DOC-NAD: A Hybrid Deep One-class Classifier for Network Anomaly Detection
Mohanad Sarhan, Gayan Kulatilleke, Wai Weng Lo, Siamak Layeghy, Marius Portmann

TL;DR
This paper introduces DOC-NAD, a deep one-class classifier that detects network anomalies using only benign data, outperforming existing methods in detection accuracy and false positive reduction.
Contribution
It presents a novel hybrid deep one-class classifier architecture tailored for network intrusion detection that requires only benign training data, addressing data scarcity issues.
Findings
Outperforms state-of-the-art one-class classifiers in detection accuracy.
Achieves lower false positive rates on benchmark datasets.
Demonstrates effectiveness with two benchmark NIDS datasets.
Abstract
Machine Learning (ML) approaches have been used to enhance the detection capabilities of Network Intrusion Detection Systems (NIDSs). Recent work has achieved near-perfect performance by following binary- and multi-class network anomaly detection tasks. Such systems depend on the availability of both (benign and malicious) network data classes during the training phase. However, attack data samples are often challenging to collect in most organisations due to security controls preventing the penetration of known malicious traffic to their networks. Therefore, this paper proposes a Deep One-Class (DOC) classifier for network intrusion detection by only training on benign network data samples. The novel one-class classification architecture consists of a histogram-based deep feed-forward classifier to extract useful network data features and use efficient outlier detection. The DOC…
Taxonomy
Topics: Network Security and Intrusion Detection · Anomaly Detection Techniques and Applications · Advanced Malware Detection Techniques
