Adaptive Defense: Zero-Day Attack Detection in NIDS With Deep Reinforcement Learning
Zero-Day attack detection in Network Intrusion Detection Systems (NIDS) refers to the ability to identify previously unseen attack patterns during testing without having been explicitly trained on those specific attacks, utilizing learned features from other known attacks. In this paper, we propose a Deep Reinforcement Learning (DRL)-based NIDS designed for Zero-Day attack detection. We use a stacked LSTM architecture to extend the learning capabilities of the DRL agent. We apply several oversampling techniques to handle the issue of class imbalance, since zero-day attack datasets are not as abundant. We use some of the most widely available benchmark datasets in the NIDS domain, which together cover a wide range of attack types, such as reconnaissance, DDoS, infiltration, injection, password attacks, brute force, DoS, backdoor, and benign traffic. For example, we converted attacks to 1 and benign traffic to 0, then excluded certain attack categories (DoS and Backdoor) from the training dataset while keeping them in the test dataset. This makes those attack types zero-day attacks, as they are entirely unseen during training. We also compare which data balancing technique, among K-means SMOTE, SMOTE, Borderline-SMOTE and ADASYN, works better for the performance of our DRL agent. We then demonstrate how powerful our agent is by validating many datasets for remarkable success in detecting both known and unknown attacks in a zero-day manner. Our work has been made publicly available on GitHub (https://github.com/codewithkhurshed/ZDAD) to support researchers in advancing zero-day attack detection in NIDS.
| Main Authors: | Khorshed Alam, Md Fahad Monir, Md Junayed Hossain, Mohammad Shorif Uddin, Md. Tarek Habib |
|---|---|
| Format: | Article |
| Language: | English |
| Published: | IEEE, 2025-01-01 |
| Series: | IEEE Access |
| Subjects: | Zero-day attack detection; deep reinforcement learning; cybersecurity; network intrusion detection systems; internet; unseen attack generalization |
| Online Access: | https://ieeexplore.ieee.org/document/11063272/ |
| _version_ | 1849427497659138048 |
|---|---|
| author | Khorshed Alam; Md Fahad Monir; Md Junayed Hossain; Mohammad Shorif Uddin; Md. Tarek Habib |
| author_facet | Khorshed Alam; Md Fahad Monir; Md Junayed Hossain; Mohammad Shorif Uddin; Md. Tarek Habib |
| author_sort | Khorshed Alam |
| collection | DOAJ |
| description | Zero-Day attack detection in Network Intrusion Detection Systems (NIDS) refers to the ability to identify previously unseen attack patterns during testing without having been explicitly trained on those specific attacks, utilizing learned features from other known attacks. In this paper, we propose a Deep Reinforcement Learning (DRL)-based NIDS designed for Zero-Day attack detection. We use a stacked LSTM architecture to extend the learning capabilities of the DRL agent. We apply several oversampling techniques to handle the issue of class imbalance, since zero-day attack datasets are not as abundant. We use some of the most widely available benchmark datasets in the NIDS domain, which together cover a wide range of attack types, such as reconnaissance, DDoS, infiltration, injection, password attacks, brute force, DoS, backdoor, and benign traffic. For example, we converted attacks to 1 and benign traffic to 0, then excluded certain attack categories (DoS and Backdoor) from the training dataset while keeping them in the test dataset. This makes those attack types zero-day attacks, as they are entirely unseen during training. We also compare which data balancing technique, among K-means SMOTE, SMOTE, Borderline-SMOTE and ADASYN, works better for the performance of our DRL agent. We then demonstrate how powerful our agent is by validating many datasets for remarkable success in detecting both known and unknown attacks in a zero-day manner. Our work has been made publicly available on GitHub (https://github.com/codewithkhurshed/ZDAD) to support researchers in advancing zero-day attack detection in NIDS. |
| format | Article |
| id | doaj-art-56cabc39994d4575bdf07661ef2af658 |
| institution | Kabale University |
| issn | 2169-3536 |
| language | English |
| publishDate | 2025-01-01 |
| publisher | IEEE |
| record_format | Article |
| series | IEEE Access |
| spelling | doaj-art-56cabc39994d4575bdf07661ef2af658; 2025-08-20T03:29:02Z; eng; IEEE; IEEE Access; 2169-3536; 2025-01-01; 13; 116345; 116361; 10.1109/ACCESS.2025.3585445; 11063272; Adaptive Defense: Zero-Day Attack Detection in NIDS With Deep Reinforcement Learning; Khorshed Alam [0] https://orcid.org/0009-0004-8040-8598; Md Fahad Monir [1]; Md Junayed Hossain [2]; Mohammad Shorif Uddin [3] https://orcid.org/0000-0002-7184-2809; Md. Tarek Habib [4] https://orcid.org/0000-0001-5009-6459; Department of Computer Science and Engineering (CSE), Independent University at Bangladesh, Dhaka, Bangladesh; Department of Computer Science and Engineering (CSE), Independent University at Bangladesh, Dhaka, Bangladesh; Department of Computer Science and Engineering (CSE), Independent University at Bangladesh, Dhaka, Bangladesh; Department of Computer Science and Engineering, Jahangirnagar University, Dhaka, Bangladesh; Department of Computer Science and Engineering (CSE), Independent University at Bangladesh, Dhaka, Bangladesh; https://ieeexplore.ieee.org/document/11063272/; Zero-day attack detection; deep reinforcement learning; cybersecurity; network intrusion detection systems; internet; unseen attack generalization |
| spellingShingle | Khorshed Alam; Md Fahad Monir; Md Junayed Hossain; Mohammad Shorif Uddin; Md. Tarek Habib; Adaptive Defense: Zero-Day Attack Detection in NIDS With Deep Reinforcement Learning; IEEE Access; Zero-day attack detection; deep reinforcement learning; cybersecurity; network intrusion detection systems; internet; unseen attack generalization |
| title | Adaptive Defense: Zero-Day Attack Detection in NIDS With Deep Reinforcement Learning |
| title_full | Adaptive Defense: Zero-Day Attack Detection in NIDS With Deep Reinforcement Learning |
| title_fullStr | Adaptive Defense: Zero-Day Attack Detection in NIDS With Deep Reinforcement Learning |
| title_full_unstemmed | Adaptive Defense: Zero-Day Attack Detection in NIDS With Deep Reinforcement Learning |
| title_short | Adaptive Defense: Zero-Day Attack Detection in NIDS With Deep Reinforcement Learning |
| title_sort | adaptive defense zero day attack detection in nids with deep reinforcement learning |
| topic | Zero-day attack detection; deep reinforcement learning; cybersecurity; network intrusion detection systems; internet; unseen attack generalization |
| url | https://ieeexplore.ieee.org/document/11063272/ |
| work_keys_str_mv | AT khorshedalam adaptivedefensezerodayattackdetectioninnidswithdeepreinforcementlearning AT mdfahadmonir adaptivedefensezerodayattackdetectioninnidswithdeepreinforcementlearning AT mdjunayedhossain adaptivedefensezerodayattackdetectioninnidswithdeepreinforcementlearning AT mohammadshorifuddin adaptivedefensezerodayattackdetectioninnidswithdeepreinforcementlearning AT mdtarekhabib adaptivedefensezerodayattackdetectioninnidswithdeepreinforcementlearning |