SuperB: Superior Behavior-based Anomaly Detection Defining Authorized Users' Traffic Patterns

Abstract

Network anomalies are correlated to activities that deviate from regular behavior patterns in a network, and they are undetectable until their actions are defined as malicious. Current work in network anomaly detection includes network-based and host-based intrusion detection systems. However, most of them suffer from high false detection rates due to the base rate fallacy. To overcome such a drawback, this paper proposes a superior behavior-based anomaly detection system (SuperB) that defines legitimate network behaviors of authorized users in order to identify unauthorized accesses. We define the network behaviors of the authorized users by training the proposed deep learning model with time-series data extracted from network packets of each of the users. Then, the trained model is used to classify all other behaviors (we define these as anomalies) from the defined legitimate behaviors. As a result, SuperB effectively detects all anomalies of network behaviors. Our simulation results show that the proposed algorithm needs at least five end-toend conversations to achieve over 95% accuracy and over 93% recall rate. Some simulations show 100% accuracy and recall rate. Our simulations use live network data combined with the CICIDS2017 data set. The performance has an average of less than 1.1% false-positive rate with some simulations showing 0%. The execution time to process each conversation is 85.20 +/- 0.60 milliseconds (ms), and thus it takes about only 426 ms to process five conversations to identify anomaly.