Unsupervised Abnormal Traffic Detection through Topological Flow Analysis
This work addresses cyberthreat detection for network security, offering an incremental approach by incorporating graph-based features into existing unsupervised algorithms.
The paper tackled the problem of detecting abnormal network traffic by leveraging topological connectivity features in an unsupervised manner, achieving several improvements over standard anomaly detection methods on real datasets.
Cyberthreats are a permanent concern in our modern technological world. In the recent years, sophisticated traffic analysis techniques and anomaly detection (AD) algorithms have been employed to face the more and more subversive adversarial attacks. A malicious intrusion, defined as an invasive action intending to illegally exploit private resources, manifests through unusual data traffic and/or abnormal connectivity pattern. Despite the plethora of statistical or signature-based detectors currently provided in the literature, the topological connectivity component of a malicious flow is less exploited. Furthermore, a great proportion of the existing statistical intrusion detectors are based on supervised learning, that relies on labeled data. By viewing network flows as weighted directed interactions between a pair of nodes, in this paper we present a simple method that facilitate the use of connectivity graph features in unsupervised anomaly detection algorithms. We test our methodology on real network traffic datasets and observe several improvements over standard AD.