Abstract
Background: Network security has become increasingly critical and has attracted much attention in recent years. Anomaly detection, which identifies malicious network flows in order to protect the network, is an important technology and a hot topic in the network security field. However, existing anomaly detection systems classify unknown network flows as one of the known flow types, which degrades identification performance.
Objective: To detect unknown flows and improve detection performance, we analyzed the KDD'99 dataset, which was collected from a simulated network environment, identified the main factors that affect detection accuracy, and propose a more robust and effective anomaly detection model (READM) that improves the accuracy of detection.
Methods: Unknown flows are first determined, and an extra unknown-type class is trained by a neural network and identified by a deep inspection method. The identification results for the unknown class are then fed back into the detection system. Finally, the proposed robust and effective anomaly detection model (READM) is constructed and validated.
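The problem the Background and Methods paragraphs describe, a closed-set classifier forced to assign every flow to a known class, and the feedback loop in which rejected flows are labelled and folded back into the detector, can be illustrated with a small self-contained example. The following is an added example and not the paper's READM code: it uses a nearest-centroid classifier with a distance-based reject option in place of the paper's neural network, and a plain re-labelling step in place of its deep inspection; the feature vectors, class names (normal, dos, probe) and the reject margin are constructed assumptions, not KDD'99 records.

```python
"""Closed-set vs open-set flow classification on constructed toy features."""
import math
from collections import defaultdict

# Constructed toy flows: three normalised features per flow (think duration,
# bytes, packet rate) plus a label. These are NOT real KDD'99 records.
TRAIN = [
    ((0.10, 0.20, 0.10), "normal"),
    ((0.20, 0.10, 0.20), "normal"),
    ((0.15, 0.15, 0.15), "normal"),
    ((0.90, 0.80, 0.90), "dos"),
    ((0.80, 0.90, 0.80), "dos"),
    ((0.85, 0.85, 0.90), "dos"),
]
# A class absent from training; a closed-set model has no choice but to mislabel it.
UNSEEN = [
    ((0.10, 0.90, 0.10), "probe"),
    ((0.20, 0.80, 0.10), "probe"),
    ((0.15, 0.85, 0.20), "probe"),
]


def _dist(a, b):
    """Euclidean distance between two feature vectors."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


class NearestCentroidDetector:
    """Nearest-centroid classifier with a distance-based reject ("unknown") option.

    Stands in for the paper's neural network purely for illustration.
    """

    def __init__(self, margin=3.0):
        self.margin = margin          # assumed tunable: reject radius multiplier
        self.samples = []
        self.centroids = {}
        self.threshold = 0.0

    def fit(self, samples):
        self.samples = list(samples)
        buckets = defaultdict(list)
        for x, y in self.samples:
            buckets[y].append(x)
        self.centroids = {
            y: tuple(sum(col) / len(xs) for col in zip(*xs))
            for y, xs in buckets.items()
        }
        # Reject radius: the largest distance any training flow has from its own
        # class centroid, scaled by the margin.
        spread = max(_dist(x, self.centroids[y]) for x, y in self.samples)
        self.threshold = self.margin * spread
        return self

    def _nearest(self, x):
        return min(self.centroids.items(), key=lambda kv: _dist(x, kv[1]))

    def predict_closed(self, x):
        """Closed-set decision: always answers with a known class, even for alien flows."""
        return self._nearest(x)[0]

    def predict_open(self, x):
        """Open-set decision: a flow too far from every centroid is reported as unknown."""
        label, centroid = self._nearest(x)
        return label if _dist(x, centroid) <= self.threshold else "unknown"

    def add_class(self, samples):
        """Feed back rejected flows that have since been labelled (here by hand; the
        paper uses deep inspection) and refit so the new class is detected directly."""
        return self.fit(self.samples + list(samples))


def run_demo():
    """Returns (closed-set labels, open-set labels, label after feedback)."""
    model = NearestCentroidDetector().fit(TRAIN)
    closed = [model.predict_closed(x) for x, _ in UNSEEN]
    open_set = [model.predict_open(x) for x, _ in UNSEEN]
    # Everything rejected as unknown is labelled and fed back into the detector.
    rejected = [(x, y) for x, y in UNSEEN if model.predict_open(x) == "unknown"]
    model.add_class(rejected)
    after = model.predict_open((0.12, 0.88, 0.15))   # a fresh probe-like flow
    return closed, open_set, after


if __name__ == "__main__":
    print(run_demo())
```

With these inputs the closed-set decision labels all three probe flows as "normal", the open-set decision rejects all three as "unknown", and after the rejected flows are labelled and fed back a fresh probe-like flow is classified as "probe". The reject margin is the part a practitioner has to tune: too small and rare legitimate flows are rejected, too large and novel attacks are again absorbed into the nearest known class.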
Results: Experimental comparison and analysis show that READM achieves higher detection accuracy and shorter prediction time than the compared approaches, indicating better efficiency and performance.
Conclusion: Our study found that the presence of unknown flows consistently causes detection errors and is the main factor degrading detection performance. We therefore propose a robust and effective anomaly detection model based on constructing and training an extra unknown-traffic class. A comparison of three experiments following different approaches shows that READM improves detection accuracy and reduces prediction time. Compared with other solutions, it also shows better performance and has considerable application value in this field.
Keywords: Robust, anomaly detection, unknown network traffic, identification, READM