Generative adversarial networks to detect intrusion and anomaly in IP flow-based networks

Abstract

[EN] Computer networks facilitate regular human tasks, providing services like data streaming, online shopping, and digital communications. These applications require more and more network capacity and dynamicity to accomplish their goals. The networks may be targeted by attacks and intrusions that compromise the applications that rely on them and lead to potential losses. We propose a semi-supervised systematic methodology for developing a detection system for traffic volume anomalies in IP flow-based networks. The system is implemented with a vanilla Generative Adversarial Network (GAN). The mitigation module is triggered whenever an anomaly is detected, automatically blocking the suspect IPs and restoring the correct network functioning. We implemented three versions of the proposed solution by incorporating Long Short-Term Memory (LSTM), 1D-Convolutional Neural Network (1D-CNN), and Temporal Convolutional Network (TCN) into the GAN internal structure. The experiments are conducted on three public benchmark datasets: Orion, CIC-DDoS2019, and CIC-IDS2017. The results show that the three considered deep learning models have distinct impacts on the GAN model and, consequently, on the overall system performance. The 1D-CNN-based GAN implementation is the best since it reasonably solves the mode collapse problem, has the most efficient computational complexity, and achieves competitive Matthews Correlation Coefficient scores for the anomaly detection task. Also, the mitigation module can drop most anomalous flows, blocking only a slight portion of legitimate traffic. For comparison with state-of-the-art models, we implemented 1D-CNN, LSTM, and TCN separately from the GAN. The generative networks show improved overall results in the considered performance metrics compared to the other models.