Lu Chen,Tao Zhang,Yuanyuan Ma,Mu Chen

DOI: https://doi.org/10.1109/iist62526.2024.00098

2024-01-01

Abstract:With the increasing complexity, automation, and intelligence of network attacks, new types of attacks are constantly emerging in the network, posing great challenges to network attack detection and timely response based on prior rules. In order to more effectively and accurately identify abnormal traffic, a network abnormal traffic detection algorithm based on improved convolutional neural networks is proposed. The algorithm first inputs the key features of traffic anomaly monitoring, converts them into color images through visualization technology, extracts higher dimensional features, and then uses neural structure search technology to find a lightweight convolutional network structure with high accuracy and less time consumption. The optimal model is used to output the type of traffic anomaly. The results indicate that the algorithm has a higher accuracy and the shortest classification time for a single image.

Laisen Nie,Yongkang Li,Xiangjie Kong

DOI: https://doi.org/10.1109/access.2018.2854842

IF: 3.9

2018-01-01

IEEE Access

Abstract:Over the last decade, vehicular ad-hoc networks (VANETs) have received a greater attention in academia and industry due to their influence in intelligent transportation systems. Providing reliability and security to the VANET is essential in order to guarantee the efficiency of its applications. Anomaly detection has become a challenging problem due to the unique environment of VANETs with quick movement and short-lived link. In this paper, a method using the spatio-temporal feature of network traffic is proposed to implement network traffic estimation at first, and on this basis, an anomaly detection algorithm is put forward. The convolutional neural network is employed to extract the spatio-temporal features of the traffic matrix. In terms of the extracted features, network traffic is estimated by using a fully connected architecture as the output layer. Then, a threshold-based separation method is used to implement anomaly detection. The preliminary experiments comparing the proposed method with other machine learning-based methods show the effectiveness of the proposed anomaly detection method.

Pengfei Xiong,Baojiang Cui,Zishuai Cheng

DOI: https://doi.org/10.1007/978-3-030-50399-4_37

2020-01-01

Abstract:Traffic data distribution problem and novel network attack pose great threat to the traditional machine learning based anomaly network traffic detection system. In this paper, we design a method based on deep transfer learning to try to solve these problems. To evaluate the performance of the proposed method, we use the basic classifiers KNN, SVM, RandomForest, Xgboost and the basic classifiers above based on the TCA mapping method as benchmark on the NSL-KDD dataset. The experiment result shows that it can solve the inconsistent distribution of different network traffic data and possible novel attacks in network traffic detection tasks to some extent.

Zhihong Zhang

DOI: https://doi.org/10.1109/ICTEI60496.2023.00065

2023-09-11

Abstract:At present, most network intrusion detection is to analyze the data afterwards, that is, after the attack, it can react. This is not conducive to the timely detection of anomalies and the effective management of the network. Therefore, this paper designs a network traffic anomaly detection algorithm based on Deep CNN (Convective Neural Network). For the safety and reliability of data transmission and the reasonable allocation of network resources, it is necessary to detect the anomaly of network traffic. In view of the current Internet security requirements, simple and quick methods can quickly and effectively detect security incidents when they break out, thus gaining time for network defense. Finally, the detection accuracy of the algorithm proposed in this paper is compared with GA and ACA. The results show that the detection accuracy is the ratio between the number of abnormal traffic time series detected and the expected number of abnormal sequences. It can be seen that the accuracy of the three algorithms can reach $50 \%$, but the detection accuracy of the algorithm proposed in this paper is the highest, with an average accuracy of $94.13 \%$. The algorithm in this paper ensures a high detection speed while maintaining a certain detection accuracy.

Engineering,Computer Science

Daoquan Li,Xueqing Dong,Jie Gao,Keyong Hu

DOI: https://doi.org/10.1109/access.2023.3289200

IF: 3.9

2023-01-01

IEEE Access

Abstract:Abnormal traffic detection is critical to network security and quality of service. However, the similarity of features and the single dimension of the detection model cause great difficulties for abnormal traffic detection, and thus a big-step convolutional neural network traffic detection model based on the attention mechanism is proposed. Firstly, the network traffic characteristics are analyzed and the raw traffic is preprocessed and mapped into a two-dimensional grayscale image. Then, multi-channel grayscale images are generated by histogram equalization, and an attention mechanism is introduced to assign different weights to traffic features to enhance local features. Finally, pooling-free convolutional neural networks are combined to extract traffic features of different depths, thus improving the defects such as local feature omission and overfitting in convolutional neural networks. The simulation experiment was carried out in a balanced public data set and an actual data set. Using the commonly used algorithm SVM as a baseline, the proposed model is compared with ANN, CNN, RF, Bayes and two latest models. Experimentally, the accuracy rate with multiple classifications is 99.5%. The proposed model has the best anomaly detection. And the proposed method outperforms other models in precision, recall, and F1. It is demonstrated that the model is not only efficient in detection, but also robust and robust to different complex environments.

computer science, information systems,telecommunications,engineering, electrical & electronic

Wanting Hu,Lu Cao,Qunsheng Ruan,Qingfeng Wu

DOI: https://doi.org/10.3390/s23115059

2023-05-25

Abstract:Network traffic anomaly detection is a key step in identifying and preventing network security threats. This study aims to construct a new deep-learning-based traffic anomaly detection model through in-depth research on new feature-engineering methods, significantly improving the efficiency and accuracy of network traffic anomaly detection. The specific research work mainly includes the following two aspects: 1. In order to construct a more comprehensive dataset, this article first starts from the raw data of the classic traffic anomaly detection dataset UNSW-NB15 and combines the feature extraction standards and feature calculation methods of other classic detection datasets to re-extract and design a feature description set for the original traffic data in order to accurately and completely describe the network traffic status. We reconstructed the dataset DNTAD using the feature-processing method designed in this article and conducted evaluation experiments on it. Experiments have shown that by verifying classic machine learning algorithms, such as XGBoost, this method not only does not reduce the training performance of the algorithm but also improves its operational efficiency. 2. This article proposes a detection algorithm model based on LSTM and the recurrent neural network self-attention mechanism for important time-series information contained in the abnormal traffic datasets. With this model, through the memory mechanism of the LSTM, the time dependence of traffic features can be learned. On the basis of LSTM, a self-attention mechanism is introduced, which can weight the features at different positions in the sequence, enabling the model to better learn the direct relationship between traffic features. A series of ablation experiments were also used to demonstrate the effectiveness of each component of the model. The experimental results show that, compared to other comparative models, the model proposed in this article achieves better experimental results on the constructed dataset.

Haoran Yu,Wenchuan Yang,Baojiang Cui,Runqi Sui,Xuedong Wu

DOI: https://doi.org/10.1186/s42400-024-00297-7

2024-01-01

Abstract:AbstractAbnormal traffic detection is a crucial topic in the field of network security. However, existing methods face many challenges when processing complex high-dimensional traffic data. Especially in dealing with redundant features, data sparsity and nonlinear features, traditional methods often suffer from high computational complexity and low detection efficiency. It is challenging to capture potential patterns in complex data effectively and cannot fully meet the needs of practical applications. To address these challenges, this paper proposes an enhanced anomaly traffic detection framework using bidirectional generative adversarial networks (BiGAN) and contrastive learning. This method preprocesses high-dimensional data through steps such as data cleaning, normalization, and clustering to improve data quality. It uses BiGAN and contrastive learning technology to enhance the model's feature representation capabilities. Experimental results show that the method proposed in this paper performs well on multiple traffic data sets and significantly improves the accuracy and efficiency of anomaly detection. Overall, the solution proposed in this paper effectively overcomes the limitations of existing methods in high-dimensional data processing and provides a more advanced abnormal traffic detection strategy.

Jiali Yin,Bin Hou,Jiapeng Dai,Yunxiao Zu

DOI: https://doi.org/10.1145/3653781.3653807

2024-01-01

Abstract:Abstract: Network traffic anomaly detection technology is an effective method for monitoring network security status and identifying potential attacks. With the increasing volume of network traffic data exhibiting high dimensionality and imbalance, traditional intrusion detection models face limitations in detection efficiency and accuracy. Existing intrusion detection methods often overlook issues related to temporal features in data and class imbalances, further hindering intrusion detection efficiency. In response to these challenges, this paper proposes an attention-based convolutional neural networks–long short-term memory (CNN-BiLSTM) network structure to enhance intrusion detection efficiency. By integrating CNN and BiLSTM networks to jointly learn spatio-temporal features of the data, and introducing an attention mechanism to deeply capture hidden feature relationships, this approach accelerates model convergence while balancing accuracy and efficiency. Additionally, to address class imbalance issues in network anomaly traffic, this study optimizes the cross-entropy loss function by introducing a cyclical focal loss function (CFL). This function cyclically adjusts the model's focus on different samples, thereby enhancing the detection rate of challenging samples and improving the model's generalization capabilities. Experiments conducted on the UNSW-NB15 datasets demonstrate that the proposed algorithm achieves a high accuracy of 97.09% while ensuring efficiency. Moreover, it effectively enhances the detection rate of imbalanced samples, highlighting its capability in handling class imbalances within anomaly traffic. Keywords: abnormal traffic detection detection; attention mechanism; CNN-BiLSTM; imbalanced data

Jing Bi,Lifeng Xu,Haitao Yuan,Jia Zhang

DOI: https://doi.org/10.1109/smc53992.2023.10394549

2023-01-01

Abstract:Nowadays, rapid development of Internet has brought a sharp increase in traffic data. Abnormal traffic haS serious impact on network security. Traffic anomaly detection can be achieved by extracting characteristics of network traffic to detect anomalous intrusions, and therefore, anomaly detection algorithms are of great significance to maintenance of network security. This work proposes a hybrid spatio-temporal neural network with attention named CTGA to effectively identify anomalous traffic. CTGA combines a Convolutional neural network (CNN), a Temporal convolutional network (TCN), a bidirectional Gated recurrent unit network (BiGRU), and a self-Attention mechanism. It automatically extracts temporal and spatial features of sequences from raw data by sliding window preprocessing followed by CNN, TCN, BiGRU, and the self-attention mechanism to detect anomalous data. CNN is used to extract spatial features of time sequences and reduce the loss of spatial information. In the sequence, TCN obtains short-term features. Long-term dependencies in the data are captured by BiGRU, and the self-attention mechanism obtains important information in the sequence. Finally, experiments with the real-life Yahoo S5 dataset prove that CTGA outperforms other approaches substantially.

Niandong Liao,Xiaoxuan Li,Li, Xiaoxuan

DOI: https://doi.org/10.1007/s40815-022-01269-0

IF: 4.085

2022-03-23

International Journal of Fuzzy Systems

Abstract:As the digital world becomes the main complement to the physical world, establishing a solid line of defense against cyber attacks becomes critical and arduous. The intrusion detection systems (IDSs) based on the supervised learning method have achieved excellent performance, which requires a large amount of labeled data in the training phase. However, attacks occur much less frequently than normal behaviors, and it is difficult to obtain accurate labels. In addition, IDSs based on supervised learning cannot identify unknown attacks. At the same time, the problem that detection accuracy varies greatly with different applications is very significant in traditional unsupervised learning methods. Therefore, it is necessary to perform high-precision anomaly detection on unlabeled samples. This paper proposes a traffic anomaly detection model using K-means and Active Learning Method (ALM), which is mainly composed of a feature extraction module and an anomaly detection module. Firstly, the Pearson correlation coefficient and Light Gradient Boosting Machine (LightGBM) are used in the feature extraction module to select important features. Secondly, K-means divides the characteristic-processed traffic into normal or abnormal categories. Finally, the results of K-means are diffused through ALM, and new classification results are obtained after defuzzification, thereby improving the accuracy of anomaly detection. The latest CICDDoS2019 data set is used in the experiment. Experimental results show that the detection accuracy of the proposed model is above 90%, and the F1 score is above 95%, regardless of whether it is a binary classification of a single attack or a mixed classification of multiple attacks. Compared with three unsupervised learning methods K-means, Auto-encoder and short-term memory (LSTM) and three supervised learning methods Naive Bayes (NB), Support Vector Machine (SVM), Decision Tree (DT), the proposed model has higher classification accuracy and better generalization effect. This article is very helpful for exploring the application of unsupervised learning methods in network intrusion detection systems based on the characteristics of the data itself.

computer science, information systems,automation & control systems, artificial intelligence

Zecheng Li,Shengyuan Chen,Hongshu Dai,Dunyuan Xu,Cheng-Kang Chu,Bin Xiao

DOI: https://doi.org/10.1109/tr.2022.3204349

IF: 5.883

2022-01-01

IEEE Transactions on Reliability

Abstract:Abnormal traffic detection is the core component of the network intrusion detection system. Although semisupervised methods can detect zero-day attack traffic, previous work suffers from high false alarms because the trained model is simply based on normal traffic. In this article, we propose an accurate abnormal traffic detection method using pseudoanomaly, consisting of an efficient feature extraction framework and a novel denoise autoencoder-generative adversarial network (DAE-GAN) model. The feature extraction framework adopts an innovative packet window scheme to extract spatial and temporal features from traffic flows. The DAE-GAN model has multiple DAEs to achieve efficient data augmentation and generate high-quality pseudoanomalies. The pseudoanomalies are obtained by adding noise on normal traffic and enhanced by adversarial learning in DAE-GAN. Our semisupervised detection method, exploiting both normal data and generated pseudoanomalies, achieves a precision of 98.6 on the NSL-KDD dataset and 98.5 on the UNSW-NB15 dataset. Compared with the state-of-the-art, the detection precision and recall under different user behaviors are significantly improved. The evaluation on four attack datasets shows that our method has a high flow-wise precision of over 99 and a high recall of 60.6.

engineering, electrical & electronic,computer science, software engineering, hardware & architecture

Rongqiao Fan,Qiyuan Fan,Xue Li,Puming Wang,Jing Xu,Xin Jin,Shaowen Yao,Peng Liu

DOI: https://doi.org/10.1016/j.ins.2024.121210

IF: 8.1

2024-01-01

Information Sciences

Abstract:Network traffic anomaly detection is a crucial task for today's network monitoring and maintenance. However, with the rapid growth of network data volume, the data structure has become more and more complex, showing multi-modal characteristics, which makes traffic anomaly detection face a great challenge. The earlier proposed anomaly detection methods have the following deficiencies, i) Most of them are static or dynamic detection methods that only grow along the temporal modality. ii) Lower detection rate or higher computational cost. To address these deficiencies, this article proposes a traffic anomaly detection framework based on multi-modal incremental tensor decomposition, which has the following three highlights, i) Constructing traffic data as a tensor model to fully mine the correlation between data, and the proposed framework is applicable to the situation where traffic data grows dynamically along multiple modes. ii) Using the multi-modal incremental tensor decomposition method to process dynamically growing data without decomposing all the data, greatly reducing computational cost and improving data quality. iii) Using the XGBoost classification algorithm for anomaly detection to improve detection accuracy. Finally, the results of experiments on two real network traffic datasets NSL-KDD and CICDDOS 2019 show that the proposed framework can achieve a high detection rate of 99.21%, and has the characteristics of good scalability and fast detection speed.

Xiaolong Liang

DOI: https://doi.org/10.1109/netcit54147.2021.00053

2021-12-01

Abstract:With the rapid development of network communication technology, the continuous deepening of Internet application and the increasing enrichment of information, the Internet has become an important infrastructure of human society. With the development of network technology and the increasing complexity of network topology, the supervision of network is facing great challenges. Among them, network traffic anomaly detection is one of the important tasks in network supervision. It is an indispensable technical means in network intrusion detection, security monitoring, operation and maintenance. Network security has become a problem faced by people. Anomaly detection is valued by people in academia and industry because it can detect unknown attacks. Researchers have proposed a large number of anomaly detection methods and systems. However, with the continuous growth of network bandwidth and the continuous progress of network attack and defense game, the network itself is in the process of dynamic evolution, and the means and methods of network attack are also evolving, resulting in the improvement of detection accuracy and accuracy of anomaly detection system Operational efficiency, security and ease of use are facing severe challenges. It is of great significance to propose anomaly detection methods with high detection accuracy and high operation efficiency and optimize existing detection algorithms. It is also a cutting-edge scientific problem of common concern in the field of global network security in academia and industry. Based on the prediction model and classifier, this paper proposes a real-time online anomaly detection method for network traffic, and systematically implements this method.

Fengqin Zuo,Damin Zhang,Lun Li,Qing He,Jiaxin Deng

DOI: https://doi.org/10.1016/j.heliyon.2024.e32087

IF: 3.776

2024-05-29

Heliyon

Abstract:One of the critical technologies to ensure cyberspace security is network traffic anomaly detection, which detects malicious attacks by analyzing and identifying network traffic behavior. The rapid development of the network has led to explosive growth in network traffic, which seriously impacts the user's information security. Researchers have delved into intrusion detection as an active defense technology to address this challenge. However, traditional machine learning methods struggle to capture complex threats and attack patterns when dealing with large-scale network data. In contrast, deep learning methods have the advantages of automatically extracting features from network traffic data and strong generalization capabilities. Aiming to enhance the ability of network anomaly traffic detection, this paper proposes a network traffic anomaly detection based on Deep Residual Shrinkage Network (DRSN), namely "GSOOA-1DDRSN". This method uses an improved Osprey optimization algorithm to select the most relevant and essential features in network traffic, reducing the features' dimensionality. For better detection performance of network traffic anomalies, a one-dimensional deep residual shrinkage network (1DDRSN) is designed as a classifier. Validation is performed using the NSL-KDD and UNSW-NB15 datasets and compared with other methods. The experimental results show that GSOOA-1DDRSN has improved multi-classification accuracy, precision, recall, and F1 Score by approximately 2 % and 3 %, respectively, compared to the 1DDRSN model on two datasets. Additionally, it reduces the time computation costs by 20 % and 30 % on these datasets. Furthermore, compared to other models, GSOOA-1DDRSN offers superior classification accuracy and effectively reduces the number of features.

Yueqin Ge,Xiaoyong Li,Binsi Cai

DOI: https://doi.org/10.1109/WCNC55385.2023.10118651

2023-01-01

Abstract:The rapid development of the Internet and the increasingly complex structure of network space make the network security situation more and more serious. Abnormal traffic detection is an important part of network intrusion detection and plays an important role in the field of network security. Traditional machine learning methods rely too much on feature selection and extraction and have high false positive rate and delay caused by abnormal behavior recognition. Deep learning models such as CNN and RNN have many parameters and long training time, which seriously affect the early warning function of network intrusion detection. Aiming at the problem that the parameter redundancy of deep learning models limits the corresponding model deployment in some scenarios and devices, this paper proposes a lightweight bit-operation abnormal traffic detection method based on XNOR-net convolutional neural network (XNOR-CNN). The model uses convolutional neural network(CNN) and long-short term memory(LSTM) to comprehensively analyze the temporal and spatial characteristics of network traffic, and predicts and classifies the attack behaviors in the future network traffic. In particular, the model transforms the complex convolution process into bit operation between vectors by XNOR operation, which reduces the storage of weight vectors and complex redundant calculation, greatly improves the speed of network training and reduces the consumption of network memory. In this paper, the accuracy and efficiency of XNOR-CNN model are proved through a large number of comparative experiments on real traffic datasets.

Mohammad Kazim Hooshmand,Doreswamy Hosahalli

DOI: https://doi.org/10.1049/cit2.12078

IF: 7.985

2022-01-31

CAAI Transactions on Intelligence Technology

Abstract:Convolutional neural networks (CNNs) are the specific architecture of feed‐forward artificial neural networks. It is the de‐facto standard for various operations in machine learning and computer vision. To transform this performance towards the task of network anomaly detection in cyber‐security, this study proposes a model using one‐dimensional CNN architecture. The authors' approach divides network traffic data into transmission control protocol (TCP), user datagram protocol (UDP), and OTHER protocol categories in the first phase, then each category is treated independently. Before training the model, feature selection is performed using the Chi‐square technique, and then, over‐sampling is conducted using the synthetic minority over‐sampling technique to tackle a class imbalance problem. The authors' method yields the weighted average f‐score 0.85, 0.97, 0.86, and 0.78 for TCP, UDP, OTHER, and ALL categories, respectively. The model is tested on the UNSW‐NB15 dataset.

Changpeng Ji,Haofeng Yu,Wei Dai

DOI: https://doi.org/10.3390/pr12071418

IF: 3.5

2024-01-01

Processes

Abstract:To overcome the challenges of feature selection in traditional machine learning and enhance the accuracy of deep learning methods for anomaly traffic detection, we propose a novel method called DCGCANet. This model integrates dilated convolution, a GRU, and a Channel Attention Network, effectively combining dilated convolutional structures with GRUs to extract both temporal and spatial features for identifying anomalous patterns in network traffic. The one-dimensional dilated convolution (DC-1D) structure is designed to expand the receptive field, allowing for comprehensive traffic feature extraction while minimizing information loss typically caused by pooling operations. The DC structure captures spatial dependencies in the data, while the GRU processes time series data to capture dynamic traffic changes. Furthermore, the channel attention (CA) module assigns importance-based weights to features in different channels, enhancing the model’s representational capacity and improving its ability to detect abnormal traffic. DCGCANet achieved an accuracy rate of 99.6% on the CIC-IDS-2017 dataset, outperforming other algorithms. Additionally, the model attained precision, recall, and F1 score rates of 99%. The generalization capability of DCGCANet was validated on a subset of CIC-IDS-2017, demonstrating superior detection performance and robust generalization potential.

Minghui Gao,Li Ma,Heng Liu,Zhijun Zhang,Zhiyan Ning,Jian Xu

DOI: https://doi.org/10.3390/s20051452

IF: 3.9

2020-03-06

Sensors

Abstract:Anomaly detection systems can accurately identify malicious network traffic, providing network security. With the development of internet technology, network attacks are becoming more and more sourced and complicated, making it difficult for traditional anomaly detection systems to effectively analyze and identify abnormal traffic. At present, deep neural network (DNN) technology achieved great results in terms of anomaly detection, and it can achieve automatic detection. However, there still exists misclassified traffic in the prediction results of deep neural networks, resulting in redundant alarm information. This paper designs a two-level anomaly detection system based on deep neural network and association analysis. We made a comprehensive evaluation of experiments using DNNs and other neural networks based on publicly available datasets. Through the experiments, we chose DNN-4 as an important part of our system, which has high precision and accuracy in identifying malicious traffic. The Apriori algorithm can mine rules between various discretized features and normal labels, which can be used to filter the classified traffic and reduce the false positive rate. Finally, we designed an intrusion detection system based on DNN-4 and association rules. We conducted experiments on the public training set NSL-KDD, which is considered as a modified dataset for the KDDCup 1999. The results show that our detection system has great precision in malicious traffic detection, and it achieves the effect of reducing the number of false alarms.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Yufan Feng,Changda Wang

DOI: https://doi.org/10.1007/s10922-023-09727-2

2023-02-16

Journal of Network and Systems Management

Abstract:A successful DDoS attack disables systems and causes huge economic losses, which is every company's worst fear. The goal of IT security is to avoid this worst-case situation. Anomaly detection is one of the most imperative currently. However, feature selection and accuracy detection limitations are still pertinent to traditional algorithms. Moreover, these methods cannot predict and respond to DDoS attacks in advance. Therefore, this paper proposes a network anomaly early warning method based on Generalized Network Temperature (GNT) and deep learning. The approach first classifies DDoS-induced network congestion. Then, it predicts network traffic characteristics using Bi-GRU and discovers the class of congestion states corresponding to each feature collection through the Stacking model. In what follows, this method connects the two models to achieve the early warning function. Furthermore, a combination of criteria is designed based on congestion states and attack probability to improve the early warning accuracy. The proposed model is validated using the intrusion detection dataset CICIDS2017 and UNSW-NB15. The Bi-GRU model achieves the best result of 77.95% and 81.96% for the R-Squared traffic prediction on the two datasets. The Stacking model achieves 94.37% accuracy and 95.82% for congestion states classification, respectively. After the model is connected, our proposed approach performs the best warning accuracy of 96.84% on the CICIDS2017 dataset and 95.68% on the UNSW-NB15 dataset.

computer science, information systems,telecommunications

Yanmiao Li,Xuan Kong,Jiangang Hou,Xin Li,Kun Zhao,Wei Liang,Tongqing Jiang,Yang Xin,Zhi Liu

DOI: https://doi.org/10.1109/icsip55141.2022.9886658

2022-01-01

Abstract:Network traffic anomaly detection plays an important role in maintaining network space security and is usually modeled as a traffic classification problem. With the rapid change of the Internet, the network traffic environment is increasingly complex, and the traditional classification method is no longer applicable. In this article, we propose a new traffic classification framework for network anomaly detection, which operates directly on the original traffic. The NIN-DSC network was used to extract the features of the data, and the validation was carried out in the public data set.