The methodology of this study is novel in that malicious network traffic is identified with an unsupervised contrastive-learning method. The approach aims to outperform both existing supervised and unsupervised detectors, and the authors compare detection strategies for identifying malicious traffic using the area under the curve (AUC) as the primary metric.
Supervised techniques that label malicious network data for classification exist; the method adopted in this study, however, is unsupervised. ContraMTD therefore needs no labeled data and offers a straightforward way to recognize emerging threats, since detection does not depend on examples of previously seen attacks.
The approach uses contrastive learning to pinpoint anomalous patterns in network traffic without labeled data. It also addresses the drawbacks of relying on a single validation point in network traffic analysis. To improve detection precision, the authors integrate graph edge attention (GEAT) to exploit the characteristics of each dataset, which strengthens the model's capacity to capture intricate network datasets.
The proposed approach, ContraMTD, is evaluated on three distinct datasets, including CICIDS2018. It performs best across all metrics on CICIDS2018, reaching an F1 score of 94.82 and an AUC of 96.48 [1].
Compared with Rosetta-IF, Kitsune, CPS-Guard and AutoML-MD, ContraMTD is more effective: it improves AUC over Rosetta-IF by between 3.74 and 13.12 points and stays at least 9.79 AUC points above Kitsune and CPS-Guard [1].
The paper discusses open challenges: scaling to networks of tens of thousands of devices, and the possibility that attackers evade detection by shaping their traffic to follow normal patterns (a mimicry risk inherent to any anomaly detector trained on benign behaviour). Future work aims to address these by partitioning large graphs and possibly applying federated learning [2].
ContraMTD's computational complexity and run time are slightly higher than those of some models, but it delivers notable performance gains for that modest increase. Its time overhead is, however, lower than that of Kitsune and Rosetta-IF, even where those models perform marginally better [3].
Experiments on the CICIDS2018 and Real-MTU datasets show that tuning specific hyper-parameters, such as the compression dimension and the number of scoring rounds, improves ContraMTD's performance. Too many dimensions or clusters, however, degrades it [4,5].
Incorporating a dynamic edge-graph attention network (DE-GAT) significantly raises both the F1 score and AUC by concentrating on critical sessions and channels. The clustering strategy also reduces false negatives in contrastive learning, i.e. same-class samples that a plain contrastive objective would treat as negatives and push apart [6].
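To make the two mechanisms above concrete (unsupervised contrastive scoring of sessions, and the cluster strategy that removes false-negative pairs from the contrastive objective), here is an added toy example. It is not ContraMTD's code: the session embeddings are hand-constructed 3-dimensional vectors standing in for encoder outputs, the augmentation is a hypothetical small jitter, and the clustering is a minimal k-means. It also shows how an anomaly score over a benign-only training set is turned into the AUC that the paper reports.

```python
"""Toy contrastive anomaly scoring with cluster-aware negative masking.

Constructed example, not the ContraMTD implementation. Embeddings are
hand-written vectors; everything is plain Python so it runs offline.
"""
import math
from typing import List, Sequence

Vector = Sequence[float]

# Constructed benign training embeddings: three "web-like" and three
# "DNS-like" sessions (the encoder that would produce them is assumed).
BENIGN: List[Vector] = [
    (0.95, 0.05, 0.10), (0.90, 0.10, 0.05), (0.92, 0.08, 0.12),
    (0.05, 0.95, 0.10), (0.10, 0.90, 0.08), (0.08, 0.92, 0.11),
]
# Constructed test set: (embedding, label) with 1 = malicious.
TEST = [
    ((0.93, 0.07, 0.09), 0), ((0.07, 0.93, 0.10), 0),
    ((0.10, 0.12, 0.95), 1), ((0.50, 0.50, 0.70), 1),
]


def cosine(a: Vector, b: Vector) -> float:
    dot = sum(x * y for x, y in zip(a, b))
    return dot / (math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(x * x for x in b)))


def kmeans_labels(points: List[Vector], k: int, rounds: int = 10) -> List[int]:
    """Minimal Lloyd's k-means seeded with the first k points; returns a cluster id per point."""
    centroids = [list(p) for p in points[:k]]
    labels = [0] * len(points)
    for _ in range(rounds):
        labels = [min(range(k), key=lambda c: sum((x - y) ** 2 for x, y in zip(p, centroids[c])))
                  for p in points]
        for c in range(k):
            members = [p for p, lab in zip(points, labels) if lab == c]
            if members:
                centroids[c] = [sum(col) / len(members) for col in zip(*members)]
    return labels


def info_nce(anchor: Vector, positive: Vector, pool: List[Vector], pool_labels: List[int],
             anchor_label: int, temperature: float = 0.1, mask_same_cluster: bool = True) -> float:
    """InfoNCE loss for one anchor and its augmented positive view.

    Every pool entry is a candidate negative. With mask_same_cluster=True,
    entries in the anchor's own cluster are dropped: they are likely false
    negatives (benign sessions of the same kind) that a plain contrastive
    objective would wrongly push away from the anchor.
    """
    pos = math.exp(cosine(anchor, positive) / temperature)
    neg = 0.0
    for emb, lab in zip(pool, pool_labels):
        if emb is anchor or (mask_same_cluster and lab == anchor_label):
            continue
        neg += math.exp(cosine(anchor, emb) / temperature)
    return -math.log(pos / (pos + neg))


def anomaly_score(session: Vector, benign: List[Vector]) -> float:
    """Unsupervised score: distance to the closest benign embedding (higher = more anomalous)."""
    return 1.0 - max(cosine(session, b) for b in benign)


def roc_auc(scores: List[float], labels: List[int]) -> float:
    """AUC via the Mann-Whitney U statistic, using average ranks for tied scores."""
    order = sorted(range(len(scores)), key=lambda i: scores[i])
    ranks = [0.0] * len(scores)
    i = 0
    while i < len(order):
        j = i
        while j + 1 < len(order) and scores[order[j + 1]] == scores[order[i]]:
            j += 1
        avg_rank = (i + j) / 2 + 1  # 1-based average rank of the tie group
        for idx in order[i:j + 1]:
            ranks[idx] = avg_rank
        i = j + 1
    n_pos = sum(labels)
    n_neg = len(labels) - n_pos
    rank_sum_pos = sum(r for r, lab in zip(ranks, labels) if lab == 1)
    return (rank_sum_pos - n_pos * (n_pos + 1) / 2) / (n_pos * n_neg)


def loss_with_and_without_mask() -> tuple:
    """Loss for one web-like anchor with same-cluster negatives kept vs. masked."""
    labels = kmeans_labels(BENIGN, k=2)
    anchor = BENIGN[0]
    positive = (0.94, 0.06, 0.11)  # hypothetical augmented view of the anchor
    unmasked = info_nce(anchor, positive, BENIGN, labels, labels[0], mask_same_cluster=False)
    masked = info_nce(anchor, positive, BENIGN, labels, labels[0], mask_same_cluster=True)
    return unmasked, masked


def test_set_auc() -> float:
    scores = [anomaly_score(emb, BENIGN) for emb, _ in TEST]
    return roc_auc(scores, [lab for _, lab in TEST])


if __name__ == "__main__":
    print("cluster ids:", kmeans_labels(BENIGN, k=2))
    print("InfoNCE unmasked / masked:", loss_with_and_without_mask())
    print("AUC on constructed test set:", test_set_auc())
```

The masked loss is always the smaller of the two here, because the two other web-like sessions no longer appear in the denominator; on real traffic this is the difference between the encoder learning "web sessions are all alike" and being trained to separate them from each other. The AUC routine is the rank-based form, so it copes with tied anomaly scores, which are common when many sessions share a nearest benign neighbour.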
Together, these findings establish ContraMTD as a potent and reliable approach for detecting malicious network activity without labeled data, making it a valuable asset for network security.