usfAD Algorithm for Unsupervised IDS
- usfAD algorithm is an unsupervised anomaly detector combining stochastic forest principles with isolation techniques to model and score network traffic.
- It employs a one-class classification approach, training solely on benign or known attack data to flag deviations as anomalies.
- Empirical studies show high accuracy and stability across benchmark IDS datasets and hierarchical IoMT deployments, highlighting its zero-day detection capability.
Searching arXiv for the cited usfAD papers and related IDS work. usfAD, short for Unsupervised Stochastic Forest based Anomaly Detector, is a tree-based unsupervised anomaly detection algorithm that intrusion-detection research operationalizes as a one-class classification (OCC) method. In this usage, the model is trained on a single class—most commonly benign network traffic—and new instances are assessed by their deviation from the learned training distribution. Recent IDS work uses usfAD both as a standalone OCC in unknown-attack-focused intrusion detection and as a root and verification component in a hierarchical Internet of Medical Things (IoMT) IDS that separates normal traffic, known attacks, and unknown attacks (Uddin et al., 2024, Uddin et al., 14 Aug 2025).
1. Definition and algorithmic identity
In the IDS literature considered here, usfAD is described as a state-of-the-art unsupervised anomaly detection algorithm proposed originally by Aryal et al. and later reused as an OCC for intrusion detection. Conceptually, it combines ideas from Unsupervised Stochastic Forest (USF) and Isolation Forest (IF). The USF component provides an unsupervised random-forest-like construction based on similarity measures that are robust to units and scales of measurement, while the isolation-style component supports anomaly scoring through the behavior of samples in the forest. The resulting score is presented as robust and relatively insensitive to feature scales and units (Uddin et al., 2024).
Within later IDS designs, usfAD is explicitly treated as an anomaly detector, implemented as a one-class classifier, and trained unsupervised on normal (“benign”) traffic only when deployed as a root detector. In the hierarchical IoMT IDS, the same algorithm is also reused at a second layer, where it is trained on known attack categories so that deviations from that known-attack manifold can be labeled as unknown (zero-day) attacks. The papers are explicit that usfAD is not a meta-learning method; in the IoMT architecture, meta-learning refers instead to a separate Reptile-based DNN alternative for the root layer (Uddin et al., 14 Aug 2025).
| Context | Role of usfAD | Training class |
|---|---|---|
| Unknown-attack-focused IDS | OCC anomaly detector | Benign traffic only |
| Hierarchical IoMT IDS, Near Edge | Root-level detector | Benign traffic only |
| Hierarchical IoMT IDS, Far Edge | Known-vs-unknown verifier | Known attacks |
2. Scoring and one-class decision mechanism
The later IDS papers do not re-derive the internals of the stochastic forest. They instead treat usfAD as an imported detector whose internal tree construction, anomaly-score equations, objective function, loss function, probabilistic model, and distance metric are not restated. What is specified is the operational interface: a trained usfAD model returns a score for each instance ,
with higher scores treated as more normal and lower scores treated as more anomalous (Uddin et al., 2024).
In the standalone OCC IDS framework, these scores are converted into binary decisions through a one-sided 3-sigma threshold computed from the scores of the normal training set. If
then
and the decision threshold is
Inference is then defined by
This converts the anomaly detector into a calibrated OCC for benign-versus-attack discrimination (Uddin et al., 2024).
The hierarchical IoMT paper uses the same one-class logic at two different semantic levels. At the Near Edge, usfAD is trained on benign traffic only, so any deviation is treated as anomalous traffic. At the Far Edge, the same OCC idea is applied to known attack categories rather than benign traffic, so deviations from the known-attack structure are labeled as unknown attacks. This means that the algorithm’s zero-day capability is framed as novelty detection, not as few-shot or meta-learning generalization (Uddin et al., 14 Aug 2025).
3. Training regime, preprocessing, and data assumptions
The training regime is deliberately minimalist. In the unknown-attack-focused IDS framework, the input is an IDS dataset labeled as normal vs attack, but usfAD training removes all attack instances and retains only normal points: Across models, preprocessing consists of one-hot encoding for categorical features, mean imputation for missing values, and min-max normalization to . The authors state that no explicit outlier removal or multicollinearity handling is performed, so that comparative results reflect the OCC models themselves rather than heavy preprocessing (Uddin et al., 2024).
The hierarchical IoMT study applies the same general normalization strategy, written as
and evaluates models with stratified 10-fold cross-validation. Its dataset is CICIoMT2024, described as multi-protocol IoMT traffic with 5 main attack families—DDoS, DoS, Reconnaissance, Spoofing, and MQTT—together with 18 attack subtypes and benign traffic. The dataset contains 9,378,297 total records, of which 1,048,575 (11.19\%) are benign (Uddin et al., 14 Aug 2025).
The two studies therefore use distinct evaluation regimes but a common one-class learning assumption: the detector is not trained on the class it is ultimately meant to reject. In the 2024 framework, that rejected class is “attack” in general. In the 2025 hierarchical IoMT framework, the rejected class is either “attack” at the root layer or “unknown attack” at the verification layer. This suggests a consistent interpretation of usfAD as a distribution-modeling OCC primitive rather than a task-specific classifier.
4. Function within hierarchical IoMT intrusion detection
The hierarchical IoMT IDS maps detection functions onto the layered IoMT architecture: Sensors, Near Edge, Far Edge, and Cloud. In this design, usfAD is a system-level building block rather than a standalone endpoint model. The first layer, located near the devices, acts as the root-level anomaly detector; the second layer validates whether suspicious traffic corresponds to a known or unknown attack; and later cloud layers perform attack-family and subtype classification with supervised Random Forest models (Uddin et al., 14 Aug 2025).
The root-level logic is given in the hierarchical IDS pseudocode. During training, the system trains 0 on normal instances and trains 1 on known attack instances. During inference, each incoming instance 2 is first passed through the root detector. If the output is Normal, processing stops. If the output is anomalous, the instance is forwarded to the second layer. There, the verification model decides whether the event is a Known Attack or an Unknown Attack. Known attacks proceed to the cloud classifiers for category and subtype prediction; unknown attacks are forwarded to security analysts for manual inspection, labeled as unknown, and stored for future retraining (Uddin et al., 14 Aug 2025).
This deployment reflects the constraints of IoMT networks emphasized by the paper: devices are resource constrained, heterogeneous, and latency-sensitive, making centralized IDS designs undesirable. usfAD is used at the Near Edge because OCC training on benign traffic avoids the need to maintain large labeled attack datasets locally. At the Far Edge, the same anomaly-detection principle supports zero-day triage by modeling only the space of known attacks. The paper’s formulation is explicit that this architecture is intended for zero-day attack detection in resource-constrained IoMT devices, where rapid detection close to patients and medical devices is critical (Uddin et al., 14 Aug 2025).
5. Empirical performance and comparative results
In the standalone unknown-attack-focused IDS framework, usfAD is evaluated on 10 benchmark IDS datasets: NSL-KDD, UNSW-NB15, ISCXURL2016, Malmem2022, CIC-DDoS2019, ToN-IoT-Network, Darknet2020, CIC-DoS2017, XIIoTID, and ToN-IoT-Linux. Reported accuracies for usfAD are 95.92\%, 82.15\%, 92.38\%, 94.65\%, 98.69\%, 99.43\%, 91.65\%, 97.04\%, 93.52\%, and 97.94\%, respectively. Macro F1-scores are likewise high, including 95.91\% on NSL-KDD, 81.84\% on UNSW-NB15, 98.04\% on CIC-DDoS2019, 99.37\% on ToN-IoT-Network, and 97.65\% on ToN-IoT-Linux. The paper states that usfAD is the top single OCC model on most datasets and reports 100\% recall for attacks on Malmem2022, CIC-DDoS2019, and ToN-IoT-Network (Uddin et al., 2024).
That study also compares usfAD with supervised Random Forest under explicit unknown-attack simulation. Random Forest is trained after withholding selected attack types from training while leaving them in the test set. As more attack types are removed, attack-class performance can collapse to 0\% F1 on several datasets, including NSL-KDD at C4, CIC-DDoS2019 at C5, and ToN-IoT-Network at C6. By contrast, usfAD is reported to remain stable across these scenarios because its training never includes attack samples at all; all attacks are, in effect, unknown by design (Uddin et al., 2024).
In the hierarchical IoMT IDS, usfAD performs strongly at the Near Edge root level. Reported root-level results are 99.77\% accuracy, 95.74\% F1-score for the Normal class, 99.88\% F1-score for the Attack class, 97.81\% macro F1, and 99.77\% weighted F1. In the same table, LOF reaches 99.46\% accuracy, IF 82.34\%, the meta-learning classifier 98.27\%, and the SGD-trained DNN 1.241\%. The paper therefore identifies usfAD as the best performing OCC and overall root detector in that experiment (Uddin et al., 14 Aug 2025).
At the Far Edge known-versus-unknown stage, performance is more heterogeneous across attack families. For unknown attacks, the reported usfAD F1-scores are 91.03\% for DoS, 88.48\% for MQTT, 60.96\% for DDoS, 81.51\% for Recon, and 26.29\% for Spoofing. The corresponding unknown-class precision and recall values indicate markedly different operating regimes: for example, DoS unknown has 96.17\% precision and 86.42\% recall, while Spoofing unknown has 16.13\% precision and 70.97\% recall. The same paper reports second-level accuracy figures of 96.69\% for Recon and 96.01\% for Spoofing, with DoS, MQTT, and DDoS described as high but slightly lower (Uddin et al., 14 Aug 2025).
6. Limitations, misconceptions, and research trajectory
A recurring misconception is to treat usfAD as a generic deep-learning zero-shot learner or as a meta-learning algorithm. The papers examined here do not support that interpretation. They describe usfAD as an unsupervised stochastic forest anomaly detector used as an OCC. In the IoMT architecture, the Reptile-based DNN is the meta-learning component, while usfAD is the anomaly detector that models a single class and flags deviations (Uddin et al., 14 Aug 2025).
Another important limitation is that later system papers do not document usfAD’s internal hyperparameters in detail. The 2024 IDS framework states that the detailed usfAD hyperparameters, such as number of trees and tree depth, are not enumerated and are taken from the original implementation. The IoMT paper likewise does not spell out tree-construction parameters and instead imports the algorithm as a black-box building block. The 2024 paper also states that no explicit computational complexity bounds are provided, although it characterizes the method as a Python implementation of a tree-based unsupervised forest with practical feasibility on a Xeon E5-2670 with 128 GB RAM and 2× GTX 1080 Ti (Uddin et al., 2024).
System-level limitations also appear in the hierarchical IoMT deployment. The root usfAD layer is highly effective for attack vs normal discrimination but does not by itself identify attack families. The paper notes that some normal instances are misclassified as attacks at the root level—approximately 831 benign instances—which is why cloud-level Random Forest models are trained on both attack and benign instances in order to correct upward-propagated errors. At the second layer, known-vs-unknown separation is uneven across attack families, especially when unknown patterns are close to known attacks, as in the reported Spoofing case (Uddin et al., 14 Aug 2025).
The research trajectory suggested in the 2024 framework is to move from binary benign-versus-attack detection toward hierarchical multi-class intrusion detection, including attack-type distinctions such as DoS, ransomware, spyware, and trojan. Additional future directions mentioned there include stronger ensemble and calibration strategies, and improved synthetic-noise generation for supervised baselines. A plausible implication is that usfAD’s current role in the literature is that of a robust OCC nucleus around which larger IDS pipelines—hierarchical, ensemble-based, or analyst-in-the-loop—can be constructed without requiring labeled zero-day attack data (Uddin et al., 2024).