Received April 5, 2019, accepted April 26, 2019, date of publication May 14, 2019, date of current version

June 3, 2019.
Digital Object Identifier 10.1109/ACCESS.2019.2916648

Unsupervised Machine Learning for Networking:

Techniques, Applications and
Research Challenges
MUHAMMAD USAMA 1 , JUNAID QADIR 1, AUNN RAZA2 , HUNAIN ARIF2 ,
KOK-LIM ALVIN YAU 3 , YEHIA ELKHATIB 4, AMIR HUSSAIN5,6 , AND ALA AL-FUQAHA 7,8
1 Information Technology University (ITU)-Punjab, Lahore 54000, Pakistan
2 National University of Science and Technology (NUST), Islamabad 44000, Pakistan
3 Sunway University, Subang Jaya 47500, Malaysia
4 The School of Computing and Communications, Lancaster University, Lancaster LA1 4WA, U.K.
5 School of Computing, Edinburgh Napier University, Edinburgh EH11 4BN, U.K.
6 Taibah Valley, Taibah University, Medina 42353, Saudi Arabia
7 Information and Computing Technology (ICT) Division, College of Science and Engineering (CSE), Hamad Bin Khalifa University, Doha, Qatar
8 Department of Computer Science, Western Michigan University, Kalamazoo, MI 49008, USA

Corresponding author: Ala Al-Fuqaha ([email protected])

The publication of this article was funded by the Qatar National Library (QNL). The statements made herein are solely the responsibility of
the authors.

ABSTRACT While machine learning and artificial intelligence have long been applied in networking
research, the bulk of such works has focused on supervised learning. Recently, there has been a rising
trend of employing unsupervised machine learning using unstructured raw network data to improve network
performance and provide services, such as traffic engineering, anomaly detection, Internet traffic classifica-
tion, and quality of service optimization. The growing interest in applying unsupervised learning techniques
in networking stems from their great success in other fields, such as computer vision, natural language
processing, speech recognition, and optimal control (e.g., for developing autonomous self-driving cars).
In addition, unsupervised learning can unconstrain us from the need for labeled data and manual handcrafted
feature engineering, thereby facilitating flexible, general, and automated methods of machine learning. The
focus of this survey paper is to provide an overview of applications of unsupervised learning in the domain of
networking. We provide a comprehensive survey highlighting recent advancements in unsupervised learning
techniques, and describe their applications in various learning tasks, in the context of networking. We also
provide a discussion on future directions and open research issues, while identifying potential pitfalls. While
a few survey papers focusing on applications of machine learning in networking have previously been
published, a survey of similar scope and breadth is missing in the literature. Through this timely review,
we aim to advance the current state of knowledge, by carefully synthesizing insights from previous survey
papers, while providing contemporary coverage of the recent advances and innovations.

INDEX TERMS Machine learning, deep learning, unsupervised learning, computer networks.

I. INTRODUCTION methods for optimization and automated decision-making

Networks—such as the Internet and mobile telecom
networks—serve the function of the central hub of modern
human societies, which the various threads of modern
life weave around. With networks becoming increasingly
dynamic, heterogeneous, and complex, the management of
such networks has become less amenable to manual admin-
istration, and it can benefit from leveraging support from
The associate editor coordinating the review of this manuscript and
approving it for publication was Nuno Garcia.
from the fields of artificial intelligence (AI) and machine
learning (ML). Such AI and ML techniques have already
transformed multiple fields—e.g., computer vision, natural
language processing (NLP), speech recognition, and opti-
mal control (e.g., for developing autonomous self-driving
vehicles)—with the success of these techniques mainly
attributed to firstly, significant advances in unsupervised
ML techniques such as deep learning, secondly, the ready
availability of large amounts of unstructured raw data
amenable to processing by unsupervised learning algorithms,

2169-3536 2019 IEEE. Translations and content mining are permitted for academic research only.
VOLUME 7, 2019 Personal use is also permitted, but republication/redistribution requires IEEE permission. 65579
See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
 M. Usama et al.: Unsupervised Machine Learning for Networking: Techniques, Applications, and Research Challenges
and finally, advances in computing technologies through
advances such as cloud computing, graphics processing unit
(GPU) technology and other hardware enhancements. It is
anticipated that AI and ML will also make a similar impact
on the networking ecosystem and will help realize a future
vision of cognitive networks [1], [2], in which networks will
self-organize and will autonomously implement intelligent
network-wide behavior to solve problems such as routing,
scheduling, resource allocation, and anomaly detection. The
initial attempts towards creating cognitive or intelligent
networks have relied mostly on supervised ML methods,
which are efficient and powerful but are limited in scope
by their need for labeled data. With network data becom-
ing increasingly voluminous (with a disproportionate rise
in unstructured unlabeled data), there is a groundswell of
interest in leveraging unsupervised ML methods to utilize
unlabeled data, in addition to labeled data where available,
to optimize network performance [3]. The rising interest in
applying unsupervised ML in networking applications also
stems from the need to liberate ML applications from restric-
tive demands of supervised ML. Another reason of employing
unsupervised ML in networking is the expensiveness of
curating labeled network data at scale, since labeled data
may be unavailable and manual annotation is prohibitively
inconvenient, in addition, to be outdated quickly (due to the
highly dynamic nature of computer networks) [4].
We are already witnessing the failure of human network
administrators to manage and monitor all bits and pieces
of network [5], and the problem will only exacerbate with
further growth in the size of networks with paradigms such as
becoming the Internet of things (IoT). An ML-based network
management system (NMS) is desirable in such large net-
works so that faults/bottlenecks/anomalies may be predicted
in advance with reasonable accuracy. In this regard, networks
already have ample amount of untapped data, which can pro-
vide us with decision-making insights making networks more
efficient and self-adapting. With unsupervised ML, the pipe
dream is that every algorithm for adjusting network parame-
ters (be it, TCP congestion window or rerouting network traf-
fic during peak time) will optimize itself in a self-organizing
fashion according to the environment and application, user,
and network Quality of Service (QoS) requirements and
constraints [6]. Unsupervised ML methods, in concert with
existing supervised ML methods, can provide a more efficient
method that lets a network manage, monitor, and optimize
itself while keeping the human administrators in the loop with
the provisioning of timely actionable information.
Next generation networks are expected to be self-driven,
which means they have the ability to self-configure, optimize,
and heal [7]. All these self-driven properties can be achieved
by building artificial intelligence in the system using ML
techniques. Self-driven networks are supposed to utilize the
network data to perform networking chores and most of
the network data is imbalanced and unlabeled. In order to
develop a reliable data-driven network, data quality must be
taken care before subjecting it to an appropriate unsupervised
65580
ML [8]. Unsupervised ML techniques facilitate the analy-
sis of raw datasets, thereby helping in generating analytic
insights from unlabeled data. Recent advances in hierarchical
learning, clustering algorithms, factor analysis, latent models,
and outlier detection, have helped significantly advance the
state of the art in unsupervised ML techniques. In particular,
recent unsupervised ML advances—such as the development
of ‘‘deep learning’’ techniques [22]—have however signif-
icantly advanced the ML state of the art by facilitating the
processing of raw data without requiring careful engineering
and domain expertise for feature crafting. Deep learning is
a class of machine learning, where hierarchical architectures
are used for unsupervised feature learning and these learned
features are then used for classification and other related tasks
[23]. The versatility of deep learning and distributed ML
can be seen in the diversity of their applications that range
from self-driving cars to the reconstruction of brain circuits
[22]. Unsupervised learning is also often used in conjunction
with supervised learning in semi-supervised learning setting
to preprocess the data before analysis and thereby help in
crafting a good feature representation and in finding patterns
and structures in unlabeled data.
The rapid advances in deep neural networks, the democ-
ratization of enormous computing capabilities through cloud
computing and distributed computing, and the ability to store
and process large swathes of data have motivated a surging
interest in applying unsupervised ML techniques in the net-
working field. The field of networking also appears to be well
suited to, and amenable to applications of unsupervised ML
techniques, due to the largely distributed decision-making
nature of its protocols, the availability of large amounts of
network data, and the urgent need for intelligent/cognitive
networking. Consider the case of routing in networks. Net-
works these days have evolved to be very complex, and
they incorporate multiple physical paths for redundancy and
utilize complex routing methodologies to direct the traffic.
The application traffic does not always take the optimal
path we would expect, leading to unexpected and inefficient
routing performance. To tame such complexity, unsupervised
ML techniques can autonomously self-organize the network
taking into account a number of factors such as real-time
network congestion statistics as well as application QoS
requirements [24].
The purpose of this paper is to highlight the important
advances in unsupervised learning, and after providing a
tutorial introduction to these techniques, to review how such
techniques have been, or could be, used for various tasks in
modern next-generation networks comprising both computer
networks as well as mobile telecom networks.
A. CONTRIBUTION OF THE PAPER
To the best of our knowledge, there does not exist a survey that
specifically focuses on the important applications of unsu-
pervised ML techniques in networks, even though a number
of surveys exist that focus on specific ML applications per-
taining to networking—for instance, surveys on using ML
VOLUME 7, 2019
M. Usama et al.: Unsupervised Machine Learning for Networking: Techniques, Applications, and Research Challenges
TABLE 1. Comparison of our paper with existing survey and review papers (Legend:
for cognitive radios [11], traffic identification and classifica-
tion [10], and anomaly detection [9], [15]. Previous survey
papers have either focused on specific unsupervised learning
techniques (e.g., [25] have provided a survey of the applica-
tions of neural networks in wireless networks) or on some
specific applications of computer networking ([13] have pro-
vided a survey of the applications of ML in cyber intru-
sion detection). Our survey paper is timely since there is
great interest in deploying automated and self-taught unsu-
pervised learning models in the industry and academia. Due
to relatively limited applications of unsupervised learning
in networking—in particular, the deep learning trend has
not yet impacted networking in a major way—unsupervised
learning techniques hold a lot of promises for advancing
the state of the art in networking in terms of adaptability,
flexibility, and efficiency. The novelty of this survey is that it
covers many different important applications of unsupervised
ML techniques in computer networks and provides readers
with a comprehensive discussion of the unsupervised ML
trends, as well as the suitability of various unsupervised ML
techniques. A tabulated comparison of our paper with other
existing survey and review articles is presented in Table 1.
B. ORGANIZATION OF THE PAPER
The organization of this paper is depicted in Figure 1.
Section II provides a discussion on various unsupervised ML
techniques (namely, hierarchical learning, data clustering,
latent variable models, and outlier detection). Section III
presents a survey of the applications of unsupervised ML
specifically in the domain of computer networks. Section IV
VOLUME 7, 2019
√
means covered; × means not covered; ≈ means partially covered.).
describes future work and opportunities with respect to the
use of unsupervised ML in future networking. Section V dis-
cusses a few major pitfalls of the unsupervised ML approach
and its models. Finally, Section VI concludes this paper. For
the reader’s facilitation, Table 2 shows all the acronyms used
in this survey for convenient referencing.
II. TECHNIQUES FOR UNSUPERVISED LEARNING
In this section, we will introduce some widely used
unsupervised learning techniques and their applications in
computer networks. We have divided unsupervised learning
techniques into six major categories: hierarchical learning,
data clustering, latent variable models, dimensionality reduc-
tion, and outlier detection. Figure 2 depicts a taxonomy of
unsupervised learning techniques and also the relevant sec-
tions in which these techniques are discussed. To provide a
better understanding of the application of unsupervised ML
techniques in networking, we have added few subsections
highlighting significant applications of unsupervised ML
techniques in networking domain.
A. HIERARCHICAL LEARNING
Hierarchical learning is defined as learning simple and
complex features from a hierarchy of multiple linear and
nonlinear activations. In learning models, a feature is a mea-
surable property of the input data. Desired features are ideally
informative, discriminative, and independent. In statistics,
features are also known as explanatory (or independent) vari-
ables [26]. Feature learning (also known as data representa-
tion learning) is a set of techniques that can learn one or more
65581
 M. Usama et al.: Unsupervised Machine Learning for Networking: Techniques, Applications, and Research Challenges

FIGURE 1. Outline of the paper.

FIGURE 2. Taxonomy of unsupervised learning techniques.

features from input data [27]. It involves the transformation
of raw data into a quantifiable and comparable representation,
which is specific to the property of the input but general
enough for comparison to similar inputs. Conventionally,
features are handcrafted specific to the application on hand.
It relies on domain knowledge but even then they do not
generalize well to the variation of real-world data, which
gives rise to automated learning of generalized features from
the underlying structure of the input data. Like other learning
algorithms, feature learning is also divided among domains
of supervised and unsupervised learning depending on the
type of available data. Almost all unsupervised learning
algorithms undergo a stage of feature extraction in order to
learn data representation from unlabeled data and generate

65582 VOLUME 7, 2019

M. Usama et al.: Unsupervised Machine Learning for Networking: Techniques, Applications, and Research Challenges
TABLE 2. List of common acronyms used.
a feature vector on the basis of which further tasks are
performed.
Hierarchical learning is intimately related to how deep
learning is performed in modern multi-layer neural networks.
In particular, deep learning techniques benefits from the
fundamental concept of artificial neural networks (ANNs),
a deep structure consists of multiple hidden layers with mul-
tiple neurons in each layer, a nonlinear activation function,
a cost function, and a back-propagation algorithm. Deep
learning [40] is a hierarchical technique that models high-
level abstraction in data using many layers of linear and
nonlinear transformations. With deep enough stack of these
VOLUME 7, 2019
transformation layers, a machine can self-learn a very com-
plex model or representation of data. Learning takes place
in hidden layers and the optimal weights and biases of the
neurons are updated in two passes, namely, the forward pass
and backward pass. A typical ANN and typical cyclic and
acyclic topologies of interconnection between neurons are
shown in Figure 3. A brief taxonomy of Unsupervised NNs
is presented in Figure 4.
An ANN has three types of layers (namely input,
hidden and output, each having different activation
parameters). Learning is the process of assigning optimal
activation parameters enabling ANN to perform input to
output mapping. For a given problem, an ANN may require
multiple hidden layers involving a long chain of computa-
tions, i.e., its depth [41]. Deep learning has revolutionized
ML and is now increasingly being used in diverse settings—
e.g., object identification in images, speech transcription into
text, matching user’s interests with items (such as news items,
movies, products) and making recommendations, etc. But
until 2006, relatively few people were interested in deep
learning due to the high computational cost of deep learning
procedures. It was widely believed that training deep learning
architectures in an unsupervised manner was intractable, and
supervised the training of deep NNs (DNN) also showed poor
performance with large generalization errors [42]. However,
recent advances [43]–[45] have shown that deep learning
can be performed efficiently by separate unsupervised pre-
training of each layer with the results revolutionizing the field
of ML. Starting from the input (observation) layer, which acts
as an input to the subsequent layers, pre-training tends to learn
data distributions while the usual supervised stage performs
a local search for fine-tuning.
1) UNSUPERVISED MULTILAYER FEED FORWARD NN
Unsupervised multilayer feedforward NN, with reference
to graph theory, has a directed graph topology as shown
in Figure 3. It consists of no cycles, i.e., does not have a feed-
back path in input propagation through NN. Such kind of NN
is often used to approximate a nonlinear mapping between
inputs and required outputs. Autoencoders are the prime
examples of unsupervised multilayer feedforward NNs.
a: AUTOENCODERS
An autoencoder is an unsupervised learning algorithm for
ANN used to learn compressed and encoded representation
of data, mostly for dimensionality reduction and for unsu-
pervised pre-training of feedforward NNs. Autoencoders are
generally designed using approximation function and trained
using backpropagation and stochastic gradient descent (SGD)
techniques. Autoencoders are the first of their kind to use
the back-propagation algorithm to train with unlabeled data.
Autoencoders aim to learn a compact representation of the
function of input using the same number of input and output
units with usually less hidden units to encode a feature vector.
They learn the input data function by recreating the input
at the output, which is called encoding/decoding, to learn
65583
 M. Usama et al.: Unsupervised Machine Learning for Networking: Techniques, Applications, and Research Challenges
FIGURE 3. Illustration of an ANN (left); Different types of ANN topologies (right).
FIGURE 4. Taxonomy of unsupervised neural networks.
at the time of training NN. In short, a simple autoencoder
learns a low-dimensional representation of the input data by
exploiting similar recurring patterns.
Autoencoders have different variants [46] such as vari-
ational autoencoders, sparse autoencoders, and denoising
autoencoders. Variational autoencoder is an unsupervised
learning technique used clustering, dimensionality reduction,
and visualization, and for learning complex distributions [47].
In a sparse autoencoder, a sparse penalty on the latent layer
is applied for extracting a unique statistical feature from
unlabeled data. Finally, denoising autoencoders are used to
learn the mapping of a corrupted data point to its original
location in the data space in an unsupervised manner for
manifold learning and reconstruction distribution learning.
2) UNSUPERVISED COMPETITIVE LEARNING NN
Unsupervised competitive learning NNs is a winner-take-all
neuron scheme, where each neuron competes for the right of
the response to a subset of the input data. This scheme is used
to remove the redundancies from the unstructured data. Two
major techniques of unsupervised competitive learning NNs
are self-organizing maps and adaptive resonance theory NNs.
65584
a: SELF-ORGANIZING/ KOHONEN MAPS
Self-Organizing Maps (SOM), also known as Kohonen’s
maps [48], [49], are a special class of NNs that uses the
concept of competitive learning, in which output neurons
compete amongst themselves to be activated in a real-valued
output, results having only single neuron (or group of neu-
rons), called winning neuron. This is achieved by creat-
ing lateral inhibition connections (negative feedback paths)
between neurons [50]. In this orientation, the network deter-
mines the winning neuron within several iterations; subse-
quently, it is forced to reorganize itself based on the input data
distribution (hence they are called Self-Organizing Maps).
They were initially inspired by the human brain, which has
specialized regions in which different sensory inputs are rep-
resented/processed by topologically ordered computational
maps. In SOM, neurons are arranged on vertices of a lattice
(commonly one or two dimensions). The network is forced
to represent higher-dimensional data in lower-dimensional
representation by preserving the topological properties of
input data by using neighborhood function while transform-
ing the input into a topological space in which neuron posi-
tions in the space are representatives of intrinsic statistical
VOLUME 7, 2019
M. Usama et al.: Unsupervised Machine Learning for Networking: Techniques, Applications, and Research Challenges
features that tell us about the inherently nonlinear nature
of SOMs.
Training a network comprising SOM is essentially a
three-stage process after random initialization of weighted
connections. The three stages are as follow [51].
• Competition: Each neuron in the network computes its
value using a discriminant function, which provides the
basis of competition among the neurons. Neuron with
the largest discriminant value in the competition group
is declared the winner.
• Cooperation: The winner neuron then locates the center
of the topological neighborhood of excited neurons in
the previous stage, providing a basis for cooperation
among excited neighboring neurons.
• Adaption: The excited neurons in the neighborhood
increase/decrease their individual values of the discrimi-
nant function in regard to input data distribution through
subtle adjustments such that the response of the winning
neuron is enhanced for similar subsequent input. Adap-
tion stage is distinguishable into two sub-stages: (1) the
ordering or self-organizing phase, in which weight vec-
tors are reordered according to topological space; and
(2) the convergence phase, in which the map is fine-
tuned and declared accurate to provide statistical quan-
tification of the input space. This is the phase in which
the map is declared to be converged and hence trained.
One essential requirement in training a SOM is the
redundancy of the input data to learn about the underlying
structure of neuron activation patterns. Moreover, sufficient
quantity of data is required for creating distinguishable clus-
ters; withstanding enough data for classification problem,
there exist a problem of gray area between clusters and cre-
ation of infinitely small clusters where input data has minimal
patterns.
b: ADAPTIVE RESONANCE THEORY
Adaptive Resonance Theory (ART) is another different cat-
egory of NN models that is based on the theory of human
cognitive information processing. It can be explained as an
algorithm of incremental clustering which aims at forming
multi-dimensional clusters, automatically discriminating and
creating new categories based on input data. Primarily, ART
models are classified as an unsupervised learning model;
however, there exist ART variants that employ supervised
and semi-supervised learning approaches as well. The main
setback of most NN models is that they lose old information
(updating/diminishing weights) as new information arrives,
therefore an ideal model should be flexible enough to accom-
modate new information without losing the old one, and this
is called the plasticity-stability problem. ART models provide
a solution to this problem by self-organizing in real time and
creating a competitive environment for neurons, automati-
cally discriminating/creating new clusters among neurons to
accommodate any new information.
ART model resonates around (top-down) observer
expectations and (bottom-up) sensory information while
VOLUME 7, 2019
keeping their difference within the threshold limits of vigi-
lance parameter, which in result is considered as the member
of the expected class of neurons [52]. Learning of an ART
model primarily consists of a comparison field, recognition
field, vigilance (threshold) parameter, and a reset module.
The comparison field takes an input vector, which in result is
passed, to best match in the recognition field; the best match
is the current winning neuron. Each neuron in the recognition
field passes a negative output in proportion to the quality of
the match, which inhibits other outputs, therefore, exhibiting
lateral inhibitions (competitions). Once the winning neuron
is selected after a competition with the best match to the input
vector, the reset module compares the quality of the match to
the vigilance threshold. If the winning neuron is within the
threshold, it is selected as the output, else the winning neuron
is reset and the process is started again to find the next best
match to the input vector. In case where no neuron is capable
to pass the threshold test, a search procedure begins in which
the reset module disables recognition neurons one at a time to
find a correct match whose weight can be adjusted to accom-
modate the new match, therefore ART models are called self-
organizing and can deal with the plasticity/stability dilemma.
3) UNSUPERVISED DEEP NN
In recent years unsupervised deep NN has become the most
successful unsupervised structure due to its application in
many benchmarking problems and applications [53]. Three
major types of unsupervised deep NNs are deep belief NNs,
deep autoencoders, and convolutional NNs.
a: DEEP BELIEF NN
Deep Belief Neural Network or simply Deep Belief Networks
(DBN) is a probability-based generative graph model that is
composed of hierarchical layers of stochastic latent variables
having binary valued activations, which are referred as hidden
units or feature detectors. The top layers in DBNs have
undirected, symmetric connections between them forming
an associative memory. DBNs provide a breakthrough in
unsupervised learning paradigm. In the learning stage, DBN
learns to reconstruct its input, each layer acting as feature
detectors. DBN can be trained by greedy layer-wise training
starting from the top layer with raw input, subsequent layers
are trained with the input data from the previously visible
layer [43]. Once the network is trained in an unsupervised
manner and learned the distribution of the data, it can be
fine-tuned using supervised learning methods, or supervised
layers can be concatenated in order to achieve the desired task
(for instance, classification).
b: DEEP AUTOENCODER
Another famous type of DBN is the deep autoencoder, which
is composed of two symmetric DBNs—the first of which is
used to encode the input vector, while the second decodes.
By the end of the training of the deep autoencoder, it tends
to reconstruct the input vector at the output neurons, and
65585
 M. Usama et al.: Unsupervised Machine Learning for Networking: Techniques, Applications, and Research Challenges
therefore the central layer between both DBNs is the actual
compressed feature vector.
c: CONVOLUTIONAL NN
Convolutional NN (CNN) are feed forward NN in which
neurons are adapted to respond to overlapping regions in
two-dimensional input fields such as visual or audio input.
It is commonly achieved by local sparse connections among
successive layers and tied shared weights followed by rec-
tifying and pooling layers which results in transformation
invariant feature extraction. Another advantage of CNN over
simple multilayer NN is that it is comparatively easier to train
due to sparsely connected layers with the same number of
hidden units. CNN represents the most significant type of
architecture for computer vision as they solve two challenges
with the conventional NNs: 1) scalable and computationally
tractable algorithms are needed for processing high-
dimensional images; and 2) algorithms should be transfor-
mation invariant since objects in an image can occur at an
arbitrary position. However, most CNN’s are composed of
supervised feature detectors in the lower and middle hidden
layers. In order to extract features in an unsupervised manner,
a hybrid of CNN and DBN, called Convolutional Deep Belief
Network (CDBN), is proposed in [54]. Making probabilistic
max-pooling1 to cover larger input area and convolution as
an inference algorithm makes this model scalable with higher
dimensional input. Learning is processed in an unsupervised
manner as proposed in [44], i.e., greedy layer-wise (lower to
higher) training with unlabeled data.
CDBN is a promising scalable generative model for learn-
ing translation invariant hierarchical representation from any
high-dimensional unlabeled data in an unsupervised man-
ner taking advantage of both worlds, i.e., DBN and CNN.
CNN, being widely employed for computer vision applica-
tions, can be employed in computer networks for optimiza-
tion of Quality of Experience (QoE) and Quality of Service
(QoS) of multimedia content delivery over networks, which
is an open research problem for next-generation computer
networks [55].
4) UNSUPERVISED RECURRENT NN
Recurrent NN (RNN) is the most complex type of NN,
and hence the nearest match to an actual human brain that
processes sequential inputs. It can learn temporal behaviors
of a given training data. RNN employs an internal memory
per neuron to process such sequential inputs in order to
exhibit the effect of the previous event on the next. Compared
to feed forward NNs, RNN is a stateful network. It may
contain computational cycles among states and uses time
as the parameter in the transition function from one unit to
another. Being complex and recently developed, it is an open
research problem to create domain-specific RNN models and
train them with sequential data. Specifically, there are two
1 Max-pooling is an algorithm of selecting the most responsive receptive
field of a given interest region.
65586
perspectives of RNN to be discussed in the scope of this
survey, namely, the depth of the architecture and the training
of the network. The depth, in the case of a simple artificial
NN, is the presence of hierarchical nonlinear intermediate
layers between the input and output signals. In the case of an
RNN, there are different hypotheses explaining the concept
of depth. One hypothesis suggests that RNNs are inherently
deep in nature when expanded with respect to sequential
input; there are a series of nonlinear computations between
the input at time t(i) and the output at time t(i + k).
However, at an individual discrete time step, certain tran-
sitions are neither deep nor nonlinear. There exist input-to-
hidden, hidden-to-hidden, and hidden-to-output transitions,
which are shallow in the sense that there are no intermediate
nonlinear layers at discrete time step. In this regard, different
deep architectures are proposed in [56] that introduce inter-
mediate nonlinear transitional layers in between the input,
hidden and output layers. Another novel approach is also
proposed by stacking hidden units to create a hierarchical
representation of hidden units, which mimic the deep nature
of standard deep NNs.
Due to the inherently complex nature of RNN, to the best
of our knowledge, there is no widely adopted approach for
training RNNs and many novel methods (both supervised
and unsupervised) are introduced to train RNNs. Considering
unsupervised learning of RNN in the scope of this paper, [57]
employ Long Short-term Memory (LSTM) RNN to be trained
in an unsupervised manner using unsupervised learning algo-
rithms, namely Binary Information Gain Optimization and
non parametric Entropy Optimization, in order to make a
network to discriminate between a set of temporal sequences
and cluster them into groups. Results have shown remarkable
ability of RNNs for learning temporal sequences and cluster-
ing them based on a variety of features. Two major types of
unsupervised recurrent NN are Hopfield NN and Boltzmann
machine.
a: HOPFIELD NN
Hopfield NN is a cyclic recurrent NN where each node is
connected to others. Hopfield NN provides an abstraction
of circular shift register memory with nonlinear activation
functions to form a global energy function with guaranteed
convergence to local minima. Hopfield NNs are used for
finding clusters in the data without a supervisor.
b: BOLTZMANN MACHINE
The Boltzmann machine is a stochastic symmetric recur-
rent NN that is used for search and learning problems.
Due to binary vector based simple learning algorithm of
Boltzmann machine, very interesting features representing
the complex unstructured data can be learned [58]. Since
the Boltzmann machine uses multiple hidden layers as fea-
ture detectors, the learning algorithm becomes very slow.
To avoid slow learning and to achieve faster feature detection
instead of Boltzmann machine, a faster version, namely the
restricted Boltzmann machine (RBM), is used for practical
VOLUME 7, 2019
M. Usama et al.: Unsupervised Machine Learning for Networking: Techniques, Applications, and Research Challenges
FIGURE 5. Clustering process.
problems [59]. Restricted Boltzmann machine learns a prob-
ability distribution over its input data but since it is restricted
in its layer to layer connectivity RBM loses its property of
recurrence. It is faster than a Boltzmann machine because it
only uses one hidden layer as a feature detector layer. RBM
is used for dimensionality reduction, clustering and feature
learning in computer networks.
5) SIGNIFICANT APPLICATIONS OF HIERARCHICAL
LEARNING IN NETWORKS
ANNs/DNNs are the most researched topic when creat-
ing intelligent systems in computer vision and natural lan-
guage processing whereas their application in computer
networks are very limited, they are employed in differ-
ent networking applications such as classification of traffic,
anomaly/intrusion detection, detecting Distributed Denial of
Service (DDoS) attacks, and resource management in cogni-
tive radios [60]. The motivation of using DNN for learning
and predicting in networks is the unsupervised training that
detects hidden patterns in ample amount of data that is near
to impossible for a human to handcraft features catering for
all scenarios. Moreover, many new research shows that a
single model is not enough for the need of some applications,
so developing a hybrid NN architecture having pros and
cons of different models creates a new efficient NN which
provides even better results. Such an approach is used in [61],
in which a hybrid model of ART and RNN is employed to
learn and predict traffic volume in a computer network in
real time. Real-time prediction is essential to adaptive flow
control, which is achieved by using hybrid techniques so that
ART can learn new input patterns without re-training the
entire network and can predict accurately in the time series
of RNN. Furthermore, DNNs are also being used in resource
allocation and QoE/QoS optimizations. Using NN for opti-
mization, efficient resource allocation without affecting the
user experience can be crucial in the time when resources are
scarce. Authors of [62], [63] propose a simple DBN for opti-
mizing multimedia content delivery over wireless networks
by keeping QoE optimal for end users. Table 3 also provides
a tabulated description of hierarchical learning in networking
applications. However, these are just a few notable examples
of deep learning and neural networks in networks, refer to
Section III for more applications and detailed discussion on
deep learning and neural networks in computer networks.
VOLUME 7, 2019
B. DATA CLUSTERING
Clustering is an unsupervised learning task that aims to find
hidden patterns in unlabeled input data in the form of clus-
ters [64]. Simply put, it encompasses the arrangement of data
in meaningful natural groupings on the basis of the similarity
between different features (as illustrated in Figure 5) to learn
about its structure. Clustering involves the organization of
data in such a way that there are high intra-cluster and low
inter-cluster similarity. The resulting structured data is termed
as data-concept [65]. Clustering is used in numerous applica-
tions from the fields of ML, data mining, network analysis,
pattern recognition, and computer vision. The various tech-
niques used for data clustering are described in more detail
later in Section II-B. In networking, clustering techniques
are widely deployed for applications such as traffic analysis
and anomaly detection in all kinds of networks (e.g., wireless
sensor networks and mobile ad-hoc networks), with anomaly
detection [66].
Clustering improves performance in various applications.
McGregor et al. [67] propose an efficient packet tracing
approach using the Expectation-Maximization (EM) proba-
bilistic clustering algorithm, which groups flows (packets)
into a small number of clusters, where the goal is to analyze
network traffic using a set of representative clusters.
A brief overview of different types of clustering methods
and their relationships can be seen in Figure 6. Clustering can
be divided into three main types [68], namely hierarchical
clustering, Bayesian clustering, and partitional clustering.
Hierarchical clustering creates a hierarchical decomposition
of data, whereas Bayesian clustering forms a probabilistic
model of the data that decides the fate of a new test point
probabilistically. In contrast, partitional clustering constructs
multiple partitions and evaluates them on the basis of certain
criterion or characteristic such as the Euclidean distance.
Before delving into the general sub-types of clustering,
there are two unique clustering techniques, which need to be
discussed, namely density-based clustering and grid-based
clustering. In some cases, density-based clustering is classi-
fied as a partitional clustering technique; however, we have
kept it separate considering its applications in networking.
Density-based models target the most densely populated area
of data space and separate it from areas having low densities,
thus forming clusters [69]. [70] use density-based clustering
to cluster data stream in real time, which is important in many
65587
 M. Usama et al.: Unsupervised Machine Learning for Networking: Techniques, Applications, and Research Challenges

TABLE 3. Applications of hierarchical learning/ deep learning in networking applications.

FIGURE 6. Clustering taxonomy.

applications (e.g., intrusion detection in networks). Another 1) HIERARCHICAL CLUSTERING

technique is grid-based clustering, which divides the data
space into cells to form a grid-like structure; subsequently,
all clustering actions are performed on this grid [71]. [71]
also present a novel approach that uses a customized grid-
based clustering algorithm to detect anomalies in networks.
[72] proposed a novel method for clustering the time series
data, this scheme was based on a distance measure between
temporal features of the time series.
We move on next to describe three major types of data clus-
tering approaches as per the taxonomy is shown in Figure 6.
Hierarchical clustering is a well-known strategy in data min-
ing and statistical analysis in which data is clustered into a
hierarchy of clusters using an agglomerative (bottom-up) or a
divisive (top-down) approach. Almost all hierarchical clus-
tering algorithms are unsupervised and deterministic. The
primary advantage of hierarchical clustering over unsuper-
vised K-means and EM algorithms is that it does not require
the number of clusters to be specified beforehand. However,
this advantage comes at the cost of computational efficiency.
Common hierarchical clustering algorithms have at least

65588 VOLUME 7, 2019

M. Usama et al.: Unsupervised Machine Learning for Networking: Techniques, Applications, and Research Challenges
quadratic computational complexity compared to the linear
complexity of K-means and EM algorithms. Hierarchical
clustering methods have a pitfall: these methods fail to accu-
rately classify messy high-dimensional data as its heuristic
may fail due to the structural imperfections of empirical
data. Furthermore, the computational complexity of the com-
mon agglomerative hierarchical algorithms is NP-hard. SOM,
as discussed in Section II-A.2, is a modern approach that can
overcome the shortcomings of hierarchical models [73].
2) BAYESIAN CLUSTERING
Bayesian clustering is a probabilistic clustering strategy
where the posterior distribution of the data is learned on the
basis of a prior probability distribution. Bayesian clustering
is divided into two major categories, namely parametric and
non-parametric [74]. The major difference between para-
metric and non-parametric techniques is the dimensionality
of parameter space: if there are finite dimensions in the
parameter space, the underlying technique is called Bayesian
parametric; otherwise, the underlying technique is called
Bayesian non-parametric. A major pitfall with the Bayesian
clustering approach is that the choice of the wrong prior prob-
ability distributions can distort the projection of the data. [75]
performed Bayesian non-parametric clustering of network
traffic data to determine the network application type.
3) PARTITIONAL CLUSTERING
Partitional clustering corresponds to a special class of cluster-
ing algorithms that decomposes data into a set of disjoint clus-
ters. Given n observations, the clustering algorithm partitions
a data into k < n clusters [76]. Partitional clustering is further
classified into K-means clustering and mixture models.
a: K-MEANS CLUSTERING
K-means clustering is a simple, yet widely used approach
for classification. It takes a statistical vector as an input to
deduce classification models or classifiers. K-means cluster-
ing tends to distribute m observations into n clusters where
each observation belongs to the nearest cluster. The member-
ship of observation to a cluster is determined using the cluster
mean. K-means clustering is used in numerous applications
in the domains of network analysis and traffic classifica-
tion. [77] used K-means clustering in conjunction with super-
vised ID3 decision tree learning models to detect anomalies
in a network. An ID3 decision tree is an iterative supervised
decision tree algorithm based on the concept learning system.
K-means clustering provided excellent results when used
in traffic classification. [78] showed that K-means cluster-
ing performs well in traffic classification with an accuracy
of 90%.
K-means clustering is also used in the domain of network
security and intrusion detection. Reference [79] proposed
a K-means algorithm for intrusion detection. Experimental
results on a subset of KDD-99 dataset shows that the detec-
tion rate stays above 96% while the false alarm rate stays
below 4%. Results and analysis of experiments on K-means
VOLUME 7, 2019
algorithm have demonstrated a better ability to search clusters
globally.
Another variation of K-means is known as K-medoids,
in which rather than taking the mean of the clusters, the most
centrally located data point of a cluster is considered as the
reference point of the corresponding cluster [80]. Few of
the applications of K-medoids in the spectrum of anomaly
detection can be seen here [80], [81].
b: MIXTURE MODELS
Mixture models are powerful probabilistic models for uni-
variate and multivariate data. Mixture models are used to
make statistical inferences and deductions about the prop-
erties of the sub-populations given only observations on the
pooled population. They have also used to statistically model
data in the domains of pattern recognition, computer vision,
ML, etc. Finite mixtures, which are a basic type of mixture
model, naturally model observations that are produced by
a set of alternative random sources. Inferring and deduc-
ing different parameters from these sources based on their
respective observations lead to clustering of the set of obser-
vations. This approach to clustering tackles drawbacks of
heuristic-based clustering methods, and hence it is proven to
be an efficient method for node classification in any large-
scale network and has shown to yield effective results com-
pared to techniques commonly used. For instance, K-means
and hierarchical agglomerative methods rely on supervised
design decisions, such as the number of clusters or validity
of models [82]. Moreover, combining the EM algorithm with
mixture models produces remarkable results in deciphering
the structure and topology of the vertices connected through a
multi-dimensional network [83]. Reference [84] used Gaus-
sian mixture model (GMM) to outperform signature based
anomaly detection in network traffic data.
4) SIGNIFICANT APPLICATIONS OF
CLUSTERING IN NETWORKS
Clustering can be found in mostly all unsupervised learning
problems, and there are diverse applications of clustering
in the domain of computer networks. Two major network-
ing applications where significant use of clustering can be
seen are intrusion detection and Internet traffic classifica-
tion. One novel way to detect anomaly is proposed in [85],
this approach preprocesses the data using Genetic Algo-
rithm (GA) combined with hierarchical clustering approach
called Balanced Iterative Reducing using Clustering Hier-
archies (BIRCH) to provide an efficient classifier based on
Support Vector Machine (SVM). This hierarchical cluster-
ing approach stores abstracted data points instead of the
whole dataset, thus giving more accurate and quick clas-
sification compared to all past methods, producing bet-
ter results in detecting anomalies. Another approach [71]
discusses the use of grid-based and density-based cluster-
ing for anomaly and intrusion detection using unsupervised
learning. Reference [86] used k-shape clustering scheme
for analyzing spatiotemporal heterogeneity in mobile usage.
65589
 M. Usama et al.: Unsupervised Machine Learning for Networking: Techniques, Applications, and Research Challenges
TABLE 4. Applications of data clustering in networking applications.
Basically, a scalable parallel framework for clustering large
datasets with high dimensions is proposed and then improved
by inculcating frequency pattern trees. Table 4 also provides
a tabulated description of data clustering applications in net-
works. These are just a few notable examples of clustering
approaches in networks: refer to Section III for the detailed
discussion on some salient clustering applications in the con-
text of networks.
C. LATENT VARIABLE MODELS
A latent variable model is a statistical model that relates
the manifest variables with a set of latent or hidden vari-
ables. Latent variable model allows us to express relatively
complex distributions in terms of tractable joint distributions
over an expanded variable space [95]. Underlying variables
of a process are represented in higher dimensional space
using a fixed transformation, and stochastic variations are
known as latent variable models where the distribution in
higher dimension is due to small number of hidden variables
acting in a combination [96]. These models are used for
data visualization, dimensionality reduction, optimization,
distribution learning, blind signal separation and factor anal-
ysis. Next we will begin our discussion on various latent
variable models, namely mixture distribution, factor analysis,
blind signal separation, non-negative matrix factorization,
Bayesian networks & probabilistic graph models (PGM),
hidden Markov model (HMM), and nonlinear dimensional-
ity reduction techniques (which further includes generative
topographic mapping, multi-dimensional scaling, principal
curves, Isomap, localliy linear embedding, and t-distributed
stochastic neighbor embedding).
1) MIXTURE DISTRIBUTION
Mixture distribution is an important latent variable model
that is used for estimating the underlying density function.
65590
Mixture distribution provides a general framework for den-
sity estimation by using the simpler parametric distributions.
Expectation maximization (EM) algorithm is used for esti-
mating the mixture distribution model [97], through max-
imization of the log-likelihood of the mixture distribution
model.
2) FACTOR ANALYSIS
Another important type of latent variable model is factor
analysis, which is a density estimation model. It has been
used quite often in collaborative filtering and dimensionality
reduction. It is different from other latent variable models
in terms of the allowed variance for different dimensions
as most latent variable models for dimensionality reduction
in conventional settings use a fixed variance Gaussian noise
model. In the factor analysis model, latent variables have
diagonal covariance rather than isotropic covariance.
3) BLIND SIGNAL SEPARATION
Blind Signal Separation (BSS), also referred to as Blind
Source Separation, is the identification and separation of
independent source signals from mixed input signals with-
out or very little information about the mixing process.
Figure 7 depicts the basic BSS process in which source
signals are extracted from a mixture of signals. It is a funda-
mental and challenging problem in the domain of signal pro-
cessing although the concept is extensively used in all types of
multi-dimensional data processing. Most common techniques
employed for BSS are principal component analysis (PCA)
and independent component analysis (ICA).
a) Principal Component Analysis (PCA) is a statisti-
cal procedure that utilizes orthogonal transformation on
the data to convert n number of possibly correlated vari-
ables into lesser k number of uncorrelated variables named
VOLUME 7, 2019
M. Usama et al.: Unsupervised Machine Learning for Networking: Techniques, Applications, and Research Challenges
FIGURE 7. Blind signal separation (BSS): A mixed signal composed of various input signals mixed by some
mixing process is blindly processed (i.e., with no or minimal information about the mixing process) to
show the original signals.
principal components. Principal components are arranged in
the descending order of their variability, first one catering
for the most variable and the last one for the least. Being a
primary technique for exploratory data analysis, PCA takes a
cloud of data in n dimensions and rotates it such that maxi-
mum variability in the data is visible. Using this technique,
it brings out the strong patterns in the dataset so that these
patterns are more recognizable thereby making the data easier
to explore and visualize.
PCA has primarily been used for dimensionality reduction
in which input data of n dimensions is reduced to k dimen-
sions without losing critical information in the data. The
choice of the number of principal components is a question
of the design decision. Much research has been conducted on
selecting the number of components such as cross-validation
approximations [98]. Optimally, k is chosen such that the
ratio of the average squared projection error to the total
variation in the data is less than or equal to 1% by which
99% of the variance is retained in the k principal components.
But, depending on the application domain, different designs
can increase/decrease the ratio while maximizing the required
output. Commonly, many features of a dataset are often
highly correlated; hence, PCA results in retaining 99% of the
variance while significantly reducing the data dimensions.
b) Independent Component Analysis (ICA) is another tech-
nique for BSS that focuses on separating multivariate input
data into additive components with the underlying assump-
tion that the components are non-Gaussian and statistically
independent. The most common example to understand ICA
is the cocktail party problem in which there are n people
talking simultaneously in a room and one tries to listen to
a single voice. ICA actually separates source signals from
input mixed signal by either minimizing the statistical depen-
dence or maximizing the non-Gaussian property among the
components in the input signals by keeping the underly-
ing assumptions valid. Statistically, ICA can be seen as the
extension of PCA, while PCA tries to maximize the second
moment (variance) of data, hence relying heavily on Gaussian
features; on the other hand, ICA exploits inherently non-
Gaussian features of the data and tries to maximize the fourth
moment of linear combination of inputs to extract non-normal
source components in the data [99].
VOLUME 7, 2019
4) NON-NEGATIVE MATRIX FACTORIZATION
Non-Negative Matrix Factorization (NMF) is a technique to
factorize a large matrix into two or more smaller matrices
with no negative values, that is when multiplied, it recon-
structs the approximate original matrix. NMF is a novel
method in decomposing multivariate data making it easy
and straightforward for exploratory analysis. By NMF, hid-
den patterns and intrinsic features within the data can be
identified by decomposing them into smaller chunks, enhanc-
ing the interpretability of data for analysis, with posi-
tivity constraints. However, there exist many classes of
algorithms [100] for NMF having different generalization
properties, for example, two of them are analyzed in [101],
one of which minimizes the least square error and while the
other focuses on the Kullback-Leibler divergence keeping
algorithm convergence intact.
5) HIDDEN MARKOV MODEL
Hidden Markov Models (HMM) are stochastic models of
great utility, especially in domains where we wish to analyze
temporal or dynamic processes such as speech recognition,
primary users (PU) arrival pattern in cognitive radio net-
works (CRNs), etc. HMMs are highly relevant to CRNs since
many environmental parameters in CRNs are not directly
observable. An HMM-based approach can analytically model
a Markovian stochastic process in which we do not have
access to the actual states, which are assumed to be unob-
served or hidden; instead, we can observe a state that is
stochastically dependent on the hidden state. It is for this
reason that an HMM is defined to be a doubly stochastic
process.
6) BAYESIAN NETWORKS & PROBABILISTIC
GRAPH MODELS (PGM)
In Bayesian learning we try to find the posterior proba-
bility distributions for all parameter settings, in this setup,
we ensure that we have a posterior probability for every
possible parameter setting. It is computationally expensive
but we can use complicated models with a small dataset and
still avoid overfitting. Posterior probabilities are calculated by
dividing the product of sampling distribution and prior dis-
tribution by marginal likelihood; in simple words, posterior
65591
 M. Usama et al.: Unsupervised Machine Learning for Networking: Techniques, Applications, and Research Challenges
probabilities are calculated using Bayes theorem. The basis
of reinforcement learning was also derived by using Bayes
theorem [102]. Since Bayesian learning is computationally
expensive a new research trend is approximate Bayesian
learning [103]. Authors in [104] have given a comprehensive
survey of different approximate Bayesian inference algo-
rithms. With the emergence of Bayesian deep learning frame-
work the deployment of Bayes learning based solution is
increasing rapidly.
Probabilistic graph modeling is a concept associated with
Bayesian learning. A model representing the probabilistic
relationship between random variables through a graph is
known as a probabilistic graph model (PGM). Nodes and
edges in the graph represent a random variable and their prob-
abilistic dependence, respectively. PGM are of two types:
directed PGM and undirected PGM. Bayes networks also
fall in the regime of directed PGM. PGM is used in many
important areas such as computer vision, speech processing,
and communication systems. Bayesian learning combined
with PGM and latent variable models forms a probabilistic
framework where deep learning is used as a substrate for mak-
ing improved learning architecture for recommender systems,
topic modeling, and control systems [105].
7) SIGNIFICANT APPLICATIONS OF LATENT VARIABLE
MODELS IN NETWORKS
In [106], authors have applied latent structure on email corpus
to find interpretable latent structure as well as evaluating
its predictive accuracy on missing data task. A dynamic
latent model for a social network is represented in [107].
Characterization of the end-to-end delay using a Weibull
mixture model is discussed in [108]. Mixture models for end
host traffic analysis have been explored in [109]. BSS is a
set of statistical algorithms that are widely used in differ-
ent application domains to perform different tasks such as
dimensionality reduction, correlating and mapping features,
etc. [110] employed PCA for Internet traffic classification in
order to separate different types of flows in a network packet
stream. Similarly, authors of [111] used a semi-supervised
approach, where PCA is used for feature learning and an
SVM classifier for intrusion detection in an autonomous
network system. Another approach for detecting anomalies
and intrusions proposed in [112] uses NMF to factorize differ-
ent flow features and cluster them accordingly. Furthermore,
ICA has been widely used in telecommunication networks to
separate mixed and noisy source signals for efficient service.
For example, [113] extends a variant of ICA called Efficient
Fast ICA (EF-ICA) for detecting and estimating the symbol
signals from the mixed CDMA signals received from the
source endpoint.
In other literature, PCA uses a probabilistic approach to
find the degree of confidence in detecting an anomaly in
wireless networks [114]. Furthermore, PCA is also chosen
as a method of clustering and designing Wireless Sensor
Networks (WSNs) with multiple sink nodes [115]. However,
these are just a few notable examples of BSS in networks,
65592
refer to Section III for more applications and detailed discus-
sion on BSS techniques in the networking domain.
Bayesian learning has been applied for classifying Inter-
net traffic, where Internet traffic is classified based on the
posterior probability distributions. For early traffic identifi-
cation in campus network real discretized conditional proba-
bility has been used to construct a Bayesian classifier [116].
Host-level intrusion detection using Bayesian networks is
proposed in [117]. Authors in [118] purposed a Bayesian
learning based feature vector selection for anomalies classi-
fication in BGP. Port scan attacks prevention scheme using
a Bayesian learning approach is discussed in [119]. Inter-
net threat detection estimation system is presented in [120].
A new approach towards outlier detection using Bayesian
belief networks is described in [121]. Application of Bayesian
networks in MIMO systems has been explored in [122].
Location estimation using Bayesian network in LAN is dis-
cussed in [123]. Similarly, Bayes theory and PGM are both
used in Low-Density Parity Check (LDPC) and Turbo codes,
which are the fundamental components of information coding
theory. Table 5 also provides a tabulated description of latent
variable models applications in networking.
D. DIMENSIONALITY REDUCTION
Representing data in fewer dimensions is another well-
established task of unsupervised learning. Real world data
often have high dimensions—in many datasets, these dimen-
sions can run into thousands, even millions, of potentially
correlated dimensions [133]. However, it is observed that the
intrinsic dimensionality (governing parameters) of the data is
less than the total number of dimensions. In order to find the
essential pattern of the underlying data by extracting intrinsic
dimensions, it is necessary that the real essence is not lost;
e.g., it may be the case that a phenomenon is observable
only in higher-dimensional data and is suppressed in lower
dimensions, these phenomena are said to suffer from the
curse of dimensionality [134]. While dimensionality reduc-
tion is sometimes used interchangeably with feature selection
[135], [136], a subtle difference exists between the two [137].
Feature selection is traditionally performed as a supervised
task with a domain expert helping in handcrafting a set of
critical features of the data. Such an approach generally
can perform well but is not scalable and prone to judgment
bias. Dimensionality reduction, on the other hand, is more
generally an unsupervised task, where instead of choosing
a subset of features, it creates new features (dimensions) as
a function of all features. Said differently, feature selection
considers supervised data labels, while dimensionality reduc-
tion focuses on the data points and their distributions in an
N-dimensional space.
There exist different techniques for reducing data dimen-
sions [138] including projection of higher dimensional points
onto lower dimensions, independent representation, and
sparse representation, which should be capable of recon-
structing the approximate data. Dimensionality reduction is
useful for data modeling, compression, and visualization.
VOLUME 7, 2019
M. Usama et al.: Unsupervised Machine Learning for Networking: Techniques, Applications, and Research Challenges
TABLE 5. Applications of latent variable models in networking applications.
By creating representative functional dimensions of the data
and eliminating redundant ones, it becomes easier to visualize
and form a learning model. Independent representation tries
to disconnect the source of variation underlying the data
distribution such that the dimensions of the representation
are statistically independent [40]. Sparse representation tech-
nique represents the data vectors in linear combinations of
small basis vectors.
It is worth noting here that many of the latent variable mod-
els (e.g., PCA, ICA, factor analysis) also function as tech-
niques for dimensionality reduction. In addition to techniques
such as PCA, ICA—which infer the latent inherent structure
of the data through a linear projection of the data—a number
of nonlinear dimensionality reduction techniques have also
been developed and will be focused upon in this section to
avoid repetition of linear dimensionality reduction techniques
that have already been covered as part of the previous subsec-
tion. Linear dimensionality reduction techniques are useful in
many settings but these methods may miss important nonlin-
ear structure in the data due to their subspace assumption,
which posits that the high-dimensional data points lie on a
linear subspace (for example, on a 2-D or 3D plane). Such
an assumption fails in high dimensions when data points are
random but highly correlated with neighbors. In such environ-
ments nonlinear dimensionality reductions through manifold
learning techniques—which can be construed as an attempt
to generalize linear frameworks like PCA so that nonlinear
structure in data can also be recognized—become desirable.
VOLUME 7, 2019
Even though some supervised variants also exist, manifold
learning is mostly performed in an unsupervised fashion
using the nonlinear manifold substructure learned from the
high-dimensional structure of the data from the data itself
without the use of any predetermined classifier or labeled
data. Some nonlinear dimensionality reduction (manifold
learning) techniques are described below:
1) ISOMAP
Isomap is a nonlinear dimensionality reduction technique that
finds the underlying low dimensional geometric information
about a dataset. Algorithmic features of PCA and MDS
are combined to learn the low dimensional nonlinear man-
ifold structure in the data [139]. Isomap uses geodesic dis-
tance along the shortest path to calculate the low dimension
representation shortest path, which can be computed using
Dijkstra’s algorithm.
2) GENERATIVE TOPOGRAPHIC MODEL
Generative topographic mapping (GTM) represents the
nonlinear latent variable mapping from continuous low
dimensional distributions embedded in high dimensional
spaces [140]. Data space in GTM is represented as reference
vectors and these vectors are a projection of latent points in
data space. It is a probabilistic variant of SOM and works
by calculating the Euclidean distance between data points.
GTM optimizes the log-likelihood function, and the resulting
probability defines the density in data space.
65593
 M. Usama et al.: Unsupervised Machine Learning for Networking: Techniques, Applications, and Research Challenges
TABLE 6. Applications of dimensionality reduction in networking applications.
3) LOCALLY LINEAR EMBEDDING
Locally linear embedding (LLE) [133] is an unsupervised
nonlinear dimensionality reduction algorithm. LLE repre-
sents data in lower dimensions yet preserving the higher
dimensional embedding. LLE depicts data in a single global
coordinate of lower dimensional mapping of input data. LLE
is used to visualize multi-dimensional dimensional manifolds
and feature extraction.
4) PRINCIPAL CURVES
The principal curve is a nonlinear dataset summarizing tech-
nique where non-parametric curves pass through the middle
of multi-dimensional dataset providing the summary of the
dataset [141]. These smooth curves minimize the average
squared orthogonal distance between data points, this process
also resembles the maximum likelihood for nonlinear regres-
sion in the presence of Gaussian noise [142].
5) NONLINEAR MULTI-DIMENSIONAL SCALING
Nonlinear multi-dimensional scaling (NMDS) [143] is a non-
linear latent variable representation scheme. It works as an
alternative scheme for factor analysis. In factor analysis,
a multivariate normal distribution is assumed and similari-
ties between different objects are expressed as a correlation
matrix. Whereas NMDS does not impose such a condition,
and it is designed to reach the optimal low dimensional con-
figuration where similarities and dissimilarities among matri-
ces can be observed. NMDS is also used in data visualization
and mining tools for depicting the multi-dimensional data in 3
dimensions based on the similarities in the distance matrix.
6) T-DISTRIBUTED STOCHASTIC NEIGHBOR EMBEDDING
t-distributed stochastic neighbor embedding (t-SNE) is
another nonlinear dimensionality reduction scheme. It is used
to represent high dimensional data in 2 or 3 dimensions.
65594
t-SNE constructs a probability distribution in high dimen-
sional space and constructs a similar distribution in lower
dimensions and minimizes the KullbackâĂŞLeibler (KL)
divergence between two distributions (which is a useful
way to measure the difference between two probability
distributions) [144].
Table 6 also provides a tabulated description of dimen-
sionality reduction applications in networking. The applica-
tions of nonlinear dimensionality reduction methods are later
described in detail in Section III-D.
E. OUTLIER DETECTION
Outlier detection is an important application of unsupervised
learning. A sample point that is distant from other samples is
called an outlier. An outlier may occur due to noise, measure-
ment error, heavy tail distributions and a mixture of two dis-
tributions. There are two popular underlying techniques for
unsupervised outlier detection upon which many algorithms
are designed, namely the nearest neighbor based technique
and clustering based method.
1) NEAREST NEIGHBOR BASED OUTLIER DETECTION
The nearest neighbor method works on estimating the
Euclidean distances or average distance of every sample from
all other samples in the dataset. There are many algorithms
based on nearest neighbor based techniques, with the most
famous extension of the nearest neighbor being a k-nearest
neighbor technique in which only k nearest neighbors par-
ticipate in the outlier detection [154]. Local outlier factor is
another outlier detection algorithm, which works as an exten-
sion of the k-nearest neighbor algorithm. Connectivity-based
outlier factors [155], influenced outlierness [156], and local
outlier probability models [157] are few famous examples of
the nearest neighbor based techniques.
VOLUME 7, 2019
M. Usama et al.: Unsupervised Machine Learning for Networking: Techniques, Applications, and Research Challenges
2) CLUSTER BASED OUTLIER DETECTION
Clustering based methods use the conventional K-means
clustering technique to find dense locations in the data and
then perform density estimation on those clusters. After den-
sity estimation, a heuristic is used to classify the formed clus-
ter according to the cluster size. Anomaly score is computed
by calculating the distance between every point and its cluster
head. Local density cluster based outlier factor [158], cluster-
ing based multivariate Gaussian outlier score [159], [160] and
histogram based outlier score [161] are the famous cluster
based outlier detection models in literature. SVM and PCA
are also suggested for outlier detection in literature.
3) SIGNIFICANT APPLICATIONS OF OUTLIER
DETECTION IN NETWORKS
Outlier detection algorithms are used in many different appli-
cations such as intrusion detection, fraud detection, data leak-
age prevention, surveillance, energy consumption anomalies,
forensic analysis, critical state detection in designs, elec-
trocardiogram and computed tomography scan for tumor
detection. Unsupervised anomaly detection is performed by
estimating the distances and densities of the provided non-
annotated data [162]. More applications of outlier detection
schemes will be discussed in Section III.
F. LESSONS LEARNT
Key lessons drawn from the review of unsupervised learning
techniques are summarized below.
1) Hierarchical learning techniques are the most pop-
ular schemes in literature for feature detection and
extraction.
2) Learning the joint distribution of a complex distribution
over an expanded variable space is a difficult task.
Latent variable models have been the recommended
and well-established schemes in literature for this prob-
lem. These models are also used for dimensionality
reduction and better representation of data.
3) Visualization of unlabeled multidimensional data is
another unsupervised task. In this research, we have
explored the dimensionality reduction as an underlying
scheme for developing better multidimensional data
visualization tools.
III. APPLICATIONS OF UNSUPERVISED
LEARNING IN NETWORKING
In this section, we will introduce some significant appli-
cations of the unsupervised learning techniques that have
been discussed in Section II in the context of computer net-
works. We highlight the broad spectrum of applications in
networking and emphasize the importance of ML-based tech-
niques, rather than classical hard-coded statistical methods,
for achieving more efficiency, adaptability, and performance
enhancement.
A. INTERNET TRAFFIC CLASSIFICATION
Internet traffic classification is of prime importance in net-
working as it provides a way to understand, develop and
VOLUME 7, 2019
measure the Internet. Internet traffic classification is an
important component for service providers to understand
the characteristics of the service such as quality of service,
quality of experience, user behavior, network security and
many other key factors related to the overall structure of a
network [163]. In this subsection, we will survey the unsuper-
vised learning applications in network traffic classification.
As networks evolve at a rapid pace, malicious intruders are
also evolving their strategies. Numerous novel hacking and
intrusion techniques are being regularly introduced causing
severe financial jolts to companies and headaches to their
administrators. Tackling these unknown intrusions through
accurate traffic classification on the network edge, therefore,
becomes a critical challenge and an important component of
the network security domain. Initially, when networks used
to be small, simple port-based classification technique that
tried to identify the associated application with the corre-
sponding packet based on its port number was used. However,
this approach is now obsolete because recent malicious soft-
ware uses a dynamic port-negotiation mechanism to bypass
firewalls and security applications. A number of contrast-
ing Internet traffic classification techniques have been pro-
posed since then, and some important ones are discussed
next.
Most of the modern traffic classification methods use
different ML and clustering techniques to produce accurate
clusters of packets depending on their applications, thus pro-
ducing efficient packet classification [10]. The main purpose
of classifying network’s traffic is to recognize the destination
application of the corresponding packet and to control the
flow of the traffic when needed such as prioritizing one flow
over others. Another important aspect of traffic classification
is to detect intrusions and malicious attacks or screen out
forbidden applications (packets).
The first step in classifying Internet traffic is selecting
accurate features, which is an extremely important, yet com-
plex task. Accurate feature selection helps ML algorithms
to avoid problems like class imbalance, low efficiency, and
low classification rate. There are three major feature selec-
tion methods in Internet traffic for classification: the fil-
ter method, the wrapper based method, and the embedded
method. These methods are based on different ML and
genetic learning algorithms [164]. Two major concerns in
feature selection for Internet traffic classification are the
large size of data and imbalanced traffic classes. To deal
with these issues and to ensure accurate feature selection,
a min-max ensemble feature selection scheme is proposed
in [165]. A new information-theoretic approach for feature
selection for skewed datasets is described in [166]. This
algorithm has resolved the multi-class imbalance issue but
it does not resolve the issues of feature selection. In 2017,
an unsupervised autoencoder based scheme has outperformed
previous feature learning schemes, autoencoders were used
as a generative model and were trained in a way that the
bottleneck layer learned a latent representation of the feature
set; these features were then used for malware classification
65595
 M. Usama et al.: Unsupervised Machine Learning for Networking: Techniques, Applications, and Research Challenges
and anomaly detection to produce results that improved the
state of the art in feature selection [30].
Much work has been done on classifying traffic based on
supervised ML techniques. Initially, in 2004, the concept of
clustering bi-directional flows of packets came out with the
use of EM probabilistic clustering algorithm, which clusters
the flows depending on various attributes such as packet size
statistics, inter-arrival statistics, byte counts, and connection
duration, etc. [67]. Furthermore, clustering is combined with
the above model [172]; this strategy uses Naïve Bayes clus-
tering to classify traffic in an automated fashion. Recently,
unsupervised ML techniques have also been introduced in
the domain of network security for classifying traffic. Major
developments include a hybrid model to classify traffic in
more unsupervised manner [173], which uses both labeled
and unlabeled data to train the classifier making it more
durable and efficient. However, later on, completely unsuper-
vised methods for traffic classification have been proposed,
and still, much work is going on in this area. Initially, a com-
pletely unsupervised approach for traffic classification was
employed using the K-means clustering algorithm combined
with log transformation to classify data into corresponding
clusters. Then, [78] highlighted that using K-means and this
method for traffic classification can improve accuracy by
10% to achieve an overall 90% accuracy.
Another improved and faster approach was proposed
in 2006 [174], which examines the size of the first five
packets and determines the application correctly using unsu-
pervised learning techniques. This approach has shown to
produce better results than the state-of-the-art traffic classi-
fier, and also has removed its drawbacks (such as dealing
with outliers or unknown packets, etc.). Another similar auto-
mated traffic classifier and application identifier can be seen
in [175], and they use the auto-class unsupervised Bayesian
classifier, which automatically learns the inherent natural
classes in a dataset.
In 2013, another novel strategy for traffic classification
known as network traffic classification using correlation was
proposed [167], which uses non-parametric NN combined
with statistical measurement of correlation within data to
efficiently classify traffic. The presented approach addressed
the three major drawbacks of supervised and unsupervised
learning classification models: firstly, they are inappropriate
for sparse complex networks as labeling of training data takes
too much computation and time; secondly, many supervised
schemes such as SVM are not robust to training data size; and
lastly, and most importantly, all supervised and unsupervised
algorithms perform poorly if there are few training samples.
Thus, classifying the traffic using correlations appears to
be more efficient and adapting. [176] compared four ANN
approaches for computer network traffic, and modeled the
Internet traffic like a time series and used mathematical
methods to predict the time series. A greedy layer-wise train-
ing for unsupervised stacked autoencoder produced excellent
classification results, but at the cost of significant system
complexity. Genetic algorithm combined with constraint
65596
clustering process is used for Internet traffic data characteri-
zation [177]. In another work, a two-phased ML approach for
Internet traffic classification using K-means and C5.0 deci-
sion tree is presented in [178] where the average accuracy of
classification was 92.37%.
A new approach for Internet traffic classification has been
introduced in 2017 by [88] in which unidirectional and bidi-
rectional information is extracted from the collected traffic,
and K-means clustering is performed on the basis of statistical
properties of the extracted flows. A supervised classifier then
classifies these clusters. Another unsupervised learning based
algorithm for Internet traffic detection is described in [179]
where a restricted Boltzmann machine based SVM is pro-
posed for traffic detection, this paper model the detection as
a classification problem. Results were compared with ANN
and decision tree algorithms on the basis of precision and
recall. Application of deep learning algorithms in Internet
traffic classification has been discussed in [16], with this work
also outlining the open research challenges in applying deep
learning for Internet traffic classification. These problems
are related to training the models for big data since Internet
data for deep learning falls in big data regime, optimiza-
tion issues of the designed models given the uncertainty in
Internet traffic and scalability of deep learning architectures
in Internet traffic classification. To cope with the challenges
of developing a flexible high-performance platform that can
capture data from a high-speed network operating at more
than 60 Gbps, [180] have introduced a platform for high-
speed packet to tuple sequence conversion which can sig-
nificantly advance the state of the art in real-time network
traffic classification. In another work, [181] used stacked
autoencoders for Internet traffic classification and produced
more than 90% accurate results for the two classes in KDD
99 dataset.
Deep belief network combined with Gaussian model
employed for Internet traffic prediction in wireless mesh
backbone network has been shown to outperform the pre-
vious maximum likelihood estimation technique for traffic
prediction [182]. Given the uncertainty of WLAN channel
traffic classification is very tricky, [169] proposed a new
variant of Gaussian mixture model by incorporating universal
background model and used it for the first time to classify
the WLAN traffic. A brief overview of the different Internet
traffic classification systems, classified on the basis of unsu-
pervised technique and tasks discussed earlier, is presented in
the Table 7.
B. ANOMALY/INTRUSION DETECTION
The increasing use of networks in every domain has increased
the risk of network intrusions, which makes user privacy and
the security of critical data vulnerable to attacks. According
to the annual computer crime and security survey 2005 [199],
conducted by the combined teams of CSI (Computer Security
Institute) and FBI (Federal Bureau of Investigation), total
financial losses faced by companies due to the security attacks
and network intrusions were estimated as US $130 million.
VOLUME 7, 2019
M. Usama et al.: Unsupervised Machine Learning for Networking: Techniques, Applications, and Research Challenges
TABLE 7. Internet traffic classification with respect to unsupervised learning techniques and tasks.
Moreover, according to the Symantec Internet Security
Threat Report [200], approximately 5000 new vulnerabilities
were identified in the year 2015. In addition, more than
400 million new variants of malware programs and 9 major
breaches were detected exposing 10 million identities. There-
fore, insecurity in today’s networking environment has given
rise to the ever-evolving domain of network security and
intrusion/anomaly detection [200].
In general, Intrusion Detection Systems (IDS) recognize
or identify any act of security breach within a computer or a
network; specifically, all requests which could compromise
the confidentiality and availability of data or resources of a
system or a particular network. Generally, intrusion detection
systems can be categorized into three types: (1) signature-
based intrusion detection systems; (2) anomaly detection
systems; and (3) compound/hybrid detection systems, which
include selective attributes of both preceding systems.
Signature detection, also known as misuse detection, is a
technique that was initially used for tracing and identify-
ing misuses of user’s important data, computer resources,
and intrusions in the network based on the previously col-
lected or stored signatures of intrusion attempts. The most
important benefit of a signature-based system is that a com-
puter administrator can exactly identify the type of attack a
computer is currently experiencing based on the sequence
of the packets defined by stored signatures. However, it is
nearly impossible to maintain the signature database of all
evolving possible attacks, thus this pitfall of the signature-
based technique has given rise to anomaly detection systems.
Anomaly Detection System (ADS) is a modern intrusion
and anomaly detection system. Initially, it creates a baseline
image of a system profile, its network and user program
activity. Then, on the basis of this baseline image, ADS classi-
fies any activity deviating from this behavior as an intrusion.
Few benefits of this technique are: firstly, they are capable
VOLUME 7, 2019
of detecting insider attacks such as using system resources
through another user profile; secondly, each ADS is based on
a customized user profile which makes it very difficult for
attackers to ascertain which types of attacks would not set an
alarm; and lastly, it detects unknown behavior in a computer
system rather than detecting intrusions, thus it is capable of
detecting any unknown sophisticated attack which is different
from the users’ usual behavior. However, these benefits come
with a trade-off, in which the process of training a system on
a user’s ‘normal’ profile and maintaining those profiles is a
time consuming and challenging task. If an inappropriate user
profile is created, it can result in poor performance. Since
ADS detects any behavior that does not align with a user’s
normal profile, its false alarm rate can be high. Lastly, another
pitfall of ADS is that a malicious user can train ADS gradually
to accept inappropriate traffic as normal.
As anomaly and intrusion detection have been a popular
research area since the origin of networking and Internet,
numerous supervised as well as unsupervised [201] learning
techniques have been applied to efficiently detect intrusions
and malicious activities. However, latest research focuses on
the application of unsupervised learning techniques in this
area due to the challenge and promise of using big data for
optimizing networks.
Initial work focuses on the application of basic unsu-
pervised clustering algorithms for detecting intrusions and
anomalies. In 2005, an unsupervised approach was proposed
based on density and grid-based clustering to accurately
classify the high-dimensional dataset in a set of clusters;
those points which do not fall in any cluster are marked
as abnormal [71]. This approach has produced good results
but the false positive rate was very high. In follow-up work,
another improved approach that used fuzzy rough C-means
clustering was introduced [85], [195]. K-means clustering is
also another famous approach used for detecting anomalies
65597
 M. Usama et al.: Unsupervised Machine Learning for Networking: Techniques, Applications, and Research Challenges
which were later proposed in 2009 [79], which showed great
accuracy and outperformed existing unsupervised methods.
However, later in 2012, an improved method which used
K-means clustering combined with the C4.5 decision tree
algorithm was proposed [192] to produce more efficient
results than prior approaches. [202] combines cluster centers
and nearest neighbors for effective feature representation
which ensures a better intrusion detection, however, a limi-
tation with this approach is that it is not able to detect user to
resource and remote to local attacks. Another scheme using
unsupervised learning approach for anomaly detection is pre-
sented in [203]. The presented scheme combines subspace
clustering and correlation analysis to detect anomalies and
provide protection against unknown anomalies; this exper-
iment used WIDE backbone networks data [204] spanning
over six years and produced better results than previous
K-means based techniques. Work presented in [205] shows
that for different intrusions schemes, there are a small set
of measurements required to differentiate between normal
and anomalous traffic; the authors used two co-clustering
schemes to perform clustering and to determine which
measurement subset contributed the most towards accurate
detection.
Another famous approach for increasing detection accu-
racy is ensemble learning, work presented in [206] employed
many hybrid incremental ML approaches with gradient
boosting and ensemble learning to achieve better detection
performance. Authors in [207] surveyed anomaly detection
research from 2009 to 2014 and find out the unique algo-
rithmic similarity for anomaly detection in Internet traf-
fic: most of the algorithms studied have following sim-
ilarities 1) Removal of redundant information in training
phase to ensure better learning performance 2) Feature selec-
tion usually performed using unsupervised techniques and
increases the accuracy of detection 3) Use ensembles clas-
sifiers or hybrid classifiers rather than baseline algorithms
to get better results. Authors in [208] have developed an
artificial immune system based intrusion detection system
they have used density-based spatial clustering of applica-
tions with noise to develop an immune system against the
network intrusion detection.
The application of unsupervised intrusion detection in
cloud network is presented in [209] where authors have pro-
posed a fuzzy clustering ANN to detect the less frequent
attacks and improve the detection stability in cloud networks.
Another application of unsupervised intrusion detection sys-
tem for clouds is surveyed in [210], where fuzzy logic based
intrusion detection system using supervised and unsupervised
ANN is proposed for intrusion detection; this approach is
used for DOS and DDoS attacks where the scale of the attack
is very large. Network intrusion anomaly detection system
(NIDS) based on K-means clustering are surveyed in [211];
this survey is unique as it provides distance and similarity
measure of the intrusion detection and this perspective has not
been studied before 2015. Unsupervised learning based appli-
cations of anomaly detection schemes for wireless personal
65598
area networks, wireless sensor networks, cyber-physical sys-
tems, and WLANs are surveyed in [212].
Another paper [213] reviewing anomaly detection has pre-
sented the application of unsupervised SVM and clustering
based applications in network intrusion detection systems.
Unsupervised discretization algorithm is used in Bayesian
network classifier for intrusion detection, which is based on
Bayesian model averaging [214]; the authors show that the
proposed algorithm performs better than the Naïve Bayes
classifier in terms of accuracy on the NSL-KDD intru-
sion detection dataset. Border gateway protocol (BGP)—
the core Internet inter-autonomous systems (inter-AS) rout-
ing protocol—is also error prone to intrusions and anoma-
lies. To detect these BGP anomalies, many supervised and
unsupervised ML solutions (such as hidden Markov models
and principal component analysis) have been proposed in
literature [215]. Another problem for anomaly detection is
low volume attacks, which have become a big challenge for
network traffic anomaly detection. While long-range depen-
dencies (LRD) are used to identify these low volume attacks,
LRD usually works on aggregated traffic volume; but since
the volume of traffic is low, the attacks can pass undetected.
To accurately identify low volume abnormalities, [216] pro-
posed the examination of LRD behavior of control plane and
data plane separately to identify low volume attacks.
Other than clustering, another widely used unsupervised
technique for detecting malicious and abnormal behavior in
networks is SOMs. The specialty of SOMs is that they can
automatically organize a variety of inputs and deduce patterns
among themselves, and subsequently determine whether the
new input fits in the deduced pattern or not, thus detecting
abnormal inputs [184], [185]. SOMs have also been used
in host-based intrusion detection systems in which intruders
and abusers are identified at a host system through incom-
ing data traffic [188], later on, a more robust and efficient
technique was proposed to analyze data patterns in TCP
traffic [186]. Furthermore, complex NNs have also been
applied to solve the same problem and remarkable results
have been produced. A few examples include the application
of ART combined with SOM [189]. The use of PCA can also
be seen in detecting intrusions [197]. NMF has also been
used for detecting intruders and abusers [112], and lastly
dimensionality reduction techniques have also been applied
to eradicate intrusions and anomalies in the system [198]. For
more applications, refer to Table 8, which classifies different
network anomaly and intrusion detection systems on the basis
of unsupervised learning techniques discussed earlier.
C. NETWORK OPERATIONS, OPTIMIZATIONS,
AND ANALYTICS
Network management comprises of all the operations
included in initializing, monitoring and managing of a com-
puter network based on its network functions, which are the
primary requirements of the network operations. The general
purpose of network management and monitoring systems
is to ensure that basic network functions are fulfilled, and
VOLUME 7, 2019
M. Usama et al.: Unsupervised Machine Learning for Networking: Techniques, Applications, and Research Challenges
TABLE 8. Anomaly & network intrusion detection systems (A-NIDS) with respect to unsupervised learning techniques.
if there is any malfunctioning in the network, it should be
reported and addressed accordingly. Following is a summary
of different network optimization tasks achieved through
unsupervised learning models.
1) QOS/QOE OPTIMIZATION
QoS and QoE are measures of service performance and end-
user experience, respectively. QoS mainly deals with the
performance as seen by the user being measured quantita-
tively, while QoE is a qualitative measure of subjective met-
rics experienced by the user. QoS/QoE for Internet services
(especially multimedia content delivery services) is crucial in
order to maximize the user experience. With the dynamic and
bursty nature of Internet traffic, computer networks should
be able to adapt to these changes without compromising
end-user experiences. As QoE is quite subjective, it heavily
relies on the underlying QoS which is affected by different
network parameters. References [232] and [233] suggested
VOLUME 7, 2019
different measurable factors to determine the overall approx-
imation of QoS such as error rates, bit rate, throughput, trans-
mission delay, availability, jitters, etc. Furthermore, these
factors are used to correlate QoS with QoE in the perspective
of video streaming where QoE is essential to end-users.
The dynamic nature of the Internet dictates network design
for different applications to maximize QoS/QoE since there
is no predefined adaptive algorithm that can be used to fulfill
all the necessary requirements for prospective application.
Due to this fact, ML approaches are employed in order to
adapt to the real-time network conditions and take measures
to stabilize/maximize the user experience. Reference [234]
employed a hybrid architecture having unsupervised feature
learning with a supervised classification for QoE-based video
admission control and resource management. Unsupervised
feature learning in this system is carried out by using a fully
connected NN comprising RBMs, which capture descriptive
features of video that are later classified by using a supervised
65599
 M. Usama et al.: Unsupervised Machine Learning for Networking: Techniques, Applications, and Research Challenges
classifier. Similarly, [235] presents an algorithm to estimate
the Mean Opinion Score, a metric for measuring QoE, for
VoIP services by using SOM to map quality metrics to
features.
Moreover, research has shown that QoE-driven content
optimization leads to the optimal utilization of the network.
Reference [236] showed that 43% of the bit overhead on
average can be reduced per image delivered on the web. This
is achieved by using the quality metric VoQS (Variation of
Quality Signature), which can arbitrarily compare two images
in terms of web delivery performance. By applying this met-
ric for unsupervised clustering of the large image dataset,
multiple coherent groups are formed in device-targeted and
content-dependent manner. In another study [237], deep
learning is used to assess the QoE of 3D images that have
yet to show good results compared with the other determin-
istic algorithms. The outcome is a Reduced Reference QoE
assessment process for automatic image assessment, and it
has a significant potential to be extended to work on 3D video
assessment.
In [238], a unique technique of the model-based RL
approach is applied to improve bandwidth availability, and
hence throughput performance, of a network. The MRL
model is embedded in a node that creates a model of the
operating environment and uses it to generate virtual states
and rewards for the virtual actions taken. As the agent does
not need to wait for the real states and rewards from the
operating environment, it can explore various kinds of actions
on the virtual operating environment within a short period
of time which helps to expedite the learning process, and
hence the convergence rate to the optimal action. In [239],
a MARL approach is applied in which nodes exchange
Q-values among themselves and select their respective next-
hop nodes with the best possible channel conditions while
forwarding packets towards the destination. This helps to
improve throughput performance as nodes in a network
ensure that packets are successfully sent to the destination in
a collaborative manner.
2) TCP OPTIMIZATION
Transmission Control Protocol (TCP) is the core end-to-end
protocol in TCP/IP stack that provides reliable, ordered and
error-free delivery of messages between two communicating
hosts. Due to the fact that TCP provides reliable and in-order
delivery, congestion control is one of the major concerns of
this protocol, which is commonly dealt with the algorithms
defined in RFC 5681. However, classical congestion control
algorithms are sub-optimal in hybrid wired/wireless networks
as they react to packet loss in the same manner in all net-
work situations. In order to overcome this shortcoming of
classical TCP congestion control algorithms, an ML-based
approach is proposed in [240], which employs a supervised
classifier based on features learned for classifying a packet
loss due to congestion or link errors. Other approaches to
this problem currently employed in literature include using
RL that uses fuzzy logic based reward evaluator based on
65600
game theory [241]. Another promising approach, named
Remy [242], uses a modified model of Markov decision pro-
cess based on three factors: 1) prior knowledge about the
network; 2) a traffic model based on user needs (i.e., through-
put and delay); and 3) an objective function that is to be
maximized. By this learning approach, a customized best-
suited congestion control scheme is produced specifically for
that part of the network, adapted to its unique requirements.
However, classifying packet losses using unsupervised learn-
ing methods is still an open research problem and there is a
need for real-time adaptive congestion control mechanism for
multi-modal hybrid networks.
For more applications, refer to Table 9, which classifies
different various network optimization and operation works
on the basis of their network type and the unsupervised
learning technique used.
D. DIMENSIONALITY REDUCTION & VISUALIZATION
Network data usually consists of multiple dimensions.
To apply machine learning techniques effectively the num-
ber of variables is needed to be reduced. Dimensionality
reduction schemes have a number of significant potential
applications in networks. In particular, dimensionality reduc-
tion can be used to facilitate network operations (e.g., for
anomaly/intrusion detection, reliability analysis, or for fault
prediction) and network management (e.g., through visual-
ization of high-dimensional networking data). A tabulated
summary of various research works using dimensionality
reduction techniques for various kinds of networking appli-
cations is provided in Table 10.
Dimensionality reduction techniques have been used to
improve the effectiveness of the anomaly/intrusion detec-
tion system. Reference [255] proposed a DDoS detection
system in SDN where dimensionality reduction is used for
feature extraction and reduction in an unsupervised manner
using stacked sparse autoencoders. Reference [256] proposed
a flow-based anomaly intrusion detection using replicator
neural network. Proposed network is based on an encoder
and decoder where the hidden layer between encoder and
decoder performs the dimensionality reduction in an unsu-
pervised manner, this process also corresponds to PCA.
Similarly, [257] have proposed another anomaly detection
procedure where dimensionality reduction for feature extrac-
tion is performed using multi-scale PCA and then using
wavelet analysis, so that the anomalous traffic is separated
from the flow. Dimensionality reduction using robust PCA
based on minimum covariance determinant estimator for
anomaly detection is presented in [258]. [259] applied PCA
for dimensionality reduction in network intrusion detec-
tion application. To improve the performance of intrusion
detection scheme, another algorithm based on dimensionality
reduction for new feature learning using PCA is presented
in [260], [261]. [262] have reviewed the dimensionality
reduction schemes for intrusion detection in multimedia
traffic and proposed an unsupervised feature selection
VOLUME 7, 2019
M. Usama et al.: Unsupervised Machine Learning for Networking: Techniques, Applications, and Research Challenges
TABLE 9. Unsupervised learning techniques employed for network operations, optimizations and analytics.
scheme based on the dimensionality-reduced multimedia
data.
Dimensionality reduction using autoencoders performs a
vital role in fault prediction and reliability analysis of the
cellular networks, this work also recommends deep belief
networks and autoencoders as logical fault prediction tech-
niques for self-organizing networks [263]. Most of the Inter-
net applications use encrypted traffic for communication,
previously deep packet inspection (DPI) was considered a
standard way of classifying network traffic but with the vary-
ing nature of the network application and randomization of
port numbers and payload size DPI has lost its significance.
Authors in [264] have proposed a hybrid scheme for network
traffic classification. The proposed scheme uses extreme
machine learning, genetic algorithms and dimensionality
reduction for feature selection and traffic classification.
Reference [265] applied fuzzy set theoretic approach for
VOLUME 7, 2019
dimensionality reduction along with fuzzy C-mean clustering
algorithm for the quality of web usage. In another work, [266]
used Shrinking Sparse AutoEncoders (SSAE) for represent-
ing high-dimensional data and utilized SSAE in compressive
sensing settings.
Visualization of high dimensional data in lower dimension
representation is another application of dimensionality reduc-
tion. There are many relevant techniques such as PCA and
t-SNE that can be used to extract the underlying structure of
high-dimensional data, which can then be visualized to aid
human insight seeking and decision making [144]. A num-
ber of researchers have proposed to utilize dimensionality
reduction techniques to aid visualization of networking data.
[252] proposed a manifold learning based visualization tool
for network traffic visualization and anomaly detection.
Reference [267] proposed a PCA-based solution for the
detection and visualization of networking attacks, in which
65601
 M. Usama et al.: Unsupervised Machine Learning for Networking: Techniques, Applications, and Research Challenges
TABLE 10. Dimensionality reduction techniques employed for networking applications.
PCA is used for the dimensionality reduction of the feature
vector extracted from KDD network traffic dataset. [268]
used t-SNE for depicting malware fingerprints in their pro-
posed network intrusion detection system. Reference [269]
proposed a rectangular dualization scheme for visualiz-
ing the underlying network topology. Reference [270] used
dimensionality reduction and t-SNE of clustering and visu-
alization of botnet traffic. Finally, a lightweight platform
for home Internet monitoring is presented in [271] where
PCA and t-SNE are used for dimensionality reduction and
visualization of the network traffic. A number of tools
are readily available—e.g., Divvy [272], Weka [273]—that
implement dimensionality reduction and other unsupervised
ML techniques (such as PCA and manifold learning) and
allow exploratory data analysis and visualization of high-
dimensional data.
Dimensionality reduction techniques and tools have been
utilized in all kinds of networks and we present some recent
examples related to self-organizing networks (SONs) and
software-defined radios (SDRs). Reference [274] proposed
a semi-supervised learning scheme for anomaly detection in
SON based on dimensionality reduction and fuzzy classifica-
tion technique. Reference [275] used minor component anal-
ysis (MCA) for dimensionality reduction as a preprocessing
step for user-level statistical data in LTE-A networks to detect
the cell outage. Reference [247] used multi-dimensional scal-
ing (MDS), a dimensionality reduction scheme, as part of the
preprocessing step for cell outage detection in SON. Another
data-driven approach by [276] also uses MDS for getting
a low dimensional embedding of target key point indicator
vector as a preprocessing step to automatically detect cell
65602
outage in SON. Reference [277] used PCA for dimension-
ality reduction of drive test samples to detect cell outages
autonomously in SON. Conventional routing schemes are not
sufficient for the fifth generation of communication systems.
Reference [278] proposed a supervised deep learning based
routing scheme for heterogeneous network traffic control.
Although supervised approach performed well, gathering a
lot of heterogeneous traffic with labels, and then processing
them with a plain ANN is computationally extensive and
prone to errors due to the imbalanced nature of the input
data and the potential for overfitting. In 2017, [279] has
presented a deep learning based approach for routing and
cost-effective packet processing. The proposed model uses
deep belief architecture and benefits from the dimensionality
reduction property of the restricted Boltzmann machine. The
proposed work also provides a novel Graphics Processing
Unit (GPU) based router architecture. The detailed analysis
shows that deep learning based SDR and routing technique
can meet the changing network requirements and massive
network traffic growth. The routing scheme proposed in [279]
outperforms conventional open shortest path first (OSPF)
routing technique in terms of throughput and average delay
per hop.
E. EMERGING NETWORKING APPLICATIONS
OF UNSUPERVISED LEARNING
Next generation network architectures such as Software-
defined Networks (SDN), Self Organizing Networks (SON),
and the Internet of Things (IoT) are expected to be the basis
of future intelligent, adaptive, and dynamic networks [280].
ML techniques will be at the center of this revolution provid-
VOLUME 7, 2019
M. Usama et al.: Unsupervised Machine Learning for Networking: Techniques, Applications, and Research Challenges

ing the aforementioned properties. This subsection covers the in the self-organization and achieves the task by learning
recent applications of unsupervised ML techniques in SDNs, from the surrounding environment. As the connected net-
SONs, and IoTs. work devices are growing exponentially, and the communi-
cation cell size has reduced to femtocells, the property of
1) SOFTWARE DEFINED NETWORKS
self-organization is becoming increasingly desirable [290].
SDN is a disruptive new networking architecture that sim-
Feasibility of SON application in the fifth generation (5G)
plifies network operating and managing tasks and provides
of wireless communication is studied in [291] and the study
infrastructural support for novel innovations by making the
shows that without (supervised as well as unsupervised)
network programmable [281]. In simple terms, the idea of
ML support, SON is not possible. Application of ML tech-
programmable networks is to simply decouple the data for-
niques in SON has become a very important research area
warding plane and control/decision plane, which is rather
as it involves learning from the surroundings for intelligent
tightly coupled in the current infrastructure. The use of SDN
decision-making and reliable communication [2].
can also be seen in managing and optimizing networks as
Application of different ML-based SON for heterogeneous
network operators go through a lot of hassle to imple-
networks is considered in [292], this paper also describes
ment high-level security policies in term of distributed low-
the unsupervised ANN and hidden Markov models tech-
level system configurations, thus SDN resolves this issue
niques employed for better learning from the surroundings
by decoupling the planes and giving network operators bet-
and adapting accordingly. PCA and clustering are the two
ter control and visibility over network, enabling them to
most used unsupervised learning schemes utilized for param-
make frequent changes to network state and providing sup-
eter optimization and feature learning in SON [290]. These
port for high-level specification language for network con-
ML schemes are used in self-configuration, self-healing, and
trol [282]. SDN is applicable in a wide variety of areas
self-optimization schemes. Game theory is another unsuper-
ranging from enterprise networks, data centers, infrastructure
vised learning approach used for designing self-optimization
based wireless access networks, optical networks to home
and greedy self-configuration design of SON systems [293].
and small businesses, each providing many future research
Authors in [294] proposed an unsupervised ANN for link
opportunities [281].
quality estimation of SON which outperformed simple mov-
Unsupervised ML techniques are seeing a surging interest
ing average and exponentially weighted moving averages.
in SDN community as can be seen by a spate of recent work.
A popular application of unsupervised ML techniques in
3) INTERNET OF THINGS
SDNs relates to the application of intrusion detection and mit-
IoT is an emerging paradigm with a growing academic and
igation of security attacks [283]. Another approach for detect-
industry interest. IoT is an abstraction of intelligent, phys-
ing anomalies in a cloud environment using unsupervised
ical and virtual devices with unique identities, connected
learning model has been proposed by [284] that uses SOM to
together to form a cyber-physical framework. These devices
capture emergent system behavior and predict unknown and
collect, analyze and transmit data to public or private cloud
novel anomalies without any prior training or configuration.
for intelligent [295]. IoT is a new networking paradigm and
A DDoS detection system for SDN is presented in [255]
it is expected to be deployed in health care, smart cities,
where stacked autoencoders are used to detect DDoS attacks.
home automation, agriculture, and industry. With such a vast
A density peak based clustering algorithm for DDoS attack is
plane of applications, IoT needs ML to collect and analyze
proposed as a new method to review the potentials of using
data to make intelligent decisions. The key challenge that
SDN to develop an efficient anomaly detection method [285].
IoT must deal with is the extremely large scale (billions of
[286] have recently presented an intelligent threat aware
devices) of future IoT deployments [296]. Designing, analyz-
response system for SDN using reinforcement learning, this
ing and predicting are the three major tasks and all involve
work also recommends using unsupervised feature learning
ML, a few examples of unsupervised ML are shared next.
to improve the threat detection process. Another framework
Reference [297] recommend using unsupervised ML tech-
for anomaly detection, classification, and mitigation for SDN
niques for feature extraction and supervised learning for
is presented in [287] where unsupervised learning is used
classification and predictions. Given the scale of the IoT,
for traffic feature analysis. Reference [288] have presented
a large amount of data is expected in the network and there-
a forensic framework for SDN and recommended K-means
fore requires a load balancing method, a load balancing
clustering for anomaly detection in SDN. Another work [289]
algorithm based on a restricted Boltzmann machine is pro-
discusses the potential opportunities for using unsupervised
posed in [298]. Online clustering scheme forms dynamic IoT
learning for traffic classification in SDN. Moreover, deep
data streams is described in [299]. Another work describing
learning and distributed processing can also be applied to
an ML application in IoT recommends a combination of
such models in order to better adapt to evolving networks and
PCA and regression for IoT to get better prediction [300].
contribute to the future of SDN infrastructure as a service.
Usage of clustering technique in embedded systems for
2) SELF ORGANIZING NETWORKS IoT applications is presented in [301]. An application using
SON is another new and popular research regime in network- denoising autoencoders for acoustic modeling in IoT is
ing, SON is inspired by the biological system which works presented in [302].

VOLUME 7, 2019 65603

 M. Usama et al.: Unsupervised Machine Learning for Networking: Techniques, Applications, and Research Challenges
F. LESSONS LEARNT
Key lessons drawn from the review of unsupervised learning
in networking applications are summarized below:
1) A recommended and well-studied method for unsu-
pervised Internet traffic classification in literature is
data clustering combined with the latent representation
learning on traffic feature set by using autoencoders.
Min-max ensemble learning will help to increase the
efficiency of unsupervised learning if required.
2) Semi-supervised learning is also an appropriate method
for Internet traffic classification given some labeled
traffic data and channel characteristics are available for
initial model training.
3) Application of generative models and transfer learn-
ing for the Internet traffic classification has not been
explored properly in literature and can be a potential
research direction.
4) The overwhelming growth in network traffic and
expected surge in traffic with the evolution of 5G and
IoT also elevates the level of threat and anomalies in
network traffic. To deal with these anomalies in Internet
traffic, data clustering, PCA, SOM, and ART are well
explored unsupervised learning techniques in the liter-
ature. Self-taught learning has also been explored as a
potential solution for anomaly detection and remains
a possible research direction for future research in
anomaly detection in network traffic.
5) Current state of the art in dimensionality reduction in
network traffic is based on PCA and multidimensional
scaling. Autoencoders, t-SNE, and manifold learning
are potential areas of research in terms of dimensional-
ity reduction and visualization.
IV. FUTURE WORK: SOME RESEARCH CHALLENGES
AND OPPORTUNITIES
This section provides a discussion on some open directions
for future work and the relevant opportunities in applying
unsupervised ML in the field of networking.
A. SIMPLIFIED NETWORK MANAGEMENT
While new network architectures such as SDN have been
proposed in recent years to simplify network management,
network operators are still expected to know too much,
and to correlate between what they know about how their
network is designed with the current network’s condition
through their monitoring sources. Operators who manage
these requirements by wrestling with complexity manu-
ally will definitely welcome any respite that they can
get from (semi-)automated unsupervised machine learning.
As highlighted in by [303], for ML to become pervasive in
networking, the ‘‘semantic gap’’—which refers to the key
challenge of transferring ML results into actionable insights
and reports for the network operator—must be overcome.
This can facilitate a shift from a reactive interaction style
for network management, where the network manager is
expected to check maps and graphs when things go wrong,
to a proactive one, where automated reports and notifications
65604
are created for different services and network regions. Ideally,
this would be abstract yet informative, such as Google Maps
Directions, e.g. ‘‘there is heavier traffic than usual on your
route’’ as well as suggestions about possible actions. This
could be coupled with an automated correlation of different
reports coming from different parts of the network. This will
require a move beyond mere notifications and visualizations
to more substantial synthesis through which potential sources
of problems can be identified. Another example relates to
making measurements more user-oriented. Most users would
be more interested in QoE instead of QoS, i.e., how the
current condition of the network affects their applications and
services rather than just raw QoS metrics. The development
of measurement objectives should be from a business-eyeball
perspective—and not only through presenting statistics gath-
ered through various tools and protocols such as traceroute,
ping, BGP, etc. with the burden of putting the various pieces
of knowledge together being on the user.
B. SEMI-SUPERVISED LEARNING FOR
COMPUTER NETWORKS
Semi-supervised learning lies between supervised and unsu-
pervised learning. The idea behind semi-supervised learning
is to improve the learning ability by using unlabeled data
incorporation with a small set of labeled examples. In com-
puter networks, semi-supervised learning is partially used
in anomaly detection and traffic classification and has great
potential to be used with deep unsupervised learning archi-
tectures like generative adversarial networks for improving
the state of the art in anomaly detection and traffic classi-
fication. Similarly, user behavior learning for cybersecurity
can also be tackled in a semi-supervised fashion. A semi-
supervised learning based anomaly detection approach is pre-
sented in [304]. The presented approach used large amounts
of unlabeled samples together with labeled samples to build
a better intrusion detection classifier. In particular, a single
hidden layer feed-forward NN has trained to output a
fuzzy membership vector. The results show that using unla-
beled samples help significantly improve the classifier’s
performance. In another work, [305] have proposed semi-
supervised learning with 97% accuracy to filter out non-
malicious data in millions of queries that Domain Name
Service (DNS) servers receive.
C. TRANSFER LEARNING IN COMPUTER NETWORKS
Transfer learning is an emerging ML technique in which
knowledge learned from one problem is applied to a different
but related problem [306]. Although it is often thought that
for ML algorithms, the training and future data must be in
the same feature space and must have the same distribution,
this is not necessarily the case in many real-world applica-
tions. In such cases, it is desirable to have transfer learn-
ing or knowledge transfer between the different task domains.
Transfer learning has been successfully applied in computer
vision and NLP applications but its implementation for net-
working has not been witnessed—even though in principle,
this can be useful in networking as well due to the similar
VOLUME 7, 2019
M. Usama et al.: Unsupervised Machine Learning for Networking: Techniques, Applications, and Research Challenges
nature of Internet traffic and enterprise network traffic in
many respects. Reference [307] used transfer learning based
caching procedure for wireless networks providing backhaul
offloading in 5G networks.
D. FEDERATED LEARNING IN COMPUTER NETWORKS
Federated learning is a collaborative ML technique, which
does not make use of centralized training data, and works
by distributing the processing on different machines. Feder-
ated learning is considered to be the next big thing in cloud
networks as they ensure the privacy of the user data and less
computation on the cloud to reduce the cost and energy [308].
System and method for network address management in the
federated cloud are presented in [309] and the application
of federated IoT and cloud computing for health care is
presented in [310]. An end-to-end security architecture for
federated cloud and IoT is presented in [311].
E. GENERATIVE ADVERSARIAL NETWORKS (GANS)
IN COMPUTER NETWORKS
Adversarial networks—based on generative adversarial net-
work (GAN) training originally proposed by Goodfellow
and colleagues at the University of Montreal [312]—have
recently emerged as a new technique using which machines
can be trained to predict outcomes by only the observing
the world (without necessarily being provided labeled data).
An adversarial network has two NN models: a generator
which is responsible for generating some type of data from
some random input and a discriminator, which has the task of
distinguishing between input from the generator or a real data
set. The two NNs optimize themselves together resulting in a
more realistic generation of data by the generator, and a better
sense of what is plausible in the real world for the discrimina-
tor. Reference [313] proposed a GAN for generating malware
examples to attack a malware classifier and then proposes a
defense against it. Another adversarial perturbation attack on
malware classifier is proposed in [314]. The use of GANs for
ML in networking can improve the performance of ML-based
networking applications such as anomaly detection in which
malicious users have an incentive to adversarial craft new
attacks to avoid detection by network managers.
V. PITFALLS AND CAVEATS OF USING UNSUPERVISED
ML IN NETWORKING
With the benefits and intriguing results of unsupervised learn-
ing, there also exist many shortcomings that are not addressed
widely in the literature. Some potential pitfalls and caveats
related to unsupervised learning are discussed next.
A. INAPPROPRIATE TECHNIQUE SELECTION
To start with, the first potential pitfall could be the selection
of technique. Different unsupervised learning and predicting
techniques may have excellent results on some applications
while performing poorly on others—it is important to choose
the best technique for the task at hand. Another reason could
be a poor selection of features or parameters on which basis
VOLUME 7, 2019
predictions are made—thus parameter optimization is also
important for unsupervised algorithms.
B. LACK OF INTERPRETABILITY OF SOME
UNSUPERVISED ML ALGORITHMS
Some unsupervised algorithms such as deep NNs operate as
a black box, which makes it difficult to explain and interpret
the working of such models. This makes the use of such
techniques unsuitable for applications in which interpretabil-
ity is important. As pointed out in [303], understandability
of the semantics of the decisions made by ML is especially
important for the operational success of ML in large-scale
operational networks and its acceptance by operators, net-
work managers, and users. But prediction accuracy and sim-
plicity are often in conflict [315]. As an example, the greater
accuracy of NNs accrues from its complex nature in which
input variables are combined in a nonlinear fashion to build
a complicated hard-to-explain model; with NNs it may not
be possible to get interpretability as well since they make
a tradeoff in which they sacrifice interpretability to achieve
high accuracy. There are various ongoing research efforts
that are focused on making techniques such as NNs less
opaque [316]. Apart from the focus on NNs, there is a gen-
eral interest in making AI and ML more explainable and
interpretable—e.g., the Defense Advanced Research Projects
Agency or DARPA’s explainable AI project2 is aiming to
develop explainable AI models (leveraging various design
options spanning the performance-vs-explainability trade-
off space) that can explain the rationale of their decision-
making so that users are able to appropriately trust these
models particularly for new envisioned control applications
in which optimization decisions are made autonomously by
algorithms.
C. LACK OF OPERATIONAL SUCCESS
OF ML IN NETWORKING
In literature, researchers have noted that despite substantial
academic research, and practical applications of unsupervised
learning in other fields, we see that there is a dearth of prac-
tical applications of ML solutions in operational networks—
particular for applications such as network intrusion detec-
tion [303], which are challenging problems for a number of
reasons including 1) the very high cost of errors; 2) the lack
of training data; 3) the semantic gap between results and their
operational interpretation; 4) enormous variability in input
data; and finally, 5) fundamental difficulties in conducting
sound performance evaluations. Even for other applications,
the success of ML and its wide adoption in practical systems
at scale lags the success of ML solutions in many other
domains.
D. IGNORING SIMPLE NON-MACHINE-LEARNING
BASED TOOLS
One should also keep in mind a common pitfall that aca-
demic researchers may suffer from which is not realizing that
2 https://www.darpa.mil/program/explainable-artificial-intelligence
65605
 M. Usama et al.: Unsupervised Machine Learning for Networking: Techniques, Applications, and Research Challenges
FIGURE 8. Intuitively, we expect the ML model’s performance to improve with more data but to
deteriorate in performance if the model becomes overly complex for the data. Figure adapted from [317].
network operators may have simpler non-machine learning
based solutions that may work as well as naïve ML-based
solutions in practical settings. Failure to examine the ground
realities of operational networks will undermine the effec-
tiveness of ML-based solutions. We should expect ML-based
solutions to augment and supplement rather than replace
other non-machine-learning based solutions—at least for the
foreseeable future.
E. OVERFITTING
Another potential issue with unsupervised models is overfit-
ting; it corresponds to a model representing the noise or ran-
dom error rather than learning the actual pattern in data.
While commonly associated with supervised ML, the prob-
lem of overfitting lurks whenever we learn from data and
thus is applicable to unsupervised ML as well. As illustrated
in Figure 8, ideally speaking, we expect ML algorithms to
provide improved performance with more data; but with
increasing model complexity, performance starts to deterio-
rate after a certain point—although, it is possible to get poorer
results empirically with increasing data when working with
unoptimized out-of-the-box ML algorithms [317]. According
to the Occam Razor principle, the model complexity should
be commensurate with the amount of data available, and with
overly complex models, the ability to predict and generalize
diminishes. Two major reasons for overfitting could be the
overly large size of the learning model and fewer sample data
used for training purposes. Generally, data is divided into
two portions (actual data and stochastic noise); due to the
unavailability of labels or related information, unsupervised
learning model can overfit the data, which causes issues in
testing and deployment phase. Cross-validation, regulariza-
tion, and Chi-squared testing are highly recommended for
designing or tweaking an unsupervised learning algorithm to
avoid overfitting [318].
F. DATA QUALITY ISSUES
It should be noted that all ML is data dependent, and the per-
formance of ML algorithms is affected largely by the nature,
volume, quality, and representation of data. In the case of
unsupervised ML data quality issues must be carefully con-
sidered since any problem with the data quality will seriously
65606
mar the performance of ML algorithms. A potential prob-
lem is that dataset may be imbalanced if the samples size
from one class is very much smaller or larger than the other
classes [319]. In such imbalanced datasets, the algorithm
must be careful not to ignore the rare class by assuming
it to be noise. Although imbalanced datasets are more of a
nuisance for supervised learning techniques, they may also
pose problems for unsupervised and semi-supervised learn-
ing techniques.
G. INACCURATE MODEL BUILDING
It is difficult to build accurate and generic models since
each model is optimized for certain kind of applications.
Unsupervised ML models should be applied after carefully
studying the application and the suitability of the algorithm in
such settings [320]. For example, we highlight certain issues
related to the unsupervised task of clustering: 1) random
initialization in K-means is not recommended; 2) number of
clusters is not known before the clustering operation as we do
not have labels; 3) in the case of hierarchical clustering, we do
not know when to stop and this can cause increase in the time
complexity of the process, and 4) evaluating the clustering
result is very tricky since the ground truth is mostly unknown.
H. MACHINE LEARNING IN
ADVERSARIAL ENVIRONMENTS
Many networking problems, such as anomaly detection, are
adversarial problems in which the malicious intruder is con-
tinually trying to outwit the network administrators (and the
tools used by the network administrators). In such settings,
machine learning that learns from historical data may not
perform due to clever crafting of attacks specifically for
circumventing any schemes based on previous data.
Due to these challenges, pitfalls, and weaknesses, due
care must be exercised while using unsupervised and semi-
supervised ML. These pitfalls can be avoided in part by using
various best practices [321], such as end-to-end learning
pipeline testing, visualization of the learning algorithm, regu-
larization, proper feature engineering, dropout, sanity checks
through human inspection—whichever is appropriate for the
problem’s context.
VOLUME 7, 2019
M. Usama et al.: Unsupervised Machine Learning for Networking: Techniques, Applications, and Research Challenges
VI. CONCLUSIONS
We have provided a comprehensive survey of machine learn-
ing tasks, latest unsupervised learning techniques, and trends,
along with a detailed discussion of the applications of these
techniques in networking related tasks. Despite the recent
wave of success of unsupervised learning, there is a scarcity
of unsupervised learning literature for computer networking
applications, which this survey aims to address. The few
previously published survey papers differ from our work in
their focus, scope, and breadth; we have written this paper
in a manner that carefully synthesizes the insights from these
survey papers while also providing contemporary coverage of
recent advances. Due to the versatility and evolving nature of
computer networks, it was impossible to cover each and every
application; however, an attempt has been made to cover all
the major networking applications of unsupervised learning
and the relevant techniques. We have also presented concise
future work and open research areas in the field of network-
ing, which is related to unsupervised learning, coupled with a
brief discussion of significant pitfalls and challenges in using
unsupervised machine learning in networks.
ACKNOWLEDGEMENT
The statements made herein are solely the responsibility of
the authors.
REFERENCES
[1] R. W. Thomas et al., ‘‘Cognitive networks,’’ in Cognitive Radio, Soft-
ware Defined Radio, and Adaptive Wireless Systems. Dordrecht, The
Netherlands: Springer, 2007, pp. 17–41.
[2] S. Latif, F. Pervez, M. Usama, and J. Qadir. (2017). ‘‘Artificial intel-
ligence as an enabler for cognitive self-organizing future networks.’’
[Online]. Available: https://arxiv.org/abs/1702.02823
[3] J. Qadir, K.-L. A. Yau, M. A. Imran, Q. Ni, and A. V. Vasilakos, ‘‘IEEE
access special section editorial: Artificial intelligence enabled network-
ing,’’ IEEE Access, vol. 3, pp. 3079–3082, 2015.
[4] S. Suthaharan, ‘‘Big data classification: Problems and challenges in net-
work intrusion prediction with machine learning,’’ ACM SIGMETRICS
Perform. Eval. Rev., vol. 41, no. 4, pp. 70–73, Apr. 2014.
[5] S. Shenker, M. Casado, T. Koponen, and N. McKeown, ‘‘The future of
networking, and the past of protocols,’’ Open Netw. Summit, vol. 20,
pp. 1–30, Oct. 2011.
[6] A. Malik, J. Qadir, B. Ahmad, K.-L. A. Yau, and U. Ullah, ‘‘QoS in
IEEE 802.11-based wireless networks: A contemporary review,’’ J. Netw.
Comput. Appl., vol. 55, pp. 24–46, Sep. 2015.
[7] N. Feamster and J. Rexford. (2017). ‘‘Why (and how) networks should
run themselves,’’ [Online]. Available: https://arxiv.org/abs/1710.11583
[8] J. Jiang et al., ‘‘Unleashing the potential of data-driven networking,’’ in
Proc. Int. Conf. Commun. Syst. Netw. Cham, Switzerland: Springer, 2017.
[9] A. Patcha and J.-M. Park, ‘‘An overview of anomaly detection tech-
niques: Existing solutions and latest technological trends,’’ Comput.
Netw., vol. 51, no. 12, pp. 3448–3470, Aug. 2007.
[10] T. T. T. Nguyen and G. Armitage, ‘‘A survey of techniques for Internet
traffic classification using machine learning,’’ IEEE Commun. Surveys
Tuts., vol. 10, no. 4, pp. 56–76, 4th Quart., 2008.
[11] M. Bkassiny, Y. Li, and S. K. Jayaweera, ‘‘A survey on machine-learning
techniques in cognitive radios,’’ IEEE Commun. Surveys Tuts., vol. 15,
no. 3, pp. 1136–1159, Jul. 2013.
[12] M. A. Alsheikh, S. Lin, D. Niyato, and H. P. Tan, ‘‘Machine learning in
wireless sensor networks: Algorithms, strategies, and applications,’’ IEEE
Commun. Surveys Tuts., vol. 16, no. 4, pp. 1996–2018, 4th Quart., 2014.
[13] A. L. Buczak and E. Guven, ‘‘A survey of data mining and machine
learning methods for cyber security intrusion detection,’’ IEEE Commun.
Surveys Tuts., vol. 18, no. 2, pp. 1153–1176, 2nd Quart., 2016.
[14] P. V. Klaine, M. A. Imran, O. Onireti, and R. D. Souza, ‘‘A survey
of machine learning techniques applied to self-organizing cellular net-
works,’’ IEEE Commun. Surveys Tuts., vol. 19, no. 4, pp. 2392–2431,
4th Quart., 2017.
VOLUME 7, 2019
[15] A. Meshram and C. Haas, ‘‘Anomaly detection in industrial networks
using machine learning: A roadmap,’’ in Machine Learning for Cyber
Physical Systems. Berlin, Germany: Springer, 2017, pp. 65–72.
[16] Z. M. Fadlullah et al., ‘‘State-of-the-art deep learning: Evolving machine
intelligence toward tomorrow’s intelligent network traffic control sys-
tems,’’ IEEE Commun. Surveys Tuts., vol. 19, no. 4, pp. 2432–2455,
4th Quart., 2017.
[17] E. Hodo, X. Bellekens, A. Hamilton, C. Tachtatzis, and R. Atkinson.
(2017). ‘‘Shallow and deep networks intrusion detection system: A taxon-
omy and survey.’’ [Online]. Available: https://arxiv.org/abs/1701.02145
[18] M. A. Al-Garadi, A. Mohamed, A. Al-Ali, X. Du, and M. Guizani. (2018).
‘‘A survey of machine and deep learning methods for Internet of Things
(IoT) security.’’ [Online]. Available: https://arxiv.org/abs/1807.11023
[19] M. S. Mahdavinejad, M. Rezvan, M. Barekatain, P. Adibi, P. Barnaghi,
and A. P. Sheth, ‘‘Machine learning for Internet of Things data analysis:
A survey,’’ Digit. Commun. Netw., vol. 4, no. 3, pp. 161–175, 2018.
[20] R. Boutaba et al., ‘‘A comprehensive survey on machine learning for net-
working: Evolution, applications and research opportunities,’’ J. Internet
Services Appl., vol. 9, p. 16, Jun. 2018.
[21] L. Cui, S. Yang, F. Chen, Z. Ming, N. Lu, and J. Qin, ‘‘A survey on
application of machine learning for Internet of Things,’’ Int. J. Mach.
Learn. Cybern., vol. 9, no. 8, pp. 1399–1417, 2018.
[22] Y. LeCun, Y. Bengio, and G. Hinton, ‘‘Deep learning,’’ Nature, vol. 521,
pp. 436–444, May 2015.
[23] L. Deng, ‘‘A tutorial survey of architectures, algorithms, and applications
for deep learning,’’ APSIPA Trans. Signal Inf. Process., vol. 3, pp. 1–29,
May 2014.
[24] J. Qadir, ‘‘Artificial intelligence based cognitive routing for cognitive
radio networks,’’ Artif. Intell. Rev., vol. 45, no. 1, pp. 25–96, Jan. 2016.
[25] N. Ahad, J. Qadir, and N. Ahsan, ‘‘Neural networks in wireless networks:
Techniques, applications and guidelines,’’ J. Netw. Comput. Appl., vol. 68,
pp. 1–27, Jun. 2016.
[26] I. Guyon, S. Gunn, M. Nikravesh, and L. A. Zadeh, Eds., Feature Extrac-
tion: Foundations and Applications, vol. 207. Heidelberg, Germany:
Springer, 2008.
[27] A. Coates, A. Y. Ng, and H. Lee, ‘‘An analysis of single-layer networks
in unsupervised feature learning,’’ in Proc. Int. Conf. Artif. Intell. Statist.,
2011, pp. 215–223.
[28] M. J. S. M. S. Mohammad Lotfollahi and R. Shirali. (2017). ‘‘Deep
packet: A novel approach for encrypted traffic classification using deep
learning.’’ [Online]. Available: https://arxiv.org/abs/1709.02656
[29] W. Wang, M. Zhu, X. Zeng, X. Ye, and Y. Sheng, ‘‘Malware traffic classi-
fication using convolutional neural network for representation learning,’’
in Proc. Int. Conf. Inf. Netw. (ICOIN), Jan. 2017, pp. 712–717.
[30] M. Yousefi-Azar, V. Varadharajan, L. Hamey, and U. Tupakula,
‘‘Autoencoder-based feature learning for cyber security applications,’’ in
Proc. Int. Joint Conf. Neural Netw. (IJCNN), May 2017, pp. 3854–3861.
[31] R. C. Aygun and A. G. Yavuz, ‘‘Network anomaly detection with stochas-
tically improved autoencoder based models,’’ in Proc. IEEE 4th Int. Conf.
Cyber Secur. Cloud Comput. (CSCloud), Jun. 2017, pp. 193–198.
[32] M. K. Putchala, ‘‘Deep learning approach for intrusion detection system
(IDS) in the Internet of Things (IoT) network using gated recurrent neural
networks (GRU),’’ Ph.D. dissertation, Wright State Univ., Dayton, OH,
USA, 2017.
[33] A. Tuor, S. Kaplan, B. Hutchinson, N. Nichols, and S. Robinson, ‘‘Deep
learning for unsupervised insider threat detection in structured cyberse-
curity data streams,’’ in Proc. Workshops 31st AAAI Conf. Artif. Intell.,
2017, pp. 1–8.
[34] E. Aguiar, A. Riker, M. Mu, and S. Zeadally, ‘‘Real-time QoE
prediction for multimedia applications in wireless mesh networks,’’
in Proc. IEEE Consum. Commun. Netw. Conf. (CCNC), Jan. 2012,
pp. 592–596.
[35] K. Piamrat, A. Ksentini, C. Viho, and J.-M. Bonnin, ‘‘QoE-aware admis-
sion control for multimedia applications in IEEE 802.11 wireless net-
works,’’ in Proc. IEEE 68th Veh. Technol. Conf. (VTC-Fall), Sep. 2008,
pp. 1–5.
[36] K. Karra, S. Kuzdeba, and J. Petersen, ‘‘Modulation recognition using
hierarchical deep neural networks,’’ in Proc. IEEE Int. Symp. Dyn. Spectr.
Access Netw. (DySPAN), Mar. 2017, pp. 1–3.
[37] M. D. Ming Zhang and L. Guo, ‘‘Convolutional neural networks for
automatic cognitive radio waveform recognition,’’ IEEE Access, vol. 5,
pp. 11074–11082, 2017.
65607
 M. Usama et al.: Unsupervised Machine Learning for Networking: Techniques, Applications, and Research Challenges
[38] J. Moysen and L. Giupponi. (2017). ‘‘From 4G to 5G: Self-organized
network management meets machine learning.’’ [Online]. Available:
https://arxiv.org/abs/1707.09300
[39] X. Xie, D. Wu, S. Liu, and R. Li. (2017). ‘‘IoT data analytics using deep
learning.’’ [Online]. Available: https://arxiv.org/abs/1708.03854
[40] I. Goodfellow, Y. Bengio, and A. Courville, Deep Learning. Cambridge,
MA, USA: MIT Press, 2016.
[41] J. Schmidhuber, ‘‘Deep learning in neural networks: An overview,’’ Neu-
ral Netw., vol. 61, pp. 85–117, Jan. 2015.
[42] Y. Bengio, ‘‘Learning deep architectures for AI,’’ Found. Trends Mach.
Learn., vol. 2, no. 1, pp. 1–127, 2009.
[43] G. E. Hinton, S. Osindero, and Y.-W. Teh, ‘‘A fast learning algorithm for
deep belief nets,’’ Neural Comput., vol. 18, no. 7, pp. 1527–1554, 2006.
[44] Y. Bengio, P. Lamblin, D. Popovici, and H. Larochelle, ‘‘Greedy layer-
wise training of deep networks,’’ in Advances in Neural Information
Processing Systems, vol. 19. Cambridge, MA, USA: MIT Press, 2007,
p. 153.
[45] C. Poultney, S. Chopra, and Y. L. Cun, ‘‘Efficient learning of sparse
representations with an energy-based model,’’ in Proc. Adv. Neural Inf.
Process. Syst., 2006, pp. 1137–1144.
[46] J. Ngiam, A. Coates, A. Lahiri, B. Prochnow, Q. V. Le, and A. Y. Ng,
‘‘On optimization methods for deep learning,’’ in Proc. 28th Int. Conf.
Mach. Learn. (ICML), 2011, pp. 265–272.
[47] C. Doersch. (2016). ‘‘Tutorial on variational autoencoders.’’ [Online].
Available: https://arxiv.org/abs/1606.05908
[48] T. Kohonen, ‘‘The self-organizing map,’’ Proc. IEEE, vol. 78, no. 9,
pp. 1464–1480, Sep. 1990.
[49] T. Kohonen, ‘‘The self-organizing map,’’ Neurocomputing, vol. 21,
nos. 1–3, pp. 1–6, 1998.
[50] F. Rosenblatt, ‘‘The perceptron: A probabilistic model for information
storage and organization in the brain,’’ Psychol. Rev., vol. 65, no. 6, p. 386,
1958.
[51] S. S. Haykin, Neural Networks and Learning Machines, vol. 3.
Upper Saddle River, NJ, USA: Pearson, 2009.
[52] G. A. Carpenter and S. Grossberg, Adaptive Resonance Theory. Boston,
MA, USA: Springer, 2010, pp. 22–35.
[53] J. Karhunen, T. Raiko, and K. Cho, ‘‘Unsupervised deep learning: A short
review,’’ in Advances in Independent Component Analysis and Learning
Machines. New York, NY, USA: Academic, 2015, pp. 125–142.
[54] H. Lee, R. Grosse, R. Ranganath, and A. Y. Ng, ‘‘Convolutional deep
belief networks for scalable unsupervised learning of hierarchical rep-
resentations,’’ in Proc. 26th Annu. Int. Conf. Mach. Learn., 2009,
pp. 609–616.
[55] S. Baraković and L. Skorin-Kapov, ‘‘Survey and challenges of QoE
management issues in wireless networks,’’ J. Comput. Netw. Commun.,
vol. 2013, Dec. 2013, Art. no. 165146.
[56] R. Pascanu, C. Gulcehre, K. Cho, and Y. Bengio. (2013). ‘‘How
to construct deep recurrent neural networks.’’ [Online]. Available:
https://arxiv.org/abs/1312.6026
[57] M. Klapper-Rybicka, N. N. Schraudolph, and J. Schmidhuber, ‘‘Unsuper-
vised learning in LSTM recurrent neural networks,’’ in Proc. Int. Conf.
Artif. Neural Netw.. Berlin, Germany: Springer, 2001, pp. 684–691.
[58] G. E. Hinton, ‘‘Boltzmann machine,’’ Encyclopedia Mach. Learn., vol. 2,
no. 5, p. 1668, 2007.
[59] R. Salakhutdinov and G. Hinton, ‘‘Deep Boltzmann machines,’’ in Proc.
Int. Conf. Artif. Intell. Statist. (AISTATS), Clearwater Beach, FL, USA,
2009, pp. 448–455.
[60] K. Tsagkaris, A. Katidiotis, and P. Demestichas, ‘‘Neural network-
based learning schemes for cognitive radio systems,’’ Comput. Commun.,
vol. 31, no. 14, pp. 3394–3404, 2008.
[61] F. Henrique, T. Vieira, and L. L. Lee, ‘‘A neural architecture based on the
adaptive resonant theory and recurrent neural networks,’’ in Proc. IJCSA,
vol. 4, no. 3, 2007, pp. 45–56.
[62] D. Munaretto, D. Zucchetto, A. Zanella, and M. Zorzi, ‘‘Data-driven QoE
optimization techniques for multi-user wireless networks,’’ in Proc. Int.
Conf. Comput., Netw. Commun. (ICNC), Feb. 2015, pp. 653–657.
[63] L. Badia, D. Munaretto, A. Testolin, A. Zanella, and M. Zorzi,
‘‘Cognition-based networks: Applying cognitive science to multimedia
wireless networking,’’ in Proc. IEEE 15th Int. Symp. World Wireless,
Mobile Multimedia Netw. (WoWMoM), Jun. 2014, pp. 1–6.
[64] N. Grira, M. Crucianu, and N. Boujemaa, ‘‘Unsupervised and semi-
supervised clustering: A brief survey,’’ Rev. Mach. Learn. Techn. Process.
Multimedia Content, vol. 1, pp. 9–16, Jul. 2004.
[65] P. Berkhin, ‘‘A survey of clustering data mining techniques,’’ in
Grouping Multidimensional Data. Berlin, Germany: Springer, 2006,
pp. 25–71.
65608
[66] M. H. Bhuyan, D. K. Bhattacharyya, and J. K. Kalita, ‘‘Network anomaly
detection: Methods, systems and tools,’’ IEEE Commun. Surveys Tuts.,
vol. 16, no. 1, pp. 303–336, 1st Quart., 2014.
[67] A. McGregor et al., ‘‘Flow clustering using machine learning tech-
niques,’’ in Proc. Int. Workshop Passive Act. Netw. Meas. Berlin,
Germany: Springer, 2004, pp. 205–214.
[68] R. Xu and D. Wunsch, II, ‘‘Survey of clustering algorithms,’’ IEEE Trans.
Neural Netw., vol. 16, no. 3, pp. 645–678, May 2005.
[69] M. Rehman and S. A. Mehdi, ‘‘Comparison of density-based clustering
algorithms,’’ Lahore College Women Univ., Lahore, Pakistan, Tech. Rep.,
2005.
[70] Y. Chen and L. Tu, ‘‘Density-based clustering for real-time stream data,’’
in Proc. 13th ACM SIGKDD Int. Conf. Knowl. Discovery Data Mining,
2007, pp. 133–142.
[71] K. Leung and C. Leckie, ‘‘Unsupervised anomaly detection in network
intrusion detection using clusters,’’ in Proc. 28th Australas. Conf. Com-
put. Sci., vol. 38, 2005, pp. 333–342.
[72] J. Paparrizos and L. Gravano, ‘‘k-shape: Efficient and accurate clustering
of time series,’’ in Proc. ACM SIGMOD Int. Conf. Manage. Data, 2015,
pp. 1855–1870.
[73] P. Mangiameli, S. K. Chen, and D. West, ‘‘A comparison of SOM neural
network and hierarchical clustering methods,’’ Eur. J. Oper. Res., vol. 93,
no. 2, pp. 402–417, 1996.
[74] P. Orbanz and Y. W. Teh, ‘‘Bayesian nonparametric models,’’ in Ency-
clopedia of Machine Learning. Boston, MA, USA: Springer, 2010,
pp. 81–89.
[75] B. Kurt, A. T. Cemgil, M. Mungan, and E. Saygun, ‘‘Bayesian nonpara-
metric clustering of network traffic data,’’ Tech. Rep.
[76] X. Jin and J. Han, ‘‘Partitional clustering,’’ in Encyclopedia of Machine
Learning, Boston, MA, USA: Springer, 2010, p. 766.
[77] S. R. Gaddam, V. V. Phoha, and K. S. Balagani,
‘‘K-means+ID3: A novel method for supervised anomaly detection
by cascading k-means clustering and ID3 decision tree learning
methods,’’ IEEE Trans. Knowl. Data Eng., vol. 19, no. 3, pp. 345–354,
Mar. 2007.
[78] L. Yingqiu, L. Wei, and L. Yunchun, ‘‘Network traffic classification using
K-Means clustering,’’ in Proc. 2nd Int. Multi-Symp. Comput. Comput. Sci.
(IMSCCS), Aug. 2007, pp. 360–365.
[79] M. Jianliang, S. Haikun, and B. Ling, ‘‘The application on intrusion
detection based on k-means cluster algorithm,’’ in Proc. Int. Forum Inf.
Technol. Appl. (IFITA), vol. 1, 2009, pp. 150–152.
[80] R. Chitrakar and H. Chuanhe, ‘‘Anomaly detection using support vector
machine classification with k-medoids clustering,’’ in Proc. 3rd Asian
Himalayas Int. Conf. Internet (AH-ICI), Nov. 2012, pp. 1–5.
[81] R. Chitrakar and H. Chuanhe, ‘‘Anomaly based intrusion detection using
hybrid learning approach of combining k-medoids clustering and naive
Bayes classification,’’ in Proc. 8th Int. Conf. Wireless Commun., Netw.
Mobile Comput. (WiCOM), Sep. 2012, pp. 1–5.
[82] M. A. T. Figueiredo and A. K. Jain, ‘‘Unsupervised learning of finite
mixture models,’’ IEEE Trans. Pattern Anal. Mach. Intell., vol. 24, no. 3,
pp. 381–396, Mar. 2002.
[83] M. E. Newman and E. A. Leicht, ‘‘Mixture models and exploratory
analysis in networks,’’ Proc. Nat. Acad. Sci. USA, vol. 104, no. 23,
pp. 9564–9569, 2007.
[84] M. Bahrololum and M. Khaleghi, ‘‘Anomaly intrusion detection system
using Gaussian mixture model,’’ in 3rd Int. Conf. Converg. Hybrid Inf.
Technol. (ICCIT), vol. 1, Nov. 2008, pp. 1162–1167.
[85] W. Chimphlee, A. H. Abdullah, M. N. M. Sap, S. Srinoy, and
S. Chimphlee, ‘‘Anomaly-based intrusion detection using fuzzy rough
clustering,’’ in Proc. Int. Conf. Hybrid Inf. Technol. (ICHIT), vol. 1,
Nov. 2006, pp. 329–334.
[86] C. Marquez, M. Gramaglia, M. Fiore, A. Banchs, C. Ziemlicki, and
Z. Smoreda, ‘‘Not all apps are created equal: Analysis of spatiotemporal
heterogeneity in nationwide mobile service usage,’’ in Proc. 13th Int.
Conf. Emerg. Netw. Exp. Technol., 2017, pp. 180–186.
[87] M. Adda, K. Qader, and M. Al-Kasassbeh, ‘‘Comparative analysis of
clustering techniques in network traffic faults classification,’’ Int. J.
Innov. Res. Comput. Commun. Eng., vol. 5, no. 4, pp. 6551–6563,
2017.
[88] A. Vlăduţu, D. Comăneci, and C. Dobre, ‘‘Internet traffic classification
based on flows’ statistical properties with machine learning,’’ Int. J. Netw.
Manage., vol. 27, no. 3, p. e1929, 2017.
[89] J. Liu, Y. Fu, J. Ming, Y. Ren, L. Sun, and H. Xiong, ‘‘Effective and
real-time in-app activity analysis in encrypted Internet traffic streams,’’
in Proc. 23rd ACM SIGKDD Int. Conf. Knowl. Discovery Data Mining,
2017, pp. 335–344.
VOLUME 7, 2019
M. Usama et al.: Unsupervised Machine Learning for Networking: Techniques, Applications, and Research Challenges
[90] M. S. Parwez, D. Rawat, and M. Garuba, ‘‘Big data analytics for user-
activity analysis and user-anomaly detection in mobile wireless network,’’
IEEE Trans. Ind. Informat., vol. 13, no. 4, pp. 2058–2065, Aug. 2017.
[91] T. Lorido-Botran, S. Huerta, L. Tomás, J. Tordsson, and B. Sanz,
‘‘An unsupervised approach to online noisy-neighbor detection
in cloud data centers,’’ Expert Syst. Appl., vol. 89, pp. 188–204,
Dec. 2017.
[92] G. Frishman, Y. Ben-Itzhak, and O. Margalit, ‘‘Cluster-based load bal-
ancing for better network security,’’ in Proc. Workshop Big Data Anal.
Mach. Learn. Data Commun. Netw., 2017, pp. 7–12.
[93] G. R. Kumar, N. Mangathayaru, and G. Narsimha, ‘‘A feature clustering
based dimensionality reduction for intrusion detection (FCBDR),’’ Int. J.
Comput. Sci. Inf. Syst., vol. 12, no. 1, pp. 26–44, 2017.
[94] T. Wiradinata and A. S. Paramita, ‘‘Clustering and feature selection
technique for improving Internet traffic classification using K-NN,’’ J.
Adv. Comput. Netw., Singapore, vol. 4, no. 1, Mar. 2016.
[95] C. M. Bishop, ‘‘Latent variable models,’’ in Learning in Graphical Mod-
els. Dordrecht, The Netherlands: Springer, 1998, pp. 371–403.
[96] A. Skrondal and S. Rabe-Hesketh, ‘‘Latent variable modelling: A survey,’’
Scandin. J. Statist., vol. 34, no. 4, pp. 712–745, 2007.
[97] C. M. Bishop, Neural Networks for Pattern Recognition. London, U.K.:
Oxford Univ. Press, 1995.
[98] J. Josse and F. Husson, ‘‘Selecting the number of components in principal
component analysis using cross-validation approximations,’’ Comput.
Statist. Data Anal., vol. 56, no. 6, pp. 1869–1879, 2012.
[99] A. Hyvärinen and E. Oja, ‘‘Independent component analysis: Algorithms
and applications,’’ Neural Netw., vol. 13, no. 4, pp. 411–430, 2000.
[100] Y.-X. Wang and Y.-J. Zhang, ‘‘Nonnegative matrix factorization: A com-
prehensive review,’’ IEEE Trans. Knowl. Data Eng., vol. 25, no. 6,
pp. 1336–1353, Jun. 2013.
[101] D. D. Lee and H. S. Seung, ‘‘Algorithms for non-negative matrix factor-
ization,’’ in Proc. Adv. Neural Inf. Process. Syst., 2001, pp. 556–562.
[102] M. O. Duff, ‘‘Optimal learning: Computational procedures for Bayes-
adaptive Markov decision processes,’’ Ph.D. dissertation, Univ. Mas-
sachusetts Amherst, Amherst, MA, USA, 2002.
[103] M. J. Beal, Variational Algorithms for Approximate Bayesian Inference.
London, U.K.: Univ. of London, 2003.
[104] T. P. Minka, ‘‘A family of algorithms for approximate Bayesian infer-
ence,’’ Ph.D. dissertation, Massachusetts Inst. Technol., Cambridge, MA,
USA, 2001.
[105] H. Wang and D.-Y. Yeung. (2016). ‘‘Towards Bayesian deep learning:
A survey.’’ [Online]. Available: https://arxiv.org/abs/1604.01662
[106] C. DuBois, J. R. Foulds, and P. Smyth, ‘‘Latent set models for two-mode
network data,’’ in Proc. ICWSM, 2011, pp. 1–8.
[107] J. R. Foulds, C. DuBois, A. U. Asuncion, C. T. Butts, and P. Smyth,
‘‘A dynamic relational infinite feature model for longitudinal social net-
works,’’ in Proc. AISTATS, vol. 11, 2011, pp. 287–295.
[108] J.-A. Hernández and I. W. Phillips, ‘‘Weibull mixture model to char-
acterise end-to-end Internet delay at coarse time-scales,’’ IEE Proc.-
Commun., vol. 153, no. 2, pp. 295–304, 2006.
[109] J. M. Agosta, J. Chandrashekar, M. Crovella, N. Taft, and D. Ting,
‘‘Mixture models of endhost network traffic,’’ in Proc. IEEE INFOCOM,
Apr. 2013, pp. 225–229.
[110] R. Yan and R. Liu, ‘‘Principal component analysis based network traffic
classification,’’ J. Comput., vol. 9, no. 5, pp. 1234–1240, 2014.
[111] X. Xu and X. Wang, ‘‘An adaptive network intrusion detection method
based on PCA and support vector machines,’’ in Proc. Int. Conf. Adv.
Data Mining Appl. Berlin, Germany: Springer, 2005, pp. 696–703.
[112] X. Guan, W. Wang, and X. Zhang, ‘‘Fast intrusion detection based on
a non-negative matrix factorization model,’’ J. Netw. Comput. Appl.,
vol. 32, no. 1, pp. 31–44, 2009.
[113] Z. Albataineh and F. Salem, ‘‘New blind multiuser detection in DS-
CDMA based on extension of efficient fast independent component anal-
ysis (EF-ICA),’’ in Proc. 4th Int. Conf. Intell. Syst., Modelling Simulation,
Jan. 2013, pp. 543–548.
[114] N. Ahmed, S. S. Kanhere, and S. Jha, ‘‘Probabilistic coverage in wireless
sensor networks,’’ in Proc. 30th Anniversary IEEE Conf. Local Comput.
Netw., Nov. 2005, pp. 1–8.
[115] V. Chatzigiannakis, S. Papavassiliou, M. Grammatikou, and B. Maglaris,
‘‘Hierarchical anomaly detection in distributed large-scale sensor net-
works,’’ in Proc. 11th IEEE Symp. Comput. Commun. (ISCC), Jun. 2006,
pp. 761–767.
[116] R. Gu, H. Wang, and Y. Ji, ‘‘Early traffic identification using Bayesian
networks,’’ in Proc. 2nd IEEE Int. Conf. Netw. Infrastruct. Digit. Content,
Sep. 2010, pp. 564–568.
VOLUME 7, 2019
[117] J. Xu and C. R. Shelton, ‘‘Continuous time Bayesian networks for
host level network intrusion detection,’’ in Proc. Joint Eur. Conf. Mach.
Learn. Knowl. Discovery Databases. Berlin, Germany: Springer, 2008,
pp. 613–627.
[118] N. Al-Rousan, S. Haeri, and L. Trajković, ‘‘Feature selection for classi-
fication of BGP anomalies using Bayesian models,’’ in Proc. Int. Conf.
Mach. Learn. (ICMLC), vol. 1, Jul. 2012, pp. 140–147.
[119] D.-P. Liu, M.-W. Zhang, and T. Li, ‘‘Network traffic analysis using refined
Bayesian reasoning to detect flooding and port scan attacks,’’ in Proc. Int.
Conf. Adv. Comput. Theory Eng. (ICACTE), Dec. 2008, pp. 1000–1004.
[120] M. Ishiguro, H. Suzuki, I. Murase, and H. Ohno, ‘‘Internet threat detection
system using Bayesian estimation,’’ in Proc. 16th Annu. Comput. Secur.
Incident Handling Conf., 2004, pp. 1–5.
[121] D. Janakiram, V. A. Reddy, and A. P. Kumar, ‘‘Outlier detection in
wireless sensor networks using Bayesian belief networks,’’ in Proc. 1st
Int. Conf. Commun. Syst. Softw. Middleware (Comsware), Jan. 2006,
pp. 1–6.
[122] S. Haykin, K. Huber, and Z. Chen, ‘‘Bayesian sequential state estima-
tion for MIMO wireless communications,’’ Proc. IEEE, vol. 92, no. 3,
pp. 439–454, Mar. 2004.
[123] S. Ito and N. Kawaguchi, ‘‘Bayesian based location estimation system
using wireless LAN,’’ in Proc. 3rd IEEE Int. Conf. Pervasive Comput.
Commun. Workshops (PerCom), Mar. 2005, pp. 273–278.
[124] S. Liu, J. Hu, S. Hao, and T. Song, ‘‘Improved EM method for Internet
traffic classification,’’ in Proc. 8th Int. Conf. Knowl. Smart Technol.(KST),
Feb. 2016, pp. 13–17.
[125] H. Shi, H. Li, D. Zhang, C. Cheng, and W. Wu, ‘‘Efficient and robust
feature extraction and selection for traffic classification,’’ Comput. Netw.,
vol. 119, pp. 1–16, Jun. 2017.
[126] S. Troia, G. Sheng, R. Alvizu, G. A. Maier, and A. Pattavina, ‘‘Identifi-
cation of tidal-traffic patterns in metro-area mobile networks via matrix
factorization based model,’’ in Proc. IEEE Int. Conf. Pervasive Comput.
Commun. Workshops (PerCom Workshops), Mar. 2017, pp. 297–301.
[127] L. Nie, D. Jiang, and Z. Lv, ‘‘Modeling network traffic for traffic matrix
estimation and anomaly detection based on Bayesian network in cloud
computing networks,’’ Ann. Telecommun., vol. 72, nos. 5–6, pp. 297–305,
2017.
[128] J.-H. Bang, Y.-J. Cho, and K. Kang, ‘‘Anomaly detection of network-
initiated LTE signaling traffic in wireless sensor and actuator networks
based on a hidden semi-Markov model,’’ Comput. Secur., vol. 65,
pp. 108–120, Mar. 2017.
[129] X. Chen, K. Irie, D. Banks, R. Haslinger, J. Thomas, and M. West,
‘‘Scalable Bayesian modeling, monitoring, and analysis of dynamic net-
work flow data,’’ J. Amer. Stat. Assoc., vol. 113, no. 522, pp. 519–533,
2017.
[130] B. Mokhtar and M. Eltoweissy, ‘‘Big data and semantics management
system for computer networks,’’ Ad Hoc Netw., vol. 57, pp. 32–51,
Mar. 2017.
[131] A. Furno, M. Fiore, and R. Stanica, ‘‘Joint spatial and temporal classifi-
cation of mobile traffic demands,’’ in Proc. 36th Annu. IEEE Int. Conf.
Comput. Commun. (INFOCOM), May 2017, pp. 1–9.
[132] M. Malli, N. Said, and A. Fadlallah, ‘‘A new model for rating users’
profiles in online social networks,’’ Comput. Inf. Sci., vol. 10, no. 2, p. 39,
2017.
[133] S. T. Roweis and L. K. Saul, ‘‘Nonlinear dimensionality reduction by
locally linear embedding,’’ Science, vol. 290, no. 5500, pp. 2323–2326,
Dec. 2000.
[134] E. Keogh and A. Mueen, ‘‘Curse of dimensionality,’’ in Encyclo-
pedia of Machine Learning. Boston, MA, USA: Springer, 2010,
pp. 257–258.
[135] P. Pudil and J. Novovičová, ‘‘Novel methods for feature subset selection
with respect to problem knowledge,’’ in Feature Extraction, Construction
Selection. Boston, MA, USA: Springer, 1998, pp. 101–116.
[136] L. Yu and H. Liu, ‘‘Feature selection for high-dimensional data: A fast
correlation-based filter solution,’’ in Proc. Int. Conf. ICML, vol. 3, 2003,
pp. 856–863.
[137] W. M. Hartmann, ‘‘Dimension reduction vs. variable selection,’’ in Proc.
Int. Workshop Appl. Parallel Comput. Berlin, Germany: Springer, 2004,
pp. 931–938.
[138] I. K. Fodor, ‘‘A survey of dimension reduction techniques,’’ Lawrence
Livermore Nat. Lab., Berkeley, CA, USA, Tech. Rep. UCRL-ID-148494,
2002.
[139] J. B. Tenenbaum, V. de Silva, and J. C. Langford, ‘‘A global geometric
framework for nonlinear dimensionality reduction,’’ Science, vol. 290,
no. 5500, pp. 2319–2323, Dec. 2000.
65609
 M. Usama et al.: Unsupervised Machine Learning for Networking: Techniques, Applications, and Research Challenges
[140] C. M. Bishop, M. Svensén, and C. K. I. Williams, ‘‘GTM: The generative
topographic mapping,’’ Neural Comput., vol. 10, no. 1, pp. 215–234,
1998.
[141] T. Hastie and W. Stuetzle, ‘‘Principal curves,’’ J. Amer. Statist. Assoc.,
vol. 84, no. 406, pp. 502–516, 1989.
[142] D. Lee. (2002). Estimations of Principal Curves. [Online]. Available:
http://www.dgp.toronto.edu/~dwlee/pcurve/pcurve_csc2515.pdf
[143] J. B. Kruskal, ‘‘Nonmetric multidimensional scaling: A numerical
method,’’ Psychometrika, vol. 29, no. 2, pp. 115–129, Jun. 1964.
[144] L. van der Maaten and G. Hinton, ‘‘Visualizing data using
t-SNE,’’ J. Mach. Learn. Res., vol. 9, pp. 2579–2605,
Nov. 2008.
[145] J. Cao, Z. Fang, G. Qu, H. Sun, and D. Zhang, ‘‘An accurate traffic
classification model based on support vector machines,’’ Int. J. Netw.
Manage., vol. 27, no. 1, p. e1962, 2017.
[146] W. Zhou, X. Zhou, S. Dong, and B. Lubomir, ‘‘A SOM and PNN
model for network traffic classification,’’ Boletín Técnico, vol. 55, no. 1,
pp. 174–182, 2017.
[147] S. M. Erfani, S. Rajasegarar, S. Karunasekera, and C. Leckie, ‘‘High-
dimensional and large-scale anomaly detection using a linear one-class
SVM with deep learning,’’ Pattern Recognit., vol. 58, pp. 121–134,
Oct. 2016.
[148] M. Nicolau and J. McDermott, ‘‘A hybrid autoencoder and density estima-
tion model for anomaly detection,’’ in Proc. Int. Conf. Parallel Problem
Solving Nature, 2016, pp. 717–726.
[149] S. T. Ikram and A. K. Cherukuri, ‘‘Improving accuracy of intrusion detec-
tion model using PCA and optimized SVM,’’ J. Comput. Inf. Technol.,
vol. 24, no. 2, pp. 133–148, 2016.
[150] J. Moysen, L. Giupponi, and J. Mangues-Bafalluy, ‘‘A mobile network
planning tool based on data analytics,’’ Mobile Inf. Syst., vol. 2017,
Feb. 2017, Art. no. 6740585.
[151] S. A. Ossia et al. (2017). ‘‘A hybrid deep learning architecture for
privacy-preserving mobile analytics.’’ [Online]. Available: https://arxiv.
org/abs/1703.02952
[152] S. Rajendran, W. Meert, D. Giustiniano, V. Lenders, and S. Pollin.
(2017). ‘‘Deep learning models for wireless signal classification with
distributed low-cost spectrum sensors.’’ [Online]. Available: https://arxiv.
org/abs/1707.08908
[153] M. H. Sarshar, ‘‘Analyzing large scale Wi-Fi data using supervised and
unsupervised learning techniques,’’ Ph.D. dissertation, Dalhousie Univ.,
Halifax, NS, Canada, 2017.
[154] S. Ramaswamy, R. Rastogi, and K. Shim, ‘‘Efficient algorithms for
mining outliers from large data sets,’’ ACM SIGMOD Rec., vol. 29, no. 2,
pp. 427–438, 2000.
[155] J. Tang et al., ‘‘Enhancing effectiveness of outlier detections for low
density patterns,’’ in Proc. Pacific–Asia Conf. Knowl. Discovery Data
Mining. Berlin, Germany: Springer, 2002, pp. 535–548.
[156] W. Jin, A. Tung, J. Han, and W. Wang, ‘‘Ranking outliers using sym-
metric neighborhood relationship,’’ in Proc. Adv. Knowl. Discovery Data
Mining, 2006, pp. 577–593.
[157] H.-P. Kriegel, P. Kröger, E. Schubert, and A. Zimek, ‘‘LoOP: Local outlier
probabilities,’’ in Proc. 18th ACM Conf. Inf. Knowl. Manage., 2009,
pp. 1649–1652.
[158] Z. He, X. Xu, and S. Deng, ‘‘Discovering cluster-based local outliers,’’
Pattern Recognit. Lett., vol. 24, nos. 9–10, pp. 1641–1650, 2003.
[159] M. Goldstein and S. Uchida, ‘‘Behavior analysis using unsupervised
anomaly detection,’’ in Proc. 10th Joint Workshop Mach. Perception
Robot. (MPR), 2014, pp. 1–6.
[160] M. Goldstein and S. Uchida, ‘‘A comparative evaluation of unsupervised
anomaly detection algorithms for multivariate data,’’ PLoS ONE, vol. 11,
no. 4, 2016, Art. no. e0152173.
[161] M. Goldstein and A. Dengel, ‘‘Histogram-based outlier score (HBOS):
A fast unsupervised anomaly detection algorithm,’’ in Proc. KI-Poster
Demo Track, 2012, pp. 59–63.
[162] V. Chandola, A. Banerjee, and V. Kumar, ‘‘Anomaly detection: A survey,’’
ACM Comput. Surv., vol. 41, no. 3, p. 15, 2009.
[163] M. Shafiq, X. Yu, A. A. Laghari, L. Yao, N. K. Karn, and F. Abdessamia,
‘‘Network traffic classification techniques and comparative analysis using
machine learning algorithms,’’ in Proc. 2nd IEEE Int. Conf. Comput.
Commun. (ICCC), Oct. 2016, pp. 2451–2455.
[164] Y. Dhote, S. Agrawal, and A. J. Deen, ‘‘A survey on feature selection
techniques for Internet traffic classification,’’ in Proc. Int. Conf. Comput.
Intell. Commun. Netw. (CICN), Dec. 2015, pp. 1375–1380.
65610
[165] Y. Huang, Y. Li, and B. Qiang, ‘‘Internet traffic classification based on
min-max ensemble feature selection,’’ in Proc. Int. Joint Conf. Neural
Netw. (IJCNN), Jul. 2016, pp. 3485–3492.
[166] L. Zhen and L. Qiong, ‘‘A new feature selection method for Internet
traffic classification using ML,’’ Phys. Procedia, vol. 33, pp. 1338–1345,
Jan. 2012.
[167] J. Zhang, Y. Xiang, Y. Wang, W. Zhou, Y. Xiang, and Y. Guan, ‘‘Network
traffic classification using correlation information,’’ IEEE Trans. Parallel
Distrib. Syst., vol. 24, no. 1, pp. 104–117, Jan. 2013.
[168] J. Erman, A. Mahanti, and M. Arlitt, ‘‘Qrp05-4: Internet traffic identifica-
tion using machine learning,’’ in Proc. IEEE Global Telecommun. Conf.
(GLOBECOM), Nov. 2006, pp. 1–6.
[169] J. Kornycky, O. Abdul-Hameed, A. Kondoz, and B. C. Barber, ‘‘Radio
frequency traffic classification over WLAN,’’ IEEE Trans. Netw., vol. 25,
no. 1, pp. 56–68, May 2016.
[170] X. Liu, L. Pan, and X. Sun, ‘‘Real-time traffic status classification
based on Gaussian mixture model,’’ in Proc. IEEE Int. Conf. Data Sci.
Cyberspace (DSC), Jun. 2016, pp. 573–578.
[171] J. Erman, M. Arlitt, and A. Mahanti, ‘‘Traffic classification using clus-
tering algorithms,’’ in Proc. SIGCOMM Workshop Mining Netw. Data,
2006, pp. 281–286.
[172] T. T. Nguyen and G. Armitage, ‘‘Clustering to assist supervised machine
learning for real-time IP traffic classification,’’ in Proc. IEEE Int. Conf.
Commun. (ICC), May 2008, pp. 5857–5862.
[173] J. Erman, A. Mahanti, M. Arlitt, I. Cohen, and C. Williamson,
‘‘Offline/realtime traffic classification using semi-supervised learning,’’
Perform. Eval., vol. 64, nos. 9–12, pp. 1194–1213, Oct. 2007.
[174] L. Bernaille, R. Teixeira, I. Akodkenou, A. Soule, and K. Salamatian,
‘‘Traffic classification on the fly,’’ ACM SIGCOMM Comput. Commun.
Rev., vol. 36, no. 2, pp. 23–26, 2006.
[175] S. Zander, T. Nguyen, and G. Armitage, ‘‘Automated traffic classifi-
cation and application identification using machine learning,’’ in Proc.
30th Anniversary IEEE Conf. Local Comput. Netw. (LCN), Nov. 2005,
pp. 250–257.
[176] T. P. Oliveira, J. S. Barbar, and A. S. Soares, ‘‘Computer network traffic
prediction: A comparison between traditional and deep learning neural
networks,’’ Int. J. Big Data Intell., vol. 3, no. 1, pp. 28–37, 2016.
[177] N. Shrivastava and A. Dubey, ‘‘Internet traffic data categorization using
particle of swarm optimization algorithm,’’ in Proc. Symp. Colossal Data
Anal. Netw. (CDAN), Mar. 2016, pp. 1–8.
[178] T. Bakhshi and B. Ghita, ‘‘On Internet traffic classification: A two-phased
machine learning approach,’’ J. Comput. Netw. Commun., vol. 2016,
May 2016, Art. no. 2048302.
[179] J. Yang, J. Deng, S. Li, and Y. Hao, ‘‘Improved traffic detection with
support vector machine based on restricted Boltzmann machine,’’ Soft
Comput., vol. 21, no. 11, pp. 3101–3112, 2017.
[180] R. Gonzalez et al. (2017). ‘‘Net2Vec: Deep learning for the network.’’
[Online]. Available: https://arxiv.org/abs/arXiv:1705.03881
[181] M. E. Aminanto and K. Kim. (2016). Deep Learning-Based Feature
Selection for Intrusion Detection System in Transport Layer. [Online].
Available: http://caislab.kaist.ac.kr/publication/paper_files/2016/
20160623_AM.pdf
[182] L. Nie, D. Jiang, S. Yu, and H. Song, ‘‘Network traffic prediction based
on deep belief network in wireless mesh backbone networks,’’ in Proc.
IEEE Wireless Commun. Netw. Conf. (WCNC), Mar. 2017, pp. 1–5.
[183] C. Zhang, J. Jiang, and M. Kamel, ‘‘Intrusion detection using hierarchical
neural networks,’’ Pattern Recognit. Lett., vol. 26, no. 6, pp. 779–791,
2005.
[184] B. C. Rhodes, J. A. Mahaffey, and J. D. Cannady, ‘‘Multiple self-
organizing maps for intrusion detection,’’ in Proc. 23rd Nat. Inf. Syst.
Secur. Conf., 2000, pp. 16–19.
[185] H. G. Kayacik, A. N. Zincir-Heywood, and M. I. Heywood, ‘‘On the
capability of an SOM based intrusion detection system,’’ in Proc. Int.
Joint Conf. Neural Netw., vol. 3, 2003, pp. 1808–1813.
[186] S. Zanero, ‘‘Analyzing TCP traffic patterns using self organizing maps,’’
in Proc. Int. Conf. Image Anal. Process. Berlin, Germany: Springer, 2005,
pp. 83–90.
[187] P. Lichodzijewski, A. N. Zincir-Heywood, and M. I. Heywood, ‘‘Host-
based intrusion detection using self-organizing maps,’’ in Proc. IEEE Int.
Joint Conf. Neural Netw., 2002, pp. 1714–1719.
[188] P. Lichodzijewski, A. N. Zincir-Heywood, and M. I. Heywood, ‘‘Dynamic
intrusion detection using self-organizing maps,’’ in Proc. 14th Annu. Can.
Inf. Technol. Secur. Symp. (CITSS), 2002, pp. 1–5.
VOLUME 7, 2019
M. Usama et al.: Unsupervised Machine Learning for Networking: Techniques, Applications, and Research Challenges
[189] M. Amini, R. Jalili, and H. R. Shahriari, ‘‘RT-UNNID: A practical solu-
tion to real-time network-based intrusion detection using unsupervised
neural networks,’’ Comput. Secur., vol. 25, no. 6, pp. 459–468, 2006.
[190] O. Depren, M. Topallar, E. Anarim, and M. K. Ciliz, ‘‘An intelligent
intrusion detection system (IDS) for anomaly and misuse detection in
computer networks,’’ Expert Syst. Appl., vol. 29, no. 4, pp. 713–722,
2005.
[191] V. Golovko and L. Vaitsekhovich, ‘‘Neural network techniques for intru-
sion detection,’’ in Proc. Int. Conf. Neural Netw. Artif. Intell., 2006,
pp. 65–69.
[192] A. P. Muniyandi, R. Rajeswari, and R. Rajaram, ‘‘Network anomaly
detection by cascading k-means clustering and C4.5 decision tree algo-
rithm,’’ Procedia Eng., vol. 30, pp. 174–182, Jan. 2012.
[193] P. Casas, J. Mazel, and P. Owezarski, ‘‘Unsupervised network intrusion
detection systems: Detecting the unknown without knowledge,’’ Comput.
Commun., vol. 35, no. 7, pp. 772–783, 2012.
[194] S. Zanero and S. M. Savaresi, ‘‘Unsupervised learning techniques for an
intrusion detection system,’’ in Proc. ACM Symp. Appl. Comput., 2004,
pp. 412–419.
[195] S. Zhong, T. M. Khoshgoftaar, and N. Seliya, ‘‘Clustering-based net-
work intrusion detection,’’ Int. J. Rel., Qual., Saf. Eng., vol. 14, no. 2,
pp. 169–187, 2007.
[196] N. Greggio, ‘‘Anomaly Detection in IDSs by means of unsupervised
greedy learning of finite mixture models,’’ Soft Comput., vol. 22, no. 10,
pp. 3357–3372, 2017.
[197] W. Wang and R. Battiti, ‘‘Identifying intrusions in computer networks
with principal component analysis,’’ in Proc. 1st Int. Conf. Availability,
Rel. Secur. (ARES), Apr. 2006, pp. 1–8.
[198] V. A. Golovko, L. U. Vaitsekhovich, P. A. Kochurko, and U. S. Rubanau,
‘‘Dimensionality reduction and attack recognition using neural network
approaches,’’ in Proc. Int. Joint Conf. Neural Netw. (IJCNN), Aug. 2007,
pp. 2734–2739.
[199] L. A. Gordon, M. P. Loeb, W. Lucyshyn, and R. Richardson, ‘‘2005
CSI/FBI computer crime and security survey,’’ Comput. Secur. J., vol. 21,
no. 3, p. 1, 2005.
[200] Symantec. (2016). Internet Security Threat Report. Accessed:
Feb. 2, 2017. [Online]. Available: https://www.symantec.com/security-
center/threat-report
[201] C.-F. Tsai, Y.-F. Hsu, C.-Y. Lin, and W.-Y. Lin, ‘‘Intrusion detection
by machine learning: A review,’’ Expert Syst. Appl., vol. 36, no. 10,
pp. 11994–12000, 2009.
[202] W.-C. Lin, S.-W. Ke, and C.-F. Tsai, ‘‘CANN: An intrusion detection sys-
tem based on combining cluster centers and nearest neighbors,’’ Knowl.-
Based Syst., vol. 78, pp. 13–21, Apr. 2015.
[203] J. Mazel, P. Casas, R. Fontugne, K. Fukuda, and P. Owezarski, ‘‘Hunting
attacks in the dark: Clustering and correlation analysis for unsupervised
anomaly detection,’’ Int. J. Netw. Manage., vol. 25, no. 5, pp. 283–305,
2015.
[204] C. Sony and K. Cho, ‘‘Traffic data repository at the WIDE project,’’ in
Proc. USENIX Annu. Tech. Conf., FREENIX Track, 2000, pp. 263–270.
[205] E. E. Papalexakis, A. Beutel, and P. Steenkiste, ‘‘Network anomaly detec-
tion using co-clustering,’’ in Encyclopedia of Social Network Analysis
and Mining. New York, NY, USA: Springer, 2014, pp. 1054–1068.
[206] V. Miškovic et al., ‘‘Application of hybrid incremental machine learn-
ing methods to anomaly based intrusion detection,’’ in Proc. 1st Int.
Conf. Elect., Electron. Comput. Eng. (IcETRAN), Vrnjačka Banja, Serbia,
Jun. 2014.
[207] N. F. Haq et al., ‘‘Application of machine learning approaches in intrusion
detection system: A survey,’’ Int. J. Adv. Res. Artif. Intell., vol. 4, no. 3,
pp. 9–18, 2015.
[208] F. Hosseinpour, P. V. Amoli, F. Farahnakian, J. Plosila, and
T. Hämäläinen, ‘‘Artificial immune system based intrusion detection:
Innate immunity using an unsupervised learning approach,’’ Int. J. Digit.
Content Technol. Appl., vol. 8, no. 5, p. 1, 2014.
[209] G. K. Chaturvedi, A. K. Chaturvedi, and V. R. More, ‘‘A study of
intrusion detection system for cloud network using FC-ANN algorithm,’’
Tech. Rep., 2016.
[210] C. Modi, D. Patel, B. Borisaniya, H. Patel, A. Patel, and M. Rajarajan,
‘‘A survey of intrusion detection techniques in cloud,’’ J. Netw. Comput.
Appl., vol. 36, no. 1, pp. 42–57, 2013.
[211] D. J. Weller-Fahy, B. J. Borghetti, and A. A. Sodemann, ‘‘A survey of
distance and similarity measures used within network intrusion anomaly
detection,’’ IEEE Commun. Surveys Tuts., vol. 17, no. 1, pp. 70–91, 1st
Quart., 2015.
VOLUME 7, 2019
[212] R. Mitchell and I.-R. Chen, ‘‘A survey of intrusion detection in wire-
less network applications,’’ Comput. Commun., vol. 42, no. 3, pp. 1–23,
Apr. 2014.
[213] M. Ahmed, A. N. Mahmood, and J. Hu, ‘‘A survey of network anomaly
detection techniques,’’ J. Netw. Comput. Appl., vol. 60, pp. 19–31,
Jan. 2016.
[214] L. Xiao, Y. Chen, and C. K. Chang, ‘‘Bayesian model averaging of
Bayesian network classifiers for intrusion detection,’’ in Proc. IEEE 38th
Int. Comput. Softw. Appl. Conf. Workshops (COMPSACW), Jul. 2014,
pp. 128–133.
[215] B. Al-Musawi, P. Branch, and G. Armitage, ‘‘BGP anomaly detection
techniques: A survey,’’ IEEE Commun. Surveys Tuts., vol. 19, no. 1,
pp. 377–396, 1st Quart., 2017.
[216] B. AsSadhan, K. Zeb, J. Al-Muhtadi, and S. Alshebeili, ‘‘Anomaly detec-
tion based on LRD behavior analysis of decomposed control and data
planes network traffic using SOSS and FARIMA models,’’ IEEE Access,
vol. 5, pp. 13501–13519, 2017.
[217] A. Kulakov, D. Davcev, and G. Trajkovski, ‘‘Application of wavelet
neural-networks in wireless sensor networks,’’ in Proc. 6th Int. Conf.
Softw. Eng., Artif. Intell., Netw. Parallel/Distrib. Comput., 1st ACIS Int.
Workshop Self-Assembling Wireless Netw. (SNPD/SAWN), May 2005,
pp. 262–267.
[218] S. G. Akojwar and R. M. Patrikar, ‘‘Improving life time of wireless
sensor networks using neural network based classification techniques
with cooperative routing,’’ Int. J. Commun., vol. 2, no. 1, pp. 75–86, 2008.
[219] C. Li, X. Xie, Y. Huang, H. Wang, and C. Niu, ‘‘Distributed data mining
based on deep neural network for wireless sensor network,’’ Int. J. Distrib.
Sensor Netw., vol. 11, no. 7, p. 157453, 2014.
[220] E. Gelenbe, R. Lent, A. Montuori, and Z. Xu, ‘‘Cognitive packet net-
works: QoS and performance,’’ in Proc. 10th IEEE Int. Symp. Modeling,
Anal. Simulation Comput. Telecommun. Syst. (MASCOTS), Oct. 2002,
pp. 3–9.
[221] M. Cordina and C. J. Debono, ‘‘Increasing wireless sensor network
lifetime through the application of som neural networks,’’ in Proc. 3rd
Int. Symp. Commun., Control Signal Process. (ISCCSP), Mar. 2008,
pp. 467–471.
[222] N. Enami and R. A. Moghadam, ‘‘Energy based clustering self organiz-
ing map protocol for extending wireless sensor networks lifetime and
coverage,’’ Can. J. Multimedia Wireless Netw., vol. 1, no. 4, pp. 42–54,
2010.
[223] L. Dehni, F. Krief, and Y. Bennani, ‘‘Power control and clustering in
wireless sensor networks,’’ in Proc. IFIP Annu. Medit. Ad Hoc Netw.
Workshop. Boston, MA, USA: Springer, 2005, pp. 31–40.
[224] F. Oldewurtel and P. Mahonen, ‘‘Neural wireless sensor networks,’’ in
Proc. Int. Conf. Syst. Netw. Commun. (ICSNC), Oct. 2006, p. 28.
[225] G. A. Barreto, J. C. M. Mota, L. G. M. Souza, R. A. Frota, and L. Aguayo,
‘‘Condition monitoring of 3G cellular networks through competitive neu-
ral models,’’ IEEE Trans. Neural Netw., vol. 16, no. 5, pp. 1064–1075,
Sep. 2005.
[226] A. I. Moustapha and R. R. Selmic, ‘‘Wireless sensor network modeling
using modified recurrent neural networks: Application to fault detection,’’
IEEE Trans. Instrum. Meas., vol. 57, no. 5, pp. 981–988, May 2008.
[227] D. C. Hoang, R. Kumar, and S. K. Panda, ‘‘Fuzzy C-means clustering
protocol for wireless sensor networks,’’ in in Proc. IEEE Int. Symp. Ind.
Electron. (ISIE), Jul. 2010, pp. 3477–3482.
[228] E. I. Oyman and C. Ersoy, ‘‘Multiple sink network design problem in
large scale wireless sensor networks,’’ in Proc. IEEE Int. Conf. Com-
mun. (ICC), vol. 6, Jun. 2004, pp. 3663–3667.
[229] W. Zhang, S. K. Das, and Y. Liu, ‘‘A trust based framework for secure data
aggregation in wireless sensor networks,’’ in Proc. 3rd Annu. IEEE Com-
mun. Soc. Sensor Ad Hoc Commun. Netw. (SECON), vol. 1, Sep. 2006,
pp. 60–69.
[230] G. Kapoor and K. Rajawat, ‘‘Outlier-aware cooperative spectrum sensing
in cognitive radio networks,’’ Phys. Commun., vol. 17, pp. 118–127,
Dec. 2015.
[231] T. Ristaniemi and J. Joutsensalo, ‘‘Advanced ICA-based receivers for
block fading DS-CDMA channels,’’ Signal Process., vol. 82, no. 3,
pp. 417–431, Mar. 2002.
[232] M. S. Mushtaq, B. Augustin, and A. Mellouk, ‘‘Empirical study based on
machine learning approach to assess the QoS/QoE correlation,’’ in Proc.
17th Eur. Conf. Netw. Opt. Commun. (NOC), Jun. 2012, pp. 1–7.
[233] M. Alreshoodi and J. Woods, ‘‘Survey on QoE\QoS correlation models
for multimedia services,’’ Int. J. Distrib. Parallel Syst., vol. 4, no. 3, p. 53,
2013.
65611
 M. Usama et al.: Unsupervised Machine Learning for Networking: Techniques, Applications, and Research Challenges
[234] A. Testolin, M. Zanforlin, M. De Filippo De Grazia, D. Munaretto,
A. Zanella, and M. Zorzi, ‘‘A machine learning approach to QoE-based
video admission control and resource allocation in wireless systems,’’
in Proc. 13th Annu. Medit. Ad Hoc Netw. Workshop (MED-HOC-NET),
Jun. 2014, pp. 31–38.
[235] S. Przylucki, ‘‘Assessment of the QoE in voice services based on the self-
organizing neural network structure,’’ in Proc. Int. Conf. Comput. Netw.
Berlin, Germany: Springer, 2011, pp. 144–153.
[236] P. Ahammad, B. Kennedy, P. Ganti, and H. Kolam, ‘‘QoE-driven unsu-
pervised image categorization for optimized Web delivery: Short paper,’’
in Proc. ACM Int. Conf. Multimedia, 2014, pp. 797–800.
[237] D. C. Mocanu, G. Exarchakos, and A. Liotta, ‘‘Deep learning for objec-
tive quality assessment of 3D images,’’ in Proc. IEEE Int. Conf. Image
Process. (ICIP), Oct. 2014, pp. 758–762.
[238] B. Francisco, A. Ramon, P.-R. Jordi, and S. Oriol, ‘‘Distributed spectrum
management based on reinforcement learning,’’ in Proc. 14th Int. Conf.
Cognit. Radio Oriented Wireless Netw. Commun., 2009, pp. 1–6.
[239] L. Xuedong, C. Min, X. Yang, B. Llangko, and L. C. M. Victo, ‘‘MRL-
CC: A novel cooperative communication protocol for QoS provisioning in
wireless sensor networks,’’ Int. J. Sensor Netw., vol. 8, no. 2, pp. 98–108,
2010.
[240] P. Geurts, I. El Khayat, and G. Leduc, ‘‘A machine learning approach to
improve congestion control over wireless computer networks,’’ in Proc.
4th IEEE Int. Conf. Data Mining (ICDM), Nov. 2004, pp. 383–386.
[241] K.-S. Hwang, S.-W. Tan, M.-C. Hsiao, and C.-S. Wu, ‘‘Cooperative
multiagent congestion control for high-speed networks,’’ IEEE Trans.
Syst., Man, Cybern. B, Cybern., vol. 35, no. 2, pp. 255–268, Apr. 2005.
[242] K. Winstein and H. Balakrishnan, ‘‘TCP ex machina: Computer-
generated congestion control,’’ ACM SIGCOMM Comput. Commun. Rev.,
vol. 43, no. 4, pp. 123–134, 2013.
[243] T. J. O’Shea and J. Hoydis. (2017). ‘‘An introduction to machine
learning communications systems.’’ [Online]. Available: https://arxiv.org/
abs/1702.00832
[244] T. J. O’Shea, T. Erpek, and T. C. Clancy. (2017). ‘‘Deep learn-
ing based MIMO communications.’’ [Online]. Available: https://arxiv.
org/abs/1707.07980
[245] T. J. O’Shea, J. Corgan, and T. C. Clancy, ‘‘Unsupervised representa-
tion learning of structured radio communication signals,’’ in Proc. 1st
Int. Workshop Sens., Process. Learn. Intell. Mach. (SPLINE), Jul. 2016,
pp. 1–5.
[246] T. Huang, H. Sethu, and N. Kandasamy, ‘‘A new approach to dimension-
ality reduction for anomaly detection in data traffic,’’ IEEE Trans. Netw.
Service Manage., vol. 13, no. 3, pp. 651–665, Sep. 2016.
[247] A. Zoha, A. Saeed, A. Imran, M. A. Imran, and A. Abu-Dayya,
‘‘A learning-based approach for autonomous outage detection and cov-
erage optimization,’’ Trans. Emerg. Telecommun. Technol., vol. 27, no. 3,
pp. 439–450, 2016.
[248] A. Shirazinia and S. Dey, ‘‘Power-constrained sparse gaussian linear
dimensionality reduction over noisy channels,’’ IEEE Trans. Signal Pro-
cess., vol. 63, no. 21, pp. 5837–5852, Nov. 2015.
[249] S. Hou, R. C. Qiu, Z. Chen, and Z. Hu. (2011). ‘‘Svm and dimensionality
reduction in cognitive radio with experimental validation.’’ [Online].
Available: https://arxiv.org/abs/1106.2325
[250] C. Khalid, E. Zyad, and B. Mohammed, ‘‘Network intrusion detection
system using L1-norm PCA,’’ in Proc. 11th Int. Conf. Inf. Assurance
Secur. (IAS), Dec. 2015, pp. 118–122.
[251] E. Goodman, J. Ingram, S. Martin, and D. Grunwald, ‘‘Using bipartite
anomaly features for cyber security applications,’’ in Proc. IEEE 14th Int.
Conf. Mach. Learn. Appl. (ICMLA), Dec. 2015, pp. 301–306.
[252] N. Patwari, A. O. Hero, III, and A. Pacholski, ‘‘Manifold learning visu-
alization of network traffic data,’’ in Proc. ACM SIGCOMM Workshop
Mining Netw. Data, 2005, pp. 191–196.
[253] D. López-Sánchez, A. G. Arrieta, and J. M. Corchado, ‘‘Deep neural
networks and transfer learning applied to multimedia Web mining,’’
in Proc. Int. Symp. Distrib. Comput. Artif. Intell. Cham, Switzerland:
Springer, 2017, p. 124.
[254] T. Ban, S. Pang, M. Eto, D. Inoue, K. Nakao, and R. Huang,
‘‘Towards early detection of novel attack patterns through the lens
of a large-scale darknet,’’ in Proc. Int. IEEE Conf. Ubiquitous
Intell. Comput., Adv. Trusted Comput., Scalable Comput. Commun.,
Cloud Big Data Comput., Internet People, Smart World Congr.
(UIC/ATC/ScalCom/CBDCom/IoP/SmartWorld), Jul. 2016, pp. 341–349.
65612
[255] Q. Niyaz, W. Sun, and A. Y. Javaid. (2016). ‘‘A deep learning based DDoS
detection system in software-defined networking (SDN).’’ [Online].
Available: https://arxiv.org/abs/1611.07400
[256] C. G. Cordero, S. Hauke, M. Mühlhäuser, and M. Fischer, ‘‘Analyz-
ing flow-based anomaly intrusion detection using replicator neural net-
works,’’ in Proc. 14th Annu. Conf. Privacy, Secur. Trust (PST), Dec. 2016,
pp. 317–324.
[257] Z. Chen, C. K. Yeo, B. S. Lee, and C. T. Lau, ‘‘A novel anomaly detection
system using feature-based MSPCA with sketch,’’ in Proc. 26th Wireless
Opt. Commun. Conf. (WOCC), Apr. 2017, pp. 1–6.
[258] T. Matsuda, T. Morita, T. Kudo, and T. Takine, ‘‘Traffic anomaly detec-
tion based on robust principal component analysis using periodic traf-
fic behavior,’’ IEICE Trans. Commun., vol. 100, no. 5, pp. 749–761,
2017.
[259] I. S. Thaseen and C. A. Kumar, ‘‘Intrusion detection model using fusion of
PCA and optimized SVM,’’ in Proc. Int. Conf. Contemp. Comput. Inform.
(IC3I), Nov. 2014, pp. 879–884.
[260] B. Subba, S. Biswas, and S. Karmakar, ‘‘Enhancing performance of
anomaly based intrusion detection systems through dimensionality reduc-
tion using principal component analysis,’’ in Proc. IEEE Int. Conf. Adv.
Netw. Telecommun. Syst. (ANTS), Nov. 2016, pp. 1–6.
[261] I. Z. Muttaqien and T. Ahmad, ‘‘Increasing performance of IDS by
selecting and transforming features,’’ in Proc. IEEE Int. Conf. Commun.,
Netw. Satell. (COMNETSAT), Dec. 2016, pp. 85–90.
[262] N. Y. Almusallam et al., ‘‘Dimensionality reduction for intrusion detec-
tion systems in multi-data streams—A review and proposal of unsu-
pervised feature selection scheme,’’ in Emergent Computation. Cham,
Switzerland: Springer, 2017, pp. 467–487.
[263] Y. Kumar, H. Farooq, and A. Imran, ‘‘Fault prediction and reliability
analysis in a real cellular network,’’ in Proc. 13th Int. Wireless Commun.
Mobile Comput. Conf. (IWCMC), Jun. 2017, pp. 1090–1095.
[264] Z. Nascimento, D. Sadok, S. Fernandes, and J. Kelner, ‘‘Multi-objective
optimization of a hybrid model for network traffic classification by
combining machine learning techniques,’’ in Proc. Int. Joint Conf. Neural
Netw. (IJCNN), Jul. 2014, pp. 2116–2122.
[265] Z. Ansari, M. Azeem, A. V. Babu, and W. Ahmed. (2015).
‘‘A fuzzy approach for feature evaluation and dimensionality reduction
to improve the quality of Web usage mining results.’’ [Online]. Available:
https://arxiv.org/abs/1509.00690
[266] M. A. Alsheikh, S. Lin, H.-P. Tan, and D. Niyato, ‘‘Toward a robust sparse
data representation for wireless sensor networks,’’ in Proc. IEEE 40th
Conf. Local Comput. Netw. (LCN), Oct. 2015, pp. 117–124.
[267] K. Labib and V. R. Vemuri, ‘‘An application of principal component
analysis to the detection and visualization of computer network attacks,’’
Ann. Telecommun., vol. 61, no. 1, pp. 218–234, 2006.
[268] J. Lokoč et al., ‘‘k-NN classification of malware in HTTPS traffic using
the metric space approach,’’ in Proc. Pacific–Asia Workshop Intell. Secur.
Inform. Cham, Switzerland: Springer, 2016, pp. 131–145.
[269] M. Ancona, W. Cazzola, S. Drago, and G. Quercini, ‘‘Visualizing and
managing network topologies via rectangular dualization,’’ in Proc. 11th
IEEE Symp. Comput. Commun. (ISCC), Jun. 2006, pp. 1000–1005.
[270] G. Cherubin et al., ‘‘Conformal clustering and its application to botnet
traffic,’’ in Proc. SLDS, 2015, pp. 313–322.
[271] I. Marsh, ‘‘A lightweight measurement platform for home Internet mon-
itoring,’’ in Proc. IEEE IFIP Netw. Conf. (IFIP Netw.) Workshops,
2017.
[272] J. M. Lewis, V. R. De Sa, and L. Van Der Maaten, ‘‘Divvy: Fast and
intuitive exploratory data analysis,’’ J. Mach. Learn. Res., vol. 14, no. 1,
pp. 3159–3163, 2013.
[273] G. Holmes, A. Donkin, and I. H. Witten, ‘‘Weka: A machine learning
workbench,’’ in Proc. 2nd Austral. New Zealand Conf. Intell. Inf. Syst.,
1994, pp. 357–361.
[274] Q. Liao and S. Stanczak, ‘‘Network state awareness and proactive
anomaly detection in self-organizing networks,’’ in Proc. IEEE Globecom
Workshops (GC Wkshps), Dec. 2015, pp. 1–6.
[275] S. Chernov, D. Petrov, and T. Ristaniemi, ‘‘Location accuracy impact on
cell outage detection in LTE-A networks,’’ in Proc. Int. Wireless Commun.
Mobile Comput. Conf. (IWCMC), Aug. 2015, pp. 1162–1167.
[276] A. Zoha, A. Saeed, A. Imran, M. A. Imran, and A. Abu-Dayya, ‘‘Data-
driven analytics for automated cell outage detection in self-organizing
networks,’’ in Proc. 11th Int. Conf. Design Reliable Commun. Netw.
(DRCN), Mar. 2015, pp. 203–210.
VOLUME 7, 2019
M. Usama et al.: Unsupervised Machine Learning for Networking: Techniques, Applications, and Research Challenges
[277] J. Turkka, F. Chernogorov, K. Brigatti, T. Ristaniemi, and J. Lempiäinen,
‘‘An approach for network outage detection from drive-testing
databases,’’ J. Comput. Netw. Commun., vol. 2012, Sep. 2012,
Art. no. 163184.
[278] N. Kato et al., ‘‘The deep learning vision for heterogeneous network traf-
fic control: Proposal, challenges, and future perspective,’’ IEEE Wireless
Commun., vol. 24, no. 3, pp. 146–153, Jun. 2017.
[279] B. Mao et al., ‘‘Routing or computing? The paradigm shift towards intel-
ligent computer network packet transmission based on deep learning,’’
IEEE Trans. Comput., vol. 66, no. 11, pp. 1946–1960, Nov. 2017.
[280] J. Qadir, N. Ahad, E. Mushtaq, and M. Bilal, ‘‘SDNs, clouds, and big
data: New opportunities,’’ in Proc. 12th Int. Conf. Frontiers Inf. Technol.
(FIT), Dec. 2014, pp. 28–33.
[281] B. A. A. Nunes, M. Mendonca, X.-N. Nguyen, K. Obraczka, and
T. Turletti, ‘‘A survey of software-defined networking: Past, present,
and future of programmable networks,’’ IEEE Commun. Surveys Tuts.,
vol. 16, no. 3, pp. 1617–1634, 3rd Quart., 2014.
[282] H. Kim and N. Feamster, ‘‘Improving network management with software
defined networking,’’ IEEE Commun. Mag., vol. 51, no. 2, pp. 114–119,
Feb. 2013.
[283] J. Ashraf and S. Latif, ‘‘Handling intrusion and DDoS attacks in software
defined networks using machine learning techniques,’’ in Proc. Nat.
Softw. Eng. Conf. (NSEC), Nov. 2014, pp. 55–60.
[284] D. J. Dean, H. Nguyen, and X. Gu, ‘‘Ubl: Unsupervised behavior learning
for predicting performance anomalies in virtualized cloud systems,’’ in
Proc. 9th Int. Conf. Auton. Comput., 2012, pp. 191–200.
[285] D. He, S. Chan, X. Ni, and M. Guizani, ‘‘Software-defined-networking-
enabled traffic anomaly detection and mitigation,’’ IEEE Internet Things
J., vol. 4, no. 6, pp. 1890–1898, Dec. 2017.
[286] K. K. Goswami. (2017). Intelligent Threat-Aware Response System
in Software-Defined Networks. [Online]. Available: http://scholarworks.
sjsu.edu/etd_theses/4801/
[287] A. S. da Silva, J. A. Wickboldt, L. Z. Granville, and A. Schaeffer-Filho,
‘‘ATLANTIC: A framework for anomaly traffic detection, classification,
and mitigation in SDN,’’ in Proc. IEEE/IFIP Netw. Oper. Manage. Symp.
(NOMS), Apr. 2016, pp. 27–35.
[288] S.-H. Zhang, X.-X. Meng, and L.-H. Wang, ‘‘SDNForensics: A compre-
hensive forensics framework for software defined network,’’ in Proc. Int.
Conf. Comput. Netw. Commun. Technol., vol. 3, no. 4, 2017, p. 5.
[289] P. Amaral, J. Dinis, P. Pinto, L. Bernardo, J. Tavares, and H. S. Mamede,
‘‘Machine learning in software defined networks: Data collection and
traffic classification,’’ in Proc. IEEE 24th Int. Conf. Netw. Protocols
(ICNP), Nov. 2016, pp. 1–5.
[290] O. G. Aliu, A. Imran, M. A. Imran, and B. Evans, ‘‘A survey of self
organisation in future cellular networks,’’ IEEE Commun. Surveys Tuts.,
vol. 15, no. 1, pp. 336–361, 1st Quart., 2013.
[291] A. Imran, A. Zoha, and A. Abu-Dayya, ‘‘Challenges in 5G: How to
empower SON with big data for enabling 5G,’’ IEEE Netw., vol. 28, no. 6,
pp. 27–33, Nov./Dec. 2014.
[292] X. X. Wang Li and V. C. M. Leung, ‘‘Artificial intelligence-based tech-
niques for emerging heterogeneous network: State of the arts, opportuni-
ties, and challenges,’’ IEEE Access, vol. 3, pp. 1379–1391, 2015.
[293] A. Misra and K. K. Sarma, ‘‘Self-organization and optimization in het-
erogenous networks,’’ in Interference Mitigation and Energy Manage-
ment in 5G Heterogeneous Cellular Networks. Hershey, PA, USA: IGI
Global, 2017, pp. 246–268.
[294] Z. Zhang, K. Long, J. Wang, and F. Dressler, ‘‘On swarm intelligence
inspired self-organized networking: Its bionic mechanisms, designing
principles and optimization approaches,’’ IEEE Commun. Surveys Tuts.,
vol. 16, no. 1, pp. 513–537, 1st Quart., 2014.
[295] S. Latif, J. Qadir, S. Farooq, and M. A. Imran, ‘‘How 5G wireless
(and concomitant technologies) will revolutionize healthcare?’’ Future
Internet, vol. 9, no. 4, p. 93, 2017.
[296] Z. Wen, R. Yang, P. Garraghan, T. Lin, J. Xu, and M. Rovatsos,
‘‘Fog orchestration for Internet of Things services,’’ IEEE Internet Com-
put., vol. 21, no. 2, pp. 16–24, Feb. 2017.
[297] J. Gubbi, R. Buyya, S. Marusic, and M. Palaniswami, ‘‘Internet of
Things (IoT): A vision, architectural elements, and future directions,’’
Future Generat. Comput. Syst., vol. 29, no. 7, pp. 1645–1660, 2013.
[298] H.-Y. Kim and J.-M. Kim, ‘‘A load balancing scheme based on deep-
learning in IoT,’’ Cluster Comput., vol. 20, no. 1, pp. 873–878, 2017.
VOLUME 7, 2019
[299] D. Puschmann, P. Barnaghi, and R. Tafazolli, ‘‘Adaptive clustering for
dynamic IoT data streams,’’ IEEE Internet Things J., vol. 4, no. 1,
pp. 64–74, Feb. 2017.
[300] H. Assem, L. Xu, T. S. Buda, and D. O’Sullivan, ‘‘Machine learning as
a service for enabling Internet of Things and people,’’ Pers. Ubiquitous
Comput., vol. 20, no. 6, pp. 899–914, 2016.
[301] J. Lee, M. Stanley, A. Spanias, and C. Tepedelenlioglu, ‘‘Integrating
machine learning in embedded sensor systems for Internet-of-Things
applications,’’ in Proc. IEEE Int. Symp. Signal Process. Inf. Technol.
(ISSPIT), Dec. 2016, pp. 290–294.
[302] P. Lin, D.-C. Lyu, F. Chen, S.-S. Wang, and Y. Tsao, ‘‘Multi-style
learning with denoising autoencoders for acoustic modeling in the Inter-
net of Things (IoT),’’ Comput. Speech Lang., vol. 46, pp. 481–495,
Nov. 2017.
[303] R. Sommer and V. Paxson, ‘‘Outside the closed world: On using machine
learning for network intrusion detection,’’ in Proc. IEEE Symp. Secur.
Privacy (SP), May 2010, pp. 305–316.
[304] R. A. R. Ashfaq, X.-Z. Wang, J. Z. Huang, H. Abbas, and Y.-L. He,
‘‘Fuzziness based semi-supervised learning approach for intrusion detec-
tion system,’’ Inf. Sci., vol. 378, pp. 484–497, Feb. 2017.
[305] L. Watkins et al., ‘‘Using semi-supervised machine learning to address the
big data problem in DNS networks,’’ in Proc. IEEE 7th Annu. Comput.
Commun. Workshop Conf. (CCWC), Jan. 2017, pp. 1–6.
[306] S. J. Pan and Q. Yang, ‘‘A survey on transfer learning,’’ IEEE Trans.
Knowl. Data Eng., vol. 22, no. 10, pp. 1345–1359, Oct. 2010.
[307] E. Baştuğ, M. Bennis, and M. Debbah, ‘‘A transfer learning approach
for cache-enabled wireless networks,’’ in Proc. 13th Int. Symp. Mod-
eling Optim. Mobile, Ad Hoc, Wireless Netw. (WiOpt), May 2015,
pp. 161–166.
[308] J. Konečnỳ, H. B. McMahan, F. X. Yu, P. Richtárik, A. T. Suresh,
and D. Bacon. (2016). ‘‘Federated learning: Strategies for improving
communication efficiency.’’ [Online]. Available: https://arxiv.org/abs/
1610.05492
[309] A. Gokhale and A. V. Bhagwat, ‘‘System and method for network address
administration and management in federated cloud computing networks,’’
U.S. Patent 9 667 486, May 30, 2017.
[310] J. H. Abawajy and M. M. Hassan, ‘‘Federated Internet of Things and
cloud computing pervasive patient health monitoring system,’’ IEEE
Commun. Mag., vol. 55, no. 1, pp. 48–53, Jan. 2017.
[311] P. Massonet, L. Deru, A. Achour, S. Dupont, A. Levin, and M. Villari,
‘‘End-to-end security architecture for federated cloud and IoT networks,’’
in Proc. IEEE Int. Conf. Smart Comput. (SMARTCOMP), May 2017,
pp. 1–6.
[312] I. Goodfellow et al., ‘‘Generative adversarial nets,’’ in Proc. Adv. Neural
Inf. Process. Syst., 2014, pp. 2672–2680.
[313] W. Hu and Y. Tan. (2017). ‘‘Generating adversarial malware examples
for black-box attacks based on GAN.’’ [Online]. Available: https://arxiv.
org/abs/1702.05983
[314] K. Grosse, N. Papernot, P. Manoharan, M. Backes, and
P. McDaniel. (2016). ‘‘Adversarial perturbations against deep
neural networks for malware classification.’’ [Online]. Available:
https://arxiv.org/abs/1606.04435
[315] L. Breiman, ‘‘Statistical modeling: The two cultures (with comments and
a rejoinder by the author),’’ Statist. Sci., vol. 16, no. 3, pp. 199–231,
Aug. 2001.
[316] I. Sturm, S. Lapuschkin, W. Samek, and K.-R. Müller, ‘‘Interpretable
deep neural networks for single-trial EEG classification,’’ J. Neurosci.
Methods, vol. 274, pp. 141–145, Dec. 2016.
[317] X. Zhu, C. Vondrick, C. C. Fowlkes, and D. Ramanan, ‘‘Do we need more
training data?’’ in Int. J. Comput. Vis., vol. 119, no. 1, pp. 76–92, 2016.
[318] P. Domingos, ‘‘A few useful things to know about machine learning,’’
Commun. ACM, vol. 55, no. 10, pp. 78–87, 2012.
[319] A. Amin et al., ‘‘Comparing oversampling techniques to handle the class
imbalance problem: A customer churn prediction case study,’’ IEEE
Access, vol. 4, pp. 7940–7957, 2016.
[320] G. P. Zhang, ‘‘Avoiding pitfalls in neural network research,’’ IEEE
Trans. Syst., Man, Cybern. C, Appl. Rev., vol. 37, no. 1, pp. 3–16,
Jan. 2007.
[321] A. Ng, ‘‘Advice for applying machine learning,’’ Stanford Univ., Stan-
ford, CA, USA, Tech. Rep., 2011. [Online]. Available: http://cs229.
stanford.edu/materials/ML-advice.pdf
65613
 M. Usama et al.: Unsupervised Machine Learning for Networking: Techniques, Applications, and Research Challenges
MUHAMMAD USAMA received the bachelor’s
degree in telecommunication engineering from
the Government College University, Faisalabad,
Pakistan, in 2010, and the master’s degree from
the National University of Computer and Emerg-
ing Sciences, Islamabad. He is currently pursuing
the Ph.D. degree in electrical engineering with
the Information Technology University, Lahore,
Pakistan. His research interests include adversarial
machine learning and computer networks.
JUNAID QADIR is currently an Associate Pro-
fessor with the Information Technology Univer-
sity (ITU)-Punjab, Lahore, Pakistan, where he
is also the Director of the IHSAN Lab that
focuses on deploying ICT for development, and is
engaged in systems and networking research. Prior
to joining ITU, he was an Assistant Professor
with the School of Electrical Engineering and
Computer Sciences (SEECS), National University
of Sciences and Technology (NUST), Pakistan.
At SEECS, he directed the Cognet Lab, which focused on cognitive net-
working and the application of computational intelligence techniques in
networking. His research interests include the application of algorithmic,
machine learning, and optimization techniques in networks. In particular, he
is interested in the broad areas of wireless networks, cognitive networking,
software-defined networks, and cloud computing. He has been a recipient of
the Highest National Teaching Award in Pakistan and the Higher Education
Commission’s (HEC) Best University Teacher Award (2012–2013). He is
a member of the ACM. He serves as an Associate Editor for the IEEE
ACCESS, the IEEE Communication Magazine, and the Springer Nature Big
Data Analytics.
AUNN RAZA received the B.S. degree in com-
puter science from the National University of Sci-
ences and Technology (NUST), Pakistan, in 2016.
He is currently pursuing the Ph.D. degree with the
Data Intensive Applications and Systems (DIAS)
Laboratory, EPFL, Switzerland. His research inter-
ests include distributed, high-performance, and
data management systems. In particular, he is
interested in scalability and adaptivity of data man-
agement systems and their designs for modern
hardware.
HUNAIN ARIF received the B.S. degree in
computer science from the National University
of Sciences and Technology (NUST), Pakistan,
in 2016, and the M.S. degree in computer science
(with a specialization in data analytics) from the
Swinburne University of Technology, Australia,
in 2019. He is currently a CRM System Ana-
lyst with BUPA Health Insurance. His role entails
the deployment of the latest business intelligence
and data analytics tools and processes in their
CRM/ERP Systems. He is also currently involved with the Microsoft in
BUPA’s Employee Exchange Program for the performance enhancement of
their latest CRM, Microsoft Dynamics 365.
65614
KOK-LIM ALVIN YAU received the B.Eng. degree
(Hons.) in electrical and electronics engineering
from Universiti Teknologi PETRONAS, Malaysia,
in 2005, the M.Sc. degree in electrical engineer-
ing from the National University of Singapore,
in 2007, and the Ph.D. degree in network engi-
neering from the Victoria University of Welling-
ton, New Zealand, in 2010. He is currently a
Professor with the Department of Computing and
Information Systems, Sunway University. He is
also a Researcher, Lecturer, and Consultant in cognitive radio, wireless
networks, applied artificial intelligence, applied deep learning, and rein-
forcement learning. He was a recipient of the 2007 Professional Engineer
Board of the Singapore Gold Medal for being the Best Graduate of the
M.Sc. degree, in 2006 and 2007, respectively. He serves as a TPC member
and a Reviewer for major international conferences, including the ICC,
VTC, LCN, GLOBECOM, and AINA. He also served as the Vice General
Co-Chair of the ICOIN’18, the Co-Chair of the IET ICFCNA’14, and the
Co-Chair (Organizing Committee) of the IET ICWCA’12. He serves as
an Editor for the KSII Transactions on Internet and Information Systems,
an Associate Editor for the IEEE ACCESS, a Guest Editor for the Special
Issues of the IEEE ACCESS, the IET Networks, the IEEE Computational Intel-
ligence Magazine, and the Journal of Ambient Intelligence and Humanized
Computing (Springer), and a regular Reviewer for over 20 journals, includ-
ing the IEEE journals and magazines, the Ad Hoc Networks, and the IET
Communications.
YEHIA ELKHATIB is currently a Lecturer (Assis-
tant Professor) of distributed systems with the
School of Computing and Communications, Lan-
caster University, U.K., and a Visiting Professor
with the Ecole de Technologie Superieure, Mon-
treal. He works to enable distributed applications
to traverse infrastructural boundaries. In the con-
text of cloud computing, this entails looking into
interoperability and migration challenges, as well
as, related decision support issues. He is the Cre-
ator and Chair of the International Cross-Cloud Workshop Series. Beyond
the cloud, he works on border-free network architectures in intent-driven
systems, systems of systems, and information centric networks. He also
works on advocating network-awareness which involves measuring net-
worked systems, evaluating network protocols, and proposing new network
management strategies.
VOLUME 7, 2019
M. Usama et al.: Unsupervised Machine Learning for Networking: Techniques, Applications, and Research Challenges

AMIR HUSSAIN received the B.Eng. degree ALA AL-FUQAHA received the Ph.D. degree in
(Hons.) and the Ph.D. degree (in novel neural net- computer engineering and networking from the
work architectures and algorithms for real-world University of Missouri-Kansas City, Kansas City,
applications) from the University of Strathclyde, MO, USA, in 2004. His research interests include
Glasgow, U.K., in 1992 and 1997, respectively. the use of machine learning in general and deep
Following the postdoctoral and senior academic learning, in particular, in support of the data-driven
positions held at the Universities of West of and self-driven management of large-scale deploy-
Scotland (1996–1998), Dundee (1998–2000), and ments of the IoT and smart city infrastructure and
Stirling (2000–2018) respectively, he joined Edin- services, wireless vehicular networks (VANETs),
burgh Napier University, U.K., in 2018, as the cooperation and spectrum access etiquette in cog-
founding Director of the Cognitive Big Data and Cybersecurity (CogBiD) nitive radio networks, and management and planning of software defined
Research Lab, managing over 25 academic and research staff. He is invited networks (SDN). He is an ABET Program Evaluator (PEV). He serves on the
Visiting Professor with leading universities and research & innovation cen- editorial boards and technical program committees of multiple international
ters world-wide, including with Taibah Valley, Taibah University, Medina, journals and conferences.
Saudi Arabia. His research interests are cross-disciplinary and industry
focused, aimed at pioneering brain-inspired and cognitive Big Data tech-
nology for solving complex real-world problems. He has coauthored three
international patents, over 400 publications (with nearly 150 journal papers),
and over a dozen Books. He has led major multi-disciplinary research
projects, funded by the national and European research councils, local and
international charities and industry, and has supervised over 30 PhDs until
now. Amongst other distinguished roles, he is the General Chair for the
IEEE WCCI 2020 (the world’s largest and top IEEE technical event in
Computational Intelligence, comprising IJCNN, FUZZ-IEEE, and the IEEE
CEC), the Vice-Chair of the Emergent Technologies Technical Committee
of the IEEE Computational Intelligence Society, and the Chapter Chair of
the IEEE UK & Ireland, Industry Applications Society Chapter. He is the
founding Editor-in-Chief of the Cognitive Computation Journal (Springer)
and the BMC Big Data Analytics Journal. He has been appointed as an
Associate Editor of several other world-leading journals, including the IEEE
TRANSACTIONS ON NEURAL NETWORKS AND LEARNING SYSTEMS, the Information
Fusion Journal, (Elsevier), the IEEE TRANSACTIONS ON EMERGING TOPICS
IN COMPUTATIONAL INTELLIGENCE, and the IEEE Computational Intelligence
Magazine.

VOLUME 7, 2019 65615