The field of cybersecurity has seen a substantial
transformation, transitioning from rule-based systems
to solutions driven by machine learning. This
transition allows specialists to identify abnormal
traffic patterns with exceptional efficiency and
accuracy.
Among the various ML paradigms, supervised
learning methods such as Support Vector Machines
(SVMs) (Kong, 2017; Cao, 2020; Ma, 2021), K-
Nearest Neighbors (Maniriho, 2020) and Random
Forest (Assiri, 2021) have been extensively utilized
for network anomaly detection. These methods
fundamentally utilize labeled datasets to guide
models in differentiating between normal and
anomalous traffic patterns. While these approaches
have proven effective, they depend heavily on large
and accurately annotated datasets, which, in
practical application scenarios, may incur costs that
exceed expectations (Salman, 2020).
In order to overcome the constraints of supervised
learning, researchers have explored the use of
unsupervised and semi-supervised learning
approaches. The benefit of these techniques resides in
their capacity to leverage data without requiring
labels, enabling the identification of new or intricate
attacks that may not be recorded by current datasets
(Nguyen, 2020; Vikram, 2020; Dong, 2021).
Two further promising techniques include Deep
Learning (DL) and Reinforcement Learning (RL). DL,
a specialized subset of ML, leverages the properties
of its multi-layer neural networks to tackle intricate
problems in network traffic analysis. By utilizing
automatic learning algorithms to extract feature
representations from data, deep learning
demonstrates its superiority in capturing nuanced
differences and complex patterns in high-dimensional
spaces (Hwang, 2020; Qiu, 2022). RL, a promising
machine learning paradigm, allows models to learn
the best actions by interacting with their environment
and performing anomaly detection tasks in a dynamic
manner. RL models can efficiently navigate the
extensive and diverse range of network behaviors by
constantly adjusting to observed network traffic
conditions and striving to maximize the total rewards
(Dong, 2021).
This literature review surveys the use of different
machine learning paradigms in the field of network
anomaly detection. It examines recent studies and
their techniques to identify the benefits,
constraints, and promise of each strategy for
advancing more flexible network security measures.
2 METHODS
2.1 Supervised Learning
2.1.1 SVMs
Support Vector Machines are a family of supervised
learning models that are frequently used for both
classification and regression. They operate by
finding the optimal hyperplane that separates
distinct classes within the feature space. Through
the kernel trick, SVMs handle both linearly and
non-linearly separable data, maximizing the margin
between the hyperplane and the nearest data points of
each class (the support vectors). This strategy
improves the model's ability to generalize, making
SVMs useful for a wide range of applications,
particularly in high-dimensional settings.
Consequently, numerous researchers favor this
supervised learning method for detecting anomalous
traffic.
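As an added illustration of how such a traffic classifier is assembled (example code written for this review, not code from any of the surveyed systems), the following Python pipeline aggregates packets into flows by IP and port, extracts per-flow statistics, min-max scales them, and trains a one-against-all set of SVMs. The packets and labels are constructed, and a linear-kernel SVM trained with Pegasos subgradient descent stands in for the tuned kernel SVMs used in the papers discussed below.

```python
# Added example (not code from the surveyed papers): flow aggregation, per-flow
# statistics, min-max scaling and a one-against-all linear SVM (Pegasos descent).
from collections import defaultdict

# Constructed packets: (timestamp, src_ip, dst_ip, src_port, dst_port, bytes)
PACKETS = [
    (0.00, "10.0.0.5", "10.0.0.9", 40001, 80, 500),
    (0.10, "10.0.0.5", "10.0.0.9", 40001, 80, 1400),
    (0.30, "10.0.0.5", "10.0.0.9", 40001, 80, 1400),
    (0.00, "10.0.0.7", "10.0.0.9", 51000, 22, 60),
    (0.01, "10.0.0.7", "10.0.0.9", 51001, 22, 60),
    (0.02, "10.0.0.7", "10.0.0.9", 51002, 22, 60),
]
FLOW_LABELS = ["normal", "scan", "scan", "scan"]  # constructed, one per flow, first-seen order

def packets_to_flows(packets):
    """Group packets into flows keyed by (src_ip, dst_ip, src_port, dst_port)."""
    flows = defaultdict(list)
    for ts, sip, dip, sport, dport, size in packets:
        flows[(sip, dip, sport, dport)].append((ts, size))
    return flows

def flow_features(pkts):
    """Per-flow statistics: packet count, total bytes, mean packet size, duration."""
    sizes, times = [s for _, s in pkts], [t for t, _ in pkts]
    return [len(sizes), sum(sizes), sum(sizes) / len(sizes), max(times) - min(times)]

def min_max_scale(rows):
    """Scale every feature column to [0, 1] so byte counts do not dominate the margin."""
    lo, hi = [min(c) for c in zip(*rows)], [max(c) for c in zip(*rows)]
    return [[(v - l) / (h - l) if h > l else 0.0 for v, l, h in zip(r, lo, hi)] for r in rows]

def train_linear_svm(X, y, lam=0.01, epochs=200):
    """Pegasos subgradient descent on the hinge loss; y in {-1, +1}. Returns (w, b)."""
    w, b = [0.0] * len(X[0]), 0.0
    for t, (xi, yi) in enumerate(list(zip(X, y)) * epochs, start=1):
        eta = 1.0 / (lam * t)
        margin = yi * (sum(wj * xj for wj, xj in zip(w, xi)) + b)
        w = [(1 - eta * lam) * wj for wj in w]       # regularisation shrink step
        if margin < 1:                               # inside the margin: hinge loss active
            w = [wj + eta * yi * xj for wj, xj in zip(w, xi)]
            b += eta * yi
    return w, b

def one_against_all(X, labels):
    """Train one binary SVM per class; predict the class whose SVM scores highest."""
    models = {c: train_linear_svm(X, [1 if l == c else -1 for l in labels]) for c in set(labels)}
    return lambda x: max(models, key=lambda c: sum(a * v for a, v in zip(models[c][0], x)) + models[c][1])

def classify_flows(packets=PACKETS, labels=FLOW_LABELS):
    """Run the full pipeline and return the predicted class of every flow, in flow order."""
    X = min_max_scale([flow_features(p) for p in packets_to_flows(packets).values()])
    predict = one_against_all(X, labels)
    return [predict(x) for x in X]
```

With the constructed data, the single HTTP flow is classified as normal and the three one-packet SSH flows as scan; on real traffic the flow key and label set would come from the capture and the analyst's ground truth.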
For instance, Kong et al. develop an Abnormal
Traffic Identification System (ATIS) employing an
SVM classifier. This system integrates four key
components: data collection, flow feature extraction,
data processing, and SVM classification. The
methodology focuses on capturing network traffic,
aggregating packets into flows based on IP and port
information, extracting relevant statistical features,
and then transforming these into a format suitable for
SVM classification. The SVM classifier, enhanced by a
"one-against-all" multi-classification strategy and
optimized through kernel parameter tuning and
feature scaling, is used to distinguish between
normal traffic and various types of attack traffic,
demonstrating the effectiveness of SVMs in network
security applications (Kong, 2017). In another study,
carried out by Jie Cao et al., the authors introduce
two principal methodological advancements for network
traffic classification using SVMs. First, a hybrid
Filter-Wrapper feature selection technique is
developed to reduce feature dimensionality while
retaining the optimal feature subset, addressing a
limitation of traditional feature selection methods
by preventing the false exclusion of significant
combined features. Second, an improved parameter
optimization algorithm based on a refined grid search
dynamically adjusts the search area and mesh density,
tuning the SVM parameters to enhance classification
accuracy and prevent overfitting (Cao, 2020). Qian Ma
et al. also
provide SVM-L, a sophisticated anomaly detection
model that utilizes a combination of data
transformation and a novel hyper-parameter