Abstract: Detecting anomalies in network traffic is critical for mitigating zero-day attacks and unauthorized intrusions in real time. This study presents a comparative evaluation of four unsupervised machine learning models—Isolation Forest, One-Class Support Vector Machine (SVM), K-Means Clustering, and Local Outlier Factor (LOF)—using the benchmark CICIDS2017 dataset comprising over 2.8 million labeled records. To address memory constraints and ensure scalability, a batch-wise processing approach was adopted. The models were assessed using standard classification metrics: precision, recall, F1-score, and accuracy. Results show that Isolation Forest achieved the most balanced performance with an F1-score of 0.59, while One-Class SVM recorded high precision (0.41) but lower recall. K-Means demonstrated strong recall (0.77) but at the expense of precision (0.14), whereas LOF underperformed across all metrics. Visual analytics, including PCA projections and anomaly score distributions, further supported the quantitative findings. This work contributes a practical framework for evaluating unsupervised models under resource constraints and offers insights for deploying anomaly detection systems in real-world network environments.
Keywords: Anomaly detection, Machine learning, CICIDS2017, Isolation Forest, One-Class SVM, K-Means, LOF, Network intrusion detection
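The abstract describes scoring the dataset batch by batch and then reporting precision, recall, F1-score and accuracy. A point that matters when evaluating this way is that the metrics must be computed from confusion counts pooled across all batches; averaging per-batch F1 gives a different (and misleading) number. The following is an added illustration, not code from the paper: it uses a hypothetical threshold detector as a stand-in for a trained model and a small constructed feature/label sample, and shows the pooled result beside the naive per-batch average.

```python
# Added example (not code from the paper): batch-wise evaluation of an anomaly
# detector with pooled confusion counts, in pure Python (no sklearn needed).
from dataclasses import dataclass
from typing import Callable, Dict, Iterator, List, Sequence

Detector = Callable[[Sequence[float]], List[int]]  # returns 1 = anomaly, 0 = benign


@dataclass
class ConfusionCounts:
    """Running TP/FP/FN/TN totals, accumulated across batches rather than averaged."""
    tp: int = 0
    fp: int = 0
    fn: int = 0
    tn: int = 0

    def update(self, y_true: Sequence[int], y_pred: Sequence[int]) -> None:
        for t, p in zip(y_true, y_pred):
            if p == 1 and t == 1:
                self.tp += 1
            elif p == 1 and t == 0:
                self.fp += 1
            elif p == 0 and t == 1:
                self.fn += 1
            else:
                self.tn += 1


def metrics_from_counts(c: ConfusionCounts) -> Dict[str, float]:
    """Precision, recall, F1 and accuracy; zero-guarded so an empty class does not raise."""
    precision = c.tp / (c.tp + c.fp) if (c.tp + c.fp) else 0.0
    recall = c.tp / (c.tp + c.fn) if (c.tp + c.fn) else 0.0
    f1 = 2 * precision * recall / (precision + recall) if (precision + recall) else 0.0
    total = c.tp + c.fp + c.fn + c.tn
    accuracy = (c.tp + c.tn) / total if total else 0.0
    return {"precision": precision, "recall": recall, "f1": f1, "accuracy": accuracy}


def batches(seq: Sequence, size: int) -> Iterator[Sequence]:
    """Yield consecutive slices so only one batch needs to be resident at a time."""
    for start in range(0, len(seq), size):
        yield seq[start:start + size]


def evaluate_batchwise(features: Sequence[float], labels: Sequence[int],
                       detector: Detector, batch_size: int) -> Dict[str, float]:
    """Score each batch, pool the confusion counts, then compute the metrics once."""
    counts = ConfusionCounts()
    for x_batch, y_batch in zip(batches(features, batch_size), batches(labels, batch_size)):
        counts.update(y_batch, detector(x_batch))
    return metrics_from_counts(counts)


def evaluate_naive_mean_f1(features: Sequence[float], labels: Sequence[int],
                           detector: Detector, batch_size: int) -> float:
    """The tempting shortcut: compute F1 per batch and average it; shown only for contrast."""
    f1s = []
    for x_batch, y_batch in zip(batches(features, batch_size), batches(labels, batch_size)):
        c = ConfusionCounts()
        c.update(y_batch, detector(x_batch))
        f1s.append(metrics_from_counts(c)["f1"])
    return sum(f1s) / len(f1s) if f1s else 0.0


def threshold_detector(threshold: float) -> Detector:
    """Hypothetical stand-in for a trained model: flag a flow whose feature exceeds the threshold."""
    return lambda xs: [1 if x > threshold else 0 for x in xs]


# Constructed sample (not CICIDS2017 data): one feature per flow, e.g. packets per
# second, and its ground-truth label (1 = attack, 0 = benign).
SAMPLE_FEATURES = [10, 200, 150, 20, 300, 30, 40, 120, 50, 60, 90, 70]
SAMPLE_LABELS = [0, 1, 1, 0, 1, 0, 0, 0, 0, 1, 1, 0]


def demo():
    det = threshold_detector(100.0)
    pooled = evaluate_batchwise(SAMPLE_FEATURES, SAMPLE_LABELS, det, batch_size=4)
    naive = evaluate_naive_mean_f1(SAMPLE_FEATURES, SAMPLE_LABELS, det, batch_size=4)
    return pooled, naive


if __name__ == "__main__":
    pooled_metrics, naive_f1 = demo()
    print("pooled metrics:", pooled_metrics)
    print("mean of per-batch F1:", naive_f1)
```

On the constructed sample the pooled F1 is 0.667 while the mean of per-batch F1 scores is 0.556, because the third batch contains attacks the detector misses entirely and contributes an F1 of zero regardless of its size. The same pattern applies to any batch-wise run over a large dataset: keep one set of confusion counts for the whole run and derive the reported metrics from it.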
DOI: 10.17148/IJIREEICE.2026.14328
[1] Tawo Godwin A, Osahon Okoro, Aigberemhon Moses E, Ojomu Sunday A, Etim Bassey E, "Performance Assessment of Machine Learning Models for Network Anomaly Detection: A Case Study with CICIDS2017," International Journal of Innovative Research in Electrical, Electronics, Instrumentation and Control Engineering (IJIREEICE), DOI 10.17148/IJIREEICE.2026.14328