Evaluation of feature learning for anomaly detection in network traffic | Evolving Systems Skip to main content
Springer Nature Link
Log in

Evaluation of feature learning for anomaly detection in network traffic

  • Original Paper
  • Published:
Evolving Systems Aims and scope Submit manuscript

Abstract

The application of anomaly detection approaches to network intrusion detection in real scenarios is difficult. The ability of techniques such as deep learning to estimate new data representations with higher levels of abstraction can be useful to address data analysis of network traffic data. For that reason, the performance of different anomaly detection techniques on feature representations obtained by an autoencoder and a variational autoencoder is compared. We have employed a variety of well-known anomaly detection algorithms, which addresses intrusion detection as a semi-supervised problem where patterns that deviate from a baseline model, estimated only from normal traffic, are labelled as anomalous. Furthermore, this assessment is performed on four publicly available benchmarks. The results show that the effect of feature representation on performance is highly dependent on the anomaly detection technique.

This is a preview of subscription content, log in via an institution to check access.

Access this article

Log in via an institution

Subscribe and save

Springer+ Basic
¥17,985 /Month
  • Get 10 units per month
  • Download Article/Chapter or eBook
  • 1 Unit = 1 Article or 1 Chapter
  • Cancel anytime
Subscribe now

Buy Now

Price includes VAT (Japan)

Instant access to the full article PDF.

Institutional subscriptions

Fig. 1
Fig. 2
Fig. 3
Fig. 4

Similar content being viewed by others

Explore related subjects

Discover the latest articles, news and stories from top researchers in related subjects.

References

  • Ahmed M, Mahmood AN, Hu J (2016) A survey of network anomaly detection techniques. J Netw Comput Appl 60:19–31

    Article  Google Scholar 

  • Ambusaidi MA, He X, Nanda P, Tan Z (2016) Building an intrusion detection system using a filter-based feature selection algorithm. IEEE Trans Comput 65(10):2986–2998

    Article  MathSciNet  Google Scholar 

  • Angelov P (2014) Anomaly detection based on eccentricity analysis. In: 2014 IEEE Symposium on Evolving and Autonomous Learning Systems (EALS), pp 1–8, https://doi.org/10.1109/EALS.2014.7009497

  • Angelov PP, Gu X (2019) Anomaly detection-empirical approach. Springer International Publishing, Cham, pp 157–173

    Google Scholar 

  • Bengio Y, Courville A, Vincent P (2013) Representation learning: a review and new perspectives. IEEE Trans Pattern Anal Mach Intell 35(8):1798–1828

    Article  Google Scholar 

  • Bhuyan MH, Bhattacharyya DK, Kalita JK (2014) Network anomaly detection: methods, systems and tools. IEEE Commun Surv Tutor 16(1):303–336

    Article  Google Scholar 

  • Breunig MM, Kriegel HP, Ng RT, Sander J (2000) LOF: identifying density-based local outliers. ACM Sigmod Record ACM 29:93–104

    Article  Google Scholar 

  • Buczak AL, Guven E (2015) A survey of data mining and machine learning methods for cyber security intrusion detection. IEEE Commun Surv Tutor 18(2):1153–1176

    Article  Google Scholar 

  • Chandola V, Banerjee A, Kumar V (2009) Anomaly detection—a survey. ACM Comput Surv 41(3):15:1–15:44. https://doi.org/10.1145/1541880.1541882

    Article  Google Scholar 

  • Chen Y, Li Y, Cheng XQ, Guo L (2006) Survey and taxonomy of feature selection algorithms in intrusion detection system. In: International conference on information security and cryptology, Springer, New York, pp 153–167

  • Erfani SM, Rajasegarar S, Karunasekera S, Leckie C (2016) High-dimensional and large-scale anomaly detection using a linear one-class SVM with deep learning. Pattern Recognit 58:121–134

    Article  Google Scholar 

  • Garcia-Teodoro P, Diaz-Verdejo J, Maciá-Fernández G, Vázquez E (2009) Anomaly-based network intrusion detection: techniques, systems and challenges. Comput Secur 28(1):18–28

    Article  Google Scholar 

  • Giap CN, Son LH, Chiclana F (2018) Dynamic structural neural network. J Intell Fuzzy Syst 34(4):2479–2490

    Article  Google Scholar 

  • Goldstein M, Dengel A (2012) Histogram-based outlier score (HBOS): A fast unsupervised anomaly detection algorithm. In: Wölfl S (ed) Poster and Demo Track of the 35th German Conference on Artificial Intelligence (KI-2012), pp 59–63

  • Goodfellow I, Bengio Y, Courville A, Bengio Y (2016) Deep learning, vol 1. MIT press, Cambridge

    MATH  Google Scholar 

  • Gu X, Angelov P (2017) Autonomous anomaly detection. In: 2017 evolving and adaptive intelligent systems (EAIS), pp 1–8, https://doi.org/10.1109/EAIS.2017.7954831

  • Guyon I, Elisseeff A (2003) An introduction to variable and feature selection. J Mach Learn Res 3(1):1157–1182

    MATH  Google Scholar 

  • Hinton GE, Salakhutdinov RR (2006) Reducing the dimensionality of data with neural networks. Science 313(5786):504–507. https://doi.org/10.1126/science.1127647

    Article  MathSciNet  MATH  Google Scholar 

  • Jain AK, Murty MN, Flynn PJ (1999) Data clustering: a review. ACM Comput Surv (CSUR) 31(3):264–323

    Article  Google Scholar 

  • Javaid A, Niyaz Q, Sun W, Alam M (2016) A deep learning approach for network intrusion detection system. In: Proceedings of the 9th EAI International Conference on Bio-inspired Information and Communications Technologies (formerly BIONETICS), ICST, pp 21–26

  • Jolliffe I (2011) Principal component analysis. Springer, New York

    MATH  Google Scholar 

  • Khammassi C, Krichen S (2017) A GA-LR wrapper approach for feature selection in network intrusion detection. Comput Secur 70:255–277

    Article  Google Scholar 

  • Khan L, Awad M, Thuraisingham B (2007) A new intrusion detection system using support vector machines and hierarchical clustering. VLDB J 16(4):507–521

    Article  Google Scholar 

  • Kingma DP, Ba J (2014) Adam: A method for stochastic optimization. CoRR abs/1412.6980,

  • Kingma DP, Welling M (2013) Auto-encoding variational bayes. arXiv preprint arXiv:13126114

  • Lee JA, Verleysen M (2007) Nonlinear dimensionality reduction. Springer Science & Business Media, New York

    Book  Google Scholar 

  • Liu FT, Ting KM, hua Zhou Z (2008) Isolation forest. In: In ICDM ’08: Proceedings of the 2008 Eighth IEEE International Conference on Data Mining. IEEE Computer Society, pp 413–422

  • Lvd Maaten, Hinton G (2008) Visualizing data using t-SNE. J Mach Learn Res 9:2579–2605

    MATH  Google Scholar 

  • Madhawa S, Balakrishnan P, Arumugam U (2018) Employing invariants for anomaly detection in software defined networking based industrial internet of things. J Intell Fuzzy Syst (Preprint):1–13

  • Mahoney MV, Chan PK (2003) An analysis of the 1999 DARPA/Lincoln laboratory evaluation data for network anomaly detection. In: International Workshop on Recent Advances in Intrusion Detection, Springer, New York, pp 220–237

  • Marir N, Wang H, Feng G, Li B, Jia M (2018) Distributed abnormal behavior detection approach based on deep belief network and ensemble svm using spark. IEEE Access 6:59657–59671

    Article  Google Scholar 

  • Martins RS, Angelov P, Sielly Jales Costa B (2018) Automatic detection of computer network traffic anomalies based on eccentricity analysis. In: 2018 IEEE International Conference on Fuzzy Systems (FUZZ-IEEE), pp 1–8, 10.1109/FUZZ-IEEE.2018.8491507

  • McHugh J (2000) Testing intrusion detection systems: a critique of the 1998 and 1999 DARPA intrusion detection system evaluations as performed by Lincoln laboratory. ACM Trans Inf Syst Secur (TISSEC) 3(4):262–294

    Article  Google Scholar 

  • Mirsky Y, Doitshman T, Elovici Y, Shabtai A (2018) Kitsune: an ensemble of autoencoders for online network intrusion detection. arXiv preprint arXiv:180209089

  • Moustafa N, Slay J (2015) UNSW-NB15: a comprehensive data set for network intrusion detection systems (UNSW-NB15 network data set). In: Military Communications and Information Systems Conference (MilCIS), 2015, IEEE, pp 1–6

  • Muda Z, Yassin W, Sulaiman M, Udzir NI et al (2011) A k-means and naive bayes learning approach for better intrusion detection. Inf Technol J 10(3):648–655

    Article  Google Scholar 

  • Nguyen MN, Vien NA (2018) Scalable and interpretable one-class SVMs with deep learning and random fourier features. arXiv preprint arXiv:180404888

  • Pedregosa F, Varoquaux G, Gramfort A, Michel V, Thirion B, Grisel O, Blondel M, Prettenhofer P, Weiss R, Dubourg V et al (2011) Scikit-learn: machine learning in python. J Mach Learn Res 12:2825–2830

    MathSciNet  MATH  Google Scholar 

  • Pérez D, Alonso S, Morán A, Prada MA, Fuertes JJ, Domínguez M (2019) Comparison of network intrusion detection performance using feature representation. In: Macintyre J, Iliadis L, Maglogiannis I, C J (eds) International Conference on Engineering Applications of Neural Networks. Communications in Computer and Information Science, vol. 1000, Springer, pp 463–475

  • Rezende DJ, Mohamed S, Wierstra D (2014) Stochastic backpropagation and approximate inference in deep generative models. arXiv preprint arXiv:14014082

  • Ring M, Wunderlich S, Scheuring D, Landes D, Hotho A (2019) A survey of network-based intrusion detection data sets. Comput Secur 86:147–167

    Article  Google Scholar 

  • Ringberg H, Soule A, Rexford J, Diot C (2007) Sensitivity of PCA for traffic anomaly detection. ACM SIGMETRICS Perform Eval Rev ACM 35:109–120

    Article  Google Scholar 

  • Rousseeuw PJ, Driessen KV (1999) A fast algorithm for the minimum covariance determinant estimator. Technometrics 41(3):212–223

    Article  Google Scholar 

  • Rubio JdJ, Cruz D, Elias Barrón I, Ochoa G, Balcazarand R, Aguilar A (2019) ANFIS system for classification of brain signals. J Intell Fuzzy Syst 37:4033–4041. https://doi.org/10.3233/JIFS-190207

    Article  Google Scholar 

  • Schölkopf B, Platt JC, Shawe-Taylor J, Smola AJ, Williamson RC (2001) Estimating the support of a high-dimensional distribution. Neural Comput 13(7):1443–1471

    Article  Google Scholar 

  • Sharafaldin I, Lashkari AH, Ghorbani AA (2018) Toward generating a new intrusion detection dataset and intrusion traffic characterization. In: ICISSP, pp 108–116

  • Sommer R, Paxson V (2010) Outside the closed world: On using machine learning for network intrusion detection. In: 2010 IEEE symposium on security and privacy, IEEE, pp 305–316

  • Song J, Takakura H, Okabe Y, Eto M, Inoue D, Nakao K (2011) Statistical analysis of honeypot data and building of Kyoto 2006+ dataset for NIDS evaluation. In: Proceedings of the First Workshop on Building Analysis Datasets and Gathering Experience Returns for Security, ACM, pp 29–36

  • Tavallaee M, Bagheri E, Lu W, Ghorbani AA (2009) A detailed analysis of the KDD CUP 99 data set. In: Proceedings of the Second IEEE Symposium on Computational Intelligence for Security and Defence Applications 2009

  • Vinayakumar R, Alazab M, Soman K, Poornachandran P, Al-Nemrat A, Venkatraman S (2019) Deep learning approach for intelligent intrusion detection system. IEEE Access 7:41525–41550

    Article  Google Scholar 

  • Wang K, Stolfo SJ (2004) Anomalous payload-based network intrusion detection. In: International Workshop on Recent Advances in Intrusion Detection, Springer, pp 203–222

  • Yousefi-Azar M, Varadharajan V, Hamey L, Tupakula U (2017) Autoencoder-based feature learning for cyber security applications. In: 2017 International joint conference on neural networks (IJCNN), IEEE, pp 3854–3861

  • Zhang Z, Li J, Manikopoulos C, Jorgenson J, Ucles J (2001) HIDE: a hierarchical network intrusion detection system using statistical preprocessing and neural network classification. In: Proc. IEEE Workshop on Information Assurance and Security, pp 85–90

Download references

Funding

This study was funded by Junta de Castilla y León (ES) (Grant No. LE045P17).

Author information

Authors and Affiliations

  1. University of León, Campus de Vegazana s/n., 24007, León, Spain

    Daniel Pérez, Serafín Alonso, Antonio Morán, Miguel A. Prada, Juan José Fuertes & Manuel Domínguez

Authors
  1. Daniel Pérez
    View author publications

    You can also search for this author inPubMed Google Scholar

  2. Serafín Alonso
    View author publications

    You can also search for this author inPubMed Google Scholar

  3. Antonio Morán
    View author publications

    You can also search for this author inPubMed Google Scholar

  4. Miguel A. Prada
    View author publications

    You can also search for this author inPubMed Google Scholar

  5. Juan José Fuertes
    View author publications

    You can also search for this author inPubMed Google Scholar

  6. Manuel Domínguez
    View author publications

    You can also search for this author inPubMed Google Scholar

Corresponding author

Correspondence to Daniel Pérez.

Additional information

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Omitted for double-blind reviewing.

Rights and permissions

Reprints and permissions

About this article

Check for updates. Verify currency and authenticity via CrossMark

Cite this article

Pérez, D., Alonso, S., Morán, A. et al. Evaluation of feature learning for anomaly detection in network traffic. Evolving Systems 12, 79–90 (2021). https://doi.org/10.1007/s12530-020-09342-5

Download citation

  • Received:

  • Accepted:

  • Published:

  • Issue Date:

  • DOI: https://doi.org/10.1007/s12530-020-09342-5

Keywords