Method for network traffic anomaly detection in small information systems based on behavioral microprofiles
The scientific journal Modeling, Optimization and Information Technology
Online media
ISSN 2310-6018

A method for network traffic anomaly detection in small information systems based on behavioral microprofiles

Albekova Z.M., Okolelova A.F., Shapetin M.A., Egorov P.V., Bakunov A.A.

UDC 004.023
DOI: 10.26102/2310-6018/2026.57.6.006


Small information systems – corporate networks of small and medium-sized enterprises, departmental local area networks, and specialized automated control systems – are vulnerable to automated credential brute-force attacks over FTP and SSH protocols, as they possess limited computational resources and personnel capacity to deploy full-scale security solutions. This paper proposes a semi-supervised network traffic anomaly detection method with minimal labelling requirements, which models normal user behavior through behavioral microprofiles – robust statistical descriptions of typical network activity modes derived by adaptive K-Means clustering of TCP flows. Each profile is defined by a median and scaled median absolute deviation pair, while the anomaly score of a new flow is computed as a weighted Z-score relative to the profile of its nearest cluster. Feature weights are determined using the Kolmogorov–Smirnov statistic, and the number of clusters is selected by a ROC-curve area saturation criterion. Experimental evaluation on the publicly available CICIDS2017 dataset for FTP-Patator and SSH-Patator attacks demonstrated that the proposed method substantially outperforms classical unsupervised detectors – Isolation Forest, Local Outlier Factor, and One-Class SVM – both in ranking ability and in the proportion of true alarms. The key practical finding is the method's effectiveness in a deployment mode that requires no labelling on the target system: feature selection is performed once using publicly available attack data, after which profile construction and threshold calibration proceed without any labels. Under these conditions, the method detects more than three quarters of credential brute-force attempts, whereas competing methods under identical conditions produce virtually no detections.
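The pipeline the abstract describes, written out as an added illustration that is not code from the paper or its authors: feature weights from the two-sample Kolmogorov–Smirnov statistic computed once against a public attack sample, K-Means clustering of unlabelled normal flows into behavioral microprofiles (a median / scaled-MAD pair per cluster), a weighted robust Z-score against the nearest profile, and a threshold calibrated without labels from the scores of the normal training flows. The flow features (duration, packet count, bytes per packet), the three constructed activity modes, the fixed choice k = 3 in place of the paper's ROC-area saturation criterion, and the combination rule (weighted sum of per-feature absolute robust Z-scores) are all assumptions of this example, not details taken from the paper.

```python
import random
import statistics
from typing import List, Sequence, Tuple

# Constructed flow features: (duration in seconds, packet count, bytes per packet).
Flow = Tuple[float, float, float]

MAD_SCALE = 1.4826  # scaled MAD: consistent with sigma for Gaussian data
EPS = 1e-6          # floor so that a degenerate feature never divides by zero


def sq_dist(a: Sequence[float], b: Sequence[float]) -> float:
    return sum((x - y) ** 2 for x, y in zip(a, b))


def median_smad(values: Sequence[float]) -> Tuple[float, float]:
    """Robust location/scale pair: median and scaled median absolute deviation."""
    med = statistics.median(values)
    mad = statistics.median(abs(v - med) for v in values)
    return med, max(MAD_SCALE * mad, EPS)


def ks_statistic(a: Sequence[float], b: Sequence[float]) -> float:
    """Two-sample Kolmogorov-Smirnov statistic: largest gap between the empirical CDFs."""
    a_s, b_s = sorted(a), sorted(b)
    i = j = 0
    best = 0.0
    for p in sorted(set(a_s) | set(b_s)):
        while i < len(a_s) and a_s[i] <= p:
            i += 1
        while j < len(b_s) and b_s[j] <= p:
            j += 1
        best = max(best, abs(i / len(a_s) - j / len(b_s)))
    return best


def feature_weights(normal: List[Flow], public_attack: List[Flow]) -> List[float]:
    """Per-feature KS statistic between normal and public attack flows, normalised to sum to 1.
    This is the only step that sees labelled data, and it runs once."""
    ks = [ks_statistic([f[j] for f in normal], [f[j] for f in public_attack]) for j in range(3)]
    total = sum(ks) or 1.0
    return [k / total for k in ks]


def kmeans(points: List[Flow], k: int, seed: int = 0, restarts: int = 5) -> List[int]:
    """Lloyd's K-Means with k-means++ seeding; keeps the restart with the lowest inertia."""
    rng = random.Random(seed)
    best_labels, best_inertia = [], float("inf")
    for _ in range(restarts):
        centers = [rng.choice(points)]
        while len(centers) < k:  # k-means++: sample proportionally to squared distance
            d2 = [min(sq_dist(p, c) for c in centers) for p in points]
            r, acc = rng.random() * sum(d2), 0.0
            for p, d in zip(points, d2):
                acc += d
                if acc >= r:
                    centers.append(p)
                    break
        labels = [-1] * len(points)
        for _iteration in range(100):
            new = [min(range(k), key=lambda c: sq_dist(p, centers[c])) for p in points]
            if new == labels:
                break
            labels = new
            for c in range(k):
                members = [p for p, lab in zip(points, labels) if lab == c]
                if members:
                    centers[c] = tuple(statistics.fmean(col) for col in zip(*members))
        inertia = sum(sq_dist(p, centers[lab]) for p, lab in zip(points, labels))
        if inertia < best_inertia:
            best_labels, best_inertia = labels, inertia
    return best_labels


def robust_scaler(flows: List[Flow]):
    return [median_smad([f[j] for f in flows]) for j in range(3)]


def scale(flow: Sequence[float], scaler) -> Tuple[float, ...]:
    return tuple((x - m) / s for x, (m, s) in zip(flow, scaler))


def build_profiles(train: List[Flow], k: int, seed: int = 0):
    """Cluster unlabelled normal flows; each cluster becomes a (median, scaled-MAD) microprofile."""
    scaler = robust_scaler(train)
    labels = kmeans([scale(f, scaler) for f in train], k, seed)
    profiles = []
    for c in range(k):
        members = [f for f, lab in zip(train, labels) if lab == c]
        if not members:
            continue
        stats = [median_smad([f[j] for f in members]) for j in range(3)]
        profiles.append((tuple(m for m, _ in stats), tuple(s for _, s in stats)))
    return profiles, scaler


def anomaly_score(flow: Flow, profiles, scaler, weights: List[float]) -> float:
    """Weighted robust Z-score of a flow against its nearest microprofile."""
    s = scale(flow, scaler)
    med, smad = min(profiles, key=lambda p: sq_dist(s, scale(p[0], scaler)))
    return sum(w * abs(x - m) / d for w, x, m, d in zip(weights, flow, med, smad))


def calibrate_threshold(scores: List[float], quantile: float = 0.99) -> float:
    """Label-free threshold: a high quantile of the scores of the normal training flows."""
    s = sorted(scores)
    return s[min(len(s) - 1, int(quantile * len(s)))]


def make_flows(rng: random.Random, n: int, duration: float, packets: int, bpp: float,
               spread: float = 0.1) -> List[Flow]:
    """Constructed sample flows around one activity mode (not real traffic)."""
    return [(max(0.01, rng.gauss(duration, spread * duration)),
             max(1.0, float(round(rng.gauss(packets, spread * packets)))),
             max(1.0, rng.gauss(bpp, spread * bpp))) for _ in range(n)]


def normal_traffic(rng: random.Random, n_per_mode: int) -> List[Flow]:
    return (make_flows(rng, n_per_mode, 120.0, 400, 90.0)      # interactive SSH sessions
            + make_flows(rng, n_per_mode, 15.0, 3000, 1400.0)  # bulk FTP transfers
            + make_flows(rng, n_per_mode, 5.0, 40, 120.0))     # short admin logins


def run_demo(seed: int = 7) -> dict:
    rng = random.Random(seed)
    train = normal_traffic(rng, 300)
    held_out = normal_traffic(rng, 100)
    public_attack = make_flows(rng, 200, 0.2, 10, 90.0)  # stands in for a public attack sample
    target_attack = make_flows(rng, 200, 0.2, 10, 90.0)  # brute-force flows on the target system
    weights = feature_weights(train, public_attack)      # labelled step, done once
    profiles, scaler = build_profiles(train, k=3, seed=seed)  # unlabelled
    thr = calibrate_threshold([anomaly_score(f, profiles, scaler, weights) for f in train])
    flagged = lambda fl: anomaly_score(fl, profiles, scaler, weights) > thr
    return {
        "weights": weights,
        "clusters": len(profiles),
        "threshold": thr,
        "detection_rate": sum(map(flagged, target_attack)) / len(target_attack),
        "false_alarm_rate": sum(map(flagged, held_out)) / len(held_out),
    }


if __name__ == "__main__":
    print(run_demo())
```

In this constructed setting the bytes-per-packet feature overlaps between brute-force attempts and interactive sessions, so its KS statistic, and hence its weight, comes out lower than those of duration and packet count; the short, low-volume login attempts land in the "short admin logins" profile and score far above the label-free threshold, which is the behaviour the abstract attributes to the method.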


Albekova Zamira Mukhamedalievna
Candidate of Pedagogical Sciences, Docent

North-Caucasus Federal University

Stavropol, Russian Federation

Okolelova Anastasiia Fedorovna

North-Caucasus Federal University

Stavropol, Russian Federation

Shapetin Maxim Alekseevich

North-Caucasus Federal University

Stavropol, Russian Federation

Egorov Pavel Valerievich

North-Caucasus Federal University

Stavropol, Russian Federation

Bakunov Artem Andreevich

North-Caucasus Federal University

Stavropol, Russian Federation

Keywords: anomaly detection, network traffic, behavioral microprofiles, MAD statistics, k-Means, brute-force attacks, CICIDS2017, small information systems

For citation: Albekova Z.M., Okolelova A.F., Shapetin M.A., Egorov P.V., Bakunov A.A. A method for network traffic anomaly detection in small information systems based on behavioral microprofiles. Modeling, Optimization and Information Technology. 2026;14(6). URL: https://moitvivt.ru/ru/journal/article?id=2348 DOI: 10.26102/2310-6018/2026.57.6.006 (In Russ.).

© Albekova Z.M., Okolelova A.F., Shapetin M.A., Egorov P.V., Bakunov A.A. The article is published under the terms of the Creative Commons Attribution-NonCommercial 4.0 International license (CC BY-NC 4.0).
Received 20.04.2026

Revised 05.06.2026

Accepted 14.06.2026