E-HUNF: Explainable Hybrid Unsupervised Network Forensics for robust cybercrime anomaly detection
DOI: https://doi.org/10.24425/ijet.2026.157911
Abstract
Anomaly-based network forensics is essential for detecting new types of cybercrime that lack reliable signatures or labelled training data. However, most unsupervised detectors model only one view of normality and offer no forensic interpretability. This study presents E-HUNF, an Explainable Hybrid Unsupervised Framework that detects criminal activity in network traffic. E-HUNF uses a manifold-aware, centre-regularized autoencoder to obtain compact latent representations of flows. From these it derives three different anomaly scores, based on reconstruction error, latent density, and distance from a learnt normalcy centre. These scores are combined into a hybrid anomaly score with adaptive, percentile-based thresholding to support risk-aware decisions. An explainability layer blends local linear surrogates with prototype retrieval to show how each alert's features and historical examples are related. When tested on a standard network-forensics dataset with benign, DoS, Probe/Scan, R2L/U2R, and Botnet traffic, E-HUNF achieved an accuracy of 0.987, an F1-Score of 0.978, a ROC-AUC of 0.995, and a PR-AUC of 0.993. It outperformed Deep SVDD, DAGMM, VAE-AD, and Isolation Forest. Even for small R2L/U2R attacks, the class-wise F1-Scores stay above 0.937. Ablation results show that adding density and boundary cues to reconstruction improves the F1 score by 3.3% over reconstruction-only versions. These results show that E-HUNF has the best detection performance and the most useful forensic transparency for modern cyber-defence operations.
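The sketch below is an added example, not code from the paper: it shows one way to fuse the three scores the abstract names into a hybrid score with a percentile threshold calibrated on benign flows. The abstract does not give the fusion rule, so the rank normalisation, equal weights, k-nearest-neighbour density proxy, 99th percentile and the constructed 2-D latents standing in for autoencoder output are all assumptions.

```python
import math
import random
from bisect import bisect_right

def knn_distance(z, ref, k=5):
    # Mean distance to the k nearest benign latents: large value = low density.
    return sum(sorted(math.dist(z, r) for r in ref)[:k]) / k

class HybridScorer:
    """Hypothetical fusion of reconstruction, density and centre-distance scores."""

    def __init__(self, ref, calib, percentile=99.0, weights=(1 / 3, 1 / 3, 1 / 3)):
        # ref and calib are disjoint lists of (latent_vector, reconstruction_error)
        # taken from benign traffic only.
        self.ref = [z for z, _ in ref]
        n = len(self.ref)
        self.centre = tuple(sum(c) / n for c in zip(*self.ref))  # normalcy centre
        self.weights = weights
        raw = [self.raw(z, e) for z, e in calib]
        self.sorted_cols = [sorted(col) for col in zip(*raw)]
        hybrid = sorted(self.fuse(r) for r in raw)
        rank = math.ceil(percentile / 100 * len(hybrid))  # nearest-rank percentile
        self.threshold = hybrid[rank - 1]

    def raw(self, z, recon_err):
        # The three views: reconstruction error, latent density, boundary distance.
        return (recon_err, knn_distance(z, self.ref), math.dist(z, self.centre))

    def fuse(self, raw):
        # Empirical-CDF rank of each score among benign calibration flows,
        # so the three scales are comparable, then a weighted sum.
        ranks = [bisect_right(col, v) / len(col) for col, v in zip(self.sorted_cols, raw)]
        return sum(w * r for w, r in zip(self.weights, ranks))

    def score(self, z, recon_err):
        h = self.fuse(self.raw(z, recon_err))
        return h, h > self.threshold

def constructed_benign(n, rng):
    # Constructed sample data: Gaussian latents with small reconstruction errors.
    return [((rng.gauss(0, 1), rng.gauss(0, 1)), abs(rng.gauss(0, 0.1))) for _ in range(n)]

rng = random.Random(7)
REF, CALIB = constructed_benign(200, rng), constructed_benign(200, rng)
SCORER = HybridScorer(REF, CALIB)

if __name__ == "__main__":
    for name, z, err in [("benign-like", (0.1, -0.2), 0.05), ("outlier", (6.0, 6.0), 1.0)]:
        h, alert = SCORER.score(z, err)
        print(f"{name}: hybrid={h:.3f} threshold={SCORER.threshold:.3f} alert={alert}")
```

Because the threshold is a percentile of the benign calibration scores, the expected false-alert rate on benign traffic is set directly by the chosen percentile.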
Copyright (c) 2026 International Journal of Electronics and Telecommunications

This work is licensed under a Creative Commons Attribution 4.0 International licence.