FlowADGAN: Adversarial Learning for Deep Anomaly Network Intrusion Detection

Abstract

Due to the increasingly evolved attacks on the Internet, especially IoT, 5G, and vehicle networking, a robust Network Intrusion Detection System (NIDS) has gained increasing attention from academic and industrial communities. Anomaly-based intrusion detection algorithms aim to detect unexpected deviations in the expected network behaviour, thus detecting unknown or novel attacks compared to signature-based methods. Deep Anomaly Detection (DAD) technologies have attracted much attention for their ability to detect unknown attacks without manually building the traffic behaviours profile. However, low recall rates and high dependencies on data labels still hinder the development of DAD technologies. Inspired by the successes of Generative Adversarial Networks (GANs) for detecting anomalies in the area of Computer Vision and Images, we have proposed a deep end-to-end architecture called FlowADGAN for detecting anomalies in NIDS. Unlike traditional GAN-based NIDS methods that usually construct Generator (G) and Discriminator (D) based on vanilla GAN, the proposed architecture is composed of a flow encoder-decoder-encoder for G, and a flow encoder for D. FlowADGAN can learn a latent flow feature space of G so that the latent space better captures the normality underlying the network traffic data. We conduct several experimental comparisons with existing machine learning algorithms like One-Class SVM, LOF, and PCA and existing deep learning methods, including AutoEncoder and VAE, on three public datasets, NSL-KDD CICIDS2017 and UNSW-NB15. The evaluation results show that FlowADGAN can significantly improve the performance of the anomaly-based NIDS.