Detect, Decide, Explain: An Intelligent Framework for Zero-Day Network Attack Detection
摘要
The growing complexity and diversity of network traffic have made the detection of previously unseen cyberattacks a critical challenge. While supervised learning models perform well on known threats, they often fail to generalise to novel attack types. In earlier work, we introduced the Unknown Network Attack Detector (UNAD), an unsupervised ensemble-based framework trained exclusively on benign traffic to detect anomalies. This paper presents an enhanced version of UNAD, referred to as UNAD+, which incorporates three key improvements. First, a Weighted Majority Voting (WMV) mechanism replaces majority voting to prioritise stronger detectors and eliminate ambiguous predictions. Second, a supervised refinement stage is introduced, where pseudo-labelled anomalies are used to train a secondary classifier that improves detection accuracy and reduces false positives. Third, a post-hoc explainability layer is added, combining LIME and surrogate tree modelling to provide both local and global interpretability of the system’s decisions. Evaluations on CICIDS2017 and NSL-KDD show that UNAD+ substantially improves detection performance compared with the original UNAD baseline, achieving an F1-score of up to 98.25% and reducing false positives by over 98%, while enhancing transparency and operational suitability through integrated explainability.