Anomaly detection in network flows using unsupervised online machine learning
This addresses the need for adaptive security solutions in dynamic network environments where labeled data is scarce, though it appears incremental as it applies existing methods to network data.
The paper tackles anomaly detection in network traffic by developing an unsupervised online machine learning model that dynamically learns normal behavior without labeled data, achieving over 98% accuracy, below 3.1% false positive rate, 100% recall, and processing times under 0.033 ms per flow on the NF-UNSW-NB15 dataset.
Nowadays, the volume of network traffic continues to grow, along with the frequency and sophistication of attacks. This scenario highlights the need for solutions capable of continuously adapting, since network behavior is dynamic and changes over time. This work presents an anomaly detection model for network flows using unsupervised machine learning with online learning capabilities. This approach allows the system to dynamically learn the normal behavior of the network and detect deviations without requiring labeled data, which is particularly useful in real-world environments where traffic is constantly changing and labeled data is scarce. The model was implemented using the River library with a One-Class SVM and evaluated on the NF-UNSW-NB15 dataset and its extended version v2, which contain network flows labeled with different attack categories. The results show an accuracy above 98%, a false positive rate below 3.1%, and a recall of 100% in the most advanced version of the dataset. In addition, the low processing time per flow (<0.033 ms) demonstrates the feasibility of the approach for real-time applications.