review-article

A review of Machine Learning-based zero-day attack detection: : Challenges and future directions

Author:

Yang GuoAuthors Info & Claims

Volume 198, Issue C

Pages 175 - 185

https://doi.org/10.1016/j.comcom.2022.11.001

Published: 15 January 2023 Publication History

Abstract

Zero-day attacks exploit unknown vulnerabilities so as to avoid being detected by cybersecurity detection tools. The studies (Bilge and Dumitraş, 2012, Google, 0000, Ponemon Sullivan Privacy Report, 2020) show that zero-day attacks are wide spread and are one of the major threats to computer security. The traditional signature-based detection method is not effective in detecting zero-day attacks as the signatures of zero-day attacks are typically not available beforehand. Machine Learning (ML)-based detection method is capable of capturing attacks’ statistical characteristics and is, hence, promising for zero-day attack detection. In this survey paper, a comprehensive review of ML-based zero-day attack detection approaches is conducted, and their ML models, training and testing data sets used, and evaluation results are compared. While significant efforts have been put forth to develop accurate and robust zero-attack detection tools, the existing methods fall short in accuracy, recall, and uniformity against different types of zero-day attacks. Major challenges toward the ML-based methods are identified and future research directions are recommended at last.

References

[1]

Bilge L., Dumitraş T., Before we knew it: An empirical study of zero-day attacks in the real world, in: Proceedings of the 2012 ACM Conference on Computer and Communications Security (CCS ’12), ACM, 2012, pp. 833–844.

[2]

. Google, Project Zero, URL https://googleprojectzero.blogspot.com/p/0day.html.

[3]

Ponemon Sullivan Privacy Report L., The economic value of prevention in the cybersecurity lifecycle, 2020.

[4]

Bridges R.A., Oesch S., Verma M.E., Iannacone M.D., Huffer K.M.T., Jewell B., Nichols J.A., Weber B., Beaver J.M., Smith J.M., Scofield D., Miles C., Plummer T., Daniell M., Tall A.M., Beyond the hype: A real-world evaluation of the impact and cost of machine learning-based malware detection, 2021, arXiv:2012.09214.

[5]

Hindy H., Atkinson R., Tachtatzis C., Colin J.-N., Bayne E., Bellekens X., Utilising deep learning techniques for effective zero-day attack detection, Electronics 9 (10) (2020),. URL https://www.mdpi.com/2079-9292/9/10/1684.

[6]

Mirsky Y., Doitshman T., Elovici Y., Shabtai A., Kitsune: An ensemble of autoencoders for online network intrusion detection, NDSS (2018).

[7]

Zhou Q., Pezaros D., Evaluation of machine learning classifiers for zero-day intrusion detection – an analysis on CIC-aws-2018 dataset, 2021, arXiv:1905.03685.

[8]

Comar P.M., Liu L., Saha S., Tan P.-N., Nucci A., Combining supervised and unsupervised learning for zero-day malware detection, in: 2013 Proceedings IEEE INFOCOM, 2013, pp. 2022–2030,.

[9]

Huda S., Miah S., Mehedi Hassan M., Islam R., Yearwood J., Alrubaian M., Almogren A., Defending unknown attacks on cyber-physical systems by semi-supervised approach and available unlabeled data, Inform. Sci. 379 (2017) 211–228,. URL https://www.sciencedirect.com/science/article/pii/S0020025516309380.

[10]

Kim J.-Y., Bu S.-J., Cho S.-B., Zero-day malware detection using transferred generative adversarial networks based on deep autoencoders, Inform. Sci. 460–461 (2018) 83–102,. URL https://www.sciencedirect.com/science/article/pii/S0020025518303475.

Digital Library

[11]

Zhao J., Shetty S., Pan J.W., Feature-based transfer learning for network security, in: MILCOM 2017 - 2017 IEEE Military Communications Conference, MILCOM, 2017, pp. 17–22,.

Digital Library

[12]

Zhao J., Shetty S., Pan J.W., Kamhoua C., Kwiat K., Transfer learning for detecting unknown network attacks, EURASIP J. Inf. Secur. 2019 (2019),.

[13]

Sameera N., Shashi M., Deep transductive transfer learning framework for zero-day attack detection, ICT Express 6 (4) (2020) 361–367,. URL https://www.sciencedirect.com/science/article/pii/S2405959519303625.

[14]

Buczak A.L., Guven E., A survey of data mining and machine learning methods for cyber security intrusion detection, IEEE Commun. Surv. Tutor. 18 (2) (2016) 1153–1176,.

Digital Library

[15]

Khraisat A., Gondal I., Vamplew P., Kamruzzaman J., Survey of intrusion detection systems: techniques, datasets and challenges, in: Cybersecur, 2, 2019.

[16]

Liu H., Lang B., Machine learning and deep learning methods for intrusion detection systems: A survey, Appl. Sci. 9 (20) (2019),. URL https://www.mdpi.com/2076-3417/9/20/4396.

[17]

Ye Y., Li T., Adjeroh D., Iyengar S.S., A survey on malware detection using data mining techniques, ACM Comput. Surv. 50 (3) (2017),.

Digital Library

[18]

Liu K., Xu S., Xu G., Zhang M., Sun D., Liu H., A review of android malware detection approaches based on machine learning, IEEE Access 8 (2020) 124579–124607,.

[19]

Schölkopf B., Williamson R., Smola A., Shawe-Taylor J., Platt J., Support vector method for novelty detection, in: Proceedings of the 12th International Conference on Neural Information Processing Systems, NIPS ’99, MIT Press, Cambridge, MA, USA, 1999, pp. 582–588.

[20]

Wang S., Liu Q., Zhu E., Porikli F., Yin J., Hyperparameter selection of one-class support vector machine by self-adaptive data shifting, Pattern Recognit. 74 (2018) 198–211,. URL https://www.sciencedirect.com/science/article/pii/S0031320317303564.

Digital Library

[21]

Japkowicz N., Myers C., Gluck M., A novelty detection approach to classification, in: IJCAI, 1995.

[22]

Hindy H., Atkinson R.C., Tachtatzis C., Colin J.-N., Bayne E., Bellekens X., Towards an effective zero-day attack detection using outlier-based deep learning techniques, 2020, ArXiv arXiv:2006.15344.

[23]

Gharib M., Mohammadi B., Hejareh Dastgerdi S., Sabokrou M., AutoIDS: Auto-encoder Based Method for Intrusion Detection System, 2019, arXiv e-prints arXiv:1911.03306.

[24]

Goodfellow I., Bengio Y., Courville A., Deep Learning, MIT Press, 2016, http://www.deeplearningbook.org.

Digital Library

[25]

Intrusion detection evaluation dataset (CIC-IDS2017), URL https://www.unb.ca/cic/datasets/ids-2017.html.

[26]

NSL-KDD Dataset, URL https://www.unb.ca/cic/datasets/nsl.html/.

[27]

Panigrahi R., Borah S., A detailed analysis of CICIDS2017 dataset for designing Intrusion Detection Systems, Int. J. Eng. Technol. 7 (3.24) (2018) 479–482.

[28]

Bergstra J., Bengio Y., Random search for hyper-parameter optimization, J. Mach. Learn. Res. 13 (2) (2012).

[29]

Chen P.-H., Lin C.-J., Schölkopf B., A tutorial on ν-support vector machines, Appl. Stoch. Models Bus. Ind. 21 (2) (2005) 111–136.

[30]

Liu F.T., Ting K.M., Zhou Z.-H., Isolation forest, in: 2008 Eighth IEEE International Conference on Data Mining, 2008, pp. 413–422,.

Digital Library

[31]

Reynolds D., Gaussian mixture models, in: Li S.Z., Jain A. (Eds.), Encyclopedia of Biometrics, Springer US, Boston, MA, 2009, pp. 659–663,.

[32]

Abri F., Siami-Namini S., Khanghah M.A., Soltani F.M., Namin A.S., Can machine/deep learning classifiers detect zero-day malware with high accuracy?, in: 2019 IEEE International Conference on Big Data (Big Data), 2019, pp. 3252–3259,.

[33]

Parrend P., Navarro J., Guigou F., Deruyver A., Collet P., Foundations and applications of artificial intelligence for zero-day and multi-step attack detection, EURASIP J. Inf. Secur. 2018, Number 1 (2018).

[34]

A realistic cyber defense dataset (CSE-CIC-IDS2018), URL https://registry.opendata.aws/cse-cic-ids2018/.

[35]

Hao P.-Y., Chiang J.-H., Lin Y.-H., A new maximal-margin spherical-structured multi-class support vector machine, Appl. Intell. 30 (2009) 98–111.

[36]

Kaggle: Microsoft malware classification challenge (BIG 2015), URL https://www.kaggle.com/c/malware-classification.

[37]

Pan S.J., Yang Q., A survey on transfer learning, IEEE Trans. Knowl. Data Eng. 22 (10) (2010) 1345–1359,.

Digital Library

[38]

Zhuang F., Qi Z., Duan K., Xi D., Zhu Y., Zhu H., Xiong H., He Q., A comprehensive survey on transfer learning, Proc. IEEE 109 (1) (2021) 43–76,.

[39]

Wang C., Mahadevan S., Heterogeneous domain adaptation using manifold alignment, in: Proceedings of the Twenty-Second International Joint Conference on Artificial Intelligence - Volume Volume Two, IJCAI ’11, AAAI Press, 2011, pp. 1541–1546.

[40]

Taghiyarrenani Z., Fanian A., Mahdavi E., Mirzaei A., Farsi H., Transfer learning based intrusion detection, in: 2018 8th International Conference on Computer and Knowledge Engineering, ICCKE, 2018, pp. 92–97,.

[41]

Kumar R., Lal S.P., Sharma A., Detecting denial of service attacks in the cloud, in: 2016 IEEE 14th Intl Conf on Dependable, Autonomic and Secure Computing, 14th Intl Conf on Pervasive Intelligence and Computing, 2nd Intl Conf on Big Data Intelligence and Computing and Cyber Science and Technology Congress(DASC/PiCom/DataCom/CyberSciTech), 2016, pp. 309–316,.

[42]

Sameera N., Shashi M., Transfer learning based prototype for zero-day attack detection, in: IJCAI, 2019.

[43]

Musca C., Mirica E., Deaconescu R., Detecting and analyzing zero-day attacks using honeypots, in: Proceedings of the 2013 19th International Conference on Control Systems and Computer Science, CSCS ’13, IEEE Computer Society, USA, 2013, pp. 543–548,.

Digital Library

[44]

Hu Z., Chen P., Zhu M., Liu P., Reinforcement learning for adaptive cyber defense against zero-day attacks, in: Jajodia S., Cybenko G., Liu P., Wang C., Wellman M. (Eds.), Adversarial and Uncertain Reasoning for Adaptive Cyber Defense: Control- and Game-Theoretic Approaches To Cyber Security, Springer International Publishing, Cham, 2019, pp. 54–93,.

Digital Library

Cited By

Cam NHung TNam P(2025)uitPDF-MalDeEngineering Applications of Artificial Intelligence10.1016/j.engappai.2025.110031143:COnline publication date: 1-Mar-2025
https://dl.acm.org/doi/10.1016/j.engappai.2025.110031
Li ZZhao D(2024)ZeroD-fender: A Resource-aware IoT Malware Detection Engine via Fine-grained Side-channel AnalysisACM Transactions on Design Automation of Electronic Systems10.1145/368748229:6(1-25)Online publication date: 24-Aug-2024
https://dl.acm.org/doi/10.1145/3687482
Mvula PBranco PJourdan GViktor H(2024)A Survey on the Applications of Semi-supervised Learning to Cyber-securityACM Computing Surveys10.1145/365764756:10(1-41)Online publication date: 22-Jun-2024
https://dl.acm.org/doi/10.1145/3657647
Show More Cited By

Index Terms

A review of Machine Learning-based zero-day attack detection: Challenges and future directions

Index terms have been assigned to the content through auto-classification.

Recommendations

Zero-day attack detection: a systematic literature review
Abstract
With the continuous increase in cyberattacks over the past few decades, the quest to develop a comprehensive, robust, and effective intrusion detection system (IDS) in the research community has gained traction. Many of the recently proposed ...
From zero-shot machine learning to zero-day attack detection
Abstract
Machine learning (ML) models have proved efficient in classifying data samples into their respective categories. The standard ML evaluation methodology assumes that test data samples are derived from pre-observed classes used in the training ...
Detecting and Analyzing Zero-Day Attacks Using Honeypots
CSCS '13: Proceedings of the 2013 19th International Conference on Control Systems and Computer Science

Computer networks are overwhelmed by self prop- agating malware (worms, viruses, trojans). Although the number of security vulnerabilities grows every day, not the same thing can be said about the number of defense methods. But the most delicate problem ...

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

cover image Computer Communications

Computer Communications Volume 198, Issue C

Jan 2023

298 pages

ISSN:0140-3664

Issue’s Table of Contents

Copyright © 2022.

Publisher

Elsevier Science Publishers B. V.

Netherlands

Publication History

Published: 15 January 2023

Author Tags

Qualifiers

Review-article

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

17
Total Citations
View Citations
0
Total Downloads

Downloads (Last 12 months)0
Downloads (Last 6 weeks)0

Reflects downloads up to 05 Mar 2025

Other Metrics

View Author Metrics

Citations

Cited By

Cam NHung TNam P(2025)uitPDF-MalDeEngineering Applications of Artificial Intelligence10.1016/j.engappai.2025.110031143:COnline publication date: 1-Mar-2025
https://dl.acm.org/doi/10.1016/j.engappai.2025.110031
Li ZZhao D(2024)ZeroD-fender: A Resource-aware IoT Malware Detection Engine via Fine-grained Side-channel AnalysisACM Transactions on Design Automation of Electronic Systems10.1145/368748229:6(1-25)Online publication date: 24-Aug-2024
https://dl.acm.org/doi/10.1145/3687482
Mvula PBranco PJourdan GViktor H(2024)A Survey on the Applications of Semi-supervised Learning to Cyber-securityACM Computing Surveys10.1145/365764756:10(1-41)Online publication date: 22-Jun-2024
https://dl.acm.org/doi/10.1145/3657647
Iannone ESellitto GIaccarino EFerrucci FDe Lucia APalomba F(2024)Early and Realistic Exploitability Prediction of Just-Disclosed Software Vulnerabilities: How Reliable Can It Be?ACM Transactions on Software Engineering and Methodology10.1145/365444333:6(1-41)Online publication date: 27-Jun-2024
https://dl.acm.org/doi/10.1145/3654443
Huertas Celdrán AMiguel Sánchez Sánchez Pvon der Assen JSchenk TBovet GMartínez Pérez GStiller B(2024)RL and Fingerprinting to Select Moving Target Defense Mechanisms for Zero-Day Attacks in IoTIEEE Transactions on Information Forensics and Security10.1109/TIFS.2024.340205519(5520-5529)Online publication date: 16-May-2024
https://dl.acm.org/doi/10.1109/TIFS.2024.3402055
Roopak MParkinson STian GRan YKhan SChandrasekaran B(2024)An unsupervised approach for the detection of zero‐day distributed denial of service attacks in Internet of Things networksIET Networks10.1049/ntw2.1213413:5-6(513-527)Online publication date: 21-Nov-2024
https://dl.acm.org/doi/10.1049/ntw2.12134
Rodda MChambers ARohl A(2024)Robust Automated Event Detection from Machine-Learning Analysis of Network DataProcedia Computer Science10.1016/j.procs.2024.09.635246:C(1619-1629)Online publication date: 1-Jan-2024
https://dl.acm.org/doi/10.1016/j.procs.2024.09.635
Moreira CMoreira DSales C(2024)A comprehensive analysis combining structural features for detection of new ransomware familiesJournal of Information Security and Applications10.1016/j.jisa.2024.10371681:COnline publication date: 1-Mar-2024
https://dl.acm.org/doi/10.1016/j.jisa.2024.103716
Wu YHu YWang JFeng MDong AYang Y(2024)An active learning framework using deep Q-network for zero-day attack detectionComputers and Security10.1016/j.cose.2024.103713139:COnline publication date: 16-May-2024
https://dl.acm.org/doi/10.1016/j.cose.2024.103713
Novikova EFedorchenko EDanilov ASaenko I(2024)Dataset Generation Methodology: Towards Application of Machine Learning in Industrial Water Treatment SecuritySN Computer Science10.1007/s42979-024-02704-95:4Online publication date: 29-Mar-2024
https://dl.acm.org/doi/10.1007/s42979-024-02704-9
Show More Cited By

View Options

View options

Figures

Tables

Media

View Issue’s Table of Contents