The use of supervised Machine Learning (ML) to enhance Intrusion Detection Systems has been the subject of significant research. Supervised ML is based upon learning by example, demanding significant volumes of representative instances for effective training and the need to re-train the model for every unseen cyber-attack class. However, retraining the models in-situ renders the network susceptible to attacks owing to the time-window required to acquire a sufficient volume of data. Although anomaly detection systems provide a coarse-grained defence against unseen attacks, these approaches are significantly less accurate and suffer from high false-positive rates. Here, a complementary approach referred to as 'One-Shot Learning', whereby a limited number of examples of a new attack-class is used to identify a new attack-class (out of many) is detailed. The model grants a new cyber-attack classification without retraining. A Siamese Network is trained to differentiate between classes based on pairs similarities, rather than features, allowing to identify new and previously unseen attacks. The performance of a pre-trained model to classify attack-classes based only on one example is evaluated using three datasets. Results confirm the adaptability of the model in classifying unseen attacks and the trade-off between performance and the need for distinctive class representation.

翻译：监督机器学习(ML)用于加强入侵探测系统是重要研究的主题。监督ML是基于通过实例学习的,要求大量代表性实例进行有效培训,并需要重新培训每一个看不见的网络攻击等级的模型。然而,当场再培训模型使得网络容易因获得足够数量的数据所需的时间窗口而遭到攻击。虽然异常探测系统提供了粗糙的防线,以抵御隐形攻击,但这些方法远不准确,而且受到高假阳性率的影响。这里,一个被称为“一流学习”的补充方法,即使用数量有限的新攻击类例子来确定新的攻击类(从许多类中)。模型提供了一种新的网络攻击分类,而无需再培训。一个暹罗网络受过训练,根据对等而不是特征区分不同班,以便确定新的和以前看不见的攻击。一个例子用来对攻击类进行分类的预培训模型的性能,正在使用三个数据组进行评估,用于对袭击进行隐形的模型和典型贸易表现的适应性能。