Anomaly Detection in Event-triggered Traffic Time Series via Similarity Learning
This work addresses a domain-specific challenge in cybersecurity for anomaly detection, offering an incremental improvement by integrating existing methods into a new framework.
The paper tackles the problem of learning similarities among event-triggered traffic time series for anomaly detection in cybersecurity, proposing an unsupervised framework that combines hierarchical multi-resolution sequential autoencoders and Gaussian Mixture Models, and reports that it outperforms state-of-the-art methods considerably.
Time series analysis has achieved great success in cybersecurity applications such as intrusion detection and device identification. Learning similarities among multiple time series is a crucial problem, since it serves as the foundation for downstream analysis. Due to the complex temporal dynamics of event-triggered time series, it often remains unclear which similarity metric is appropriate for security-related tasks such as anomaly detection and clustering. The overarching goal of this paper is to develop an unsupervised learning framework that is capable of learning similarities among a set of event-triggered time series. From the machine learning vantage point, the proposed framework harnesses the power of both hierarchical multi-resolution sequential autoencoders and the Gaussian Mixture Model (GMM) to effectively learn low-dimensional representations from the time series. Finally, the obtained similarity measure can be easily visualized for explanation. The proposed framework aspires to offer a stepping stone that gives rise to a systematic approach to modeling and learning similarities among a multitude of event-triggered time series. Through extensive qualitative and quantitative experiments, it is revealed that the proposed method outperforms state-of-the-art methods considerably.