AI-Powered Zero-Day Attack Mitigation: Developing Predictive Models for Unknown Threats

Prepared by the researcher: Rawaa Hamza Ali – Department of Biology, College of Science, University of Misan, Maysan, Iraq
Democratic Arabic Center
Journal of Iranian orbits : Twenty-Eighth Issue – June 2025
A Periodical International Journal published by the “Democratic Arab Center” Germany – Berlin
Abstract
Zero-day attacks involve the exploitation of unknown vulnerabilities; hence they are difficult to detect with traditional signature-based cybersecurity methods. This paper discusses the application of the Isolation Forest algorithm for anomaly detection in identifying zero-day attacks through deviations in network traffic patterns. A synthetic dataset was created to simulate real-world network conditions, with features such as packet size, duration, and protocol type. The model was optimized using cross-validation and reached an accuracy of 66%, but it showed limitations in precision (21%) and recall (27%), highlighting challenges with false positives and missed detections. While the Isolation Forest algorithm showed promise for its intended applications, the limitations observed during its implementation show a strong need to consider alternative models, such as Autoencoders or ensemble methods, that can provide higher detection rates while reducing false alarms. Moreover, analysis of the ROC and precision-recall curves showed that model performance was poor, especially in cases involving data imbalance and complex attack patterns. The current study seeks to emphasize the practical feasibility of AI-based anomaly detection approaches in cybersecurity applications and to lay a firm ground for future research towards proactive zero-day attack mitigation.
Introduction
The most serious and hard-to-defend-against threats in modern cybersecurity are zero-day attacks. A zero-day exploit is one that takes advantage of vulnerabilities in software or systems that are not known at the time of the attack to either the vendor or wider cybersecurity community. The term “zero-day” reflects the fact that no prior knowledge of the vulnerability exists; in other words, no patches, fixes, or defenses exist to mitigate the risk as the attack is launched for the first time. Zero-day vulnerabilities can either be discovered directly by attackers or researchers who do not disclose them; this way, malicious actors may exploit these security gaps undetected.[1]
The intrinsic challenge in the detection of zero-day attacks is that they are new and unknown. Traditional security mechanisms, such as signature-based detection and heuristic approaches, work based on the existence of known threat patterns or signatures to identify malicious behavior. However, zero-day attacks do not fit any such established pattern, as they exploit vulnerabilities that have never been discovered before.[2] Zero-day attack detection and mitigation, therefore, require advanced and adaptive detection methods that do not depend on historical data. This challenge requires novel methods for finding uncommon patterns, behaviors, or anomalies that indicate zero-day attacks without searching with predefined threat signatures.[3]
Importance of Predictive Modeling in Cybersecurity
With an increasingly interconnected world, day-to-day incidents of cyber threats are on the rise; this clearly indicates that traditional reactive approaches to cybersecurity—such as patching known vulnerabilities or responding to incidents after they occur—are inadequate. Therefore, the shift has gone in the direction of proactive and predictive strategies. Predictive modeling in cybersecurity is the process of using historical data, machine learning, and statistical methods to estimate and mitigate the likelihood of a threat before it fully occurs.[4]
The predictive models are most important in zero-day threat mitigation, as they help in the identification of deviations from normal patterns and behaviors, hence identifying the threats that don’t have any known attack signatures. Predictive models can discover those subtle indications of an attack by analyzing large amounts of data in real time, such as unusual network traffic, unexpected file access, or anomalous system behavior. This proactive approach reduces the time between the discovery of a zero-day vulnerability and the deployment of a defense mechanism. Furthermore, predictive modeling allows cybersecurity professionals to respond dynamically to emerging threats, increasing the resilience of digital infrastructures against sophisticated attacks.[5]
Role of Artificial Intelligence in Anomaly Detection
Artificial Intelligence has revolutionized anomaly detection in cybersecurity by enabling models that can identify rare, abnormal events amidst huge volumes of data representing normal behavior.[6] Unlike traditional detection systems centered on predefined rules and signatures, AI-based anomaly detection can learn and adapt to new patterns, and is thereby able to identify previously unseen threats. For zero-day attacks in particular, AI-driven anomaly detection models are powerful because they focus on deviations from established norms rather than on known threat indicators.[7]
Machine learning, a subset of AI, is especially suited to this purpose. Supervised machine learning algorithms can be trained on labeled data to recognize the patterns associated with malicious and benign activity. However, for zero-day attack detection, unsupervised and semi-supervised methods are more applicable, as they can identify outliers without requiring large labeled datasets. In this respect, algorithms such as Isolation Forests, One-Class Support Vector Machines (SVM), and neural network-based Autoencoders are very relevant for anomaly detection in network traffic, system logs, and user behavior. These AI models continue to learn, adapt, and evolve with new data, fine-tuning their detection capabilities over time, which is critical for staying ahead of rapidly evolving cyber threats.[8]
Problem Statement and Research Objectives
This research investigates the identification of zero-day attacks and their mitigation using predictive models powered by AI. Traditional methods of cybersecurity cannot detect zero-day threats since they depend on predefined signatures or rules which fail to account for unknown vulnerabilities. In view of the seriousness and the potential impact of zero-day attacks, it is increasingly imperative to have proactive threat-detecting advanced models through the identification of anomalies indicating malicious activity.[9]
The objectives of this research are twofold:
- To develop and evaluate a predictive model for zero-day attack detection using the Isolation Forest algorithm, an unsupervised learning method normally applied to anomaly detection. The model is optimized through parameter tuning and cross-validation in order to identify its strengths and weaknesses in uncovering zero-day anomalies within synthetic network traffic data.
- To gauge the effectiveness of the model with a comprehensive set of metrics: accuracy, precision, recall, and F1 score. In addition, ROC and precision-recall curves give complementary insight into model performance, showing the feasibility of AI-based anomaly detection for real-world cybersecurity applications.
In addressing these objectives, this research will contribute to the literature by analyzing the practical applications of AI in proactive cybersecurity, assessing the suitability of the Isolation Forest model for zero-day detection, and discussing how improvement may be achieved through alternative approaches and further research.
Literature Review
Anomaly detection is an essential part of cybersecurity: it detects abnormal patterns in network traffic, system behavior, or user activity that may imply malicious intent. Traditional methods for anomaly detection in cybersecurity have relied on rule-based and signature-based methods.[10] Rule-based systems utilize predefined rules to track specific network behaviors, while signature-based methods rely on known threat signatures to detect malicious activity. These methods inherently cannot detect unknown threats like zero-day attacks, which have no prior signature or defined pattern. Therefore, it is crucial that cybersecurity move toward anomaly detection models capable of detecting deviations from normal behavior without relying on predefined rules [11].
Traditional anomaly detection techniques include statistical methods such as Gaussian Mixture Models and unsupervised learning clustering techniques like k-means clustering. Traditional methods have had wide application because of their simplicity and interpretability. For example, statistical methods identify anomalies by determining a threshold from historical data, while in clustering techniques, anomalies are data points that cannot fit well inside any of the pre-set clusters. These approaches are simple, but they face serious challenges when dealing with high-dimensional data and complex attack patterns. Consequently, this restricts their power to identify advanced cyber threats [12].
It is in this regard that the limitations within traditional techniques have actually driven the need to have advanced methods that can handle complex data sets and identify very subtle anomalies indicative of cyber threats, especially zero-day attacks.
AI Techniques for Zero-Day Threat Detection
AI and ML have been found to be two of the critical weapons in the detection of zero-day threats. Unlike traditional methods, AI-based models learn from new data they are fed with, thus enabling them to spot hitherto unseen attack patterns through learning from large historical and real-time data. AI models for detecting zero-day attacks include supervised, unsupervised, and semi-supervised learning techniques. [13]
Supervised learning methods, including decision trees, neural networks, and support vector machines, learn from labeled data to classify network traffic as normal or malicious. However, in practical scenarios, labeled data on zero-day threats is very scarce, so unsupervised and semi-supervised methods are more practically feasible [14].
Attention has lately been paid to unsupervised techniques for zero-day attack detection, such as clustering, Autoencoders, and Isolation Forest. These methods require no labeled data, which is advantageous in the case of zero-day attacks since no labeled malicious data is available.
Autoencoders, a form of neural network, for instance, are trained to reconstruct normal patterns of data. They incur large reconstruction errors on abnormal patterns, such as those of zero-day attacks, thus signaling an anomaly. Further, CNNs have also been applied in cybersecurity for feature extraction and anomaly detection, and are promising due to their capability of capturing spatial relationships in data [13, 15].
Another very promising area is that of deep learning and the application of hybrid AI models. Deep learning architectures such as Recurrent Neural Networks and Long Short-Term Memory networks have been applied to sequential data such as network traffic logs for the detection of abnormal patterns associated with zero-day attacks. Hybrid approaches that use deep learning in combination with other anomaly detection algorithms also make an effective case, especially in the identification of multi-step or multi-stage attacks [16]. These are usually computation-intensive models and sometimes need large datasets to show their best performance, which indicates further improvements to be explored in this direction [17].
Isolation Forest and Anomaly Detection Models
The Isolation Forest is an unsupervised learning algorithm designed specifically for anomaly detection. Unlike typical methods that profile normal behavior and identify outliers in terms of distance or density, the Isolation Forest algorithm isolates anomalies by constructing random partitioning trees. Compared to normal data points, anomalies are isolated more quickly because they tend to reside in sparse regions of the feature space. This property makes the Isolation Forest effective for high-dimensional datasets, which are very common in cybersecurity [18].
Isolation Forest has been widely applied in cybersecurity as an efficient and lightweight anomaly detection algorithm. It also consumes fewer resources than deep learning models; hence, it is suitable for real-time applications. For instance, Togbe et al. show that Isolation Forest has the potential to perform anomaly detection on continuous streams of data, which is typical in a cybersecurity environment [20].
However, not everything is perfect about the Isolation Forest. While it is efficient at detecting point anomalies, that is, single instances that are abnormal, it is weaker on more complex anomalies that are collective in nature and involve relationships across many instances. Proposals such as the Deep Isolation Forest address this by combining the Isolation Forest with deep learning methods to improve performance on complex anomaly detection in cybersecurity contexts [19, 21].
Research Gaps and Contributions of This Study
Despite the development of AI-based anomaly detection, a variety of research gaps remain in zero-day threat detection. Notably, although AI and ML are considered the prime approaches, most models based on these techniques require large labeled datasets, which are challenging to obtain in cybersecurity. The unavailability of labeled data restricts the development of strong supervised models for zero-day detection. Therefore, unsupervised and semi-supervised models are in demand; still, their performance and adaptability are not well explored in real-life settings [12].
Besides, though the Isolation Forest has been shown to work effectively in many anomaly detection scenarios, its application to zero-day attack detection has received little attention in the literature. Most research addresses traditional anomaly detection tasks or does not optimize model parameters for the challenges of zero-day threats. This study attempts to fill that gap by systematically tuning the Isolation Forest model and assessing its performance in a controlled experimental setup. By using cross-validation to arrive at the optimum contamination level, this research contributes toward developing a more robust anomaly detection model for zero-day threats [11].
This work also contributes to the understanding of the weaknesses of Isolation Forest and potential areas of improvement toward cybersecurity applications. The deep performance analysis based on different model performance metrics, including precision, recall, and F1 score, which was achieved in this work, identifies specific points where the model of Isolation Forest lags behind and hence provides a way toward further investigation. These contributions hopefully yield valuable insight about the practical application of unsupervised anomaly detection in zero-day attack detection and help researchers and practitioners in the cybersecurity domain [13].
Methodology and Approach
Data Creation and Preprocessing
Synthetic Dataset Generation
One major challenge facing cybersecurity research is the unavailability of publicly available labeled data for the detection of zero-day attacks. A synthetically generated dataset was therefore used; it simulates network traffic characteristics for both normal instances and anomalous attack traffic. The dataset was built around typical network activities and abnormalities that may reveal evidence of security threats.
The dataset includes a variety of features commonly observed in network traffic analysis:
- Packet Size: Randomly generated values representing the size of data packets in bytes, ranging from 40 to 1500 bytes to simulate typical network transmission sizes.
- Duration: A floating-point value representing the time taken to transmit the packet, simulating realistic network timing.
- Source IP and Destination IP: Random integers representing anonymized IP addresses, used to mimic network source and destination points.
- Source Port and Destination Port: Integer values representing port numbers, with a range from 1024 to 65535, covering common port numbers used in network communication.
- Protocol: A categorical variable with values representing protocols such as TCP, UDP, and ICMP, which are prevalent in network traffic.
- Flags: TCP control flags (SYN, ACK, FIN, RST, PSH) represented as categorical variables to indicate specific types of packet actions.
- Attack Label: A binary label (0 for normal, 1 for attack) assigned to each instance to facilitate supervised evaluation of the model.
The data were generated in a 4:1 ratio of normal to attack instances, giving 800 normal and 200 attack instances. After creation, the dataset was shuffled to randomize the order of instances, which improves training and evaluation.
Data Preprocessing
To prepare the synthetic dataset for the anomaly detection model, several preprocessing steps were applied:
- Encoding Categorical Variables: Label encoding transformed the categorical data in the protocol and flags columns to a numerical value that the Isolation Forest algorithm could work with effectively.
- Scaling: Features such as packet size, duration, source/destination IPs, and ports are numeric; hence, StandardScaler was used to standardize their values. This was important so that features with larger numeric ranges do not exert a disproportionate influence on the model's decision boundaries.
- Handling Missing Values: While the synthetic dataset was complete by design, any analysis on real data needs consideration of missing values. Therefore, for robustness, the dataset was scanned for any missing values and missing entries were imputed by the mean in each column to ensure a consistent structure of input for model training.
The preprocessed dataset was then split into training and testing sets, ready for anomaly detection model training and evaluation.
Model Selection
Isolation Forest Model for Anomaly Detection
In this paper, the Isolation Forest algorithm was chosen because it was specifically designed for anomaly detection tasks. Unlike traditional clustering or distance-based models, Isolation Forest does not rely on profiling normal data distributions. Instead, it isolates anomalies by recursively partitioning the data space using randomly selected features and split values. Anomalies are isolated more quickly than normal points since, in general, they reside in sparse regions of the feature space.
The Isolation Forest algorithm is well suited to high-dimensional network traffic data and is computationally efficient in real-world applications. Besides, it is an unsupervised model, which matches the nature of zero-day attacks, where labeled data is scant or unavailable. With these advantages, Isolation Forest is a promising approach for identifying unknown threats hidden in network traffic data.
Cross-Validation and Hyperparameter Tuning
The Isolation Forest zero-day attack detection model was optimized via cross-validation. Cross-validation is a crucial process in unsupervised learning because it assesses a model's resilience across diverse data subsets and reduces overfitting. This study used 5-fold cross-validation, which divides the data into five subsets; in each fold the model is trained on four subsets and tested on the remaining one, cycling through all five combinations.
In cross-validation, contamination, the expected proportion of anomalies in the dataset, was the most critical hyperparameter. This research examined contamination levels of 0.05, 0.1, 0.15, 0.2, and 0.25. The F1 score, which balances precision and recall, is well suited to imbalanced datasets and was used to measure model performance at each contamination level. Table 1 shows the average F1 score for each contamination level; the best score was obtained at a contamination of 0.25.
Table 1 Average F1 Scores for Different Contamination Levels
Contamination Level | Average F1 Score
------------------- | ----------------
0.05                | 0.11
0.10                | 0.16
0.15                | 0.19
0.20                | 0.25
0.25                | 0.28
Based on these results, a contamination level of 0.25 was selected for the final model.
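As an added worked example (not the paper's code), the pipeline of this section carried through in pure Python: a minimal Isolation Forest, the paper's feature set generated synthetically in a 4:1 normal-to-attack ratio and label-encoded, 5-fold cross-validation over the contamination grid of Table 1 with the level chosen by mean F1, and the accuracy, precision, recall, F1 and confusion-matrix counts reported later in the Results section. The feature distributions and the way attack rows are made to differ (longer durations, SYN/RST flags only) are constructed assumptions, since the paper does not state how its attack traffic differs from normal traffic.

```python
# Added example, not the paper's code: the paper's pipeline in pure Python around a
# minimal Isolation Forest. Feature distributions and how attack rows differ (longer
# durations, SYN/RST flags) are constructed assumptions the paper does not specify.
import math
import random
import statistics

PROTOCOLS = ["TCP", "UDP", "ICMP"]
FLAGS = ["SYN", "ACK", "FIN", "RST", "PSH"]

def make_dataset(n_normal=800, n_attack=200, seed=7):
    """Constructed flows with the paper's features (4:1), label-encoded via list index. Returns X, y."""
    rng, rows = random.Random(seed), []
    for label in [0] * n_normal + [1] * n_attack:
        atk = label == 1
        rows.append([rng.randint(40, 1500),                                      # packet size
                     rng.uniform(0.3, 2.0) if atk else rng.uniform(0.001, 0.5),  # duration
                     rng.randint(1, 2**32 - 1), rng.randint(1, 2**32 - 1),      # src/dst IP
                     rng.randint(1024, 65535), rng.randint(1024, 65535),        # src/dst port
                     rng.randrange(len(PROTOCOLS)),                             # protocol
                     FLAGS.index(rng.choice(["SYN", "RST"])) if atk else rng.randrange(len(FLAGS)),
                     label])
    rng.shuffle(rows)  # shuffled after creation, as in the paper
    return [r[:-1] for r in rows], [r[-1] for r in rows]

def c_factor(n):
    """Average unsuccessful-search path length in a BST of n points (Liu et al. 2008)."""
    return 0.0 if n <= 1 else 2 * (math.log(n - 1) + 0.5772156649) - 2 * (n - 1) / n

def build_tree(X, idx, depth, max_depth, rng):
    """Split on a random feature at a random value until a point is isolated."""
    if depth >= max_depth or len(idx) <= 1:
        return {"size": len(idx)}
    f = rng.randrange(len(X[0]))
    lo, hi = min(X[i][f] for i in idx), max(X[i][f] for i in idx)
    if lo == hi:
        return {"size": len(idx)}
    split = rng.uniform(lo, hi)
    return {"f": f, "split": split,
            "left": build_tree(X, [i for i in idx if X[i][f] < split], depth + 1, max_depth, rng),
            "right": build_tree(X, [i for i in idx if X[i][f] >= split], depth + 1, max_depth, rng)}

def path_length(tree, x):
    """Splits needed to reach x's leaf, plus a c_factor credit when the leaf holds several points."""
    depth = 0
    while "f" in tree:
        tree = tree["left"] if x[tree["f"]] < tree["split"] else tree["right"]
        depth += 1
    return depth + c_factor(tree["size"])

def fit_forest(X, n_trees=100, psi=256, seed=0):
    """Grow n_trees isolation trees, each on a random subsample of psi rows."""
    rng, psi = random.Random(seed), min(psi, len(X))
    max_depth = math.ceil(math.log2(psi))
    return [build_tree(X, rng.sample(range(len(X)), psi), 0, max_depth, rng) for _ in range(n_trees)], psi

def anomaly_scores(forest, X):
    """s(x) = 2^(-E[h(x)] / c(psi)): anomalies sit in sparse regions, get short paths, score near 1."""
    trees, psi = forest
    return [2 ** (-statistics.fmean(path_length(t, x) for t in trees) / c_factor(psi)) for x in X]

def flag_top(scores, contamination):
    """Contamination is the assumed anomaly fraction: flag exactly that share of the highest scores."""
    k = round(contamination * len(scores))
    pred = [0] * len(scores)
    for i in sorted(range(len(scores)), key=scores.__getitem__, reverse=True)[:k]:
        pred[i] = 1
    return pred

def metrics(y, pred):
    """Accuracy, precision, recall, F1 and the TP/TN/FP/FN counts of the confusion matrix."""
    tp, tn, fp, fn = (sum(a == i and p == j for a, p in zip(y, pred)) for i, j in ((1, 1), (0, 0), (0, 1), (1, 0)))
    prec = tp / (tp + fp) if tp + fp else 0.0
    rec = tp / (tp + fn) if tp + fn else 0.0
    f1 = 2 * prec * rec / (prec + rec) if prec + rec else 0.0
    return {"accuracy": (tp + tn) / len(y), "precision": prec, "recall": rec, "f1": f1,
            "tp": tp, "tn": tn, "fp": fp, "fn": fn}

def select_contamination(X, y, grid=(0.05, 0.10, 0.15, 0.20, 0.25), folds=5, seed=0):
    """5-fold CV: fit on four folds, score the fifth once, apply every cutoff to those scores, keep best mean F1."""
    idx = list(range(len(X)))
    random.Random(seed).shuffle(idx)
    f1s = {c: [] for c in grid}
    for k in range(folds):
        held = set(idx[k::folds])
        train, test = [i for i in idx if i not in held], sorted(held)
        scores = anomaly_scores(fit_forest([X[i] for i in train], seed=seed + k), [X[i] for i in test])
        for c in grid:
            f1s[c].append(metrics([y[i] for i in test], flag_top(scores, c))["f1"])
    mean_f1 = {c: statistics.fmean(v) for c, v in f1s.items()}
    return max(mean_f1, key=mean_f1.get), mean_f1

def run(seed=7):
    """Data -> CV-selected contamination -> final forest on all rows -> metrics (labels only for scoring)."""
    X, y = make_dataset(seed=seed)
    best_c, table = select_contamination(X, y, seed=seed)
    return best_c, table, metrics(y, flag_top(anomaly_scores(fit_forest(X, seed=seed), X), best_c))
```

The StandardScaler step is left out because each split is drawn uniformly between a feature's minimum and maximum in the subsample, so Isolation Forest is invariant to per-feature rescaling; call run() for the selected level, the per-level F1 table and the final metrics.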
Results and Discussion
Model Performance
Evaluation Metrics Summary
Accuracy, precision, recall, and F1 score were used to measure the performance of the Isolation Forest model. Each of these metrics gives a different aspect of insight into how well the model performs the task of zero-day anomaly detection:
- Accuracy is the percentage of correct identifications, both true positives and true negatives, among all instances. However, since the dataset is imbalanced, accuracy on its own is not very informative, because it is biased by the larger number of normal samples.
- Precision is the ratio of true positive predictions to all positive predictions made, that is, the model's ability to avoid false alarms. In cybersecurity, high precision is paramount because a high rate of false positives wastes resources and causes response fatigue.
- Recall measures the fraction of actual positives, here attacks, that the model successfully found. High recall matters because true positives must not be missed.
- F1 Score is the harmonic mean of precision and recall, combining the two into one performance measure. In zero-day detection, the F1 score is especially important because it reflects the trade-off between detecting all threats (recall) and minimizing false alarms (precision).
Table 2 presents the evaluation metrics for the final model, trained with a contamination level of 0.25 as determined through cross-validation.
Table 2 Model Evaluation Metrics
Metric    | Score
--------- | -----
Accuracy  | 0.66
Precision | 0.21
Recall    | 0.27
F1 Score  | 0.24
These metrics indicate that the model's anomaly detection performance is moderate, with an accuracy of 66%, but that it suffers considerably in precision and recall, giving an F1 score of 0.24. The low F1 score shows that the model struggles to balance detecting actual anomalies (recall) against minimizing false positives (precision).
Confusion Matrix Analysis
Figure 1 shows the confusion matrix, which breaks down the model's predictions into true positives (TP), true negatives (TN), false positives (FP), and false negatives (FN).
Figure 1 Confusion Matrix
- True Positives (TP): Instances correctly identified as attacks. The model detected 53 true anomalies, indicating some effectiveness in identifying malicious activities.
- True Negatives (TN): Instances correctly classified as normal traffic. The model correctly classified 603 instances as normal.
- False Positives (FP): Normal instances mislabeled as anomalous. The model produced 197 false positives, which would lead to a considerable number of false alarms and wasted resources.
- False Negatives (FN): Attack instances not captured by the model. The model missed 147 anomalies, which means that some attacks do not differ noticeably from normal traffic in the feature space chosen for the model.
The high count of false positives and false negatives highlights the limitations of Isolation Forest in this zero-day attack detection context.
Graphical Analysis
ROC Curve and AUC
The ROC curve reflects the balance between the true positive rate and the false positive rate at different threshold values. The AUC summarizes the discriminative ability of the model: the closer the value is to 1, the better the performance. Figure 2 shows the ROC curve and AUC of the proposed model; they reveal limited discriminative power, with an AUC of 0.51.
Figure 2 ROC Curve
An AUC of 0.51 is close to random guessing (an AUC of 0.5), meaning that the model has very poor capability in distinguishing between normal and anomalous instances. This low AUC shows the difficulty of detecting zero-day anomalies with Isolation Forest, which is good at isolating simple outliers but may fail on complicated, subtle attack patterns.
Precision-Recall Curve
Figure 3 plots the Precision-Recall curve, which is more informative than the ROC curve for model performance on imbalanced datasets. In this work, the Precision-Recall curve depicts the trade-off between the model's ability to detect true anomalies and its tendency toward false alarms.
Figure 3 Precision-Recall Curve
The curve shows that precision decreases rapidly as recall increases, indicating that capturing more anomalies comes at the cost of a sharp increase in false positives. The area under the Precision-Recall curve is low, pointing out how this model struggles with the imbalanced zero-day detection task, where attacks are rare and often inconspicuous.
Limitations of the Isolation Forest Model
High False Positive Rate
A significant shortcoming of the model is the high number of false positives. The model returns 197 false positives, meaning that it frequently classifies normal traffic as anomalous. This could result in alert fatigue, whereby security teams are bombarded with false alarms and may overlook actual threats. The high false positive rate suggests that Isolation Forest is not discriminative enough for the nuances of zero-day detection, where the boundary between normal and abnormal is complex and requires further refinement in modeling.
Challenges in Detecting Low-Frequency Anomalies
Another critical limitation is the model's false negative rate, whereby actual attacks are missed. The confusion matrix shows 147 false negatives, suggesting that the model most likely failed to catch low-frequency or subtle anomalies. While the Isolation Forest performed well in finding distinct outliers, it may lack sensitivity to complex attack patterns that do not deviate much from normal traffic.
Suggestions for Model Improvement
Given the limitations of Isolation Forest, alternative models should be explored to improve zero-day attack detection:
- Autoencoders: These neural networks are trained to reconstruct normal data patterns, while anomalies are detected by reconstruction errors. The autoencoder is able to capture complex dependencies across features and hence would be more suitable for detecting subtle anomalies in network traffic [11].
- One-Class SVM: A popular anomaly detection algorithm that learns the decision boundary of the majority class (normal instances) and classifies outliers as anomalies. It could offer a better approach for zero-day detection if tuned appropriately.
- Deep Isolation Forest: Isolation Forest extended with deep learning to boost the detection of complex anomalies. Several works show that Deep Isolation Forest can outperform the traditional Isolation Forest on high-dimensional datasets by modeling complex interactions between features [15].
Conclusion
This study has investigated the efficiency of the Isolation Forest algorithm as an AI-powered anomaly detection model for identifying zero-day attacks in network traffic. The results show both the potential and the limitations of Isolation Forest in this challenging task. Using a synthetic dataset, the model was trained and optimized via cross-validation, attaining moderate overall accuracy. However, the model's low precision and recall reveal the difficulty of picking out the complex, subtle anomalies inherent in zero-day attacks. The high false positive rate observed is also a grave limitation, since constant false alarms can cripple cybersecurity operations through alert fatigue and missed real threats.
Isolation Forest was instructive regarding how anomaly detection can be put into practice, but its performance in detecting zero-day attacks showed that more sophisticated methods are in order. Future studies may be oriented toward models like Autoencoders and One-Class SVM, which are sensitive to complex anomaly patterns. In addition, ensemble methods, which combine several models for detection, might prove a promising approach for further improving detection accuracy and reducing false positives. This research extends the scope of AI-driven cybersecurity by testing the suitability of the Isolation Forest model for zero-day detection and emphasizing the need for ongoing development of anomaly detection algorithms. The insights gained provide a base for further work on models that are more robust and adaptive to the ever-evolving landscape of cyber threats.
References
[1] A. Johnson, “Leveraging AI for Zero-Day Attack Detection: Challenges and Future Directions,” Journal of Artificial Intelligence Research, vol. 4, no. 2, pp. 123–128, 2024.
[2] N. Mazher, A. Basharat, and A. Nishat, “AI-Driven Threat Detection: Revolutionizing Cyber Defense Mechanisms,” Eastern-European Journal of Engineering and Technology, vol. 3, no. 1, pp. 70–82, 2024.
[3] N. Pureti, “Zero-Day Exploits: Understanding the Most Dangerous Cyber Threats,” International Journal of Advanced Engineering Technologies and Innovations, vol. 1, no. 2, pp. 70–97, 2022.
[4] J. O. Oloyede and F. Olaoye, “Revolutionizing Cybersecurity: Leveraging AI and Machine Learning for Advanced Threat Detection,” Unpublished Manuscript.
[5] A. Fathia, “Defending Against Adversarial Attacks in AI-Powered Cybersecurity: A Comprehensive Exploration,” Unpublished Manuscript, 2023.
[6] A. H. I. E. Tariq, M. B. I. E. Tariq, and S. Lu, “Hybrid AI-Driven Techniques for Enhancing Zero-Day Exploit Detection in Intrusion Detection System (IDS),” in 2024 3rd International Conference on Artificial Intelligence, Internet of Things and Cloud Computing Technology (AIoTC), Sep. 2024, pp. 156–160.
[7] D. R. Chirra, “AI-Based Threat Intelligence for Proactive Mitigation of Cyberattacks in Smart Grids,” Revista de Inteligencia Artificial en Medicina, vol. 14, no. 1, pp. 553–575, 2023.
[8] V. S. S. Reddy, “Advanced Threat Intelligence Utilizing AI To Predict And Prevent Cyber Attacks,” Global Journal of Cyber Security (GJCS), vol. 1, no. 1, pp. 1–12, 2023.
[9] O. Bolanle and K. Bamigboye, “AI-Powered Cloud Security: Leveraging Advanced Threat Detection for Maximum Protection,” International Journal of Trend in Scientific Research and Development, vol. 3, no. 2, pp. 1407–1412, 2019.
[10] D. Kavitha and S. Thejas, “AI Enabled Threat Detection: Leveraging Artificial Intelligence for Advanced Security and Cyber Threat Mitigation,” IEEE Access, 2024.
[11] A. Toshniwal, K. Mahesh, and R. Jayashree, “Overview of anomaly detection techniques in machine learning,” in 2020 Fourth International Conference on I-SMAC (IoT in Social, Mobile, Analytics and Cloud) (I-SMAC), Oct. 2020, pp. 808–815.
[12] M. Alabadi and Y. Celik, “Anomaly detection for cyber-security based on convolution neural network: A survey,” in 2020 International Congress on Human-Computer Interaction, Optimization and Robotic Applications (HORA), Jun. 2020, pp. 1–14.
[13] A. Igugu, “Evaluating the Effectiveness of AI and Machine Learning Techniques for Zero-Day Attacks Detection in Cloud Environments,” Unpublished Manuscript, 2024.
[14] P. R. Kothamali, S. Banik, and S. V. Nadimpalli, “Introduction to Threat Detection in Cybersecurity,” International Journal of Advanced Engineering Technologies and Innovations, vol. 1, no. 2, pp. 113–132, 2020.
[15] S. Ali, S. U. Rehman, A. Imran, G. Adeem, Z. Iqbal, and K. I. Kim, “Comparative evaluation of AI-based techniques for zero-day attacks detection,” Electronics, vol. 11, no. 23, p. 3934, 2022.
[16] P. Parrend, J. Navarro, F. Guigou, A. Deruyver, and P. Collet, “Foundations and applications of artificial intelligence for zero-day and multi-step attack detection,” EURASIP Journal on Information Security, vol. 2018, no. 1, pp. 1–21, 2018.
[17] R. Ahmad, I. Alsmadi, W. Alhamdani, and L. A. Tawalbeh, “Zero-day attack detection: A systematic literature review,” Artificial Intelligence Review, vol. 56, no. 10, pp. 10733–10811, 2023.
[18] L. Gudala, M. Shaik, and S. Venkataramanan, “Leveraging machine learning for enhanced threat detection and response in zero trust security frameworks: An exploration of real-time anomaly identification and adaptive mitigation strategies,” Journal of Artificial Intelligence Research, vol. 1, no. 2, pp. 19–45, 2021.
[19] H. Xu, G. Pang, Y. Wang, and Y. Wang, “Deep isolation forest for anomaly detection,” IEEE Transactions on Knowledge and Data Engineering, vol. 35, no. 12, pp. 12591–12604, 2023.
[20] M. U. Togbe et al., “Anomaly detection for data streams based on isolation forest using scikit-multiflow,” in Computational Science and Its Applications – ICCSA 2020: 20th International Conference, Cagliari, Italy, July 1–4, 2020, Proceedings, Part IV, Springer, 2020, pp. 15–30.
[21] J. Chen, J. Zhang, R. Qian, J. Yuan, and Y. Ren, “An Anomaly Detection Method for Wireless Sensor Networks Based on the Improved Isolation Forest,” Applied Sciences, vol. 13, no. 2, p. 702, 2023.