Jesús F. Cevallos M., Alessandra Rizzardi , Sabrina Sicari , Alberto Coen-Porisini
Title (Chinese record): From High-dimensional Network Traffic to Zero-day Attack Detection
Journal: Computer Networks, volume 265, Article 111264
Publication date: 2025-04-21
Publication type: Journal Article (not open access)
DOI: 10.1016/j.comnet.2025.111264
URL: https://www.sciencedirect.com/science/article/pii/S1389128625002324
Journal metrics: impact factor 4.4; JCR Q1 (Computer Science, Hardware & Architecture)
Record source: Semanticscholar
HERO: From High-dimensional network traffic to zERO-Day attack detection
Recent trends in zero-day attack (ZdA) detection use collective anomaly detection to give insights on out-of-distribution anomalies in a zero-shot fashion. Among these, existing frameworks propose the use of specialised labelling strategies to mimic a step-wise abstract anomaly detection algorithm that generalises ZdA detection over low-dimensional traffic-flow statistics. To enlarge such application scenarios, this paper proposes HERO, which is compatible with High-dimensional raw network traffic captures when performing zERO-day attack detection. To reach convergence over such a high-dimensional and noisy input space, HERO decouples the representation task and the corresponding gradient updates from the discriminative task, following the neural algorithmic reasoning blueprint. Specifically, a neural processor is first trained on the discriminative task using synthetic data, and its weights are then frozen. A second training phase optimises the encoding and decoding networks using raw traffic captures and the algorithmically aligned, frozen processor. Experiments with well-known intrusion detection datasets demonstrate the crucial advantage of using a two-stage training framework to achieve convergence. To the best of the authors' knowledge, HERO is the first deep learning-based instrument that performs collective anomaly detection and categorisation over raw network traffic on a zero-shot basis, i.e., without using labels.
Journal description:
Computer Networks is an international, archival journal providing a publication vehicle for complete coverage of all topics of interest to those involved in the computer communications networking area. The audience includes researchers, managers and operators of networks as well as designers and implementers. The Editorial Board will consider any material for publication that is of interest to those groups.