THE POTENTIAL OF THE ISOLATION FOREST METHOD FOR ANOMALY DETECTION IN NETWORK TRAFFIC

Authors

DOI:

https://doi.org/10.31891/2307-5732-2025-349-25

Keywords:

anomaly detection, Isolation Forest, network traffic, machine learning, cybersecurity, network security, anomaly detection algorithms, SHAP, TreeSHAP, KernelSHAP

Abstract

The article applies the Isolation Forest method to anomaly detection in network traffic and explains its results with the SHAP method. As traditional methods for detecting cyber threats, such as signature-based and heuristic approaches, lose their effectiveness with the growing volume of data and the increasing complexity of attacks, machine learning methods such as Isolation Forest become more important. Isolation Forest detects anomalies without pre-labelled data, which makes it a powerful tool for analysing large and complex datasets. However, the method has limitations in terms of result interpretability. To address this issue, the SHAP method was used, which helps to understand which specific features influence the model's decision.

The article discusses the stages of preprocessing network traffic data, including cleaning, aggregation, and feature selection, which help improve accuracy and reduce noise levels. The CICIDS2017 dataset, which contains real network traffic with cyber threats, including port scanning, was used to test the method. The results showed the effectiveness of the Isolation Forest method in detecting anomalous sessions. Two SHAP approaches were used to explain the results: KernelSHAP and TreeSHAP, both of which assess the impact of each feature on the anomaly score. A comparison of these methods helps identify their strengths and weaknesses in terms of the explainability of anomaly detection results.

Additionally, the article discusses the challenges associated with using Isolation Forest in real-world conditions, particularly the selection of optimal model parameters, which significantly impact the accuracy and effectiveness of anomaly detection. The conclusions drawn can be useful for cybersecurity professionals working on creating effective anomaly detection systems for network traffic and developing new approaches to data analysis in real-world scenarios.
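As an added illustration of the detection stage the abstract describes (not code from the article or its authors), the block below implements the Isolation Forest scoring rule from scratch and runs it on constructed per-source session aggregates of the kind one would derive from CICIDS2017 flows; the feature set, the sample values and the port-scan-like session are assumptions chosen for the example.

```python
"""Isolation Forest on aggregated network-session features (added example)."""
import math
import random

# Constructed per-source aggregates, NOT real CICIDS2017 values:
# (flow_count, distinct_dst_ports, mean_bytes_per_flow, mean_duration_s).
SESSIONS = [
    (40, 3, 5200, 2.1), (35, 2, 4800, 1.9), (52, 4, 6100, 2.4),
    (28, 2, 4300, 1.7), (45, 3, 5600, 2.0), (38, 3, 5000, 2.2),
    (41, 2, 5100, 1.8), (33, 3, 4700, 2.3), (49, 4, 5900, 2.5),
    (36, 2, 4900, 2.0), (44, 3, 5300, 1.9), (30, 2, 4400, 2.1),
    (950, 820, 60, 0.01),  # port-scan-like: many short flows to many ports
]

def c(n):
    """Average path length of an unsuccessful BST search, used to normalise depths."""
    if n <= 1:
        return 0.0
    if n == 2:
        return 1.0
    return 2.0 * (math.log(n - 1) + 0.5772156649) - 2.0 * (n - 1) / n

def build_tree(rows, rng, depth, max_depth):
    """Isolate rows with random (feature, split) cuts until a leaf or max depth."""
    if depth >= max_depth or len(rows) <= 1:
        return ("leaf", len(rows))
    f = rng.randrange(len(rows[0]))
    lo, hi = min(r[f] for r in rows), max(r[f] for r in rows)
    if lo == hi:                      # feature cannot separate these rows
        return ("leaf", len(rows))
    split = rng.uniform(lo, hi)
    left = [r for r in rows if r[f] < split]
    right = [r for r in rows if r[f] >= split]
    return ("node", f, split, build_tree(left, rng, depth + 1, max_depth),
            build_tree(right, rng, depth + 1, max_depth))

def path_length(tree, x, depth=0):
    """Depth at which x is isolated; unresolved leaves add the expected c(size)."""
    if tree[0] == "leaf":
        return depth + c(tree[1])
    _, f, split, left, right = tree
    return path_length(left if x[f] < split else right, x, depth + 1)

def anomaly_scores(rows, n_trees=100, sample_size=8, seed=7):
    """Scores in (0, 1): short average paths (score near 1) mean anomalous."""
    rng = random.Random(seed)
    max_depth = math.ceil(math.log2(sample_size))
    trees = [build_tree(rng.sample(rows, sample_size), rng, 0, max_depth)
             for _ in range(n_trees)]
    return [2 ** (-(sum(path_length(t, x) for t in trees) / n_trees) / c(sample_size))
            for x in rows]
```

Sessions are ranked by `anomaly_scores`; the port-scan-like aggregate is isolated in one or two cuts on almost every tree, so it receives the highest score while the normal sessions cluster near 0.5.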

Published

2025-03-27

How to Cite

KYRYK, M., PLESKANKA, N., & RIY, A. (2025). THE POTENTIAL OF THE ISOLATION FOREST METHOD FOR ANOMALY DETECTION IN NETWORK TRAFFIC. Herald of Khmelnytskyi National University. Technical Sciences, 349(2), 171-177. https://doi.org/10.31891/2307-5732-2025-349-25