CBAM: A Contextual Model for Network Anomaly Detection

Henry Clausen, Gudmund Grov, David Aspinall

Research output: Contribution to journal › Article › peer-review

Abstract / Description of output

Anomaly-based intrusion detection methods aim to combat the increasing rate of zero-day attacks; however, their success is currently restricted to the detection of high-volume attacks using aggregated traffic features. Recent evaluations show that current anomaly-based network intrusion detection methods fail to reliably detect remote access attacks. These are smaller in volume and often only stand out when compared to their surroundings. Currently, anomaly methods try to detect access attack events mainly as point anomalies and neglect the context they appear in. We present and examine a contextual bidirectional anomaly model (CBAM) based on deep LSTM networks that is specifically designed to detect such attacks as contextual network anomalies. The model efficiently learns short-term sequential patterns in network flows as conditional event probabilities. Access attacks frequently break these patterns when exploiting vulnerabilities, and can thus be detected as contextual anomalies. We evaluated CBAM on an assembly of three datasets that together provide representative network access attacks, real-life traffic over a long timespan, and traffic from a real-world red-team attack. We contend that this assembly is closer to a potential deployment environment than current NIDS benchmark datasets. We show that, by building a deep model, we are able to reduce the false positive rate to 0.16% while effectively detecting six out of seven access attacks, which is significantly lower than the operational range of other methods. We further demonstrate that short-term flow structures remain stable over long periods of time, making CBAM robust against concept drift.
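The abstract's core idea is that a flow is scored not on its own rarity but on how probable it is given the flows around it, in both directions. The following is an added illustration, not the paper's CBAM code: it replaces the deep LSTM with a smoothed bidirectional bigram model over constructed flow tokens of the form (protocol, destination port), and contrasts the resulting contextual score with a context-free (point-anomaly) score. The session data, token format, smoothing constant and threshold rule are all assumptions made for the example.

```python
from collections import defaultdict
from math import log

# Constructed sample data (not from the paper): each session is the sequence of
# flows one host produced, tokenised as (protocol, destination port).
BENIGN_SESSIONS = [
    [("udp", 53), ("tcp", 443), ("tcp", 443), ("udp", 53), ("tcp", 80)],
    [("udp", 53), ("tcp", 443), ("udp", 53), ("tcp", 443), ("tcp", 443)],
    [("udp", 53), ("tcp", 80), ("tcp", 443), ("udp", 53), ("tcp", 443)],
    [("udp", 53), ("tcp", 443), ("tcp", 443), ("tcp", 443), ("udp", 53)],
]
# Every flow here is the single most common event in the training data, yet the
# sequence (DNS lookups with none of the usual follow-on connections) never occurs:
# a contextual anomaly that a point-anomaly check cannot see.
CONTEXTUAL_ANOMALY = [("udp", 53)] * 5

START, END = "<s>", "</s>"


class BigramFlowModel:
    """Bidirectional bigram model: P(flow | previous flow) and P(flow | next flow)
    with add-alpha smoothing. A stand-in for the paper's LSTM, not its code."""

    def __init__(self, alpha=0.5):
        self.alpha = alpha
        self.fwd = defaultdict(dict)   # fwd[prev][tok] -> count
        self.bwd = defaultdict(dict)   # bwd[next][tok] -> count
        self.unigram = {}              # tok -> count over real flows only
        self.vocab = set()

    def fit(self, sessions):
        for s in sessions:
            toks = [START] + list(s) + [END]
            self.vocab.update(toks)
            for t in s:
                self.unigram[t] = self.unigram.get(t, 0) + 1
            for a, b in zip(toks, toks[1:]):
                self.fwd[a][b] = self.fwd[a].get(b, 0) + 1
                self.bwd[b][a] = self.bwd[b].get(a, 0) + 1
        return self

    def _cond_prob(self, table, ctx, tok):
        # Add-alpha smoothed conditional probability; .get() avoids mutating the tables
        counts = table.get(ctx, {})
        total = sum(counts.values())
        return (counts.get(tok, 0) + self.alpha) / (total + self.alpha * len(self.vocab))

    def context_score(self, session):
        """Mean negative log conditional probability of each flow given both neighbours."""
        toks = [START] + list(session) + [END]
        nll = 0.0
        for i in range(1, len(toks) - 1):
            nll -= log(self._cond_prob(self.fwd, toks[i - 1], toks[i]))
            nll -= log(self._cond_prob(self.bwd, toks[i + 1], toks[i]))
        return nll / (2 * len(session))

    def point_score(self, session):
        """Context-free baseline: mean -log P(flow) from unigram frequencies."""
        total = sum(self.unigram.values())
        denom = total + self.alpha * len(self.vocab)
        return sum(-log((self.unigram.get(t, 0) + self.alpha) / denom)
                   for t in session) / len(session)


def calibrate(model, sessions, margin=1.5):
    """Hypothetical calibration rule: flag anything scoring more than `margin`
    times the worst-scoring benign training session."""
    return margin * max(model.context_score(s) for s in sessions)


def detect(model, session, threshold):
    return model.context_score(session) > threshold


model = BigramFlowModel().fit(BENIGN_SESSIONS)
THRESHOLD = calibrate(model, BENIGN_SESSIONS)

if __name__ == "__main__":
    for name, s in [("benign", BENIGN_SESSIONS[2]), ("anomaly", CONTEXTUAL_ANOMALY)]:
        print(name, "context=%.2f point=%.2f flagged=%s"
              % (model.context_score(s), model.point_score(s), detect(model, s, THRESHOLD)))
```

On this data the anomalous session's point score is lower than that of a benign session containing one port-80 flow, so a frequency-based detector would rank it as more normal than real traffic, while its contextual score is well above every benign session. That separation, obtained from conditional rather than marginal probabilities, is the property the abstract attributes to CBAM; the LSTM extends the same idea to longer contexts than a single neighbouring flow.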
Original language: English
Article number: 79
Number of pages: 28
Journal: Computers
Volume: 10
Issue number: 6
DOIs
Publication status: Published - 11 Jun 2021

Keywords

  • network intrusion detection
  • deep learning
  • anomaly detection
  • flow prediction
  • access attacks
