Toward Real Time Cyber Intrusion Detection Without Labeled Attack Data

Authors

  • Zhiyuan He, Department of Computer Science, North Carolina State University, USA
  • Ruiqiang Dong, Department of Computer Science, North Carolina State University, USA
  • Mateusz Nowak, Department of Computer Science, AGH University of Science and Technology, Poland

DOI:

https://doi.org/10.71465/fias683

Keywords:

intrusion detection system, unsupervised learning, autoencoder, anomaly detection, zero-day attack, network traffic analysis, real-time detection, deep learning

Abstract

The rapid proliferation of networked systems has intensified the demand for cyber intrusion detection mechanisms capable of operating under conditions where labeled attack data are unavailable or insufficient. Conventional supervised intrusion detection systems (IDS) depend heavily on curated datasets annotated with specific attack categories—a requirement that becomes impractical in dynamic threat environments characterized by zero-day exploits and continuously mutating attack strategies. This paper proposes and evaluates an unsupervised deep learning framework for real-time cyber intrusion detection that dispenses entirely with labeled attack samples during training. The architecture centers on a variational autoencoder (VAE) trained exclusively on normal traffic representations, supplemented by an adaptive statistical thresholding module that identifies anomalous deviations from the learned normal distribution. A multi-stage feature extraction pipeline processes raw network flow records into a standardized 78-dimensional input vector. Extensive experiments on the NSL-KDD and UNSW-NB15 benchmark datasets demonstrate detection accuracy of 94.6%, precision of 93.1%, recall of 95.4%, and an F1-score of 0.923 under binary classification, outperforming unsupervised baselines including Isolation Forest and one-class support vector machine while sustaining packet processing throughput suitable for real-time deployment on commodity hardware. These results confirm that label-free anomaly detection constitutes a credible and practical foundation for next-generation network security infrastructure.
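The abstract's adaptive statistical thresholding module, as an added illustration that is not the paper's own code: a robust (median/MAD) threshold maintained over a rolling window of reconstruction errors that the detector has accepted as normal, so that a burst of high-error flows is flagged without shifting the baseline. The window size, the factor k, and the reconstruction-error series are all constructed assumptions; the VAE itself is not modelled here, only the per-flow error it would emit.

```python
import math
import statistics
from collections import deque


class AdaptiveThreshold:
    """Threshold = median + k * sigma, with sigma estimated from the MAD of the
    recent errors the detector accepted as normal. Assumed parameters."""

    def __init__(self, window_size=200, k=4.0, min_samples=30):
        self.errors = deque(maxlen=window_size)  # only normal-scored errors
        self.k = k
        self.min_samples = min_samples

    def threshold(self):
        if len(self.errors) < self.min_samples:
            return None  # warm-up: no verdict until the baseline exists
        med = statistics.median(self.errors)
        mad = statistics.median(abs(e - med) for e in self.errors)
        sigma = 1.4826 * mad  # MAD -> sigma for Gaussian-like noise
        return med + self.k * max(sigma, 1e-9)

    def score(self, error):
        """Return True if the flow's reconstruction error is anomalous."""
        thr = self.threshold()
        if thr is None:
            self.errors.append(error)
            return False
        is_anomaly = error > thr
        if not is_anomaly:
            # Flagged flows never feed the baseline, so an attack burst
            # cannot raise the threshold and hide its own successors.
            self.errors.append(error)
        return is_anomaly


def run_detector(errors, **kw):
    det = AdaptiveThreshold(**kw)
    return [i for i, e in enumerate(errors) if det.score(e)]


def constructed_errors():
    # Constructed series: benign flows with small bounded error, then a burst
    # of five flows the VAE would reconstruct poorly, then benign again.
    benign = [0.05 + 0.01 * math.sin(i) for i in range(300)]
    burst = [0.50, 0.45, 0.60, 0.55, 0.50]
    tail = [0.05 + 0.01 * math.sin(i) for i in range(300, 340)]
    return benign + burst + tail


FLAGGED = run_detector(constructed_errors())  # -> [300, 301, 302, 303, 304]
```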

Published

2026-02-15