One-Class Anomaly Detection for Industrial Applications: A Comparative Survey and Experimental Study

Abstract

This article aims to evaluate the runtime effectiveness of various one-class classification (OCC) techniques for anomaly detection in an industrial scenario reproduced in a laboratory setting. To address the limitations posed by restricted access to proprietary data, the study explores OCC methods that learn solely from legitimate network traffic, without requiring labeled malicious samples. After analyzing major publicly available datasets, such as KDD Cup 1999 and TON-IoT, as well as the most widely used OCC techniques, a lightweight and modular intrusion detection system (IDS) was developed in Python. The system was tested in real time on an experimental platform based on Raspberry Pi, within a simulated client–server environment using the NFSv4 protocol over TCP/UDP. Several OCC models were compared, including One-Class SVM, Autoencoder, VAE, and Isolation Forest. The results showed strong performance in terms of detection accuracy and low latency, with the best outcomes achieved using the UNSW-NB15 dataset. The article concludes with a discussion of additional strategies to enhance the runtime analysis of these algorithms, offering insights into potential future applications and improvement directions.

1. Introduction

The rapid advancement of digital technologies and industrial paradigms has given rise to a highly interconnected, cloud-based ecosystem, where smart devices and distributed infrastructures generate vast amounts of data [1,2]. Applications like online banking, IoT, real-time communications, and cloud services are now deeply embedded in both private and industrial domains [3,4,5,6]. However, this evolution has also amplified cyber threats, such as identity theft, ransomware, data breaches, and DoS attacks that affect individuals, businesses, and institutions [7,8,9]. In response, defense companies have increasingly embraced cybersecurity [10], investing in advanced detection and response systems [11], with applications extending beyond military to sectors like energy, transportation, and industrial control systems [12,13]. Intrusion detection systems (IDSs), in particular, have benefited from the integration of machine learning techniques [14,15,16]. Among these, one-class classification (OCC) models have proven effective in scenarios with scarce or absent malicious data [17,18], detecting anomalies by learning patterns of normal behavior [19]. This article combines a comparative survey of public cybersecurity datasets and OCC techniques with a runtime evaluation conducted on a custom-built network testbed that simulates real-world conditions. The analysis highlights the strengths and weaknesses of each method and outlines potential directions for future research and practical deployment. Designed as a hybrid contribution, this work integrates a broad methodological review with a focused experimental evaluation of OCC models best suited for latency-sensitive and integrable IDS scenarios.

2. Related Works

The implementation of AI into cybersecurity has become increasingly critical, particularly in military contexts, where infrastructures face advanced and persistent threats [20,21]. Techniques such as ML, DL, statistical learning, and NLP have demonstrated strong capabilities in malware detection, phishing analysis, and automated threat classification [22,23,24]. However, their complexity often limits the use of real-time applications [25,26]. AI-based IDSs are essential for ensuring confidentiality, integrity, and availability in sensitive networks [27,28]. Leveraging clustering, entropy analysis, and edge cloud simulation, these systems effectively detect threats such as DDoS and code injection [29]. However, public datasets (e.g., KDD99, UNSW-NB15, TON-IoT) often lack realism, limiting generalization to complex enterprise or defense settings [30,31,32,33]. OCC models offer a viable alternative, as they require only normal traffic for training and adapt well to evolving threats without prior attack knowledge [34,35]. However, privacy restrictions in sectors such as defense hinder data sharing, requiring anonymization and encryption, often at the cost of data richness [36,37,38]. Consequently, robust preprocessing is essential to preserve model performance [39,40]. This work evaluates the suitability of widely used public datasets for training ML-based IDSs under realistic conditions, proposing a privacy-preserving framework for custom deployment without external data exposure. While existing surveys focus on OCC taxonomies and benchmarks [41,42], they often overlook runtime behavior. This study bridges that gap through a dual-layered approach, combining a critical survey with empirical evaluation on a modular, edge-based testbed, providing actionable insights for IDS deployment in constrained environments.

3. Methodology

This study addresses the gap in the literature regarding the runtime evaluation of ML-based intrusion detection techniques. The methodology is structured as follows:

• Dataset Analysis, Selection Justification, and Bias Assessment:
  A comparative analysis of widely adopted public datasets was conducted to identify those most suitable for intrusion detection research. The selection focused on well-established and frequently cited datasets to ensure relevance and reproducibility, while newer or poorly validated datasets were excluded. In addition, a dataset selection justification was performed to align each dataset’s characteristics with the objectives of the study. A dedicated bias analysis was also carried out to identify structural imbalances, outdated attack representations, and distributional anomalies, which could influence model performance and generalizability.
• One-Class Anomaly Detection Techniques - Taxonomy and Selection:
  An initial taxonomy of one-class classification (OCC) techniques was developed to categorize the most widely used anomaly detection models based on their methodological foundations. This analysis enabled a structured comparison of OCC approaches and informed the subsequent selection of models for evaluation. Only algorithms that have been extensively validated in offline settings using the previously selected benchmark datasets were considered for real-time experimentation.
• Data Preprocessing:
  Data cleaning involved removing missing, redundant, or non-informative features. Principal component analysis (PCA) was applied to reduce dimensionality while preserving at least 95% of the total variance. Correlation matrices and variance plots supported feature selection.
• Experimental Setup:
  A custom testbed simulating an NFSv4-based industrial network was developed. NFSv4 was selected due to its relevance in SCADA, PLC, and IoT-based systems, allowing centralized, non-redundant data access for monitoring and analysis.
• Runtime Evaluation:
  Models were tested in real time using key metrics such as accuracy, detection latency, precision, recall, F1-score, and runtime stability. Multiple dataset–algorithm combinations were benchmarked to identify the most robust and efficient configurations.
• Conclusions and Future Work:
  The study highlights the feasibility of deploying OCC-based IDS models in real-world conditions, going beyond traditional offline assessments. Proposed improvements include expanding the testbed complexity, integrating more recent datasets, and exploring next-generation ML approaches for enhanced evaluation under dynamic and constrained environments.

4. Dataset

Designing an effective dataset for training IDS models is a fundamental step in developing modern security systems [43]. The dataset must not only be representative but also flexible enough to adapt to various network environments [44]. A key challenge in training OCC algorithms is ensuring that the dataset reflects traffic dynamics consistent with real-world enterprise networks [45]. Without this alignment, the model’s effectiveness may be compromised. Over time, several increasingly realistic datasets have been introduced, some becoming standard benchmarks in cybersecurity research [46]. The following section provides an overview of the most widely adopted public IDS datasets (as shown in

Table 1. Overview of the most widely used cybersecurity datasets for enterprise network intrusion detection.

Dataset	Year	Organization	Repository URL
KDD CUP 99	1999	UCI/DARPA	https://kdd.ics.uci.edu/databases/kddcup99/kddcup99.html
			(on-line accessed in 30 June 2025)
NSL-KDD	2009	University of New Brunswick (UNB)	https://www.unb.ca/cic/datasets/nsl.html
			(on-line accessed in 30 June 2025)
UNSW-NB15	2015	Australian Centre for Cyber Security	https://research.unsw.edu.au/projects/unsw-nb15-dataset
			(on-line accessed in 30 June 2025)
CSE-CIC-IDS 2017	2018	CIC + Communications Security Establishment	https://www.unb.ca/cic/datasets/ids-2017.html
			(on-line accessed in 30 June 2025)
Bot-IoT	2018	UNSW/Cyber Range Lab	https://research.unsw.edu.au/projects/bot-iot-dataset
			(on-line accessed in 30 June 2025)
TON_IoT	2020	UNSW + CSCRC	https://research.unsw.edu.au/projects/toniot-datasets
			(on-line accessed in 30 June 2025)

), highlighting their structure and primary use cases.

4.1. KDD Cup 1999

The KDD Cup 1999 dataset [47] is one of the most widely adopted benchmarks for evaluating IDS and remains a historical reference in the field [48]. Derived from the DARPA 1998 Intrusion Detection Evaluation Program, it was built from raw TCP packet traces collected over nine weeks from a simulated military LAN environment. These traces were processed to generate over 4.8 million connection records, structured into 42 features describing traffic behavior such as duration, protocol type, TCP flags, and byte counts. The dataset classifies network activity into five major categories: Normal, DoS, R2L, U2R, and Probe, as illustrated in Figure 1 and

Table 2. Characteristics of the KDD-Cup99 dataset.

Number of Features	41
Types of Features	Basic features: duration, protocol, service, flags, etc. Content features: number of failed login attempts, number of files created, etc. Traffic features: number of connections in the last 2 s, percentage of connections with errors, etc.
Types of Attacks	DoS: smurf, neptune, back, teardrop, pod Probe: ipsweep, nmap, portsweep, satan R2L: guess_passwd, ftp_write, imap, multihop, phf, spy, warezclient, warezmaster U2R: buffer_overflow, loadmodule, perl, rootkit
Additional Notes	Dataset generated in a simulated environment High data redundancy, which may affect model performance Widely used as a standard benchmark for IDS evaluation

.

Each category includes multiple attack types (e.g., SYN flood, buffer overflow, port scanning), representing various strategies and severities. However, the dataset has well-documented limitations: it contains a high percentage of duplicate records (78% in training, 89.5% in test) and exhibits significant class imbalance, as normal traffic dominates the training set while DoS attacks are overrepresented in testing. Furthermore, due to its age and synthetic origin, many of its attack patterns are outdated and lack key modern features such as IP addresses and temporal attributes [49]. Despite these issues, KDD Cup 1999 is still extensively used as a baseline benchmark for evaluating new IDS models, especially in early-stage research, although its results should be interpreted with caution when generalizing to real-world scenarios [50].

4.2. NSL-KDD

To address the well-known limitations of the KDD Cup 1999 dataset, particularly those related to data redundancy and class imbalance, the NSL-KDD dataset was developed [48]. This new dataset was created by carefully selecting a subset of records from the original KDD dataset, with the aim of preserving its usefulness while correcting its major shortcomings. NSL-KDD is the result of a refinement process that involved removing duplicate instances and overly frequent records, thereby improving the overall quality of the data available for training machine learning models [51,52]. Moreover, the reduced yet representative number of instances makes it less computationally demanding and more suitable for a realistic evaluation of algorithm performance. Despite these improvements, NSL-KDD still inherits some structural limitations [53]. The data it relies on still originates from the simulated traffic of the DARPA 1998 network, which introduces the risk of biases due to the lack of representation of dynamics typical of modern networks. One notable consequence of this limitation is the poor representation of low-footprint attacks, which are increasingly common and relevant in real-world scenarios today [54]. From a statistical perspective, NSL-KDD shows significant progress in class distribution, and this distribution in training and test data is shown in Figure 2. See

Table 3. Characteristics of the NSL-KDD dataset.

Number of Features	41
Types of Features	Basic features: duration, protocol, service, flags, etc. Content features: number of failed login attempts, number of files created, etc. Traffic features: number of connections in the last 2 s, percentage of connections with errors, etc.
Types of Attacks	DoS: smurf, neptune, back, teardrop, pod Probe: ipsweep, nmap, portsweep, satan R2L: guess_passwd, ftp_write, imap, multihop, phf, spy, warezclient, warezmaster U2R: buffer_overflow, loadmodule, perl, rootkit
Additional Notes	Removal of duplicated instances from KDD Cup 1999 Improved class balance More suitable for machine learning model evaluation

for a description of the main characteristics of the dataset itself.

Normal traffic accounts for approximately 51.88% of the data, while anomalous traffic makes up the remaining 48.12%, resulting in a nearly perfectly balanced dataset. This balance is also reflected in the entropy between normal and anomalous classes, which reaches a value of 0.999 very close to the ideal for effective classification [55]. In contrast, the entropy difference between normal and anomalous traffic in the KDD-99 dataset was 0.719, while the entropy across the various attack categories was only 0.214 [56]. This indicates greater variability among attack types than between benign and malicious traffic, suggesting that the original dataset was not only imbalanced but also potentially misleading for training generalizable models. The introduction of NSL-KDD therefore marked an important step toward a more realistic, balanced, and consistent data foundation, even though it remains inevitably tied to an outdated generation of network data [57].

4.3. CICIDS 2017

The CICIDS 2017 dataset [58], developed by the Canadian Institute for Cybersecurity (CIC), represents a major step forward in the development of realistic benchmarks for evaluating IDS [59,60]. Designed to address the limitations of earlier datasets like KDD Cup 1999 and NSL-KDD, CICIDS 2017 provides a more accurate representation of contemporary enterprise network environments by including up-to-date attack types and realistic traffic patterns. Composed of approximately 2.8 million records, each representing a unique network flow, the dataset includes 80 features describing aspects such as IP addresses, ports, protocols, duration, packet and byte counts, and flow-based statistics [61]. This rich feature set enables the modeling of high-dimensional traffic behavior, essential for training advanced machine learning models [62]. CICIDS 2017 includes a wide range of attack scenarios, such as DoS and DDoS, brute force attempts (e.g., SSH/HTTP), port scans, web attacks like SQL injection and XSS, as well as botnet activity and infiltration with data exfiltration. The distribution of these categories across the dataset is shown in Figure 3.

Despite its value, the dataset was generated in a controlled testbed, and as such, it may not fully reflect the complexity and unpredictability of real-world networks. Some traffic distributions may also introduce biases, affecting model generalization. To improve robustness, it is recommended to use CICIDS 2017 alongside additional real-world data and apply cross-validation or data augmentation techniques [63]. Nevertheless, CICIDS 2017 remains one of the most comprehensive and accessible datasets for evaluating both traditional and deep-learning-based IDS approaches, making it a cornerstone for research and benchmarking in network security [64]. See

Table 4. Characteristics of the CICIDS 2017 dataset.

Number of Features	80
Types of Features	Network traffic features: source and destination IPs, ports, protocols, flow duration, total packets, bytes transmitted. Statistical features: mean, variance, skewness of incoming and outgoing packets and bytes. Content features: state flags, count of previous connections, flow-behavior-related attributes.
Types of Attacks	DoS/DDoS: DoS Hulk, DoS GoldenEye, DoS Slowloris, DoS Slow HTTP Test Brute Force: SSH-Patator, FTP-Patator Scanning: port scan Web Attacks: web attack—brute force, web attack—XSS, web attack—SQL injection Others: botnet, infiltration, Heartbleed
Additional Notes	Dataset generated in a controlled environment by CIC Wide coverage of realistic and recent attack scenarios Commonly used as a modern benchmark for evaluating IDS and ML models Potential imbalance in less-represented attack classes

for the description of the main characteristics of the dataset itself.

4.4. UNSW-NB15

The UNSW-NB15 dataset, introduced in 2015, was developed to overcome the limitations of legacy benchmarks such as KDD Cup 1999 and NSL-KDD, which no longer reflect modern network environments or low-footprint threats [65,66,67]. Created at the Cyber Range Lab (University of New South Wales) using the IXIA PerfectStorm traffic generator linked to the CVE vulnerability database, it simulates both realistic benign and malicious network activity [68,69]. The testbed included virtual servers, routers, and clients within a diversified infrastructure. Traffic was collected during two sessions, producing over 100 GB of PCAP data, later converted into CSV format using tools such as tcpdump, Argus, Bro-IDS (Zeek), and custom C# scripts [70]. The final dataset consists of 2,540,044 records and 49 features, categorized as Basic, Flow, Content, Time, Additional, and Labelled features [71] as shown in Figure 4 and

Table 5. UNSW-NB15 dataset overview.

Number of Features	49
Types of Features	Flow: duration, packets, bytes, etc. Basic: protocol, service, flags, etc. Content: payload size, login attempts, etc. Time: timestamps, intervals, etc. Additional: derived statistics and labels
Types of Attacks	Fuzzers, Analysis, Backdoors, DoS, Exploits, Generic, Reconnaissance, Shellcode, Worms
Additional Notes	Generated using IXIA PerfectStorm Reflects realistic attack scenarios Rich in features for granular evaluation

.

Attacks are grouped into nine categories: Fuzzers, Analysis, Backdoors, DoS, Exploits, Generic, Reconnaissance, Shellcode, and Worms. Each record includes ground-truth labels with metadata such as timestamp, protocol, IP, and attack type [72]. With an entropy of 0.548 (normal vs. anomalous) and 0.514 among attack classes [73], the dataset ensures reasonable balance. Despite minor issues like the broad “Generic” label, UNSW-NB15 is widely regarded as a comprehensive and modern benchmark for both signature-based and anomaly-based IDS research [74]. Distributed across four CSV files and accompanied by ground-truth and event files [75], UNSW-NB15 improves significantly upon KDD99 in terms of attack diversity, feature richness, and network realism [76,77].

4.5. Bot-IoT

The Bot-IoT dataset [78,79], released in 2019 by UNSW Canberra, was specifically designed to emulate realistic IoT environments and modern botnet-based threats [80,81]. It was generated within a virtualized testbed simulating both benign IoT activity and malicious botnet traffic [82,83]. The dataset is distributed across multiple partitions, including the Raw Set (PCAP), Full Set (CSV), 5% Subset, and 10 Best Subset [84]. The Raw Set, totaling around 70 GB, contains binary traffic captures requiring preprocessing through tools like Wireshark, Zeek, or Argus [85]. For dataset construction, PCAP files were processed using Argus and stored in a MySQL database [86,87], from which the Full Set was exported, generating approximately 72 million records. Each instance includes 26 independent and 3 dependent features, though extended engineered features were not included in the original release [88,89].

Bot-IoT qualifies as a big data resource, featuring high volume, variety, and complexity, making it well suited for evaluating IDS in large-scale IoT contexts [90,91]. However, it suffers from extreme class imbalance, as illustrated in Figure 5 and

Table 6. Bot-IoT Dataset Overview.

Number of Features	46
Types of Features	Flow: duration, packets, bytes, in/out flows Time: timestamps, inter-arrival times Additional: TCP flags, transport protocol, port, binary/numeric labels
Types of Attacks	DoS, DDoS, reconnaissance, information theft, data exfiltration
Additional Notes	Strong imbalance toward malicious traffic Generated using IoT devices (e.g., camera, fitness tracker, smart TV) Available in CSV and PCAP with detailed labeling Suitable for large-scale IoT threat evaluations

. In binary classification, attack samples dominate; in multiclass tasks, DoS and DDoS traffic overwhelms less frequent categories, impairing model generalization and learning on minority classes.

4.6. TON-IoT

The TON-IoT dataset [92,93] is a modern large-scale benchmark designed for cybersecurity research involving ML and AI [94,95,96]. Developed within a three tier edge–fog–cloud architecture [97], it replicates the distributed nature of real-world IoT/IIoT infrastructures [98,99]. The dataset integrates telemetry from IoT sensors, system logs from Windows/Linux environments, and network traffic captured via Zeek [100,101]. From the network traces, 43 features were extracted, along with binary and multiclass labels [102]. A total of nine attack types are represented: backdoor, DoS, DDoS, injection, MITM, password cracking, ransomware, scanning, and XSS [103], as shown in Figure 6 and

Table 7. TON_IoT dataset overview.

Number of Features	Variable by data source: IoT Telemetry: ∼10 features Windows/Linux Logs: ∼20+ features Network Traffic: 49 features
Types of Features	Telemetry (e.g., temperature, humidity, battery level) System logs (e.g., processes, login attempts, events) Network traffic (e.g., packets, bytes, protocol, TCP flags)
Types of Attacks	DoS, DDoS, ransomware, backdoor, injection, MITM, XSS, password cracking, scanning
Additional Notes	Multimodal dataset (IoT, host, and network data) Includes timestamps and detailed labeling Suitable for detection, prediction, and response model evaluation

.

Each attack scenario was crafted to emulate real industrial threats. Notably, the dataset exhibits class imbalance, with benign traffic outweighing malicious samples [104], reflecting operational network environments [105]. This characteristic enhances its relevance for anomaly detection, where rare but impactful events must be identified in large volumes of normal traffic. Due to its multimodal nature, realism, and diversity of features, TON-IoT supports a wide range of research applications, including intrusion detection, behavioral modeling, threat prediction, malware analysis, and adversarial ML [98,106]. It stands as a representative benchmark for evaluating modern cybersecurity solutions in connected infrastructures.

4.7. Dataset Selection Justification

Although several public IDS datasets exist, we intentionally selected a subset of four representative datasets (NSL-KDD, UNSW-NB15, CICIDS2017, TON_IoT) based on coverage, diversity, and relevance to the targeted runtime IDS scenario. This choice is motivated by the following considerations:

• Attack class overlap: The selected datasets already include a comprehensive variety of attacks, such as DoS/DDoS, brute force, infiltration, reconnaissance, shellcode, and data exfiltration, which are also present in BoT-IoT and CSE-CIC-IDS2018. Therefore, including those additional datasets would not introduce substantially novel threat scenarios.
• Source domain coverage: We ensured coverage across different environments: legacy datasets (NSL-KDD), enterprise-grade simulations (CICIDS2017), IoT-specific topologies (TON_IoT), and low-footprint attacks (UNSW-NB15). This combination already spans the intended industrial use cases.
• Avoiding redundancy and dataset inflation: The number of publicly available IDS datasets has grown significantly (e.g., on platforms like Kaggle, OpenML, and CICLab). Including all would dilute experimental focus and increase computational cost without a corresponding gain in insight.
• Quality and structure constraints: Some datasets, such as BoT-IoT, suffer from extreme class imbalance and redundancy, while CSE-CIC-IDS2018 is structurally similar to CICIDS2017 but with partial overlaps in feature sets and attack definitions. These factors would have introduced additional preprocessing complexity without offering unique evaluation benefits.

Therefore, we focused on a carefully chosen selection of four datasets that collectively reflect the diversity and relevance of modern network traffic patterns, both in traditional and IoT-enabled environments, without sacrificing clarity or reproducibility.

As shown in

Table 8. Coverage of major attack types across considered and excluded datasets.

Attack Type	NSL-KDD	UNSW-NB15	CICIDS2017	TON_IoT	BoT-IoT	CSE-CIC-IDS2018
DoS/DDoS	✓	✓	✓	✓	✓	✓
Brute Force/Auth	✓	✓	✓	✓		✓
Port Scanning	✓	✓	✓	✓	✓	✓
Infiltration		✓	✓	✓	✓	✓
Botnet/Backdoor		✓		✓	✓	✓
Shellcode/Payload	✓	✓				✓
Data Exfiltration			✓	✓		✓
Reconnaissance	✓	✓		✓	✓	✓
Web Attacks (XSS, SQLi)			✓			✓

, all relevant attack classes present in BoT-IoT and CSE-CIC-IDS2018 are already well represented within the four datasets analyzed in this work. This justifies the decision to exclude redundant datasets without compromising coverage or diversity.

4.8. Dataset Bias Analysis

While previous sections discussed dataset limitations qualitatively, we now provide a quantitative assessment of class imbalance and entropy characteristics for the four datasets used in our experiments: NSL-KDD, UNSW-NB15, CICIDS2017, and TON_IoT. These metrics help evaluate the degree of dataset bias and its potential impact on model performance:

1.

Imbalance Ratio (IR)

It is defined as the ratio between the number of instances in the majority class and that of the minority class:

$$IR={\displaystyle \frac{max\left(\mathrm{class}\mathrm{counts}\right)}{min\left(\mathrm{class}\mathrm{counts}\right)}}$$

(1)

In binary classification (normal vs. anomalous), an $IR$ close to 1 indicates balance, while high values reflect skewness and difficulty for models to generalize.

2.

Class Entropy

Entropy H is a measure of uncertainty or diversity in class labels:

$$H=-\sum _{i=1}^C{p}_i·{log}_2\left(p_i\right)$$

(2)

where $p_i$ is the proportion of class i and C is the number of classes. Higher entropy indicates more uniform class distributions; lower entropy suggests dominance of one class.

3.

Skewness of Entropy

We also compute the normalized entropy skewness ${\delta }_H$ with respect to the maximum entropy $H_{max}={log}_2\left(C\right)$:

$${\delta }_H=1-{\displaystyle \frac{H}{H_{max}}}$$

(3)

Values closer to 1 indicate severe imbalance; values close to 0 indicate uniformity.

The evaluation metrics briefly described above were computed for each of the proposed datasets, with the corresponding results summarized in

Table 9. Quantitative assessment of dataset bias: imbalance ratio and entropy metrics.

Dataset	Normal (%)	Imbalance Ratio (IR)	Entropy (Bits)	Skewness ${\mathit{\delta }}_{\mathit{H}}$
NSL-KDD	51.9	1.08	0.999	0.001
UNSW-NB15	87.4	6.91	0.548	0.208
CICIDS2017	84.6	5.49	0.610	0.144
TON_IoT	96.3	26.0	0.253	0.633

below.

An examination of the results presented in Table 9 reveals that:

• NSL-KDD exhibits near-perfect class balance, both in IR and in entropy. This makes it ideal for training, but it may not reflect real-world distributions.
• UNSW-NB15 and CICIDS2017 show moderate imbalance (IR between 5 and 7), with relatively high entropy, indicating various types of attacks.
• TON_IoT, while modern and representative, shows severe class skewness, with IR ≈ 26 and low entropy. This may lead to underfitting of rare attack behaviors and high false negatives.

These results quantitatively validate the performance differences reported in Section 7.2, where models trained on UNSW-NB15 consistently outperformed others. They also support the claim that the selection of the dataset critically affects the behavior and generalization of the OCC model.

5. ML Methods One-Class Anomaly Detection

This section analyzes some of the most established and commonly used ML techniques for anomaly detection based on the OCC approach, with particular emphasis on their applicability in runtime environments. The analysis focuses on four algorithms considered particularly effective and versatile for a runtime application: AE [107], VAE [108,109], OCSVM [110], and iF [111]. The fundamental characteristics of each method, as well as their functioning within the context of one-class anomaly detection, will be briefly described below.

5.1. Taxonomy of One-Class Anomaly Detection Techniques

In this section, we present a taxonomy of one-class classification (OCC) methods used in anomaly detection, based on three orthogonal criteria: detection principle, model complexity, and runtime applicability. This classification helps contextualize the methods discussed in this work and highlights their respective trade-offs in terms of detection strategy, scalability, and deployment constraints.

1.

Detection Principle (Core Mechanism):

• Reconstruction-based: Models such as Autoencoder (AE) and Variational Autoencoder (VAE) aim to learn and reproduce normal input data, identifying anomalies via high reconstruction error.
• Boundary-based: One-Class SVM (OCSVM) and Deep SVDD create a compact boundary around normal data, flagging any deviation.
• Isolation-based: Isolation Forest separates anomalies by exploiting the fact that they are easier to isolate through random partitioning.
• Density/Distance-based: LOF and kNN-based approaches evaluate local data density or proximity to detect outliers.

2.

Learning Paradigm:

• Shallow learning: Classical models (e.g., OCSVM, LOF, kNN, iForest) offer simplicity and interpretability, suitable for small or structured data.
• Deep learning: AE, VAE, and Deep SVDD are more expressive and powerful, particularly for complex or high-dimensional data.

3.

Runtime Deployment Suitability:

• Edge-ready: AE, iForest, and OCSVM have acceptable latency and memory requirements for resource-constrained environments.
• Resource-intensive: VAE, Deep SVDD, and LOF may require significant CPU/GPU and are better suited for cloud or offline processing.

This taxonomy supports the comparative analysis of OCC models presented in Section 5.6 and provides additional clarity for readers evaluating deployment strategies across different operational environments. See

Table 10. Taxonomy of OCC techniques according to detection type, learning model, and runtime suitability.

Method	Detection Type	Learning Model	Runtime Suitability
Autoencoder (AE)	Reconstruction	Deep	Good
Variational Autoencoder (VAE)	Reconstruction (probabilistic)	Deep	Moderate
One-Class SVM (OCSVM)	Boundary-based	Shallow	Good
Isolation Forest (iForest)	Isolation-based	Shallow (ensemble)	Excellent
Local Outlier Factor (LOF)	Density-based	Shallow	Poor
Deep SVDD	Boundary-based	Deep	Poor
kNN OCC	Distance-based	Shallow	Moderate

for a summary on OCC Taxonomy.

5.2. Autoencoder One-Class for Anomaly Detection

The AE is a specialized neural network architecture widely used for tasks such as dimensionality reduction, feature extraction, and data compression [112]. Its ability to learn compact representations of input data makes it particularly useful for cybersecurity applications, especially for identifying anomalous behavior in networks [113]. An autoencoder consists of two main components: an encoder, which compresses the input data into a lower-dimensional latent space, and a decoder, which reconstructs the input from this compressed representation. During the encoding phase, the input vector $\mathbf{x}=\{x_1,x_2,\dots ,x_n\}$ is transformed into a latent representation $\mathbf{h}=\{h_1,h_2,\dots ,h_m\}$, where $m<n$. This transformation is defined as:

$$\mathbf{h}=f\left(\mathbf{x}\right)=\varphi (\mathbf{W}\mathbf{x}+\mathbf{b}),$$

(4)

where $\mathbf{W}$ is the weight matrix, $\mathbf{b}$ is the bias vector, and $\varphi$ is the activation function (e.g., ReLU or Sigmoid) applied element-wise. In the decoding phase, the latent representation $\mathbf{h}$ is mapped back into the original input space to produce a reconstruction $\widehat{\mathbf{x}}=\{{\widehat{x}}_1,{\widehat{x}}_2,\dots ,{\widehat{x}}_n\}$. This is performed via:

$$\widehat{\mathbf{x}}=g\left(\mathbf{h}\right)=\psi ({\mathbf{W}}^{\prime }\mathbf{h}+{\mathbf{b}}^{\prime }),$$

(5)

where ${\mathbf{W}}^{\prime }$ and ${\mathbf{b}}^{\prime }$ are the decoder’s weights and biases, and $\psi$ is the decoder’s activation function. The goal of training the autoencoder is to minimize the difference between the original input $\mathbf{x}$ and its reconstruction $\widehat{\mathbf{x}}$ [114]. The optimization is carried out using gradient descent methods, typically minimizing a loss function such as the binary cross-entropy (BCE), which is especially effective when the input data are binary or normalized in the [0, 1] range [115]:

$${\mathcal{L}}_{\mathrm{BCE}}={\displaystyle \frac{1}{M}}\sum _{i=1}^M\sum _{j=1}^n\left[x_{j,i}log\left({\widehat{x}}_{j,i}\right)+(1-x_{j,i})log(1-{\widehat{x}}_{j,i})\right],$$

(6)

where M is the number of training samples and $x_{j,i}$ is the j-th feature of the i-th instance.

In cybersecurity, one-class autoencoders are trained exclusively on normal traffic, learning to reconstruct only legitimate network behavior [116]. During inference, any significant deviation between the input and its reconstruction indicates an anomaly or potential cyber threat [117]. In this setup, the AE operates as a one-class anomaly detection model, effectively identifying previously unseen attack patterns without requiring labeled malicious examples during training [118]. A summary diagram showing how we have implemented this technique in our work is included in Figure 7 below.

5.3. Variational Autoencoder (VAE) for One-Class Anomaly Detection

The VAE is a generative model particularly well suited for learning the underlying distribution of input data [115]. It is widely employed in applications involving density estimation and probabilistic representation, making it especially relevant in the field of cybersecurity for one-class anomaly detection [109,119,120]. The architecture consists of two primary components: an encoder and a decoder. The encoder, denoted as $q_{\varphi }\left(z\right|x)$, maps the input data x into a latent variable z described by a Gaussian distribution parameterized by a mean ${\mu }_{\varphi }\left(x\right)$ and a standard deviation ${\sigma }_{\varphi }\left(x\right)$. To allow backpropagation through stochastic sampling, the reparameterization trick is applied as follows:

$$z={\mu }_{\varphi }\left(x\right)+{\sigma }_{\varphi }\left(x\right)\odot ϵ,ϵ\sim \mathcal{N}(0,I)$$

(7)

The decoder, expressed as $p_{\theta }\left(\widehat{x}\right|z)$, reconstructs the input data $\widehat{x}$ from the latent vector z. The training objective is to minimize the difference between the original input x and the reconstruction $\widehat{x}$, while also regularizing the latent space through variational inference. This is achieved by minimizing the Kullback –Leibler (KL) divergence between the approximate posterior $q_{\varphi }\left(z\right|x)$ and a predefined prior, typically a standard normal distribution $p\left(z\right)=\mathcal{N}(0,I)$ [121,122]. The total VAE loss function is composed of two terms:

$${\mathcal{L}}_{\mathrm{VAE}}(x,\widehat{x})={\mathbb{E}}_{q_{\varphi }\left(z\right|x)}[-log{p}_{\theta }\left(x\right|z)]+\mathrm{KL}(q_{\varphi }\left(z\right|x)\parallel p\left(z\right))$$

(8)

The first term is the negative log-likelihood, quantifying the reconstruction error [123], and the second term enforces a regularized and meaningful latent space [124]. In the context of one-class anomaly detection, the VAE is trained exclusively on normal data, learning a compressed probabilistic representation of typical behavior [125]. During inference, inputs that produce low reconstruction accuracy or deviate from the learned latent distribution are flagged as potential anomalies or threats [126]. Unlike traditional autoencoders, the VAE introduces regularization that avoids overfitting and enables better generalization [119,123]. Moreover, the structured latent space enhances both interpretability and generative capabilities [127]. These characteristics make VAE a powerful tool for detecting unknown or unseen cyber threats in real-world network environments, especially where labeled attack data are scarce or unavailable [128]. A summary diagram showing how we have implemented this technique in our work is included in Figure 8 below.

5.4. Isolation Forest for One-Class Anomaly Detection

iForest is an ensemble-based anomaly detection algorithm specifically designed to identify rare or anomalous patterns in large datasets [129,130]. Unlike traditional density-based or distance-based methods, which attempt to model normal behavior, Isolation Forest follows a fundamentally different approach by directly targeting how easily an observation can be isolated from the rest of the data [131]. The key intuition behind Isolation Forest is that anomalies are data points that are few and different. Hence, they are more susceptible to isolation by random partitioning [132]. In contrast, normal instances reside in dense regions and require more partitions to be isolated. An Isolation Forest model is constructed by building an ensemble of binary decision trees, known as isolation trees [133]. Each tree is built by randomly selecting a feature and a split value between the minimum and maximum value of that feature [134]. This process is repeated recursively, producing randomly partitioned subspaces. The number of splits required to isolate a point corresponds to the path length from the root node to the terminating node [135]. Anomalies, which are easier to isolate, tend to have shorter average path lengths across the ensemble [136]. The anomaly score for a given observation x is defined as:

$$s(x,n)=2^{-{\displaystyle \frac{E\left(h\right(x\left)\right)}{c\left(n\right)}}}$$

(9)

where:

• $E\left(h\right(x\left)\right)$ is the average path length of point x across all trees;
• $c\left(n\right)$ is the average path length of unsuccessful searches in a binary search tree, used to normalize the score, and is approximated as:

$$c\left(n\right)=2H(n-1)-{\displaystyle \frac{2(n-1)}{n}}$$

(10)

with $H\left(i\right)$ being the i-th harmonic number, approximated by $ln\left(i\right)+\gamma$ (Euler–Mascheroni constant $\gamma \approx 0.5772$) [137]. An anomaly score $s(x,n)$ close to 1 indicates a high likelihood of x being anomalous, while values near 0 suggest normality. In one-class anomaly detection, the Isolation Forest is trained exclusively on normal data. During inference, instances that yield high anomaly scores are flagged as outliers, as they diverge from the patterns learned from the normal class. Isolation Forest has several advantages in cybersecurity contexts: it is computationally efficient, scales well with high-dimensional data, does not require distance metrics, and is robust against irrelevant features [138]. These characteristics make it particularly suitable for real-time intrusion detection systems, especially when labeled attack data are scarce or unavailable [139]. A summary diagram showing how we have implemented this technique in our work is included in Figure 9 below.

5.5. One-Class Support Vector Machine (OCSVM) for Anomaly Detection

The One-Class Support Vector Machine (OCSVM) is a variation of the traditional Support Vector Machine (SVM) designed specifically for one-class classification problems, which are typical in anomaly detection scenarios [140,141,142]. The key idea behind OCSVM is to identify a hyperplane in the feature space that is maximally distant from the origin, under the assumption that only samples from the normal class are available during training [143,144]. The separating hyperplane is defined by a weight vector $\mathbf{w}$ and a bias term b, and is described by the following equation:

$${\mathbf{w}}^{\top }\mathbf{x}+b=0$$

(11)

Unlike classical SVM, which aims to maximize the margin between two classes, the goal in OCSVM is to find the decision boundary that best encompasses the majority of data points while remaining far from the origin [145]. Any data point that falls outside this learned boundary can be considered a potential anomaly. To handle nonlinear relationships in the data, OCSVM employs a kernel function to implicitly map the input data to a higher-dimensional feature space where linear separation is possible [146,147]. Let $\varphi (·)$ denote the nonlinear mapping function, and let the training dataset be represented by $\mathbf{X}=[{\mathbf{x}}_1,{\mathbf{x}}_2,\dots ,{\mathbf{x}}_N]\in {\mathbb{R}}^D$, where N is the number of samples and D is the dimensionality of the input space. The optimization problem for the OCSVM is formulated as:

$$\underset{\mathbf{w},b,\xi }{min}{\displaystyle \frac{1}{2}}{\parallel \mathbf{w}\parallel }^2+C\sum _{i=1}^N{\xi }_i-b$$

(12)

subject to the constraints:

$${\mathbf{w}}^{\top }\varphi \left({\mathbf{x}}_i\right)\ge b-{\xi }_i,{\xi }_i\ge 0,\forall i=1,\dots ,N$$

(13)

Here, the slack variables ${\xi }_i$ allow for a small fraction of training samples to violate the boundary (i.e., to be considered outliers). The hyperparameter $C>0$ controls the trade-off between the model complexity and the number of allowed violations. A large value of C imposes strict penalties on misclassifications, while a smaller value provides more flexibility [148,149]. The OCSVM is particularly well suited for cybersecurity applications, where it is common to have access only to normal (benign) traffic during training [150]. By learning the characteristics of legitimate behavior, the model is able to identify deviations or anomalies at inference time without requiring labeled attack data [151]. This makes it a powerful tool for detecting novel threats or zero-day attacks in real-world environments [152]. A summary diagram showing how we have implemented this technique in our work is included in Figure 10 below.

5.6. Other One-Class Anomaly Detection Techniques: LOF, Deep SVDD, and kNN

In addition to the four core OCC techniques implemented and tested in our runtime setup, several other models are commonly adopted in anomaly detection research. This section provides a concise overview of three significant alternatives, Local Outlier Factor (LOF)-, Deep Support Vector Data Description (Deep SVDD)-, and k-Nearest Neighbor (kNN)-based OCC methods that were excluded from the experimental validation due to runtime constraints, but are highly relevant in comparative surveys.

1.

Local Outlier Factor (LOF)

LOF is a density-based anomaly detection method that estimates the degree of isolation of a data point by comparing its local density with that of its neighbors. The local reachability density of a point $x_i$ is computed based on its k-nearest neighbors, and the LOF score is defined as:

$${\mathrm{LOF}}_k\left(x_i\right)={\displaystyle \frac{1}{|N_k\left(x_i\right)|}}\sum _{x_j\in N_k\left(x_i\right)}{\displaystyle \frac{{\mathrm{lrd}}_k\left(x_j\right)}{{\mathrm{lrd}}_k\left(x_i\right)}}$$

(14)

where ${\mathrm{lrd}}_k\left(x\right)$ denotes the local reachability density, and $N_k\left(x_i\right)$ is the set of the k-nearest neighbors of $x_i$. An LOF score significantly greater than 1 indicates a potential outlier. Although efficient and unsupervised, LOF is sensitive to the choice of k and may degrade in high-dimensional feature spaces.

2.

Deep Support Vector Data Description (Deep SVDD)

Deep SVDD [153] extends the classical SVDD method by leveraging a deep neural network to learn a nonlinear transformation $\varphi (x;\theta )$ that maps inputs into a latent space where normal samples are enclosed in a minimal-radius hypersphere. The training objective is to minimize:

$$\underset{\theta }{min}{\displaystyle \frac{1}{n}}\sum _{i=1}^n{\parallel \varphi (x_i;\theta )-c\parallel }^2$$

(15)

where c is the center of the hypersphere in the latent space. This approach avoids the need for input reconstruction, focusing instead on compressing normal behavior representations. Deep SVDD is particularly effective on structured data but incurs a high computational cost, making it less suitable for edge-level runtime deployment.

3.

kNN-Based One-Class Detection

This method assigns anomaly scores to new observations based on their distances from k-nearest neighbors in the training data [154]:

$${\mathrm{score}}_{\mathrm{avg}}\left(x\right)={\displaystyle \frac{1}{k}}\sum _{x_i\in N_k\left(x\right)}\parallel x-x_i\parallel \mathrm{or}{\mathrm{score}}_{min}\left(x\right)=\underset{x_i\in N_k\left(x\right)}{min}\parallel x-x_i\parallel$$

(16)

If the score exceeds a threshold $\tau$, the sample is flagged as anomalous. kNN-based OCC is simple and interpretable but not well suited to high-volume or high-dimensional data due to scalability issues.

5.7. Discussion and Justification of Exclusion

Although LOF, Deep SVDD, and kNN are robust and well-established OCC methods, they were not included in our runtime testbed for the following reasons:

• Lack of optimized support for real-time deployment in Python-based runtime environments (e.g., pyshark, joblib).
• Inability to meet the latency constraints imposed by our edge-based system on Raspberry Pi hardware.
• High sensitivity to hyperparameter tuning, which may hinder practical out-of-the-box integration in a plug-and-play GUI framework.

Nonetheless, these methods remain promising for future inclusion in our platform. Our current selections of AE, VAE, iForest, and OCSVM prioritized compatibility with real-time streaming, modular deployment, and literature adoption in edge-ready IDS pipelines [92]. Having presented the theoretical foundations, taxonomy, and core mechanisms of one-class classification (OCC) techniques, we now transition to the second part of this work: an experimental evaluation of these methods in a runtime anomaly detection context. The following sections describe the testbed implementation, preprocessing pipeline, and performance assessment under real-time constraints using NFSv4-based network communication. This dual approach is intended to bridge the gap between academic surveys and practical IDS deployment strategies.

6. Preprocessing Data and Setup

This section presents the experimental phase, focused on evaluating the runtime performance of OCC techniques within a live network testbed designed to emulate edge and industrial environments. Moving beyond offline benchmarks, the goal is to assess model behavior under real-time operational constraints. The analysis considers four widely adopted datasets: NSL-KDD 2009, UNSW-NB15, CICIDS 2017, and TON-IoT, selected for their relevance to one-class anomaly detection and their realistic traffic characteristics [155,156,157]. Preprocessing involved identifying and removing redundant, missing, or low-information features, followed by normalization to enhance model training. Evaluation metrics were defined to ensure consistent assessment of detection accuracy across normal and anomalous traffic patterns. The experimental setup, including system architecture and parameter configurations, is also detailed. Results are then analyzed to compare model performance across datasets, providing insights into their effectiveness under realistic runtime conditions.

6.1. Feature Preprocessing and Normalization

Regardless of the specific dataset to which the proposed workflow is applied, several preprocessing operations are necessary to ensure the robustness and consistency of the subsequent steps [158]. The first transformation consists of converting symbolic or categorical features into numerical representations. This applies, for example, to attributes such as Timestamp or Port Number, which may encode information in a symbolic or sequential form. To this end, a label encoding strategy is adopted, where each unique categorical value within a feature is mapped to a distinct integer. This approach is chosen to minimize the number of features and maintain a compact feature space, as opposed to one-hot encoding, which could lead to dimensionality explosion and increased computational cost in downstream tasks. After encoding, a normalization step is applied to mitigate the risk of computational distortions due to heterogeneous feature scales [159]. Specifically, min-max normalization is used to rescale all feature values to the interval [0, 1]. The normalization of a feature vector $f=\{f_1,f_2,\dots ,f_n\}$ is defined as:

$$f_i^{\prime }={\displaystyle \frac{f_i-min\left(f\right)}{max\left(f\right)-min\left(f\right)}}\mathrm{for}i=1,\dots ,n$$

(17)

where $f_i$ is the original value of the i-th component of feature f, and $f_i^{\prime }$ is the normalized value. Once normalization is complete, all observations containing missing or undefined values (NaNs) are removed from the final dataset, as they carry no informative content and may compromise the integrity and performance of the learning process.

6.2. Feature Reduction Using Principal Component Analysis (PCA)

To preliminarily reduce the number of features in the datasets, feature reduction techniques are applied during both the data preparation and learning phases. In particular, we employ principal component analysis (PCA), a widely used linear method for projecting data into a lower-dimensional space while preserving as much information (i.e., variance) as possible [160,161,162]. Let us consider the dataset represented by a matrix $\mathbf{A}\in {\mathbb{R}}^{N\times n}$, where N is the number of observations and n is the number of features. The goal of PCA is to transform this dataset into a new representation with fewer dimensions, capturing most of the original information [163].

1.

Dataset Centering

Starting from the original matrix $\mathbf{A}$, the mean of each column is computed:

$${\mu }_j={\displaystyle \frac{1}{N}}\sum _{i=1}^N{a}_{ij}\mathrm{for}j=1,\dots ,n$$

(18)

A centered matrix $\mathbf{B}\in {\mathbb{R}}^{N\times n}$ is then obtained by subtracting the mean from each element:

$${\mathbf{B}}_{ij}={\mathbf{A}}_{ij}-{\mu }_j$$

(19)

2.

Covariance Matrix Computation

The covariance matrix $\mathbf{\Sigma }\in {\mathbb{R}}^{n\times n}$ is computed as:

$$\mathbf{\Sigma }={\displaystyle \frac{1}{N-1}}{\mathbf{B}}^{\top }\mathbf{B}$$

(20)

Each element ${\Sigma }_{ij}$ represents the covariance between features i and j.

3.

Eigenvalue and Eigenvector Decomposition

To determine the principal directions (principal components), the eigenvalues and eigenvectors of $\mathbf{\Sigma }$ are computed by solving:

$$det(\mathbf{\Sigma }-\lambda \mathbf{I})=0$$

(21)

This yields the matrix of eigenvectors $\mathbf{V}=[{\mathbf{v}}_1,\dots ,{\mathbf{v}}_n]\in {\mathbb{R}}^{n\times n}$, sorted by decreasing eigenvalue magnitude. By selecting the first m eigenvectors (with $m<n$) that account for the largest variance, we obtain the projection matrix:

$${\mathbf{V}}_{\mathrm{red}}=[{\mathbf{v}}_1,\dots ,{\mathbf{v}}_m]\in {\mathbb{R}}^{n\times m}$$

(22)

4.

Projection into the Reduced Space

The reduced representation of the dataset is then obtained by projecting the centered data onto the new basis:

$${\mathbf{A}}_{\mathrm{new}}=\mathbf{B}·{\mathbf{V}}_{\mathrm{red}}\in {\mathbb{R}}^{N\times m}$$

(23)

This transformation projects the original data into a lower-dimensional space ${\mathbb{R}}^m$, preserving the structure of feature correlations while improving the computational efficiency of the subsequent machine learning models [164,165]. After having carried out the analysis of the PCA with the corresponding correlation matrices, the cumulative variance is calculated, and then the graphs of the latter are plotted. Cumulative variance refers to the total proportion of variance in the original dataset that is explained by a given number of principal components in PCA [166]. It is computed as the cumulative sum of the individual explained variance ratios of each principal component. Let ${\lambda }_1,{\lambda }_2,\dots ,{\lambda }_n$ be the eigenvalues of the covariance matrix of the data, sorted in descending order, and let ${\lambda }_{\mathrm{total}}={\sum }_{i=1}^n{\lambda }_i$ be the total variance. Then, the cumulative variance explained by the first k components is:

$$\mathrm{Cumulative}{\mathrm{Variance}}_k={\displaystyle \frac{{\sum }_{i=1}^k{\lambda }_i}{{\sum }_{i=1}^n{\lambda }_i}}={\displaystyle \frac{{\sum }_{i=1}^k{\lambda }_i}{{\lambda }_{\mathrm{total}}}}$$

This measure helps determine the smallest number of principal components needed to retain a desired proportion (e.g., 95%) of the original variance, which is crucial for effective dimensionality reduction while preserving information [167,168]. It is important to note that, during the PCA process, all features exhibiting binary or Boolean values were excluded from the analysis [169]. This decision was based on the assumption that such features provide limited informational variance and are therefore of low utility for training the algorithms effectively [170,171]. The results we obtain from the PCA analysis for each dataset are graphically shown in the following Figure 11, Figure 12, Figure 13, Figure 14, Figure 15, Figure 16, Figure 17 and Figure 18 below and summarized in

Table 11. Principal component analysis (PCA)—selected features and variance explained per dataset.

Dataset	PCA Components (95% Variance)	Selected Features from PCA
NSL-KDD	20	diff_srv_rate, duration, num_file_creations, num_shells, root_shell, num_access_files, urgent, dst_host_srv_diff_host_rate, num_failed_logins, srv_diff_host_rate, dst_bytes, dst_host_diff_srv_rate, wrong_fragment, land, dst_host_count, logged_in, protocol_type, su_attempted, count, num_root
UNSW-NB15	24	smean_sz, Djit, Sjit, res_bdy_len, Dload, Sload, service, stcpb, ct_flw_http_mthd, dttl, dtcpb, ct_srv_dst, ct_src_ltm, ct_srv_src, ct_state_ttl, ct_dst_ltm, trans_depth, Dintpkt, ct_dst_sport_ltm, state, is_sm_ips_ports, ct_ftp_cmd, ct_src_dport_ltm, sttl
TON_IoT	23	dns_rcode, conn_state, src_ip_bytes, http_response_body_len, missed_bytes, dns_qclass, dns_query, src_port, service, src_pkts, weird_name, duration, dst_port, dst_pkts, weird_addl, dst_ip, http_resp_mime_types, src_ip, proto, dst_ip_bytes, ts, dst_bytes, dns_qtype
CICIDS 2017	30	Down/Up Ratio, TotLen Bwd Pkts, Dst Port, Fwd Pkt Len Mean, Pkt Len Mean, Fwd PSH Flags, Init Bwd Win Byts, Fwd Act Data Pkts, Tot Fwd Pkts, Fwd Pkt Len Max, Flow IAT Min, Fwd IAT Min, TotLen Fwd Pkts, Tot Bwd Pkts, Fwd URG Flags, Init Fwd Win Byts, Fwd Pkt Len Min, Bwd IAT Min, Active Std, Bwd Pkt Len Min, URG Flag Cnt, Flow Pkts/s, Bwd Pkts/s, Fwd Header Len, Pkt Len Std, Bwd Header Len, Pkt Size Avg, Bwd Pkt Len Mean, Timestamp, Flow IAT Max

.

6.3. Performance Evaluation

To assess the effectiveness of the ML models applied in this study, a set of standard performance metrics was used, based on the construction of the confusion matrix, which is a widely adopted tool for evaluating the outcomes of OCC tasks [172,173]. In an OCC, each instance is assigned to either the positive class (e.g., anomaly) or the negative class (e.g., normal) [174]. The confusion matrix is composed of the following elements:

• True Positives (TP): number of instances correctly predicted as belonging to the positive class.
• True Negatives (TN): number of instances correctly predicted as belonging to the negative class.
• False Positives (FP): number of instances incorrectly predicted as positive when they actually belong to the negative class.
• False Negatives (FN): number of instances incorrectly predicted as negative when they actually belong to the positive class.

Based on these quantities, the following performance indicators are computed:

• Accuracy

It measures the proportion of total correct predictions among all predictions and is defined as:

$$\mathrm{Accuracy}={\displaystyle \frac{TP+TN}{TP+TN+FP+FN}}$$

(24)

• Precision

Also known as PPV, it measures the proportion of true positives among all predicted positives:

$$\mathrm{Precision}={\displaystyle \frac{TP}{TP+FP}}$$

(25)

• Recall (Sensitivity or True Positive Rate)

This metric quantifies the ability of the classifier to correctly identify positive instances and is defined as:

$$\mathrm{Recall}={\displaystyle \frac{TP}{TP+FN}}$$

(26)

• F1-Score

The F1-score is the harmonic mean of precision and recall, offering a balanced measure when there is an uneven class distribution. It is computed as:

$$\mathrm{F}1\mathrm{Score}={\displaystyle \frac{2·\mathrm{Precision}·\mathrm{Recall}}{\mathrm{Precision}+\mathrm{Recall}}}$$

(27)

These metrics collectively provide a comprehensive view of the classifier’s performance, especially in imbalanced classification problems such as anomaly detection, where the majority of data belong to the normal class and anomalies are relatively rare [175,176,177]. In such cases, relying solely on accuracy may be misleading, and greater emphasis is placed on precision, recall, and F1-score to evaluate model robustness and reliability [178,179,180].

6.4. Experimental Setup: NFSv4 Server with Runtime IDS and Multi-Client Architecture

To evaluate the proposed anomaly detection techniques in realistic conditions, a custom network demonstrator was implemented, consisting of a centralized NFSv4 server and three client nodes communicating over a TCP/UDP infrastructure, as illustrated in Figure 19.

The environment simulates both nominal and anomalous behavior through file-sharing operations. The NFSv4 server exports a shared directory accessed by clients via sequential mount and write operations, emulating enterprise or industrial file system interactions. All communications adhere to the NFSv4 stack, with core transactions over TCP and occasional auxiliary RPC messages over UDP. Each client initiates a mount, then performs randomized write operations to introduce variability in traffic and prevent overfitting. Variations in inter-arrival times and payloads simulate diverse usage patterns and workload conditions. On the server side, a runtime IDS monitors network- and system-level activity in real time. The detection engine incorporates multiple OCC techniques (OCSVM, VAE, iForest, and statistical reconstruction models) and analyzes the following:

• Request frequency and inter-arrival time;
• Packet size distribution;
• Port and protocol usage (TCP/UDP);
• System metrics (I/O, syscall anomalies).

Anomalies are flagged when deviations from the learned normal profile are detected, e.g., brute-force attempts, unauthorized file access, malformed payloads, or scanning activity. Traffic capture is performed at both endpoints using Wireshark for offline analysis. The testbed serves as a controlled, reproducible environment for validating IDS models in runtime, with constraints on latency, partial observability, and evolving traffic characteristics typical of real-world edge and industrial systems.

7. Experiment & Results

7.1. Experimental Procedure and Runtime Evaluation Setup

To validate the proposed OCC techniques under runtime conditions, an experimental client–server testbed was developed. The setup consists of a centralized NFS server and three client nodes interconnected via TCP/UDP, generating both nominal and anomalous traffic for runtime evaluation. All components were implemented in Python v13, with four custom scripts automating the test procedures. On the client side, Algorithm 1 generates legitimate NFS operations (e.g., mount, write), while Algorithm 2 injects anomalous behaviors such as high-frequency bursts, unauthorized port scanning, brute-force commands, malformed payloads, and low-size UDP floods. On the server side, Algorithm 3 passively captures incoming traffic, and Algorithm 4 classifies packets in real time using the selected OCC model (OCSVM, iForest, AE, or VAE). This framework enables direct performance assessment of anomaly detection methods in a live runtime environment.

Algorithm 1: Nominal Traffic Generation (Client Side)

All ML models were trained offline on normal data only, using supervised-free approaches tailored for OCC settings. The training output was embedded into Python pipeline objects as Selected -ML-pipeline.joblib, allowing seamless loading and deployment during runtime without the need for retraining. A dedicated graphical user interface (GUI) was implemented on the server side to ensure that the entire system is easily executable, fully automated, and accessible even to users outside the development team. This allows the proposed solution to be tested and deployed not only within the demonstrator environment but also in different operational contexts, facilitating broader experimentation and adaptation of the anomaly detection algorithms across various scenarios. This GUI allows the operator to:

• Select the ML technique to be tested from a predefined list;
• Specify the network interface or port to be monitored;
• Launch the detection process and visualize outcomes in real time.

Network traffic is captured using pyshark, a Python wrapper for Wireshark, enabling detailed packet-level analysis directly within the Python runtime. Each incoming packet is processed and classified as either nominal or anomalous according to the behavior learned during the offline training phase. Additionally, the system automatically stores the following outputs:

• A summary of performance metrics (accuracy, precision, recall, F1-score) in structured output;
• A historical report saved in plain-text (.txt) format, logging each observed packet with timestamp, classification result, and basic flow metadata.

This fully packaged solution provides an effective environment for runtime evaluation and facilitates seamless integration into operational networks without manual tuning. The functioning of the graphical user interface (GUI) described in this section is summarized in the flowchart shown in Figure 20, while the configuration interface of the GUI is illustrated in Figure 21.

Algorithm 2: Multi-Type Attack Traffic Generator (Client Side)

Algorithm 3: TCP/UDP Request Listener on NFSv4 Simulated Server

Algorithm 4: Runtime Intrusion Detection on Server using ML model selected (Server Side)

7.2. Results of Experiment

The evaluation was conducted on a custom-designed testbed (Figure 22) replicating realistic industrial network conditions using an edge-based client–server architecture over NFSv4. The network comprised one server and three client nodes, implemented with Raspberry Pi 3 devices, simulating bidirectional TCP/UDP traffic flows.

During the runtime testing phase, a total of 250,192 packets were captured and processed. Of these, 110,741 were anomalous, emulating various attack patterns, including DoS, UDP floods, brute-force commands, port scanning, and malformed payloads, while the remaining 130,449 packets represented legitimate NFSv4 operations (e.g., MOUNT, WRITE) transmitted over TCP and UDP. All OCC models were pre-trained offline using the preprocessed datasets discussed previously. Hyperparameters for each algorithm are reported in

Table 12. Hyperparameter values used for the anomaly detection algorithms.

Algorithm	Hyperparameter	Value/Choice
Autoencoder	Layers (enc/dec)	2 encoder, 2 decoder
	Units per layer	[400, 200]
	Activation	ReLU
	Loss	MSE
	Optimizer	Adam (lr = 0.001)
	Epochs	150
	Batch size	64
Variational Autoencoder	Latent size	6
	Activation	ReLU
	Loss	MSE + KL divergence
	Optimizer	Adam (lr = 0.001)
	Epochs	150
	Batch size	64
One-Class SVM	Kernel	RBF
	Gamma	$1/N_{features}$
	Nu	0.05
Isolation Forest	Trees	100
	Max samples	256
	Contamination	0.05

, ensuring reproducibility and comparability.

All models were evaluated on the same traffic stream under identical runtime conditions, allowing direct comparison. Performance metrics (accuracy, precision, recall, and F1-score) were computed at the end of each run, and these are summarized in

Table 13. Performance of OCC algorithms across datasets (best values are highlighted in green).

Model	Dataset	Accuracy	Precision	Recall	F1-Score
OCSVM	NSL-KDD	0.89	0.85	0.81	0.83
	UNSW-NB15	0.95	0.93	0.92	0.92
	TON_IoT	0.87	0.84	0.79	0.81
	CICIDS2017	0.88	0.86	0.80	0.83
AE	NSL-KDD	0.91	0.89	0.84	0.86
	UNSW-NB15	0.96	0.94	0.93	0.93
	TON_IoT	0.88	0.86	0.82	0.84
	CICIDS2017	0.89	0.87	0.83	0.85
iForest	NSL-KDD	0.86	0.83	0.78	0.80
	UNSW-NB15	0.94	0.92	0.91	0.91
	TON_IoT	0.85	0.82	0.77	0.79
	CICIDS2017	0.87	0.84	0.80	0.82
VAE	NSL-KDD	0.90	0.87	0.83	0.85
	UNSW-NB15	0.96	0.94	0.92	0.93
	TON_IoT	0.88	0.85	0.81	0.83
	CICIDS2017	0.89	0.86	0.82	0.84

. Logging was automated, with each packet labeled and timestamped for post-analysis.

All models achieved their best performance on the UNSW-NB15 dataset, with F1-scores above 0.91, peaking at 0.93 with both AE and VAE. This confirms the dataset’s strong feature representation and class balance. Deep learning models (AE, VAE) showed higher recall, indicating better detection of subtle anomalies, particularly under complex temporal or statistical patterns. Performance on CICIDS2017 and TON_IoT was slightly lower, likely due to greater class imbalance and sparse attack representation. Results on NSL-KDD were consistently lower, aligning with known limitations in diversity and data aging. Average inference times per packet (

Table 14. Average runtime inference time per packet for each OCC technique (fastest technique is highlighted in green).

ML Technique	Inference Time (ms)
OCSVM	2.8
AE	3.1
VAE	5.3
iForest	1.3

) reflect model complexity. VAE had the highest latency (5.3 ms), followed by AE and OCSVM, while iForest was the fastest (1.3 ms), confirming its efficiency for real-time deployment (Figure 23).

Based on the results presented and discussed in this section, it can be concluded that the UNSW-NB15 dataset is the most effective training source across all evaluated models, enabling the development of accurate, precise, and robust anomaly detection systems. The strong performance of deep learning methods, particularly the Autoencoder and Variational Autoencoder, further confirms their suitability for real-time IDS deployment, especially in contexts requiring high sensitivity to subtle or low-profile anomalies. Although slightly less accurate, the Isolation Forest algorithm demonstrated the fastest inference times among all evaluated models, confirming its effectiveness as a lightweight and computationally efficient solution for scenarios where low latency is a critical constraint.

7.3. Statistical Validation of Performance Differences

To validate that the observed performance differences between OCC models are not due to random variation, we performed a one-way ANOVA (analysis of variance) test on the F1-scores achieved by each model across multiple datasets. The tests were conducted separately for each dataset. All proposed OCC models were evaluated through 10 repeated runs on each dataset, with F1-scores collected to assess performance consistency. The null hypothesis ($H_0$) states that the mean F1-score is equal across all four models. The alternative hypothesis ($H_a$) asserts that at least one model significantly differs from the others. The significance level was set at $\alpha =0.05$. A summary of the ANOVA test results is reported in

Table 15. ANOVA results on F1-score across OCC models for each dataset.

Dataset	F-Statistic	p-Value	Significance
NSL-KDD	14.23	0.00009	Yes
UNSW-NB15	21.58	0.00001	Yes
CICIDS2017	11.41	0.00027	Yes
TON_IoT	8.67	0.00065	Yes

. All datasets produced p-values well below the threshold, indicating that the observed differences in model performance are statistically significant.

Across all datasets, ANOVA tests confirm that the performance differences among the OCC models are statistically significant. In particular:

• The UNSW-NB15 dataset yielded the strongest statistical separation (F = 21.58), with VAE and AE showing consistently higher F1-scores than OCSVM and iForest.
• NSL-KDD and CICIDS2017 showed similar trends, although the gap between the deep and classical models was narrower.
• TON_IoT, being highly imbalanced, resulted in slightly lower F-statistics but still confirmed significance.

Pairwise comparisons using Tukey’s HSD test (not shown) revealed that:

• AE and VAE significantly outperform iForest and OCSVM across all datasets;
• The difference between AE and VAE was not statistically significant, supporting their comparable effectiveness;
• OCSVM and iForest yielded overlapping performance in TON_IoT.

These results statistically support the empirical ranking observed in Table 13, confirming that deep-learning-based models offer superior robustness and generalization under real-time runtime conditions.

7.4. Benchmark Comparison with State-of-the-Art IDS

To contextualize the performance of the proposed OCC-based IDS, we compared it with several representative real-time IDS frameworks reported in the recent literature.

Table 16. Benchmark comparison with recent real-time IDS solutions.

System (Ref.)	Methodology	Accuracy (%)	F1-Score (%)	Runtime/Deployment
DeepIDS [181]	CNN + supervised	97.2	96.1	Offline (KDD, NSL-KDD)
CICFlowMeter + Random Forest [182]	Flow-based + RF	92.5	91.0	Real-time (CICIDS2017)
LOF-IDS [183]	Unsupervised LOF	87.3	85.2	Partial runtime, no GUI
EdgeML-IDS [184]	Lightweight DL	94.0	93.1	IoT gateway, online
Ours (OCC-IDS)	One-Class SVM/AE/VAE/iForest	96.0 (max)	93.0 (UNSW-NB15)	Real-time, modular GUI, TCP/UDP capture

summarizes the key features and performance metrics (where available) for each system.

Compared to other recent IDS implementations, our OCC-based IDS demonstrates several strengths:

• Real-time execution: All models are executed in streaming mode using PyShark capture, with average latency below 5.5 ms per packet.
• Offline-free deployment: Unlike supervised models such as DeepIDS, our framework does not require labeled attack data for training.
• Modular GUI and configurability: The implemented interface allows model switching, real-time monitoring, and auto-logging—rarely found in academic prototypes.
• Competitive accuracy: The best model (VAE with UNSW-NB15) achieves 96% accuracy and 93% F1-score, outperforming unsupervised baselines like LOF.

While supervised models may achieve higher accuracy in some cases, they require extensive labeled attack samples and retraining on domain-specific data. In contrast, our IDS remains effective and deployable in restricted environments such as military or industrial networks, where access to annotated threats is often limited or prohibited.

7.5. Limitations and Critical Analysis

Although the experimental results confirm the effectiveness of OCC models for runtime intrusion detection, several limitations must be acknowledged to ensure a realistic and complete interpretation of the findings.

• Sensitivity to Training Data Quality: OCC models are trained exclusively on nominal data. Any biases, artifacts, or inconsistencies in this training set may lead to overfitting or misclassification of benign deviations as anomalies. Datasets such as NSL-KDD, which contain redundant or outdated traffic patterns, tend to reduce model generalization.
• False Positive Rate (FPR): Due to the absence of labeled attack samples, OCC models construct tight boundaries around the nominal class. As shown in

  Table 17. Critical instances of elevated false positive rate (FPR) are often associated with complex and imbalanced datasets.

  Model	Training Dataset	FPR (%)	Comments
  Autoencoder (AE)	UNSW-NB15	3.8	Balanced feature space yields low FPR.
  Autoencoder (AE)	CICIDS2017	11.5	High variability in benign traffic increases FPR.
  Variational Autoencoder (VAE)	TON_IoT	9.2	Sensitive to rare yet legitimate deviations.
  OCSVM	NSL-KDD	12.0	Legacy dataset with limited behavioral diversity.
  Isolation Forest (iForest)	UNSW-NB15	4.1	Fast and robust tree-based separation.

  , this often results in non-negligible false positive rates—particularly when tested on complex or imbalanced datasets such as CICIDS2017 or TON_IoT. For instance, the AE model trained on CICIDS2017 yields an FPR above 11%.
• Threshold Calibration: For models based on reconstruction error (e.g., AE and VAE), detection depends on a critical threshold $\theta$. If the reconstruction error $ϵ\left(\mathbf{x}\right)$ exceeds $\theta$, the sample is flagged as anomalous:

  $$ϵ\left(\mathbf{x}\right)=\parallel \mathbf{x}-\widehat{\mathbf{x}}{\parallel }_2>\theta$$

  (28)
  Improper selection of $\theta$ can significantly impact the trade-off between precision and recall. Static thresholds may also degrade performance in the presence of runtime variability.
• Concept Drift: Network traffic patterns and system behaviors evolve over time. Without periodic retraining or adaptation, OCC models may fail to detect new types of anomalies or may increasingly classify benign changes as malicious, thereby degrading long-term performance.
• Lack of Interpretability: Deep-learning-based OCC models (e.g., VAE) tend to operate as black boxes. This impedes root cause analysis and limits the explainability of alarms—a critical requirement in industrial or military environments.

To mitigate these limitations, we recommend the following enhancements in future work:

1.

Dynamic or percentile-based thresholding to reduce sensitivity to global scale variations;

2.

Online learning or periodic retraining using updated nominal traffic samples;

3.

Hybrid semi-supervised models capable of incorporating occasional labeled anomalies;

4.

Explainable AI (XAI) layers or attribution techniques to improve transparency and operational trust.

8. Discussion and Future Work

The results of this study confirm the suitability of OCC approaches for real-time anomaly detection in networked environments, particularly where the structure and nature of potential threats are unknown. Traditional rule-based IDSs rely on predefined attack patterns and show limited adaptability against novel or evolving threats [185,186]. In contrast, OCC models trained exclusively on nominal traffic model legitimate behavior and flag deviations as anomalies [187,188]. A key advantage of OCC techniques is their simplified training process, as they do not require labeled attack samples or prior knowledge of threat types. This makes them well suited for operational contexts such as industrial or defense networks, where acquiring representative malicious data is often infeasible or constrained by data sensitivity [189,190]. Additionally, this reduces the time and effort associated with dataset preparation and training [191,192,193]. The runtime evaluation further validated the practical applicability of the proposed system. During the test phase, the IDS processed over 250,000 packets, comprising both nominal and anomalous traffic, using pre-trained models integrated via modular pipelines. While the current setup targets a selected range of anomalies, future iterations will incorporate additional threat classes (e.g., reconnaissance, malware, data exfiltration) to evaluate model generalization under more diverse conditions. Initial experiments relied on widely used public datasets for training. However, given that several of these benchmarks are now outdated, future work will explore the integration of more recent and domain-specific datasets, particularly those relevant to industrial applications [194,195]. This work presents a dual contribution: a comparative survey of OCC techniques and a real-time evaluation conducted on an industrial-like testbed. The survey reviewed key public IDS datasets and organized OCC models within a unified taxonomy. Four representative algorithms (Autoencoder, Variational Autoencoder, Isolation Forest, and One-Class SVM) were selected based on their relevance in the literature and runtime feasibility. These models were trained on four benchmark datasets and deployed within a Python-based IDS framework with GUI support, running over an NFSv4 client–server architecture using Raspberry Pi devices to simulate realistic network behavior.The main findings obtained from this study are summarized as follows:

• UNSW-NB15 outperformed other datasets, consistently yielding the highest precision and F1-scores across all OCC models.
• AE and VAE showed superior recall and F1-score, confirming their effectiveness in capturing complex traffic patterns, albeit with increased inference latency.
• Isolation Forest demonstrated the best latency/performance trade-off, making it suitable for resource-constrained, real-time deployments.
• The runtime testbed revealed the practical impact of dataset bias, dimensionality, and preprocessing strategies on detection accuracy and system robustness.

By bridging the gap between theoretical analysis and practical deployment, this study provides both a structured taxonomy of OCC methods and a validated framework for their real-time evaluation. Future developments will focus on hybrid learning approaches, integration of real industrial datasets, and adaptive IDS architectures capable of responding to evolving threat landscapes.