Anomaly Detection in Cybersecurity: Unsupervised, Graph-Based and Supervised Learning Methods in Adversarial Environments

Machine learning for anomaly detection has become a widely researched field in cybersecurity. Inherent to today's operating environment is the practice of adversarial machine learning, which attempts to circumvent machine learning models. In this work, we examine the feasibility of unsupervised learning and graph-based methods for anomaly detection in the network intrusion detection system setting, as well as leverage an ensemble approach to supervised learning of the anomaly detection problem. We incorporate a realistic adversarial training mechanism when training our supervised models to enable strong classification performance in adversarial environments. Our results indicate that the unsupervised and graph-based methods were outperformed in detecting anomalies (malicious activity) by the supervised stacking ensemble method with two levels. This model consists of three different classifiers in the first level, followed by either a Naive Bayes or Decision Tree classifier for the second level. We see that our model maintains an F1-score above 0.97 for malicious samples across all tested level two classifiers. Notably, Naive Bayes is the fastest level two classifier averaging 1.12 seconds while Decision Tree maintains the highest AUC score of 0.98.