FlowGANAnomaly: Flow-Based Anomaly Network Intrusion Detection with Adversarial Learning
Abstract
In recent years, low recall rates and a high dependence on data labelling have become the biggest obstacles to developing deep anomaly detection (DAD) techniques. Inspired by the success of generative adversarial networks (GANs) in detecting anomalies in computer vision and imaging, we propose an anomaly detection model called FlowGANAnomaly for detecting anomalous traffic in network intrusion detection systems (NIDS). Unlike traditional GAN-based approaches, which are composed of a flow encoder, a convolutional encoder-decoder-encoder, a flow decoder and a convolutional encoder, the architecture of this model consists of a generator (G) and a discriminator (D). FlowGANAnomaly maps the different types of traffic feature data from separate datasets to a uniform feature space, and can thus capture the normality of network traffic data more accurately in an adversarial manner, mitigating the problem of high dependence on data labelling. Moreover, instead of simply detecting anomalies by the output of D, we propose a new anomaly scoring method that integrates the deviation between the output of two Gs’ convolutional encoders with the output of D as weighted scores to improve the low recall rate of anomaly detection. We conducted several experiments comparing FlowGANAnomaly with existing machine learning algorithms and existing deep learning methods (AutoEncoder and VAE) on four public datasets (NSL-KDD, CIC-IDS2017, CIC-DDoS2019, and UNSW-NB15). The evaluation results show that FlowGANAnomaly can significantly improve the performance of anomaly-based NIDS.