Intrusion Detection System using Outlier Analysis for Adaptive Detection of Unknown Attacks

doi:10.23940/ijpe.25.11.p6.661671

Abstract

Abstract: Detecting both known and unknown cyberattacks remains a central challenge for intrusion detection systems (IDS). Signature-based IDS are effective for known threats but fail against novel attacks, while anomaly-based IDS can detect unknowns as outliers yet cannot recognize them if they reappear in new forms. Hybrid IDS improve coverage by combining both approaches, but most existing designs still treat unknown attacks as one-time anomalies without capturing their behavioral patterns. This limitation is critical in adaptive threat landscapes where attackers continuously refine their methods to mimic legitimate traffic, making stealthy intrusions especially difficult to detect. In this paper, we propose a Behavior-Based Hybrid IDS (Behavior-HIDS) that integrates (i) a GA-optimized Support Vector Machine (SVM) for supervised detection of known attacks, with (ii) a two-stage anomaly detection pipeline (Isolation Forest and Extended Isolation Forest) for identifying unseen threats. Crucially, our system goes beyond detection by clustering unknown attacks into coherent behavioral groups using autoencoder embeddings and HDBSCAN. These clusters are incorporated into retraining, thereby creating a form of behavioral memory that enables the IDS to recognize future variants of previously unseen attacks. Comprehensive experiments on NSL-KDD, CICIDS2017, and UNSW-NB15 confirm that Behavior-HIDS consistently outperforms classical hybrid IDS approaches. On NSL-KDD, it achieves 92.49% accuracy and 92.30% F1-score, with similar improvements observed on the other datasets. By combining anomaly detection with behavioral learning, our framework advances IDS design toward adaptive and evolving defense mechanisms.

Key words: intrusion detection system (IDS), outlier analysis, hybrid IDS, unknown attack detection, behavioral clustering, autoencoder, extended isolation forest (EIF), support vector machine (SVM)

Moudjib Errahmane Benzitouni and Abdelhakim Hannousse. Intrusion Detection System using Outlier Analysis for Adaptive Detection of Unknown Attacks [J]. Int J Performability Eng, 2025, 21(11): 661-671.

Add to citation manager EndNote|Reference Manager|ProCite|BibTeX|RefWorks

References

[1] Rani, M.,Gagandeep, 2022. Effective network intrusion detection by addressing class imbalance with deep neural networks multimedia tools and applications. Multimedia Tools and Applications,81(6), pp. 8499-8518.
[2] Khraisat A., Gondal I., Vamplew P., Kamruzzaman J., and Alazab A., 2020. Hybrid intrusion detection system based on the stacking ensemble of c5 decision tree classifier and one class support vector machine.Electronics, 9(1), 173.
[3] Hariri S., Kind M.C., and Brunner R.J., 2019. Extended isolation forest. IEEE Transactions on Knowledge and Data Engineering,33(4), pp. 1479-1489.
[4] Tschannen M., Bachem O., and Lucic M., 2018. Recent advances in autoencoder-based representation learning.Arxiv Preprint Arxiv:1812.05069.
[5] Campello R.J., Moulavi D., and Sander J., 2013. Density-based clustering based on hierarchical density estimates. InPacific-Asia Conference on Knowledge Discovery and Data Mining, pp. 160-172.
[6] Mitchell M.,1998. An Introduction to Genetic Algorithms. MIT press.
[7] Yuliana Y., Supriyadi D.H., Fahlevi M.R., and Arisagas M.R., 2024. Analysis of nsl-kdd for the implementation of machine learning in network intrusion detection system. Journal of Informatics Information System Software Engineering and Applications (INISTA),6(2), pp. 80-89.
[8] Yin C., Zhu Y., Fei J., and He X., 2017. A deep learning approach for intrusion detection using recurrent neural networks.IEEE Access, 5, pp. 21954-21961.
[9] Mohamed S., and Ejbali R., 2023. Deep SARSA-based reinforcement learning approach for anomaly network intrusion detection system. International Journal of Information Security,22(1), pp. 235-247.
[10] Ieracitano C., Adeel A., Morabito F.C., and Hussain A., 2020. A novel statistical analysis and autoencoder driven intelligent intrusion detection approach.Neurocomputing, 387, pp. 51-62.
[11] Liu Y., Zhang K., and Wang Z., 2023. Intrusion detection of manifold regularized broad learning system based on LU decomposition: Y. Liu et al. the Journal of Supercomputing,79(18), pp. 20600-20648.
[12] Xu W., Jang-Jaccard J., Singh A., Wei Y., and Sabrina F., 2021. Improving performance of autoencoder-based network anomaly detection on nsl-kdd dataset.IEEE Access, 9, pp. 140136-140146.
[13] Yang Y., Zheng K., Wu C., and Yang Y., 2019. Improving the classification effectiveness of intrusion detection by using improved conditional variational autoencoder and deep neural network.Sensors, 19(11), 2528.
[14] Kao M.T., Sung D.Y., Kao S.J., and Chang F.M., 2022. A novel two-stage deep learning structure for network flow anomaly detection.Electronics, 11(10), 1531.
[15] Zhou P., Zhang H., and Liang W., 2023. Research on hybrid intrusion detection based on improved harris hawk optimization algorithm.Connection Science, 35(1), 2195595.
[16] Gao X., Shan C., Hu C., Niu Z., and Liu Z., 2019. An adaptive ensemble machine learning model for intrusion detection.IEEE Access, 7, pp. 82512-82521.
[17] Alotaibi S.D., Yadav K., Aledaily A.N., Alkwai L.M., Yousef Dafhalla A.K., Almansour S., and Lingamuthu V., 2022. Deep neural network-based intrusion detection system through PCA.Mathematical Problems in Engineering, 2022(1), 6488571.
[18] Liu L., Wang P., Lin J., and Liu L., 2020. Intrusion detection of imbalanced network traffic based on machine learning and deep learning.IEEE Access, 9, pp. 7550-7563.
[19] Kasongo S.M.,2023. A deep learning technique for intrusion detection system using a recurrent neural networks based framework.Computer Communications, 199, pp. 113-125.
[20] Rawat S., Srinivasan A., Ravi V., and Ghosh U., 2022. Intrusion detection systems using classical machine learning techniques vs integrated unsupervised feature learning and deep neural network.Internet Technology Letters, 5(1), e232.
[21] Kim G., Lee S., and Kim S., 2014. A novel hybrid intrusion detection method integrating anomaly detection with misuse detection. Expert Systems with Applications,41(4), pp. 1690-1700.
[22] Cui J., Zong L., Xie J., and Tang M., 2023. A novel multi-module integrated intrusion detection system for high-dimensional imbalanced data. Applied Intelligence,53(1), pp. 272-288.
[23] Haggag M., Tantawy M.M., and El-Soudani M.M., 2020. Implementing a deep learning model for intrusion detection on apache spark platform.IEEE Access, 8, pp. 163660-163672.
[24] Suganthi J., Nagarajan B., and Muhtumari S., 2022. Network anomaly detection using hybrid deep learning technique. InAdvances in Parallel Computing Algorithms, Tools and Paradigms, pp. 103-109.
[25] Abou El Houda Z., Brik B., Ksentini A., and Khoukhi L., 2023. A MEC-based architecture to secure IoT applications using federated deep learning. IEEE Internet of Things Magazine,6(1), pp. 60-63.
[26] Keshk M., Koroniotis N., Pham N., Moustafa N., Turnbull B., and Zomaya A.Y., 2023. An explainable deep learning-enabled intrusion detection framework in IoT networks.Information Sciences, 639, 119000.
[27] Benzitouni M.R., and Hannousse A., 2023. Enhancing intrusion detection systems through simultaneous feature selection and hyperparameter tuning. InInternational Conference on Computing and Information Technology, pp. 159-168.
[28] Revathi S., and Malathi A., 2013. A detailed analysis on NSL-KDD dataset using various machine learning techniques for intrusion detection. International Journal of Engineering Research & Technology (IJERT),2(12), pp. 1848-1853.
[29] Panigrahi R., and Borah S., 2018. A detailed analysis of CICIDS2017 dataset for designing intrusion detection systems. International Journal of Engineering & Technology,7(3.24), pp. 479-482.
[30] Moustafa N., and Slay J., 2015. UNSW-NB15: a comprehensive data set for network intrusion detection systems (UNSW-NB15 network data set). In2015 Military Communications and Information Systems Conference (MilCIS), pp. 1-6.