ONE-CLASS FUSION-BASED LEARNING MODEL FOR ANOMALY DETECTION

Abstract

The Dempster-Shafer (DS) theory of evidence is frequently used to combine multipe supervised machine learning models into a robust fusion-based model. However, using the DS theory to create a fusion model from multiple one-class classifications (OCCs) for network anomaly detection is a challenging task. First, the lack of attack data leads to the difficulty in estimating an appropriate threshold for the OCC models to distinguish between normal and abnormal samples. Second, it is also very challenging to find the weight of OCCs that corresponds to the contribution of each OCC model in the fusion model. In this paper, we attempt to solve the above issues in order to make the DS theory applicable for constructing OCC-based fusion models. Specifically, we propose two novel methods for automatically choosing the appropriate threshold of OCCs and for estimating the weight of individual OCCs in fusion-based models. Thanks to that, we develop an One-class Fusion-based Anomaly Detection model (OFuseAD) from multiple single OCCs. The proposed model is evaluated on ten well-known network anomaly detection problems. The experimental results show that the performance of OFuseAD is improved on almost all tested datasets using two metrics: accuray and F1-score. The visualization results provides the insight into the characteristics of OFuseAD.