An Unsupervised Deep Learning Model for Early Network Traffic Anomaly Detection

An Unsupervised Deep Learning Model for Early Network Traffic Anomaly Detection

Table of Contents


Various attacks have emerged as the major threats to the success of a connected world like the Internet of Things (IoT), in which billions of devices interact with each other to facilitate human life. By exploiting the vulnerabilities of cheap and insecure devices such as IP cameras, an attacker can create hundreds of thousands of zombie devices and then launch massive volume attacks to take down any target. For example, in 2016, a record large-scale DDoS attack launched by millions of Mirai-injected IP cameras and smart printers blocked the accessibility of several high-profile websites. To date, the state-of-the-art defense systems against such attacks rely mostly on pre-defined features extracted from the entire flows or signatures. The feature definitions are manual, and it would be too late to block a malicious flow after extracting the flow features. In this work, we present an effective anomaly traffic detection mechanism, namely D-PACK, which consists of a Convolutional Neural Network (CNN) and an unsupervised deep learning model (e.g., Autoencoder) for auto-profiling the traffic patterns and filtering abnormal traffic. Notably, D-PACK inspects only the first few bytes of the first few packets in each flow for early detection. Our experimental results show that, by examining just the first two packets in each flow, D-PACK still performs with nearly 100% accuracy, while features an extremely low false-positive rate, e.g., 0.83%. The design can inspire the emerging efforts towards online anomaly detection systems that feature reducing the volume of processed packets and blocking malicious flows in time.

Author Keywords

  • IoT security,
  • anomaly detection,
  • a convolutional neural network,
  • autoencoder,
  • online DL-based anomaly detection

IEEE Keywords

  • Anomaly detection,
  • Feature extraction,
  • Deep learning,
  • Internet of Things,
  • Buildings,
  • Telecommunication traffic,
  • IP networks


In recent years, with increasingly massive IoT applications and connected devices, distributed denial-of-service (DDoS) attacks have caught the attention of the security community with a series of record-high attack magnitude. Given a small proportion of billions of IoT devices, e.g., cheap and insecure IP cameras, injected to be zombies, an adversary can generate a massive volume of flooding traffic to take down a target such as a critical Internet service. Although this kind of attack is by no means new, it still poses a tremendous threat to most state-of-the-art defense systems [1]–[2][3][4]. To stop malicious traffic, including that from DDoS attacks, the first step is to detect traffic anomaly as soon as possible by analyzing network traffic at the gateways, at edge servers, or in a scrubbing center [5].

To date, existing approaches such as signature-based and statistical detection systems still have several flaws, e.g., the rule maintenance cycle cannot keep up with soaring attack variants [3]. When the ecosystem of Internet-connected systems expands and the diversity of IoT devices increases rapidly, it is inevitable that there are more potential vulnerabilities for an attacker to exploit. As a result, a signature-based detection system, which may be able to detect well-known attacks with high accuracy, can quickly lose its advantage because unknown attacks may appear nearly per minute [1], [2]. Dealing with the explosion of the attack variants, the anomaly detection approaches, as opposed to the signature-based ones, can significantly help. Unlike signature-based approaches, anomaly detection systems can monitor network flows and classify them as either normal or anomalous ones; thus, new attack variants are less likely to bypass the detection. Nonetheless, anomaly detection approaches often face high false alarm rates, since the systems must be taught to recognize normal activities [6]. So far, such systems are often designed with strict mathematical models and a set of predefined features [7]. Fortunately, deep learning (DL) promises to be the game-changer to help to solve the learning problem, i.e., automatically building the traffic profile. The most benefit of deep learning is to build a thorough pattern that can precisely characterize specific objects through automatically learning a large volume of data and species.

DL-based approaches have been well investigated in many fields over the years, including anomaly detection. However, many challenges remain, e.g., speeding up the detection and auto-profiling the traffic patterns effectively, which are also the target of this work. From the design perspective, the detection systems should characterize normal network flows and define well-represented traffic profiling. Based on this profiling, the systems can identify and isolate anomalous network activities. In the literature, the common profiling method is building a pre-defined list of features [6], [8] from flow statistics, e.g., sending rate, packet count or flow size, and then using the DL models such as a convolutional neural network (CNN) for learning [9]. However, defining a list of well-represented features manually for effective learning poses tremendous challenges, e.g., labor time, particularly if the network has a diversity of application traffic. Recently, a promising approach is to use CNN to automatically extract such features directly from raw traffic, instead of from the summarized data, e.g., [10]. In this work, we go further in building the traffic patterns (e.g., of benign applications) by examining only the first few bytes of the first few packets of the flows. This approach promises to have many advantages, particularly for online anomaly detection systems. For example, the detection does not need to waste remarkable computation and time for checking redundant data and storage in a whole long session, while a few first packets of the flows are sufficient for the detection. As a result, our system has a significant advantage of speeding up the detection. Note that summarizing the traffic in a flow-based approach may demand much memory space for flow tracking in a large network, particularly if many long flows exist.

The proposed system, namely D-PACK, consists of two main parts: (1) A CNN module is designed for auto-learning the features from the raw data; (2) An unsupervised DL model (autoencoder) trained with the output data of (1) targets at building the profile of benign traffic and then precisely judge whether the traffic in the examined flows is abnormal. The experimental results show that D-PACK is competitive and prominently outperforms prior studies in terms of accuracy, precision, recall, and F1-measure. Specifically, it can detect malicious traffic with nearly 100% accuracy and less than 1% FNR and FPR, even if it examines only two packets from each flow and 80 bytes from each packet. To train the system with the normal traffic characteristics and activities, the training is set to run at the time of deploying the devices to ensure the devices are in the clean state before any possible compromising. The detection is also deployed close to the devices (i.e., the traffic sources) to identify traffic anomaly.


In this work, we present a novel early malicious traffic detection framework, namely D-PACK, based on traffic sampling, traffic auto-profiling (CNN), and an unsupervised DL model (autoencoder). By targeting at examining as few packets and number of bytes from each packet as possible, our system can significantly reduce the traffic volume for processing. The evaluation results show that D-PACK can detect malicious traffic with nearly 100% accuracy and less than 1% FNR and FPR, even if it examines only two packets from each flow and 80 bytes from each packet. Moreover, it is supposed to consume much less flow pre-processing time and detection time than prior works because much fewer packets and bytes are inspected. Thus, the important advantage of this framework is to speed up detection. We believe that this first attempt can inspire the research community to consider further optimization methods, particularly by exploiting the advantages of deep learning to build effective online anomaly detection systems without suffering significant detection delay.

About KSRA

The Kavian Scientific Research Association (KSRA) is a non-profit research organization to provide research / educational services in December 2013. The members of the community had formed a virtual group on the Viber social network. The core of the Kavian Scientific Association was formed with these members as founders. These individuals, led by Professor Siavosh Kaviani, decided to launch a scientific / research association with an emphasis on education.

KSRA research association, as a non-profit research firm, is committed to providing research services in the field of knowledge. The main beneficiaries of this association are public or private knowledge-based companies, students, researchers, researchers, professors, universities, and industrial and semi-industrial centers around the world.

Our main services Based on Education for all Spectrum people in the world. We want to make an integration between researches and educations. We believe education is the main right of Human beings. So our services should be concentrated on inclusive education.

The KSRA team partners with local under-served communities around the world to improve the access to and quality of knowledge based on education, amplify and augment learning programs where they exist, and create new opportunities for e-learning where traditional education systems are lacking or non-existent.

FULL Paper PDF file:

An Unsupervised Deep Learning Model for Early Network Traffic Anomaly Detection



R. Hwang, M. Peng, C. Huang, P. Lin, and V. Nguyen,




An Unsupervised Deep Learning Model for Early Network Traffic Anomaly Detection


in IEEE Access, vol. 8, pp. 30387-30399, 2020



PDF reference and original file: Click here



+ posts

Somayeh Nosrati was born in 1982 in Tehran. She holds a Master's degree in artificial intelligence from Khatam University of Tehran.

Website | + posts

Professor Siavosh Kaviani was born in 1961 in Tehran. He had a professorship. He holds a Ph.D. in Software Engineering from the QL University of Software Development Methodology and an honorary Ph.D. from the University of Chelsea.

Website | + posts

Nasim Gazerani was born in 1983 in Arak. She holds a Master's degree in Software Engineering from UM University of Malaysia.