GEE: A Gradient-based Explainable Variational Autoencoder for Network Anomaly Detection
This addresses the problem of detecting and explaining network anomalies for cybersecurity, but it is incremental as it combines existing techniques.
The paper tackles network anomaly detection by developing GEE, a framework that uses an unsupervised variational autoencoder for detection and gradient-based fingerprinting for explanation, showing effectiveness on the UGR dataset.
This paper looks into the problem of detecting network anomalies by analyzing NetFlow records. While many previous works have used statistical models and machine learning techniques in a supervised way, such solutions have the limitations that they require large amount of labeled data for training and are unlikely to detect zero-day attacks. Existing anomaly detection solutions also do not provide an easy way to explain or identify attacks in the anomalous traffic. To address these limitations, we develop and present GEE, a framework for detecting and explaining anomalies in network traffic. GEE comprises of two components: (i) Variational Autoencoder (VAE) - an unsupervised deep-learning technique for detecting anomalies, and (ii) a gradient-based fingerprinting technique for explaining anomalies. Evaluation of GEE on the recent UGR dataset demonstrates that our approach is effective in detecting different anomalies as well as identifying fingerprints that are good representations of these various attacks.