From baselines to breakthroughs : fundamentals and applications of machine learning in cybersecurity

Our digital society is increasingly dependent on online services, used by individuals, businesses, and governments. While this brings many benefits, it also creates vulnerabilities to cyberattacks such as phishing, malware, and denial-of-service. Traditional methods like signature-based detection are struggling to keep up with increasingly sophisticated threats. Cybercriminals exploit weaknesses in systems, networks, and human behavior, making static defenses less effective. Advanced threat detection techniques are therefore crucial to modern cybersecurity. Machine learning (ML), a branch of artificial intelligence, offers strong potential for improving cyber threat detection. ML enables systems to identify patterns in data and make predictions without being explicitly programmed. In cybersecurity, data sources like network traffic logs can reveal attack patterns and detect malicious activity more effectively than conventional approaches. However, challenges remain. Most network traffic is benign, creating a strong class imbalance, and many data points lack labels indicating whether they are malicious. Despite these issues, continuous developments in ML are helping overcome such limitations. This dissertation explores both theoretical and practical applications of ML in cybersecurity. It consists of three parts: baseline methods, intrusion detection, and learning and breakthroughs. Each section addresses key challenges in the development and evaluation of ML-based security systems. Chapter 2 introduces the Dutch Draw (DD), a general-purpose baseline for evaluating binary classifiers. Evaluation metrics like accuracy can be misleading without a reference point. The DD provides a simple, universal benchmark that any meaningful model should surpass. It offers clarity in model evaluation and ensures that performance scores are properly contextualized. Chapter 3 expands on this by studying all input-independent binary classification baselines. These models do not rely on data features. The concept of average-permutation-optimality is introduced to measure the expected performance when data and predictions are randomly ordered. The DD is shown to outperform all other such baselines for any order-invariant evaluation metric, confirming it as the preferred standard. Chapter 4 focuses on the ability of classifiers to detect known and novel variants of cyberattacks, especially distributed denial-of-service (DDoS) and HTTP-based web attacks. It describes how datasets are constructed using features from multiple network layers and presents three experiments: detecting known attacks, detecting unseen variants, and evaluating training with multiple attack types. Results show that classifiers perform well on known threats and can sometimes detect new variants, though not always symmetrically. Training on more attack types does not always improve results, suggesting that carefully selected examples may be more effective. The DD baseline is again used for benchmarking. Chapter 5 introduces the Dutch Scaler (DS), a new performance indicator that measures how much a model has actually learned. The Dutch Scaler Performance Indicator (DSPI) maps evaluation scores between two fixed points: the DD (representing no learning) and the Dutch Oracle (an approximation of an optimal model). This approach enables more meaningful interpretation of model scores and can be extended to other types of ML problems, such as multi-class classification and regression. Chapter 6 presents ULTRA, a framework designed to tackle the cold-start problem in cybersecurity, where labeled data is scarce in new environments. ULTRA combines active and transfer learning by aligning source and target data in a shared space while selecting the most informative instances. It performs well in cold-start scenarios and shows robustness to domain shifts. However, it assumes a shared feature space between source and target domains. Future work should address this limitation and optimize parameter tuning for better adaptability. This dissertation provides valuable contributions to both the theory and practice of machine learning in cybersecurity, aiming to support data scientists and security professionals in building more reliable and effective detection systems.

• View at Worldcat

Free Full Text ( Final Version , 11mb )