A Lightweight Cascade-Based Framework for Real-Time Zero-Day Attack Detection
Abstract
Zero-day intrusion detection remains difficult because of the gap between high laboratory precision and real-time deployability under strict operational constraints. This paper proposes a lightweight two-stage cascade architecture designed for CPU-only environments and strict zero-day evaluation. The architecture uses only statistical and flow-level metadata attributes, independent of payload analysis, so it remains compatible with encrypted traffic. The first stage screens traffic with a low decision threshold to flag potentially malicious flows, and the second stage is precision oriented, refining the classification and removing false positives. To avoid optimistic bias, a strict attack-type separation protocol is employed: the attack types used for testing are excluded from training entirely. The proposed method is evaluated on three benchmark datasets: CSIC 2012 (HTTP level), UNSW-NB15 (intra-domain), and CSE-CIC-IDS2018 (cross-domain). The experimental results show strong intra-domain zero-day detection (up to 94.81% accuracy with 0.50% FPR), controlled performance degradation in the cross-domain setting (80.53% accuracy with near-zero FPR), and very low false-positive rates on all datasets. The system provides microsecond-level inference latency (0.002–0.006 ms), a throughput of up to 470,000 requests per second, and memory usage below 6.2 MB without GPU support. These results confirm the importance of architectural optimization and rigorous evaluation in building efficient zero-day detection systems.
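The following is an added illustration of the two ideas the abstract describes, the low-threshold screen followed by a precision-oriented second stage, and the attack-type separation protocol in which the held-out attack type never appears in training. It is not the paper's code and does not reproduce its models: the per-feature z-score scoring, the thresholds (2.0 for stage 1, a mean squared z-score of 9.0 for stage 2), the three flow-metadata features and every flow record are assumptions constructed for this example.

```python
"""Two-stage cascade over payload-independent flow metadata, with a strict
zero-day (attack-type hold-out) evaluation. Constructed example, not the paper's code."""
from dataclasses import dataclass
from math import sqrt


@dataclass(frozen=True)
class Flow:
    label: str            # "benign" or an attack-type name
    duration_s: float     # flow-level metadata only: works on encrypted traffic too
    bytes_per_pkt: float
    pkts_per_s: float

    def vec(self):
        return (self.duration_s, self.bytes_per_pkt, self.pkts_per_s)


# Constructed sample flows (values chosen for the example, not taken from any dataset).
BENIGN_TRAIN = [Flow("benign", 1.0, 500, 10), Flow("benign", 1.2, 520, 12),
                Flow("benign", 0.8, 480, 9), Flow("benign", 1.1, 510, 11),
                Flow("benign", 0.9, 490, 8), Flow("benign", 1.0, 500, 10)]
BENIGN_TEST = [Flow("benign", 1.0, 500, 10), Flow("benign", 1.3, 530, 13),
               Flow("benign", 0.9, 495, 9)]
ATTACKS = {  # two constructed attack families; one is held out at evaluation time
    "scan": [Flow("scan", 0.01, 40, 200), Flow("scan", 0.02, 44, 150)],
    "flood": [Flow("flood", 0.05, 60, 5000), Flow("flood", 0.10, 64, 3000)],
}


class Baseline:
    """Per-feature mean/std of benign training flows; scoring is a cheap z-score."""

    def __init__(self, means, stds):
        self.means, self.stds = means, stds

    @classmethod
    def fit(cls, flows):
        cols = list(zip(*(f.vec() for f in flows)))
        means = [sum(c) / len(c) for c in cols]
        stds = [sqrt(sum((x - m) ** 2 for x in c) / len(c)) or 1.0  # guard zero variance
                for c, m in zip(cols, means)]
        return cls(means, stds)

    def zscores(self, flow):
        return tuple((x - m) / s for x, m, s in zip(flow.vec(), self.means, self.stds))


def stage1_flag(z, low_threshold=2.0):
    """Stage 1: low threshold, flags anything even mildly unusual (favours recall)."""
    return any(abs(v) > low_threshold for v in z)


def stage2_confirm(z, high_threshold=9.0):
    """Stage 2: stricter check run only on flagged flows (favours precision)."""
    return sum(v * v for v in z) / len(z) > high_threshold


def classify(flow, baseline):
    """Returns (stage1_flagged, verdict). Stage 2 clears stage-1 false positives."""
    z = baseline.zscores(flow)
    if not stage1_flag(z):
        return False, "benign"
    return True, ("attack" if stage2_confirm(z) else "benign")


def zero_day_split(attacks, held_out):
    """Strict attack-type separation: the held-out type is absent from training."""
    train = {name: flows for name, flows in attacks.items() if name != held_out}
    assert all(f.label != held_out for flows in train.values() for f in flows)
    return train, attacks[held_out]


def evaluate(held_out):
    baseline = Baseline.fit(BENIGN_TRAIN)
    train_attacks, test_attacks = zero_day_split(ATTACKS, held_out)
    # Known attack types only sanity-check the thresholds; the held-out type is never seen.
    known = [f for flows in train_attacks.values() for f in flows]
    stats = {"tp": 0, "fn": 0, "fp": 0, "tn": 0, "stage1_flags": 0, "stage2_cleared": 0,
             "calibration_recall": sum(classify(f, baseline)[1] == "attack" for f in known) / len(known)}
    for f in BENIGN_TEST + test_attacks:
        flagged, verdict = classify(f, baseline)
        stats["stage1_flags"] += int(flagged)
        stats["stage2_cleared"] += int(flagged and verdict == "benign")
        is_attack, said_attack = f.label != "benign", verdict == "attack"
        key = ("tp" if said_attack else "fn") if is_attack else ("fp" if said_attack else "tn")
        stats[key] += 1
    stats["detection_rate"] = stats["tp"] / (stats["tp"] + stats["fn"])
    stats["fpr"] = stats["fp"] / (stats["fp"] + stats["tn"])
    return stats


if __name__ == "__main__":
    for held_out in ATTACKS:
        print(f"held out {held_out!r}:", evaluate(held_out))
```

In the constructed data the slightly unusual benign flow (1.3 s, 530 B/pkt, 13 pkt/s) crosses the stage-1 threshold and is then cleared by stage 2, which is exactly the false-positive removal the abstract attributes to the second stage; the held-out attack family is detected without ever having contributed to training.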