Variational Deep Clustering approaches for anomaly-based cyber-attack detection
Van Quan Nguyen, Viet Hung Nguyen, Long Thanh Ngo, Le Minh Nguyen, Nhien-An Le-Khac
Journal of Network and Computer Applications, volume 240, Article 104182, published 2025-04-19
DOI: 10.1016/j.jnca.2025.104182
https://www.sciencedirect.com/science/article/pii/S1084804525000797
Citations: 0
Abstract
Detecting network anomalies is a critical cybersecurity task, yet existing methods struggle with high-dimensional data and limited interpretability in latent space. These challenges hinder precise differentiation between normal and anomalous activities due to (i) the chaotic distribution of normal samples, (ii) the absence of constraints to optimize the normal region’s hypervolume leading to high false alarm rates, (iii) the lack of prior knowledge for estimating the probability distribution of normal data, and (iv) slow inference times.
This research introduces two innovative deep generative models: Deep Clustering Variational Auto-Encoder (DCVAE) and Deep Clustering Support Vector Data Description Variational Auto-Encoder (DC-SVDD-VAE), designed to enhance the learning of latent features for detecting network anomalies. Both models incorporate a clustering layer within the Encoder to discover a clustering structure suitable for normal network data. They also leverage prior information, specifically a Gaussian probability distribution, to estimate the posterior distribution that generates normal network data. Additionally, the DC-SVDD-VAE model integrates SVDD layers, which refine the clustering structure by mapping it onto an optimally sized hypersphere before computing the posterior probability. These approaches improve the separation between normal and abnormal regions in latent space, making it easier to identify distinguishing latent features.
Both models were evaluated in conjunction with seven distinct one-class anomaly detection methods to assess the efficiency of the proposed solutions and the robustness of the generated features. These detectors were assessed using well-known intrusion benchmark datasets, including NSL-KDD, UNSW-NB15, CIC-IDS-2017, CSE-CIC-IDS-2018, and CTU-13. The experimental findings revealed that both models outperformed existing baselines and state-of-the-art approaches in terms of accuracy. Furthermore, inference stage processing times showed a notable decrease.
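The abstract's points (i) and (ii), a multi-modal distribution of normal samples and an unconstrained normal-region hypervolume, are easiest to see on constructed latent codes. The block below is an added illustration, not the paper's model or code: a seeded random generator stands in for a trained encoder, a two-centre k-means stands in for the learned clustering layer, and an SVDD-style soft-boundary hypersphere (centre = mean, radius = the (1 - nu) quantile of centre distances) stands in for the SVDD layers. Normal traffic occupies two separate modes and the constructed attacks sit between them; a single global hypersphere must grow large enough to cover both modes and therefore swallows the attacks, while one sphere per cluster keeps the hypervolume tight at the same nominal false-alarm budget nu.

```python
"""Hypersphere (SVDD-style) one-class scoring on latent codes, with and without
a clustering step. Added illustration only: not the paper's DCVAE/DC-SVDD-VAE.
Latent codes are constructed with a seeded RNG instead of a trained encoder,
and k-means stands in for the learned clustering layer."""
import math
import random

DIM = 8  # assumed latent dimensionality


def make_codes(n, centre, spread, seed):
    """Constructed latent codes: an isotropic Gaussian blob around `centre`."""
    rng = random.Random(seed)
    return [[rng.gauss(c, spread) for c in centre] for _ in range(n)]


def dist(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def centroid(points):
    return [sum(p[i] for p in points) / len(points) for i in range(len(points[0]))]


def kmeans(points, k, iters=20):
    """Lloyd's k-means with farthest-point initialisation (deterministic)."""
    centres = [points[0]]
    while len(centres) < k:
        centres.append(max(points, key=lambda p: min(dist(p, c) for c in centres)))
    for _ in range(iters):
        groups = [[] for _ in centres]
        for p in points:
            groups[min(range(k), key=lambda i: dist(p, centres[i]))].append(p)
        new = [centroid(g) if g else centres[i] for i, g in enumerate(groups)]
        if new == centres:
            break
        centres = new
    return centres


def fit_sphere(points, nu):
    """Soft-boundary hypersphere: centre = mean, radius = (1 - nu) quantile of
    centre distances, so roughly a fraction nu of training points lie outside."""
    c = centroid(points)
    d = sorted(dist(p, c) for p in points)
    idx = min(len(d) - 1, max(0, math.ceil((1 - nu) * len(d)) - 1))
    return c, d[idx]


def fit_clustered_spheres(points, k, nu):
    """One hypersphere per k-means cluster; each point trains the sphere of its nearest centre."""
    centres = kmeans(points, k)
    groups = [[] for _ in centres]
    for p in points:
        groups[min(range(k), key=lambda i: dist(p, centres[i]))].append(p)
    return [fit_sphere(g, nu) for g in groups]


def score(point, spheres):
    """Signed distance to the nearest sphere surface: > 0 means outside, i.e. anomalous."""
    return min(dist(point, c) - r for c, r in spheres)


def rates(spheres, normal, anomalies):
    """(false-alarm rate on held-out normal codes, detection rate on anomalies)."""
    fpr = sum(score(p, spheres) > 0 for p in normal) / len(normal)
    tpr = sum(score(p, spheres) > 0 for p in anomalies) / len(anomalies)
    return fpr, tpr


def run_demo(nu=0.05):
    """Normal codes form two modes at +/-7 on the first axis; attacks sit at the origin."""
    mode_a = [7.0] + [0.0] * (DIM - 1)
    mode_b = [-7.0] + [0.0] * (DIM - 1)
    origin = [0.0] * DIM
    train = make_codes(300, mode_a, 1.0, 1) + make_codes(300, mode_b, 1.0, 2)
    held_out = make_codes(200, mode_a, 1.0, 3) + make_codes(200, mode_b, 1.0, 4)
    attacks = make_codes(200, origin, 0.5, 5)  # constructed anomalies between the modes
    one_sphere = [fit_sphere(train, nu)]
    two_spheres = fit_clustered_spheres(train, 2, nu)
    return {
        "single_radius": one_sphere[0][1],
        "single_rates": rates(one_sphere, held_out, attacks),
        "clustered_radii": sorted(r for _, r in two_spheres),
        "clustered_rates": rates(two_spheres, held_out, attacks),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

Running `run_demo()` shows the single sphere with a radius of roughly 8.6 catching essentially none of the attacks, while the two cluster spheres (radius roughly 4 each) catch all of them; both keep the held-out false-alarm rate near the nominal nu = 0.05. Tightening nu shrinks the radii and raises the false-alarm rate, which is the trade-off the abstract attributes to an unconstrained hypervolume.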
Journal description:
The Journal of Network and Computer Applications welcomes research contributions, surveys, and notes in all areas relating to computer networks and applications thereof. Sample topics include new design techniques, interesting or novel applications, components or standards; computer networks with tools such as WWW; emerging standards for internet protocols; Wireless networks; Mobile Computing; emerging computing models such as cloud computing, grid computing; applications of networked systems for remote collaboration and telemedicine, etc. The journal is abstracted and indexed in Scopus, Engineering Index, Web of Science, Science Citation Index Expanded and INSPEC.