ENCODE: Encoding NetFlows for Network Anomaly Detection

TL;DR

This paper introduces a novel encoding method for NetFlow data that emphasizes feature frequency and context, improving the performance of machine learning models in detecting network anomalies, especially in Kubernetes environments.

Contribution

The work presents a new encoding algorithm tailored for network data that enhances anomaly detection by considering feature frequency and context, unlike existing generic preprocessing methods.

Findings

Encoding improves anomaly detection accuracy.

Models trained on encoded data outperform baseline methods.

Effective on both Kubernetes and public NetFlow datasets.

Abstract

NetFlow data is a popular network log format used by many network analysts and researchers. The advantages of using NetFlow over deep packet inspection are that it is easier to collect and process, and it is less privacy intrusive. Many works have used machine learning to detect network attacks using NetFlow data. The first step for these machine learning pipelines is to pre-process the data before it is given to the machine learning algorithm. Many approaches exist to pre-process NetFlow data; however, these simply apply existing methods to the data, not considering the specific properties of network data. We argue that for data originating from software systems, such as NetFlow or software logs, similarities in frequency and contexts of feature values are more important than similarities in the value itself. In this work, we propose an encoding algorithm that directly takes the frequency and the context of the feature values into account when the data is being processed. Different types of network behaviours can be clustered using this encoding, thus aiding the process of detecting anomalies within the network. We train several machine learning models for anomaly detection using the data that has been encoded with our encoding algorithm. We evaluate the effectiveness of our encoding on a new dataset that we created for network attacks on Kubernetes clusters and two well-known public NetFlow datasets. We empirically demonstrate that the machine learning models benefit from using our encoding for anomaly detection.