{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,9]],"date-time":"2026-04-09T12:50:20Z","timestamp":1775739020183,"version":"3.50.1"},"reference-count":47,"publisher":"Association for Computing Machinery (ACM)","issue":"3","content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["ACM Trans. Priv. Secur."],"published-print":{"date-parts":[[2025,8,31]]},"abstract":"<jats:p>Detecting unknown cyberattacks remains an open research problem and a significant challenge for the research community and the security industry. This article tackles the detection of unknown cybersecurity attacks in the Internet of Things (IoT) and traditional networks by categorizing them into two types: entirely new classes of unknown attacks (type-A) and unknown attacks within already known classes (type-B). To address this, we propose a novel multi-stage, multi-layer zero trust architecture for an intrusion detection system (IDS), uniquely designed to handle these attack types. The architecture employs a hybrid methodology that combines two supervised and one unsupervised learning stages in a funnel-like design, significantly advancing current detection capabilities. A key innovation is the layered filtering mechanism, leveraging type-A and type-B attack concepts to systematically classify traffic as malicious unless proven otherwise. Using four benchmark datasets, the proposed system demonstrates significant improvements in accuracy, recall, and error classification rates for unknown attacks, achieving an average accuracy and recall ranging between 88% and 95%. This work offers a robust, scalable framework for enhancing cybersecurity in diverse network environments.<\/jats:p>","DOI":"10.1145\/3725216","type":"journal-article","created":{"date-parts":[[2025,3,19]],"date-time":"2025-03-19T07:08:26Z","timestamp":1742368106000},"page":"1-28","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":10,"title":["Multi-Stage Enhanced Zero Trust Intrusion Detection System for Unknown Attack Detection in Internet of Things and Traditional Networks"],"prefix":"10.1145","volume":"28","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-6694-9193","authenticated-orcid":false,"given":"Malek","family":"Al-Zewairi","sequence":"first","affiliation":[{"name":"Department of Computer Science, Princess Sumaya University for Technology","place":["Amman, Jordan"]}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-9076-3519","authenticated-orcid":false,"given":"Sufyan","family":"Almajali","sequence":"additional","affiliation":[{"name":"Department of Computer Science, Princess Sumaya University for Technology","place":["Amman, Jordan"]}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-0868-143X","authenticated-orcid":false,"given":"Moussa","family":"Ayyash","sequence":"additional","affiliation":[{"name":"Department of Computing, Information, and Mathematical Sciences and Technology, Chicago State University","place":["Chicago, United States"]}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-9701-5505","authenticated-orcid":false,"given":"Mohamed","family":"Rahouti","sequence":"additional","affiliation":[{"name":"Department of Computer and Information Science, Fordham University","place":["New York, United States"]}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0009-0007-2208-2691","authenticated-orcid":false,"given":"Fernando","family":"Martinez","sequence":"additional","affiliation":[{"name":"Department of Computer and Information Science, Fordham University","place":["New York, United States"]}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0009-0002-0782-5825","authenticated-orcid":false,"given":"Nordine","family":"Quadar","sequence":"additional","affiliation":[{"name":"Royal Military College of Canada","place":["Kingston, Canada"]}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"320","published-online":{"date-parts":[[2025,8,23]]},"reference":[{"key":"e_1_3_2_2_2","unstructured":"2024. CrowdStrike 2024 Global Threat Report. In CrowdStrike. Retrieved March 22 2025 from https:\/\/www.crowdstrike.com\/blog\/crowdstrike-2024-global-threat-report\/"},{"key":"e_1_3_2_3_2","doi-asserted-by":"publisher","DOI":"10.1109\/ACCESS.2018.2841987"},{"issue":"1","key":"e_1_3_2_4_2","first-page":"54","article-title":"LnaCBR: Case based reasoning architecture for intrusion detection to learning new attacks","volume":"6","year":"2016","unstructured":"Mohssine El Ajjouri, Siham Benhadou, and Hicham Medromi 2016. LnaCBR: Case based reasoning architecture for intrusion detection to learning new attacks. Revue M\u00e9diterran\u00e9enne des T\u00e9l\u00e9communications 6, 1 (2016), 54\u201359.","journal-title":"Revue M\u00e9diterran\u00e9enne des T\u00e9l\u00e9communications"},{"key":"e_1_3_2_5_2","doi-asserted-by":"publisher","DOI":"10.1109\/ictcs.2017.29"},{"key":"e_1_3_2_6_2","doi-asserted-by":"publisher","DOI":"10.3390\/electronics9122006"},{"key":"e_1_3_2_7_2","doi-asserted-by":"crossref","unstructured":"Malek Al-Zewairi Sufyan Almajali and Moussa Ayyash. 2020. Unknown security attack detection using shallow and deep ANN classifiers. Electronics 9 12 (2020) 2006.","DOI":"10.3390\/electronics9122006"},{"key":"e_1_3_2_8_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.jocs.2017.03.006"},{"key":"e_1_3_2_9_2","doi-asserted-by":"crossref","unstructured":"Fatima Alwahedi Alyazia Aldhaheri Mohamed Amine Ferrag Ammar Battah and Norbert Tihanyi. 2024. Machine learning techniques for IoT security: Current research and future vision with generative AI and large language models. Internet of Things and Cyber-Physical Systems 4 (2024) 167\u2013185.","DOI":"10.1016\/j.iotcps.2023.12.003"},{"key":"e_1_3_2_10_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-02607-3_14"},{"issue":"23","key":"e_1_3_2_11_2","doi-asserted-by":"crossref","first-page":"13097","DOI":"10.1007\/s00500-021-06679-0","article-title":"Malicious attack detection approach in cloud computing using machine learning techniques","volume":"26","author":"Arunkumar M.","year":"2022","unstructured":"M. Arunkumar and K. Ashok Kumar. 2022. Malicious attack detection approach in cloud computing using machine learning techniques. Soft Computing 26, 23 (2022), 13097\u201313107.","journal-title":"Soft Computing"},{"key":"e_1_3_2_12_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-662-45402-2_188"},{"issue":"1","key":"e_1_3_2_13_2","doi-asserted-by":"crossref","first-page":"5","DOI":"10.1007\/s43926-023-00034-5","article-title":"Anomaly-based intrusion detection system for IoT application","volume":"3","year":"2023","unstructured":"Mansi Bhavsar, Kaushik Roy, John Kelly, and Odeyomi Olusola. 2023. Anomaly-based intrusion detection system for IoT application. Discover Internet of Things 3, 1 (2023), 5.","journal-title":"Discover Internet of Things"},{"key":"e_1_3_2_14_2","doi-asserted-by":"publisher","DOI":"10.1007\/s12652-020-02014-x"},{"key":"e_1_3_2_15_2","first-page":"226","volume-title":"Proceedings of the KDD","year":"1996","unstructured":"Martin Ester, Hans-Peter Kriegel, J\u00f6rg Sander, and Xiaowei Xu. 1996. A density-based algorithm for discovering clusters in large spatial databases with noise. In Proceedings of the KDD. 226\u2013231."},{"key":"e_1_3_2_16_2","first-page":"226","volume-title":"Proceedings of the 2nd International Conference on Knowledge Discovery and Data Mining","author":"Ester Martin","year":"1996","unstructured":"Martin Ester, Hans-Peter Kriegel, J\u00f6rg Sander, and Xiaowei Xu. 1996. A density-based algorithm for discovering clusters in large spatial databases with noise. In Proceedings of the 2nd International Conference on Knowledge Discovery and Data Mining (Portland, Oregon). AAAI Press, 226\u2013231."},{"key":"e_1_3_2_17_2","doi-asserted-by":"crossref","first-page":"e1674","DOI":"10.7717\/peerj-cs.1674","article-title":"An intelligent zero trust secure framework for software defined networking","volume":"9","year":"2023","unstructured":"Xian Guo, Hongbo Xian, Tao Feng, Yongbo Jiang, Di Zhang, and Junli Fang. 2023. An intelligent zero trust secure framework for software defined networking. PeerJ Computer Science 9 (2023), e1674.","journal-title":"PeerJ Computer Science"},{"key":"e_1_3_2_18_2","doi-asserted-by":"publisher","DOI":"10.1007\/s10586-022-03776-z"},{"key":"e_1_3_2_19_2","doi-asserted-by":"publisher","DOI":"10.3390\/electronics9071151"},{"key":"e_1_3_2_20_2","doi-asserted-by":"publisher","DOI":"10.3390\/electronics9040692"},{"key":"e_1_3_2_21_2","doi-asserted-by":"publisher","DOI":"10.3390\/electronics9010173"},{"key":"e_1_3_2_22_2","doi-asserted-by":"publisher","DOI":"10.3390\/electronics9060916"},{"key":"e_1_3_2_23_2","unstructured":"K. Kizzee. 2023. Cyber Attack Statistics to Know in 2023. In Parachute. Retrieved March 22 2025 from https:\/\/parachute.cloud\/cyber-attack-statistics-data-and-trends\/"},{"key":"e_1_3_2_24_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.future.2019.05.041"},{"key":"e_1_3_2_25_2","unstructured":"Przemys\u0142aw Kukie\u0142ka and Zbigniew Kotulski. 2014. New unknown attack detection with the neural network\u2013based ids. (2014)."},{"key":"e_1_3_2_26_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.jnca.2021.103111"},{"key":"e_1_3_2_27_2","first-page":"012138","volume-title":"Proceeding of the Journal of Physics: Conference Series","author":"Maithem Mohammed","year":"2021","unstructured":"Mohammed Maithem and Ghadaa A. Al-Sultany. 2021. Network intrusion detection system using deep neural networks. In Proceeding of the Journal of Physics: Conference Series. IOP Publishing, 012138."},{"key":"e_1_3_2_28_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-01746-0_12"},{"key":"e_1_3_2_29_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.jnca.2018.12.006"},{"key":"e_1_3_2_30_2","unstructured":"Alberto Parmisano Sebastian Garcia and M. Jose Erquiaga. 2020. A labeled dataset with malicious and benign IoT network traffic. Stratosphere Laboratory: Praha Czech Republic (2020)."},{"key":"e_1_3_2_31_2","unstructured":"Paolo Passeri. 2022. 2022 Cyber Attacks Statistics. In HACKMAGEDDON. Retrieved March 22 2025 from https:\/\/www.hackmageddon.com\/2023\/01\/24\/2022-cyber-attacks-statistics\/"},{"key":"e_1_3_2_32_2","unstructured":"Paolo Passeri. 2023. Q2 2023 Cyber Attacks Statistics. In HACKMAGEDDON. Retrieved March 22 2025 from https:\/\/www.hackmageddon.com\/2023\/08\/08\/q2-2023-cyber-attacks-statistics\/"},{"key":"e_1_3_2_33_2","doi-asserted-by":"publisher","DOI":"10.1109\/iciteed.2016.7863293"},{"key":"e_1_3_2_34_2","doi-asserted-by":"publisher","DOI":"10.3390\/computers8030059"},{"key":"e_1_3_2_35_2","doi-asserted-by":"publisher","DOI":"10.1109\/ictcs.2019.8923067"},{"key":"e_1_3_2_36_2","first-page":"359","volume-title":"Proceedings of the ICCBR","author":"Schoenborn Jakob Michael","year":"2023","unstructured":"Jakob Michael Schoenborn and Klaus-Dieter Althoff. 2023. A multi-agent case-based reasoning intrusion detection system prototype. In Proceedings of the ICCBR. Springer, 359\u2013374."},{"key":"e_1_3_2_37_2","doi-asserted-by":"publisher","DOI":"10.1109\/MNET.131.2200513"},{"key":"e_1_3_2_38_2","doi-asserted-by":"publisher","DOI":"10.1166\/asl.2016.7991"},{"key":"e_1_3_2_39_2","first-page":"172","volume-title":"Proceedings of the ICISSP","year":"2018","unstructured":"Iman Sharafaldin, Arash Habibi Lashkari, and Ali A. Ghorbani. 2018. A detailed analysis of the cicids2017 data set. In Proceedings of the ICISSP. Springer, 172\u2013188."},{"key":"e_1_3_2_40_2","first-page":"108","article-title":"Toward generating a new intrusion detection dataset and intrusion traffic characterization.","volume":"1","year":"2018","unstructured":"Iman Sharafaldin, Arash Habibi Lashkari, and Ali A. Ghorbani. 2018. Toward generating a new intrusion detection dataset and intrusion traffic characterization. ICISSP 1 (2018), 108\u2013116.","journal-title":"ICISSP"},{"key":"e_1_3_2_41_2","doi-asserted-by":"crossref","first-page":"108626","DOI":"10.1016\/j.compeleceng.2023.108626","article-title":"Anomaly based network intrusion detection for IoT attacks using deep learning technique","volume":"107","year":"2023","unstructured":"Bhawana Sharma, Lokesh Sharma, Chhagan Lal, and Satyabrata Roy. 2023. Anomaly based network intrusion detection for IoT attacks using deep learning technique. Computers and Electrical Engineering 107 (2023), 108626.","journal-title":"Computers and Electrical Engineering"},{"key":"e_1_3_2_42_2","first-page":"1","volume-title":"Proceeding of the NOMS\/IFIP","year":"2023","unstructured":"Rahul Sharma, Chien Aun Chan, and Christopher Leckie. 2023. Probabilistic distributed intrusion detection for zero-trust multi-access edge computing. In Proceeding of the NOMS\/IFIP. IEEE, 1\u20139."},{"key":"e_1_3_2_43_2","doi-asserted-by":"publisher","DOI":"10.3390\/electronics9091533"},{"key":"e_1_3_2_44_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-22871-2_7"},{"key":"e_1_3_2_45_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.dajour.2022.100142"},{"key":"e_1_3_2_46_2","doi-asserted-by":"crossref","unstructured":"Na Xing Shuai Zhao Yuehai Wang Keqing Ning and Xiufeng Liu. 2023. A dynamic intrusion detection system capable of detecting unknown attacks. International Journal of Advanced Computer Science and Applications 14 7 (2023).","DOI":"10.14569\/IJACSA.2023.0140743"},{"key":"e_1_3_2_47_2","first-page":"1","volume-title":"Proceedings of the CNS","author":"Yang Huan","year":"2019","unstructured":"Huan Yang, Liang Cheng, and Mooi Choo Chuah. 2019. Deep-learning-based network intrusion detection for SCADA systems. In Proceedings of the CNS. IEEE, 1\u20137."},{"key":"e_1_3_2_48_2","doi-asserted-by":"crossref","unstructured":"L. Yang M. E. Rajab A. Shami and S. Muhaidat. 2024. Enabling AutoML for zero-touch network security: Use-case driven analysis. IEEE Transactions on Network and Service Management 21 3 (2024) 3555\u20133582. DOI:TNSM.2024.3376631","DOI":"10.1109\/TNSM.2024.3376631"}],"container-title":["ACM Transactions on Privacy and Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3725216","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,8,23]],"date-time":"2025-08-23T14:47:47Z","timestamp":1755960467000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3725216"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,8,23]]},"references-count":47,"journal-issue":{"issue":"3","published-print":{"date-parts":[[2025,8,31]]}},"alternative-id":["10.1145\/3725216"],"URL":"https:\/\/doi.org\/10.1145\/3725216","relation":{},"ISSN":["2471-2566","2471-2574"],"issn-type":[{"value":"2471-2566","type":"print"},{"value":"2471-2574","type":"electronic"}],"subject":[],"published":{"date-parts":[[2025,8,23]]},"assertion":[{"value":"2024-05-18","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2025-03-15","order":2,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2025-08-23","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}