Few-shot network intrusion detection using online triplet mining

Wilkie, Jack and Hindy, Hanan and Tachtatzis, Christos and Bures, Miroslav and Atkinson, Robert (2026) Few-shot network intrusion detection using online triplet mining. Applied Sciences, 16 (10). 4589. ISSN 2076-3417 (https://doi.org/10.3390/app16104589)

Preview

Text. Filename: Wilkie-etal-AS-2026-Few-shot-network-intrusion-detection-using-online-triplet-mining.pdf Final Published Version License: Download (440kB)| Preview

Abstract

Network intrusion detection systems play a vital role in protecting networks by detecting malicious network traffic which can then be investigated by a cybersecurity operations centre. State-of-the-art approaches utilise supervised machine learning methods to train a classification model to recognise known cyberattacks; however, these models require a large labelled dataset to train and show poor performance when trained on smaller datasets. In an attempt to address this shortcoming, anomaly detection models learn the distribution of benign traffic and flag non-conforming traffic as malicious. While these methods do not require malicious examples to train, they suffer from high false-positive rates rendering them impractical. As a result, networks may be particularly vulnerable when there are insufficient labelled instances of a specific attack class to train an effective classifier. This often occurs in newly established networks or when previously unseen types of attacks emerge. To address this challenge, this work proposes the use of a triplet network, utilising online triplet mining and a KNN classifier, which is able to perform few-shot classification, enabling effective intrusion detection after being trained on a limited number of malicious examples. Various online triplet mining algorithms were explored and model design choices, such as the inference algorithm and optimised distance metrics, were compared and evaluated through a series of ablation studies. The final model was compared against other state-of-the-art approaches in few-shot binary and multiclass classification, where the proposed approach was found to be competitive with existing methods when trained on as little as 10 malicious samples of each class.

ORCID iDs

Wilkie, Jack ORCID: https://orcid.org/0009-0009-8046-7770

Tachtatzis, Christos ORCID: https://orcid.org/0000-0001-9150-6805

Atkinson, Robert ORCID: https://orcid.org/0000-0002-6206-2229

• Share and Export
  

  RDF+N-TriplesHTML CitationRIS (EndNote Online, Zotero, Ref manager, etc)BibTeXAtomASCII CitationRefWorksMultiline CSVEndNoteSimple MetadataJSONRDF+N3OpenURL ContextObjectEP3 XMLMETSRIOXX2 XMLReferRDF+XMLOPENAIREMPEG-21 DIDLData Cite XMLDublin CoreMODSOpenURL ContextObject in Span
• Item metadata

  Item type:	Article
  ID code:	96198
  Dates:	Date Event 7 May 2026 Published 3 May 2026 Accepted
  Subjects:	Technology > Electrical engineering. Electronics Nuclear engineering
  Department:	Faculty of Engineering > Electronic and Electrical Engineering Strategic Research Themes > Measurement Science and Enabling Technologies
  Depositing user:	Pure Administrator
  Date deposited:	07 May 2026 11:22
  Last modified:	09 Jun 2026 08:31
  URI:	https://strathprints.strath.ac.uk/id/eprint/96198