Prepare for trouble and make it double! Supervised – Unsupervised stacking for anomaly-based intrusion detection
Journal of Network and Computer Applications (IF 8.7), Pub Date: 2021-06-12, DOI: 10.1016/j.jnca.2021.103106
Tommaso Zoppi, Andrea Ceccarelli

In the last decades, researchers, practitioners and companies have struggled to devise mechanisms that detect the malicious activities behind security threats. Among the many solutions, network intrusion detection emerged as one of the most popular: it analyses network traffic and detects ongoing intrusions either through rules or by means of Machine Learners (MLs), which process the traffic and learn a model that flags suspected intrusions. Supervised MLs are very effective at detecting known threats but struggle to identify zero-day attacks (unknown during the learning phase), which can instead be detected by unsupervised MLs. Consequently, supervised and unsupervised MLs have complementary strengths and weaknesses. Unfortunately, there are no definitive answers on the combined use of both approaches for network intrusion detection. In this paper we first expand on the problem of zero-day attacks and motivate the need to combine supervised and unsupervised algorithms. We propose the adoption of meta-learning, in the form of a two-layer Stacker, to create a mixed approach that detects both known and unknown threats. We then implement and empirically evaluate our Stacker through an experimental campaign that allows us to i) discuss meta-features crafted through unsupervised base-level learners, ii) select the most promising supervised meta-level classifiers, and iii) benchmark the classification scores of the Stacker against supervised and unsupervised classifiers. Last, we compare our solution with existing works from the recent literature. Overall, our Stacker reduces misclassifications with respect to (un)supervised ML algorithms in all 7 public datasets we considered, and outperforms existing studies in 6 of those 7 datasets. In particular, it turns out to be more effective than supervised algorithms at detecting zero-day attacks, limiting their main weakness while still maintaining adequate capabilities in detecting known attacks.
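The two-layer design described in the abstract, as an added illustration that is not the authors' code or data: two simple unsupervised base-level learners (centroid distance and k-nearest-neighbour distance, fitted without labels) turn each record into meta-features, and a supervised nearest-neighbour classifier at the meta level learns from labelled known attacks how to read those scores. The 2-D "traffic" records, the unseen zero-day family and the learner choices are all constructed here; the paper evaluates different algorithms on real datasets.

```python
import math

# Constructed records: normal traffic around (0,0), one known attack family
# around (5,0). A zero-day family around (0,5) never appears in training.
NORMAL_TRAIN = [(i / 10, j / 10) for i in range(-2, 3) for j in range(-2, 3)]
KNOWN_ATTACK_TRAIN = [(5 + i / 10, 0.0) for i in range(-2, 3)]
TRAIN = [(p, 0) for p in NORMAL_TRAIN] + [(p, 1) for p in KNOWN_ATTACK_TRAIN]


def dist(a, b):
    return math.hypot(a[0] - b[0], a[1] - b[1])


# --- base level: unsupervised learners, fitted on unlabelled records -------
def fit_centroid(pool):
    return (sum(p[0] for p in pool) / len(pool), sum(p[1] for p in pool) / len(pool))


def centroid_score(p, centroid):
    return dist(p, centroid)  # how far the record sits from the bulk of traffic


def knn_score(p, pool, k=3):
    # Mean distance to the k nearest training records; a training record
    # skips itself so it is not scored against its own copy.
    ds = sorted(dist(p, q) for q in pool if q is not p)
    return sum(ds[:k]) / k


def meta_features(p, centroid, pool):
    return (centroid_score(p, centroid), knn_score(p, pool))


# --- meta level: supervised 1-NN classifier over the meta-features ---------
def nn_predict(x, rows):
    return min(rows, key=lambda r: dist(x, r[0]))[1]


def train_stacker(train):
    pool = [p for p, _ in train]
    centroid = fit_centroid(pool)
    meta_rows = [(meta_features(p, centroid, pool), y) for p, y in train]
    return lambda p: nn_predict(meta_features(p, centroid, pool), meta_rows)


def supervised_predict(p, train=TRAIN):
    return nn_predict(p, train)  # baseline: the same learner on raw features


STACKER = train_stacker(TRAIN)

if __name__ == "__main__":
    for name, rec in [("normal", (0.05, -0.05)), ("known", (5.05, 0.1)), ("zero-day", (0.0, 5.0))]:
        print(name, "supervised:", supervised_predict(rec), "stacker:", STACKER(rec))
```

The zero-day record is nearest to the normal cluster in raw feature space, so the supervised baseline labels it normal, while its high unsupervised scores place it next to the labelled known attacks in meta-feature space.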




Updated: 2021-06-13