A Comparative Study of Network Traffic Representations for Novelty Detection

Data representation plays a critical role in the performance of novelty detection methods from machine learning (ML). Network traffic has conventionally posed many challenges to conventional anomaly detection, due to the inherent diversity of network traffic. Even within a single network, the most fundamental characteristics can change; this variability is fundamental to network traffic but especially true in the Internet of Things (IoT), where the network hosts a wide array of devices, each of which behaves differently, exhibiting high variance in both operational modalities and network activity patterns. Although there are established ways to study the effects of data representation in supervised learning, the problem is particularly challenging and understudied in the unsupervised learning context, where there is no standard way to evaluate the effect of selected features and representations at training time. This work explores different data representations for novelty detection in the Internet of Things, studying the effect of different representations of network traffic flows on the performance of a wide range of machine learning algorithms for novelty detection for problems arising in IoT, including malware detection, the detection of rogue devices, and the detection of cyberphysical anomalies. We find that no single representation works best (in terms of area under the curve) across devices or ML methods, yet the following features consistently improve the performance of novelty detection algorithms: (1) traffic sizes, (i.e., packet sizes rather than number of packets in volume-based representations); and (2) packet header fields (i.e., TTL, TCP flags).

[1]  Bernhard Schölkopf,et al.  Support Vector Method for Novelty Detection , 1999, NIPS.

[2]  Ali A. Ghorbani,et al.  Toward Developing a Systematic Approach to Generate Benchmark Android Malware Datasets and Classification , 2018, 2018 International Carnahan Conference on Security Technology (ICCST).

[3]  Nick Feamster,et al.  Machine Learning DDoS Detection for Consumer Internet of Things Devices , 2018, 2018 IEEE Security and Privacy Workshops (SPW).

[4]  Shadi A. Aljawarneh,et al.  GARUDA: Gaussian dissimilarity measure for feature representation and anomaly detection in Internet of things , 2018, The Journal of Supercomputing.

[5]  Yue Zhao,et al.  PyOD: A Python Toolbox for Scalable Outlier Detection , 2019, J. Mach. Learn. Res..

[6]  Akshay Kumar,et al.  Novel anomaly detection and classification schemes for Machine-to-Machine uplink , 2018, 2018 IEEE International Conference on Big Data (Big Data).

[7]  Samory Kpotufe,et al.  Quickshift++: Provably Good Initializations for Sample-Based Mean Shift , 2018, ICML.

[8]  D. W. Scott,et al.  Multidimensional Density Estimation , 2005 .

[9]  Randy C. Paffenroth,et al.  Anomaly Detection with Robust Deep Autoencoders , 2017, KDD.

[10]  Geethapriya Thamilarasu,et al.  Towards Deep-Learning-Driven Intrusion Detection for the Internet of Things , 2019, Sensors.

[11]  Radford M. Neal Pattern Recognition and Machine Learning , 2007, Technometrics.

[12]  Yuval Elovici,et al.  N-BaIoT—Network-Based Detection of IoT Botnet Attacks Using Deep Autoencoders , 2018, IEEE Pervasive Computing.

[13]  Emin Anarim,et al.  Frequency based DDoS attack detection approach using naive Bayes classification , 2016, 2016 39th International Conference on Telecommunications and Signal Processing (TSP).

[14]  Andrew W. Moore,et al.  Discriminators for use in flow-based classification , 2013 .

[15]  Aleksandar Lazarevic,et al.  Outlier Detection with Kernel Density Functions , 2007, MLDM.

[16]  Genoveva Vargas-Solar,et al.  Smart Detection: An Online Approach for DoS/DDoS Attack Detection Using Machine Learning , 2019, Secur. Commun. Networks.

[17]  Fei Tony Liu,et al.  Isolation-Based Anomaly Detection , 2012, TKDD.

[18]  Charu C. Aggarwal,et al.  Outlier Analysis , 2013, Springer New York.

[19]  Yuval Elovici,et al.  Kitsune: An Ensemble of Autoencoders for Online Network Intrusion Detection , 2018, NDSS.

[20]  T. V. Lakshman,et al.  Unsupervised machine learning for network-centric anomaly detection in IoT , 2019, Big-DAMA@CoNEXT.

[21]  Natalia Gimelshein,et al.  PyTorch: An Imperative Style, High-Performance Deep Learning Library , 2019, NeurIPS.