FlowGANAnomaly: Flow-Based Anomaly Network Intrusion Detection with Adversarial Learning

In recent years, low recall rates and high dependencies on data labelling have become the biggest obstacle to developing deep anomaly detection(DAD) techniques. Inspired by the success of generative adversarial networks(GANs) in detecting anomalies in computer vision and imaging, we propose an anomaly detection model called Flow GANAnomaly for detecting anomalous traffic in network intrusion detection systems(NIDS). Unlike traditional GAN-based approaches, which are composed of a flow encoder, a convolutional encoder-decoder-encoder, a flow decoder and a convolutional encoder, the architecture of this model consists of a generator(G) and a discriminator(D).Flow GANAnomaly maps the different types of traffic feature data from separate datasets to a uniform feature space,thus can capture the normality of network traffic data more accurately in an adversarial manner to mitigate the problem of the high dependence on data labeling. Moreover, instead of simply detecting the anomalies by the output of D, we proposed a new anomaly scoring method that integrates the deviation between the output of two Gs’ convolutional encoders with the output of D as weighted scores to improve the low recall rate of anomaly detection. We conducted several experiments comparing existing machine learning algorithms and existing deep learning methods(Auto Encoder and VAE) on four public datasets(NSL-KDD, CIC-IDS2017, CIC-DDo S2019, and UNSW-NB15). The evaluation results show that Flow GANAnomaly can significantly improve the performance of anomaly-based NIDS.