ENAD: An Ensemble Framework for Unsupervised Network Anomaly Detection

Abstract

Network anomaly detection is paramount to early detect traffic anomalies and protect networks against cyber attacks such as (distributed) denial of service attacks and phishing attacks. As deep learning has succeeded in various domains, it has been adopted for network anomaly detection using a supervised learning approach. Due to the high velocity and dynamics of network traffic, labeling such voluminous network data with specific domain knowledge is difficult, and yet impossible. It makes supervised learning techniques become impractical. Several existing works have proposed unsupervised learning techniques to train detection models with unlabeled data. However, a single model cannot detect all types of attacking traffic due to the variety of their behavior. In this work, we develop an ensemble framework that uses different AutoEncoders (AEs) and generative adversarial networks (GANs) for network anomaly detection. We develop a weighting scheme that allows us to quantify the importance (goodness) of each model to each attacking traffic and then determine the final prediction score during the inference (detection) phase. We carry out extensive experiments on two recent datasets including UNSW-NB15 and CICIDS2017 to demonstrate the effectiveness of the proposed framework. The experimental results have shown that our framework significantly outperforms many state-of-the-art methods with an increase of up to 14.70% in various performance metrics such as precision, recall, F1-measure, AUROC and AUPRC.