Anomaly Detection in Event-triggered Traffic Time Series via Similarity Learning
Shaoyu Dou, Kai Yang, Yang Jiao, Chengbo Qiu, Kui Ren

TL;DR
This paper introduces an unsupervised framework that leverages hierarchical autoencoders and GMM to learn and visualize similarities among event-triggered time series, enhancing anomaly detection and clustering in cybersecurity.
Contribution
It presents a novel unsupervised learning approach combining autoencoders and GMM to effectively model similarities in complex event-triggered time series.
Findings
Outperforms existing similarity learning methods significantly
Provides interpretable similarity visualizations
Improves anomaly detection accuracy
Abstract
Time series analysis has achieved great success in cyber security such as intrusion detection and device identification. Learning similarities among multiple time series is a crucial problem since it serves as the foundation for downstream analysis. Due to the complex temporal dynamics of the event-triggered time series, it often remains unclear which similarity metric is appropriate for security-related tasks, such as anomaly detection and clustering. The overarching goal of this paper is to develop an unsupervised learning framework that is capable of learning similarities among a set of event-triggered time series. From the machine learning vantage point, the proposed framework harnesses the power of both hierarchical multi-resolution sequential autoencoders and the Gaussian Mixture Model (GMM) to effectively learn the low-dimensional representations from the time series. Finally,…
