IEEE TRANSACTIONS ON NETWORK AND SERVICE MANAGEMENT, VOL. 20, NO.
2, JUNE 2023
ARCADE: Adversarially Regularized Convolutional
Autoencoder for Network Anomaly Detection
Willian Tessaro Lunardi , Member, IEEE, Martin Andreoni Lopez , Member, IEEE, and Jean-Pierre Giacalone
Abstract—As the number of heterogenous IP-connected devices
and traffic volume increase, so does the potential for security
breaches. The undetected exploitation of these breaches can
bring severe cybersecurity and privacy risks. Anomaly-based
Intrusion Detection Systems (IDSs) play an essential role in
network security. In this paper, we present a practical unsu-
pervised anomaly-based deep learning detection system called
ARCADE (Adversarially Regularized Convolutional Autoencoder
for unsupervised network anomaly DEtection). With a convolu-
tional Autoencoder (AE), ARCADE automatically builds a profile
of the normal traffic using a subset of raw bytes of a few initial
packets of network flows so that potential network anomalies and
intrusions can be efficiently detected before they cause more dam-
age to the network. ARCADE is trained exclusively on normal
traffic. An adversarial training strategy is proposed to regular-
ize and decrease the AE’s capabilities to reconstruct network
flows that are out-of-the-normal distribution, thereby improv-
ing its anomaly detection capabilities. The proposed approach
is more effective than state-of-the-art deep learning approaches
for network anomaly detection. Even when examining only two
initial packets of a network flow, ARCADE can effectively detect
malware infection and network attacks. ARCADE presents 20
times fewer parameters than baselines, achieving significantly
faster detection speed and reaction time.
Index Terms—Unsupervised anomaly detection, autoencoder,
generative adversarial networks, automatic feature extraction,
deep learning, cybersecurity.
I. I NTRODUCTION
HE PROLIFERATION of IP-connected devices is sky-
T rocketing and is predicted to surpass three times the
world’s population by 2023 [1]. As the number of con-
nected devices increases and 5G technologies become more
ubiquitous and efficient, network traffic volume will follow
suit. This accelerated growth raises overwhelming security
concerns due to the exchange of vast amounts of sensi-
tive information through resource-constrained devices and
over untrusted heterogeneous technologies and communica-
tion protocols. Advanced security controls and analysis must
be applied to maintain a sustainable, reliable, and secure
cyberspace. IDSs play an essential role in network security,
allowing for detecting and responding to potential intrusions
Manuscript received 30 April 2022; revised 19 November 2022 and
25 November 2022; accepted 13 December 2022. Date of publication
16 December 2022; date of current version 6 July 2023. The associate editor
coordinating the review of this article and approving it for publication was
K. El-Khatib. (Corresponding author: Willian Tessaro Lunardi.)
The authors are with the Secure System Research Center, Technology
and Innovation Institute, Abu Dhabi, UAE (e-mail: [email protected];
[email protected]; [email protected]).
Digital Object Identifier 10.1109/TNSM.2022.3229706
1932-4537 
c 2022 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission.
See https://www.ieee.org/publications/rights/index.html for more information.
Authorized licensed use limited to: Northeastern University. Downloaded on August 11,2023 at 09:08:50 UTC from IEEE Xplore. Restrictions apply.
1305
and suspicious activities by monitoring network traffic. IDSs
can be implemented as signature-based, anomaly-based, or
hybrid. Signature-based IDSs detect intrusions by comparing
monitored behaviors with pre-defined intrusion patterns, while
anomaly-based IDSs focus on knowing normal behavior to
identify any deviation [2].
The vast majority of existing network IDSs are based on
the assumption that traffic signatures from known attacks can
be gathered so that new traffic can be compared to these sig-
natures for detection. Despite high detection capabilities for
known attacks, signature-based approaches cannot detect novel
attacks since they can only detect attacks for which a signature
was previously created. Regular database maintenance cycles
must be performed to add novel signatures for threats as they
are discovered. Acquiring labeled malicious samples, however,
can be extremely difficult or impossible to obtain. The defini-
tion of signature-based IDSs, or any other supervised approach
for the task, becomes even more challenging when the known
class imbalance problem is faced while dealing with public
network traffic datasets is considered. Network traffic datasets
are known for being highly imbalanced towards examples of
normality (non-anomalous/non-malicious) [3] while lacking in
examples of abnormality (anomalous/malicious) and offering
only partial coverage of all possibilities can encompass this
latter class [4].
In contrast, anomaly-based IDSs relies on building a pro-
file of the normal traffic. These systems attempt to estimate
the expected behavior of the network to be protected and gen-
erate anomaly alerts whenever a divergence between a given
observation and the known normality distribution exceeds a
pre-defined threshold. Anomaly-based IDSs do not require
a recurrent update of databases to detect novel attack vari-
ants, and their main drawback usually is the False Alarm Rate
(FAR), as it is challenging to find the boundary between the
normal and abnormal profiles. These approaches have gained
popularity in recent years due to the explosion of attack vari-
ants [5], [6], which relates to their ability to detect previously
unknown or zero-day threats. Additionally, they do not suf-
fer from the dataset imbalance problem since it only requires
normal traffic during training.
Deep Learning (DL) has emerged as a game-changer to help
automatically build network profiles through feature learning.
It can effectively learn structured and complex non-linear traf-
fic feature representations directly from the raw bytes of a
large volume of normal data. Based on a well-represented
traffic profile, it is expected that the system’s capabilities for
isolating anomalies from the normal traffic will increase while
1306 IEEE TRANSACTIONS ON NETWORK AND SERVICE MANAGEMENT, VOL. 20, NO. 2, JUNE 2023
decreasing the FAR. However, the naive adoption of DL may
lead to misleading design choices and the introduction of sev-
eral drawbacks, such as slow detection and reaction time. In
addition to carefully defining the model’s architecture, training
artifices could be exploited to improve the method’s effec-
tiveness without degrading the efficiency due to the increased
number of parameters and model size.
In this paper, we propose ARCADE, an unsupervised DL
approach for network anomaly detection that automatically
builds a profile of the normal traffic (training exclusively
on the normal traffic) using a subset of bytes of a few ini-
tial packets of network traffic flow as input data. It allows
early attack detection preventing any further damage to the
network security while mitigating any unforeseen downtime
and interruption. The network traffic can be originated from
real-time packet sniffing over a network interface card or from
a .pcap file. The proposed approach combines two deep
neural networks during training: (i) an AE trained to encode
and decode (reconstruct) normal traffic; (ii) a critic trained
to provide high score values for real normal traffic samples,
and low scores values for their reconstructions. An adversarial
training strategy is settled where the critic’s knowledge regard-
ing the normal traffic distribution is used to regularize the
AE, decreasing its potential to reconstruct anomalies, address-
ing the known generalization problem [7], [8], [9], where (in
some scenarios) anomalies are reconstructed as well as normal
samples. During detection, the error between the input traffic
sample and its reconstruction is used as an anomaly score, i.e.,
traffic samples with high reconstruction error are considered
more likely to be anomalous. The significant contributions of
this paper are summarized as follows:
• An unsupervised DL-based approach for early anomaly
detection that automatically builds the network traffic pro-
file based on the raw packet bytes of network flows of
the normal traffic. It can detect (novel) network anomalies
given a few initial packets of network flows, allowing it
to prevent network attacks before they could cause further
damage.
• A Wasserstein Generative Adversarial Networks with
Gradient Penality (WGAN-GP) adversarial training to
regularize AEs, decrease its generalization capabili-
ties towards out-of-the-normal distribution samples, and
improve its anomaly detection capabilities.
• A compact convolutional AE model inspired by Deep
Convolutional GAN (DCGAN) [10]. The model presents
higher accuracy, faster reaction time, 20 times fewer
parameters than baselines.
• An extensive validation of ARCADE conducted on sev-
eral network traffic datasets to assess its capabilities in
detecting anomalous traffic of several types of malware
and attacks.
The remainder of the paper is laid out as follows: Section II
provides the necessary background for Generative Adversarial
Networkss (GANs). Section III reviews and discusses previous
relevant works in the field of DL for anomaly detection and
network anomaly detection. Section IV describes the proposed
network flows preprocessing pipeline, model architecture, loss
functions, and adversarial training strategy. Section V presents
the ablation studies and experimental analysis and comparison
Authorized licensed use limited to: Northeastern University. Downloaded on August 11,2023 at 09:08:50 UTC from IEEE Xplore. Restrictions apply.
of ARCADE’s effectiveness and complexity with respect to the
considered baselines. Finally, Section VI concludes this paper.
II. BACKGROUND
A. Generative Adversarial Networks
The GANs [11] framework establishes a min-max adversar-
ial game between a generative model G and a discriminative
model D. The discriminator D(x) computes the probability that
a point x in data space is a sample from the data distribution
rather than a sample from our generative model. The gen-
erator G(z) maps samples z from the prior p(z) to the data
space. G(z) is trained to maximally confuse the discrimina-
tor into believing that the samples it generates come from the
data distribution. The process is iterated, leading to the famous
minimax game [11] between generator G and discriminator D
   
min max E log D(x) + E log 1 − D(x̃) , (1)
G D x ∼Pr x̃ ∼Pg
where Pr is the data distribution and Pg is the model distri-
bution implicitly defined by x̃ = G(z), where z ∼ p(z) is the
noise drawn from an arbitrary prior distribution.
Suppose the discriminator is trained to optimality before
each generator parameter update. In that case, minimiz-
ing the value function amounts to minimizing the Jensen-
Shannon divergence (JSD) between Pr and Pg [11], but doing
so often leads to vanishing gradients as the discriminator
saturates [12], [13].
B. Wasserstein Generative Adversarial Networks
To overcome the undesirable JSD behavior,
Arjovsky et al. [12] proposed Wasserstein Generative
Adversarial Networks (WGAN) that leverages Wasserstein
distance W(q, p) to produce a value function that has better
theoretical properties than the original. They modified the
discriminator to emit an unconstrained real number (score)
rather than a probability. In this context, the discriminator is
now called a critic. The min-max WGAN training objective
is given by
   
min max E C (x) − E C (x̃) . (2)
G C x∼Pr x̃∼Pg
When the critic C is Lipschitz smooth, this approach approx-
imately minimizes the Wasserstein-1 distance W (Pr , Pg ). To
enforce Lipschitz smoothness, the weights of C are clipped
to lie within a compact space [−c, c]. However, as described
in [12], weight clipping is a terrible approach to enforcing the
Lipschitz constraint.
Gulrajaniet al. [13] proposed an alternative approach where
a soft version of the constraint is enforced with a penalty on the
gradient norm for random samples x̂ ∼ Px̂ . When considering
the WGAN-GP proposed in [13], the critic’s loss is given by
   
E C (x) − E C (x̃) + λC LGP , (3)
x∼Pr x̃∼Pg
where λC is the penalty coefficient, and
 
LGP = E (∇x̂ C (x̂)2 − 1)2 , (4)
x̂∼Px̂
where Px̂ is the distribution defined by the following sampling
process: x ∼ Pr , x̃ ∼ Pg , α ∼ U (0, 1), and x̂ = αx+(1−α)x̃.
TESSARO LUNARDI et al.: ARCADE
III. R ELATED W ORK
Herein, we discuss the relevant works employing DL for
anomaly detection. We first present DL anomaly detection
approaches that have emerged as leading methodologies in
the field of image and video. Then, we comprehensively ana-
lyze these novel DL methods and their potential application
to network anomaly detection. We categorize unsupervised
anomaly detection methods into generative models or pre-
trained networks, introduced in Sections III-A and III-B,
respectively. Finally, Section III-C presents the DL-related
works for network traffic classification and baselines for
unsupervised anomaly detection.
A. Generative-Based Anomaly Detection
Generative models, such as AEs [6], [23] and GANs [11],
[12], [13], can generate samples from the manifold of the train-
ing data. Anomaly detection approaches using these models
are based on the idea that anomalies cannot be generated since
they do not exist in the training set.
AEs are neural networks that attempt to learn the iden-
tity function while having an intermediate representation of
reduced dimension (or some sparsity regularization) serving as
a bottleneck to induce the network to extract salient features
from some dataset. These approaches aim to learn some low-
dimensional feature representation space on which normal data
instances can be well reconstructed. The heuristic for using
these techniques in anomaly detection is that, since the model
is trained only on normal data, normal instances are expected
to be better reconstructed from the latent space than anomalies.
Thus, the distance between the input data and its reconstruc-
tion can be used as an anomaly score. Although AEs have been
successfully applied across many anomaly detection tasks, in
some cases, they fail due to their strong generalization capa-
bilities [7], i.e., sometimes anomalies can be reconstructed as
well as normal samples. Bergmann et al. [23] shows that AEs
using the Structural Similarity Index Measure (SSIM) [24]
can outperform complex architectures that rely on a per-pixel
value 2 -loss. Gong et al. [8] tackle the generalization problem
by employing memory modules which can be seen as a dis-
cretized latent space. Zhai et al. [9] connect regularized AEs
with energy-based models to model the data distribution and
classify samples with high energy as an anomaly.
GAN-based approaches assume that only positive samples
can be generated. These approaches generally aim to learn
a latent feature space of a generative network so that the
latent space well captures the normality underlying the given
data [25]. Some residual between the real and generated
instances is then defined as an anomaly score. One of the early
GAN-based methods for anomaly detection is AnoGAN [26].
The fundamental intuition is that given any data instance x; it
aims to search for an instance z in the learned latent features
space of the generative network G so that the correspond-
ing generated instance G(z) and x are as similar as possible.
Since the latent space is enforced to capture the underly-
ing distribution of training data, anomalies are expected to
be less likely to have highly similar generated counterparts
than normal instances. One main issue with AnoGAN is
Authorized licensed use limited to: Northeastern University. Downloaded on August 11,2023 at 09:08:50 UTC from IEEE Xplore. Restrictions apply.
1307
the computational inefficiency, which can be addressed by
adding an extra network that learns the mapping from data
instances onto latent space, i.e., an inverse of the genera-
tor, resulting in methods like EBGAN [27]. Akcay et al. [28]
proposed GANomaly that further improves the generator over
the previous works by changing the generator to an encoder-
decoder-encoder network. The AE is trained to minimize a
per-pixel value loss, whereas the second encoder is trained to
reconstruct the latent codes produced by the first encoder. The
latent reconstruction error is used as an anomaly score.
The idea behind AEs is straightforward and can be defined
under different Artificial Neural Network (ANN) architectures.
Several authors have already investigated the applicability of
AEs for network anomaly detection [5], [6]. However, its naive
adoption can lead to unsatisfactory performance due to its vul-
nerability to noise in the training data and its generalization
capabilities. We propose an adversarial regularization strat-
egy with a carefully designed and compact AE parameterized
by 1D-Convolutional Neural Network (CNN). The adversar-
ial training is employed to deal with the aforementioned AE’s
weaknesses. Similarly to GANomaly, our approach employs
an adversarial penalty term to the AE to enforce it to pro-
duce normal-like samples. Therefore, we also consider the
GANomaly framework as a baseline and compare it with the
proposed ARCADE for network anomaly detection.
B. Pretrained-Based Anomaly Detection
Pretrained-based anomaly detection methods use mod-
els trained on large datasets, such as ImageNet, to extract
features [29]. These pre-trained models produce separable
semantic embeddings and, as a result, enable the detec-
tion of anomalies by using simple scoring methods such as
k-Nearest Neighbor (k-NN) or Gaussian Mixture Models [30].
Surprisingly, the embeddings produced by these algorithms
lead to good results even on datasets that are drastically dif-
ferent from the pretraining ones. Recently, [31] showed that
using a k-Nearest Neighbor for anomaly detection as a scor-
ing method on the extracted features of a pre-trained ResNet
model trained on the ImageNet produces highly effective and
general anomaly detection methods on images. That alone sur-
passed almost all unsupervised and self-supervised methods.
In [32], it is shown that fine-tuning the model using either
center loss or contrasting learning leads to even better results.
The application of those methods for network anomaly
detection is challenging primarily due to the detection’s com-
plexity related to the additional required scoring step. Even
with a compact model, such as the proposed in Section IV-B
with 184k parameters, or the EfficientNet B0 with 5.3M
parameters, the requirement for a post-processing scoring pro-
cedure makes it unsuitable for online detection, e.g., after
forwarding the sample through the model for feature extrac-
tion, computing the anomaly score for a given sample’s feature
vector with k-Nearest Neighbor as the scoring method (as
proposed in [31]), implies O(nl) time complexity, where n is
the number of training samples, and l is the length of the
feature vectors. These techniques appear unexplored and may
stand out for offline network anomaly detection.
1308 IEEE TRANSACTIONS ON NETWORK AND SERVICE MANAGEMENT, VOL. 20, NO. 2, JUNE 2023

TABLE I
D EEP L EARNING R ELATED W ORKS FOR N ETWORK I NTRUSION D ETECTION . F OR W ORKS T HAT U SED R AW N ETWORK T RAFFIC AS I NPUT,
W HEN S PECIFIED , W E P RESENT THE N UMBER OF PACKETS ( N ) AND B YTES ( L ) U SED AS I NPUT

TABLE II
ISCX-IDS DATASET

TABLE III
USTC-TFC DATASET

C. Deep Learning for Network Traffic Classification
Several works have studied DL network traffic classifi-
cation under the supervised setting. Few works also have
studied adversarial training strategies for network traffic clas-
sification based on hand-designed features. Nonetheless, fea-
ture learning-based unsupervised network anomaly detection
with adversarial training appears currently unexplored. Table I
summarizes our related works, which are categorized into:
(i) Unsupervised anomaly detection (UD) when only nor-
mal traffic is considered at the training stage. (ii) Adversarial
Training (AT) when GAN-based strategies are applied dur-
ing training. (iii) Raw Traffic (RT) when the input is the raw
network traffic. When RT is considered, the considered pro-
tocol layers, the number of initial bytes l, and the number of
packets n are presented.
Most deep learning-based traffic classification and anomaly
detection approaches rely on feature engineering. We highlight
a few works in which adversarial training or unsupervised
anomaly detection was addressed and which rely on hand-
designed features. Vu et al. [14] proposed the use of a GANs
for dealing with the imbalanced data problem in network traffic
classification. The synthetic samples are generated to aug-
ment the training dataset. The sample’s generation, as well
as the classification, is done based on 22 statistical features
extracted from network flows. Truong-Huu et al. [5] studied
the capability of a GAN for unsupervised network anomaly
detection where 39 hand-designed features extracted from traf-
fic flows and sessions are used as input. Results show that
their proposed approach managed to obtain better results when
compared to the autoencoder without any enhanced adver-
sarial training. Doriguzzi-Corin et al. [15] proposed a spatial
representation that enables a convolutional neural network to
learn the correlation between 11 packet’s features to detect
Distributed Denial of Service (DDoS) traffic.

Authorized licensed use limited to: Northeastern University. Downloaded on August 11,2023 at 09:08:50 UTC from IEEE Xplore. Restrictions apply.
TESSARO LUNARDI et al.: ARCADE
Fig. 1. Visualization of network flows from four distinct traffic classes of
the USTC-TFC dataset. In this instance, 784 initial bytes of nine network
flows (of four traffic classes) were reshaped into 28 × 28 grayscale images.
(a) FTP. (b) Geodo. (c) Htbot. (d) World of Warcraft.
Network traffic feature learning is predominantly performed
through ANN architectures like 1D-CNN, 2D-CNN, and Long
Short-Term Memory (LSTM). Extracted bytes from network
traffic flows (or packets) are kept sequential for the 1D-
CNN and LSTM case, whereas for the 2D-CNNs, extracted
bytes are seen as pixels of grayscale images, as illustrated in
Figure 1. Wang et al. [16] proposed an approach that relies
on the advantages of both 2D-CNNs and LSTMs to extract
spatial-temporal features of network traffic. Results show that
accuracy is improved when both architectures are combined.
Wang et al. [17] proposed a supervised DL approach for
malware traffic classification that uses 2D-CNNs to extract
spatial features from headers and payloads of network flows
and sessions. Two different choices of raw traffic images
(named “ALL” and “L7”) dependent on the protocol layers
considered to extract the input data are used to feed the
classifier, showing that sessions with “ALL” are the most
informative and reach elevate performance for all the metrics
considered. Yu et al. [18] proposed a self-supervised learning
2D-CNN Stacked Autoencoder (SAE) for feature extraction,
which is evaluated through different classification tasks with
malware traffic data. Wang et al. [19] have shown that 1D-
CNN outperforms 2D-CNN for encrypted traffic classification.
Aceto et al. [20] performed an in-depth comparison on the
application of Multilayer Perceptron (MLP), 1D-CNN, 2D-
CNN, and LSTM architectures for encrypted mobile traffic
classification. Numerical results indicated that 1D-CNN is a
more appropriate choice for network traffic classification since
it can better capture spatial dependencies between adjacent
bytes in the network packets due to the nature of the input data
that is, by definition, one-dimensional. Lotfollahi et al. [21]
used 1D-CNN to automatically extract network traffic features
and identify encrypted traffic to distinguish Virtual Private
Network (VPN) and non-VPN traffic. Ahmad et al. [22]
employed 1D-CNN-based classifier for early detection of
network attacks. It is shown that a high degree of accuracy
can be achieved by analyzing 1 to 3 packets.
The works mentioned above perform the task of traf-
fic classification or anomaly detection based on labeled
datasets. Recently, [6] proposed an “unsupervised” approach
for anomaly detection, so-called D-PACK, in which only nor-
mal traffic is used during training. The model architecture is
composed of 1D-CNN that performs feature extraction, fol-
lowed by MLP softmax classifier given a labeled dataset of
normal traffic, i.e., they assume the normal traffic is labeled
into multiple classes (that is the reason why its respective
Authorized licensed use limited to: Northeastern University. Downloaded on August 11,2023 at 09:08:50 UTC from IEEE Xplore. Restrictions apply.
1309
UD bullet is partially filled in Table I). The extracted fea-
tures from an intermediate layer of the MLP are used as the
input for a MLP-based AE. The anomaly score is based on a
2 -distance between the extracted features and the AE recon-
struction. Results indicate that normal and malware traffic,
such as the Mirai Botnet, can be effectively separated even
when only two packets are used for detection. We implemented
and included D-PACK in our experiments as a baseline model.
IV. M ETHODOLOGY
In this section, we present our so-called “ARCADE”
proposed approach. The network flow preprocessing proce-
dure is presented in Section IV-A. The model’s architec-
ture is presented in Section IV-B. The AE distance metrics
and adversarial training are presented in Section IV-C and
Section IV-D, respectively. Finally, the anomaly score calcu-
lation is presented in Section IV-E.
A. Network Traffic Flow Preprocessing
Network traffic classification or anomaly detection can be
performed at different granularity units, e.g., packet, flow, and
session. It is worth noting that most of the works shown
in Table I considered either flows or sessions as the rele-
vant classification objects. A network flow is a unidirectional
sequence of packets with the same 5-tuple (source IP, source
port, destination IP, destination port, and transport-level pro-
tocol) exchanged between two endpoints. A session is defined
as a bidirectional flow, including both directions of traffic.
We increment the aforementioned flow definition by consid-
ering that a network flow is to be terminated or inactivated
when the flow has not received a new packet within a spe-
cific flow timeout (e.g., 120 seconds). When the underlying
network protocol is TCP, we consider the network connection
closed (and the corresponding flow completed) upon detect-
ing the first flow packet containing a FIN flag. Note that, in
the case of TCP sessions, a network connection is considered
closed when both sides have sent a FIN packet. Upon the
termination of a network flow, unprocessed buffered packets
should be discarded.
It is well known that the initial packets of each network flow
contain the most information that allows for the discrimina-
tion between normal and abnormal activities [6], [20], [22],
depicting the fundamental concept behind early detection
approaches, which conduct the detection given a small num-
ber of initial packets of a flow. The smaller the number of
packets required as input for the anomaly detection procedure,
the lower the reaction time and overhead imposed by the DL
method. Instead of analyzing every packet of a network flow
on a time window, we use the n initial packets of a network
flow as input. In this sense, n denotes the exact number of
initial packets of a network flow required to form the input
for ARCADE. For each active flow, n packets are buffered
and trimmed into a fixed length of 100 bytes, starting with
the header fields, i.e., packets are truncated to 100 bytes if
larger, otherwise, padded with zeros. Packets are cleaned such
that MAC and IP addresses are anonymized. Finally, bytes
are normalized in [0, 1] and packets concatenated into the
1310 IEEE TRANSACTIONS ON NETWORK AND SERVICE MANAGEMENT, VOL. 20, NO. 2, JUNE 2023
Fig. 2. An illustration of the proposed network traffic preprocessing pipeline
with n = 2. Packets with the same color represent network flows. Traffic can
be originated from a real-time packet sniffing or a .pcap file. Packets are
filtered according to their 5-tuple, and n initial packets are buffered. MAC and
IP addresses are masked, and according to their length, packets are truncated
(if larger than l) or padded with zeros (if smaller than l). Finally, bytes are
normalized, and packets are concatenated. Traffic preemption is not required.
Fig. 3. An illustration of the proposed model architecture. Note that
ARCADE is parametrized by 1D CNNs, as described in Section IV-B.
final input form, i.e., a sample x can be denoted as x ∈ Rw
where w = 100n is the sequence length. Figure 2 illustrates
the essential steps of the proposed network traffic flow prepro-
cessing pipeline. Note that traffic preemption is not required.
However, it is crucial to consider the reaction time, which
relates to the processing power capabilities of the device in
which the ARCADE will run. The analysis of the complexity
and detection speed of ARCADE given different devices is
provided in Section V-E.
B. Model Architecture
Several recent papers focus on improving training stability
and the resulting quality of GAN samples [10], [12], [13]. Our
proposed model is inspired by DCGAN [10], who introduce a
convolutional generator network by removing fully connected
layers and using convolutional layers and batch-normalization
throughout the network. Strided convolutions replace pool-
ing layers. This results in a more robust model with higher
sample quality while reducing the model size and number
of parameters to learn. Our proposed architecture shown in
Figure 3 consists of two main components: (i) the AE (which
can be seen as the generator) composed of an encoder E and
a decoder D, and (ii) the critic C. Given the findinds in [20],
our functions E, D and C are parameterized by 1D-CNNs.
Note that ARCADE can be easily modified to be used as an
anomaly detection method for other anomaly detection tasks,
such as image or time series anomaly detection. Moreover, the
proposed adversarial regularization strategy can be applied to
any AE, independent of its ANN architecture.
The AE consists of an encoder function E : Rw → Rd
and a decoder function D : Rd → Rw , where d denotes the
dimensionality of the latent space. The overall encoding and
Authorized licensed use limited to: Northeastern University. Downloaded on August 11,2023 at 09:08:50 UTC from IEEE Xplore. Restrictions apply.
decoding process can be summarized as
 
x̃ = D E (x) = G(x), (5)
where x̃ is the reconstruction of the input. The encoder
uses strided convolutions to down-sample the input, fol-
lowed by batch normalization and Leaky Rectified Linear Unit
(Leaky ReLU). Differently from a deterministic pooling oper-
ation, strided convolutions allow the model to learn its own
downsampling/upsampling strategy. The decoder uses strided
transpose convolutions to up-sample the latent space, followed
by Rectified Linear Unit (ReLU) and batch normalization. The
critic function C : Rw → R, whose objective is to pro-
vide a score to the input x and the reconstruction x̃, has
a similar architecture to the encoder E. It also uses strided
convolutions to down-sample the input and Leaky ReLU; how-
ever, following [13], we use layer normalization instead of
batch normalization. The number of layers and filter size were
defined so that ARCADE could effectively detect anoma-
lies and still provide quick reaction time. Table X precisely
presents the proposed model architecture.
C. Autoencoder Distance Metric
The core idea behind ARCADE is that the model must
learn the normal traffic distribution to reconstruct it correctly.
The hypothesis is that the model is conversely expected to
fail to reconstruct attacks and malware traffic as it is never
trained on such abnormal situations. A loss function must be
defined to train an AE to reconstruct its input. For simplicity,
a per-value L2 loss is typically used between the input x and
reconstruction x̃, and can be expressed as

w
 2
L2 (x, x̃) = xi − x̃i , (6)
i=1
where xi is the i-th value in the sequence. During the evalu-
ation phase, the per-value 2 -distance of x and x̃ is computed
to obtain the residual map.
As demonstrated by [23], AEs that make use of L2 loss may
fail in some scenarios to detect structural differences between
the input and their reconstruction. Adapting the loss and
evaluation functions to the SSIM [24] that capture local inter-
dependencies between the input and reconstruction regions can
improve the AE‘s anomaly detection capabilities. This is also
verified in this work, as demonstrated in Section V. The SSIM
index defines a distance measure between two K × K patches
p and q is given by
  
2μp μq + c1 2σpq + c2
SSIM(p, q) =  2  , (7)
μp + μ2q + c1 σq2 + σq2 + c2
where μp and μq are the patches’ mean intensity, σp2 and σq2
are the variances, and σpq the covariance. The constants c1 and
c2 ensure numerical stability and are typically set to c1 = 0.01
and c2 = 0.03.
The SSIM is commonly used to measure the similarity
between images, performed by sliding a K × K window that
moves pixel-by-pixel. Since in our case x is a sequence, we
split it into n subsequences of length l, i.e., each subsequence
 
xi = xj ∈ [0, 1] : j ∈ {1 + (i − 1)l , . . . , il } ,
TESSARO LUNARDI et al.: ARCADE
Fig. 4. An illustration of the advantages of the SSIM over L2 for the
segmentation of the discrepancies between a subset of bytes of a packet and
their respective reconstructions.
where i ∈ {1, 2, . . . , n} and l = 100 can be seen as the
subset of 100 bytes of the i-th packet that was originally
used to compose the sequence x. Finally, subsequences are
√ 8:
reshaped xi ∈ Rl → xi ∈ RK ×K , where K = l and l is
a perfect square number. An illustration of this procedure is
shown in Figure 4. The mean SSIM gives the overall structural
similarity measure of the sequence (MSSIM), defined as
1 
n M
 
MSSIM(x, x̃) = SSIM xi (j ), x̃i (j ) , (8)
nM
i=1 j =1
where M is the number of local windows, and xi (j ) and
x̃i (j ) are the contents at the j-th local window of the i-th
subsequences xi and x̃i .
D. Adversarial Training
We address the generalization problem by regularizing the
AE through adversarial training. Additionally to maximiz-
ing MSSIM, we further maximize the reconstruction scores
provided by the critic C. By doing so, besides generating
contextually similar reconstructions, the AE must reconstruct
normal-like samples as faithfully as possible so the scores
given by the critic C are maximized. During training, the AE
is optimized to maximize
 
LG = E MSSIM(x, x̃) + λG C (x̃) , (9)
x∼Pr
where λG is the regularization coefficient that balance the
terms of the AE’s objective function.
In Equation (9), it is assumed that critic C can provide high
scores for real normal traffic samples and low scores for recon-
struction. To do so, the critic C must learn the normal and
reconstruction data distributions. Therefore, during training,
the critic C is optimized to maximize
 
LC = E C (x) − C (x̃) + λC LGP , (10)
x∼Pr
where LGP is given by Equation (4), and λC = 10 as sug-
gested in [13]. Our adversarial training strategy is based on the
WGAN-GP framework described in Section II-B. Algorithm 1
summarizes the essential steps of the proposed adversarial
training.
E. Anomaly Score
An anomaly score A(x) is a function that provides a score to
a sample x in the test set concerning samples in the training set.
Samples with more significant anomaly scores are considered
more likely to be anomalous. Traditionally, AE strategies for
anomaly detection rely on the reconstruction error between the
Authorized licensed use limited to: Northeastern University. Downloaded on August 11,2023 at 09:08:50 UTC from IEEE Xplore. Restrictions apply.
1311
Algorithm 1 Proposed Adversarial Training. We Use m = 64,
λC = 10, λG = 100, α = 1e-4, β1 = 0, and β2 = 0.9
Require: Batch size m, maximum training iterations maxepoch , C
penalty coefficients λC and λG , Adam hyperparameters α, β1 , β2 ,
critic and autoencoder initial parameters ψ0 and θ0 , respectively.
1: while current epoch is smaller than maxepoch do
2: Sample a batch of normal traffic samples {x(i) }m
i=1 ∼ Pr
3: x̃ ← Gθ (x)
4: for i ← 1 to m do
5: Sample a random number  ∼ U (0, 1)
6: x̂ ← x(i) + (1 − )x̃(i)
(i)
7: LC ← Cψ (x(i) ) − Cψ (x̃(i) ) + λC (∇x̂ Cψ (x̂)2 − 1)2
ψ ← Adam(∇ψ m 1 m L(i) , ψ, α, β , β )
i=1 C 1 2
9: LG ← MSSIM(x, x̃) + λG Cψ (x̃)
10: θ ← Adam(∇θ m 1 m −L(i) , θ, α, β , β )
i=1 G 1 2
input, and the reconstruction of the input has been used as an
anomaly score. Another widely adopted anomaly score is the
feature matching error based on an intermediate layer of the
discriminator [5], [26].
Experiments with the feature matching error as an anomaly
score did not significantly improve ARCADE’s performance.
At the same time, it considerably increased the inference time
since it is required to feed x and x̃ through C for feature extrac-
tion. Similarly, we found that using MSSIM as an anomaly
score leads to a more discriminative anomaly function when
compared to L2 . However, the gains in efficiency are not
meaningful enough to justify the loss in efficiency due to the
SSIM’s complexity. Therefore, for a given sample x in the test
set, its anomaly score computed using ARCADE is denoted
as A(x) = L2 (x, x̃).
V. E XPERIMENTAL E VALUATION
The present section investigates and compares the
performance of ARCADE with baselines on three network
traffic datasets. The considered datasets and baselines are
described in Section V-A and Section V-B, respectively.
Implementation, training details, and hyper-parameter tuning
are described in Section V-C. In Section V-D, we assess
the effectiveness of ARCADE and baselines on the three
considered datasets. Section V-E present the analysis of the
complexity and the detection speed of ARCADE and D-PACK
baseline.
A. Datasets Description
We used three datasets to evaluate the performance of
the proposed approach with real-world normal and malicious
network traffic: ISCX-IDS [33], USTC-TFC [17], and MIRAI-
RGU [34]. The choice of datasets is based on the requirement
for raw network traffic. The selected datasets are among the
most well-known datasets for intrusion detection, which pro-
vide raw network traffic (.pcap) in addition to hand-designed
features (.csv). For example, the KDD’99 and NSL-KDD
datasets provide only hand-designed extracted features, which
limits their use in this work. It is worth noting that the number
of flows presented in dataset Table II, III, and IV described
1312
TABLE IV
MIRAI-RGU DATASET
below are the number of flows achieved after the preprocessing
procedure proposed in Section IV-A.
The ISCX-IDS dataset [33] is a realistic-like dataset orig-
inally proposed for the development of enhanced intrusion
detection and anomaly-based approaches. The network traf-
fic was collected for seven days. Packets collected on the first
and sixth days are normal traffic. Normal and attack pack-
ets are collected on the second and third days. In the fourth,
fifth, and seventh days, besides the normal traffic, HTTP DoS,
DDoS using an IRC Botnet, and Brute Force (BF) SSH pack-
ets are collected, respectively. Table II provides an overview of
the ISCX-IDS dataset. The USTC-TFC dataset [17] includes
ten classes of normal traffic and ten classes of malware traf-
fic from public websites, which were collected from a real
network environment from 2011 to 2015. Table III provides an
overview of the USTC-TFC dataset. The MIRAI-RGU dataset
includes normal traffic from Internet of the Things (IoT)
Internet Protocol (IP) cameras and ten classes of malicious
traffic from the Mirai botnet malware, such as HTTP flood,
UDP flood, DNS flood, Mirai infection traffic, VSE flood,
GREIP flood, GREETH flood, TCP ACK flood, TCP SYN
flood, and UDPPLAIN flood. Table IV provides an overview
of the MIRAI-RGU dataset.
We split each dataset into training, validation, and test sets.
The training set is composed only of normal samples. Normal
and anomaly samples are used only for testing and validation.
We balance the test set such that each subset of classes in the
test set presents the same number of samples. Note that the
normal traffic in the test set is not a subset of the training
set. The validation set is composed of 5% of the samples of
each class from the test set, randomly selected and removed
for validation purposes.
B. Competing Methods
We compare ARCADE to three shallow and four deep learn-
ing methods for anomaly detection. The chosen shallow base-
lines are well-known methods typically applied to anomaly
detection problems and commonly used as a benchmark for
novel anomaly detection methods. D-PACK is the state-of-
the-art unsupervised network anomaly detection method using
raw network traffic bytes as input. We implemented and
used D-PACK’s effectiveness and efficiency as a baseline for
Authorized licensed use limited to: Northeastern University. Downloaded on August 11,2023 at 09:08:50 UTC from IEEE Xplore. Restrictions apply.
IEEE TRANSACTIONS ON NETWORK AND SERVICE MANAGEMENT, VOL. 20, NO. 2, JUNE 2023
ARCADE. GANomaly was chosen due to the similarities in
the adversarial regularization strategies. Comparing ARCADE
with GANomaly allows us to assess the effectiveness of our
proposed adversarial strategy. Moreover, comparing ARCADE
with AE-2 and AE-SSIM allows us to confirm the find-
ings presented by [23] and also assess the effectiveness of
the proposed adversarial regularization since ARCADE with
λG = 0 is equivalent to AE-SSIM. We also implemented
and performed experiments with probabilistic models such as
Variational Autoencoder (VAE) and Adversarial Autoencoder
(AAE); however, they did not produce satisfactory results
when compared to deterministic AEs. Therefore, their results
are not reported. Below we describe each competing method
and its respective parameters.
1) Shallow Baselines: (i) One-Class SVM (OC-SVM) [35]
with Gaussian kernel. We optimize the hyperparameters
γ and ν via grid search using the validation set with
γ ∈ {2−10 , 2−9 , . . . , 20 }, and ν ∈ {0.01, 0.02, . . . , 0.1}.
(ii) Kernel density estimation (KDE). We optimize the band-
width h of the Gaussian kernel via grid search, given ten
values spaced evenly between −1 to 1 on a logarithmic scale.
(iii) Isolation Forest (IF) [36]. As recommended in the original
work, we set the number of trees to 100 and the subsampling
size to 256. For all three shallow baselines, we reduce the
dimensionality of the data via Principal Component Analysis
(PCA), where we choose the minimum number of eigenvectors
such that at least 95% of the variance is retained.
2) Deep Baselines: (i) D-PACK [6], recently proposed
for unsupervised network anomaly detection, can be consid-
ered the state-of-the-art DL method for the task. D-PACK’s
performance serves as a point of comparison for ARCADE’s
effectiveness and efficiency. The original D-PACK formula-
tion assumes that normal traffic is split into multiple classes,
as in the USTC-TFC dataset. However, this is not the cir-
cumstance for most public datasets, such as the other two
datasets considered here. We empirically assessed that remov-
ing the softmax classifier degrades the method’s efficiency.
Therefore, we keep the original D-PACK formulation even
for datasets without labeled normal training data. The network
architecture, training strategy, and hyperparameters were kept
as recommended in the original work. (ii) GANomaly [28]
was originally proposed for image anomaly detection. Here,
we do not employ it as an out-of-the-box anomaly detection
approach. However, we use its adversary training framework
with the proposed 1D-CNN model architecture presented in
Section IV-B. The idea is to compare GANomaly’s train-
ing strategy with our proposed adversarial training strategy.
Note that GANomaly defines the generator G as an encoder-
decoder-encoder. Therefore, a second encoder E  with the
same architecture of E (without sharing parameters) is added to
the proposed AE, where the input of E  is the outcome of the
decoder D, i.e., the input for encoder E  is the reconstruction
of the input. Finally, we modify the critic C to align with their
proposed discriminator D. We modify C, so batch normaliza-
tion is used instead of layer normalization, and a Sigmoid
activation function is added after the last layer. The anomaly
score is given by the 2 -distance between the latent space
of E and the latent space of E  . We performed grid search
TESSARO LUNARDI et al.: ARCADE
Fig. 5. ARCADE’s mean AUROC (%) convergence given varying values
for the adversarial regularization coefficient λG . In the case where λG = 0,
results are equivalent to the AE-SSIM.
TABLE V
ARCADE’ S M EAN AUROC (%) ON THE T HREE C ONSIDERED DATASETS
G IVEN VARYING I NPUT S IZES . R ESULTS A RE IN THE F ORMAT mean ± std.
O BTAINED OVER 10-F OLDS
TABLE VI
AUROC (%) OF ARCADE AND S HALLOW BASELINES . R ESULTS A RE IN
THE F ORMAT mean ± std. O BTAINED OVER 10-F OLDS . W E P RESENT
R ESULTS FOR THE ISCX-IDS W ITH n ∈ {2, 5},
D ENOTED AS ISCX-IDSn
optimize wrec ∈ {50, 75, 100, 125, 150} and results suggest
that wrec = 75 lead to best results. All the other parame-
ters were kept as suggested in the original work. (iii) AE-2
is an AE with the same proposed network architecture in
Section IV-B, where L2 loss is used as distance metric during
training, and L2 is also used for the anomaly score computa-
tion. (iv) AE-SSIM is an AE with the same proposed network
architecture in Section IV-B, where MSSIM loss is used for
training, and L2 is used for computing the anomaly scores.
In this work, we used the PyTorch Image Quality (PIQ) [37]
implementation of the SSIM loss with Gaussian kernel and
kernel size K = 3, obtained through a grid search optimization
with K ∈ {3, 5, 7, 9}.
C. Training Recipe and Ablation Study
The training objective (described in Section IV-D) is opti-
mized via Adam optimizer [38] with α = 1e −4, β1 = 0,
and β2 = 0.9. It is worth noting again that Algorithm 1
describes the main steps of the proposed adversarial train-
ing procedure. Additionally, we employ for all approaches a
two-phase (“searching” and “fine-tuning”) learning rate 1e−4
for 100 epochs. In the fine-tuning phase, we train with the
learning rate 1e−5 for another 50 epochs. The latent size d
is computed with PCA, equivalent to the minimum number of
Authorized licensed use limited to: Northeastern University. Downloaded on August 11,2023 at 09:08:50 UTC from IEEE Xplore. Restrictions apply.
1313
eigenvectors such that the sum of their explained variance is
at least 95%, i.e., d ≈ 50 with n = 2 for all three datasets.
Given the hyperparameters and training recipe above, we
performed ablation experiments to assess the performance of
ARCADE with and without the proposed adversarial regu-
larization and varying input sizes. The validation set was
used for the ablation experiments. To assess the effective-
ness of the proposed adversarial regularization, we performed
experiments with the ICSX-IDS dataset with n = 5, and
λG ∈ {0, 0.001, 0.01, 0.02, 0.03}. Figure 5 illustrates the
mean AUROC convergence (lines) and standard deviation
(error bars amplified 50 times for visualization purposes).
We can verify that the proposed adversarial-based regulariza-
tion improves the capabilities of the AE for network anomaly
detection concerning the same AE without the adversarial
regularization, i.e., with λG = 0 ARCADE is equivalent to
AE-SSIM. The proposed adversarial training strategy can be
exploited to improve the network anomaly detection capabili-
ties of similar DL approaches, especially for scenarios where
increasing the model size is not an option due to hardware
constraints. Based on these results, we fix the adversarial
regularization coefficient to λG = 0.01 for all the follow-
ing experiments. We also analyze the ARCADE performance
given different input sizes. Table V presents the mean AUROC
and standard deviations on the three datasets with n ∈
{2, 3, 4, 5, 6}. ARCADE achieves nearly 100 AUROC with
n = 2 on the USTC-TFC and MIRAI-RGU datasets. For the
ISCX-IDS dataset, the method achieves 86.7 and 99.1 AUROC
with 2 and 4 packets, respectively. The following experiments
further investigate the considerable difference in performance
given varying values of n. For the MIRAI-RGU dataset, the
AUROC decreases with n > 5. Scaling the model depth and
width given the input size could help since, for larger input
sizes, more layers and channels would lead to an increased
receptive field and more fine-grained patterns. Note that addi-
tional ablation experiments concerning the 2 and SSIM loss
functions are provided in the following section.
D. Network Traffic Anomaly Detection Results
We now systematically compare the proposed ARCADE’s
effectiveness with the baselines. Table VI presents the results
of the considered shallow baselines on the three network traffic
datasets. ARCADE outperforms all of its shallow competitors.
Table VII presents the results of ARCADE and considered
deep baselines. Here, we expand the evaluations to include a
one-class anomaly detection setting, where each anomaly class
is evaluated separately. Therefore, the table also includes the
AUROC and F1-score concerning the evaluation performed
exclusively on each anomaly class presented in each dataset.
Note that the anomaly samples used for this evaluation are
not necessarily a subset of the test set and were fixed for all
methods. This allows each method to be evaluated separately
against each attack or malware in each dataset.
The results for the deep baselines, considering normal and
all anomalies, show that ARCADE outperforms all other
methods on the three considered datasets. The methods rank
ARCADE, AE-SSIM, AE-2 , GANomaly, and D-PACK for
1314 IEEE TRANSACTIONS ON NETWORK AND SERVICE MANAGEMENT, VOL. 20, NO. 2, JUNE 2023

TABLE VII
AUROC AND F1-S CORE (%) OF ARCADE AND D EEP BASELINES . E ACH M ETHOD WAS T RAINED E XCLUSIVELY ON N ORMAL
N ETWORK T RAFFIC , AND THE R ESULTS A RE IN THE F ORMAT M EAN (± STD .) O BTAINED OVER 10-F OLDS .
F OR THE ISCX-IDS, W E RUN T WO E XPERIMENTS W ITH n ∈ {2, 5}

results on the ISCX-IDS with n = 2, USTC-TFC with n = 2,
and MIRAI-RGU with n = 2. In experiments with the ISCX-
IDS with n = 5, the methods rank ARCADE, GANomaly,
AE-SSIM, AE-2 , and D-PACK. Despite having approxi-
mately 20 times more parameters than the proposed model,
D-PACK achieved the worst results among the deep baselines.
Results for the AE-SSIM and AE-2 , similarly to the results
provided in [23], show that using SSIM as a distance metric
during training can improve the AE’s capabilities in detecting
anomalies. ARCADE, which also uses SSIM as a distance
metric during training and employs the proposed adversarial
regularization strategy, achieved better results than AE-SSIM,
emphasizing the advantages of the proposed adversarial train-
ing strategy. The GANomaly framework, comprised of its
distinct model architecture, adversarial training strategy, and
anomaly score, did not achieve better results than ARCADE. It
is worth noting that GANomaly used the same AE architecture
as ARCADE with the requirement of an additional encoder,
as described in Section V-B2.
The isolated validations for the ISCX-IDS with n = 2 show
that ARCADE achieved the best F1-score values for all classes
and best AUROC values for Infiltration, DDoS, and BF SSH,
where D-PACK achieved the best AUROC for HTTP DoS.
With n = 5, ARCADE achieved the best results for Infiltration
and HTTP DoS, where D-PACK achieved the best results for
DDoS, and GANomaly achieved the best results for BF SSH.
The low performance of the considered methods on DoS and
DDoS with n = 2 indicates that analyzing the spatial relation
between bytes among multiple subsequent packets is essen-
tial to detect such attacks. A single packet of a flood attack
does not characterize an anomaly; e.g., an SYN packet can
be found within the normal traffic. However, multiple SYN

Authorized licensed use limited to: Northeastern University. Downloaded on August 11,2023 at 09:08:50 UTC from IEEE Xplore. Restrictions apply.
TESSARO LUNARDI et al.: ARCADE
TABLE VIII
T HE ACCURACY, P RECISION , R ECALL , AND F1-S CORE VALUES IN % OF ARCADE AND D-PACK FOR THE 99 TH P ERCENTILE AND M AXIMUM
T HRESHOLDS . R ESULTS A RE IN THE F ORMAT OF THE M EAN (± STD .) O BTAINED OVER T EN S EEDS
packets in sequence can be characterized as an SYN flood
attack. This indicates that the spatial relation between bytes
among subsequent packets is essential to detect such attacks.
In isolated experiments with anomaly classes from the USTC-
TFC dataset, ARCADE achieved maximum results with 100
AUROC and 100 F1-score in all malware classes. Results
from the isolated experiments with anomaly classes from the
MIRAI-RGU show that, if we consider D-PACK, AE-2 , AE-
SSIM, and GANomaly, there is no clear winner. ARCADE
achieved the best AUROC and F1-score values on the 8 and 6
classes, respectively. GANomaly ranked second with four best
AUROC and three best F1-score values.
In practice, a threshold value must be set to distinguish
between normal and anomalous traffic based on the anomaly
score distribution of the normal traffic. In a supervised sce-
nario where the normal and known anomalies’ anomaly score
distribution does not overlap, the maximum anomaly score
of the normal traffic can lead to 100% Detection Rate (DR)
and 0% FAR. This is commonly adopted since it leads to
small FAR. To avoid the impact of extreme maximum anomaly
scores, the 99th percentile of the anomaly score distribu-
tion of the normal traffic can be used as an alternative. The
downside of this approach is that approximately 1% FAR
is expected. Regardless, the definition of the threshold is
problem-dependent and is strongly related to IDS architecture
altogether, e.g., in a hybrid IDS (anomaly-based and signature-
based), where the anomaly-based method is used as a filter
to avoid unnecessary signature verification, a high threshold
could lead to low detection rates. In this case, a lower thresh-
old, such as the 99th percentile (or even smaller), would be
preferable since the signature-based approach would further
validate false positives.
We further compare ARCADE and D-PACK considering
accuracy, precision, recall, and F1-score given two thresholds:
(i) the 99th percentile, and (ii) the maximum value of the
normal traffic anomaly scores. This comparison aims to ana-
lyze the effectiveness of ARCADE compared to the D-PACK
baseline, originally proposed for network anomaly detection.
The other deep baselines use the same model architecture
as ARCADE and can be seen as contributions to this work
Authorized licensed use limited to: Northeastern University. Downloaded on August 11,2023 at 09:08:50 UTC from IEEE Xplore. Restrictions apply.
1315
we implemented. Table VIII presents the accuracy, precision,
recall, and F1-score of ARCADE and D-PACK given both
thresholds, with n = 2 for the USTC-TFC and MIRAI-RGU
datasets, and n = 5 for the ISCX-IDS dataset. The results of
the 99th threshold show that ARCADE achieved the highest
recall rate for the USTC-TFC and MIRAI-RGU datasets. This
is because ARCADE produced no false negatives. ARCADE
achieved an 11.79% higher F1-score than D-PACK. When
the maximum threshold is used, the ARCADE enhance-
ment in performance is more clearly seen. As expected,
both approaches were able to achieve the highest precision.
However, D-PACK only achieved 8.69% mean recall, while
ARCADE achieved 64.54%. This is an improvement of
642.69%. Figure 6 shows the anomaly score distribution of
ARCADE and D-PACK computed using the model parame-
ters that led to the best AUROC obtained over 10-folds on
the three datasets. The detection rate is reported and calcu-
lated using the 99th percentile threshold, also presented in the
figures. When considering the best model parameters and a
99th percentile threshold, ARCADE outperformed D-PACK in
terms of detection rates by 22.35%, 3.44%, and 0.14% on the
ISCX-IDS, USTC-TFC, and Mirai-RGU datasets, respectively.
E. Model Complexity and Detection Speed
Here we evaluate the efficiency of ARCADE by comparing
with D-PACK the number of samples processed per second,
model sizes, and floating-point operations (FLOPS). Figure 7
presents ARCADE and D-PACK efficiency, effectiveness, and
model size on the ISCX-IDS with n = 2 and n = 5, where
our ARCADE significantly outperforms D-PACK in all eval-
uated measures. We analyze the detection speed performance
of ARCADE and D-PACK by assessing how many samples
per second they can process in different environments with
distinct processing capabilities that we categorize as edge,
fog, and cloud. The device specifications and the experimen-
tal environment are summarized in Table XI. We consider a
Raspberry Pi 4B as an edge device, UP Xtreme and Jetson
Xavier NX as fog devices, and a desktop personal com-
puter with an AMD Ryzen Threadripper 3970X 32-core CPU,
1316 IEEE TRANSACTIONS ON NETWORK AND SERVICE MANAGEMENT, VOL. 20, NO. 2, JUNE 2023

Fig. 6. The anomaly score distributions for normal and abnormal traffic from the test set of each considered dataset. Anomaly scores were computed using
the best model’s parameters over 10-folds for each method. The DR was calculated based on the 99th percentile threshold of the normal traffic scores. Blue
and red bars represent normal and abnormal traffic flows, respectively.

TABLE IX
M EAN D ETECTION S PEED C OMPARISON B ETWEEN
ARCADE AND D-PACK

Fig. 7. Comparison between efficiency, effectiveness, and model size of

ARCADE and D-PACK. We report AUROC (%) vs. floating-point operations
(FLOPS) required for a single forward pass is reported with n ∈ {2, 5}.
The size of each circle corresponds to the model size (number of parame-
ters). ARCADE achieves higher AUROC with approximately 20 times fewer
parameters than D-PACK.
NVIDIA GeForce RTX 3090 GPU, and 128 GB RAM as a
cloud device. Detection speed experiments were conducted
with and without GPU support to account for the fact that edge
(and sometimes fog) nodes may not have a GPU device, as is
the case with the Raspberry Pi 4 and the UP Xtreme board.
The NVIDIA Jetson Xavier NX and the personal computer
were given a GPU warm-up stage of 5 seconds immediately
before starting the experiment. The mean amount of processed
flows per second was computed given ten runs. All experi-
ments were implemented in Python 3.8 PyTorch version 1.8
without any improvement to speed up inference. Table IX
present the detection speed results with n = 2. The results
show that ARCADE outperformed D-PACK in all environ-
ments, with ARCADE being approximately 8, 3, 2.8, 2, 2.16
times faster on the Raspberry Pi 4, UP Xtreme, NVIDIA
Jetson, Threadripper CPU, and RTX 3090 GPU, respectively.
ARCADE can process over 1.9M flows per second on the
RTX 3090 GPU. The definition of an “optimal model” in
an online network detection scenario cannot be well-defined
since there is a clear trade-off between the model’s effec-
tiveness and complexity. In this sense, the proposed model
can be easily adapted by changing the number of layers
and channels, together with the input size, to better suit the
needs of a particular environment given its processing power
capabilities.
VI. C ONCLUSION
In this work, we introduced ARCADE, a novel unsupervised
DL method for network anomaly detection that automatically
builds the normal traffic profile based on raw network bytes
as input without human intervention for feature engineering.
ARCADE is composed of a 1D-CNN AE that is trained exclu-
sively on normal network traffic flows and regularized through
a WGAN-GP adversarial strategy. We experimentally demon-
strated that the proposed adversarial regularization improves
the performance of the AE. The proposed adversarial regu-
larization strategy can be applied to any AE independently
of its model architecture, and it can also be applied to other
anomaly detection tasks. Once the AE is trained on the normal

Authorized licensed use limited to: Northeastern University. Downloaded on August 11,2023 at 09:08:50 UTC from IEEE Xplore. Restrictions apply.
TESSARO LUNARDI et al.: ARCADE 1317

TABLE X
E NCODER , D ECODER , AND C RITIC A RCHITECTURE two initial packets of a network flow as input, ARCADE
can detect most of the malicious traffic with nearly 100%
F1-score, except for HTTP DoS and DDoS, where 68.70%
and 66.61% F1-scores were obtained. While considering five
packets, ARCADE achieved 91.95% and 93.19% F1-scores
for HTTP DoS and DDoS, respectively. Experiments show
that the proposed AE model is 20 times smaller than base-
lines and still presents significant improvement in accuracy,
model complexity, and detection speed.

A PPENDIX
See Tables X and XI.

R EFERENCES
[1] “Cisco annual Internet report (2018–2023),” Cisco, San Jose, CA, USA,
White Paper, 2020.
[2] H.-J. Liao, C.-H. R. Lin, Y.-C. Lin, and K.-Y. Tung, “Intrusion detection
system: A comprehensive review,” J. Netw. Comput. Appl., vol. 36, no. 1,
pp. 16–24, 2013.
[3] J. V. V. Silva, N. R. de Oliveira, D. S. Medeiros, M. A. Lopez, and
D. M. Mattos, “A statistical analysis of intrinsic bias of network security
datasets for training machine learning mechanisms,” Ann. Telecommun.,
vol. 77, pp. 555–571, Feb. 2022.
[4] Z. Ahmad, A. S. Khan, C. W. Shiang, J. Abdullah, and F. Ahmad,
“Network intrusion detection system: A systematic study of machine
learning and deep learning approaches,” Trans. Emerg. Telecommun.
Technol., vol. 32, no. 1, 2021, Art. no. e4150.
[5] T. Truong-Huu et al., “An empirical study on unsupervised network
anomaly detection using generative adversarial networks,” in Proc. 1st
ACM Workshop Security Privacy Artif. Intell., 2020, pp. 20–29.
[6] R.-H. Hwang, M.-C. Peng, C.-W. Huang, P.-C. Lin, and V.-L. Nguyen,
“An unsupervised deep learning model for early network traffic anomaly
detection,” IEEE Access, vol. 8, pp. 30387–30399, 2020.
[7] M. Rudolph, B. Wandt, and B. Rosenhahn, “Same same but DifferNet:
Semi-supervised defect detection with normalizing flows,” in Proc.
IEEE/CVF Winter Conf. Appl. Comput. Vis., 2021, pp. 1907–1916.
[8] D. Gong et al., “Memorizing normality to detect anomaly: Memory-
augmented deep autoencoder for unsupervised anomaly detection,” in
Proc. IEEE/CVF Int. Conf. Comput. Vis., 2019, pp. 1705–1714.
[9] S. Zhai, Y. Cheng, W. Lu, and Z. Zhang, “Deep structured energy based
models for anomaly detection,” in Proc. Int. Conf. Mach. Learn., 2016,
TABLE XI pp. 1100–1109.
S PECIFICATIONS OF C ONSIDERED E NVIRONMENTS FOR D ETECTION
[10] A. Radford, L. Metz, and S. Chintala, “Unsupervised representation
S PEED E XPERIMENTS
learning with deep convolutional generative adversarial networks,” 2015,
arXiv:1511.06434.
[11] I. Goodfellow et al., “Generative adversarial nets,” in Proc. Adv. Neural
Inf. Process. Syst., vol. 27, 2014, pp. 1–9.
[12] M. Arjovsky, S. Chintala, and L. Bottou, “Wasserstein generative adver-
sarial networks,” in Proc. Int. Conf. Mach. Learn., 2017, pp. 214–223.
[13] I. Gulrajani, F. Ahmed, M. Arjovsky, V. Dumoulin, and A. C. Courville,
“Improved training of Wasserstein GANs,” in Proc. Adv. Neural Inf.
Process. Syst., vol. 30, 2017, pp. 5769–5779.
[14] L. Vu, C. T. Bui, and Q. U. Nguyen, “A deep learning based method for
handling imbalanced problem in network traffic classification,” in Proc.
8th Int. Symp. Inf. Commun. Technol., 2017, pp. 333–339.
[15] R. Doriguzzi-Corin, S. Millar, S. Scott-Hayward, J. Martinez-del Rincon,
and D. Siracusa, “Lucid: A practical, lightweight deep learning solution
for ddos attack detection,” IEEE Trans. Netw. Service Manage., vol. 17,
no. 2, pp. 876–889, Jun. 2020.
[16] W. Wang et al., “Hast-IDS: Learning hierarchical spatial-temporal fea-
tures using deep neural networks to improve intrusion detection,” IEEE
Access, vol. 6, pp. 1792–1806, 2017.
[17] W. Wang, M. Zhu, X. Zeng, X. Ye, and Y. Sheng, “Malware traffic classi-
fication using convolutional neural network for representation learning,”
network traffic using the proposed approach, ARCADE can in Proc. Int. Conf. Inf. Netw., 2017, pp. 712–717.
[18] Y. Yu, J. Long, and Z. Cai, “Network intrusion detection through stack-
effectively detect unseen network traffic flows from attacks ing dilated convolutional autoencoders,” Security and Communication
and malware. Our results suggest that even considering only Networks, vol. 2017, Nov. 2017, Art. no. 4184196.

Authorized licensed use limited to: Northeastern University. Downloaded on August 11,2023 at 09:08:50 UTC from IEEE Xplore. Restrictions apply.
1318 IEEE TRANSACTIONS ON NETWORK AND SERVICE MANAGEMENT, VOL. 20, NO. 2, JUNE 2023
[19] W. Wang, M. Zhu, J. Wang, X. Zeng, and Z. Yang, “End-to-end
encrypted traffic classification with one-dimensional convolution neu-
ral networks,” in Proc. Int. Conf. Intell. Security Informat., 2017,
pp. 43–48.
[20] G. Aceto, D. Ciuonzo, A. Montieri, and A. Pescapé, “Mobile encrypted
traffic classification using deep learning: Experimental evaluation,
lessons learned, and challenges,” IEEE Trans. Netw. Service Manage.,
vol. 16, no. 2, pp. 445–458, Jun. 2019.
[21] M. Lotfollahi, M. J. Siavoshani, R. S. H. Zade, and M. Saberian, “Deep
packet: A novel approach for encrypted traffic classification using deep
learning,” Soft Comput., vol. 24, no. 3, pp. 1999–2012, 2020.
[22] T. Ahmad, D. Truscan, J. Vain, and I. Porres, “Early detection of network
attacks using deep learning,” 2022, arXiv:2201.11628.
[23] P. Bergmann, S. Löwe, M. Fauser, D. Sattlegger, and C. Steger,
“Improving unsupervised defect segmentation by applying structural
similarity to autoencoders,” 2018, arXiv:1807.02011.
[24] Z. Wang, A. C. Bovik, H. R. Sheikh, and E. P. Simoncelli, “Image
quality assessment: From error visibility to structural similarity,” IEEE
Trans. Image Process., vol. 13, pp. 600–612, 2004.
[25] G. Pang, C. Shen, L. Cao, and A. V. D. Hengel, “Deep learning for
anomaly detection: A review,” ACM Comput. Surveys, vol. 54, no. 2,
pp. 1–38, 2021.
[26] T. Schlegl, P. Seeböck, S. M. Waldstein, U. Schmidt-Erfurth, and
G. Langs, “Unsupervised anomaly detection with generative adversarial
networks to guide marker discovery,” in Proc. Int. Conf. Inf. Process.
Med. Imag., 2017, pp. 146–157.
[27] H. Zenati, C. S. Foo, B. Lecouat, G. Manek, and V. R. Chandrasekhar,
“Efficient GAN-based anomaly detection,” 2018, arXiv:1802.06222.
[28] S. Akcay, A. Atapour-Abarghouei, and T. P. Breckon, “Ganomaly: Semi-
supervised anomaly detection via adversarial training,” in Proc. Asian
Conf. Comput. Vis., 2018, pp. 622–637.
[29] J. Deng, W. Dong, R. Socher, L.-J. Li, K. Li, and L. Fei-Fei, “ImageNet:
A large-scale hierarchical image database,” in Proc. Int. Conf. Comput.
Vis. Pattern Recognit., 2009, pp. 248–255.
[30] Z. Xiao, Q. Yan, and Y. Amit, “Do we really need to learn
representations from in-domain data for outlier detection?” 2021,
arXiv:2105.09270.
[31] L. Bergman, N. Cohen, and Y. Hoshen, “Deep nearest neighbor anomaly
detection,” 2020, arXiv:2002.10445.
[32] T. Reiss, N. Cohen, L. Bergman, and Y. Hoshen, “Panda: Adapting
pretrained features for anomaly detection and segmentation,” in Proc.
IEEE/CVF Conf. Comput. Vis. Pattern Recognit., 2021, pp. 2806–2814.
[33] A. Shiravi, H. Shiravi, M. Tavallaee, and A. A. Ghorbani, “Toward devel-
oping a systematic approach to generate benchmark datasets for intrusion
detection,” comput. Security, vol. 31, no. 3, pp. 357–374, 2012.
[34] C. D. McDermott, F. Majdani, and A. V. Petrovski, “BotNet detection
in the Internet of Things using deep learning approaches,” in Proc. Int.
Joint Conf. Neural Netw., 2018, pp. 1–8.
[35] B. Schölkopf, J. C. Platt, J. Shawe-Taylor, A. J. Smola, and
R. C. Williamson, “Estimating the support of a high-dimensional dis-
tribution,” Neural Comput., vol. 13, no. 7, pp. 1443–1471, 2001.
[36] F. T. Liu, K. M. Ting, and Z.-H. Zhou, “Isolation forest,” in Proc. Int.
Conf. Data Min., 2008, pp. 413–422.
[37] S. Kastryulin, D. Zakirov, and D. Prokopenko, “PyTorch image qual-
ity: Metrics and measure for image quality assessment.” 2019. [Online].
Available: https://github.com/photosynthesis-team/piq
[38] D. P. Kingma and J. Ba, “Adam: A method for stochastic optimization,”
2014, arXiv:1412.6980.
Authorized licensed use limited to: Northeastern University. Downloaded on August 11,2023 at 09:08:50 UTC from IEEE Xplore. Restrictions apply.
Willian Tessaro Lunardi (Member, IEEE) received
the Ph.D. degree in computer science from the
University of Luxembourg. He is a Senior Research
Scientist with the Secure Systems Research Centre,
Technology Innovation Institute, Abu Dhabi, UAE.
He has published over 25 research papers in inter-
national scientific journals, conferences, and book
chapters. His main area of research is machine learn-
ing and combinatorial optimization. He is currently
working on machine learning for network security,
physical layer security, and jamming detection.
Martin Andreoni Lopez (Member, IEEE) gradu-
ated as an electronic engineer from the Universidad
Nacional de San Juan, Argentina, in 2011,
the master’s degree in electrical engineering
from the Federal University of Rio de Janeiro
(COPPE/UFRJ) in 2014, and the Doctoral degree
from the Teleinformatics and Automation Group,
COPPE/UFRJ and the Phare team of Laboratoire
d’Informatique Paris VI, Sorbonne Université,
France, in 2018. He is a Network Security
Researcher with the Secure System Research Center,
Technology Innovation Institute, Abu Dhabi, UAE. He was a Researcher with
Samsung R&D Institute Brazil. He has coauthored several publications and
patents in security, virtualization, traffic analysis, and big data.
Jean-Pierre Giacalone received the engineer-
ing degree from the École nationale supérieure
d’électrotechnique, d’électronique, d’informatique,
d’hydraulique et des télécommunications, Toulouse,
France. He is the Vice President of Secure
Communications Engineering with the Secure
Systems Research Centre, Technology Innovation
Institute, Abu Dhabi, UAE. He is responsible
for researching secure communications, focusing
on improving the resilience of cyber-physical and
autonomous systems. He has worked as an Expert
in software architecture for advanced driving assistance systems with Renault
and as a Principal Engineer and Architect within Intel’s Mobile Systems
Technologies Group. He holds 19 patents and has coauthored 15 research
papers accepted for publication in international journals and conference
proceedings.