English

Sequence Aggregation Rules for Anomaly Detection in Computer Network Traffic

Cryptography and Security 2018-05-15 v2 Computers and Society Machine Learning Applications

Abstract

We evaluate methods for applying unsupervised anomaly detection to cybersecurity applications on computer network traffic data, or flow. We borrow from the natural language processing literature and conceptualize flow as a sort of "language" spoken between machines. Five sequence aggregation rules are evaluated for their efficacy in flagging multiple attack types in a labeled flow dataset, CICIDS2017. For sequence modeling, we rely on long short-term memory (LSTM) recurrent neural networks (RNN). Additionally, a simple frequency-based model is described and its performance with respect to attack detection is compared to the LSTM models. We conclude that the frequency-based model tends to perform as well as or better than the LSTM models for the tasks at hand, with a few notable exceptions.

Keywords

Cite

@article{arxiv.1805.03735,
  title  = {Sequence Aggregation Rules for Anomaly Detection in Computer Network Traffic},
  author = {Benjamin J. Radford and Bartley D. Richardson and Shawn E. Davis},
  journal= {arXiv preprint arXiv:1805.03735},
  year   = {2018}
}

Comments

Prepared for the American Statistical Associations Symposium on Data Science and Statistics 2018

R2 v1 2026-06-23T01:50:16.389Z