A Clustering-based Shrink AutoEncoder for Detecting Anomalies in Intrusion Detection Systems
Cong Thanh Bui, V. Cao, Minh Hoang, Nguyen Quang Uy
2019 11th International Conference on Knowledge and Systems Engineering (KSE), 2019-10-01
DOI: 10.1109/KSE.2019.8919446 (https://doi.org/10.1109/KSE.2019.8919446)
Citations: 5
Abstract
Detecting anomalies is an essential problem in many Intrusion Detection Systems (IDSs). This problem has received increasing attention from researchers and practitioners recently. Among the many approaches developed for detecting and preventing abnormal access to information systems, the Shrink AutoEncoder (SAE) is an appealing technique due to its simplicity of implementation and its effectiveness in detecting network attacks. However, this model has a potential drawback when applied to datasets that contain several clusters. The reason is that it attempts to compress all normal data samples into a single cluster in the hidden space of an AutoEncoder. In our research, we introduce a hybrid model combining the K-means clustering algorithm and SAE to lessen the limitation of SAE in handling such datasets. Our model is tested on five popular IDS datasets, and the empirical outcomes show that it helps to improve the accuracy of SAE in detecting anomalies in datasets that can be divided into some smaller clusters.