Shaoyu Wang,Xinyu Wang,Liangpei Zhang,Yanfei Zhong

DOI: https://doi.org/10.1109/tgrs.2021.3057721

IF: 8.2

2021-01-01

IEEE Transactions on Geoscience and Remote Sensing

Abstract:Hyperspectral anomaly detection is aimed at detecting observations that differ from their surroundings, and is an active area of research in hyperspectral image processing. Recently, autoencoders (AEs) have been applied in hyperspectral anomaly detection; however, the existing AE-based methods are complicated and involve manual parameter setting and preprocessing and/or postprocessing procedures. In this article, an autonomous hyperspectral anomaly detection network (Auto-AD) is proposed, in which the background is reconstructed by the network and the anomalies appear as reconstruction errors. Specifically, through a fully convolutional AE with skip connections, the background can be reconstructed while the anomalies are difficult to reconstruct, since the anomalies are relatively small compared to the background and have a low probability of occurring in the image. To further suppress the anomaly reconstruction, an adaptive-weighted loss function is designed, where the weights of potential anomalous pixels with large reconstruction errors are reduced during training. As a result, the anomalies have a higher contrast with the background in the map of reconstruction errors. The experimental results obtained on a public airborne data set and two unmanned aerial vehicle-borne hyperspectral data sets confirm the effectiveness of the proposed Auto-AD method.

Lu Chen,Tao Zhang,Yuanyuan Ma,Mu Chen

DOI: https://doi.org/10.1109/iist62526.2024.00098

2024-01-01

Abstract:With the increasing complexity, automation, and intelligence of network attacks, new types of attacks are constantly emerging in the network, posing great challenges to network attack detection and timely response based on prior rules. In order to more effectively and accurately identify abnormal traffic, a network abnormal traffic detection algorithm based on improved convolutional neural networks is proposed. The algorithm first inputs the key features of traffic anomaly monitoring, converts them into color images through visualization technology, extracts higher dimensional features, and then uses neural structure search technology to find a lightweight convolutional network structure with high accuracy and less time consumption. The optimal model is used to output the type of traffic anomaly. The results indicate that the algorithm has a higher accuracy and the shortest classification time for a single image.

Zhongnan Zhao,Hongwei Guo,Yue Wang

DOI: https://doi.org/10.1038/s41598-024-66760-0

IF: 4.6

2024-07-13

Scientific Reports

Abstract:Network traffic anomaly detection, as an effective analysis method for network security, can identify differentiated traffic information and provide secure operation in complex and changing network environments. To avoid information loss caused when handling traffic data while improving the detection performance of traffic feature information, this paper proposes a multi-information fusion model based on a convolutional neural network and AutoEncoder. The model uses a convolutional neural network to extract features directly from the raw traffic data, and a AutoEncoder to encode the statistical features extracted from the raw traffic data, which are used to supplement the information loss due to cropping. These two features are combined to form a new integrated feature for network traffic, which has the load information from the original traffic data and the global information of the original traffic data obtained from the statistical features, thus providing a complete representation of the information contained in the network traffic and improving the detection performance of the model. The experiments show that the classification accuracy of network traffic anomaly detection using this model outperforms that of classical machine learning methods.

multidisciplinary sciences

Zecheng Li,Shengyuan Chen,Hongshu Dai,Dunyuan Xu,Cheng-Kang Chu,Bin Xiao

DOI: https://doi.org/10.1109/tr.2022.3204349

IF: 5.883

2022-01-01

IEEE Transactions on Reliability

Abstract:Abnormal traffic detection is the core component of the network intrusion detection system. Although semisupervised methods can detect zero-day attack traffic, previous work suffers from high false alarms because the trained model is simply based on normal traffic. In this article, we propose an accurate abnormal traffic detection method using pseudoanomaly, consisting of an efficient feature extraction framework and a novel denoise autoencoder-generative adversarial network (DAE-GAN) model. The feature extraction framework adopts an innovative packet window scheme to extract spatial and temporal features from traffic flows. The DAE-GAN model has multiple DAEs to achieve efficient data augmentation and generate high-quality pseudoanomalies. The pseudoanomalies are obtained by adding noise on normal traffic and enhanced by adversarial learning in DAE-GAN. Our semisupervised detection method, exploiting both normal data and generated pseudoanomalies, achieves a precision of 98.6 on the NSL-KDD dataset and 98.5 on the UNSW-NB15 dataset. Compared with the state-of-the-art, the detection precision and recall under different user behaviors are significantly improved. The evaluation on four attack datasets shows that our method has a high flow-wise precision of over 99 and a high recall of 60.6.

engineering, electrical & electronic,computer science, software engineering, hardware & architecture

Xueyuan Duan,Yu Fu,Kun Wang

DOI: https://doi.org/10.48550/arXiv.2205.03907

2022-05-08

Networking and Internet Architecture

Abstract:To address the problem that traditional network traffic anomaly detection algorithms do not suffi-ciently mine potential features in long time domain, an anomaly detection method based on mul-ti-scale residual features of network traffic is proposed. The original traffic is divided into subse-quences of different time spans using sliding windows, and each subsequence is decomposed and reconstructed into data sequences of different levels using wavelet transform technique; the stacked autoencoder (SAE) constructs similar feature space using normal network traffic, and gen-erates reconstructed error vector using the difference between reconstructed samples and input samples in the similar feature space; the multi-path residual group is used to learn reconstructed error The traffic classification is completed by a lightweight classifier. The experimental results show that the detection performance of the proposed method for anomalous network traffic is sig-nificantly improved compared with traditional methods; it confirms that the longer time span and more S transformation scales have positive effects on discovering potential diversity information in the original network traffic.

Zhixia Zhang,Liping Xie

DOI: https://doi.org/10.1002/cpe.5861

2020-01-01

Abstract:At present, irrelevant or redundant features in network traffic data occupy a lot of storage and computing resources, reducing the accuracy of network anomaly detection. Aiming at this problem, a many-objective feature selection model is proposed in this article. The model takes the number of selected feature, false alarm rate, detection rate, precision and accuracy as the optimization objectives, and characterizes the performance of the feature selection method from different perspectives. At the same time, a many-objective integration optimization algorithm (IN-MaOEA) is designed to solve this model. First, the algorithm will build the evolution strategy pool and the dominance strategy pool, then a random probability strategy selection mechanism is designed to improve the algorithm's convergence and diversity. At the same time, an anomaly detection simulation was performed using the NSL-KDD dataset. Experimental results show that the IN-MaOEA algorithm can effectively improve the performance of detection.

Lisheng Huang,Jinye Ran,Wenyong Wang,Tan Yang,Yu Xiang

DOI: https://doi.org/10.1016/j.comnet.2020.107645

IF: 5.493

2021-02-01

Computer Networks

Abstract:<p>This paper proposes a novel multi-channel network traffic anomaly detection method combined with the idea of multi-scale decomposition, feature selection and fusion. Our method includes a feature selection and fusion module, which extracts the most important features from redundancy traffic features and fuses the selected features, a multi-scale decomposition module, and a multi-channel Generalized Likelihood Ratio Test (GLRT) detection module, for anomaly detection and decision-making. The advantage of our method is that, first, it only considers the selected features and reduces the amount of computation. Second, compared with traditional anomaly detection methods that usually work on each scale independently thus mainly focused on temporally correlated traffic, our method fully explores the internal frequency-time correlations within multiple scales. It can be verified with experiments that this method performs better than other traditional methods, thus gives a new sight on the anomaly detection with different types of traffic data.</p>

computer science, information systems,telecommunications,engineering, electrical & electronic, hardware & architecture

Shuhan Chen,Xiaorun Li,Yunfeng Yan

DOI: https://doi.org/10.3390/rs15225266

IF: 5

2023-01-01

Remote Sensing

Abstract:As an unsupervised data representation neural network, auto-encoder (AE) has shown great potential in denoising, dimensionality reduction, and data reconstruction. Many AE-based background (BKG) modeling methods have been developed for hyperspectral anomaly detection (HAD). However, their performance is subject to their unbiased reconstruction of BKG and target pixels. This article presents a rather different low rank and sparse matrix decomposition (LRaSMD) method based on AE, named auto-encoder and independent target (AE-IT), for hyperspectral anomaly detection. First, the encoder weight matrix, obtained by a designed AE network, is utilized to construct a projector for generating a low-rank component in the encoder subspace. By adaptively and reasonably determining the number of neurons in the latent layer, the designed AE-based method can promote the reconstruction of BKG. Second, to ensure independence and representativeness, the component in the encoder orthogonal subspace is made into a sphere and followed by finding of unsupervised targets to construct an anomaly space. In order to mitigate the influence of noise on anomaly detection, sparse cardinality (SC) constraint is enforced on the component in the anomaly space for obtaining the sparse anomaly component. Finally, anomaly detector is constructed by combining Mahalanobi distance and multi-components, which include encoder component and sparse anomaly component, to detect anomalies. The experimental results demonstrate that AE-IT performs competitively compared to the LRaSMD-based models and AE-based approaches.

Laisen Nie,Yongkang Li,Xiangjie Kong

DOI: https://doi.org/10.1109/access.2018.2854842

IF: 3.9

2018-01-01

IEEE Access

Abstract:Over the last decade, vehicular ad-hoc networks (VANETs) have received a greater attention in academia and industry due to their influence in intelligent transportation systems. Providing reliability and security to the VANET is essential in order to guarantee the efficiency of its applications. Anomaly detection has become a challenging problem due to the unique environment of VANETs with quick movement and short-lived link. In this paper, a method using the spatio-temporal feature of network traffic is proposed to implement network traffic estimation at first, and on this basis, an anomaly detection algorithm is put forward. The convolutional neural network is employed to extract the spatio-temporal features of the traffic matrix. In terms of the extracted features, network traffic is estimated by using a fully connected architecture as the output layer. Then, a threshold-based separation method is used to implement anomaly detection. The preliminary experiments comparing the proposed method with other machine learning-based methods show the effectiveness of the proposed anomaly detection method.

Song Hao,Wentao Fu,Xuanze Chen,Chengxiang Jin,Jiajun Zhou,Shanqing Yu,Qi Xuan

2024-09-12

Abstract:Traditional anomalous traffic detection methods are based on single-view analysis, which has obvious limitations in dealing with complex attacks and encrypted communications. In this regard, we propose a Multi-view Feature Fusion (MuFF) method for network anomaly traffic detection. MuFF models the temporal and interactive relationships of packets in network traffic based on the temporal and interactive viewpoints respectively. It learns temporal and interactive features. These features are then fused from different perspectives for anomaly traffic detection. Extensive experiments on six real traffic datasets show that MuFF has excellent performance in network anomalous traffic detection, which makes up for the shortcomings of detection under a single perspective.

Machine Learning

Zhiyu Ren,Xiaojie Li,Jing Peng,Ken Chen,Qushan Tan,Xi Wu,Canghong Shi

DOI: https://doi.org/10.1038/s41598-024-51374-3

IF: 4.6

2024-01-14

Scientific Reports

Abstract:Traffic time series anomaly detection has been intensively studied for years because of its potential applications in intelligent transportation. However, classical traffic anomaly detection methods often overlook the evolving dynamic associations between road network nodes, which leads to challenges in capturing the long-term temporal correlations, spatial characteristics, and abnormal node behaviors in datasets with high periodicity and trends, such as morning peak travel periods. In this paper, we propose a mirror temporal graph autoencoder (MTGAE) framework to explore anomalies and capture unseen nodes and the spatiotemporal correlation between nodes in the traffic network. Specifically, we propose the mirror temporal convolutional module to enhance feature extraction capabilities and capture hidden node-to-node features in the traffic network. Morever, we propose the graph convolutional gate recurrent unit cell (GCGRU CELL) module. This module uses Gaussian kernel functions to map data into a high-dimensional space, and enables the identification of anomalous information and potential anomalies within the complex interdependencies of the traffic network, based on prior knowledge and input data. We compared our work with several other advanced deep-learning anomaly detection models. Experimental results on the NYC dataset illustrate that our model works best compared to other models for traffic anomaly detection.

multidisciplinary sciences

Tangda Yu,Futai Zou,Linsen Li,Ping Yi

DOI: https://doi.org/10.1109/cyberc.2019.00020

2019-01-01

Abstract:In recent years, with the widespread use of encrypted traffic communication technology, network traffic encryption has been gradually becoming a standard of communication. This phenomenon has a great impact on traditional traffic detection methods, especially on anomaly detection methods, which are highly dependent on the type of network protocol types and traffic data. By surveying the existing encrypted traffic classification and analyzing these methods, we found that there are two main methods for detection: payload-based detection and feature-based detection. On this basis, this paper puts forward an Encrypted Malicious Traffic Detection System which is based on multi-AEs(Autoencoder). We use malicious sandbox for traffic data collection, mark malicious flow and normal flow with labels. After that, we use multilayer networks of AEs for feature extraction and training classifier model. Our system analyzes the feature of cryptographic protocol from handshake phase to Authentication phase on the basis of existing research, and we extract the traffic feature for a better classification by further expanding flow feature vector to the higher dimensions. In addition, we compared the performance of our model with the traditional learning model under the same environment. The experimental results showed that our system had higher detection accuracy and lower loss rate. We also studied the influence of dataset imbalance on results in the detection of encrypted traffic by several experiments. According to the experimental evaluation, dataset imbalance will lead to the decrease of positive rate.

Van Quan Nguyen,Viet Hung Nguyen,Nhien-An Le-Khac,Van Loi Cao

DOI: https://doi.org/10.1007/978-3-030-63924-2_17

2020-01-01

Abstract:AbstractA novel hybrid approach between clustering methods and autoencoders (AEs) is introduced for detecting network anomalies in a semi-supervised manner. A previous work has developed regularized AEs, namely Shrink AE (SAE) and Dirac Delta Variational AE (DVAE) that learn to represent normal data into a very small region being close to the origin in their middle hidden layers (latent representation). This work based on the assumption that normal data points may share some common characteristics, so they can be forced to distribute in a small single cluster. In some scenarios, however, normal network data may contain data from very different network services, which may result in a number of clusters in the normal data. Our proposed hybrid model attempts to automatically discover these clusters in the normal data in the latent representation of AEs. At each iteration, an AE learns to map normal data into the latent representation while a clustering method tries to discover clusters in the latent normal data and force them being close together. The co-training strategy can help to reveal true clusters in normal data. When a querying data point coming, it is first mapped into the latent representation of the AE, and its distance to the closest cluster center can be used as an anomaly score. The higher anomaly score a data point has, the more likely it is anomaly. The method is evaluated with four scenarios in the CTU13 dataset, and experiments illustrate that the proposed hybrid model often out-performs SAE on three out of four scenarios.

Chunying Zhang,Meng Zhang,Guanghui Yang,Tao Xue,Zichi Zhang,Lu Liu,Liya Wang,Wei Hou,Zhihai Chen

DOI: https://doi.org/10.3390/electronics12081788

IF: 2.9

2023-01-01

Electronics

Abstract:With the application and development of Internet technology, network traffic is growing rapidly, and the situation of network security is becoming more and more serious. As an important way to protect network security, abnormal traffic detection has been paid more and more attention. In this paper, the uncertainty of the samples in the abnormal traffic detection dataset is studied. Combining the three-way decision idea with the random forest algorithm, a three-way selection random forest optimization model for abnormal traffic detection is proposed. Firstly, the three-way decision idea is integrated into the random selection process of feature attributes, and the attribute importance based on decision boundary entropy is calculated. The feature attributes are divided into the normal domain, abnormal domain, and uncertain domain, and the three-way attribute random selection rules are designed to randomly select the feature attributes that conform to the rules from different domains. Secondly, the classifier evaluation function is constructed by combining pure accuracy and diversity, and the anomaly traffic detection base classifier with a high evaluation value is selected for integration to eliminate the unstable factors caused by randomness in the process of base classifier generation. Thirdly, the optimal node weight combination of the base classifier is obtained by iterative calculation of the gray wolf optimization algorithm to further improve the prediction effect and robustness of the model. Finally, the model is applied to the abnormal traffic detection dataset. The experimental results show that the prediction accuracy of the three-way selection random forest optimization model on CIC-IDS2017, KDDCUP99, and NSLKDD datasets is 96.1%, 95.2%, and 95.3%, respectively, which has a better detection effect than other machine learning algorithms.

Guolou Ping,Shuo Feng,Yehao Li,Xiaojun Ye

DOI: https://doi.org/10.1109/iccc56324.2022.10065635

2022-01-01

Abstract:To address the challenge of lacking labeling information in network traffic anomaly detection, we propose an unsupervised anomaly detection algorithm based on cascading representation and multiple-clustering. First, this paper designs a cascading representation method to obtain discriminative traffic features. We create a residual auto-encoder that employs generative learning to capture generic statistical expressions. We augment the time-series features in various ways and leverage contrastive learning to capture discriminative representations. We develop a host identification task based on triplet loss, enhancing feature discrimination in addition to cascading two feature representations. Second, we design a multiple-clustering-based algorithm for anomalous traffic detection. By performing KMeans on the cascading feature representations, we obtained clustering centers to replace each cluster and avoid the problem of unbalanced abnormal traffic. By applying DBSACAN clustering with a tree structure to these clustering centers and using the height of the anomalies to calculate the traffic anomaly score, we can detect abnormal network traffic flexibly. Finally, we conducted experimental validation on several commonly used intrusion detection datasets. The experimental results show that the method proposed in this paper generally outperforms the comparison methods.

Junzhou Chen,Jiajun Pu,Baiqiao Yin,Ronghui Zhang,Jun Jie Wu

DOI: https://doi.org/10.1109/tits.2024.3365820

IF: 8.5

2024-01-01

IEEE Transactions on Intelligent Transportation Systems

Abstract:In the realm of road surveillance systems, Automatic Incident Detection (AID) methods have shown promise in swiftly and precisely detecting traffic anomalies. Nevertheless, the paucity of frame-level precisely annotated training data poses substantial challenges. To navigate this issue, we introduce TA-NET, a novel framework designed to highly efficient traffic anomaly detection. TA-NET utilizes a generic dataset pre-training model to facilitate weakly supervised learning. It comprises two main modules: the Adaptive Hierarchical Feature Reconstruction Block (AHFRB) and the Multi-Head Local Self-Attention (MHLSA) mechanism. AHFRB refines the feature extractor by reconstructing the features drawn from the pre-trained model. Concurrently, MHLSA scrutinizes the contextual relationships between contiguous video segments and bolsters anomaly detection accuracy. Our approach was validated using the TAD testing dataset, with the results highlighting the efficacy of TA-NET. Remarkably, it accomplishes an Area Under the Curve (AUC) of 94.47% for the overall dataset and 70.78% for the anomaly subset. These scores surpass the previous state-of-the-art method by 1.54% and 4.96%, respectively, attesting to TA-NET’s superior performance. Consequently, our study offers a fresh perspective and sets a new standard for future video-based traffic incident detection research.

Yao Xiao,Chunying Kang,Hongchen Yu,Tao Fan,Haofang Zhang

DOI: https://doi.org/10.3390/s22197548

2022-10-05

Abstract:In recent years, network traffic contains a lot of feature information. If there are too many redundant features, the computational cost of the algorithm will be greatly increased. This paper proposes an anomalous network traffic detection method based on Elevated Harris Hawks optimization. This method is easier to identify redundant features in anomalous network traffic, reduces computational overhead, and improves the performance of anomalous traffic detection methods. By enhancing the random jump distance function, escape energy function, and designing a unique fitness function, there is a unique anomalous traffic detection method built using the algorithm and the neural network for anomalous traffic detection. This method is tested on three public network traffic datasets, namely the UNSW-NB15, NSL-KDD, and CICIDS2018. The experimental results show that the proposed method does not only significantly reduce the number of features in the dataset and computational overhead, but also gives better indicators for every test.

Shiyong Dai,Yufei Zhao,Jinhua Huang,Xuxian Wang,Guifei Zhao,Lei Zhang,Ming Xie,Ziyue Guo

DOI: https://doi.org/10.1109/access.2023.3306243

IF: 3.9

2023-01-01

IEEE Access

Abstract:Network traffic anomaly detection methods can detect traffic that is significantly different from normal traffic by analyzing network traffic, and are seen as an effective means to detect unknown new attacks because they do not rely on static feature codes. However, most of the current network traffic anomaly detection methods have low accuracy and high false alarm rate. In this paper, an OS-ELM (Online Sequential Extreme Learning Machine) network traffic anomaly detection method is proposed. First, we use SMOTE to balance the data samples to improve the classification detection performance. In order to reduce the high dimensionality between data features and eliminate the redundancy, the Stacked Denoising Autoencoder (SDAE) network is adopt to reduce the dimension of the feature vectors. Finally, we test the real network traffic and analyze the effect of model structure and external noise on the detection performance, and the experimental results verify the correctness of our scheme. Compared with other detection methods based on data reconstruction, the proposed method has higher detection accuracy and better detection performance.

computer science, information systems,telecommunications,engineering, electrical & electronic

Huiyao Dong,Igor Kotenko

DOI: https://doi.org/10.1016/j.future.2024.04.005

IF: 7.307

2024-04-22

Future Generation Computer Systems

Abstract:As a system allowing intra-network devices to automatically communicate over the Internet, the Internet of Things (IoT) faces increasing popularity in modern applications and security threats – particularly network intrusions that target both networks and devices. A major threat is network attacks that attempt to obtain unauthorised access and damage the networks or systems. To effectively safeguard against these attacks, it is essential to use efficient hybrid intrusion detection systems with advanced techniques. Deep learning-based algorithms, such as Autoencoders (AEs), have been recognised as efficient methods for intrusion detection. However, it is crucial to further analyse the impact of different structures on detection performance. This paper proposes a method combining AE for data reconstruction and anomaly detection and multi-task learning (MTL)-structured models for IoT traffic classification. Additionally, we suggest a hybrid resampling technique with the Synthetic Minority Over-Sampling Technique and Generative Adversarial Network (SMOTE-GAN) for enhanced training and conduct a comparative analysis of different neural networks with AEs. The experimental results on two publicly available datasets demonstrate the effectiveness and practicality of the proposed AE-MTL approach comparing with single-task learning. Additionally, while the performance varies on different datasets, Long Short-Term Memory (LSTM), Gated Recurrent Units (GRU) and Convolutional Neural Network (CNN) have improved the detection of minor classes.

computer science, theory & methods

Wengang Ma,Yadong Zhang,Jin Guo,Kehong Li

DOI: https://doi.org/10.2991/ijcis.d.210301.003

IF: 2.259

2021-01-01

International Journal of Computational Intelligence Systems

Abstract:Complex and multidimensional network traffic features have potential redundancy. When traditional detection methods are used for training samples, the detection accuracy of the supervised classification model is affected due to small data samples. Therefore, a method based on generative adversarial networks (GANs) and feature optimization is proposed....

computer science, artificial intelligence, interdisciplinary applications