Improving Detection Accuracy of Brute-Force Attacks on MariaDB Using Standard Isolation Forest: A Comparative Analysis with Rotated Variant
DOI:
https://doi.org/10.30812/matrik.v25i1.5817
Keywords:
Anomaly Detection, Brute Force, Isolation Forest, Log Analysis, Rotated Isolation Forest
Abstract
Brute-force attacks remain among the most prevalent and persistent cybersecurity threats to database systems, causing unauthorized access, data leakage, and service disruptions. Conventional threshold-based detection methods often struggle to adapt to evolving and dynamic attack patterns, necessitating more robust anomaly detection approaches. This study aims to develop, evaluate, and compare two unsupervised machine learning algorithms, Standard Isolation Forest (IF) and Rotated Isolation Forest (RIF), for detecting brute-force attacks targeting databases such as MariaDB. A large-scale raw access log dataset containing millions of entries was pre-processed through data cleaning, normalization, and feature extraction. Behavioural features were engineered for IP-path pairs, including login-attempt frequency, request intervals, and rapid-attempt ratios. The dataset consisted of 1,831,989 benign and 5,126,052 brute-force entries. The Standard IF model was trained using benign data (n_estimators = 175, contamination = 0.1, max_samples = 'auto') and evaluated on mixed data, achieving Recall 99.94%, Precision 99.29%, F1-Score 99.61%, AUC 0.9495, and Accuracy 99.28%, with TP = 5,123,224 and FN = 2,828. The RIF model, using Gaussian Random Projection (n_components = 5), yielded slightly lower metrics: Recall 99.44%, F1-Score 99.36%, and Accuracy 98.81%. The findings indicate that Standard Isolation Forest provides higher detection accuracy and reliability in identifying brute-force anomalies within large-scale log data. Despite the theoretical advantage of feature rotation in handling complex anomalies, the Standard IF demonstrates superior practical performance and efficiency. Overall, the study confirms the method's strong potential for integration into automated and real-time cybersecurity monitoring systems.
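The per-pair feature engineering and benign-only training described in the abstract, sketched as an added example; this is not the study's code. The log line format, the 1-second "rapid" threshold, dropping single-request pairs, and `random_state` are assumptions made here; the Isolation Forest hyperparameters are the ones the abstract reports.

```python
from collections import defaultdict

RAPID_GAP_S = 1.0  # assumption: the abstract names a rapid-attempt ratio but no threshold

# Constructed sample; assumed line format: "<epoch_seconds> <client_ip> <path>"
SAMPLE_LOG = """\
0.0 198.51.100.7 /login
100.0 203.0.113.9 /login
10.0 198.51.100.7 /report
100.25 203.0.113.9 /login
40.0 198.51.100.7 /login
100.5 203.0.113.9 /login
malformed entry
100.75 203.0.113.9 /login
70.0 198.51.100.7 /report
103.0 203.0.113.9 /login
120.0 198.51.100.7 /login
55.0 192.0.2.4 /index
"""

def pair_features(log_text, rapid_gap=RAPID_GAP_S):
    """Return {(ip, path): (attempts, mean_gap_s, rapid_ratio)}."""
    times = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines instead of failing the whole batch
        try:
            times[(parts[1], parts[2])].append(float(parts[0]))
        except ValueError:
            continue  # timestamp field is not numeric
    feats = {}
    for key, ts in times.items():
        if len(ts) < 2:
            continue  # a single request has no interval to measure
        ts.sort()  # log lines may arrive out of order
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        rapid = sum(g < rapid_gap for g in gaps) / len(gaps)
        feats[key] = (len(ts), sum(gaps) / len(gaps), rapid)
    return feats

def fit_standard_if(benign_rows):
    """Fit on benign-only feature rows with the abstract's hyperparameters."""
    from sklearn.ensemble import IsolationForest  # requires scikit-learn
    model = IsolationForest(n_estimators=175, contamination=0.1,
                            max_samples="auto", random_state=0)  # seed is an assumption
    return model.fit(benign_rows)  # model.predict(rows) returns -1 for anomalies

if __name__ == "__main__":
    for pair, row in sorted(pair_features(SAMPLE_LOG).items()):
        print(pair, row)
```

Because `contamination = 0.1` sets the decision threshold from the training scores, roughly a tenth of the benign training rows fall on the anomalous side of it by construction.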
License
Copyright (c) 2025 Hartono, Khusnul Khotimah, Rokin Maharjan

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.