Dual-Phase Learning Approach for Zero-Day Intrusion Detection Using NSL-KDD
DOI: https://doi.org/10.47392/IRJAEH.2026.0068
Keywords: Dual-Phase Learning, Zero-Day Detection, Intrusion Detection System, NSL-KDD, Anomaly Detection, Random Forest
Abstract
The increasing sophistication of cyber-attacks has made traditional intrusion detection systems (IDS) inadequate, particularly in identifying zero-day attacks that do not follow known patterns. Signature-based and purely supervised machine learning approaches perform well on previously seen attacks but fail to generalize to novel and unseen threats. To address this limitation, this paper proposes a Dual-Phase Learning Approach for effective intrusion detection with a specific focus on zero-day attack identification using the NSL-KDD dataset. In the first phase, an unsupervised anomaly detection model is trained exclusively on normal network traffic to learn baseline behavior. Techniques such as K-Means clustering or Autoencoders are employed to detect statistical outliers based on distance metrics or reconstruction error, which are treated as potential zero-day attacks. In the second phase, a supervised classification model, such as a Random Forest classifier, is used to categorize non-anomalous traffic into known attack classes including DoS, Probe, R2L, and U2R. Experimental results demonstrate that the proposed hybrid framework achieves high accuracy in detecting known attacks while significantly improving the identification of anomalous and previously unseen traffic patterns. By combining anomaly detection and misuse detection in a structured two-phase pipeline, the proposed system enhances the robustness and reliability of intrusion detection systems in modern network environments.
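The two-phase routing described in the abstract, as an added illustration that is not the paper's code: phase 1 is fitted on normal records only and flags any record whose distance from the normal centroid in z-scored feature space exceeds a threshold, and phase 2 assigns a known class only to records that phase 1 let through. The feature columns (src_bytes, dst_bytes, count) are NSL-KDD column names, but every record below is a constructed toy value, not a dataset row; the single-centroid distance scorer stands in for the K-Means/Autoencoder phase and a nearest-centroid classifier stands in for the Random Forest, so the numbers are illustrative of the pipeline, not of the paper's results.

```python
"""Dual-phase IDS sketch on NSL-KDD-style numeric features.

Phase 1: anomaly detector fitted on NORMAL traffic only (z-score scaler +
distance from the normal centroid + threshold). Stand-in for K-Means /
Autoencoder.
Phase 2: nearest-centroid classifier over known classes, applied only to
records phase 1 did not flag. Stand-in for Random Forest.
All records below are constructed toy values, not NSL-KDD rows.
"""
import math

# Feature order used throughout (three numeric NSL-KDD column names).
FEATURES = ("src_bytes", "dst_bytes", "count")

# Constructed "normal" training records: the only data phase 1 ever sees.
NORMAL_TRAIN = [
    [200, 1000, 2], [300, 1500, 3], [250, 1200, 2],
    [350, 1800, 4], [150, 800, 1], [280, 1300, 3],
]

# Constructed labelled records for phase 2 (known classes only).
KNOWN_TRAIN = {
    "normal": NORMAL_TRAIN,
    "Probe": [[100, 500, 4], [130, 650, 5], [110, 550, 4]],
    "DoS": [[0, 0, 250], [0, 0, 300], [10, 0, 280]],
}


def euclid(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def mean_vector(rows):
    return [sum(r[i] for r in rows) / len(rows) for i in range(len(rows[0]))]


class NormalProfile:
    """Per-feature mean/std learned from normal traffic (z-score scaler)."""

    def __init__(self, rows):
        self.mean = mean_vector(rows)
        self.std = []
        for i, m in enumerate(self.mean):
            var = sum((r[i] - m) ** 2 for r in rows) / len(rows)
            # A constant feature would divide by zero; fall back to unit scale.
            self.std.append(math.sqrt(var) if var > 0 else 1.0)

    def scale(self, row):
        return [(x - m) / s for x, m, s in zip(row, self.mean, self.std)]


class AnomalyDetector:
    """Phase 1: distance from the normal centroid in z-space. The threshold is
    the largest distance seen on the normal training set times a margin."""

    def __init__(self, normal_rows, margin=1.5):
        self.profile = NormalProfile(normal_rows)
        scaled = [self.profile.scale(r) for r in normal_rows]
        self.centroid = mean_vector(scaled)
        self.threshold = margin * max(euclid(s, self.centroid) for s in scaled)

    def score(self, row):
        return euclid(self.profile.scale(row), self.centroid)

    def is_anomalous(self, row):
        return self.score(row) > self.threshold


class NearestCentroid:
    """Phase 2: assign the nearest known-class centroid, using phase 1's scaler."""

    def __init__(self, labelled, profile):
        self.profile = profile
        self.centroids = {lbl: mean_vector([profile.scale(r) for r in rows])
                          for lbl, rows in labelled.items()}

    def predict(self, row):
        z = self.profile.scale(row)
        return min(self.centroids, key=lambda lbl: euclid(z, self.centroids[lbl]))


class DualPhaseIDS:
    def __init__(self, normal_rows, labelled):
        self.phase1 = AnomalyDetector(normal_rows)
        self.phase2 = NearestCentroid(labelled, self.phase1.profile)

    def classify(self, row):
        # Anything outside the learned normal envelope is treated as a
        # potential zero-day and never reaches the known-class classifier.
        if self.phase1.is_anomalous(row):
            return "potential zero-day"
        return self.phase2.predict(row)


def demo():
    ids = DualPhaseIDS(NORMAL_TRAIN, KNOWN_TRAIN)
    samples = {                      # constructed test records
        "benign session": [260, 1250, 3],   # inside the envelope -> "normal"
        "known probe": [120, 600, 4],       # inside, nearest Probe centroid
        "unseen pattern": [5000, 20, 1],    # far outside -> zero-day bucket
        "known flood": [0, 0, 300],         # known DoS, but also far outside
    }
    return {name: ids.classify(row) for name, row in samples.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:15s} -> {verdict}")
```

The last sample is the practical caveat of this ordering: phase 1 measures deviation from normal, not novelty, so a known attack that sits far outside the normal envelope (here a flood with a very high count) lands in the zero-day bucket and the known-class classifier never sees it. The anomaly threshold (the margin above) therefore decides how much of the known-attack traffic reaches phase 2, and it should be calibrated on held-out known attacks rather than on normal data alone.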
License
Copyright (c) 2026 International Research Journal on Advanced Engineering Hub (IRJAEH)

This work is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License.