Meta-UAD: A Meta-Learning Scheme for User-level Network Traffic Anomaly Detection

TL;DR

Meta-UAD introduces a meta-learning approach for user-level network traffic anomaly detection, enabling rapid adaptation to new anomaly classes with few samples, outperforming existing models significantly.

Contribution

The paper presents Meta-UAD, a novel meta-learning scheme that effectively detects new network anomalies with limited labeled data, addressing class imbalance and data scarcity issues.

Findings

Meta-UAD achieves 15-43% higher F1-score than existing models.

It effectively adapts to new anomaly classes with few samples.

The approach demonstrates superior performance on public datasets.

Abstract

Accuracy anomaly detection in user-level network traffic is crucial for network security. Compared with existing models that passively detect specific anomaly classes with large labeled training samples, user-level network traffic contains sizeable new anomaly classes with few labeled samples and has an imbalance, self-similar, and data-hungry nature. Motivation on those limitations, in this paper, we propose \textit{Meta-UAD}, a Meta-learning scheme for User-level network traffic Anomaly Detection. Meta-UAD uses the CICFlowMeter to extract 81 flow-level statistical features and remove some invalid ones using cumulative importance ranking. Meta-UAD adopts a meta-learning training structure and learns from the collection of K-way-M-shot classification tasks, which can use a pre-trained model to adapt any new class with few samples by few iteration steps. We evaluate our scheme on two public datasets. Compared with existing models, the results further demonstrate the superiority of Meta-UAD with 15{\%} - 43{\%} gains in F1-score.