Title: Toward Open-World Network Intrusion Detection via Open Recognition and Inspection
Authors: Lei Du; Yuhan Chai; Yan Jia; Binxing Fang; Hao Li; Zhaoquan Gu
DOI: 10.1109/TIFS.2025.3608666
Journal: IEEE Transactions on Information Forensics and Security, vol. 20, pp. 9832-9847
Publication date: 2025-09-10 (Journal Article; JCR Q1, Computer Science, Theory & Methods; Region 1, Computer Science)
URL: https://ieeexplore.ieee.org/document/11159092/
Open access: no
Citations: 0
Abstract
Deep learning is promising for open-world network intrusion detection, but current deep learning-based methods focus mainly on open recognition, rely on properties that may not always hold, and largely neglect the inspection of unknown samples, which increases open-space risk and the manual inspection overhead of deployed models. To address these challenges in real-world environments, we propose a novel system, ORI, designed to tackle two critical tasks: 1) open recognition, i.e. classifying known-class samples while recognizing unknown ones, and 2) inspection, i.e. further inspecting the samples recognized as unknown. Specifically, we reformulate open recognition as a binary classification task and propose a density-based method that recognizes low-density samples as unknown while classifying known-class samples with a closed-world classifier, thereby minimizing open-space risk. To reduce the inspection overhead for samples recognized as unknown, we treat their inspection as a constrained clustering task: a few manually inspected samples serve as constraints, and labels are assigned to the remaining unknown samples via clustering. We evaluate our system against established open recognition and unknown sample inspection baselines through extensive experiments on three public datasets. Additionally, we simulated a security analyst inspecting unknown samples labeled by ORI. The experimental results demonstrate that ORI accurately classifies known-class samples, recognizes unknown samples, and effectively labels samples recognized as unknown, enhancing both open recognition and inspection capabilities.
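The two-stage design the abstract describes (a density test that sends low-density samples to an "unknown" bucket before any closed-world label is assigned, then constrained clustering that spreads a handful of analyst-provided labels over the rest of that bucket) can be illustrated end to end on constructed data. The block below is an added example, not ORI's code or the paper's evaluation; it assumes a k-nearest-neighbour distance as the density proxy, a nearest-centroid closed-world classifier, seeded k-means as the constrained clustering, farthest-point selection as the analyst's triage rule, and a threshold margin `MARGIN` over the sparsest training point, none of which the abstract specifies. The 2-D "flow features" and the four traffic classes are constructed for the demonstration.

```python
"""Toy open-world NIDS pipeline: density-based open recognition, then constrained
(seeded) clustering of the samples flagged as unknown. Illustrative code only,
not the ORI implementation; standard library only."""
import math
import random
from collections import Counter

random.seed(7)
K_NEIGHBOURS = 5   # assumption: mean distance to k nearest training points as density proxy
MARGIN = 1.5       # assumption: unknown if sparser than MARGIN x the sparsest training point


def dist(a, b):
    return math.hypot(a[0] - b[0], a[1] - b[1])


def blob(centre, n, spread=0.4):
    """Constructed 2-D flow features (think scaled packets/s, bytes/packet) around a centre."""
    return [(random.gauss(centre[0], spread), random.gauss(centre[1], spread)) for _ in range(n)]


# Constructed classes: two seen in training, two the model never saw (open space).
KNOWN = {"benign": (0.0, 0.0), "dos": (5.0, 0.0)}
NOVEL = {"scan": (0.0, 5.0), "brute": (5.0, 5.0)}


def knn_score(p, ref, k=K_NEIGHBOURS):
    """Large score = few close training points = low density = open space."""
    return sum(sorted(dist(p, r) for r in ref)[:k]) / k


def fit(train_x, train_y):
    """Closed-world nearest-centroid classifier plus a density threshold from training data."""
    centroids = {}
    for label in set(train_y):
        pts = [x for x, y in zip(train_x, train_y) if y == label]
        centroids[label] = (sum(p[0] for p in pts) / len(pts), sum(p[1] for p in pts) / len(pts))
    # Leave-one-out score of each training point calibrates what "in-distribution" looks like.
    loo = [knn_score(p, train_x[:i] + train_x[i + 1:]) for i, p in enumerate(train_x)]
    return {"centroids": centroids, "ref": train_x, "threshold": MARGIN * max(loo)}


def open_recognize(p, model):
    """Binary known/unknown decision first; the closed-world label is only used for known samples."""
    if knn_score(p, model["ref"]) > model["threshold"]:
        return "unknown"
    return min(model["centroids"], key=lambda lbl: dist(p, model["centroids"][lbl]))


def pick_for_inspection(pts, budget):
    """Farthest-point selection so the few samples the analyst reads cover distinct regions."""
    chosen = [0]
    while len(chosen) < budget and len(chosen) < len(pts):
        chosen.append(max(range(len(pts)), key=lambda i: min(dist(pts[i], pts[j]) for j in chosen)))
    return chosen


def constrained_cluster(pts, seeds, iters=20):
    """Seeded k-means: analyst-labelled seeds stay fixed to their label (the constraint) and
    initialise one centroid per label; every other unknown sample is assigned by clustering."""
    labels = dict(seeds)
    names = sorted(set(seeds.values()))
    for _ in range(iters):
        cent = {}
        for name in names:
            members = [pts[i] for i, l in labels.items() if l == name]
            cent[name] = (sum(p[0] for p in members) / len(members), sum(p[1] for p in members) / len(members))
        new = dict(seeds)
        for i, p in enumerate(pts):
            if i not in seeds:
                new[i] = min(names, key=lambda n: dist(p, cent[n]))
        if new == labels:
            break
        labels = new
    return [labels[i] for i in range(len(pts))]


def run(budget=3):
    """Train on the known classes, recognise a mixed test set, then inspect the unknown bucket."""
    train_x, train_y, test_x, test_y = [], [], [], []
    for lbl, c in KNOWN.items():
        pts = blob(c, 40); train_x += pts; train_y += [lbl] * len(pts)
    for lbl, c in {**KNOWN, **NOVEL}.items():
        pts = blob(c, 20); test_x += pts; test_y += [lbl] * len(pts)
    model = fit(train_x, train_y)
    pred = [open_recognize(p, model) for p in test_x]
    known_idx = [i for i, y in enumerate(test_y) if y in KNOWN]
    novel_idx = [i for i, y in enumerate(test_y) if y in NOVEL]
    known_acc = sum(pred[i] == test_y[i] for i in known_idx) / len(known_idx)
    novel_recall = sum(pred[i] == "unknown" for i in novel_idx) / len(novel_idx)
    # Inspection: the simulated analyst labels `budget` flagged samples (ground truth revealed),
    # and the remaining flagged samples inherit labels through constrained clustering.
    unk = [i for i, p in enumerate(pred) if p == "unknown"]
    unk_pts = [test_x[i] for i in unk]
    seeds = {j: test_y[unk[j]] for j in pick_for_inspection(unk_pts, budget)} if unk else {}
    prop = constrained_cluster(unk_pts, seeds) if unk else []
    insp_acc = sum(prop[j] == test_y[unk[j]] for j in range(len(unk))) / len(unk) if unk else 1.0
    return {"known_acc": known_acc, "novel_recall": novel_recall, "inspection_acc": insp_acc,
            "flagged": len(unk), "analyst_labelled": len(seeds), "propagated": Counter(prop)}


if __name__ == "__main__":
    print(run())
```

The point of calibrating the threshold on leave-one-out training scores is that the unknown decision never depends on the closed-world classifier's confidence, which is exactly what goes wrong when a softmax model meets traffic from a class it has never seen; here a novel cluster five units from any training data is flagged regardless of which known centroid happens to be nearest. The analyst budget is the cost model of the inspection stage: three labels are read, forty samples get labelled.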
Journal description:
The IEEE Transactions on Information Forensics and Security covers the sciences, technologies, and applications relating to information forensics, information security, biometrics, surveillance and systems applications that incorporate these features.