Congyuan Xu,Jizhong Shen,Xin Du

DOI: https://doi.org/10.1016/j.jisa.2021.102879

IF: 4.96

2021-01-01

Journal of Information Security and Applications

Abstract:Low-rate Denial of Service (LDoS) attacks use the low-rate requests to achieve the occupation of the network resources and have strong concealment. The traditional signal analysis based detection methods are challenging to detect LDoS attacks in the fluctuating legitimate traffic. In this paper, an LDoS attack detection method based on hybrid deep neural networks is proposed using one-dimensional convolutional neural network and gated recurrent unit. In order to evaluate the proposed detection method in the real scenarios, we captured real legitimate traffic from a website in the datacenter, and carried out a variety of real LDoS attacks on the mirror of the website in the laboratory environment to obtain real attack traffic. The detection results on the real traffic show that the proposed detection method does not need to extract features manually and can effectively detect LDoS attacks in fluctuating HTTP traffic with an average detection rate of 98.68%, which is more advantageous than MF-DFA or power spectral density based detection methods.

Congyuan Xu,Jizhong Shen,Xin Du

DOI: https://doi.org/10.1109/tifs.2020.2991876

IF: 7.231

2020-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Conventional intrusion detection systems based on supervised learning techniques require a large number of samples for training, while in some scenarios, such as zero-day attacks, security agencies can only intercept a limited number of shots of malicious samples. Therefore, there is a need for few-shot detection. In this paper, a detection method based on a meta-learning framework is proposed for this purpose. The proposed method can be used to distinguish and compare a pair of network traffic samples as a basic task of learning, including a normal unaffected sample and a malicious one. To accomplish this task, we design a deep neural network (DNN) named FC-Net, which mainly comprises two parts: feature extraction network and comparison network. FC-Net learns a pair of feature maps for classification from a pair of network traffic samples, then compares the obtained feature maps, and finally determines whether the pair of samples belongs to the same type. To evaluate the proposed detection method, we construct two datasets for few-shot network intrusion detection based on real network traffic data sources, using a specifically developed approach. The experimental results indicate that the proposed detection method is universal and is not limited to specific datasets or attack types. Training and testing on the same datasets demonstrate that the proposed method can achieve the average detection rate up to 98.88%. The outcome of training on one dataset and testing on the other one confirms that the proposed method can achieve better performance. In a few-shot scenario, malicious samples in an untrained dataset can be detected successfully, and the average detection rate is up to 99.62%.

Yen-Hung Chen,Yuan-Cheng Lai,Pi-Tzong Jan,Ting-Yi Tsai

DOI: https://doi.org/10.3390/s21041027

2021-02-03

Abstract:(1) Background: Link flooding attacks (LFA) are a spatiotemporal attack pattern of distributed denial-of-service (DDoS) that arranges bots to send low-speed traffic to backbone links and paralyze servers in the target area. (2) Problem: The traditional methods to defend against LFA are heuristic and cannot reflect the changing characteristics of LFA over time; the AI-based methods only detect the presence of LFA without considering the spatiotemporal series attack pattern and defense suggestion. (3) Methods: This study designs a deep ensemble learning model (Stacking-based integrated Convolutional neural network-Long short term memory model, SCL) to defend against LFA: (a) combining continuous network status as an input to represent "continuous/combination attacking action" and to help CNN operation to extract features of spatiotemporal attack pattern; (b) applying LSTM to periodically review the current evolved LFA patterns and drop the obsolete ones to ensure decision accuracy and confidence; (c) stacking System Detector and LFA Mitigator module instead of only one module to couple with LFA detection and mediation at the same time. (4) Results: The simulation results show that the accuracy rate of SCL successfully blocking LFA is 92.95%, which is 60.81% higher than the traditional method. (5) Outcomes: This study demonstrates the potential and suggested development trait of deep ensemble learning on network security.

Xiangwen Li,Shuang Zhang

DOI: https://doi.org/10.2174/1872212114999200403092708

2020-04-03

Recent Patents on Engineering

Abstract:: To detect network attacks more effectively, this study uses Honeypot techniques to collect the latest network attack data and proposes network intrusion detection classification models based on deep learning combined with DNN and LSTM models. Experiments showed that the data set training models gave better results than the KDD CUP 99 training model’s detection rate and false positive rate. The DNN-LSTM intrusion detection algorithm proposed in this study gives better results than KDD CUP 99 training model. Compared to other algorithms such as LeNet, DNN-LSTM intrusion detection algorithm exhibits shorter classification test time along with better accuracy and recall rate of intrusion detection.

Jingyi Zhu,Xiufeng Liu

DOI: https://doi.org/10.1016/j.compeleceng.2024.109113

IF: 4.152

2024-02-12

Computers & Electrical Engineering

Abstract:In the rapidly evolving landscape of the Internet of Things (IoT), ensuring robust intrusion detection is paramount for device and data security. This paper proposes a novel method for intrusion detection in IoT networks that leverages a unique blend of subspace clustering and ensemble learning. Our framework integrates three innovative strategies: Clustering Results as Features (CRF), Two-Level Decision Making (TDM), and Iterative Feedback Loop (IFL). These strategies synergize to enhance detection performance and model robustness. We employ mutual information for feature selection and utilize four subspace clustering algorithms – CLIQUE, PROCLUS, SUBCLU, and LOF – to create additional feature sets. Three base learners – NB, LGBM, and XGB – are used in conjunction with a Logistic Regression (LR) meta-learner. To fine-tune our model, we apply Particle Swarm Optimization (PSO) for hyperparameter optimization. We evaluate our framework on the UNSW-NB15 dataset, which contains realistic and diverse IoT network traffic data. The results show that our framework outperforms the state-of-the-art methods in terms of accuracy (97.05%), precision (96.33%), recall (96.55%), F1-score (96.45%), and false positive rate (0.029). Our framework can effectively detect both known and unknown attacks in IoT networks and achieve high accuracy and low false positive rate. The paper contributes both practical implications for network security and theoretical advancements in intrusion detection research.

engineering, electrical & electronic,computer science, interdisciplinary applications, hardware & architecture

Kuljeet Singh,Amit Mahajan,Vibhakar Mansotra

DOI: https://doi.org/10.1504/ijsnet.2023.135851

2024-01-10

International Journal of Sensor Networks

Abstract:Due to the continued and unabated increase in the number of cyber-attacks, the need for improved network security architecture is more apparent. The deep learning approach plays a pivotal role by classifying network traffic and identifying malicious records. However, this approach is often met with twin challenges of the high dimensionality of data and imbalanced ratio of attack labels within the data. To mitigate these issues and achieve a better detection rate, this research has proposed a new intrusion detection framework based on three main components; feature selection, oversampling, and hybrid CNN-LSTM classifier. This study deployed information gain, chi-square, basic methods, L1 regularisation, and random forest classifier as five feature selection methods and SMOTE for handling class imbalance. The experimental results, conducted using the CICIDS2017 dataset, have shown that the proposed model has demonstrated better performance in the detection of network attacks with more than 99% detection rate. Results established that number of features can be significantly reduced without altering the accuracy and oversampling has helped in improving the detection rate of minority attack labels.

computer science, information systems,telecommunications

Tao Yi,Xingshu Chen,Mingdong Yang,Qindong Li,Yi Zhu

DOI: https://doi.org/10.32604/cmes.2024.048793

2024-01-01

Computer Modeling in Engineering & Sciences

Abstract:Due to the rapid evolution of Advanced Persistent Threats (APTs) attacks, the emergence of new and rare attack samples, and even those never seen before, make it challenging for traditional rule-based detection methods to extract universal rules for effective detection. With the progress in techniques such as transfer learning and meta-learning, few-shot network attack detection has progressed. However, challenges in few-shot network attack detection arise from the inability of time sequence flow features to adapt to the fixed length input requirement of deep learning, difficulties in capturing rich information from original flow in the case of insufficient samples, and the challenge of high-level abstract representation. To address these challenges, a few-shot network attack detection based on NFHP (Network Flow Holographic Picture)-RN (ResNet) is proposed. Specifically, leveraging inherent properties of images such as translation invariance, rotation invariance, scale invariance, and illumination invariance, network attack traffic features and contextual relationships are intuitively represented in NFHP. In addition, an improved RN network model is employed for high-level abstract feature extraction, ensuring that the extracted high-level abstract features maintain the detailed characteristics of the original traffic behavior, regardless of changes in background traffic. Finally, a meta-learning model based on the self-attention mechanism is constructed, achieving the detection of novel APT few-shot network attacks through the empirical generalization of high-level abstract feature representations of known-class network attack behaviors. Experimental results demonstrate that the proposed method can learn high-level abstract features of network attacks across different traffic detail granularities. Compared with state-of-the-art methods, it achieves favorable accuracy, precision, recall, and F1 scores for the identification of unknown-class network attacks through cross-validation on multiple datasets.

engineering, multidisciplinary,mathematics, interdisciplinary applications

Xihe Jiang,Dan Meng,Fucheng Liu,Dongxue Zhang,Yu Wen,Xinyu Xing

DOI: https://doi.org/10.1145/3319535.3363224

2019-11-06

Abstract:Conventional attacks of insider employees and emerging APT are both major threats for the organizational information system. Existing detections mainly concentrate on users' behavior and usually analyze logs recording their operations in an information system. In general, most of these methods consider sequential relationship among log entries and model users' sequential behavior. However, they ignore other relationships, inevitably leading to an unsatisfactory performance on various attack scenarios. We propose log2vec, a heterogeneous graph embedding based modularized method. First, it involves a heuristic approach that converts log entries into a heterogeneous graph in the light of diverse relationships among them. Next, it utilizes an improved graph embedding appropriate to the above heterogeneous graph, which can automatically represent each log entry into a low-dimension vector. The third component of log2vec is a practical detection algorithm capable of separating malicious and benign log entries into different clusters and identifying malicious ones. We implement a prototype of log2vec. Our evaluation demonstrates that log2vec remarkably outperforms state-of-the-art approaches, such as deep learning and hidden markov model (HMM). Besides, log2vec shows its capability to detect malicious events in various attack scenarios.

Computer Science

Zhendong Wang,Zeyu Li,Junling Wang,Dahai Li

DOI: https://doi.org/10.1155/2021/9486949

IF: 1.968

2021-10-28

Security and Communication Networks

Abstract:The combination of deep learning and intrusion detection has become a hot topic in today’s network security. In the face of massive, high-dimensional network traffic with uneven sample distribution, how to be able to accurately detect anomalous traffic is the primary task of intrusion detection. Most research on intrusion detection systems based on network anomalous traffic detection has focused on supervised learning; however, the process of obtaining labeled data often requires a lot of time and effort, as well as the support of network experts. Therefore, it is worthwhile investigating the development of label-free self-supervised learning-based approaches called BYOL which is a simple and elegant framework with sufficiently powerful feature extraction capabilities for intrusion detection systems. In this paper, we propose a new data augmentation strategy for intrusion detection data and an intrusion detection model based on label-free self-supervised learning, using a new data augmentation strategy to introduce a perturbation enhancement model to learn invariant feature representation capability and an improved BYOL self-supervised learning method to train the UNSW-NB15 intrusion detection dataset without labels to extract network traffic feature representations. Linear evaluation on UNSW-NB15 and transfer learning on NSK-KDD, KDD CUP99, CIC IDS2017, and CIDDS_001 achieve excellent performance in all metrics.

computer science, information systems,telecommunications

Yan Gao,Yao Zhao,Robert Schweller,Shobha Venkataraman,Yan Chen,Dawn Song,Ming-Yang Kao

DOI: https://doi.org/10.1109/iwqos.2007.376561

2007-01-01

Abstract:We consider the problem of detecting the presence of a sufficiently large number of hosts that connect to more than a certain number of unique destinations within a given time window, over high-speed networks. We call such hosts stealthy spreaders. In practice, stealthy spreaders can be symptomatic of botnet scans or moderate worm propagation. Previous techniques have focused on detecting sources with an extremely large outdegree. However, such techniques fail to detect spreaders such as bot scans in which each scanning host scans only a moderate, fixed number of destinations. In contrast, our scheme maintains a small, fixed size memory usage, and is still able to detect stealthy spreader scenarios by approximating outdegree histograms from continuous traffic. To the best of our knowledge, we are the first to study the efficient outdegree histogram estimation and stealthy spreader detection problems. Evaluation based on real Internet traffic and botnet scan events show that our scheme is highly accurate and can operate online.

Yiran Hao,Yiqiang Sheng,Jinlin Wang

DOI: https://doi.org/10.3390/app9204473

2019-01-01

Applied Sciences

Abstract:Most existing studies on an unsupervised intrusion detection system (IDS) preprocessing ignore the relationship among packets. According to the homophily hypothesis, the local proximity structure in the similarity relational graph has similar embedding after preprocessing. To improve the performance of IDS by building a relationship among packets, we propose a packet2vec learning algorithm that extracts accurate local proximity features based on graph representation by adding penalty to node2vec. In this algorithm, we construct a relational graph G′ by using each packet as a node, calculate the cosine similarity between packets as edges, and then explore the low-order proximity of each packet via the penalty-based random walk in G′. We use the above algorithm as a preprocessing method to enhance the accuracy of unsupervised IDS by retaining the local proximity features of packets maximally. The original features of the packet are combined with the local proximity features as the input of a deep auto-encoder for IDS. Experiments based on ISCX2012 show that the proposal outperforms the state-of-the-art algorithms by 11.6% with respect to the accuracy of unsupervised IDS. It is the first time to introduce graph representation learning for packet-embedded preprocessing in the field of IDS.

Fang Feng,Xin Liu,Binbin Yong,Rui Zhou,Qingguo Zhou

DOI: https://doi.org/10.1016/j.adhoc.2018.09.014

IF: 4.816

2019-01-01

Ad Hoc Networks

Abstract:Ad-hoc network is a temporary self-organizing network that needs no fixed infrastructure. So it has been applied extensively in many areas requesting temporary communication such as military field, emergency disaster relief and road traffic. While, due to the feature of self-organization and wireless communication channels, ad-hoc network is more vulnerable to various attacks compared to the traditional network. In this paper, we proposed a plug and play device to detect Denial of Service (DoS) and privacy attacks. This device mainly includes capture tool and deep learning detection model. Capture tool is used to grab packets in ad-hoc networks, deep learning detection model is used for detecting attacks. An alarm will be triggered if the detected result is attack. In this way, we can avoid the detected attack to spreading out in larger scale. The proposed method can be used as the second line of dense to issue the early-warning signal. In the experiment, first, we use Deep neural network (DNN) detection model to detect DoS attacks; next, we use DNN, Convolutional Neural Network (CNN) and Long Short-Term Memory (LSTM) detection model to detect XSS and SQL attacks. The results show that these detection models can achieve very high Accuracy, Precision, Recall and F1−score. In addition, the time efficiency among the CNN, the LSTM and the DNN is in acceptable range. It proofs that the proposed method can be effectively applied for attack detection. It is important to note that the proposed method can be extended to all other attacks with little modification in ad-hoc networks.

Wenyang Jiao,Xing Hu,Rohit Gupta,Jing Cheng,Linhua Jiang,Dawei Zhang

DOI: https://doi.org/10.1109/tim.2024.3373090

IF: 5.6

2024-03-27

IEEE Transactions on Instrumentation and Measurement

Abstract:Distributed optical fiber sensing systems are widely used in the field of security monitoring for their electromagnetic interference resistance and high sensitivity. Due to the complexity of the environment, unknown signals often arise during the monitoring process to interfere with the recognition model. However, the vast majority of existing research focuses on closed-set identification, which ignores the fact of open-set environments, and thus fails to effectively meet the needs of security monitoring in real scenarios. In addition, existing open-set identification methods as well as the traditional Softmax method are unable to control the orientation of convergence of the samples in the output space during the training stage, which increases the risk of open-set space. To tackle this problem, this article proposed a novel deep learning model based on convolutional neural networks called anchor point learning (APL) for improving classification robustness and reducing the distributional overlap between known and unknown category samples. With APL, different categories will be divided into different regions of the output space, which can be directly determined by the anchor points. Besides, we add an adversarial regularization term to improve the intraclass compactness of the feature representation by forming an adversary with the APL. In our experiments, our model is applied to the task of recognizing pavement intrusion signals. We compare it with the traditional Softmax method and the existing state-of-the-art open-set identification methods respectively. The results confirm that the proposed method not only outperforms the traditional methods in terms of classification performance but also can effectively achieve the recognition of intrusion events under low false alarm rate conditions in the open set environment.

engineering, electrical & electronic,instruments & instrumentation

Juozas Auskalnis,Nerijus Paulauskas,Algirdas Baskys

DOI: https://doi.org/10.5755/j01.eie.24.3.20972

2018-06-27

Elektronika ir Elektrotechnika

Abstract:Gap between the new attack appearance and signature creation for this attack may be critical. During this time, many computer systems may be affected and valuable resources may be lost. Even after signature creation, many computer systems still stay vulnerable because of bad security practice, i.e. patches and updates are not installed as needed. Therefore, anomaly intrusion detection system (IDS) that is capable to detect new unknown attacks is valuable security tool. This paper analyses the use of Local Outlier Factor (LOF) to detect anomalies in the computer network. The application of the LOF algorithm for the detection of anomalies when only normal network data are used for the model training has been demonstrated. Experimental results of different threshold values influence on the anomaly detection accuracy using NSL-KDD dataset is presented. DOI: http://dx.doi.org/10.5755/j01.eie.24.3.20972

engineering, electrical & electronic

Yuwen Qian,Shuchi Wu,Kang Wei,Ming Ding,Di Xiao,Tao Xiang,Chuan Ma,Song Guo

2024-05-21

Abstract:Federated self-supervised learning (FSSL) has recently emerged as a promising paradigm that enables the exploitation of clients' vast amounts of unlabeled data while preserving data privacy. While FSSL offers advantages, its susceptibility to backdoor attacks, a concern identified in traditional federated supervised learning (FSL), has not been investigated. To fill the research gap, we undertake a comprehensive investigation into a backdoor attack paradigm, where unscrupulous clients conspire to manipulate the global model, revealing the vulnerability of FSSL to such attacks. In FSL, backdoor attacks typically build a direct association between the backdoor trigger and the target label. In contrast, in FSSL, backdoor attacks aim to alter the global model's representation for images containing the attacker's specified trigger pattern in favor of the attacker's intended target class, which is less straightforward. In this sense, we demonstrate that existing defenses are insufficient to mitigate the investigated backdoor attacks in FSSL, thus finding an effective defense mechanism is urgent. To tackle this issue, we dive into the fundamental mechanism of backdoor attacks on FSSL, proposing the Embedding Inspector (EmInspector) that detects malicious clients by inspecting the embedding space of local models. In particular, EmInspector assesses the similarity of embeddings from different local models using a small set of inspection images (e.g., ten images of CIFAR100) without specific requirements on sample distribution or labels. We discover that embeddings from backdoored models tend to cluster together in the embedding space for a given inspection image. Evaluation results show that EmInspector can effectively mitigate backdoor attacks on FSSL across various adversary settings. Our code is avaliable at

Cryptography and Security,Machine Learning

Xiaoxiao Liu,Fan Xu,Nan Wang,Qinxin Zhao,Dalin Zhang,Xibin Zhao,Jiqiang Liu

2024-04-04

Abstract:Advanced Persistent Threat (APT) is challenging to detect due to prolonged duration, infrequent occurrence, and adept concealment techniques. Existing approaches primarily concentrate on the observable traits of attack behaviors, neglecting the intricate relationships formed throughout the persistent attack lifecycle. Thus, we present an innovative APT detection framework named LTRDetector, implementing an end-to-end holistic operation. LTRDetector employs an innovative graph embedding technique to retain comprehensive contextual information, then derives long-term features from these embedded provenance graphs. During the process, we compress the data of the system provenance graph for effective feature learning. Furthermore, in order to detect attacks conducted by using zero-day exploits, we captured the system's regular behavior and detects abnormal activities without relying on predefined attack signatures. We also conducted extensive evaluations using five prominent datasets, the efficacy evaluation of which underscores the superiority of LTRDetector compared to existing state-of-the-art techniques.

Cryptography and Security

Chengyuan Zhu,Yanyun Pu,Zhuoling Lyu,Jiren Qian,Kaixiang Yang

DOI: https://doi.org/10.1007/978-3-031-44204-9_22

2023-01-01

Abstract:Pipeline is one of the most important transportation modes of oil and gas. However, it is different from the single-scene environments in fields such as security and high-speed railway, as the environment along the length of long-distance pipelines is complex and variable, including plains, mountains, and lakes. Different geological conditions have different effects on the transmission of vibrations, which poses great challenges to the external perception of distributed optic fiber sensing (DOFS) systems. At the same time, the similarity of different external activity signal characteristics also greatly affects the recognition performance of DOFS systems. Mechanical construction activities along the pipeline have posed a serious threat to the safety of pipelines. In this paper, an intrusion warning ensemble model based on environmental embedding is developed on the latest novel distributed optic fiber hardware system (f-OTDR), named Surroundings-Embedding Ensemble Learning (SEEL). Environmental embedding technology captures the fine-grained differences in spatial environment between different defense areas. At the same time, ensemble learning technology reduces the negative impact of random noise and environmental interference. A large amount of data collected in the actual environment is used for comparison experiments. The results show that this model can achieve more accurate intrusion detection accuracy and has a wider practical application range by effectively fusing environmental information. In addition, the effectiveness of the new component designed is verified through ablation experiments.

Yangyang Mei,Weihong Han,Shudong Li,Kaihan Lin,Zhihong Tian,Shumei Li

DOI: https://doi.org/10.1109/tits.2024.3360260

IF: 8.5

2024-01-01

IEEE Transactions on Intelligent Transportation Systems

Abstract:The Internet now plays a pivotal role in the social and economic landspace, providing individuals and businesses with access to essential daily services and tasks. However, it has also become a breeding ground for conflicts. Advanced Persistent Threats (APTs) pose a formidable chanllenge when directed at organizations and governments, exposing the entire network to substantial security risks. Employing network fornesics for attributing cyber-attacks and acquiring timely, credible forensic results is a fundamental challenge in maintaining cyber security. This paper introduces a Deep Learning-based network forensics framework for digitally identifying and tracking network attacks, providing a comprehensive overview of the network forensics process. Specifically, we extract network traffic and employ encryption to ensure the integrity and security of data. Subsequently, we apply feature filtering techniques to retain essential traceability information, and Deep Learning model parameters are automatically optimized using hyperparameter optimization techniques. Lastly, we develop a Multi-Layer Perceptual Deep Neural Network (MLP DNN) model with perceptual capabilities for detecting anomalous events within the network. We evaluated the framework’s effectiveness using the UNSW-NB15 dataset. The experiments demonstrate that the proposed framework is applicable to APT attack forensics scenarios. In comparison to other AI methods, our framework excels in discovering and tracking network attack events with high performance.

engineering, electrical & electronic,transportation science & technology, civil

Bayi Xu,Lei Sun,Xiuqing Mao,Chengwei Liu,Zhiyi Ding

DOI: https://doi.org/10.32604/cmc.2023.046478

2024-01-01

Abstract:In recent years, frequent network attacks have highlighted the importance of efficient detection methods for ensuring cyberspace security. This paper presents a novel intrusion detection system consisting of a data preprocessing stage and a deep learning model for accurately identifying network attacks. We have proposed four deep neural network models, which are constructed using architectures such as Convolutional Neural Networks (CNN), Bi-directional Long Short-Term Memory (BiLSTM), Bidirectional Gate Recurrent Unit (BiGRU), and Attention mechanism. These models have been evaluated for their detection performance on the NSL-KDD dataset.To enhance the compatibility between the data and the models, we apply various preprocessing techniques and employ the particle swarm optimization algorithm to perform feature selection on the NSL-KDD dataset, resulting in an optimized feature subset. Moreover, we address class imbalance in the dataset using focal loss. Finally, we employ the BO-TPE algorithm to optimize the hyperparameters of the four models, maximizing their detection performance. The test results demonstrate that the proposed model is capable of extracting the spatiotemporal features of network traffic data effectively. In binary and multiclass experiments, it achieved accuracy rates of 0.999158 and 0.999091, respectively, surpassing other state-of-the-art methods.

computer science, information systems,materials science, multidisciplinary

Chongzhen Zhang,Yanli Chen,Yang Meng,Fangming Ruan,Runze Chen,Yidan Li,Yaru Yang

DOI: https://doi.org/10.1155/2021/6610675

IF: 1.968

2021-01-25

Security and Communication Networks

Abstract:Traditional machine learning-based intrusion detection often only considers a single algorithm to identify intrusion data, lack of the flexibility method, low detection rate, no handing high-dimensional data, and cannot solve these problems well. In order to improve the performance of intrusion detection system, a novel general intrusion detection framework was proposed in this paper, which consists of five parts: preprocessing module, autoencoder module, database module, classification module, and feedback module. The data processed by the preprocessing module are compressed by the autoencoder module to obtain a lower-dimensional reconstruction feature, and the classification result is obtained through the classification module. Compressed features of each traffic are stored in the database module which can both provide retraining and testing for the classification module and restore these features to the original traffic for postevent analysis and forensics. For evaluation of the framework performance proposed, simulation was conducted with the CICIDS2017 dataset to the real traffic of the network. As the experimental results, the accuracy of binary classification and multiclass classification is better than previous work, and high-level accuracy was reached for the restored traffic. At the last, the possibility was discussed on applying the proposed framework to edge/fog networks.

computer science, information systems,telecommunications