COMPARATIVE ANALYSIS OF THE EFFECTIVENESS OF MACHINE LEARNING METHODS FOR CYBER INCIDENT DETECTION
DOI: https://doi.org/10.31891/2219-9365-2025-83-32
Keywords: machine learning methods, cyber incident detection, cybersecurity, anomaly analysis, supervised machine learning, unsupervised machine learning, reinforcement learning
Abstract
The article presents a comparative analysis of modern machine learning methods (supervised, unsupervised, and reinforcement learning) for detecting cybersecurity incidents in corporate information and communication systems. The advantages and limitations of the most common algorithms, including Decision Tree, Naive Bayes, SVM, Isolation Forest, K-Means, BERT, GPT, DQN, PPO, and Soft Actor-Critic, are discussed in terms of accuracy, recall, precision, and false positive rate. The CICIDS 2018 dataset was used for experimental evaluation, which allowed the practical applicability of these methods to be assessed for both known threats and zero-day attacks. The study found that decision tree models achieve the highest accuracy and the lowest false positive rates on conventional threats, while the Isolation Forest algorithm is the most effective at detecting anomalous activity and new types of attacks. An optimized approach is proposed that combines a supervised Decision Tree classifier for known threats with unsupervised anomaly detection by Isolation Forest, so that false positives are minimized and the system adapts to attacks absent from the training data. The results can be used to build efficient cybersecurity systems capable of responding promptly to modern threats while accounting for resource constraints and the need to reduce false positives. Particular attention is given to the impact of model parameters on performance and scalability in high-traffic environments. The possibilities of integrating machine learning with existing security monitoring systems to automate incident detection are considered. Directions for future research are identified, including the development of hybrid models that are more resilient to zero-day attacks. The study concludes that machine learning should be treated as a key component of modern cybersecurity strategies.
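The hybrid scheme the abstract proposes, as an added illustration that is not the paper's own code: a Decision Tree trained on labelled flows handles the known attack class, an Isolation Forest trained on benign traffic only scores everything the tree calls benign, and the two stages are gated so that the anomaly stage can only add detections on top of the supervised ones. The flow feature set (loosely modelled on CICIDS-style flow columns), the synthetic traffic generator, the `HybridDetector` class and the attack kinds `syn_flood` (known, labelled) and `exfil` (withheld from training to play a zero-day) are all assumptions made for the example; the metrics computed are the four the abstract names.

```python
"""Hybrid incident detector: Decision Tree for the known attack class, Isolation Forest
trained on benign traffic for anomalies, gated so the anomaly stage only sees flows the
tree already called benign. Illustrative example, not the paper's code; the feature set
and the synthetic flow generator below are assumptions."""
import random
from sklearn.ensemble import IsolationForest
from sklearn.tree import DecisionTreeClassifier

# Assumed per-flow features, loosely modelled on CICIDS-style flow columns.
FEATURES = ["duration_s", "pkts_fwd", "pkts_bwd", "bytes_fwd", "bytes_bwd", "syn_ratio"]


def synth_flow(rng, kind):
    """Constructed sample flows (not real traffic). 'syn_flood' is the known, labelled
    attack; 'exfil' is withheld from training so it behaves like a zero-day."""
    if kind == "benign":  # ordinary client/server exchange
        return [max(1.0, rng.gauss(5, 2)), max(5, int(rng.gauss(30, 10))),
                max(5, int(rng.gauss(40, 15))), max(500, int(rng.gauss(5000, 2000))),
                max(1000, int(rng.gauss(50000, 20000))),
                min(1.0, max(0.0, rng.gauss(0.03, 0.02)))]
    if kind == "syn_flood":  # short burst of SYNs, almost nothing comes back
        n = rng.randint(40, 400)
        return [rng.uniform(0.01, 0.5), n, rng.randint(0, 3), n * 40,
                rng.randint(0, 500), rng.uniform(0.9, 1.0)]
    if kind == "exfil":  # long-lived flow pushing out far more data than any benign one
        return [rng.uniform(300, 3600), rng.randint(5000, 50000), rng.randint(500, 5000),
                rng.randint(50_000_000, 500_000_000), rng.randint(500_000, 5_000_000),
                min(1.0, max(0.0, rng.gauss(0.03, 0.02)))]
    raise ValueError(kind)


class HybridDetector:
    def __init__(self, seed=0, contamination=0.02):
        self.tree = DecisionTreeClassifier(max_depth=4, random_state=seed)
        # contamination fixes the anomaly threshold from the benign training scores,
        # i.e. it is the false-positive budget accepted on known-good traffic.
        self.forest = IsolationForest(n_estimators=100, contamination=contamination,
                                      random_state=seed)

    def fit(self, flows, labels):
        self.tree.fit(flows, labels)
        benign_only = [f for f, lbl in zip(flows, labels) if lbl == "benign"]
        self.forest.fit(benign_only)  # unsupervised stage never sees attack labels
        return self

    def predict(self, flows):
        """Per flow: ('known', class), ('anomaly', None) or ('benign', None)."""
        tree_out = self.tree.predict(flows)
        forest_out = self.forest.predict(flows)  # +1 inlier, -1 outlier
        verdicts = []
        for cls, iso in zip(tree_out, forest_out):
            if cls != "benign":
                verdicts.append(("known", str(cls)))   # supervised stage decides
            elif iso == -1:
                verdicts.append(("anomaly", None))     # tree said benign, forest disagrees
            else:
                verdicts.append(("benign", None))
        return verdicts


def metrics(is_attack, flagged):
    """Accuracy, precision, recall and false-positive rate from two boolean lists."""
    tp = sum(a and f for a, f in zip(is_attack, flagged))
    fp = sum((not a) and f for a, f in zip(is_attack, flagged))
    fn = sum(a and not f for a, f in zip(is_attack, flagged))
    tn = sum((not a) and not f for a, f in zip(is_attack, flagged))
    div = lambda num, den: num / den if den else 0.0
    return {"accuracy": div(tp + tn, tp + tn + fp + fn), "precision": div(tp, tp + fp),
            "recall": div(tp, tp + fn), "fpr": div(fp, fp + tn)}


def run_experiment(seed=0):
    """Train on benign + syn_flood, test on benign + syn_flood + the unseen exfil class."""
    rng = random.Random(seed)
    train = [("benign", synth_flow(rng, "benign")) for _ in range(300)] + \
            [("syn_flood", synth_flow(rng, "syn_flood")) for _ in range(100)]
    test = [("benign", synth_flow(rng, "benign")) for _ in range(200)] + \
           [("syn_flood", synth_flow(rng, "syn_flood")) for _ in range(50)] + \
           [("exfil", synth_flow(rng, "exfil")) for _ in range(20)]
    det = HybridDetector(seed).fit([f for _, f in train], [lbl for lbl, _ in train])
    truth = [lbl for lbl, _ in test]
    verdicts = det.predict([f for _, f in test])
    is_attack = [lbl != "benign" for lbl in truth]
    tree_flags = [v[0] == "known" for v in verdicts]      # supervised stage alone
    hybrid_flags = [v[0] != "benign" for v in verdicts]   # tree OR anomaly stage
    return {
        "tree_only": metrics(is_attack, tree_flags),
        "hybrid": metrics(is_attack, hybrid_flags),
        "known_caught": sum(v == ("known", "syn_flood")
                            for v, lbl in zip(verdicts, truth) if lbl == "syn_flood"),
        "novel_flagged": sum(v[0] == "anomaly"
                             for v, lbl in zip(verdicts, truth) if lbl == "exfil"),
    }


if __name__ == "__main__":
    for name, value in run_experiment().items():
        print(name, value)
```

The gating order is the point: because the forest is consulted only for flows the tree already accepted, its false positives add to the tree's rather than multiplying with them, and the `contamination` parameter is the knob that trades anomaly recall against that additive false-positive budget; raising it is how the recall on the unseen class is bought, and its cost shows up directly in the hybrid `fpr`.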
License
Copyright (c) 2025 Микола КОНОТОПЕЦЬ, Олександр ТУРОВСЬКИЙ, Андрій БУРДЕЙНИЙ, Антон СТОРЧАК

This work is licensed under a Creative Commons Attribution 4.0 International License.