Article

Comparative Evaluation of AI-Based Techniques for Zero-Day Attacks Detection

Shamshair Ali, Saif Ur Rehman, Azhar Imran, Ghazif Adeem, Zafar Iqbal and Ki-Il Kim

1 University Institute of Information Technology (UIIT), Pir Mehr Ali Shah Arid Agriculture University, Rawalpindi 46000, Pakistan
2 Department of Creative Technologies, Air University, Islamabad 44000, Pakistan
3 Department of Cyber Security, Air University, Islamabad 44000, Pakistan
4 Department of Computer Science and Engineering, Chungnam National University, Daejeon 34134, Republic of Korea

Accepted: 25 November 2022. Copyright: © 2022 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license.

Correspondence:
[email protected]
Abstract: Many intrusion detection and prevention systems (IDPS) have been introduced to identify suspicious activities. However, since attackers exploit new vulnerabilities in systems and employ more sophisticated advanced cyber attacks, these zero-day attacks remain hidden from IDPS in most cases. This has motivated many researchers to propose different artificial intelligence-based techniques to prevent, detect, and respond to such advanced attacks. It has also created a need for a comprehensive comparison of the existing schemes in several respects; after a thorough study, we found that no detailed comparative analysis of the artificial intelligence-based techniques published in the last five years currently exists. There is therefore a need for such work, since comparative analyses in other fields of cyber security are already available for readers to review. In this paper, we provide a comprehensive review of the most recent literature, introducing well-known machine learning and deep learning algorithms and the challenges they face in detecting zero-day attacks. Following this qualitative analysis, we present comparative evaluation results regarding the highest accuracy, precision, recall, and F1 score reported on different datasets.

Keywords: zero-day attacks; artificial intelligence; machine learning; deep learning; cyber security

1. Introduction

The trend of adopting the Internet and online services has increased exponentially [1]. Technological advances have changed how people work, communicate, and socialize [2]. The Internet has become an integral part of daily life, making it easy to access any information, enabling global communication, and serving as a source of entertainment. The primary goal of the Internet is to transmit data from one end of the network (node) to another end (node) over the network.
The Internet can be defined as an interconnected network of hundreds of thousands of networks, computers, and associated devices. The transformation, evolution, and invention of modern devices and gadgets such as IoT devices have significantly increased Internet usage worldwide. However, malware can cause disturbance in IoT devices [3]. With all these benefits, there is a scary aspect to the Internet: the privacy and security concerns that most people face online. As Internet usage and the number of devices increase daily, security issues are also dramatically increasing. This is why the Internet has become the playground of cybercriminals [4]. They probe entire networks to find the security loopholes and vulnerabilities that exist in them. Cyberspace is continuously intruded upon, and malicious attacks are made against systems and services of every kind [5-8]. A system can be considered secure if it ensures the CIA triad, which comprises three main components: confidentiality, integrity, and availability.

Electronics 2022, 11, 3934. https://doi.org/10.3390/electronics11233934 https://www.mdpi.com/journal/electronics

Privacy and confidentiality are substantially identical concepts. Measures for maintaining confidentiality are intended to guard against unauthorized access to sensitive data. To ensure confidentiality, organizations employ encryption and access control techniques so that data can be accessed and read only by the relevant individuals. Integrity, in contrast, uses techniques such as hashes and cyclic redundancy checks (CRC) to verify that nobody has tampered with data at rest or in transit; note that an unkeyed hash or CRC only detects accidental corruption, since an attacker who modifies the data can simply recompute it, so tamper evidence against a deliberate adversary requires a keyed MAC or a digital signature. Availability ensures that end systems and networks remain available to legitimate users; organizations use techniques such as fail-safe systems and distributed deployment to ensure 24/7 availability of resources.
Integrity is the upkeep of data throughout its life cycle in terms of consistency, accuracy, and dependability. The security and integrity of a system are said to be compromised whenever an illegal activity, destructive program, or unauthorized entity enters a computer or network to cause harm [9]. There is no universally accepted definition of cyber security, but within the scope of this article it can be stated that cyber security is the set of tools, techniques, devices, and approaches that can be used to safeguard cyberspace [10,11].

Historically, signature-based and rule-based algorithms have produced effective results in identifying traditional cyber attacks that exhibit discriminating patterns [12-14], commonly known as signatures or fingerprints. Nowadays, cyber attacks are advanced and persistent, and are termed Advanced Persistent Threats (APT). Such attacks can change memory [15], interact between components [6,16], communicate with command and control [17], activate threads and open files [5], and perform packet routing [17]. Therefore, to cope with such advanced threats, machine learning algorithms help to develop accurate and reasonably precise predictions of future events and circumstances and of how to act intelligently in those circumstances [18,19]. In general, machine learning attempts to learn how to produce better and more advantageous outcomes in the future. Figure 1 briefly shows what a zero-day timeline looks like: the developer releases software that can be accessed by the public; hackers find the zero-day vulnerabilities and exploit them to take control of the system; the developer is notified about the bugs, fixes them, and creates patches.

Figure 1. Zero-day real-life scenario.

According to Ref. [20], Deep Learning (DL) comes under the umbrella of machine learning (ML), comprising multiple hidden artificial neural network (ANN) layers.
Its methodology includes applying high-level model abstractions and non-linear transformations to large databases. Deep learning algorithms allow computational models made up of multiple processing layers to learn data representations at multiple levels of abstraction [21]. Deep learning tries to find complex structures in large datasets using the back-propagation algorithm, which indicates how to adjust the internal parameters used for computing each layer's representation from the previous layer's representation. DL techniques can be applied to many technical problems rather than to one usual task, in order to save resources and time [22].

A serious threat is posed by zero-day attacks to the security of the Internet, since zero-day vulnerabilities are used to exploit computer systems. A zero-day attack can be described as "a traffic pattern of interest that, in general, has no matching patterns in malware or attack detection elements in the network", as stated by the authors of Ref. [23]. Zero-day attacks of unknown nature (previously undisclosed) are taken advantage of by attackers, who combine them with other complex attacks to avoid detection by intrusion detection techniques, thus making these attacks harder to defend against. Zero-day attacks can come in many variations, such as polymorphic worms, viruses, Trojans, network attacks, and other malware. Blended attacks are attacks that are effective but go undetected, and polymorphic worms are sometimes not detected either. This comprises sophisticated mutations for evading target defenses, targeted exploitation to directly attack specific hosts, multiple active, passive, and scanning techniques for discovering vulnerabilities, dropping shells on compromised hosts for a future connection, and other post-exploitation techniques [24].
The schematic for a zero-day attack detection process is given in Figure 2. Researchers have also demonstrated that zero-day attacks are often used but are not apparent, as 11 out of 18 attacks were identified as previously unknown [25]. Their investigation shows that a zero-day attack can be present in a compromised system for an extended period (10 months on average) before the security team can even detect it. The authors of Ref. [25] refer to a statistical study showing that more than 62% of attacks are detected only after the system is compromised. Furthermore, zero-day attacks are becoming more and more unpredictable as their number gradually increases [27].

According to Ref. [28], anomaly-based techniques study the ordinary and usual network traffic and the entire network flow and try to find anomalies that do not conform to the usual traffic pattern. This behavior makes them a good candidate for detecting zero-day attacks. Network traffic and activity vary from user to user, which makes it harder for attackers to know which activities they can perform undetected. Signatures for misuse detectors can be defined from the data on which anomaly-based techniques raise alerts. The anomaly-based approach results in high false alarm rates, since previously unseen but legitimate traffic can be classified as an anomaly.

Figure 2. Zero-day attack detection process.

According to Ref. [29], an attack graph represents previously disclosed knowledge about vulnerabilities, network connectivity, and the dependencies between vulnerabilities. An attack graph can track vulnerabilities, dependencies, and attack paths without losing any information. The resulting graph has no redundant vertices and is of polynomial size, bounded by the number of vulnerabilities multiplied by the number of connected host pairs.
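To make the attack-graph model of Ref. [29] concrete, the following is an added example; it is not code from the paper or from any of the works it reviews. One vertex is created per exploit instance (vulnerability type, source host, target host), which exists when the source can reach the target and the target carries that vulnerability; this is what keeps the graph free of redundant vertices and bounds its size by the number of vulnerability types times the number of connected host pairs, as stated above. An edge joins two exploits when the foothold gained by the first is the host the second is launched from, and a breadth-first search extracts attack paths from the attacker's host to a target. The host names, vulnerability identifiers, reachability relation and the assumption that an attacker never re-compromises a host already held (a monotone attacker) are all constructed for illustration. It also serves as a concrete instance of the host-as-node, connectivity-as-edge convention discussed in Section 2.2.

```python
from collections import deque

# Constructed example (hypothetical host names, vulnerability identifiers and reachability).
# Each host carries the vulnerability types an attacker can exploit remotely to gain a foothold.
HOSTS = {
    "attacker": set(),
    "web": {"VULN-A"},
    "app": {"VULN-B", "VULN-C"},
    "db":  {"VULN-B"},          # the same vulnerability type may appear on several hosts
}
# Directed reachability between hosts (what the firewalls allow).
REACH = {
    "attacker": {"web"},
    "web": {"app"},
    "app": {"db", "web"},
    "db":  {"app"},
}


def exploit_vertices(hosts, reach):
    """One vertex per exploit instance (vuln, src, dst): src can reach dst and dst carries vuln.
    Each instance appears once, so there are no redundant vertices and at most
    |vulnerability types| x |connected host pairs| of them."""
    return sorted(
        (v, src, dst)
        for src, dsts in reach.items()
        for dst in dsts
        for v in hosts[dst]
    )


def build_attack_graph(hosts, reach):
    """Edge e1 -> e2 when the foothold e1 yields (its dst) is the host e2 is launched from (its src)."""
    vertices = exploit_vertices(hosts, reach)
    edges = {e: [] for e in vertices}
    for e1 in vertices:
        for e2 in vertices:
            if e1[2] == e2[1]:
                edges[e1].append(e2)
    return vertices, edges


def size_bound(hosts, reach):
    """The polynomial bound quoted in the text: #vulnerability types x #connected host pairs."""
    n_vuln_types = len(set().union(*hosts.values()))
    n_pairs = sum(len(dsts) for dsts in reach.values())
    return n_vuln_types * n_pairs


def attack_paths(hosts, reach, attacker, target):
    """Breadth-first enumeration of exploit chains starting from `attacker` and ending
    with a foothold on `target`. A host already owned is never compromised again
    (monotone attacker, an assumption of this example)."""
    vertices, edges = build_attack_graph(hosts, reach)
    queue = deque([[e] for e in vertices if e[1] == attacker])
    paths = []
    while queue:
        path = queue.popleft()
        owned = {attacker} | {e[2] for e in path}
        if path[-1][2] == target:
            paths.append(path)
            continue
        for nxt in edges[path[-1]]:
            if nxt[2] not in owned:
                queue.append(path + [nxt])
    return paths


def describe(path):
    return " -> ".join(f"{src}->{dst}:{v}" for v, src, dst in path)


if __name__ == "__main__":
    vertices, edges = build_attack_graph(HOSTS, REACH)
    n_edges = sum(len(e) for e in edges.values())
    print(f"{len(vertices)} vertices, {n_edges} edges, size bound {size_bound(HOSTS, REACH)}")
    for p in attack_paths(HOSTS, REACH, "attacker", "db"):
        print(describe(p))
```

On the constructed network the graph has 7 exploit vertices against a bound of 15, and two attack paths reach the database host, both entering through VULN-A on the web server and pivoting through the application server via either VULN-B or VULN-C; those two pivots are the vulnerabilities whose patching severs every path, which is the kind of prioritization an attack graph is built to support.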
The most common and effective way of detecting zero-day attacks is the Intrusion Detection System (IDS). IDS copes well with the exponential rise in zero-day attacks, but it still shows a deficiency compared to the detection of previously known attacks [30,31]. Such attacks either take advantage of a new vulnerability in the system or exploit a previous vulnerability in a new way that no IDS can detect, because it does not match any of the existing known signatures. The growth of Internet devices often exposes systems to brand-new attacks, which drives the growth of hacking activity. In such scenarios, the likelihood of a zero-day attack becomes higher and higher. To design effective and efficient IDS, ML and DL techniques have been widely used to improve system performance [31,32].

This paper focuses specifically on zero-day attack detection techniques using different AI-based algorithms. It gives insights into previously used zero-day attack detection techniques as well as techniques used in recent years. A brief introduction of the techniques with their performance is also given in the final sections. Not much up-to-date comparative research has been done in recent years from the perspective of zero-day attacks, which is why we chose to work on this area, so as to show the latest and current techniques.

This paper is structured as follows: Section 2 contains a literature review along with a brief introduction of datasets, models, and algorithms. Section 3 provides a comparative analysis of state-of-the-art studies. Section 4 covers the limitations of existing studies. Finally, the conclusion and future directions to mitigate zero-day attacks are provided in Section 5.

2. Literature Review

Zero-day attack detection approaches are subdivided into anomaly-based, graph-based, and AI-based, as shown in Figure 3. The details of these approaches are provided in the subsequent sections.
Figure 3. Zero-day attack detection approaches (anomaly-based, graph-based, and AI-based detection; the AI-based branch covers detection models, evaluation metrics, and the main datasets).

2.1. Anomaly-Based

The anomaly-based detection approach in Ref. [33] uses logistic regression over chaotic invariants, for example entropy and correlation dimension, which are non-linear intrinsic features of the traffic. The authors stated that machine learning algorithms can use these properties, which are largely responsible for generating prominent attributes. The proposed scheme is of limited suitability, as it is best at detecting attacks that specifically hit buffer overflows, packet contents, or other associated exploitable vulnerabilities.

Another zero-day detection technique was proposed by Duessel et al. in Ref. [34], which works with a new data representation known as cn-grams at the application layer. Both syntactic and sequential attributes of the payload were combined in a joint feature space. After training a model of global normality, similarity is computed between the syntax-level attributes of the mapped byte messages using this data representation. Detection is determined by comparing a message against the trained model and assigning a score for the extent to which its behavior is found to be anomalous.

Moon et al. [35] proposed a host-based detection system for secure human-centric computing. A total of 39 features were defined in 7 categories, i.e., file system, process, registry, thread, etc., to detect whether a process running on a host system is malicious. Features taken from the host PC were stored in a separately created database. A decision tree was used to classify whether a program was malicious, using a feature vector built from the features in the database.
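An added example of the anomaly-based approach described above (it is not code from the paper or from the works it reviews): it models normal traffic with one of the chaotic invariants Ref. [33] uses, the Shannon entropy of destination ports per time window, learns a baseline (mean and standard deviation) from known-benign windows, flags any window whose entropy deviates from that baseline by more than a fixed number of standard deviations, and then scores the decisions against ground truth with the confusion matrix and the accuracy, precision, recall and F1 metrics that this paper compares across studies. The flow records, the window labels and the threshold (two standard deviations) are constructed for illustration. The fourth test window is benign but carries a service the baseline never saw, and shows the false-alarm behavior noted in the Introduction; the last assertion in the usage note below uses the NF-UNSW-NB15 benign/attack counts reported in Section 2.3.2 to show why accuracy alone is a poor metric on such imbalanced data.

```python
import math
from collections import Counter


def port_entropy(ports):
    """Shannon entropy (bits) of the destination-port distribution of one window."""
    counts = Counter(ports)
    total = sum(counts.values())
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def baseline(windows):
    """Mean and (population) standard deviation of entropy over known-benign training windows."""
    values = [port_entropy(w) for w in windows]
    mean = sum(values) / len(values)
    var = sum((v - mean) ** 2 for v in values) / len(values)
    return mean, math.sqrt(var)


def detect(windows, mean, std, k=2.0):
    """Flag a window as anomalous when its entropy lies more than k standard deviations from the baseline.
    A port sweep pushes entropy up (many distinct ports); a single-service flood pushes it to zero."""
    return [abs(port_entropy(w) - mean) > k * std for w in windows]


def confusion_matrix(y_true, y_pred):
    """Returns (TP, FP, FN, TN) with 'attack' (True) as the positive class."""
    tp = sum(t and p for t, p in zip(y_true, y_pred))
    fp = sum((not t) and p for t, p in zip(y_true, y_pred))
    fn = sum(t and (not p) for t, p in zip(y_true, y_pred))
    tn = sum((not t) and (not p) for t, p in zip(y_true, y_pred))
    return tp, fp, fn, tn


def metrics(tp, fp, fn, tn):
    """Accuracy, precision, recall and F1 from the confusion-matrix counts."""
    accuracy = (tp + tn) / (tp + fp + fn + tn)
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    f1 = 2 * precision * recall / (precision + recall) if precision + recall else 0.0
    return {"accuracy": accuracy, "precision": precision, "recall": recall, "f1": f1}


# Constructed training windows of known-benign traffic: destination ports of 20 flows each.
TRAIN_WINDOWS = [
    [443] * 10 + [80] * 5 + [53] * 4 + [22],
    [443] * 12 + [80] * 4 + [53] * 3 + [22],
    [443] * 9 + [80] * 6 + [53] * 4 + [22],
    [443] * 11 + [80] * 5 + [53] * 3 + [22],
]
# Constructed test windows with ground-truth labels (True = attack).
TEST_WINDOWS = [
    [443] * 10 + [80] * 5 + [53] * 4 + [22],               # ordinary traffic
    list(range(1, 21)),                                     # port sweep: every flow hits a new port
    [80] * 20,                                              # flood of a single service
    [8443] * 8 + [443] * 6 + [80] * 3 + [53] * 2 + [22],   # benign, but a service never seen in training
    [443] * 12 + [80] * 4 + [53] * 3 + [22],               # ordinary traffic
]
TEST_LABELS = [False, True, True, False, False]


def run_example():
    """Train the baseline, classify the test windows and score the result."""
    mean, std = baseline(TRAIN_WINDOWS)
    preds = detect(TEST_WINDOWS, mean, std)
    cm = confusion_matrix(TEST_LABELS, preds)
    return preds, cm, metrics(*cm)


if __name__ == "__main__":
    preds, cm, m = run_example()
    print("predictions:", preds)
    print("TP, FP, FN, TN:", cm)
    print({k: round(v, 3) for k, v in m.items()})
```

On this constructed data the detector catches both attacks but also raises an alert on the benign window with the unseen service, giving a recall of 1.0 and a precision of 2/3 (F1 = 0.8). Conversely, a trivial detector that never alerts on a dataset with the NF-UNSW-NB15 class balance (2,295,222 benign versus 95,053 attack flows) scores an accuracy above 0.96 with a recall of exactly zero, which is why the precision, recall and F1 columns matter more than accuracy when the papers compared here are read side by side.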
An Outlier Dirichlet Mixture (ODM) was proposed by Moustafa et al. in Ref. [36] as a detection system for fog computing. The authors of Ref. [37] proposed a framework for detecting zero-day polymorphic worms by combining behavior-, anomaly-, and signature-based techniques. Three layers, namely analysis, detection, and resource, were used in the proposed architecture. The detection engine used both benign and malicious traffic for detecting zero-day attacks. Khan et al. [38] proposed a multilevel anomaly detection model for Supervisory Control and Data Acquisition (SCADA) systems. The core of the model relies on the expected and consistent structure of the communication between the devices in the whole setup. To construct the model, a dimensionality reduction technique was used to preprocess the data; then, a Bloom filter was used to create the signature database. Content-level detection was integrated with instance-based learning to make the model hybrid in detecting zero-day attacks.

2.2. Graph-Based

Detecting attacks through graphical models has shown improvements compared to behavior-based (anomaly-based) attack detection. Different concepts for implementing graphical models have been used, as stated by Refs. [39-41]. The authors of Ref. [42] proposed a detector for anomalies using the probability of network attack occurrences. A directed graph with nodes and edges showing the communication in the entire network can be visualized. First and foremost, a behavioral model for a stochastic attacker was introduced. Afterwards, the detector was used to compare the network probability of the attacker's behavior when attacking the host against normal conditions and compromise. For detecting variations in DDoS attacks, an architecture named DaMask was proposed by Wang et al. [43], which updates the model according to new observations based on Bayesian network inference.

An attack-graph-based zero-day attack detection system using a layered architecture was presented by Singh et al. in Ref. [44]. The proposed architecture consisted of a risk analyzer layer, a physical layer, and a path generator layer. A centralized server and database served the other layers of this architecture. An algorithm named AttackRank was proposed to find the exploitation chances in the graph. A content-based visualization framework for classifying diverse worm signatures using a Conjunction of Combinational Motifs (CCM) was devised by Bayoglu et al. in Ref. [41]. Vertices of the graph were taken to be the invariant parts of the worms. The CCM automatically generated and detected signatures of unseen (polymorphic) worms. For the discovery of an effective attack path using a compact graph, planning was suggested by Yichao et al. in Ref. [42]; the neighbor is involved in the three main steps of the proposed solution: the closure and formalism calculation, the construction of the graph, and the extraction of the attack path.

The basic building block of the approaches and techniques reviewed within this subsection is the graph, in which the edges and nodes are treated differently according to the implementation. For example, in a few works the nodes are taken to be hosts and the communication among the nodes is considered as edges. Alternatively, some researchers consider nodes as file structure instances and edges as ordinal relationships. In some approaches the likelihood of a node being malicious is based upon external evidence; in others, the likelihood of an attack occurrence is shown by comparing network traffic and its flow under attack and normal conditions. Overall, the graph is used for signature extraction in all these approaches by applying specific criteria for detecting zero-day attacks.
2.3. AI-Based Solutions

A brief introduction of various AI models, different datasets, evaluation metrics, and the various research works carried out in zero-day attack detection is provided in the following subsections.

2.3.1. Detection Models

This section briefly introduces various AI-based detection models used in zero-day attack detection.

Decision Trees

Decision trees are a supervised non-parametric machine learning approach based on a recursive tree structure that may be used for regression and classification. The goal is to predict the values of target variables by learning simple decision rules abstracted from the data attributes, creating a tree-like model. Unlike many other strategies, this approach does not need extensive data preprocessing. Furthermore, because the tree can be visualized, it is simple to comprehend and interpret. A root or intermediate node, a route (branch), and a leaf node are the three components of a decision tree. An object/attribute is represented by a root or intermediate node. Each divergent route in the tree indicates a potential value of the parent node's attribute. The leaf node represents the predicted category of the classified attribute. The resulting tree can further be depicted as if-then rules. Entropy and information gain measurements are employed to identify the best intermediate node throughout the tree-building process [45].

Random Forests

Random forest is a simple supervised learning algorithm that, in most circumstances, produces excellent results even without hyper-parameter adjustment. It is one of the most extensively used models due to its simplicity and adaptability. It may be applied to both classification and regression. It produces a "forest" from a collection of decision trees that are frequently trained by utilizing the "bagging" method [46].

Multilayer Perceptron

The multilayer perceptron (MLP) is a technique for approximating any continuous function and dealing with non-linearly separable situations.
MLP's typical uses are pattern classification, approximation, recognition, and prediction. An MLP has three kinds of layer: one input layer, one output layer, and one or more hidden layers. The input layer receives the input signal. The output layer handles tasks such as categorization and prediction. Lastly, the hidden layers, located between the input and output layers, are the MLP's underlying computational engine [47].

Bloom Filter Model

A Bloom filter is a space-efficient probabilistic data structure used to check whether an object belongs to a specific set; used for detection, it holds a database of signatures and predicts abnormal traffic based on the stored signatures [48]. It was invented by Bloom in 1970 [49] and has been widely used in various sub-domains of the IT sector, including by Google in their search engine, because it is fast and lightweight [50]. A Bloom filter can be implemented in both hardware and software. Its membership test can return false positives but never false negatives, so an item that was inserted is always recognized, while an item that was never inserted is occasionally reported as present, at a rate governed by the filter size and the number of hash functions.

Long Short-Term Memory

Long short-term memory (LSTM) [51] is a deep learning architecture based on artificial recurrent neural networks (RNNs). Unlike traditional feed-forward neural networks, an RNN has feedback connections. It can handle individual data points (such as photographs) and whole data sequences (such as videos). Voice recognition, connected handwriting recognition, unsegmented intrusion detection (IDS), and anomaly detection can all take advantage of LSTM [52,53].

Hybrid Multilevel Anomaly Detection IDS

HMLADS is a hybrid multilevel anomaly detection approach that uses the Bloom filter technique to check whether an item is part of a specific group. It stores the signatures from the network traffic and identifies malicious traffic (attacks).
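An added example (not the paper's code, nor that of HMLADS or of Khan et al. [38]) of a Bloom filter used the way the text describes, as a compact signature database: the filter is built from the signatures of known-normal SCADA-style packets, and each incoming packet is flagged when its signature is not in the set. The packet records, the signature format (a constructed "function code:register range" string), the hash construction (SHA-256 with an index salt) and the filter parameters are all assumptions for illustration. It also makes the asymmetry concrete: with a whitelist of normal signatures, the filter never raises an alert on traffic whose signature was stored (no false negatives on membership), but its false positives on membership mean an unseen, possibly malicious signature can be accepted as normal, which is why the filter size must be chosen against the number of stored signatures.

```python
import hashlib
import math


class BloomFilter:
    """Bloom filter over strings with m bits and k hash functions (SHA-256 with an index salt)."""

    def __init__(self, m_bits, k_hashes):
        self.m = m_bits
        self.k = k_hashes
        self.bits = bytearray((m_bits + 7) // 8)
        self.n = 0  # number of inserted items, used by the false-positive estimate

    def _positions(self, item):
        # k independent positions: hash the item under k different 2-byte salts.
        for i in range(self.k):
            digest = hashlib.sha256(i.to_bytes(2, "big") + item.encode()).digest()
            yield int.from_bytes(digest[:8], "big") % self.m

    def add(self, item):
        for pos in self._positions(item):
            self.bits[pos // 8] |= 1 << (pos % 8)
        self.n += 1

    def __contains__(self, item):
        # All k bits set: the item is present, or every bit was set by other items (false positive).
        return all(self.bits[pos // 8] & (1 << (pos % 8)) for pos in self._positions(item))

    def false_positive_rate(self):
        """Classic estimate (1 - e^(-kn/m))^k for a filter holding n items."""
        return (1 - math.exp(-self.k * self.n / self.m)) ** self.k


def signature(packet):
    """Constructed content signature: Modbus-style function code and the register window it touches."""
    return f"{packet['fc']}:{packet['start']}-{packet['start'] + packet['count']}"


# Constructed 'normal' SCADA traffic: the master polls and writes fixed register blocks.
NORMAL_PACKETS = [
    {"fc": 3, "start": 0, "count": 10},
    {"fc": 3, "start": 100, "count": 20},
    {"fc": 4, "start": 0, "count": 8},
    {"fc": 16, "start": 200, "count": 2},
    {"fc": 1, "start": 0, "count": 16},
]


def build_signature_db(packets, m_bits=4096, k_hashes=3):
    """Store the signature of every known-normal packet in a Bloom filter."""
    bf = BloomFilter(m_bits, k_hashes)
    for p in packets:
        bf.add(signature(p))
    return bf


def classify(bf, packets):
    """'normal' when the signature is (probably) in the database, otherwise 'alert'."""
    return ["normal" if signature(p) in bf else "alert" for p in packets]


def count_false_positives(bf, probes):
    """How many never-inserted signatures the filter nevertheless accepts as present."""
    return sum(1 for s in probes if s in bf)


if __name__ == "__main__":
    db = build_signature_db(NORMAL_PACKETS)
    test = NORMAL_PACKETS + [
        {"fc": 16, "start": 0, "count": 100},  # write to a block that is never written: alert
        {"fc": 8, "start": 0, "count": 0},     # diagnostics function never seen in training: alert
    ]
    print(classify(db, test))
    print(f"estimated false-positive rate: {db.false_positive_rate():.2e}")
    tiny = build_signature_db(NORMAL_PACKETS, m_bits=16, k_hashes=2)
    probes = [f"{fc}:{s}-{s + 7}" for fc in range(20, 30) for s in range(1000, 1020)]
    print("unseen signatures accepted by a 16-bit filter:", count_false_positives(tiny, probes))
```

With 4096 bits and three hash functions the five stored signatures give an estimated false-positive rate below 1e-6, so the two unknown packets are reported as alerts; shrinking the same filter to 16 bits keeps every normal packet classified as normal (there are still no false negatives) but accepts a large share of never-seen signatures, which for a whitelist-style detector is precisely the traffic that would pass unnoticed.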
HMLADS is explicitly designed to detect previously unknown (zero-day) attacks on SCADA systems [42].

Kalman Filter

To solve the discrete-data linear filtering problem, R. E. Kalman presented his famous statistical model in 1960, known as the Kalman filter; in his famous paper, he proposed a recursive solution to this problem. It is a set of mathematical expressions that provides a robust recursive computational solution of the least-squares method. It has played a vital role in digital computing, mainly in autonomous or assisted navigation. The Kalman filter is very powerful in different respects due to its ability to estimate present, past, and future states even when the precise nature of the modeled system is not known [54].

Zero-Shot Learning

Learning to recognize new concepts from just a description is known as zero-shot learning. A range of strategies has been offered to overcome the obstacles this creates. The authors of Ref. [55] propose a zero-shot learning strategy that requires only one line of code to implement and outperforms state-of-the-art algorithms on standard datasets. The method is built on a more general framework representing the interactions between features, attributes, and classes as a two-layer network, with the top layer's weights determined by the environment rather than learned. By recasting these approaches as domain adaptation methods, they also offer a bound on their generalization error [55].

Support Vector Data Description

Support Vector Data Description (SVDD), inspired by the support vector classifier, was proposed to solve the multidimensional outlier detection problem. By avoiding the estimation of the data density by probabilistic methods, it obtains a spherical boundary around the dataset, described by a few training objects (support vectors), which can be made more versatile and flexible by applying various kernel functions, similar to the support vector classifier. Using both real and simulated data, the authors demonstrated the features of support vector data description. They made the method robust to outliers in the training dataset and tightened the description by using negative examples [56].

Autoencoder

An autoencoder is an unsupervised deep learning technique. It deconstructs, compresses, and removes noise from the data, which minimizes the size and dimensionality of the input data. The reconstruction procedure can also restore the input's original form. The autoencoder assumes that the desired output values should be the same as the original input values. An autoencoder is made up of four primary components. An encoder is employed to learn how the data is compressed. A bottleneck then holds the fully compressed data. Furthermore, the model learns how to reconstruct data by employing the decoder. Finally, after reconstruction, it measures the reconstruction loss and determines how close the output is to the desired output values [57].

Convolutional Neural Networks

Convolutional neural networks (CNNs) are multilayer neural networks that are an extension of feed-forward artificial neural networks (ANNs) [58]. Convolution is a linear mathematical operation between matrices, which is how the CNN got its name. The convolutional layer, non-linearity layer, pooling layer, and fully connected layer are some of the layers of a CNN. The pooling and non-linearity layers have no parameters, but the convolutional and fully connected layers do. In ML problems, CNNs perform admirably. Awe-inspiring results were obtained in applications dealing with image data, such as the world's most extensive image classification data collection (ImageNet), computer vision, natural language processing (NLP) [59], drug discovery [60], and anomaly detection [61,62]. A CNN retrieves higher-resolution features and transforms them into more complex features as the resolution decreases. CNN architectures such as ZFNet [63], GoogLeNet [64], and ResNet [65] are widely employed.

Reinforcement Learning

Reinforcement learning (RL), a subdomain of machine learning, is sometimes referred to as learning with a critic, because there is always feedback to the algorithm about any incorrect prediction. However, the algorithm is not told how to solve the problem; instead, it must consider and test various options until it discovers the true solution [66]. This process is based on a system of rewards and penalties. RL is the closest approach to simulating the human way of thinking when placed in an unfamiliar and novel setting. The five components of RL's operation are the agent, environment, state, reward, and action. Through direct interaction with the environment, an agent creates its own learning experiences. As a result of this interaction, two changes happen: first, the environment is transformed into a new state; second, the environment imposes a reward or penalty based on the action. The reward function shows the agent how well or poorly an action was performed in a given state. The agent gains knowledge from the reward and filters out undesired behaviors. To address many complicated problems, deep learning approaches and RL are integrated; AlphaGo is an example of this strategy [67,68]. In cyber security, deep reinforcement learning is utilized for host-based intrusion detection [69], fighting DDoS attacks [70], detecting phishing emails [71], and cyber-physical systems [72], to mention a few applications.

Deep Neural Network

A Deep Neural Network (DNN) is a feed-forward network comprising three kinds of layer: input, hidden, and output, with multiple hidden layers between its input and output. Each layer of a DNN consists of multiple nodes, each connected to all the nodes in the subsequent layer.
After feeding the features to the input layer, it does its processing in hidden layers and comes up with predicted values from the output layer, ‘The model calculates the weighted sum and derives the predicted values from an activation function already defined in each hidden layer node, which receives a weighted sum of input nodes and converts them into valid results [73] ‘Transferred Deep-Convohutional Generative Adversarial Network ((DCGAN) ‘The authors proposed a new model called transferred deep-convolutional generative adversarial network ((DCGAN) to detect zero-day malware efficiently. Itis based on Deeplcroics 2002, 11,3034 AutoBncoder (DAE), and generative adversarial network (GAN) [36]. It leams different features of actual data and modified data generated by the model; then, by modifying those features, it generates some fake malware and learns to distinguish this fake malware from the real ones. WAVED Ina recent study, the authors designed a model that constituted a weighted ensemble of distinct classifiers termed "WAVED.’ It is meant to det data streams by assigning unique voting weights to each classifier’s prediction to detect abnormal behavior using the ideal weight vector of classifiers. To detect abnormalities in CAVs and benchmark the performance of the MSALSTM-CNN approach, it uses the average predicted probability of several classifiers [74] ‘anomalies in multi-sensor 232, Datasets The ICS Gas Pipeline dataset was provided by the State University of Mississippi's in-house SCADA lab. For the performance analysis of the IDS, 35 cyber-attacks were present in the dataset that was used for training and testing the classifiers used by IDS. Both regular and cyber outbreak data were present in the dataset. 
The dataset contained almost 60,048 attacked packets, and 214,580 were regular network packets [38] The Information Security and Object Technology (ISOT) dataset contains multiple botnets and various standard datasets, and it has a total of 1,673,424 instances of network traffic flow. For botnets, multiple honeypots such as Storm Botnet and Waledac Botnet were used for capturing malicious botnet traffic. Data from Trafic Lab Ericson was also gathered, which was non-malicious. This whole data and trafic flow was combined with another dataset created by Lawrence Berkeley National Lab (LBNL) {75} The Information Security Centre of Excellence (ISCX) dataset was generated through SSH, HTTP, and SMTP traffic, and it contained a diverse intrusion scenario ranging in variety, complexity, and scope [74]. The ISCX-URL-2016 dataset contained multiple URLs in a dataset ranging from benign (35,300), spam (12,000), phishing (10,000), malware URLs (11,5004), and defacement URLs (45,540) as reported by the Canadian Institute for Cyber security The NSL-KDD dataset was an improved version of the previously named KDD or KDD’99 dataset. Ithas some advantages over KD, such as no redundant records being present in the traning and testing sets. Itcontained data for Denial of Service (DoS), User to Root (U2R), Remote to Local Attack (RAL), and probing attacks. Itwas built on KDD, built by DARPA’s 4 GB of compressed tepdump data of 7 weeks of network traffic with about 5 million connection records [65]. The dataset can be found in JSON and CSV files [76] Cloud Intrusion Detection Dataset (CIDD) considers network and host audit data Data is correlated with the IP address of the user and audit times. CIDD has two main parts: the collection of Unix Solan’ audits and Windows NT aucit and their respective TCP data dump. CID has 35 days of Solaris audit for training and TCP data dump alongside labeled attacks for traning any IDS. 
For testing, CIDD provides 10 days of Solaris audits and TCP dumps [77].

The CICIDS2017 dataset was created by the Canadian Institute for Cybersecurity (CIC). It is a recording of 5 days of traffic capture covering insider and outsider attacks as well as benign traffic. Attacks such as SSH and FTP brute-forcing, DoS/DDoS, Heartbleed, web attacks (brute force, XSS, SQL injection), infiltration, and botnet activity were captured. The total data volume was almost 51 GB, including both regular and attack activity [78]. The various datasets used in this study are summarised graphically in Figure 4.

Figure 4. Datasets used in the comparative analysis. [Figure not reproduced; it summarises the dataset sizes listed in this subsection.]

The Safety Pilot Model Deployment dataset contains the speed, GPS speed, and acceleration of vehicles. Van Wyk added multiple simulated anomalies, such as instant, constant, gradual drift, and bias. Such anomalies can cause malfunctioning vehicular services, i.e., speed and acceleration, due to cyber-attacks and faults [74].

The Enron Spam dataset was collected by V. Metsis, I. Androutsopoulos, and G. Paliouras. It contains 17,171 spam emails and 16,545 ham (non-spam) emails, for a total of 33,716 emails. Each email has a subject, message, date of arrival, and its categorisation (spam or ham). This dataset is publicly available [76].

UNSW-NB15 is essentially a network intrusion dataset that has plenty of attacks, such as DoS, worms, backdoors, and fuzzers. It has 49 features that were extracted by the Bro-IDS and Argus tools and 12 additional algorithms.
The benign sample count in the dataset is 2,218,761, while 321,283 are attack samples, making a total of 2,540,044 network traffic samples. The NF-UNSW-NB15 dataset was generated from 43 NetFlow-based features extracted from the pcap files of the UNSW-NB15 dataset. Its benign sample count is 2,295,222 and its attack sample count is 95,053, for a total of 2,390,275 network flow samples [77].

Kaggle: the Microsoft Malware Classification Challenge was a competition in which malware datasets consisting of malware or virus samples such as Ramnit (1539 training, 145 test), Lollipop (2459, 234), Obfuscator.ACY (1221, 132), and Gatak (1011, 106) were used; the researchers additionally generated fake malware samples with a GAN [35].

Secure Water Treatment (SWaT) Testbed: to tackle the cyber-security threats to Industrial Control Systems (ICS), the iTrust team designed the SWaT dataset to enable experimental research. They studied possible attack vectors against industrial facilities and developed field-proven recommendations for critical infrastructure protection. It contains 11 days of continuous operation: 7 days of normal operation and 4 days with attack scenarios. Fifty-one sensors and actuators were used in the testbed to collect data alongside the network traffic, and 41 attacks were recorded.

2.3.3. Evaluation Metrics

Before explaining the metrics, we briefly introduce the confusion matrix. A confusion matrix is generally a 2 x 2 layout used to visualise an algorithm's performance. In the layout used here, the classes predicted by the algorithm form the rows, while the actual classes form the columns. A 2 x 2 confusion matrix is shown in tabular form in Table 1.

Table 1.
A 2 x 2 confusion matrix.

                     Actual True             Actual False
  Predicted True     True Positive (TP)      False Positive (FP)
  Predicted False    False Negative (FN)     True Negative (TN)

- True Positive (TP) is the number of positive instances identified as positive; the true positive rate is
  $\mathrm{TPR} = \frac{TP}{TP + FN}$ (1)
- True Negative (TN) is the number of negative instances identified as negative; the true negative rate is
  $\mathrm{TNR} = \frac{TN}{TN + FP}$ (2)
- False Positive (FP) is the number of negative instances classified or predicted as positive; the false positive rate is
  $\mathrm{FPR} = \frac{FP}{FP + TN}$ (3)
- False Negative (FN) is the number of positive instances classified or predicted as negative; the false negative rate is
  $\mathrm{FNR} = \frac{FN}{FN + TP}$ (4)
- Accuracy is the ratio between the number of correct predictions and the total number of predictions:
  $\mathrm{Acc} = \frac{TP + TN}{TP + FP + TN + FN}$ (5)
- Precision is the ratio of TPs to the sum of TPs and FPs, i.e., the percentage of correctly identified positives out of all results that were reported as positive, correctly or not:
  $\mathrm{Precision} = \frac{TP}{TP + FP}$ (6)
- Recall is the ratio of TPs to the sum of TPs and FNs, i.e., the percentage of correctly identified positives out of all actual positives:
  $\mathrm{Recall} = \frac{TP}{TP + FN}$ (7)
- F1-score takes both false negatives and false positives into consideration and is the harmonic mean of recall and precision; it is more informative than accuracy on imbalanced datasets:
  $F_1 = \frac{2 \times (\mathrm{Precision} \times \mathrm{Recall})}{\mathrm{Precision} + \mathrm{Recall}}$ (8)

2.3.4. Main Approaches

This section touches upon some of the main approaches followed by researchers who employ Deep Neural Network (DNN) and Machine Learning (ML) techniques to develop their frameworks. Table 2 provides an overview of various state-of-the-art ML- and DL-based approaches for zero-day attack detection.

Table 2. Analysis of zero-day attack detection techniques.
[Table rows not recoverable from the scan. The table lists, per paper, the year, the methodology, and a short description; the legible methodologies are: a deep neural network with Grey Wolf Optimizer and PCA dimensionality reduction (2020); port analysis using a statistical approach for high-volume attacks; an autoencoder with a deep neural network evaluated on NSL-KDD and CICIDS2017 (2020); manifold alignment with a deep neural network (2020); reinforcement learning with CART-based feature reduction; deep learning over dynamic, static, and image-based malware analysis (2019); K-Nearest Neighbour with a Bloom filter for high- and low-volume zero-day attack detection; a statistical copula model using Student-t and Gaussian functions (2019); an autoencoder for fixed-length malware detection (2018); and a Bayesian network (2018), which considered only application-layer attacks.]
The authors presented transfer learning [85] for time-series anomaly detection problems by changing the weights of the source instances to check and match them against the target instances. In effect, nearest-neighbour classification was employed for anomaly detection based on some labelled source instances. The authors of Ref. [86] focused on unifying homogeneous feature spaces. An orthogonal transformation of the domains leveraging Principal Component Analysis (PCA) was performed; afterwards, they applied K-nearest-neighbours classification in the transformed space to detect zero-day attacks.

A novel approach, the Transferred Deep-Convolutional Generative Adversarial Network (tDCGAN), was proposed [87] to tell actual malware from the fake malware generated by the approach itself. It contains a detector that learns the features of actual and generated malware by means of a deep autoencoder, which also stabilises the GAN training; the detector is then used to detect zero-day malware. The authors claimed that their model was the most robust for zero-day detection.

The Cyber Resilience Recovery Model (CRRM) was proposed by Tran et al. [88] to handle attacks on closed networks. NIST SP 800-61, the incident-response framework for resilience and standardisation, is combined with the Susceptible-Infected-Quarantined-Recovered (SIQR) model in Ref. [89] to capture zero-day attack and recovery.
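The metrics of Section 2.3.3 (Equations (1) to (8)) are what Section 3 uses to rank the approaches reviewed here, and Section 4 warns that accuracy alone is not enough. The following Python is an added example, not code from this paper or from any of the reviewed works: it tabulates the confusion matrix of Table 1 from two label vectors, computes every rate, and runs both on a constructed, deliberately imbalanced sample of 1000 flows containing 20 attacks. The two detectors and their outputs are assumptions for the demonstration; the point they make is that a detector which misses half the attacks and one which never alerts at all both score above 98% accuracy, and only recall, FPR, and F1 separate them.

```python
from dataclasses import dataclass
from typing import Dict, Sequence


@dataclass(frozen=True)
class ConfusionMatrix:
    """Counts for a binary detector; 'positive' means 'flagged as attack'."""
    tp: int
    fp: int
    fn: int
    tn: int


def confusion_matrix(actual: Sequence[bool], predicted: Sequence[bool]) -> ConfusionMatrix:
    """Tabulate predictions against ground truth (True = attack), as in Table 1."""
    if len(actual) != len(predicted):
        raise ValueError("label vectors differ in length")
    tp = fp = fn = tn = 0
    for is_attack, flagged in zip(actual, predicted):
        if flagged and is_attack:
            tp += 1
        elif flagged and not is_attack:
            fp += 1
        elif not flagged and is_attack:
            fn += 1
        else:
            tn += 1
    return ConfusionMatrix(tp, fp, fn, tn)


def _ratio(num: float, den: float) -> float:
    # A detector that never alerts has TP + FP = 0; report 0.0 rather than divide by zero.
    return num / den if den else 0.0


def metrics(cm: ConfusionMatrix) -> Dict[str, float]:
    """Equations (1) to (8) of Section 2.3.3."""
    precision = _ratio(cm.tp, cm.tp + cm.fp)            # (6)
    recall = _ratio(cm.tp, cm.tp + cm.fn)               # (7), identical to TPR (1)
    return {
        "tpr": recall,                                   # (1)
        "tnr": _ratio(cm.tn, cm.tn + cm.fp),             # (2)
        "fpr": _ratio(cm.fp, cm.fp + cm.tn),             # (3), the false-alarm rate
        "fnr": _ratio(cm.fn, cm.fn + cm.tp),             # (4), the missed-attack rate
        "accuracy": _ratio(cm.tp + cm.tn, cm.tp + cm.fp + cm.tn + cm.fn),  # (5)
        "precision": precision,
        "recall": recall,
        "f1": _ratio(2 * precision * recall, precision + recall),           # (8)
    }


def constructed_example():
    """Constructed labels (not a real dataset): 1000 flows, the first 20 are attacks."""
    actual = [i < 20 for i in range(1000)]
    # Detector A: catches attacks 0-9, misses 10-19, raises 5 false alarms on flows 20-24.
    detector_a = [i < 10 or 20 <= i < 25 for i in range(1000)]
    # Detector B: never alerts at all.
    detector_b = [False] * 1000
    return (metrics(confusion_matrix(actual, detector_a)),
            metrics(confusion_matrix(actual, detector_b)))


if __name__ == "__main__":
    for name, m in zip(("half-blind detector", "never-alerts detector"), constructed_example()):
        print(name, {k: round(v, 4) for k, v in m.items()})
```

On this sample detector A reaches 98.5% accuracy with 50% recall and an F1 of 4/7, while detector B reaches 98.0% accuracy with recall, precision, and F1 all zero; reading only the accuracy column, the two are almost indistinguishable.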
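Afek et al. [24], described later in this subsection, extract signatures for high-volume zero-day attacks by running Metwally's heavy-hitter algorithm over the k-grams of attack traffic and then thresholding the heavy hitters. The following Python is an added example, not the authors' code: it implements the Space-Saving sketch with its per-counter error bound, k-gram extraction, and a signature extractor that keeps k-grams frequent in attack payloads but absent from a benign baseline. The HTTP flood and benign request payloads, the host name victim.test, and the parameters (k = 8, 80 counters, 50% threshold) are constructed assumptions for the demonstration. The sketch is kept deliberately small so that nonce fragments inherit inflated counts on eviction and surface as unguaranteed candidates, which is why the lower bound (count minus error) is checked before a k-gram is trusted as a signature.

```python
import hashlib
from math import ceil


def kgrams(payload: bytes, k: int):
    """All k-byte substrings (k-grams) of a payload, in order."""
    return [payload[i:i + k] for i in range(len(payload) - k + 1)]


class SpaceSaving:
    """Metwally et al.'s Space-Saving sketch with at most m counters.

    Any item whose true frequency is at least n/m (n = items seen so far)
    is guaranteed to hold a counter, and for every tracked item
    count - error <= true_count <= count.
    """

    def __init__(self, m: int):
        self.m = m
        self.count = {}
        self.error = {}
        self.n = 0

    def add(self, item: bytes) -> None:
        self.n += 1
        if item in self.count:
            self.count[item] += 1
        elif len(self.count) < self.m:
            self.count[item] = 1
            self.error[item] = 0
        else:
            # Full: evict the smallest counter; the newcomer inherits its count
            # as an upper bound and records it as its possible overestimate.
            victim = min(self.count, key=self.count.get)
            floor = self.count.pop(victim)
            del self.error[victim]
            self.count[item] = floor + 1
            self.error[item] = floor

    def heavy_hitters(self, min_count: int):
        """(item, count, guaranteed) for tracked items with count >= min_count.

        guaranteed is True when even the lower bound count - error clears
        min_count, i.e. the item is certainly frequent, not an eviction artefact.
        """
        return [(g, c, c - self.error[g] >= min_count)
                for g, c in self.count.items() if c >= min_count]


def extract_signatures(attack_payloads, benign_payloads, k=8, m=80, fraction=0.5):
    """Heavy-hitter signature extraction in the spirit of Afek et al. [24].

    A k-gram is a signature if it occurs in at least `fraction` of the attack
    payloads (estimated with the sketch) and never in the benign baseline
    (checked exactly; the baseline is small). Returns
    {kgram: (estimated_count, "guaranteed" | "candidate")}.
    """
    sketch = SpaceSaving(m)
    n_attack = 0
    for p in attack_payloads:
        n_attack += 1
        for g in kgrams(p, k):
            sketch.add(g)
    seen_in_benign = set()
    for p in benign_payloads:
        seen_in_benign.update(kgrams(p, k))
    min_count = ceil(fraction * n_attack)
    return {g: (c, "guaranteed" if ok else "candidate")
            for g, c, ok in sketch.heavy_hitters(min_count)
            if g not in seen_in_benign}


def constructed_traffic():
    """Constructed sample traffic (not real captures): 500 flood requests sharing a
    fixed header but carrying a per-request cookie nonce, and 200 benign requests."""
    attack = []
    for i in range(500):
        nonce = hashlib.sha256(b"nonce%d" % i).hexdigest()[:8].encode()
        attack.append(b"POST /login HTTP/1.1\r\nHost: victim.test\r\n"
                      b"X-Flood: ZZZZZZZZ\r\nCookie: s=" + nonce + b"\r\n")
    benign = [b"GET /page%d.html HTTP/1.1\r\nHost: victim.test\r\n" % (i % 7)
              for i in range(200)]
    return attack, benign


if __name__ == "__main__":
    sigs = extract_signatures(*constructed_traffic())
    for g, (c, cat) in sorted(sigs.items(), key=lambda kv: (kv[1][1], kv[0])):
        print(f"{cat:10} {c:4} {g!r}")
```

Every 8-gram of the fixed attack header that does not also occur in the benign requests (40 of them, including b"X-Flood:" and b"ZZZZZZZZ") comes out as a guaranteed signature with a count of 500, while the 8-grams shared with benign traffic (b"HTTP/1.1", b"Host: vi", ...) are filtered out; any nonce fragments that pass the count threshold do so only by inherited counts and are reported as candidates, never as guaranteed.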
A deep-learning detection technique utilising an IoT environment's fog-based ecosystem was proposed in Ref. [90]. Since smart infrastructures and fog networks are close to each other, the nodes of the fog ecosystem are responsible for model training and for performing the attack detection. Training yields the detection models and the associated learning parameters, which the fog nodes use for propagation and global updates.

In Ref. [91], Saied et al. proposed an Artificial Neural Network (ANN)-based detection approach for unknown and known DDoS attacks, based on particular attributes that separate Distributed Denial of Service traffic from legitimate traffic. The model was trained with the Java Neural Network Simulator (JNNS) on preprocessed data and integrated with Snort AI.

The authors of Ref. [92] employed the Gated Recurrent Unit (GRU) technique, whose primary purpose was to pick up new Distributed Denial of Service (DDoS) attacks; they claimed that the proposal shows better accuracy. A recent study [23] implemented an approach to resolve the security issues of in-vehicle communication, which is open to plenty of attacks; it is a hybrid technique based on GRU and CNN for detecting possible attacks.

A signature extraction technique based on the concept of heavy hitters for high-volume zero-day attacks was proposed by Afek et al., who presented Metwally's heavy-hitter algorithm with a slight variation. It generates all possible k-grams of the sets from the input data. The main idea behind detecting zero-day DDoS attacks is to look for the heavy hitters in real attack data. Then, depending on a predefined threshold, the heavy-hitter outputs are checked and placed in different categories depending on how malicious they are. Finally, the attacks can be found and detected by going through the probably malicious heavy hitters [24]. Kim et al.
proposed a malware detection system based on deep learning called Transferred Deep Convolutional Generative Adversarial Networks (tDCGAN). A deep autoencoder was used to learn the characteristics of malware and to generate new malware samples, and the newly generated data is then passed to the generator of the adversarial network. The proposed system has three main parts: compression and reconstruction of data, generation of fake malware data, and finally malware detection [87].

The authors proposed a Deep Neural Network (DNN) approach for detecting cyber-attacks that combines PCA with the Grey Wolf Optimizer (GWO) algorithm: PCA reduces the dimensions of the dataset [95], and GWO then optimises the transformed dataset to reduce its redundancy [25]. The main focus of this approach is dimensionality reduction, to make the DNN-based IDS more responsive [80,96].

The authors proposed a framework for efficiently handling the volatility of historical attack data and the multivariate dependency among attacks. Its main goal was to disclose trends regarding various vulnerabilities, their dependence, and their exploits on volatile historical data using copulas. Two functions, Student-t and Gaussian, were used as copula functions; using them yields the joint property of the attack risks [78].

A multistage attention mechanism alongside an LSTM-based CNN was proposed for anomaly detection [81]. Abnormal data generated by the various sensors of automated vehicles is explicitly covered by the proposed method. An ensemble approach based on a voting technique for deciding anomalous data from different classifiers was also proposed.

The authors addressed the problem of detecting zero-day attacks in the absence of labelled data [7]. An approach called Manifold Alignment was used, which maps the source and target domain data into the same latent space.
It handles differing feature spaces and domain probability distributions. In the generated space, a newly proposed technique produces soft labels to cope with the small number of labels available for constructing the Deep Neural Network model for zero-day attack detection.

Another technique for an intrusion detection and prevention system for the cloud, using classification and a one-time signature (OTS) technique, was proposed by the authors of Ref. [75]. OTS differs from OTP, which stands for one-time password: OTS is used for accessing the data over the cloud. A hybrid classifier consisting of normalised K-Means and a Recurrent Neural Network (RNN) was used.

An approach based on a deep autoencoder was proposed to detect zero-day attacks [52]. Its performance was demonstrated on two popular and well-known datasets, NSL-KDD and CICIDS2017, and compared against one-class SVM outlier detection.

3. Comparative Analysis

This section provides a comparative analysis of AI-based techniques for detecting zero-day attacks and of their performance.

Machine learning and deep learning approaches are widely used for cyber-attack detection and prevention. In the last few years, many researchers have applied ML and DL techniques to classify and detect zero-day attacks on systems, including malware, malicious URLs, and spam. Most zero-day malware is not detected by antivirus products, which is why it is problematic. In Ref. [36], the authors proposed a zero-day malware detection framework based on a Deep Autoencoder (DAE). It generates fake malware and trains the model to distinguish real from fake malware by comparing the fake data with the actual data. The proposed model (tDCGAN) learns different malware features from both the real data and the generated data; it extracts the appropriate features from the data and stabilises the training.
The trained model used transfer learning to capture malware features, with an average classification accuracy of 95.74%.

A hybrid model was used that took the consistent and anticipated communication patterns of multiple Industrial Control System (ICS) devices. The ICS dataset was used and pre-processed by normalisation, standardisation, categorical labelling of the samples, and feature scaling. Features were then extracted from the dataset, and the feature matrix was constructed using PCA, CCA, and ICA. The proposed technique, HML-IDS, was based on an instance-based k-NN learning algorithm. It was trained on the features reduced by these techniques, and the results were compared with a Bloom Filter (BF) and Random Forest (RF). The proposed technique showed better results, achieving 0.97, 0.98, 0.92, and 0.95 in accuracy, precision, recall, and F1-score, respectively. The main question here is why deep learning techniques were not used, since DL techniques can improve accuracy, precision, recall, and F1-score [42].

A recent study [74] on detecting anomalies in connected automated vehicles (CAVs) proposed a multistage attention mechanism with an LSTM-based convolutional neural network model, named MSALSTM-CNN, for detecting different anomalies caused by faults, errors, or cyber-attacks; whatever the cause, such events can result in fatal accidents and therefore cannot be tolerated. MSALSTM-CNN converts data streams into multidimensional vectors and then processes them to detect anomalies. The study also introduced a method that works on the principle of the average predicted probability of multiple classifiers for anomaly detection, a weight-adjusted fine-tuned ensemble, or WAVED.
They effectively improved the anomaly detection rate for both low- and high-magnitude anomalous instances, gaining 2.54% in F1-score when detecting single anomaly types in the dataset. Moreover, it showed promising performance with a gain of up to 3.24% in F1-score when detecting mixed anomaly types in CAVs.

Regarding an autoencoder-based framework for the detection of zero-day attacks, the authors of Ref. [7] used the NSL-KDD and CICIDS2017 datasets to perform their tests; they compared their model with a one-class SVM on both datasets and outperformed it, achieving a higher average accuracy of 92.96% for NSL-KDD and 95.19% for CICIDS2017.

Sameera et al. [85] proposed a zero-day attack detection model for IDS built with a DNN. Detecting and identifying zero-day attacks was difficult because there were no labels for them in the intrusion detection data, so they used the Manifold Alignment method to map sources and targets with mapping functions, assigned soft labels, and then applied a DNN to identify zero-day attacks in the test data. They used the NSL-KDD and CIDD datasets for testing. Comparing their results with other ML models, i.e., DT, RF, SVM, and KNN, they found that their proposed framework outperformed the other models with an average accuracy of 91.83%.

The authors discussed and presented botnet detection using a reinforcement-learning-based approach. The workflow is as follows: the captured network traffic was filtered and reduced by control filters; features were extracted from connections and hosts and then reduced by the CART algorithm; those features were passed to a multilayer neural network classifier, with the features and data divided into training and testing sets; and, finally, the instances were classified as anomalous or not.
The resulting detection accuracy is 98.3% with a low false-positive rate of 0.012% [89].

Instead of targeting a system, attackers often target humans, because they are easier targets. Fooling people by exploiting their weaknesses is an old but effective technique frequently used by attackers to gain access to a system: they somehow persuade the victim to unknowingly hand sensitive credentials to the attacker. Attackers send phishing links embedded in emails or text messages to users; once the person clicks the link inside the mail, their system is infected by the malicious software sent by the attackers. A similar scenario is addressed in Ref. [51], where the authors tried to classify malicious emails from benign emails. A comparison of various AI-based techniques for zero-day attack detection is presented in Table 3.

They investigated the email header and body using a deep-learning approach and extracted features against which an abnormality score was tested. They detected both zero-day malicious emails and regular spam emails, and achieved 78% accuracy for zero-day malicious email detection.

It is difficult to obtain data samples for all attack classes in Network Intrusion Detection Systems (NIDS) that observe production traffic. Machine-learning-based NIDS face unknown attack traffic, known as zero-day attacks, that was not used in training because it did not exist at training time. The authors proposed a Zero-Shot Learning (ZSL) technique to detect zero-day attacks in NIDS and evaluated the performance of the proposed model. It maps the features of unknown attacks from the network to differentiate their attributes from those of known attacks. They defined a new zero-day detection rate metric to measure the model's effectiveness [52].

Table 3.
A comparison of different AI-based techniques for zero-day attack detection. [Table rows not recoverable from the scan; the table lists, for each reviewed approach, its dataset and its accuracy, precision, recall, and F1-score. The values are repeated in the text of this section and in Figures 5 to 8.]

Researchers developed a benign communication database from multiple devices in an ICS by observing the system's communication patterns for some time with a Bloom Filter. They then created another SCADA gas pipeline dataset. Afterwards, they proposed a stacked LSTM for time-series anomaly detection, combining both datasets and the Bloom filter. The results were much better than those of state-of-the-art techniques, as claimed by the researchers of the study. The framework's outcomes were then compared with SVDD, BN, and BF. The proposed work's results were 0.94, 0.78, 0.92, and 0.85 for precision, recall, accuracy, and F1-score, respectively. Other deep learning approaches should also have been tried to maximise the performance. The proposed framework misclassified attack types such as MSCI and MPCI, treating their behaviour as normal instead of harmful [2?].

The authors studied the previous literature and noted problems with previous approaches to the detection of zero-day attacks, as well as irregularities in the data, which result in a poor attack detection rate.
They proposed an approach whose steps start from Bloom Filter payload-level detection, then a Kohonen-enhanced neural network utilising PCA and hypergraph partitioning, and finally BLOSOM-based hybrid anomaly detection, using datasets obtained from the Singapore University of Technology and Design (the SWaT dataset) and Mississippi State University (gas-pipeline data from its SCADA lab). The BLOSOM model takes packet contents as input to check the data's behavioural pattern in an unsupervised fashion; it helps identify whether the packet contents lie within what was seen during the ANN training phase. The proposed technique, on both datasets, showed improved results compared to BLE, RF, RNN, and CNN. The results were 0.97, 0.98, 0.92, and 0.95 in terms of accuracy, precision, recall, and F1-score, respectively [109].

The authors focused on anomaly detection in industrial control systems by considering packet latency and jitter. An algorithm based on Grey Wolf Optimizer training of a neural network for anomaly detection was proposed for industrial control systems. Multiple datasets, gas-pipeline and SWaT, from different sources were used. The Grey Wolf Optimizer (GWO) imitates the cooperative hunting behaviour of wolves in nature. The leadership hierarchy is imitated by alpha, beta, delta, and omega wolves. Optimisation is performed in three basic steps: searching for prey, encircling the prey, and attacking the prey. The performance of the GWO-trained algorithm on the gas and SWaT datasets was compared against algorithms optimised with PSO, BBO, ACO, ES, and PBIL. The accuracy of the Grey Wolf algorithm was 98% on gas-pipeline and 96% on SWaT. Regarding robustness and accuracy, GWO achieves the higher values; if time is of greater concern, the ES algorithm takes less time [101].

The focus of the researchers was to combine supervised and unsupervised learning to detect known and unknown attacks.
The primary proposed technique is a stacker, a two-layer meta-learning adaptation. Public datasets such as ISCX, UNSW-NB15, ADFA-NetFlow-IDS, CIDDS, and NSL-KDD, which contain real systems, were used while creating variants that allow anonymous attack analysis. The most valuable features were extracted from the datasets using Information Gain; the supervised algorithm then picked and derived features from the meta-feature set. Then, for the entire dataset, unsupervised model-based features were generated. The dataset was split at a 30:70 ratio, and a 50:50 ratio was used for training and testing the supervised algorithm in the case of the meta-level learners. The stacker's performance was compared across the different datasets, and the highest accuracy, 0.9997, was obtained on CICIDS2017, alongside 0.998 precision, 1.000 recall, and 0.999 F1-score [102].

For detecting zero-day attacks based on phishing URLs, which are constructed and torn down quickly after the attacks, the integration of deep learning with logic-programmed domain knowledge was suggested. Logic and neural classifiers were designed, and joint learning on a symbolic-neural integration was pursued. Datasets containing 222,541 URLs were used. The LSTM-CNN-based triplet network, comprising a shared-weight neural feature extractor, is a promising approach for learning the latent space of phishing by comparing URLs with standard similarity functions. Two steps are used in learning the latent phishing space: distance metrics between normal and phishing URLs, and feature extraction by the learned function. The results were compared with previously proposed triplets, showing an accuracy of 97.8% and a recall of 96.1% on the ISCX URL dataset [103].

Another study [104] used an ML-based insider threat detection model based on KNN; two approaches were used to detect insider threats: user-based and role-based.
In the user-based approach, the abnormality score of a user's session is calculated against that user's previous sessions based on their activities in the system; in the role-based approach, the same technique is applied to sessions of different roles, the results are compared with previous sessions of the same role, and the abnormality score is then calculated. A Hidden Markov Model (HMM) was also used for insider threat detection in Ref. [105]; the authors used the CERT 4.2 dataset, which contains 70 malicious users, trained on the users' first week, recorded their activities on different tasks on a weekly basis, found the similarities between the activities, and then classified them as malicious or normal.

In Ref. [106], the authors introduced a multilayer machine-learning-based insider threat detection model that employs three techniques: Misuse Insider Threat Detection (MITD) using the Random Forest algorithm, Anomaly Insider Threat Detection (AITD) using K-Nearest Neighbours, and Hybrid Insider Threat Detection (HITD), which combines MITD and AITD. The model achieved 97% accuracy and a 2.88% False Positive Rate (FPR) for unknown (zero-day) threats using HITD, while MITD and AITD showed accuracies of 92% and 90%, respectively. They also compared their model with existing ML-based insider threat detection approaches, including SVM, LSTM, and DNN. Although it showed better accuracy than the other algorithms, the false negative rate is still somewhat high, at 9.56%, which is alarming because zero-day attacks (ZAs) are critical in any system and can cause serious damage to organisations.

Another autoencoder-based model was proposed by Kunang et al. [97]. They applied automatic feature extraction for IDS using the autoencoder approach. Their experiments showed a high accuracy of around 99.947%, which is quite impressive. Unfortunately, however, they used very old datasets from 1998, which lack the signatures of new attacks.
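HML-IDS and the BLOSOM pipeline discussed above both start from a benign-communication database held in a Bloom filter: a packet whose signature was never observed during the benign learning window is the first candidate for a zero-day attack, and a Bloom filter lets that membership test run in constant memory on a control-system device. The following Python is an added example, not code from either paper: a Bloom filter built from salted SHA-256 positions, a Modbus-style signature function that keys a packet on source, destination, unit, function code, and register range while ignoring the value written (so a new setpoint does not look like a new conversation), and an allowlist learned from constructed HMI-to-PLC polling traffic. The addresses 10.0.0.1, 10.0.0.10, and 192.168.1.50, the register layout, and the filter sizing (100 expected signatures at a 1% target false-positive rate) are assumptions for the demonstration; the sizing formulas m = -n ln p / (ln 2)^2 and k = (m / n) ln 2 are the standard Bloom filter optimum.

```python
import hashlib
import math
import struct
from typing import Iterable, Tuple

Packet = Tuple[str, str, int, bytes]   # (src_ip, dst_ip, unit_id, Modbus PDU)


class BloomFilter:
    """Bloom filter over byte strings, sized for n expected items at false-positive rate p."""

    def __init__(self, expected_items: int, fp_rate: float):
        self.m = math.ceil(-expected_items * math.log(fp_rate) / math.log(2) ** 2)  # bits
        self.k = max(1, round(self.m / expected_items * math.log(2)))                # hash functions
        self.bits = bytearray((self.m + 7) // 8)
        self.items = 0

    def _positions(self, item: bytes):
        # k bit positions from k salted SHA-256 digests (slow but dependency-free).
        for salt in range(self.k):
            digest = hashlib.sha256(bytes([salt]) + item).digest()
            yield int.from_bytes(digest[:8], "big") % self.m

    def __contains__(self, item: bytes) -> bool:
        return all(self.bits[p >> 3] & (1 << (p & 7)) for p in self._positions(item))

    def add(self, item: bytes) -> None:
        if item in self:          # all bits already set (or a false positive): nothing to do
            return
        for p in self._positions(item):
            self.bits[p >> 3] |= 1 << (p & 7)
        self.items += 1

    def estimated_fp_rate(self) -> float:
        """Probability that an item never added reports as present, given the current load."""
        return (1 - math.exp(-self.k * self.items / self.m)) ** self.k


def modbus_signature(src: str, dst: str, unit: int, pdu: bytes) -> bytes:
    """Canonical key of a Modbus PDU: who talks to whom, which function, which register range.
    Written values are deliberately excluded so that a changing setpoint stays 'known'."""
    func = pdu[0]
    if func in (1, 2, 3, 4, 16) and len(pdu) >= 5:   # reads / write multiple: addr, quantity
        addr, qty = struct.unpack(">HH", pdu[1:5])
    elif func in (5, 6) and len(pdu) >= 3:           # write single coil/register: addr, value
        addr, qty = struct.unpack(">H", pdu[1:3])[0], 1
    else:                                            # anything else: keyed on the code alone
        addr, qty = 0, 0
    return f"{src}>{dst}#{unit}:{func}@{addr}+{qty}".encode()


class BenignCommunicationDB:
    """Allowlist of packet signatures observed during an attack-free learning window."""

    def __init__(self, expected_signatures: int, fp_rate: float):
        self.filter = BloomFilter(expected_signatures, fp_rate)

    def learn(self, packets: Iterable[Packet]) -> None:
        for src, dst, unit, pdu in packets:
            self.filter.add(modbus_signature(src, dst, unit, pdu))

    def is_known(self, src: str, dst: str, unit: int, pdu: bytes) -> bool:
        # False means: this conversation never happened while learning, so inspect it.
        return modbus_signature(src, dst, unit, pdu) in self.filter


def constructed_traffic():
    """Constructed sample traffic (not a real capture): an HMI polling a PLC."""
    hmi, plc = "10.0.0.1", "10.0.0.10"
    benign = []
    for cycle in range(200):
        benign.append((hmi, plc, 1, bytes([3]) + struct.pack(">HH", 0, 10)))   # read 10 holding regs
        benign.append((hmi, plc, 1, bytes([6]) + struct.pack(">HH", 40, 1000 + cycle % 50)))  # drifting setpoint
    suspicious = [
        ("192.168.1.50", plc, 1, bytes([6]) + struct.pack(">HH", 40, 1000)),  # unknown master
        (hmi, plc, 1, bytes([6]) + struct.pack(">HH", 0, 0)),                # write into the polled range
        (hmi, plc, 1, bytes([3]) + struct.pack(">HH", 0, 10)),               # ordinary poll
        (hmi, plc, 1, bytes([6]) + struct.pack(">HH", 40, 1049)),            # ordinary setpoint
        (hmi, plc, 1, bytes([8]) + struct.pack(">HH", 0, 0)),                # diagnostics function
    ]
    return benign, suspicious


if __name__ == "__main__":
    benign, suspicious = constructed_traffic()
    db = BenignCommunicationDB(expected_signatures=100, fp_rate=0.01)
    db.learn(benign)
    for pkt in suspicious:
        print("known" if db.is_known(*pkt) else "UNSEEN", modbus_signature(*pkt).decode())
    print("estimated false-positive rate:", db.filter.estimated_fp_rate())
```

Only two signatures are learned from the 400 benign packets, so the three unseen conversations (the foreign master, the write into the polled range, and the diagnostics call) are flagged while the ordinary poll and a never-before-seen setpoint value pass. The filter can only err in one direction: an unseen signature may be reported as known with probability estimated_fp_rate(), never the reverse, which is why it is a pre-filter in front of a classifier rather than a detector on its own.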
With their many benefits, the increasing number of CAVs can give rise to new challenges in terms of privacy, security, and, more significantly, the safety of travellers [97]. Because of their Internet connectivity, their sensors can play a role in cyber-attacks on vehicles, which can result in fatal crashes or even car hijacking. In the article, the authors presented a technique for anomaly detection in CAVs that combines a CNN with a well-known anomaly detection approach, Kalman filtering, to identify abnormal behaviours in CAVs. This hybrid approach outperformed both Kalman filters and CNN alone in anomaly detection, with an impressive accuracy of 98.2%.

In the coming years, more and more objects will be connected, generating massive amounts of data that could attract potential attackers and pose different cyber threats to the privacy of individuals and organisations. IP reputation systems play a vital role in identifying malicious Internet Protocol (IP) addresses. They profile the behaviours of potential security threats to different cyber-physical systems, but previously available reputation systems were not suitable for everyone due to their high management costs; they also had limitations in terms of performance, i.e., false-positive rates, running time, and reliance on minimal data sources for validating the reputation of IP addresses. Nighat et al. [98] introduced a unique hybrid technique based on dynamic malware analysis, machine learning, data forensics, and cyber-threat intelligence to address these concerns. IP reputation is predicted in the pre-acceptance stage using the idea of big-data forensics, and the associated zero-day attacks are classified using behavioural analysis with the Decision Tree (DT) approach. The suggested method identifies extensive data-forensics concerns and computes severity, risk score, confidence, and longevity simultaneously.
The proposed system is assessed in two ways: first, the ML algorithms are compared to determine the best F-measure, accuracy, and recall scores, and then the complete reputation system is compared with other reputation systems.

In today's Industrial Control Systems (ICS), the extensive connectivity between smart equipment opens up a large attack surface for various cyber-attacks and harmful threats. These attacks have the potential not only to interrupt or fully impair system functionality but also to have major safety implications. As a result, cyber security is one of the most critical challenges in ICS. A recent study [100] proposed a way to design algorithms for detecting cyber-attacks on the communication channels between smart devices. The method is based on Convolutional Neural Networks (CNN) and belongs to the family of semi-supervised data-driven approaches. The proposed technique automatically determines an acceptable CNN architecture and the thresholds for online intrusion detection, based on a preset range of network hyperparameters and on data collected from system operation without attacks. The suggested intrusion detection is host-based; in keeping with the characteristics of ICS, the authors analysed the structure of ICS and the practicality of implementing the attack detection algorithm on control system devices. Two case studies were used to validate the strategy experimentally. The comparison of the proposed method with other approaches used a publicly accessible dataset derived from the Secure Water Treatment (SWaT) testbed.

Figure 5 shows the overall accuracy of the different techniques (BF, RF, LSTM, SVDD, Stacker, etc.), which were trained and tested against different datasets covering various attack vectors, of various sizes and from multiple domains, including industrial-level systems.

Figure 5.
The accuracy of the compared techniques on different datasets. [Figure not reproduced.]

The precision of the previously discussed algorithms and techniques, trained and tested against the various datasets, is shown in Figure 6.

Figure 6. Precision of the compared techniques on different datasets. [Figure not reproduced.]

Figure 7 presents the recall of the various algorithms and techniques alongside their datasets. The highest recall value, 100%, is achieved by the STACKER approach evaluated on the CICIDS2017 dataset.

Figure 7. Recall of the compared techniques on different datasets. [Figure not reproduced.]

The F1-score of the above-mentioned datasets and approaches is depicted in Figure 8. The highest F1-score, 99.9%, was achieved by STACKER on the CICIDS2017 dataset.

Figure 8. The F1-score of the compared techniques on different datasets. [Figure not reproduced.]

4. Research Limitations

In the last decade, many researchers have introduced AI-based approaches to detect zero-day attacks based on their behaviours and other factors. However, these approaches still face high false-negative and false-positive rates, because most of them used very old datasets such as DARPA or KDD. These datasets are large and well known in the field of cyber security; however, they lack the new attacks and the new strategies that are used nowadays. Furthermore, most researchers trained and tested their models on high-volume traffic to capture zero-day attacks, but zero-day attacks can also come in the form of meagre traffic; they do not always take the form of DoS or DDoS. Since zero-days are more critical than regular attacks, a very efficient model should handle the traffic in real time.
Although some of them achieved impressive results, their custom datasets may have been designed in a way that produced good results on their systems; when the same models were applied to other datasets, they produced many different results [53]. Moreover, everyone uses different evaluation metrics to express their results, which are not even suitable for cyber security scenarios.

5. Conclusions and Future Work

This research has compared the latest articles regarding zero-day attack detection in multiple domains, such as IDS, DoS/DDoS, anomaly-based (IDS), and malware. We have reviewed almost 10 different approaches to the generic attacks detected by IDS. It can be seen that the stacker-based approach was the best in terms of accuracy as it reached up to 88.8% accuracy. In terms of precision, both HML-IDS and BLOSOM attained 98% precision. The reinforcement learning approach achieved higher recall and F1-score, 97.9% and 98.8%, respectively. For DoS/DDoS attacks, on the CICIDS2017 dataset, the stacker-based approach outperforms all the others by achieving 99.97% accuracy, 98.8% precision, 100% recall, and 99% in the F1-score metric. Regarding anomaly-based attack detection, the CNN-KF-based approach on the SPMD dataset achieved 98.2% accuracy, which is the highest among the compared approaches. However, the highest precision was 99.8%, which CNN achieved on the same SPMD dataset. The highest recall was achieved by the BLOSOM approach on the SWaT dataset, and the MSALSTM-CNN approach outperformed the others in terms of F1-score. The tDCGAN approach, over the malware dataset, outperformed the other compared approaches by achieving an accuracy of 95.74%. Other metrics such as precision, recall, and F1-score were highest on the network dataset for a decision tree. In all aspects, zero-day attacks are critical to any system; whether in IDS systems or spam-based, they can cause massive damage to any organization.
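Two points raised above can be made concrete with a small simulation: the semi-supervised thresholding of [100], where the detection threshold is learned from attack-free operation, and the limitation that zero-day traffic can be meager, so that accuracy or precision alone hides missed attacks. The following Python is an added example, not code from this survey or from [100]. A distance-to-median scorer stands in for the CNN scorer; the triangle-wave sensor pattern, the 1.25 safety margin and the +8.0/+1.0 attack shifts are all constructed for illustration. Beyond the four metrics the figures compare, it also reports the false positive rate (false alarms) and false negative rate (missed attacks) that the conclusion recommends.

```python
"""
Added example (not from the surveyed paper or from [100]): calibrate an
anomaly threshold on attack-free readings, then score a low-volume attack
stream with accuracy, precision, recall, F1, FPR and FNR.
A distance-to-median scorer stands in for the CNN scorer of [100]; every
sensor value, the margin and the attack shifts are constructed for this example.
"""
from statistics import median
from typing import Dict, List, Tuple

# Constructed attack-free sensor pattern: a triangle wave around 50.0
_PATTERN = [-2.0, -1.0, 0.0, 1.0, 2.0, 1.0, 0.0, -1.0]


def benign_reading(i: int) -> float:
    """Hypothetical reading at step i during normal operation."""
    return 50.0 + _PATTERN[i % len(_PATTERN)]


def calibrate(attack_free: List[float], margin: float = 1.25) -> Tuple[float, float]:
    """Semi-supervised calibration: learn a centre and a threshold from
    attack-free data only. Threshold = largest benign deviation * margin
    (the margin is an assumed hyperparameter, not a value from the paper)."""
    centre = median(attack_free)
    threshold = max(abs(x - centre) for x in attack_free) * margin
    return centre, threshold


def detect(readings: List[float], centre: float, threshold: float) -> List[bool]:
    """Flag a reading as anomalous when it lies farther from the centre than
    anything seen during attack-free calibration."""
    return [abs(x - centre) > threshold for x in readings]


def metrics(y_true: List[bool], y_pred: List[bool]) -> Dict[str, float]:
    """Confusion-matrix metrics. True = attack (positive class)."""
    tp = sum(t and p for t, p in zip(y_true, y_pred))
    fp = sum((not t) and p for t, p in zip(y_true, y_pred))
    fn = sum(t and (not p) for t, p in zip(y_true, y_pred))
    tn = sum((not t) and (not p) for t, p in zip(y_true, y_pred))
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    f1 = 2 * precision * recall / (precision + recall) if precision + recall else 0.0
    return {
        "accuracy": (tp + tn) / len(y_true),
        "precision": precision,
        "recall": recall,
        "f1": f1,
        "fpr": fp / (fp + tn) if fp + tn else 0.0,   # false-alarm rate
        "fnr": fn / (fn + tp) if fn + tp else 0.0,   # missed-attack rate
    }


def build_test_stream() -> Tuple[List[float], List[bool]]:
    """Constructed evaluation stream: 980 benign readings plus 20 attack readings
    (10 loud, shifted by +8.0; 10 stealthy, shifted by only +1.0). Attacks are
    2% of the stream, i.e. the low-volume case Section 4 warns about."""
    readings = [benign_reading(i) for i in range(980)]
    labels = [False] * 980
    readings += [benign_reading(i) + 8.0 for i in range(10)]   # loud tampering
    readings += [benign_reading(i) + 1.0 for i in range(10)]   # stealthy tampering
    labels += [True] * 20
    return readings, labels


def evaluate() -> Dict[str, Dict[str, float]]:
    """Compare the calibrated detector against a 'never alarm' baseline that
    scores high accuracy purely because attacks are rare."""
    centre, threshold = calibrate([benign_reading(i) for i in range(200)])
    readings, labels = build_test_stream()
    detector = metrics(labels, detect(readings, centre, threshold))
    baseline = metrics(labels, [False] * len(readings))
    return {"detector": detector, "never_alarm": baseline}


if __name__ == "__main__":
    for name, m in evaluate().items():
        print(name, {k: round(v, 4) for k, v in m.items()})
```

Running it shows the "never alarm" baseline scoring 98% accuracy with a 100% missed-attack rate, while the calibrated detector scores 99.1% accuracy and 100% precision but only 55% recall, because the stealthy +1.0 tampering mostly stays inside the benign envelope learned at calibration time. The FNR value exposes that gap where accuracy does not, which is why the false-alarm and miss rates belong beside the figures compared above.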
Rival companies find zero-day vulnerabilities and exploit them against their competitors, gaining access to sensitive data by compromising their systems. Attackers normally try to remain inside the system without letting anyone know that they are about to steal confidential data, rather than destroying the system. They tend to remain hidden as long as possible because, once the security team learns about the vulnerability, they fix the issue as quickly as possible. Since there are no previous records or signatures, zero-day attacks are hard to detect using firewalls or the other security measures organizations use to keep their systems secure from potential threats.

Due to the sensitivity of zero-day attacks, relying only on accuracy or precision is not enough to measure the performance of the models; false alarm rates should also be used before implementing models on existing systems. Secondly, instead of using outdated datasets, new benchmarks should be used to tackle modern attacks properly.

Author Contributions: Conceptualization, S.A. and A.I.; methodology, S.A. and S.U.R.; validation, G.A. and Z.I.; formal analysis, A.I.; resources, K.-I.K.; data curation, A.I. and Z.I.; writing—original draft preparation, S.A.; writing—review and editing, S.U.R.; visualization, K.-I.K.; supervision, S.U.R.; project administration, K.-I.K.; funding acquisition, K.-I.K. All authors have read and agreed to the published version of the manuscript.

Funding: This research received no external funding.

Data Availability Statement: Not applicable.

Acknowledgments: This work was supported by the Institute for Information & communications Technology Planning & Evaluation (IITP) grant funded by the Korea government (MSIT) (No. 2022-0-01200, "Training Key Talents in Industrial Convergence Security") and the National Research Foundation of Korea (NRF) grant funded by the Korea government (MSIT) (No. RS-2022-00165225).

Conflicts of Interest: The authors declare no conflict of interest.

References
1. Yoon, H.; Jang, Y.; Kim, S.; Speasmaker, A.; Nguyen, I. Trends in internet use among older adults in the United States, 2011–2016. J. Appl. Gerontol. 2021, 40, 466–470. [CrossRef]
2. Alhashmi, A.A.; Darem, A.; Abawajy, J.H. Taxonomy of Cybersecurity Awareness Delivery Methods: A Countermeasure for Phishing Threats. Int. J. Adv. Comput. Sci. Appl. 2021, 12. [CrossRef]
3. AlMarghilani, A. Comprehensive Analysis of IoT Malware Evasion Techniques. Eng. Technol. Appl. Sci. Res. 2021, 11, 7495–7500. [CrossRef]
4. Bhattacharyya, D.K.; Kalita, J.K. Network Anomaly Detection: A Machine Learning Perspective; CRC Press: Boca Raton, FL, USA, 2013.
5. Zeng, Y.; Hu, X.; Shin, K.G. Detection of botnets using combined host- and network-level information. In Proceedings of the 2010 IEEE/IFIP International Conference on Dependable Systems & Networks (DSN), Chicago, IL, USA, 28 June–1 July 2010; pp. 291–300.
6. Studnia, I.; Nicomette, V.; Alata, E.; Deswarte, Y.; Kaâniche, M.; Laarouchi, Y. Survey on security threats and protection mechanisms in embedded automotive networks. In Proceedings of the 2013 43rd Annual IEEE/IFIP Conference on Dependable Systems and Networks Workshop (DSN-W), Budapest, Hungary, 24–27 June 2013; pp. 1–12.
7. Meakins, J. A zero-sum game: The zero-day market in 2018. J. Cyber Policy 2019, 4, 60–71. [CrossRef]
8. Fang, B.; Lu, Q.; Pattabiraman, K.; Ripeanu, M.; Gurumurthi, S. ePVF: An enhanced program vulnerability factor methodology for cross-layer resilience analysis. In Proceedings of the 2016 46th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN), Toulouse, France, 28 June–1 July 2016; pp. 168–178.
9. Ambalavanan, V. Cyber threats detection and mitigation using machine learning. In Handbook of Research on Machine and Deep Learning Applications for Cyber Security; IGI Global: Hershey, PA, USA, 2020; pp. 132–14.
10. Nabi, S.; Rehman, S.U.; Fong, S.; Aziz, K. A model for implementing security at application level in service oriented architecture. J. Emerg. Technol. Web Intell. 2014, 6, 157–163. [CrossRef]
11. Craigen, D.; Diakun-Thibault, N.; Purse, R. Defining cybersecurity. Technol. Innov. Manag. Rev. 2014, 4, 13–21. [CrossRef]
12. He, S.; Zhu, J.; He, P.; Lyu, M.R. Experience report: System log analysis for anomaly detection. In Proceedings of the 2016 IEEE 27th International Symposium on Software Reliability Engineering (ISSRE), Ottawa, ON, Canada, 23–27 October 2016; pp. 207–218.
13. Al-Qatf, M.; Lasheng, Y.; Al-Habib, M.; Al-Sabahi, K. Deep learning approach combining sparse autoencoder with SVM for network intrusion detection. IEEE Access 2018, 6, 52843–52856. [CrossRef]
14. Hindy, H.; Brosset, D.; Bayne, E.; Seeam, A.K.; Tachtatzis, C.; Atkinson, R.; Bellekens, X. A taxonomy of network threats and the effect of current datasets on intrusion detection systems. IEEE Access 2020, 8, 104650–104675. [CrossRef]
15. Pan, K.; Rakhshani, E.; Palensky, P. False data injection attacks on hybrid AC/HVDC interconnected systems with virtual inertia—Vulnerability, impact and detection. IEEE Access 2020, 8, 141932–141945. [CrossRef]
16. Zoppi, T.; Ceccarelli, A.; Salani, L.; Bondavalli, A. On the educated selection of unsupervised algorithms via attacks and anomaly classes. J. Inf. Secur. Appl. 2020, 52, 102474. [CrossRef]
17. Hanselmann, M.; Strauss, T.; Dormann, K.; Ulmer, H. CANet: An unsupervised intrusion detection system for high dimensional CAN bus data. IEEE Access 2020, 8, 58194–58205. [CrossRef]
18. Latif, J.; Xiao, C.; Imran, A.; Tu, S. Medical imaging using machine learning and deep learning algorithms: A review. In Proceedings of the 2019 2nd International Conference on Computing, Mathematics and Engineering Technologies (iCoMET), Sukkur, Pakistan, 30–31 January 2019; pp. 1–5.
19. Latif, J.; Xiao, C.; Tu, S.; Rehman, S.U.; Imran, A.; Bilal, A. Implementation and use of disease diagnosis systems for electronic medical records based on machine learning: A complete review. IEEE Access 2020, 8, 150489–150513. [CrossRef]
20. Vargas, R.; Mosavi, A.; Ruiz, R. Deep learning: A review. Advances in Intelligent Systems and Computing 2017, 5, 1–10.
21. LeCun, Y.; Bengio, Y.; Hinton, G. Deep learning. Nature 2015, 521, 436–444. [CrossRef]
22. Biabani, S.A.; Tayyib, N.A. A Review on the Use of Machine Learning Against the Covid-19 Pandemic. Eng. Technol. Appl. Sci. Res. 2022, 12, 8039–8044. [CrossRef]
23. Chapman, C. Network Performance and Security: Testing and Analyzing Using Open Source and Low-Cost Tools; Syngress: Oxford, UK, 2016.
24. Singh, A.P. A study on zero day malware attack. Int. J. Adv. Res. Comput. Commun. Eng. 2017, 6, 391–392. [CrossRef]
25. Bilge, L.; Dumitraş, T. Before we knew it: An empirical study of zero-day attacks in the real world. In Proceedings of the 2012 ACM Conference on Computer and Communications Security, Raleigh, NC, USA, 16–18 October 2012; pp. 833–844.
26. Nguyen, T.T.; Reddi, V.J. Deep reinforcement learning for cyber security. IEEE Trans. Neural Netw. Learn. Syst. 2018. [CrossRef] [PubMed]
27. Metrick, K.; Najafi, P.; Semrau, J. Zero-Day Exploitation Increasingly Demonstrates Access to Money, Rather than Skill—Intelligence for Vulnerability Management. FireEye Technical Report. Available online: https://www.fireeye.com/blog/threat-research/2020/04/zero-day-exploitation-demonstrates-access-to-money-not-skill.html (accessed on 1 September 2022).
28. Xin, Y.; Kong, L.; Liu, Z.; Chen, Y.; Li, Y.; Zhu, H.; Gao, M.; Hou, H.; Wang, C. Machine learning and deep learning methods for cybersecurity. IEEE Access 2018, 6, 35365–35381. [CrossRef]
29. Albanese, M.; Jajodia, S.; Singhal, A.; Wang, L. An efficient approach to assessing the risk of zero-day vulnerabilities. In Proceedings of the 2013 International Conference on Security and Cryptography (SECRYPT), Reykjavik, Iceland, 29–31 July 2013; pp. 1–12.
30. Kaloudi, N.; Li, J. The AI-based cyber threat landscape: A survey. ACM Comput. Surv. (CSUR) 2020, 53, 1–34. [CrossRef]
31. Hindy, H.; Hodo, E.; Bayne, E.; Seeam, A.; Atkinson, R.; Bellekens, X. A taxonomy of malicious traffic for intrusion detection systems. In Proceedings of the 2018 International Conference on Cyber Situational Awareness, Data Analytics and Assessment (Cyber SA), Scotland, UK, 11–12 June 2018; pp. 1–4.
32. Khraisat, A.; Gondal, I.; Vamplew, P.; Kamruzzaman, J. Survey of intrusion detection systems: Techniques, datasets and challenges. Cybersecurity 2019, 2, 1–22. [CrossRef]
33. Palmieri, F. Network anomaly detection based on logistic regression of nonlinear chaotic invariants. J. Netw. Comput. Appl. 2019, 148, 102460. [CrossRef]
34. Duessel, P.; Gehl, C.; Flegel, U.; Dietrich, S.; Meier, M. Detecting zero-day attacks using context-aware anomaly detection at the application layer. Int. J. Inf. Secur. 2017, 16, 475–490. [CrossRef]
35. Moon, D.; Pan, S.B.; Kim, I. Host-based intrusion detection system for secure human-centric computing. J. Supercomput. 2016, 72, 2520–2536. [CrossRef]
36. Moustafa, N.; Choo, K.K.R.; Radwan, I.; Camtepe, S. Outlier Dirichlet mixture mechanism: Adversarial statistical learning for anomaly detection in the fog. IEEE Trans. Inf. Forensics Secur. 2019, 14, 1975–1987. [CrossRef]
37. Kaur, R.; Singh, M. A hybrid real-time zero-day attack detection and analysis system. Int. J. Comput. Netw. Inf. Secur. 2015, 7, 19–31. [CrossRef]
38. Khan, I.A.; Pi, D.; Khan, Z.U.; Hussain, Y.; Nawaz, A. HML-IDS: A hybrid-multilevel anomaly prediction approach for intrusion detection in SCADA systems. IEEE Access 2019, 7, 89507–89521. [CrossRef]
39. Sun, X.; Dai, J.; Liu, P.; Singhal, A.; Yen, J. Using Bayesian networks for probabilistic identification of zero-day attack paths. IEEE Trans. Inf. Forensics Secur. 2018, 13, 2506–2521. [CrossRef]
40. Bayoglu, B.; Sogukpinar, I. Graph based signature classes for detecting polymorphic worms via content analysis. Comput. Netw. 2012, 56, 832–844. [CrossRef]
41. Yichao, Z.; Tianyang, Z.; Xiaoyue, G.; Qingxian, W. An improved attack path discovery algorithm through compact graph planning. IEEE Access 2019, 7, 59346–59356. [CrossRef]
42. Grana, J.; Wolpert, D.; Neil, J.; Xie, D.; Bhattacharya, T.; Bent, R. A likelihood ratio anomaly detector for identifying within-perimeter computer network attacks. J. Netw. Comput. Appl. 2016, 66, 166–179. [CrossRef]
43. Wang, B.; Zheng, Y.; Lou, W.; Hou, Y.T. DDoS attack protection in the era of cloud computing and software-defined networking. Comput. Netw. 2015, 81, 308–319. [CrossRef]
44. Singh, U.K.; Joshi, C.; Kanellopoulos, D. A framework for zero-day vulnerabilities detection and prioritization. J. Inf. Secur. Appl. 2019, 46, 164–172. [CrossRef]
45. Abirami, S.; Chitra, P. Energy-efficient edge based real-time healthcare support system. In Advances in Computers; Elsevier: Amsterdam, The Netherlands, 2020; Volume 117, pp. 339–368.
46. Ma, L.; Chamberlain, R.D.; Buhler, J.D.; Franklin, M.A. Bloom filter performance on graphics engines. In Proceedings of the 2011 International Conference on Parallel Processing, Taipei, Taiwan, 13–16 September 2011; pp. 522–531.
47. Bloom, B.H. Space/time trade-offs in hash coding with allowable errors. Commun. ACM 1970, 13, 422–426. [CrossRef]
48. Harrison, A.B. Peer-to-Grid Computing: Spanning Diverse Service-Oriented Architectures; Cardiff University: Cardiff, UK, 2008.
49. Hochreiter, S.; Schmidhuber, J. Long short-term memory. Neural Comput. 1997, 9, 1735–1780. [CrossRef]
50. Jemal, I.; Haddar, M.A.; Cheikhrouhou, O.; Mahfoudhi, A. M-CNN: A new hybrid deep learning model for web security. In Proceedings of the 2020 IEEE/ACS 17th International Conference on Computer Systems and Applications (AICCSA), Antalya, Turkey, 2–5 November 2020; pp. 1–7.
51. Jemal, I.; Haddar, M.A.; Cheikhrouhou, O.; Mahfoudhi, A. Malicious http request detection using code-level convolutional neural network. In Proceedings of the International Conference on Risks and Security of Internet and Systems, Paris, France, 4–6 November 2020; Springer: Berlin/Heidelberg, Germany, 2021; pp. 317–324.
52. Welch, G.; Bishop, G. An Introduction to the Kalman Filter; ACM Inc.: New York, NY, USA, 1996.
53. Romera-Paredes, B.; Torr, P. An embarrassingly simple approach to zero-shot learning. In Proceedings of the International Conference on Machine Learning, PMLR, Lille, France, 6–11 July 2015; pp. 2152–2161.
54. Tax, D.M.J.; Duin, R.P.W. Support vector data description. Mach. Learn. 2004, 54, 45–66. [CrossRef]
55. Kebede, T.M.; Djaneye-Boundjou, O.; Narayanan, B.N.; Ralescu, A.; Kapp, D. Classification of malware programs using autoencoders based deep learning architecture and its application to the Microsoft malware classification challenge (BIG 2015) dataset. In Proceedings of the 2017 IEEE National Aerospace and Electronics Conference (NAECON), Dayton, OH, USA, 27–30 June 2017; pp. 70–75.
56. Fukushima, K. Neocognitron: A hierarchical neural network capable of visual pattern recognition. Neural Netw. 1988, 1, 119–130. [CrossRef]
57. Albawi, S.; Mohammed, T.A.; Al-Zawi, S. Understanding of a convolutional neural network. In Proceedings of the 2017 International Conference on Engineering and Technology (ICET), Antalya, Turkey, 21–23 August 2017; pp. 1–6.
58. Wallach, I.; Dzamba, M.; Heifets, A. AtomNet: A deep convolutional neural network for bioactivity prediction in structure-based drug discovery. arXiv 2015, arXiv:1510.02855.
59. Ren, H.; Xu, B.; Wang, Y.; Yi, C.; Huang, C.; Kou, X.; Xing, T.; Yang, M.; Tong, J.; Zhang, Q. Time-series anomaly detection service at Microsoft. In Proceedings of the 25th ACM SIGKDD International Conference on Knowledge Discovery & Data Mining, Anchorage, AK, USA, 4–8 August 2019; pp. 3009–3017.
60. Vinayakumar, R.; Soman, K.; Poornachandran, P. Applying convolutional neural network for network intrusion detection. In Proceedings of the 2017 International Conference on Advances in Computing, Communications and Informatics (ICACCI), Manipal, India, 13–16 September 2017; pp. 1222–1228.
61. Zeiler, M.D.; Fergus, R. Visualizing and understanding convolutional networks. In Proceedings of the European Conference on Computer Vision, Zurich, Switzerland, 8–11 September 2014; Springer: Berlin/Heidelberg, Germany, 2014; pp. 818–833.
62. Szegedy, C.; Liu, W.; Jia, Y.; Sermanet, P.; Reed, S.; Anguelov, D.; Erhan, D.; Vanhoucke, V.; Rabinovich, A. Going deeper with convolutions. In Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition, Boston, MA, USA, 7–12 June 2015; pp. 1–9.
63. He, K.; Zhang, X.; Ren, S.; Sun, J. Deep residual learning for image recognition. In Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition, Las Vegas, NV, USA, 27–30 June 2016; pp. 770–778.
64. Marsland, S. Machine Learning: An Algorithmic Perspective; Chapman and Hall/CRC: Boca Raton, FL, USA, 2011.
65. Granter, S.R.; Beck, A.H.; Papke, D.J., Jr. AlphaGo, deep learning, and the future of the human microscopist. Arch. Pathol. Lab. Med. 2017, 141, 619–621. [CrossRef]
66. Chen, J.X. The evolution of computing: AlphaGo. Comput. Sci. Eng. 2016, 18, 4–7. [CrossRef]
67. Xu, X.; Xie, T. A reinforcement learning approach for host-based intrusion detection using sequences of system calls. In Proceedings of the International Conference on Intelligent Computing; Springer: Berlin/Heidelberg, Germany, 2005; pp. 995–1003.
68. Xu, X.; Sun, Y.; Huang, Z. Defending DDoS attacks using hidden Markov models and cooperative reinforcement learning. In Proceedings of the Pacific-Asia Workshop on Intelligence and Security Informatics; Springer: Berlin/Heidelberg, Germany, 2007; pp. 196–207.
69. Smadi, S.; Aslam, N.; Zhang, L. Detection of online phishing email using dynamic evolving neural network based on reinforcement learning. Decis. Support Syst. 2018, 107, 88–102. [CrossRef]
70. Feng, M.; Xu, H. Deep reinforcement learning based optimal defense for cyber-physical system in presence of unknown cyber attack. In Proceedings of the 2017 IEEE Symposium Series on Computational Intelligence (SSCI), Honolulu, HI, USA, 27 November–1 December 2017; pp. 1–8.
71. Baek, J.; Choi, Y. Deep neural network for predicting ore production by truck-haulage systems in open-pit mines. Appl. Sci. 2020, 10, 1657. [CrossRef]
72. Feng, C.; Li, T.; Chana, D. Multi-level anomaly detection in industrial control systems via package signatures and LSTM networks. In Proceedings of the 2017 47th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN), Denver, CO, USA, 26–28 June 2017; pp. 261–272.
73. Jagtap, S.S.; Sriram, S.V.; Subramaniyaswamy, V. A hypergraph based Kohonen map for detecting intrusions over cyber-physical systems traffic. Future Gener. Comput. Syst. 2021, 119, 84–109. [CrossRef]
74. Alauthman, M.; Aslam, N.; Al-Kasassbeh, M.; Khan, S.; Al-Qerem, A.; Choo, K.K.R. An efficient reinforcement learning-based Botnet detection approach. J. Netw. Comput. Appl. 2020, 150, 102478. [CrossRef]
75. Tavallaee, M.; Bagheri, E.; Lu, W.; Ghorbani, A.A. A detailed analysis of the KDD CUP 99 data set. In Proceedings of the 2009 IEEE Symposium on Computational Intelligence for Security and Defense Applications, Ottawa, ON, Canada, 8–10 July 2009.
76. Sarhan, M.; Layeghy, S.; Gallagher, M.; Portmann, M. From Zero-Shot Machine Learning to Zero-Day Attack Detection. arXiv 2021, arXiv:2109.14866.
77. Shaukat, K.; Luo, S.; Varadharajan, V.; Hameed, I.A.; Xu, M. A survey on machine learning techniques for cyber security in the last decade. IEEE Access 2020, 8, 222310–222354. [CrossRef]
78. Sterman, J. Business Dynamics; Irwin/McGraw-Hill: Irvine, CA, USA, 2010.
79. RM, S.P.; Maddikunta, P.K.R.; Parimala, M.; Koppu, S.; Gadekallu, T.R.; Chowdhary, C.L.; Alazab, M. An effective feature engineering for DNN using hybrid PCA-GWO for intrusion detection in IoMT architecture. Comput. Commun. 2020, 160, 139–149.
80. Javed, A.R.; Usman, M.; Rehman, S.U.; Khan, M.U.; Haghighi, M.S. Anomaly detection in automated vehicles using multistage attention-based convolutional neural network. IEEE Trans. Intell. Transp. Syst. 2020, 22, 4291–4300. [CrossRef]
81. Blaise, A.; Bouet, M.; Conan, V.; Secci, S. Detection of zero-day attacks: An unsupervised port-based approach. Comput. Netw. 2020, 180, 107391. [CrossRef]
82. Hindy, H.; Atkinson, R.; Tachtatzis, C.; Colin, J.N.; Bayne, E.; Bellekens, X. Utilising deep learning techniques for effective zero-day attack detection. Electronics 2020, 9, 1684. [CrossRef]
83. Sameera, N.; Shashi, M. Deep transductive transfer learning framework for zero-day attack detection. ICT Express 2020, 6, 361–367. [CrossRef]
84. Vinayakumar, R.; Alazab, M.; Soman, K.; Poornachandran, P.; Venkatraman, S. Robust intelligent malware detection using deep learning. IEEE Access 2019, 7, 46717–46738. [CrossRef]
85. Vercruyssen, V.; Meert, W.; Davis, J. Transfer learning for time series anomaly detection. In Proceedings of the Workshop and Tutorial on Interactive Adaptive Learning, ECML-PKDD 2017, CEUR Workshop Proceedings, Skopje, Macedonia, 18 September 2017; Volume 1924, pp. 27–37.
86. Sameera, N.; Shashi, M. Transfer learning based prototype for zero-day attack detection. Int. J. Eng. Adv. Technol. (IJEAT) 2019, 8, 1325–1328.
87. Kim, J.Y.; Bu, S.J.; Cho, S.B. Zero-day malware detection using transferred generative adversarial networks based on deep autoencoders. Inf. Sci. 2018, 460, 83–102. [CrossRef]
88. Diro, A.A.; Chilamkurti, N. Distributed attack detection scheme using deep learning approach for Internet of Things. Future Gener. Comput. Syst. 2018, 82, 761–768. [CrossRef]
89. Saied, A.; Overill, R.E.; Radzik, T. Detection of known and unknown DDoS attacks using Artificial Neural Networks. Neurocomputing 2016, 172, 385–393. [CrossRef]
90. Ur Rehman, S.; Khaliq, M.; Imtiaz, S.I.; Rasool, A.; Shafiq, M.; Javed, A.R.; Jalil, Z.; Bashir, A.K. DIDDOS: An approach for detection and identification of distributed denial of service (DDoS) cyberattacks using gated recurrent units (GRU). Future Gener. Comput. Syst. 2021, 118, 453–466. [CrossRef]
91. Javed, A.R.; Ur Rehman, S.; Khan, M.U.; Alazab, M.; Reddy, T. CANintelliIDS: Detecting in-vehicle intrusion attacks on a controller area network using CNN and attention-based GRU. IEEE Trans. Netw. Sci. Eng. 2021, 8, 1456–1466. [CrossRef]
92. Afek, Y.; Bremler-Barr, A.; Feibish, S.L. Zero-day signature extraction for high-volume attacks. IEEE/ACM Trans. Netw. 2019, 27, 691–706. [CrossRef]
93. More, P.; Mishra, P. Enhanced-PCA based dimensionality reduction and feature selection for real-time network threat detection. Eng. Technol. Appl. Sci. Res. 2020, 10, 6270–6278. [CrossRef]
94. Balamurugan, V.; Saravanan, R. Enhanced intrusion detection and prevention system on cloud environment using hybrid classification and OTS generation. Clust. Comput. 2019, 22, 13027–13038. [CrossRef]
95. Jameel, S.; Rehman, S.U. An optimal feature selection method using a modified wrapper-based ant colony optimisation. J. Natl. Sci. Found. Sri Lanka 2018, 46, 143–151. [CrossRef]
96. Yavanoglu, O.; Aydos, M. A review on cyber security datasets for machine learning algorithms. In Proceedings of the 2017 IEEE International Conference on Big Data (Big Data), Boston, MA, USA, 11–14 December 2017; pp. 2186–2193.
97. Van Wyk, F.; Wang, Y.; Khojandi, A.; Masoud, N. Real-time sensor anomaly detection and identification in automated vehicles. IEEE Trans. Intell. Transp. Syst. 2019, 21, 1264–1276. [CrossRef]
98. Usman, N.; Usman, S.; Khan, F.; Jan, M.A.; Sajid, A.; Alazab, M.; Watters, P. Intelligent dynamic malware detection using machine learning in IP reputation for forensics data analytics. Future Gener. Comput. Syst. 2021, 118, 124–141. [CrossRef]
99. Mansouri, A.; Majidi, B.; Shamisa, A. Metaheuristic neural networks for anomaly recognition in industrial sensor networks with packet latency and jitter for smart infrastructures. Int. J. Comput. Appl. 2021, 43, 257–266. [CrossRef]
100. Nedeljkovic, D.; Jakovljevic, Z. CNN based method for the development of cyber-attacks detection algorithms in industrial control systems. Comput. Secur. 2022, 114, 102585. [CrossRef]
101. Zoppi, T.; Ceccarelli, A. Prepare for trouble and make it double! Supervised–Unsupervised stacking for anomaly-based intrusion detection. J. Netw. Comput. Appl. 2021, 189, 103106. [CrossRef]
102. Bu, S.J.; Cho, S.B. Integrating deep learning with first-order logic programmed constraints for zero-day phishing attack detection. In Proceedings of the ICASSP 2021–2021 IEEE International Conference on Acoustics, Speech and Signal Processing (ICASSP), Toronto, ON, Canada, 6–11 June 2021; pp. 2685–2689.
103. Bose, B.; Avasarala, B.; Tirthapura, S.; Chung, Y.Y.; Steiner, D. Detecting insider threats using RADISH: A system for real-time anomaly detection in heterogeneous data streams. IEEE Syst. J. 2017, 11, 471–482. [CrossRef]
104. Lo, O.; Buchanan, W.J.; Griffiths, P.; Macfarlane, R. Distance measurement methods for improved insider threat detection. Secur. Commun. Netw. 2018, 2018, 5906368. [CrossRef]
105. Al-Mhiqani, M.N.; Ahmad, R.; Abidin, Z.Z.; Abdulkareem, K.H.; Mohammed, M.A.; Gupta, D.; Shankar, K. A new intelligent multilayer framework for insider threat detection. Comput. Electr. Eng. 2022, 97, 107597. [CrossRef]
106. Kunang, Y.N.; Nurmaini, S.; Stiawan, D.; Zarkasi, A. Automatic features extraction using autoencoder in intrusion detection system. In Proceedings of the 2018 International Conference on Electrical Engineering and Computer Science (ICECOS), Pangkal Pinang, Indonesia, 2–4 October 2018; pp. 219–224.