Robust Anomaly Detection in Network Traffic: Evaluating Machine Learning Models on CICIDS2017
This work provides practical guidance for selecting intrusion detection models in dynamic network environments, but it is incremental as it evaluates existing methods on a standard dataset.
The study compared four machine learning models for intrusion detection on the CICIDS2017 dataset, finding that supervised models like MLP and CNN excelled on known attacks but struggled with novel ones, while unsupervised methods like OCSVM balanced performance across both scenarios.
Identifying suitable machine learning paradigms for intrusion detection remains critical for building effective and generalizable security solutions. In this study, we present a controlled comparison of four representative models - Multi-Layer Perceptron (MLP), 1D Convolutional Neural Network (CNN), One-Class Support Vector Machine (OCSVM) and Local Outlier Factor (LOF) - on the CICIDS2017 dataset under two scenarios: detecting known attack types and generalizing to previously unseen threats. Our results show that supervised MLP and CNN achieve near-perfect accuracy on familiar attacks but suffer drastic recall drops on novel attacks. Unsupervised LOF attains moderate overall accuracy and high recall on unknown threats at the cost of elevated false alarms, while boundary-based OCSVM balances precision and recall best, demonstrating robust detection across both scenarios. These findings offer practical guidance for selecting IDS models in dynamic network environments.
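To make the two evaluation scenarios concrete, here is an added, self-contained Python example (not code from the paper) that reproduces the known-attack versus unseen-attack protocol on hand-constructed 2-D "flow feature" points instead of CICIDS2017. It stands in for the supervised models with a nearest-centroid classifier trained on benign plus one known attack class, and for OCSVM with a benign-only distance boundary; the clusters, the `margin` parameter and the held-out attack are all assumptions chosen for illustration.

```python
# Added example: toy version of the paper's two IDS evaluation scenarios.
# All data is constructed; no real CICIDS2017 flows are used.
import math
import random

def _cluster(cx, cy, n, rng, spread=0.5):
    """Constructed samples scattered around the centre (cx, cy)."""
    return [(cx + rng.gauss(0, spread), cy + rng.gauss(0, spread)) for _ in range(n)]

def make_dataset(seed=7):
    rng = random.Random(seed)
    return {
        "benign_train": _cluster(0, 0, 150, rng),
        "benign_test": _cluster(0, 0, 50, rng),
        "known_attack": _cluster(10, 0, 100, rng),   # seen during training
        "novel_attack": _cluster(0, 10, 100, rng),   # withheld: the "unseen threat"
    }

def _dist(a, b):
    return math.hypot(a[0] - b[0], a[1] - b[1])

def _centroid(points):
    return (sum(p[0] for p in points) / len(points), sum(p[1] for p in points) / len(points))

def supervised_detector(benign, attacks):
    """Nearest-centroid classifier fitted on benign + known-attack labels (MLP/CNN stand-in)."""
    cb, ca = _centroid(benign), _centroid(attacks)
    return lambda x: _dist(x, ca) < _dist(x, cb)   # True means "attack"

def one_class_detector(benign, margin=1.25):
    """Boundary around benign-only data (OCSVM stand-in); anything outside is an anomaly."""
    cb = _centroid(benign)
    radius = margin * max(_dist(x, cb) for x in benign)   # margin is an assumed knob
    return lambda x: _dist(x, cb) > radius

def recall(detector, attack_samples):
    return sum(detector(x) for x in attack_samples) / len(attack_samples)

def false_alarm_rate(detector, benign_samples):
    return sum(detector(x) for x in benign_samples) / len(benign_samples)

def evaluate(seed=7):
    """Recall on known and novel attacks plus FPR on held-out benign, per detector."""
    d = make_dataset(seed)
    sup = supervised_detector(d["benign_train"], d["known_attack"])
    occ = one_class_detector(d["benign_train"])
    return {name: {"known": recall(det, d["known_attack"]),
                   "novel": recall(det, d["novel_attack"]),
                   "fpr": false_alarm_rate(det, d["benign_test"])}
            for name, det in (("supervised", sup), ("one_class", occ))}

if __name__ == "__main__":
    for name, m in evaluate().items():
        print(f"{name:10s} known={m['known']:.2f} novel={m['novel']:.2f} fpr={m['fpr']:.2f}")
```

The supervised stand-in reaches full recall on the attack class it was trained on but assigns the held-out cluster to the nearer benign centroid, mirroring the recall collapse the abstract reports; the benign-only boundary flags both attack clusters at the cost of whatever benign traffic falls outside its radius.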