Network Anomaly Detection Using Transfer Learning Based on Auto-Encoders Loss Normalization

Yehezkel, Aviv; Elyashiv, Eyal; Soffer, Or

doi:10.1145/3474369.3486869

Cited by 15 publications

(10 citation statements)

References 19 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Application Primary Focus Secondary Focus [38] malicious actor IDS - [39] malicious actor IDS - [40] malicious actor DDoS - [41] malicious actor SYN attack - [11] malicious actor botnet - [42] malicious actor -- [14] malicious actor -time series data [43] malicious actor malware detection - [46] malicious actor feature selection - [12] malicious actor -- [44] malicious actor IDS - [10] malicious actor IDS - [45] malicious actor IDS - [47] sensor performance water systems time series data [48] sensor performance charging system - [49] sensor performance nuclear power plant - [51] sensor performance edge connection fault detection - [15] sensor performance emergency detection - [54] time series data IIoT sensor drift - [7] time series data -- [13] time series data multivariate time series data - [55] time series data -- [57] general AD time series data multi-class detection [56] general AD automated vehicles - [58] general AD time series data energy efficiency [52] distributed AD -- [53] distributed AD time series data -…”

Section: Referencementioning

confidence: 99%

“…Training Epochs [39] 24 h of data [12] 128 Leaky ReLU 50 [48] 5 threshold [54] 40 sigmoid and tanh [40] 14 ReLU 100 [49] 256 [7] sigmoid, ReLU, softplus GRU [11] 12 SeLU [42] 60 ReLU LSTM, sigmoid, softmax [41] 50 [57] 8 softmax/regression 8 [58] 50-100 leaky ReLU (AE), ReLU+Lin (VAE enc), ReLU+Sig (VAE dec) Regression 100 [13] 128 leaky ReLU, max, ReLU max, softmax, sigmoid 150 (trn), 50 (f-t) [15] 15 logarithmic 7 [51] 10 tanh, sigmoid 5-80 [28] 500 [56] 64 ReLU, tanh 200 [55] varies sigmoid, tanh [44] 40 ReLU sigmoid 100 [2] ReLU softmax [14] 128 50 (5x mean) [43] varies avg pooling, ReLU, max pooling Softmax [23] [24] sigmoid, ReLU [10] sigmoid, ReLU, Leaky ReLU, tanh softmax [45] 35 ReLU softmax 300 [52] ReLU linear 1-class Table A2. Cont.…”

Section: Reference Largest Layer Activation Function Classifier/regre...mentioning

confidence: 99%

“…Learning Rate Batch Size Regularization Loss Function Optimizer [12] 0.001 MSE Adam [48] 0.005 [54] 0.0005 0.02 dropout min avg pred err [40] keras default 32 MSE Adam [49] 0.0001 0.35, 0.3 dropout cross-entropy Adam [7] Kullback-Leibler loss negative reconstruction err + reg [42] grid search opt dropout (grid search opt) MAE, cross-entropy (binary, categorical) Adam [41] MSE Adam [57] 0.005 modified log (TCN), reconstruction loss with KLD (VAE) Adam [58] mini batch reconstruction loss using MSE and KLD Adam [13] 0.0005, 0.0001 64, 32(trn), 32(f-t) 0.2 dropout cross-entropy, squared error SGD, Adam [15] 0.1 MSE MATLAB trainlm [28] KL-divergence+ MSE [56] 0.025 200 L2 w/ 0.2 dropout Adam [55] varies varies dropout, varies MSE GD [44] log log GD [2] batch GD [14] 0.0001 window size = 6 0.05 dropout MSE Adam [43] 0.001 cross-entropy Adam [24] D-value (anomaly score) [10] cross-entropy coordinate descent, GD [45] 0.4 dropout negative log likelihood Adam [52] batch norm w/ rand dropout Table A3. Breakdown of data-sets and metrics used by surveyed works.…”

Section: Referencementioning

confidence: 99%

“…Data-Set(s) Metrics [38] IP camera amperage amperage [39] 24 h of data from custom smart home TN, FN, TP, FP counts and associated TPR [12] SWaT, WaDI precision, recall, F1 [48] charging station logs accuracy, F1 [54] NAB, and yahoo variants, real-world server job AUC [40] benign IoT traffic, generated DDoS precision, recall, F1 [49] nuclear power plant data (from SIMULATE-3K) weighted accuracy [7] SMAP, MSL, SMD, custom (server dataset) precision, recall, F1 [11] IoTPOT, VirusShare, custom GitHub (benign), IoT ELF files (benign) accuracy, FNR, FPR [42] proprietary real-world set, UNB2018, UNB2019, UNB2012 precision, recall, F1 [41] custom SYN attack for virtual IoT network accuracy, FPR [57] DS2OS F1, class-based average F1 [58] SECOM, wafer manufacturing, APS failure precision, recall, F1, FPR, wall clock time (for energy consumption) [13] DSADS, HAR, Turbofan classification error, RMSE [15] coal mine data (private) [51] custom fault location rate [28] air conditioning (private) [47] custom water meter accuracy, AUC, sensitivity, specificity [56] Wyk et al 2020 reference accuracy, precision, F1, sensitivity [55] power, loop sensor, land sensor accuracy, precision, recall, F1, ROC, AUC [3] many, including KDDCup99 [44] BaIoT accuracy, recall, F1, FPR, TPR, specificity [2] multiple [14] SWAT, WaDI, SMAP, MSL recall, precision, F1 [43] IoT malware/benignware accuracy, recall, ROC, AUC, classification time per sample [23] WaDI, SWaT, MSL precision, recall, F1 [24] accuracy, precision,AUC, FPR [10] DS2OS accuracy, precision, recall, F1, ROC [45] DS2OS (distributed smart space orchestration system) accuracy, precision, recall, F1, FPR, specificity, ROC-AUC [52] BaIoT, El Niño FPR, TPR…”

Section: Referencementioning

confidence: 99%

See 3 more Smart Citations

A Survey of AI-Based Anomaly Detection in IoT and Sensor Networks

DeMedeiros

Hendawi

Álvarez

2023

Sensors

View full text Add to dashboard Cite

Machine learning (ML) and deep learning (DL), in particular, are common tools for anomaly detection (AD). With the rapid increase in the number of Internet-connected devices, the growing desire for Internet of Things (IoT) devices in the home, on our person, and in our vehicles, and the transition to smart infrastructure and the Industrial IoT (IIoT), anomaly detection in these devices is critical. This paper is a survey of anomaly detection in sensor networks/the IoT. This paper defines what an anomaly is and surveys multiple sources based on those definitions. The goal of this survey was to highlight how anomaly detection is being performed on the Internet of Things and sensor networks, identify anomaly detection approaches, and outlines gaps in the research in this domain.

show abstract

Section: Referencementioning

confidence: 99%

Section: Reference Largest Layer Activation Function Classifier/regre...mentioning

confidence: 99%

Section: Referencementioning

confidence: 99%

Section: Referencementioning

confidence: 99%

See 2 more Smart Citations

A Survey of AI-Based Anomaly Detection in IoT and Sensor Networks

DeMedeiros

Hendawi

Álvarez

2023

Sensors

View full text Add to dashboard Cite

show abstract

“…4 the typical deployment of a NIDS that leverages the support of ML, which can analyze data of different types, e.g., full packet-captures (PCAP), network flows 8 (NetFlows), SMNP, or even DNS records. Specifically, with the increasing growth of modern networks, NetFlow analyses are preferred due to many advantages over traditional PCAP, such as: reduced privacy concerns, less space required for storage, and faster processing times [176].…”

Section: Machine Learning In Network Intrusion Detectionmentioning

confidence: 99%

The Role of Machine Learning in Cybersecurity

Apruzzese,

Laskov,

de Oca

et al. 2022

Preprint

View full text Add to dashboard Cite

Machine Learning (ML) represents a pivotal technology for current and future information systems, and many domains already leverage the capabilities of ML. However, deployment of ML in cybersecurity is still at an early stage, revealing a significant discrepancy between research and practice. Such discrepancy has its root cause in the current state-of-the-art, which does not allow to identify the role of ML in cybersecurity. The full potential of ML will never be unleashed unless its pros and cons are understood by a broad audience.This paper is the first attempt to provide a holistic understanding of the role of ML in the entire cybersecurity domain-to any potential reader with an interest in this topic. We highlight the advantages of ML with respect to human-driven detection methods, as well as the additional tasks that can be addressed by ML in cybersecurity. Moreover, we elucidate various intrinsic problems affecting real ML deployments in cybersecurity. Finally, we present how various stakeholders can contribute to future developments of ML in cybersecurity, which is essential for further progress in this field. Our contributions are complemented with two real case studies describing industrial applications of ML as defense against cyber-threats.

show abstract

The Missing Link in Network Intrusion Detection: Taking AI/ML Research Efforts to Users

Dietz,

Mühlhauser,

Kögel

et al. 2024

IEEE Access

View full text Add to dashboard Cite

Intrusion Detection Systems (IDS) tackle the challenging task of detecting network attacks as fast as possible. As this is getting more complex in modern enterprise networks, Artificial Intelligence (AI) and Machine Learning (ML) have gained substantial popularity in research. However, their adoption into real-world IDS solutions remains poor. Academic research often overlooks the interconnection of users and technical aspects. This leads to less explainable AI/ML models that hinder trust among AI/ML non-experts. Additionally, research often neglects secondary concerns such as usability and privacy. If IDS approaches conflict with current regulations or if administrators cannot deal with attacks more effectively, enterprises will not adopt the IDS in practice. To identify those problems systematically, our literature survey takes a user-centric approach; we examine IDS research from the perspective of stakeholders by applying the concept of personas. Further, we investigate multiple factors limiting the adoption of AI/ML in security and suggest technical, non-technical, and user-related considerations to enhance the adoption in practice. Our key contributions are threefold. (i) We derive personas from realistic enterprise scenarios, (ii) we provide a set of relevant hypotheses in the form of a review template, and (iii), based on our reviews, we derive design guidelines for practical implementations. To the best of our knowledge, this is the first paper that analyzes practical adoption barriers of AI/ML-based intrusion detection solutions concerning appropriateness of data, reproducibility, explainability, practicability, usability, and privacy. Our guidelines may help researchers to holistically evaluate their AI/ML-based IDS approaches to increase practical adoption.

show abstract

Network Anomaly Detection Using Transfer Learning Based on Auto-Encoders Loss Normalization

Cited by 15 publications

References 19 publications

A Survey of AI-Based Anomaly Detection in IoT and Sensor Networks

A Survey of AI-Based Anomaly Detection in IoT and Sensor Networks

The Role of Machine Learning in Cybersecurity

The Missing Link in Network Intrusion Detection: Taking AI/ML Research Efforts to Users

Contact Info

Product

Resources

About