Anomaly detection aims at identifying unexpected fluctuations in the expected behavior of a given system. It is acknowledged as a reliable approach to identifying zero-day attacks, to such an extent that several ML algorithms suited to binary classification have been proposed over the years. However, an experimental comparison of a wide pool of unsupervised algorithms for anomaly-based intrusion detection against a comprehensive set of attack datasets had not been carried out yet. To fill this gap, we exercise seventeen unsupervised anomaly detection algorithms on eleven attack datasets. The results allow us to elaborate on a wide range of issues, from the behavior of the individual algorithms to the suitability of the datasets for anomaly detection. We conclude that algorithms such as Isolation Forests, One-Class Support Vector Machines and Self-Organizing Maps are more effective than their counterparts for intrusion detection, while clustering algorithms represent a good alternative due to their low computational complexity. Further, we detail how attacks with unstable, distributed or non-repeatable behavior, such as Fuzzing, Worms and Botnets, are more difficult to detect. Ultimately, we discuss the capabilities of the algorithms in detecting anomalies generated by a wide pool of unknown attacks, showing that the metric scores achieved do not differ from those obtained when identifying single attacks.
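The following is an added example and not code from the paper: a from-scratch Isolation Forest, one of the algorithms the abstract singles out, run through the unsupervised protocol the abstract describes (fit on normal traffic only, score a mixed test set, choose the threshold without any attack labels, report binary-classification metrics per attack type). The flow features (bytes, packets, duration), the two attack profiles (a stable flood, and a fuzzing-like attack whose probes partly resemble normal traffic) and all sample values are constructed for illustration and are not the paper's datasets; the 95th-percentile threshold and the forest parameters are arbitrary choices.

```python
"""Added example, not the paper's code: minimal Isolation Forest (Liu et al., 2008)
with an unsupervised intrusion-detection evaluation on constructed flow features."""
import math
import random


def avg_path_length(n):
    """Expected depth of an unsuccessful BST search over n points; normalises depths
    (n == 2 is pinned to 1.0, as sklearn does)."""
    if n <= 1:
        return 0.0
    if n == 2:
        return 1.0
    return 2.0 * (math.log(n - 1) + 0.5772156649) - 2.0 * (n - 1) / n


def build_tree(points, depth, max_depth, rng):
    """Recursively isolate points with random axis-aligned splits."""
    if depth >= max_depth or len(points) <= 1:
        return {"size": len(points)}            # external node, size kept for scoring
    dim = rng.randrange(len(points[0]))
    lo, hi = min(p[dim] for p in points), max(p[dim] for p in points)
    if lo == hi:                                # no spread on this axis
        return {"size": len(points)}
    split = rng.uniform(lo, hi)
    return {"dim": dim, "split": split,
            "left": build_tree([p for p in points if p[dim] < split], depth + 1, max_depth, rng),
            "right": build_tree([p for p in points if p[dim] >= split], depth + 1, max_depth, rng)}


def path_length(tree, x, depth=0):
    """Depth at which x lands plus the expected depth of the unexpanded leaf."""
    if "size" in tree:
        return depth + avg_path_length(tree["size"])
    child = tree["left"] if x[tree["dim"]] < tree["split"] else tree["right"]
    return path_length(child, x, depth + 1)


class IsolationForest:
    def __init__(self, n_trees=100, sample_size=64, seed=0):
        self.n_trees, self.sample_size, self.seed, self.trees = n_trees, sample_size, seed, []

    def fit(self, X):
        """Train on normal data only; no labels are used anywhere in fitting."""
        rng = random.Random(self.seed)
        n = min(self.sample_size, len(X))
        max_depth = math.ceil(math.log2(n))
        self.trees = [build_tree(rng.sample(X, n), 0, max_depth, rng) for _ in range(self.n_trees)]
        self.norm = avg_path_length(n)
        return self

    def score(self, x):
        """Anomaly score in (0, 1): isolated in few splits -> close to 1."""
        mean_depth = sum(path_length(t, x) for t in self.trees) / len(self.trees)
        return 2.0 ** (-mean_depth / self.norm)


def binary_metrics(labels, predictions):
    """Precision, recall, F1 and MCC for 1 = attack, 0 = normal."""
    tp = sum(1 for y, p in zip(labels, predictions) if y and p)
    fp = sum(1 for y, p in zip(labels, predictions) if not y and p)
    fn = sum(1 for y, p in zip(labels, predictions) if y and not p)
    tn = len(labels) - tp - fp - fn
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    f1 = 2 * precision * recall / (precision + recall) if precision + recall else 0.0
    den = math.sqrt((tp + fp) * (tp + fn) * (tn + fp) * (tn + fn))
    mcc = (tp * tn - fp * fn) / den if den else 0.0
    return {"precision": precision, "recall": recall, "f1": f1, "mcc": mcc}


# Constructed (hypothetical) flow features: (bytes, packets, duration_s).
def normal_flow(rng):
    return (rng.gauss(500, 80), rng.gauss(10, 2), rng.gauss(1.0, 0.15))

def flood_flow(rng):        # stable, repeatable attack: extreme on every feature
    return (rng.gauss(50000, 2000), rng.gauss(2000, 100), rng.gauss(0.01, 0.002))

def fuzz_flow(rng, i):      # unstable attack: half of the probes look like normal traffic
    return normal_flow(rng) if i % 2 == 0 else (rng.uniform(0, 5000), rng.uniform(1, 200), rng.uniform(0.0, 5.0))


def run_experiment(seed=1):
    """Fit on normal flows, threshold on normal scores only, evaluate per attack type."""
    rng = random.Random(seed)
    train = [normal_flow(rng) for _ in range(300)]
    forest = IsolationForest(seed=seed).fit(train)
    train_scores = sorted(forest.score(x) for x in train)
    threshold = train_scores[int(0.95 * (len(train_scores) - 1))]   # 95th percentile of normal
    results = {}
    for name, attack in (("flood", [flood_flow(rng) for _ in range(20)]),
                         ("fuzz", [fuzz_flow(rng, i) for i in range(20)])):
        normal_test = [normal_flow(rng) for _ in range(100)]
        labels = [0] * len(normal_test) + [1] * len(attack)
        preds = [int(forest.score(x) > threshold) for x in normal_test + attack]
        results[name] = binary_metrics(labels, preds)
    return results


if __name__ == "__main__":
    for name, m in run_experiment().items():
        print(name, {k: round(v, 3) for k, v in m.items()})
```

Running it prints precision, recall, F1 and MCC for each attack type. The flood lies far outside normal traffic on every feature, so it is isolated within a few splits and scores near 1; the fuzz probes that fall inside the normal envelope receive scores indistinguishable from normal flows and pull recall down, which is the effect the abstract reports for unstable or non-repeatable attacks. The threshold is derived from normal scores alone; picking it against attack labels would leak supervision into what is meant to be an unsupervised evaluation.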

Unsupervised Anomaly Detectors to Detect Intrusions in the Current Threat Landscape / Zoppi, Tommaso; Ceccarelli, Andrea; Capecchi, Tommaso; Bondavalli, Andrea. - In: ACM/IMS TRANSACTIONS ON DATA SCIENCE. - ISSN 2691-1922. - ELETTRONICO. - 2:2(2021), pp. 701-726. [10.1145/3441140]

Unsupervised Anomaly Detectors to Detect Intrusions in the Current Threat Landscape

Zoppi, Tommaso
2021-01-01

2021
2
Zoppi, Tommaso; Ceccarelli, Andrea; Capecchi, Tommaso; Bondavalli, Andrea
Files in this item:

File: 3441140.pdf (open access)
Type: Publisher's version (Publisher's layout)
License: All rights reserved
Size: 4.57 MB
Format: Adobe PDF

Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.

Use this identifier to cite or link to this item: https://hdl.handle.net/11572/390273