Collective Anomaly Detection based on Long Short Term Memory Recurrent Neural Network

TL;DR

This paper introduces a real-time collective anomaly detection method using LSTM RNNs trained on normal network data, which detects anomalies based on prediction errors over multiple time steps, improving detection of malicious network activities.

Contribution

It proposes a novel collective anomaly detection approach leveraging LSTM RNNs trained solely on normal data, focusing on prediction errors over multiple time steps for improved detection.

Findings

Effective detection of collective anomalies in network traffic.

Reliable and efficient performance demonstrated on KDD 1999 dataset.

Outperforms traditional methods in identifying complex anomalies.

Abstract

Intrusion detection for computer network systems becomes one of the most critical tasks for network administrators today. It has an important role for organizations, governments and our society due to its valuable resources on computer networks. Traditional misuse detection strategies are unable to detect new and unknown intrusion. Besides, anomaly detection in network security is aim to distinguish between illegal or malicious events and normal behavior of network systems. Anomaly detection can be considered as a classification problem where it builds models of normal network behavior, which it uses to detect new patterns that significantly deviate from the model. Most of the cur- rent research on anomaly detection is based on the learning of normally and anomaly behaviors. They do not take into account the previous, re- cent events to detect the new incoming one. In this paper, we propose a real time collective anomaly detection model based on neural network learning and feature operating. Normally a Long Short Term Memory Recurrent Neural Network (LSTM RNN) is trained only on normal data and it is capable of predicting several time steps ahead of an input. In our approach, a LSTM RNN is trained with normal time series data before performing a live prediction for each time step. Instead of considering each time step separately, the observation of prediction errors from a certain number of time steps is now proposed as a new idea for detecting collective anomalies. The prediction errors from a number of the latest time steps above a threshold will indicate a collective anomaly. The model is built on a time series version of the KDD 1999 dataset. The experiments demonstrate that it is possible to offer reliable and efficient for collective anomaly detection.