Impact of Minority Class Variability on Anomaly Detection by Means of Random Forests and Support Vector Machines

The increased connectivity of our world has resulted in a drastic rise of cyberattacks. This has created a dire need for improved security methods that can protect data. Many techniques and technologies have been developed to meet security and privacy demands. Machine learning algorithms are one of such techniques that can be used to detect cyberattacks. In a real network, the attacks represent only a small fraction of the traffic and, therefore, these events can be considered as an anomaly. This article discusses how the anomaly ratio affects results such as the accuracy, the recall, the true positive rate, or the false positive rate when machine learning algorithms are used to detect cyberattacks. Two different algorithms, Random Forests and Support Vector Machines, and two datasets, UNSW-NB15 and CICIDS-2017, are used to carry out this study. We observe that class imbalance affects each algorithm in a very different way. While SVMs fail to recognize the anomalies with acceptable accuracy, RFs seem to be more robust against class imbalance, although in cases of extreme anomaly the detection begins to deteriorate in a similar way. It is, therefore, necessary to investigate new methodologies that solve the problem of detecting attacks when their proportion is very small, and even when this proportion can change dynamically over time.