Evaluating Security Anomalies by Classifying Traffic Using a Multi-Layered Model

Document Type : Original Article


Department of Computer Iranians University an E-Institute of Higher Education, Tehran, Iran


Accurate traffic classification is important for various network activities such as accurate network management and proper resource utilization. Port-based approaches, deep packet inspection, and machine learning are widely used techniques for classifying and analyzing network traffic flows. Most classification methods are suitable for small-scale datasets and cannot achieve a high classification accuracy owing to their shallow learning structure and limited learning ability. The emergence of deep learning technology and software-driven networks has enabled the application of classification methods for processing large-scale data.
In this study, a two-step classification method based on deep learning algorithms is presented, which can achieve high classification accuracy without manually selecting and extracting features. In the proposed method, an Autoencoder was used to extract features and remove unnecessary and redundant features. In the second step, the proposed method uses the features extracted by the autoencoder from a hybrid deep-learning model based on the CNN and LSTM algorithms to classify network traffic.
To evaluate the proposed method, the results of the proposed two-stage hybrid method is compared with comparative algorithms including decision tree, Naïve Bayes, random forest. The proposed combined CNN+LSTM method obtains the best results by obtaining values of 0.997, 0.972, 0.959, and 0.964, respectively, for the evaluation criteria of, accuracy, precision, recall, and F1 score.
The proposed method is a practical and operational method with high accuracy, which can be applied in the real world and used in the detection of security anomalies in networks using traffic classification and network data.


Main Subjects

  • Naughton, “The evolution of the Internet: from military experiment to General Purpose Technology,” Journal of Cyber Policy, vol. 1, no. 1, pp. 5-28, 2016. https://doi.org/10.1080/23738871.2016.1157619.
  • Cisco, “Cisco annual internet report (2018–2023) white paper. 2020,” Acessado em, vol. 10, no. 01, 2021.
  • Al Khater and R. E. Overill, “Network traffic classification techniques and challenges,” in 2015 Tenth international conference on digital information management (ICDIM), IEEE, 2015, pp. 43-48. https://doi.org/10.1109/ICDIM.2015.7381869.
  • Xue, D. Wang, and L. Zhang, “Traffic classification: Issues and challenges,” in 2013 International Conference on Computing, Networking and Communications (ICNC), IEEE, 2013, pp. 545-549. https://doi.org/10.1109/ICCNC.2013.6504144.
  • Xie, F. R. Yu, T. Huang, R. Xie, J. Liu, C. Wang, and Y. Liu, “A survey of machine learning techniques applied to software defined networking (SDN): Research issues and challenges,” IEEE Communications Surveys & Tutorials, vol. 21, no. 1, pp. 393-430, 2018. https://doi.org/10.1109/COMST.2018.2866942.
  • Mestres et al., “Knowledge-defined networking,” ACM SIGCOMM Computer Communication Review, vol. 47, no. 3, pp. 2-10, 2017. https://doi.org/10.1145/3138808.3138810.
  • Shirmarz and A. Ghaffari, “Performance issues and solutions in SDN-based data center: a survey,” The Journal of Supercomputing, vol. 76, no. 10, pp. 7545-7593, 2020. https://doi.org/10.1007/s11227-020-03180-7.
  • Kalkan, L. Altay, G. Gür, and F. Alagöz, “JESS: Joint entropy-based DDoS defense scheme in SDN,” IEEE Journal on Selected Areas in Communications, vol. 36, no. 10, pp. 2358-2372, 2018. https://doi.org/10.1109/JSAC.2018.2869997.
  • A. Lima and M. P. Fernandez, "Towards an efficient DDoS detection scheme for software-defined networks," IEEE Latin America Transactions, vol. 16, no. 8, pp. 2296-2301, 2018. https://doi.org/10.1109/TLA.2018.8528249.
  • Kumar, M. Tripathi, A. Nehra, M. Conti, and C. Lal, “SAFETY: Early detection and mitigation of TCP SYN flood utilizing entropy in SDN,” IEEE Transactions on Network and Service Management, vol. 15, no. 4, pp. 1545-1559, 2018. https://doi.org/10.1109/TNSM.2018.2861741.
  • Peng, Z. Sun, X. Zhao, S. Tan, and Z. Sun, “A detection method for anomaly flow in software defined network,” IEEE Access, vol. 6, pp. 27809-27817, 2018. https://doi.org/10.1109/ACCESS.2018.2839684.
  • -D. Zang, J. Gong, and X.-Y. Hu, “An adaptive profile-based approach for detecting anomalous traffic in backbone,” IEEE Access, vol. 7, pp. 56920-56934, 2019. https://doi.org/10.1109/ACCESS.2019.2914303.
  • Xu, H. Sun, F. Xiang, and Z. Sun, “Efficient DDoS detection based on K-FKNN in software defined networks,” IEEE access, vol. 7, pp. 160536-160545, 2019. https://doi.org/10.1109/ACCESS.2019.2950945.
  • Kokila, S. T. Selvi, and K. Govindarajan, “DDoS detection and analysis in SDN-based environment using support vector machine classifier,” in 2014 sixth international conference on advanced computing (ICoAC), IEEE, 2014, pp. 205-210. https://doi.org/10.1109/ICoAC.2014.7229711.
  • Dang-Van and H. Truong-Thu, “A multi-criteria based software defined networking system Architecture for DDoS-attack mitigation,” REV Journal on Electronics and Communications, vol. 6, no. 3-4, 2017. http://dx.doi.org/10.21553/rev-jec.123
  • Baldi, “Autoencoders, unsupervised learning, and deep architectures,” in Proceedings of ICML workshop on unsupervised and transfer learning, 2012: JMLR Workshop and Conference Proceedings, vol. 27, pp. 37-49. https://proceedings.mlr.press/v27/baldi12a.html.
  • Misra, S. Thakur, M. Ghosh, and S. K. Saha, “An autoencoder based model for detecting fraudulent credit card transaction,” Procedia Computer Science, vol. 167, pp. 254-262, 2020. https://doi.org/10.1016/j.procs.2020.03.219.
  • Zamini and G. Montazer, “Credit card fraud detection using autoencoder based clustering,” in 2018 9th International Symposium on Telecommunications (IST), Tehran, Iran, IEEE, 2018, pp. 486-491. https://doi.org/10.1109/ISTEL.2018.8661129.
  • Saha, “A comprehensive guide to convolutional neural networks—the ELI5 way,” Towards data science, vol. 15, 2018
  • Khan, H. Rahmani, S. A. A. Shah, and M. Bennamoun, A guide to convolutional neural networks for computer vision, Synthesis Lectures on Computer Vision, vol. 8, no. 1, pp. 1-207, 2018. https://doi.org/10.1007/978-3-031-01821-3
  • Samadzadeh and N. F. Ghohroud, “Evaluating Security Anomalies by Classifying Traffic Using Deep Learning,” 2023 9th International Conference on Web Research (ICWR), Tehran, Iran, 2023, pp. 135-141, https://doi.org/10.1109/ICWR57742.2023.10138963.