Lu Chen,Tao Zhang,Yuanyuan Ma,Mu Chen

DOI: https://doi.org/10.1109/iist62526.2024.00098

2024-01-01

Abstract:With the increasing complexity, automation, and intelligence of network attacks, new types of attacks are constantly emerging in the network, posing great challenges to network attack detection and timely response based on prior rules. In order to more effectively and accurately identify abnormal traffic, a network abnormal traffic detection algorithm based on improved convolutional neural networks is proposed. The algorithm first inputs the key features of traffic anomaly monitoring, converts them into color images through visualization technology, extracts higher dimensional features, and then uses neural structure search technology to find a lightweight convolutional network structure with high accuracy and less time consumption. The optimal model is used to output the type of traffic anomaly. The results indicate that the algorithm has a higher accuracy and the shortest classification time for a single image.

Junyi Li,Fangce Guo,Yibing Wang,Lihui Zhang,Xiaoxiang Na,Simon Hu

DOI: https://doi.org/10.1109/itsc45102.2020.9294409

2020-01-01

Abstract:A key problem in short-term traffic prediction is the prevailing data missing scenarios across the entire traffic network. To address this challenge, a transfer learning framework is currently used in the literature, which could improve the prediction accuracy on the target link that suffers severe data missing problems by using information from source links with sufficient historical data. However, one of the limitations in these transfer-learning based models is their high dependency on the consistency between datasets and the complex data selection process, which brings heavy computation burden and human efforts. In this paper, we propose an adaptive transfer learning method in short-term traffic flow prediction model to alleviate the complex data selection process. Specifically, a self-adaptive neural network with a novel domain adaptation loss is developed. The domain adaptation loss is able to calculate the distance between the source data and the corresponding target data in each training batch, which can help the network to adaptively filter inconsistent source data and learn target link related information in each training batch. The Maximum Mean Discrepancy (MMD) measurement, which has been fully validated and applied in transfer learning research, is used in combination with the Gaussian kernel to measure the distance between datasets in each training batch. A series of experiments are designed and conducted using 15-minute interval traffic flow data from the Highways England, UK. The results have demonstrated that the proposed adaptive transfer learning method is less affected by the inconsistency between datasets and provides more accurate short-term traffic flow prediction.

Junyi Li,Ningke Xie,Kaihang Zhang,Fangce Guo,Simon Hu,Xiqun (Michael) Chen

DOI: https://doi.org/10.1016/j.trc.2022.103719

2022-01-01

Abstract:Network traffic flow prediction on a fine-grained spatio-temporal scale is essential for intelligent transportation systems, and extensive studies have been carried out in this area. However, existing methods are mostly data-driven, with stringent requirements on the amount and quality of data. The collected network-scale traffic data are expected to be complete, sufficient, and representative, containing most traffic flow patterns in the road network. Unfortunately, it is very rare that sufficient and representative traffic data across the whole road network in several consecutive weeks are available for model calibration. In real-world applications, data insufficiency and dataset shift problems are prevalent, resulting in the 'cold start' issue in traffic prediction. To deal with the challenges above, this paper develops a two-stage physics-informed transfer learning method for network-scale link-wise traffic flow knowledge transfer under MFDbased physical constraints. In the first stage, the road network is partitioned and similar traffic regions are identified according to the physical invariants and MFD characteristics. In this way, the network-scale link-wise traffic flow pattern transfer between similar regions can be initiated under the assumption that regions with similar aggregated traffic flow patterns are more likely to share comparable link-wise traffic flow features. In the second stage, we propose our knowledge transfer architecture Deep Tensor Adaptation Network (DTAN) to bridge traffic flow knowledge in source and target regions via the parallel Siamese network structure, and further reduce domain discrepancy by imposing two distribution adaptation regularizations. A real-world traffic dataset on the urban expressway network of Beijing is used for numerical tests. The experiment results show that the proposed framework can leverage the trade-off between specific regression task performance in a single region and generalized domain adaptation capacity across multiple regions. The data insufficiency, dataset shift, and heavy computational cost problems are alleviated by improving model transferability. Finally, extensive empirical analysis is carried out to explore traffic flow pattern transferability and its relation to network traffic properties.

Xisong Chen,Kaihong Yan,Tao Fu,Jin Zhang,D. Niu,Li Wang

DOI: https://doi.org/10.1109/CAC51589.2020.9327030

2020-11-06

Abstract:With the rapid development of information network, network security is becoming more and more important. Intrusion detection is an important component of the network security system. The traditional signature-based matching detection method is difficult to cope with the increasingly complex network environment. On the contrary, anomaly detection which is based on network traffic pattern analysis has obvious advantages in dealing with encryption attacks, zero-day attacks and other new attacks. This paper studies the network traffic anomaly detection, and proposes a traffic anomaly detection model which combines convolution neural network and eXtreme Gradient Boosting algorithm. First, the collected traffic data is preprocessed into appropriate format that meets the input requirements of the model. Then the improved LeNet-5 convolution neural network is used for feature learning, and finally XGBoost algorithm is used to classify the learning features. Experimental results show that the proposed network traffic anomaly detection method based on CNN and XGBoost has a high accuracy, and good experimental results have been achieved in both two- classification and multi-classification.

Computer Science

Mingshu He,Xiaojuan Wang,Peng Wei,Liu Yang,Yinglei Teng,Renjian Lyu

DOI: https://doi.org/10.1109/tnsm.2024.3352586

2024-01-01

IEEE Transactions on Network and Service Management

Abstract:Anomaly detection plays an essential role in network security and traffic classification. Many studies have focused on anomaly detection to improve network security, including machine learning and deep learning methods. These methods often require numerous samples and must obtain the results by classifying the entire data set, thereby limiting their inflexibility. Although transfer and multitask learning have achieved some results in the model’s transferability, these methods must manually label or reprocess the test set. These problems limit the application of previous methods in network security management. To solve these problems, we propose a transferable and adaptable network intrusion detection system (TA-NIDS) based on deep reinforcement learning. The interaction process between the agent and the environment varies every time. A small-scale data set can be used to produce many interactive processes. Therefore, robustness is guaranteed when there are few samples. Then, a reasonable reward function allows the agent to learn how to first choose outliers without classifying the entire data set. This makes the TA-NIDS more adaptable to the scene when we prioritize apparent outliers. More importantly, the original features are transformed into the state of the environment, so no requirement exists for the feature dimension. Furthermore, the general rather than the specific state of one data set makes the model transferable to other data sets. The experimental results for IDS2017, IDS2018, NSL-KDD, UNSW-NB15 and CIC-IoT2023 show that the proposed framework maintains good accuracy when prioritizing outliers and transferability are prioritized simultaneously.

computer science, information systems

Shi Dong,Yuanjun Xia,Tao Peng

DOI: https://doi.org/10.1109/tnsm.2021.3120804

2021-12-01

IEEE Transactions on Network and Service Management

Abstract:The rapid development of Internet technology has brought great convenience to our production life, and the ensuing security problems have become increasingly prominent. These problems threaten users' privacy and pose significant security risks to the normal conduct of many aspects of society, such as politics, economy, culture, and people's livelihood. The growth of the information transmission rate expands the scope of attacks and provides a more attack environment for intruders. Abnormal detection is an effective security protection technology that can monitor network transmission in real-time, effectively sense external attacks, and provide response decisions for relevant managers. The development of machine learning has also led to the development of abnormal traffic detection technology. The goal has been to use powerful and fast learning algorithms to deal with changing threats and respond in real-time. Most of the current abnormal detection research is based on simulation, using public and well-known datasets. On the one hand, the dataset contains high-dimensional massive data, which traditional machine learning methods cannot be processed. On the other hand, the labeled data scale is far behind the application requirements, and the dataset's labels are all manually labeled, so the labeling cost is exceptionally high. This paper proposes a semi-supervised Double Deep Q-Network (SSDDQN)-based optimization method for network abnormal traffic detection, mainly based on Double Deep Q-Network (DDQN), a representative of Deep Reinforcement Learning algorithm. In SSDDQN, the current network first adopts the autoencoder to reconstruct the traffic features and then uses a deep neural network as a classifier. The target network first uses the unsupervised learning algorithm K-Means clustering and then uses deep neural network prediction. The experiment uses NSL-KDD and AWID datasets for training and testing and -erforms a comprehensive comparison with existing machine learning models. The experimental results show that SSDDQN has certain advantages in time complexity and achieved good results in various evaluation metrics.

computer science, information systems

Xuecheng Yu,Yan Huang,Yu Zhang,Mingyang Song,Zhenhong Jia

DOI: https://doi.org/10.32604/cmc.2023.044999

2024-01-01

Abstract:With the increasing dimensionality of network traffic, extracting effective traffic features and improving the identification accuracy of different intrusion traffic have become critical in intrusion detection systems (IDS). However, both unsupervised and semisupervised anomalous traffic detection methods suffer from the drawback of ignoring potential correlations between features, resulting in an analysis that is not an optimal set. Therefore, in order to extract more representative traffic features as well as to improve the accuracy of traffic identification, this paper proposes a feature dimensionality reduction method combining principal component analysis and Hotelling’s T2 and a multilayer convolutional bidirectional long short-term memory (MSC_BiLSTM) classifier model for network traffic intrusion detection. This method reduces the parameters and redundancy of the model by feature extraction and extracts the dependent features between the data by a bidirectional long short-term memory (BiLSTM) network, which fully considers the influence between the before and after features. The network traffic is first characteristically downscaled by principal component analysis (PCA), and then the downscaled principal components are used as input to Hotelling’s T2 to compare the differences between groups. For datasets with outliers, Hotelling’s T2 can help identify the groups where the outliers are located and quantitatively measure the extent of the outliers. Finally, a multilayer convolutional neural network and a BiLSTM network are used to extract the spatial and temporal features of network traffic data. The empirical consequences exhibit that the suggested approach in this manuscript attains superior outcomes in precision, recall and F1-score juxtaposed with the prevailing techniques. The results show that the intrusion detection accuracy, precision, and F1-score of the proposed MSC_BiLSTM model for the CIC-IDS 2017 dataset are 98.71%, 95.97%, and 90.22%.

computer science, information systems,materials science, multidisciplinary

Yuanjun Xia,Shi Dong,Tao Peng,Tao Wang

DOI: https://doi.org/10.1109/msn53354.2021.00083

2021-12-01

Abstract:With the continuous development of information technology, the network as the infrastructure of the information age has become an indispensable and vital aspect of our daily lives. With the popularization of 5G technology, the number of handheld devices has increased significantly. Although it has brought great convenience to our production and life, it has also introduced new security risks, making the network more likely to be infiltrated and attacked. Currently, abnormal network traffic detection technology has become a vital part of network security, effectively protecting the network and computer systems from intrusion and maintaining normal operation. In the network abnormal traffic detection experiment based on simulation, most researchers use public and well-known datasets, and different datasets contain different attack samples. When testing on different datasets, the model needs to be retrained, significantly increasing the consumption of computer resources. The paper proposes a wireless network abnormal traffic detection method based on the deep transfer adversarial environment dueling double deep Q-Network (DTAE-Dueling DDQN). First, use the old NSL-KDD dataset to train AE-Dueling DDQN and save the training model weights. Then, use the idea of fine-tuning, transfer the weight of the AE-Dueling DDQN training is completed to the target model, and fine-tune the target model using the newer AWID dataset in the WiFi environment. The experiment compares the current representative deep learning (DL) and deep reinforcement learning (DRL) methods. Experimental results show that our proposed method saves computer resources significantly and achieves good results in all evaluation indicators.

Hanghang Tong,Chongrong Li,Jingrui He,Jiajian Chen,Quang-Anh Tran,Haixin Duan,Xing Li

DOI: https://doi.org/10.1007/11427469_77

2005-01-01

Abstract:As a crucial issue in computer network security, anomaly detection is receiving more and more attention from both application and theoretical point of view. In this paper, a novel anomaly detection scheme is proposed. It can detect anomaly network traffic which has extreme large value on some original feature by the major component, or does not follow the correlation structure of normal traffic by the minor component. By introducing kernel trick, the non-linearity of network traffic can be well addressed. To save the processing time, a simplified version is also proposed, where only major component is adopted. Experimental results validate the effectiveness of the proposed scheme.

Hui Cao

DOI: https://doi.org/10.1109/ACCESS.2024.3436541

IF: 3.9

IEEE Access

Abstract:With the continuous evolution of network attack methods, traditional rule-based and signature-based security strategies are becoming increasingly hard to deal with increasingly complex network threats. The research focuses on the problem of network traffic anomaly detection in network security, and proposes an improved Transformer and Generative Adversarial Networks network traffic anomaly detection model. The innovation lies in utilizing the Patch segmentation in the Transformer module to reduce information loss, while introducing random masked data blocks to enhance the anti-interference ability of Generative Adversarial Networks, and proposing a class balance model. Therefore, a Transformer Multi Receive Field Fusion (Trans-M) model for network traffic anomaly detection is constructed. The performance test results showed that after category balancing, the accuracy, recall, and F1-score of each model were been significantly improved. The accuracy of the Trans-M model on the balanced dataset arrived 98.12%, an improvement of 8.59% compared to before balancing. The recall rate of the Trans-M model was improved by 8.62% to 97.86%. On Balanced F Score (F1-score), the highest score of the Trans-M model was 98.46%, which was 8.18% higher than before balancing. The experiment outcomes demonstrate that the raised network traffic anomaly detection system is superior to common anomaly traffic detection models and can meet the actual network security protection needs.

Computer Science,Engineering

Tingting Su,Jia Wang,Wei Hu,Gaoqiang Dong,Jeon Gwanggil

DOI: https://doi.org/10.32604/cmc.2024.051535

2024-01-01

Abstract:Along with the progression of Internet of Things (IoT) technology, network terminals are becoming continuously more intelligent. IoT has been widely applied in various scenarios, including urban infrastructure, transportation, industry, personal life, and other socio-economic fields. The introduction of deep learning has brought new security challenges, like an increment in abnormal traffic, which threatens network security. Insufficient feature extraction leads to less accurate classification results. In abnormal traffic detection, the data of network traffic is high-dimensional and complex. This data not only increases the computational burden of model training but also makes information extraction more difficult. To address these issues, this paper proposes an MD-MRD-ResNeXt model for abnormal network traffic detection. To fully utilize the multi-scale information in network traffic, a Multi-scale Dilated feature extraction (MD) block is introduced. This module can effectively understand and process information at various scales and uses dilated convolution technology to significantly broaden the model’s receptive field. The proposed Max-feature-map Residual with Dual-channel pooling (MRD) block integrates the maximum feature map with the residual block. This module ensures the model focuses on key information, thereby optimizing computational efficiency and reducing unnecessary information redundancy. Experimental results show that compared to the latest methods, the proposed abnormal traffic detection model improves accuracy by about 2%.

Zecheng Li,Shengyuan Chen,Hongshu Dai,Dunyuan Xu,Cheng-Kang Chu,Bin Xiao

DOI: https://doi.org/10.1109/tr.2022.3204349

IF: 5.883

2022-01-01

IEEE Transactions on Reliability

Abstract:Abnormal traffic detection is the core component of the network intrusion detection system. Although semisupervised methods can detect zero-day attack traffic, previous work suffers from high false alarms because the trained model is simply based on normal traffic. In this article, we propose an accurate abnormal traffic detection method using pseudoanomaly, consisting of an efficient feature extraction framework and a novel denoise autoencoder-generative adversarial network (DAE-GAN) model. The feature extraction framework adopts an innovative packet window scheme to extract spatial and temporal features from traffic flows. The DAE-GAN model has multiple DAEs to achieve efficient data augmentation and generate high-quality pseudoanomalies. The pseudoanomalies are obtained by adding noise on normal traffic and enhanced by adversarial learning in DAE-GAN. Our semisupervised detection method, exploiting both normal data and generated pseudoanomalies, achieves a precision of 98.6 on the NSL-KDD dataset and 98.5 on the UNSW-NB15 dataset. Compared with the state-of-the-art, the detection precision and recall under different user behaviors are significantly improved. The evaluation on four attack datasets shows that our method has a high flow-wise precision of over 99 and a high recall of 60.6.

engineering, electrical & electronic,computer science, software engineering, hardware & architecture

Shi Dong,Yuanjun Xia,Tao Wang

DOI: https://doi.org/10.1109/mwc.011.2200320

IF: 12.777

2024-01-01

IEEE Wireless Communications

Abstract:Because wireless communication network attacks continue to evolve, cyber security is becoming more and more important, requiring network security solutions to be constantly updated. In addition, wireless communication network traffic in high-speed networks is massive, high-dimensional, dynamic, and so on, making attacks difficult to detect in real-time. Unknown attacks are also difficult to identify. This article proposes a framework for abnormal traffic detection based on deep reinforcement learning, mainly consisting of four stages: data collection, dataset pre-processing, feature selection, and model detection. Experimental results show that the abnormal traffic detection framework has improved detection performance.

computer science, information systems,telecommunications,engineering, electrical & electronic, hardware & architecture

Lixia Liu,Hong Mei,Bing Xie

2013-01-01

Abstract:With the rapid growth of the categories and numbers of network attacks and the increasing network bandwidth, network traffic anomaly detection systems confront with both higher false positive rate and false negative rate. A traffic anomaly detection system with high precision is presented in this paper. First, we use multi-level and multi-dimensional online OLAP method to analyze traffic data. In order to reduce the computational and space complexity in this analytical process, some optimization strategies are applied in building DetectCube, the minimal directed Steiner tree algorithm is adapted to optimize multiple query on the Cube, and the traffic data is summarized at appropriate level with the help of discovery-driven exploration method. Second, a concept of entropy to measure the distribution of traffic on some particular dimensions is given and the values of entropy in every window and every Group-By operation are collected to form multiple time series of entropy. Finally, we employ one-class support vector machine to classify this multidimensional time series of entropy to achieve the purpose of anomaly detection. The proposed traffic anomaly detection system is validated and evaluated by comparing it with existed systems derived from a lot of real network traffic data sets. Our system can detect attacks with high accuracy and efficiency.

Yung-Chung Wang,Yi-Chun Houng,Han-Xuan Chen,Shu-Ming Tseng

DOI: https://doi.org/10.3390/s23042171

IF: 3.9

2023-02-16

Sensors

Abstract:The prevalence of internet usage leads to diverse internet traffic, which may contain information about various types of internet attacks. In recent years, many researchers have applied deep learning technology to intrusion detection systems and obtained fairly strong recognition results. However, most experiments have used old datasets, so they could not reflect the latest attack information. In this paper, a current state of the CSE-CIC-IDS2018 dataset and standard evaluation metrics has been employed to evaluate the proposed mechanism. After preprocessing the dataset, six models—deep neural network (DNN), convolutional neural network (CNN), recurrent neural network (RNN), long short-term memory (LSTM), CNN + RNN and CNN + LSTM—were constructed to judge whether network traffic comprised a malicious attack. In addition, multi-classification experiments were conducted to sort traffic into benign traffic and six categories of malicious attacks: BruteForce, Denial-of-service (DoS), Web Attacks, Infiltration, Botnet, and Distributed denial-of-service (DDoS). Each model showed a high accuracy in various experiments, and their multi-class classification accuracy were above 98%. Compared with the intrusion detection system (IDS) of other papers, the proposed model effectively improves the detection performance. Moreover, the inference time for the combinations of CNN + RNN and CNN + LSTM is longer than that of the individual DNN, RNN and CNN. Therefore, the DNN, RNN and CNN are better than CNN + RNN and CNN + LSTM for considering the implementation of the algorithm in the IDS device.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Hsiu-Min Chuang,Li-Jyun Ye

DOI: https://doi.org/10.3390/su15129395

IF: 3.9

2023-06-12

Sustainability

Abstract:In traditional network management, the configuration of routing policies and associated settings on individual routers and switches was performed manually, incurring a considerable cost. By centralizing network management, software-defined networking (SDN) technology has reduced hardware construction costs and increased flexibility. However, this centralized architecture renders information security vulnerable to network attacks, making intrusion detection in the SDN environment crucial. Machine-learning approaches have been widely used for intrusion detection recently. However, critical issues such as unknown attacks, insufficient data, and class imbalance may significantly affect the performance of typical machine learning. We addressed these problems and proposed a transfer-learning method based on the SDN environment. The following experimental results showed that our method outperforms typical machine learning methods. (1) our model achieved a F1-score of 0.71 for anomaly detection for unknown attacks; (2) for small samples, our model achieved a F1-score of 0.98 for anomaly detection and a F1-score of 0.51 for attack types identification; (3) for class imbalance, our model achieved an F1-score of 1.00 for anomaly detection and 0.91 for attack type identification. In addition, our model required 15,230 seconds (4 h 13 m 50 s) for training, ranking second among the six models when considering both performance and efficiency. In future studies, we plan to combine sampling techniques with few-shot learning to improve the performance of minority classes in class imbalance scenarios.

environmental sciences,environmental studies,green & sustainable science & technology

Jinfu Chen,Tianxiang Lv,Saihua Cai,Luo Song,Shang Yin

DOI: https://doi.org/10.1016/j.infsof.2023.107166

IF: 3.9

2023-02-03

Information and Software Technology

Abstract:Context: The increasingly complex and diverse network environment has increased traffic intrusion behaviors, but the traditional machine learning-based model has the problems of time-consuming and low detection accuracy due to the need of manually selecting features. Therefore, it is very important to construct an automatically abnormal network traffic detection model with a high detection accuracy. Objective: The goal of this paper is to train the network traffic through deep learning technology to generate an automatic abnormal network traffic detection model without manual design of features. Methods: We propose an abnormal network traffic detection model called BiTCN based on bidirectional time convolution network, it first uses temporal convolutional network (TCN) model to better grasp the sequence characteristics of network traffic, and then uses Exponential Linear Unit (ELU) activation function to replace ReLU in the model training stage to avoid the problem of neuron "death" leading to the reduction of detection accuracy, as well as improves the original one-way model to a two-way model to capture the two-way semantic fusion characteristics of network traffic. Results: We evaluate the efficiency of the proposed BiTCN model by comparing it with different models on the CTU and USTC-TFC2016 datasets. The experimental results show that the proposed BiTCN model outperforms other models in terms of the precision, accuracy, recall and F1-measure. Conclusion: In this paper, we propose a novel detection model for abnormal network traffic based on bidirectional temporal convolutional network , it solves some shortcomings and limitations of existing models, and obtains a high detection accuracy of abnormal network traffic with a high stability.

computer science, information systems, software engineering

Harsh Dhillon,Anwar Haque

DOI: https://doi.org/10.1109/TrustCom50675.2020.00144

2021-01-04

Abstract:Network traffic is growing at an outpaced speed globally. The modern network infrastructure makes classic network intrusion detection methods inefficient to classify an inflow of vast network traffic. This paper aims to present a modern approach towards building a network intrusion detection system (NIDS) by using various deep learning methods. To further improve our proposed scheme and make it effective in real-world settings, we use deep transfer learning techniques where we transfer the knowledge learned by our model in a source domain with plentiful computational and data resources to a target domain with sparse availability of both the resources. Our proposed method achieved 98.30% classification accuracy score in the source domain and an improved 98.43% classification accuracy score in the target domain with a boost in the classification speed using UNSW-15 dataset. This study demonstrates that deep transfer learning techniques make it possible to construct large deep learning models to perform network classification, which can be deployed in the real world target domains where they can maintain their classification performance and improve their classification speed despite the limited accessibility of resources.

Machine Learning

Tao Qin,Xiaohong Guan,Wei Li,Pinghui Wang

DOI: https://doi.org/10.1109/ICC.2009.5199196

2009-01-01

Abstract:The randomness of the network behaviors poses serious challenges for discovering the abnormal patterns in network traffic flows. This paper presents a method based on blind source separation approach for detecting abnormal traffic flows. It decomposes the network traffic into two components: the routine pattern and the abnormal pattern. The scale-space filter with adaptive scale is applied to filter the noise without affecting the main behavior patterns which can be used to form the abnormal traffic metrics and profiles. The zero-crossing method is applied to extract the stochastic behavior pulse widths and the largest width is selected as the scale space factor. In this way, the influence of the inherent randomness could be removed or greatly reduced. The extracted patterns of the routine behaviors imply the user's habit and the abnormal patterns are useful for discovering anomalous behaviors such as scanning, flooding and content distribution attacks. A salient feature of the method is that no supervised learning process is needed. This is a very important advantage since obtaining labeled samples in traffic monitoring is extremely difficult. Experimental results based on the datasets of an actual network show that this method is effective for monitoring anomaly traffic flows in the gigabytes traffic environment and the identification accuracy is above 95%.

Yitu Wang,Runqi Dong,Takayuki Nakachi,Wei Wang

DOI: https://doi.org/10.1109/wcnc55385.2023.10118849

2023-01-01

Abstract:Network traffic monitoring plays a crucial role in maintaining the security and reliability of the communication networks. Although Machine Learning (ML) assisted abnormal traffic detection has been emerged as a promising paradigm, the existing data-driven learning-based approaches are faced with challenges on inefficient traffic feature extraction and high computational complexity, especially when taking the evolving property of traffic process into consideration. To this end, we establish an online learning framework for abnormality traffic detection by embracing Gaussian Process (GP) and Sparse Representation (SR). The contributions of this paper are two-fold: 1). We utilize a special kernel, i.e., mixture of Gaussian, to better explore and exploit the evolving traffic characteristics, so as to more accurately model network traffic. 2). To combat noise and modeling error, we formulate a feature vector based on Kullback-Leibler (KL) divergence to measure the difference between normal and abnormal traffic, based on which SR is adopted to perform robust binary classification. Finally, we demonstrate the superiority of the proposed framework in terms of detection accuracy through simulation.