Assessing the Impact of a Supervised Classification Filter on Flow-based Hybrid Network Anomaly Detection
Dominik Macko, Patrik Goldschmidt, Peter Pištek, Daniela Chudá

TL;DR
This paper evaluates how adding a supervised classification filter improves network anomaly detection by increasing attack detection rates and maintaining low false positives, using a hybrid autoencoder-based approach on real-world data.
Contribution
It introduces a hybrid anomaly detection method with a supervised prefilter, demonstrating improved detection performance over standalone autoencoder models.
Findings
AUC increased by over 11% with the prefilter
30% more attacks detected compared to baseline
False positive rate remained approximately the same
Abstract
Constant evolution and the emergence of new cyberattacks require the development of advanced techniques for defense. This paper aims to measure the impact of a supervised filter (classifier) in network anomaly detection. We perform our experiments by employing a hybrid anomaly detection approach in network flow data. For this purpose, we extended a state-of-the-art autoencoder-based anomaly detection method by prepending a binary classifier acting as a prefilter for the anomaly detector. The method was evaluated on the publicly available real-world dataset UGR'16. Our empirical results indicate that the hybrid approach does offer a higher detection rate of known attacks than a standalone anomaly detector while still retaining the ability to detect zero-day attacks. Employing a supervised binary prefilter has increased the AUC metric by over 11%, detecting 30% more attacks while keeping…
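A toy sketch of the hybrid pipeline described in the abstract, added here as an illustration and not the paper's code: a nearest-centroid classifier stands in for the binary prefilter, and a per-feature z-score check stands in for the autoencoder's reconstruction error. The two-feature flows, the threshold, and the rule that only flows passed by the prefilter reach the anomaly detector are assumptions.

```python
import statistics

def fit_prefilter(benign, attacks):
    """Supervised stage (stand-in): nearest-centroid classifier on labelled flows."""
    cb = [statistics.fmean(c) for c in zip(*benign)]
    ca = [statistics.fmean(c) for c in zip(*attacks)]
    def is_known_attack(x):
        db = sum((v - c) ** 2 for v, c in zip(x, cb))
        da = sum((v - c) ** 2 for v, c in zip(x, ca))
        return da < db
    return is_known_attack

def fit_anomaly_detector(benign, threshold=3.0):
    """Unsupervised stage (stand-in), fitted on benign flows only:
    flags a flow whose largest per-feature z-score exceeds the threshold."""
    mu = [statistics.fmean(c) for c in zip(*benign)]
    sd = [statistics.pstdev(c) for c in zip(*benign)]
    def is_anomalous(x):
        return max(abs(v - m) / s for v, m, s in zip(x, mu, sd)) > threshold
    return is_anomalous

def hybrid(prefilter, detector):
    """Assumed combination rule: the prefilter labels known attacks first;
    everything it passes goes to the anomaly detector."""
    def classify(x):
        if prefilter(x):
            return "known_attack"
        return "anomaly" if detector(x) else "benign"
    return classify

# Constructed flows, features = (packets, kilobytes). Benign traffic keeps the
# two features roughly proportional; the known attack breaks that relationship
# while staying inside each feature's normal range.
BENIGN = [(10, 11), (25, 24), (40, 42), (50, 49), (60, 61), (75, 74), (90, 89)]
KNOWN_ATTACKS = [(78, 18), (80, 20), (82, 22), (85, 19)]

def evaluate(flows):
    """Return (standalone detector verdict, hybrid verdict) for each flow."""
    pre = fit_prefilter(BENIGN, KNOWN_ATTACKS)
    det = fit_anomaly_detector(BENIGN)
    hyb = hybrid(pre, det)
    return [("anomaly" if det(f) else "benign", hyb(f)) for f in flows]

if __name__ == "__main__":
    samples = [(55, 54), (81, 21), (20, 400)]  # benign, known-attack variant, unseen pattern
    for flow, (alone, both) in zip(samples, evaluate(samples)):
        print(flow, "standalone:", alone, "| hybrid:", both)
```

The second sample is missed by the standalone detector but caught by the prefilter, while the third is unknown to the prefilter and still flagged by the anomaly stage.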
Taxonomy
Topics: Network Security and Intrusion Detection · Anomaly Detection Techniques and Applications · Internet Traffic Analysis and Secure E-voting
