Meta-UAD: A Meta-Learning Scheme for User-level Network Traffic Anomaly Detection

Tongtong Feng, Qi Qi, Lingqi Guo, Jingyu Wang
2024-08-30
Abstract: Accurate anomaly detection in user-level network traffic is crucial for network security. Compared with existing models that passively detect specific anomaly classes with large labeled training samples, user-level network traffic contains sizeable new anomaly classes with few labeled samples and has an imbalanced, self-similar, and data-hungry nature. Motivated by those limitations, in this paper, we propose *Meta-UAD*, a Meta-learning scheme for User-level network traffic Anomaly Detection. Meta-UAD uses the CICFlowMeter to extract 81 flow-level statistical features and removes some invalid ones using cumulative importance ranking. Meta-UAD adopts a meta-learning training structure and learns from the collection of K-way-M-shot classification tasks, which can use a pre-trained model to adapt to any new class with few samples in a few iteration steps. We evaluate our scheme on two public datasets. Compared with existing models, the results further demonstrate the superiority of Meta-UAD with 15% - 43% gains in F1-score.
Cryptography and Security
What problem does this paper attempt to address?
The problem that this paper attempts to solve is anomaly detection in user-level network traffic, especially the poor performance of traditional models when facing new anomaly categories with a small number of samples.

Specifically, user-level network traffic has the following characteristics:

1. **Imbalanced**: The number of samples in new anomaly categories is far less than that in normal traffic and other known anomaly categories.
2. **Self-similar**: New anomaly categories usually evolve from existing categories and are closer to the characteristics of normal traffic.
3. **Data-hungry**: New attackers are more likely to target a small number of precise targets, resulting in a small number of samples in each new anomaly category.

Traditional anomaly detection models have the following limitations:

- **Dependence on large-scale training samples**: These models require a large amount of labeled data for training and are not effective for small-scale or newly emerging anomaly categories.
- **Sensitivity to data distribution**: Traditional models can only have a good detection effect on specific anomaly categories (i.e., the categories already in the training set), and have poor generalization ability for newly emerging anomaly categories.
- **Poor performance on extremely imbalanced data sets**: The model is easily biased towards the majority class, resulting in low detection performance for the minority class (such as new anomaly categories).

To solve these problems, the authors propose Meta-UAD, a user-level network traffic anomaly detection scheme based on meta-learning. The main advantages of Meta-UAD are:

- **Rapid adaptation to new categories**: Through the meta-learning framework, Meta-UAD can quickly learn from a small number of labeled samples and adapt to new anomaly categories.
- **Reduction of computational consumption**: Compared with the traditional retraining method, Meta-UAD only needs a small number of iteration steps to update the model parameters, thereby reducing the computational cost.
- **Improvement of generalization ability**: Meta-UAD can maintain good generalization performance between different data sets and is suitable for cross-data-set anomaly detection tasks.

Through experimental verification, Meta-UAD is significantly superior to several existing anomaly detection models in terms of the F1-score index, especially when dealing with newly emerging anomaly categories with a small number of samples.
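How K-way-M-shot tasks can be drawn from imbalanced labelled flows, as an added example that is not the paper's code. The function names, the per-class query cap, the class labels and the class counts are assumptions constructed for illustration.

```python
import random
from collections import defaultdict

def sample_task(flows, k_way, m_shot, n_query, rng):
    """Build one K-way-M-shot task from (feature_vector, label) pairs.

    Returns (support, query, class_map). Labels are re-indexed 0..K-1 per
    task, so a model trained on many tasks learns to adapt to whatever
    classes a task contains rather than memorising global class ids.
    """
    by_class = defaultdict(list)
    for features, label in flows:
        by_class[label].append(features)
    # A class needs M support samples plus at least one held-out query sample.
    eligible = sorted(c for c, xs in by_class.items() if len(xs) >= m_shot + 1)
    if len(eligible) < k_way:
        raise ValueError(f"only {len(eligible)} classes have > {m_shot} samples")
    support, query, class_map = [], [], {}
    for idx, cls in enumerate(rng.sample(eligible, k_way)):
        class_map[cls] = idx
        pool = by_class[cls][:]
        rng.shuffle(pool)
        support += [(x, idx) for x in pool[:m_shot]]
        # Capping the query set keeps the majority class from dominating
        # the task loss (assumed mitigation for the imbalance).
        query += [(x, idx) for x in pool[m_shot:m_shot + n_query]]
    return support, query, class_map

def make_constructed_flows():
    """Constructed, heavily imbalanced sample: (class_id, i) stands in for
    a flow-level feature vector; counts mimic many benign, few rare flows."""
    counts = {"benign": 500, "dos": 60, "portscan": 40, "bot": 6, "new_rare": 2}
    flows = []
    for class_id, (label, n) in enumerate(counts.items()):
        flows += [((float(class_id), float(i)), label) for i in range(n)]
    return flows

if __name__ == "__main__":
    rng = random.Random(7)
    support, query, class_map = sample_task(make_constructed_flows(), 3, 5, 10, rng)
    print(class_map, len(support), len(query))
```

With M = 5, the constructed `new_rare` class (2 samples) can never form a task, while `bot` (6 samples) yields 5 support samples and a single query sample.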