Network Traffic Anomaly Detection using Machine
Learning Approaches
Ashlesha Shetty Sohan Rai
CSE, SCEM CSE, SCEM
Mangalore, India Mangalore, India
Abstract—The rise of IoT technology and the surge in wireless
networking devices have triggered a significant uptick in network
attacks originating from diverse sources. Safeguarding networks
has become paramount, making Intrusion Detection Systems
(IDS) pivotal. These systems are geared to identify abnormal
behaviors or unauthorized usage, offering more intricate se-
curity measures than simple access control barriers. While
IDS functions at endpoint or network levels, the progression
to intrusion prevention systems allows real-time responses to
breaches. Detailed visibility into network traffic is essential for
an accurate IDS, enabling detection of internal threats and
access control breaches. Traditionally, IDS relied on rule and
signature-based approaches, effective in reducing false positives
but limited in detecting new attacks. The current landscape
demands a data-driven approach due to escalated connectivity
leading to a surge in attacks. This paper utilizes the KDD dataset
to train an unsupervised machine learning algorithm, Isolation
Forest, addressing the dataset’s imbalances and redundancies.
This model aims to detect outliers and potential attacks within
network traffic, evaluated through anomaly scores.
I. I NTRODUCTION
The proliferation of networking devices is exponential, espe-
cially within workplaces handling sensitive data communica-
tion. The surge in unknown attacks, originating both internally
and externally, underscores the critical need to ensure secure
network access for customers and users while safeguarding
against attacks. Intrusion Detection Systems (IDS) offer a key
strategy in thwarting digital attacks, functioning as a vital
component of system security. They scrutinize data traffic to
identify interruptions or anomalies, with this study focusing
on an anomaly-based IDS.
Anomaly detection systems presume abnormal behavior as
potentially malicious, employing machine learning models
trained to discern normal behavior and flag deviations as alerts.
This approach aligns well with addressing such challenges.
Although IDS have existed for decades, early models relying
on heuristics and thresholds managed false positives and
negatives but struggled with new attack detection.
Given the surge in wireless devices and cloud comput-
ing, the frequency of attacks has soared, necessitating a
shift toward data-driven strategies for companies. However,
machine learning-based approaches face challenges, such as
misidentifying normal instances as false positives, leading to
wastage of time and resources.
Sunil Kumar Vaishnavi D Rane
CSE, SCEM CSE, SCEM
Mangalore, India Mangalore, India
II. L ITERATURE S URVEY
A. Using Machine Learning to Analyze Network Traffic
Anomalies
Anastasia Khudoyarovaet. ed [1] studied the application of
machine learning methods, as well as spectral and statistical
methods for real time network traffic anomaly detection.
They determine the strengths and weaknesses of the existing
methods and compare them in terms of efficiency. They then
build a system of criteria to ensure the most efficient anomaly
detection while meeting the specified system performance and
resource consumption requirements.
B. Anomaly detection in Network Traffic Using Unsupervised
Machine learning Approach.
Aditya Vikram et.ed [2] used the KDD data set to train
the unsupervised machine learning algorithm called Isolation
Forest. The data set is highly imbalanced and contains various
attacks such as DOS, Probe, U2R, R2L. Since this data set
suffers from a redundancy of values and class imbalance,
the data preprocessing will be performed first and also used
unsupervised learning. For this network traffic based anomaly
detection model isolation forest was used to detect outliers and
probable attacks the results were evaluated using the anomaly
score.
C. Machine Learning Mechanisms for Network Anomaly De-
tection System.
Sweety Singh et. Ed [3] used a comparative study about
few machine learning methods in this article using NSL-KDD
dataset for the analysis purpose. Finally, the simulated results
have been compared by implementing of Na¨ıve Bayes classi-
fier (NB), Support Vector Machine (SVM) and Decision Tree
classifier on NSL-KDD dataset. Recursive Feature Elimination
(RFE) and Principal Component Analysis (PCA) have been
used for selecting the appropriate features among all features
present in the dataset to improve the accuracy and processing
speed of the IDS.
D. Anomaly Detection Method Based on Clustering Under-
sampling and Ensemble Learning
Wenming Huan et. Ed [4] have used , an undersampling
method based on clustering to process imbalanced data sets.
Set the number of clusters in normal flow samples to the
number of abnormal flow samples, and then use the cluster
center nearest neighbor sample points as retained sample
individuals to achieve the purpose of under-sampling. The
effective fusion of clustering undersampling and Adaboost
algorithm makes the algorithm pay more attention to samples
that are difficult to judge in the data set, and further improves
the effect of network traffic anomaly detection. K-RUSboost
algorithm is simulated in Moore data set and iscxvpn2016 data
set.
E. Data Analysis for Anomaly Detection to Secure Rail Net-
work
Huaqun Guo et. Ed [14] in focuses on data analysis for
anomaly detection with Wireshark and packet analysis system.
An alert function is also developed to provide an alert when
abnormality happens. Rail network traffic data have been cap-
tured and analyzed so that their network features are obtained
and used to detect the abnormality. To improve efficiency, a
packet analysis system is introduced to receive the network
flow and analyze data automatically. The provision of two
detection methods, i.e., the Wireshark detection and the packet
analysis system together with the alert function will facilitate
the timely detection of abnormality and triggering of alert in
the rail network.
III. DESIGN METHODOLOGY AND
IMPLEMENTATION
Fig. 1. Figure 2
The block diagram depicted in Figure 2 intricately illustrates
the mechanics of anomaly detection through the application
of Isolation Forest algorithms.In the realm of unsupervised
anomaly detection, these algorithms employ a distinctive ap-
proach—constructing random forests and subsequently scru-
tinizing the average depth required to isolate individual data
points. A nuanced array of parameters is strategically utilized
in the construction and instantiation of the Isolation Forest
model. Among these parameters, the contamination parameter
assumes a pivotal role, exercising control over the decision
function’s threshold in determining when a scored data point
should be deemed an outlier.
The temporal complexity of the Isolation Forest is a note-
worthy characteristic, quantified as O(number of samples *
n-estimators * log(sample size)). This linear time complexity
renders the Isolation Forest remarkably efficient, rendering
it particularly well-suited for real-time anomaly detection
applications.
In the instantiation of the Isolation Forest object, specific
parameters play a pivotal role. Notably, n-estimators governs
the number of trees or base estimators to be erected for
estimation and outlier detection, while max-sample dictates
the quantity of training data points sampled for the analysis
of each tree. The contamination-param assumes significance
as it represents the proportion of outliers within the dataset,
thereby influencing the threshold for identifying anomalous
data points. In the context of the current implementation, a
contamination factor of 1
Evaluation metrics are paramount in gauging the efficacy
and robustness of the Isolation Forest model. In this imple-
mentation, the anomaly score and AUC score were deemed
as pivotal metrics, providing a lucid indication of the model’s
performance. The ensuing flowchart, delineated in Figure 3,
serves as a comprehensive visual guide to the process of outlier
detection.
Fig. 2. Figure 3
Training models necessitated a meticulous division between
training and test data, a practice conducive to enhancing
algorithmic performance. Given the unsupervised nature of the
Isolation Forest, obviating the need for target labels during
training, a judicious analysis of various arguments was un-
dertaken to initialize the Isolation Forest model appropriately.
Remarkably, the Isolation Forest stands out in the realm of
anomaly detection due to its celerity when juxtaposed with
alternative algorithms, reinforcing its stature as an efficacious
and expeditious solution.
IV. PROPOSED SYSTEM
Proposing an advanced system to elevate the existing
machine-learning model for anomaly detection in network
security involves a comprehensive and intricate strategy. Build-
ing on the strong foundation laid by the current model,
characterized by an impressive AUC score and carefully tuned
parameters, the proposed enhancements aim to fortify the
system’s capabilities in addressing the ever-evolving landscape
of cybersecurity threats.
Firstly, the system will implement dynamic parameter op-
timization mechanisms, allowing the model to adapt in real-
time to shifting network conditions. This entails automating
the tuning of critical parameters, such as ”n-estimators” and
”contamination,” based on the dynamic characteristics of in-
coming data streams.
Ensemble techniques will be explored to complement the
existing model’s predictive prowess. By combining multiple
anomaly detection algorithms or models, the system seeks to
provide a more nuanced and robust approach to identifying
and mitigating diverse threats.
Feature engineering will be a key focus, delving deeper
into network traffic patterns to extract more relevant and
discriminative features. This comprehensive analysis aims to
uncover new indicators of anomalous behavior, enhancing
the model’s ability to discern subtle deviations from normal
network activity.
Real-time learning capabilities will be integrated into the
system to facilitate continuous model updates. This adaptive
learning approach ensures that the model stays attuned to
emerging threats without the need for periodic and resource-
intensive retraining sessions.
Additionally, the proposed system will incorporate external
threat intelligence feeds, providing valuable context to the
anomaly detection process. This integration enhances the sys-
tem’s understanding of potential threats, enabling it to make
more informed decisions and reducing false positive rates.
Addressing scalability challenges is paramount, and the
system will be optimized to handle larger datasets and in-
creased traffic volumes. This may involve the implementation
of parallel processing, distributed computing, or the utilization
of cloud resources to ensure efficient scaling.
A user-friendly interface will be developed, featuring visu-
alization tools and real-time dashboards tailored for security
analysts. This intuitive interface empowers analysts to interpret
and act upon the system’s insights swiftly and effectively.
The proposed system will establish a continuous evaluation
process, incorporating feedback loops from security analysts.
This iterative approach ensures ongoing refinement and opti-
mization based on real-world insights, enhancing the system’s
adaptability and effectiveness.
Furthermore, strict adherence to security and privacy com-
pliance standards will be prioritized, encompassing robust
encryption, stringent access controls, and alignment with reg-
ulatory frameworks such as GDPR.
Comprehensive documentation, coupled with training ini-
tiatives for security personnel, will ensure the successful
deployment and management of the enhanced anomaly de-
tection system. A well-informed and trained team is crucial
for leveraging the system’s full potential and navigating the
complex landscape of network security challenges. In sum-
mary, the proposed system integrates dynamic adaptability,
ensemble techniques, advanced feature engineering, and real-
time learning to create a sophisticated, responsive, and user-
friendly anomaly detection system tailored to the evolving
nature of network security threats.
V. CONCLUSION
In response to the inherent challenges posed by highly
imbalanced data, a meticulous endeavor led to the construction
of an unsupervised machine-learning model. The resulting
AUC score, a formidable 98.3
This model takes shape within the context of a dynamic
cybersecurity landscape, characterized by a burgeoning array
of sophisticated network attacks. Recognizing the imperative
of real-time threat detection, organizations are investing in the
development of highly efficient Intrusion Detection Systems
(IDS). Anomaly detection emerges as a beacon of promise
in this endeavor, leveraging its efficiency in training and
its capacity to minimize false positives and false negatives,
thereby offering a nuanced approach to threat identification.
The implementation process not only yielded commendable
results but also provided valuable insights into opportunities
for refining the anomaly detection process. Experimentation
with diverse parameter values emerged as a key strategy for
optimizing model performance. Moreover, a notable revelation
was the significant impact of dataset quality on outcomes. A
more comprehensive and clean dataset consistently correlated
with improved anomaly detection results, underscoring the
symbiotic relationship between data quality and model effi-
cacy.
Within this evolving landscape, the contamination parame-
ter’s pivotal role becomes even more pronounced, influencing
the model’s ability to accurately identify the proportion of
anomalies. It serves as a critical lever for fine-tuning the
model’s performance, emphasizing the importance of param-
eter tuning in anomaly detection frameworks.
However, it is crucial to acknowledge the relatively nascent
status of machine learning and deep learning applications in
the network security domain. Challenges, particularly related
to scalability and efficiency, persist as the field continues to
mature. Ongoing efforts are dedicated to addressing these
challenges, reflecting a commitment to refining and optimizing
the application of these advanced technologies in fortifying
network security infrastructures.
R EFERENCES
[1] [1] Khudoyarova, Anastasia, Mikhail Burlakov, and Mikhail
Kupriyashin. ”Using Machine Learning to Analyze Network Traffic
Anomalies.” In 2021 IEEE Conference of Russian Young Researchers
in Electrical and Electronic Engineering (ElConRus), pp. 2344-2348.
IEEE, 2021.
[2] [2] Vikram, Aditya. ”Anomaly detection in network traffic using unsu-
pervised machine learning approach.” In 2020 5th International Confer-
ence on Communication and Electronics Systems (ICCES), pp. 476-479.
IEEE, 2020.
[3] [3] Singh, Sweety, and Subhasish Banerjee. ”Machine learning mech-
anisms for network anomaly detection system: A review.” In 2020
International Conference on Communication and Signal Processing
(ICCSP), pp. 0976-0980. IEEE, 2020.
[4] [4] Huan, Wenming, Haitao Lin, Haixue Li, Yan Zhou, and Yiming
Wang. ”Anomaly detection method based on clustering undersampling
and ensemble learning.” In 2020 IEEE 5th Information Technology and
Mechatronics Engineering Conference (ITOEC), pp. 980-984. IEEE,
2020.
[5] [5] Guo, Huaqun, Xiaoyi Shen, Wang Ling Goh, and Luying Zhou.
”Data Analysis for Anomaly Detection to Secure Rail Network.” In 2018
International Conference on Intelligent Rail Transportation (ICIRT), pp.
1-5. IEEE, 2018.