Novelty Detection in Network Traffic: Using Survival Analysis for Feature Identification
This addresses the limitation of signature-based intrusion detection for unknown attacks in cybersecurity, though it appears incremental as it applies existing survival analysis methods to a known bottleneck.
The paper tackles the problem of detecting unknown network attacks in Intrusion Detection Systems by using survival analysis techniques to identify key traffic features that influence novelty detection, successfully pinpointing PSH Flag Count, ACK Flag Count, URG Flag Count, and Down/Up Ratio as impactful features across multiple classifiers.
Intrusion Detection Systems are an important component of many organizations' cyber defense and resiliency strategies. However, one downside of these systems is their reliance on known attack signatures for detection of malicious network events. When it comes to unknown attack types and zero-day exploits, modern Intrusion Detection Systems often fall short. In this paper, we introduce an unconventional approach to identifying network traffic features that influence novelty detection based on survival analysis techniques. Specifically, we combine several Cox proportional hazards models and implement Kaplan-Meier estimates to predict the probability that a classifier identifies novelty after the injection of an unknown network attack at any given time. The proposed model is successful at pinpointing PSH Flag Count, ACK Flag Count, URG Flag Count, and Down/Up Ratio as the main features to impact novelty detection via Random Forest, Bayesian Ridge, and Linear Support Vector Regression classifiers.