Deep anomaly detection in packet payload

Liu, Jiaxin; Song, Xucheng; Zhou, Yingjie; Peng, Xi; Zhang, Yanru; Liu, Pei; Wu, Dapeng; Zhu, Changan

doi:10.1016/j.neucom.2021.01.146

Cited by 35 publications

(15 citation statements)

References 21 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…This approach could improve the performance of existing models based on classical machine learning, while reducing the effort of labeling training data. Liu et al [14] designed a specially designed neural network that includes long short-term memory, convolutional neural networks and multi-head self attention mechanism to detect packet payload anomalies. It could learn the potential dependency relationships among the packet payload in both perspectives, i.e., a global perspective as well as a perspective from local features to aggregative representation.…”

Section: Related Work a Deep Supervised Anomaly Detectionmentioning

confidence: 99%

“…Depending on whether the anomaly samples are available at the training stage, the existing anomaly detection approaches can be categorized into three groups, i.e., supervised learning methods [1], [13], [14], unsupervised learning methods [2], [7], [15], [16], [17], [18] and weakly-supervised learning methods [19], [20], [21]. The supervised methods leverage both normal and abnormal data to train a detector.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Feature Encoding With Autoencoders for Weakly Supervised Anomaly Detection

Zhou

Song

Zhang

et al. 2022

IEEE Trans. Neural Netw. Learning Syst.

Self Cite

View full text Add to dashboard Cite

Weakly-supervised anomaly detection aims at learning an anomaly detector from a limited amount of labeled data and abundant unlabeled data. Recent works build deep neural networks for anomaly detection by discriminatively mapping the normal samples and abnormal samples to different regions in the feature space or fitting different distributions. However, due to the limited number of annotated anomaly samples, directly training networks with the discriminative loss may not be sufficient. To overcome this issue, this paper proposes a novel strategy to transform the input data into a more meaningful representation that could be used for anomaly detection. Specifically, we leverage an autoencoder to encode the input data and utilize three factors, hidden representation, reconstruction residual vector, and reconstruction error, as the new representation for the input data. This representation amounts to encode a test sample with its projection on the training data manifold, its direction to its projection and its distance to its projection. In addition to this encoding, we also propose a novel network architecture to seamlessly incorporate those three factors. From our extensive experiments, the benefits of the proposed strategy are clearly demonstrated by its superior performance over the competitive methods. Code is available at: https://github.com/yjzhou/Feature Encoding with AutoEncoders for Weakly-superv ised Anomaly Detection.

show abstract

Section: Related Work a Deep Supervised Anomaly Detectionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Feature Encoding With Autoencoders for Weakly Supervised Anomaly Detection

Zhou

Song

Zhang

et al. 2022

IEEE Trans. Neural Netw. Learning Syst.

Self Cite

View full text Add to dashboard Cite

show abstract

“…Moreover, no information is given regarding the extraction and labeling of raw packet files. Similarly, [6] also utilizes the CIC-IDS2017 dataset. In this approach, the author employs the payload data to construct a block sequence that contains two kinds of information that retain short-term and long-term dependency relationships among the malicious byte in payload data.…”

Section: B Approaches Based On Modern Datamentioning

confidence: 99%

“…NIDS utilizes various approaches for the detection of malicious attack instances. The most prominent of these approaches are rulebased, flow-based, and packet-based methods [6]. Rule-based methods are typically based on feature selection to construct domain-specific rules.…”

Section: Introductionmentioning

confidence: 99%

“…The anomalies in attack instances might appear as a number of specific strings. For example, an SQL injection attack injects anomalous codes such as " or 1 = 1 --" into SQL queries to make them always true [6]. Moreover, many attacks such as Worms, Ransomware, and Trojans are based on payload delivery, and these types of attacks might be hidden from flow-based approaches.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Payload-Byte: A Tool for Extracting and Labeling Packet Capture Files of Modern Network Intrusion Detection Datasets

Farrukh¹,

Khan²,

Wali³

et al. 2022

Preprint

View full text Add to dashboard Cite

<p>Adapting modern approaches for network intrusion detection is becoming critical, given the rapid technological advancement and adversarial attack rates. Therefore, packet-based methods utilizing payload data are gaining much popularity due to their effectiveness in detecting certain attacks. However, packet-based approaches suffer from a lack of standardization, resulting in incomparability and reproducibility issues. Unlike flow-based datasets, no standard labeled dataset exists, forcing researchers to follow bespoke labeling pipelines for individual approaches. Without a standardized baseline, proposed approaches cannot be compared and evaluated with each other. One cannot gauge whether the proposed approach is a methodological advancement or is just being benefited from the proprietary interpretation of the dataset. Addressing comparability and reproducibility issues, we introduce Payload-Byte, an open-source tool for extracting and labeling network packets in this work. Payload-Byte utilizes metadata information and labels raw traffic captures of modern intrusion detection datasets in a generalized manner. Moreover, we transformed the labeled data into a byte-wise feature vector that can be utilized for training machine learning models. The whole cycle of processing and labeling is explicitly stated in this work. Furthermore, source code and processed data are made publicly available so that it may act as a standardized baseline for future research work. Lastly, we present a brief comparative analysis of machine learning models trained on packet-based and flow-based data.</p> <p>UNSW-NB15 and CIC-IDS2017.</p>

show abstract

Using Deep Learning to Perform Payload Classification

Thakur

Rane

2023

Lecture Notes in Networks and Systems

View full text Add to dashboard Cite

Deep anomaly detection in packet payload

Cited by 35 publications

References 21 publications

Feature Encoding With Autoencoders for Weakly Supervised Anomaly Detection

Feature Encoding With Autoencoders for Weakly Supervised Anomaly Detection

Payload-Byte: A Tool for Extracting and Labeling Packet Capture Files of Modern Network Intrusion Detection Datasets

Using Deep Learning to Perform Payload Classification

Contact Info

Product

Resources

About