Towards Unsupervised Time-Series Anomaly Detection for Virtual Cloud Networks

Abstract

Virtual cloud network (VCN) is a fundamental cloud resource for endpoints (VMs or containers) to communicate with each other and with the outside. Anomaly detection, a key security approach for VCNs, faces serious challenges: 1) Current feature models are difficult to apply to VCNs with significant differences from traditional networks. 2) Current anomaly detection models lack the adaptability to learn multiple normal patterns simultaneously. The need to train a dedicated model for each endpoint causes serious scalability problems in VCNs. 3) Current anomaly detection models have difficulty addressing the complex temporal dependency and non-stationarity of VCNs. To address these challenges, we propose a new multilevel feature model MFM and a new unsupervised time-series anomaly detection model GTGmVAE. By combining the basic features with the topology features specifically designed for VCNs, MFM effectively characterizes the patterns of VCNs. GTGmVAE combines the new local-global feature extractor with the latent space following a Gaussian mixture distribution to achieve the strong adaptability to learn multiple normal patterns simultaneously, and achieves the strong temporal modeling capability to effectively address the complex temporal dependency and non-stationarity of VCNs by adequately modeling the global temporal dependencies of the input samples and latent variables. Extensive experiments on the VCN anomaly detection dataset CIC-IDS2018 and the time-series anomaly detection benchmark dataset SMD show that GTGmVAE with MFM achieves the desirable performance, and GTGmVAE outperforms all nine representative state-of-the-art detection models.