Cluster and conquer: Malicious traffic classification at the edge

Alec F. Diallo, Paul Patras

Research output: Contribution to journal › Article › peer-review

Abstract

The uptake of digital services and IoT technology gives rise to increasingly diverse cyber attacks, with which commonly used rule-based Network Intrusion Detection Systems (NIDSs) struggle to cope. Artificial Intelligence (AI) therefore supports a second line of defense, since it helps extract non-obvious patterns from network traffic and subsequently detect new types of threats with greater confidence. Cybersecurity is however an arms race, and intelligent solutions face renewed challenges as attacks evolve while network traffic volumes surge. We propose Adaptive Clustering-based Intrusion Detection (ACID), a novel approach to malicious traffic classification and a valid candidate for deployment at the network edge. ACID addresses the critical challenge of sensitivity to subtle changes in traffic features, which routinely leads to misclassification. We circumvent this problem by relying on low-dimensional embeddings learned with a lightweight neural model, comprising multiple kernel networks that we introduce, which optimally separates samples of different classes. Extensive experiments with datasets spanning 20 years demonstrate that ACID attains 100% accuracy and F1-score and a 0% false alarm rate, significantly outperforming state-of-the-art clustering methods and NIDSs. Furthermore, our results show that ACID offers a high degree of robustness to input perturbations, while intrinsically providing a framework for continual learning.
Original language: English
Pages (from-to): 2700-2714
Number of pages: 15
Journal: IEEE Transactions on Network and Service Management
Volume: 21
Issue number: 3
DOIs
Publication status: Published - 13 Dec 2023

Keywords

  • network intrusion detection
  • kernel-based clustering
  • deep learning
  • continual learning

Related project

  • ARM Centre of Excellence
    Principal Investigator: O'Boyle, M.
    Funder: Arm Ltd
    Duration: 1/06/15 - 30/06/29
    Project: Research
