SECL: A Zero-Day Attack Detector and Classifier based on Contrastive Learning and Strong Regularization

22 Aug 2024
IDS, Machine learning, Zero-Day

Abstract

Intrusion Detection Systems (IDSs) have always had difficulty detecting Zero-Day Attacks (ZDAs). One of the advantages of Machine Learning (ML)-based IDSs, their superiority in detecting ZDAs, remains largely unexplored, especially when multiple ZDAs are considered. This is mainly because ML-based IDSs predominantly rely on supervised ML methods. Although these perform better at detecting known attacks, they are by design unable to detect unknown attacks, since they can only recognize the classes present in the dataset they were trained on. This paper introduces SECL, a method that combines Contrastive Learning (CL) with a new regularization scheme composed of dropout, Von Neumann Entropy (VNE) and Sepmix (a regularization inspired by mixup). SECL performs close to, or even better than, supervised ML methods on known attacks, while gaining the ability to detect and differentiate multiple ZDAs. Experiments on three datasets, UNSW-NB15, CIC-IDS2017 and WADI, show that the method detects multiple ZDAs while achieving performance similar to supervised methods on known attacks. Notably, on the WADI dataset the proposed method even has a better overall performance than a supervised method that knows all attacks. These results pave the way for better detection of ZDAs without any loss of performance on known attacks.
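The abstract's central point is that a closed-set supervised classifier must assign every sample to one of its training classes, so a zero-day attack is silently relabelled as benign or as some known attack, whereas a model working in a learned embedding space can reject samples that lie far from every known class and then group the rejected samples to tell distinct ZDAs apart. The following added example (illustrative code, not the SECL implementation or any code from the paper) shows that difference with hand-constructed 2-D embeddings standing in for the output of a contrastively trained encoder; the prototype names, the distance threshold calibrated from within-class training distances, and the greedy clustering of rejected samples are all assumptions made for the illustration:

```python
"""Closed-set vs open-set classification over a constructed embedding space.

Illustrative example, not the SECL method: prototypes and embeddings are
hand-made 2-D vectors standing in for an encoder's output.
"""
import math

# Constructed class prototypes for the traffic classes present in training.
PROTOTYPES = {
    "benign": (0.0, 0.0),
    "dos": (4.0, 0.0),
    "scan": (0.0, 4.0),
}

# Constructed training embeddings per class, used only to calibrate a threshold.
TRAIN = {
    "benign": [(0.1, 0.2), (-0.2, 0.1), (0.3, -0.1)],
    "dos": [(4.2, 0.1), (3.8, -0.2), (4.1, 0.3)],
    "scan": [(0.2, 4.1), (-0.1, 3.8), (0.1, 4.3)],
}


def dist(a, b):
    """Euclidean distance between two embedding vectors."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def nearest_prototype(e, prototypes):
    """Return (label, distance) of the closest known-class prototype."""
    return min(((label, dist(e, p)) for label, p in prototypes.items()),
               key=lambda t: t[1])


def closed_set_classify(e, prototypes):
    """Supervised-style decision: every sample receives a known label."""
    return nearest_prototype(e, prototypes)[0]


def calibrate_threshold(train, prototypes, slack=2.0):
    """Largest within-class distance seen in training, scaled by a slack factor.

    The slack factor is an assumption; in practice it would be tuned on a
    validation split to trade known-attack recall against ZDA detection.
    """
    worst = max(dist(e, prototypes[label])
                for label, embeddings in train.items() for e in embeddings)
    return worst * slack


def open_set_classify(e, prototypes, threshold):
    """Reject as 'unknown' when no known prototype is within the threshold."""
    label, d = nearest_prototype(e, prototypes)
    return label if d <= threshold else "unknown"


def group_unknowns(unknowns, radius):
    """Greedy clustering of rejected samples: join the first cluster whose
    centre is within `radius`, otherwise start a new cluster. The number of
    clusters is an estimate of how many distinct zero-day families are present.
    """
    centres, assignments = [], []
    for e in unknowns:
        for i, c in enumerate(centres):
            if dist(e, c) <= radius:
                assignments.append(i)
                break
        else:
            centres.append(e)
            assignments.append(len(centres) - 1)
    return assignments


def run_demo():
    """Classify constructed test flows both ways and summarise the outcome."""
    threshold = calibrate_threshold(TRAIN, PROTOTYPES)
    # Constructed test flows: one known DoS flow, then two samples from each of
    # two attack families that were absent from training (the zero-days).
    flows = [(4.0, 0.2), (8.0, 8.0), (-5.0, -5.0), (8.2, 7.9), (-4.8, -5.1)]
    closed = [closed_set_classify(f, PROTOTYPES) for f in flows]
    opened = [open_set_classify(f, PROTOTYPES, threshold) for f in flows]
    rejected = [f for f, lbl in zip(flows, opened) if lbl == "unknown"]
    families = len(set(group_unknowns(rejected, radius=1.0)))
    return {"threshold": threshold, "closed": closed, "open": opened,
            "zero_day_families": families}


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

The closed-set column shows the failure mode the abstract describes: the four zero-day samples are forced onto the nearest known label (one family lands on "dos", the other on "benign"), so a SOC analyst would never see a new-attack alert. The open-set column rejects all four, and grouping the rejected samples recovers two separate families, which is the detect-and-differentiate behaviour the paper targets; the real method learns the embedding space with contrastive loss and regularization rather than using hand-made prototypes.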

Citation

Robin Duraz, David Espes, Julien Francq, and Sandrine Vaton. 2024. SECL: A Zero-Day Attack Detector and Classifier based on Contrastive Learning and Strong Regularization. In Proceedings of the 19th International Conference on Availability, Reliability and Security (ARES '24). Association for Computing Machinery, New York, NY, USA, Article 22, 1–12. https://doi.org/10.1145/3664476.3664505

Read the article