LG, Apr 20, 2022

Representation Learning for Content-Sensitive Anomaly Detection in Industrial Networks

arXiv:2205.08953v1, 3 citations, h-index: 2
Originality: Synthesis-oriented
AI Analysis

This work addresses network intrusion detection for industrial systems, but the results are incremental as the learned representations did not improve detection performance.

The paper tackled unsupervised anomaly detection in industrial network traffic using a convGRU-based autoencoder to learn spatial-temporal representations, but found that these representations did not effectively enhance anomaly detection when applied to compressed traffic fragments, though the autoencoder itself could detect anomalies based on residual loss.

Using a convGRU-based autoencoder, this thesis proposes a framework to learn spatial-temporal aspects of raw network traffic in an unsupervised and protocol-agnostic manner. The learned representations are used to measure the effect on the results of a subsequent anomaly detection and are compared to the application without the extracted features. The evaluation showed that the anomaly detection could not effectively be enhanced when applied on compressed traffic fragments for the context of network intrusion detection. Yet, the trained autoencoder successfully generates a compressed representation (code) of the network traffic, which holds spatial and temporal information. Based on the model's residual loss, the autoencoder is also capable of detecting anomalies by itself. Lastly, an approach for a kind of model interpretability (LRP) was investigated in order to identify relevant areas within the raw input data, which is used to enrich alerts generated by an anomaly detection method.
