
See discussions, stats, and author profiles for this publication at: https://www.researchgate.net/publication/354914936

Autoencoder-based IDS for cloud and mobile devices

Conference Paper · May 2021
DOI: 10.1109/CCGrid51090.2021.00088

3 authors: Kamil Faber, Lukasz Faber and Bartłomiej Śnieżyński, AGH University of Science and Technology in Kraków

All content following this page was uploaded by Bartłomiej Śnieżyński on 04 October 2021.


Autoencoder-based IDS for cloud and mobile devices

Kamil Faber*, Lukasz Faber† and Bartlomiej Sniezynski‡
Institute of Computer Science, AGH University of Science and Technology, Cracow, Poland
Email: *[email protected], †[email protected], ‡[email protected]

Abstract—Along with the popularization of cloud computing and the increase in responsibilities of mobile devices, there is a need for intrusion detection systems able to work in these two new areas. At the same time, the increase in the computational power of mobile devices gives us the possibility to use them to do a part of the data preprocessing. Similarly, more complex operations can be executed in the cloud – this concept is known as mobile cloud computing. In this paper, we propose an autoencoder-based intrusion detection system applicable to cloud and mobile environments. The system provides multiple data gathering points, allowing it to monitor either fully controlled networks, like virtual networks in the cloud, or mobile devices scattered across different networks. The monitoring process uses both mobile devices and cloud computational power. Gathered network traffic records are sent to the proper intrusion detection node, which executes the detection process. In case of suspicious behavior, an alert about a possible intrusion can be sent to the device owner. The detection process is based on an autoencoder neural network, which brings significant advantages: an anomaly-based approach, training only on benign samples, and good performance. To improve detection results, we created time-window-based features, and there is also a possibility to share computed statistics between intrusion detection nodes. In the experiments, we construct three models using pure network flow data and time-window-based features. The results show that the autoencoder-based approach can detect, with high performance, attacks not known during the training process. We also prove that the created derived features have a significant impact on detection results.

Index Terms—intrusion detection system, autoencoder, machine learning, security, mobile cloud computing

I. INTRODUCTION

As the years go by, the number of devices connected to the global network grows steadily. According to the IoT Analytics report [1], there are almost 22 billion active connected devices worldwide. Simultaneously, the number of hacker attacks increases – according to [2], in 2020 Q2 the number of unique incidents grew by 59% compared to the previous year. A significant part of providing security is analyzing network traffic to detect abnormal behaviors, which can signal that the system is under attack. This task is usually carried out by an Intrusion Detection System (IDS), which is responsible for detecting an intrusion and then alerting an administrator. With the increasing use of the cloud architecture and mobile devices, there are new challenges that need to be faced, including the possibility to monitor mobile devices and hosts located in different networks. More issues and challenges were indicated in a study of intrusion detection techniques in mobile cloud computing environments in [3].

In this work, we propose a novel idea of an autoencoder-based intrusion detection system, which has the following features:
• It works on network flow data, without analyzing the packets' payload, which allows it to work with encrypted traffic and protects users' privacy.
• It allows us to monitor mobile devices and detect anomalies in their behavior, and therefore to notify their user about a possible intrusion.
• It allows us to monitor networks in which we have access to all packets passing through (using packet sniffing) – like virtual networks in cloud environments.
• It can use the mobile devices' computing power to do some preprocessing, but most of the computation is done outside those devices.
• It shares data between different networks.
• It uses a neural network – an autoencoder – to execute intrusion detection with an anomaly-based approach.

In the next section, we shortly overview related works, including machine learning methods used in intrusion detection, cloud-based IDS, and the autoencoder architecture. Then, we describe the proposed intrusion detection system, indicating its most essential features. After that, we run experiments to show that the proposed autoencoder-based approach is suitable for intrusion detection on network flows. There are significant improvements if we use derived time-window-based features. At the end, we summarize our conclusions and indicate possible future works.

II. RELATED WORKS

A. Intrusion Detection Systems

There are two main classifications for intrusion detection systems, discussed in [4]. One is based on the detection method, and the second one on the place where the detection process is applied. Moreover, it is possible to differentiate two main categories of detection methods. The first one is signature-based intrusion detection, which is based on previously accumulated knowledge about attacks and vulnerabilities. The advantages and disadvantages of such an approach were pointed out in many papers like [4] or [5]. The most crucial advantage is a low
false positive ratio and a high detection level of known attacks. Unfortunately, this approach cannot handle the detection of previously unknown attacks. Another category is anomaly-based intrusion detection, which assumes that it is possible to detect an intrusion by observing deviations from the normal behavior of the users or the system. It recognizes any abnormal activity as an intrusion. The main advantage of anomaly-based systems is that they can detect new, never-seen attacks, and the main disadvantage is usually a high false positive ratio. Other advantages and disadvantages were presented in [5], [6] and [7].

Taking into account the source of data, intrusion detection systems are usually divided into host-based (HIDS) and network-based intrusion detection systems (NIDS). In HIDS, data are gathered from hosts, while in NIDS, the detection can be based on pure information about network flows or, with a technique called Deep Packet Inspection, on the extracted payload of network packets. Recently, there were also multiple mentions (for example, in [8]) of a distributed intrusion detection system (DIDS), which contains a lot of smaller detection nodes that can communicate with each other or with a centralized server.

B. Machine learning methods for intrusion detection

Machine learning techniques have been used in the intrusion detection problem for many years. However, recently, the deep neural network architecture is becoming more and more popular, and this trend also impacts intrusion detection. Many of the new research papers focus on applying deep learning techniques in this domain.

In [9] the authors provided a comprehensive overview of deep learning approaches applied to the intrusion detection task. They also listed the most important data sets used during the last 20 years. The authors applied seven deep learning models to two modern data sets – CSE-CIC-IDS2018 and Bot-IoT. Their work provides valuable insights and a summary of many machine learning approaches to the intrusion detection task.

In [6], the authors did an overview of flow-based anomaly detection techniques, including the older ones and the most modern ones. They indicated that the anomaly-based approach working on network flow data has great potential and may answer the needs of intrusion detection systems. However, they also note that there are still many difficulties that need to be addressed, like minimizing the false positive ratio and improving detection results.

In [10] the authors applied deep neural networks with three different architectures, each with three layers and with different sizes of the hidden layer. They executed experiments on the original data distribution and on more balanced data obtained using down-sampling, up-sampling, class balancing, and spread sub-sampling. On the original distribution, they were able to achieve an accuracy of 99.65%. In other cases, their results were slightly worse. In the up-sampling and spread sub-sampling cases, the authors did not manage to achieve over 97%.

In [11] the authors attempted to detect port scan attacks with a Deep Neural Network (DNN) architecture. They used the same data set that we use – CICIDS2017. They filtered only attacks labeled as port scans and applied the down-sampling method to get a subset with balanced classes. The results achieved for port scans were very high – both the precision and the recall had a value of 99%. In the same paper, they applied an SVM to the same task; however, it had low results – the precision at the level of 80% and the recall at 70%.

The long short-term memory (LSTM) architecture (first proposed in [12]) is well-suited for tasks based on time series and sequence data. Since network traffic is an example of a time series, the LSTM was also applied to the intrusion detection problem. In [13] the authors implemented a classifier based on LSTM-RNN and compared it to other methods (like KNN, SVM, PNN). LSTM was also tested on the CIDDS-001 data set in [14]. They tried a few different LSTM architectures and compared them to other methods (C4.5, Random Forest, Hoeffding Tree, Naive Bayes, SVM). The experiment results showed that LSTM achieves similar or better results than the other methods, which indicates that considering a perspective more comprehensive than just a single network flow may improve results.

Over the last few years, there have been a few approaches to apply autoencoders – a particular type of neural network, which we also use in our approach. In [15] the authors proposed a complex framework based on an ensemble of autoencoders with prior feature extraction, including window-based features. One of their main focuses was creating a detection method capable of running online on devices with low resources. The authors tested the proposed solution in a real environment built from a few IoT devices and achieved promising results. In [16] the authors applied a deep autoencoder trained in a greedy layer-wise way and tested it on the KDD-99 data set. A similar approach, but with additional random-forest feature selection, was applied in [17]. In [18] the authors proposed an optimization of computational cost by using just one detector for most of the network flows and a second one only for the most challenging cases. There were also approaches to use specialized types of autoencoders – for example, in [19] a denoising autoencoder was applied and verified on the NSL-KDD data set, achieving high results.

C. Cloud-based IDS

A need to create intrusion detection systems explicitly adapted for the cloud environment was mentioned and emphasized in [20] and in [8], in which the authors provided a study of challenges and solutions for cloud intrusion detection. There is also a comprehensive study of computational intelligence intrusion detection techniques in mobile cloud computing environments [3]. The authors compared data sets and methods applied since the beginning of the cloud. They also indicated many open research issues, including the location of the IDS. In [21] the authors proposed an intrusion detection method using a deep neural network architecture built with Improved Genetic. Their solution achieved good results in detecting
attacks based on network flows from the data set used also in our experiments, CICIDS2017. In [22] the authors created a multi-layer neural network optimized with hybrid glow swarm optimization–tabu search for an intrusion detection system in a cloud environment. This optimization helped them improve detection performance. An innovative, hypervisor-level distributed network security framework was proposed in [23] to increase the cloud's security. The authors also applied an anomaly-based detection method and tested it on three data sets, including CICIDS2017. However, their work was more focused on protecting services based in the cloud than on mobile devices.

In [24] the authors proposed a hybrid intrusion detection system, which comprises two parts – the first one for detection on the virtual machine level and the second one for network threat detection, which is also our concern. Another innovative intrusion detection scheme, based on a clustering algorithm and distance-based traffic filtration, was proposed in [25]. The authors of [3] provided an in-depth analysis and overview of existing intrusion detection systems for mobile cloud computing. They also described open issues in this research area, including the IDS location, heterogeneity of the environment, and the lack of up-to-date signatures.

D. Autoencoder

An autoencoder is a special type of neural network architecture. We may consider it as built of three parts:
1) Code: A code layer is a hidden layer placed between the encoder and the decoder. It represents a code h used to encode the input.
2) Encoder: The goal of the encoder is to transform the input into the code. It can be formally written as:
h = f(x) (1)
where x is the input and f is the encoding function provided by the encoder.
3) Decoder: The goal of the decoder is to transform the code into the output, which reflects the previously encoded input. It can be formally written as:
y = g(h) = g(f(x)) (2)
where y is the output, h is the code and g is the decoding function provided by the decoder.

As indicated in [26], in the training phase we do not want the autoencoder to learn to simply copy the input, as it would not be advantageous. The goal is to restrict the model so that it must do an approximate copy. As a result, we force the model to choose which aspects of the input it should copy. Thanks to that, the autoencoder is often able to learn valuable properties of the data.

We may consider the autoencoder as a particular case of a feedforward network and train it with all the same techniques. The goal of the learning process is minimizing the given loss function, which is calculated by comparing the input and the output of the model.

Fig. 1. Structure of the shallow undercomplete autoencoder (input layer ∈ ℝ⁶, hidden layer ∈ ℝ², output layer ∈ ℝ⁶).

According to [26], autoencoders were initially used mostly for feature learning and dimensionality reduction, as they achieve better results than PCA. However, in the last years, autoencoders have had a much wider application – they are used, for example, in generative modeling and anomaly detection. That last application is the main point of interest in this work.

Undercomplete autoencoder: One way to get useful properties in the hidden layer is to constrain the size of the code to have a smaller dimension than the input. This approach should force the autoencoder to capture the structure of the training data. An autoencoder with a code dimension smaller than the input size is named undercomplete. Its sample structure is presented in Figure 1.

III. PROPOSED SOLUTION

We propose a distributed IDS architecture that can monitor mobile devices and, at the same time, does most of the computation outside of those devices. We present the structure of the system in Figure 2. We can differentiate three main elements of the proposed IDS:
• M – a set of Monitors;
• N – a set of Intrusion Detection Nodes;
• C – a set of connections between Monitors and Intrusion Detection Nodes.

A Monitor is an element responsible for gathering data necessary for the intrusion detection process, preprocessing them, and sending them to an Intrusion Detection Node (IDN). Every IDN receives data from a few Monitors and creates new derived features based on the time-window. In the next step, it shares computed statistics with other IDNs to improve detection performance. The core work of the IDN is to execute an anomaly-based detection process. We provide the details of every part of the system in the following paragraphs.

A. Gathering data in IDS

The data used by the proposed IDS are records of bidirectional network flows. There is no need to analyze the contents of the payloads of the packets. This approach results in two critical advantages: the ability to handle encrypted traffic and the protection of users' privacy.
Fig. 2. A structure of the proposed IDS.

We differentiate two cases of data gathering and, therefore, two types of Monitors. As the first case, we consider a situation in which there is a possibility to monitor the whole traffic in the network. It concerns cases like controlled local networks, cellular base stations, or virtual switches in some cloud environments. As the second case, we consider monitoring mobile devices scattered in various networks, in which we do not have access to the provider's infrastructure and cannot monitor them as a whole. In such a situation, we use those mobile devices as monitoring points. All of them gather data about their network traffic, preprocess them, and then send them to the Monitor, which forwards them to the intrusion detection node.

We can consider a case in which mobile devices are infected and malware blocks or alters data before sending it to the Monitor. In such a situation, there are two possible scenarios. If no data are sent, the intrusion detection node notices it and notifies the owner about the issue. If data received from a mobile device are altered to hide malware actions and pretend to behave appropriately, the intrusion detection process may not detect the infection. However, it does not affect the ability of the system to detect other intrusions.

B. Transforming data into features

There are two steps of processing gathered data into features. The first one is done at the Monitors or the monitored mobile devices. Raw network traffic records are transformed into basic statistics describing every bidirectional network flow. Examples of such features are the duration of the network flow and the number of bytes sent in the flow. This process can be done using tools like CICFlowMeter provided by [27].

The second step is executed at the Intrusion Detection Node, and it includes computing statistics based on a broader perspective than the one available to a single Monitor. The purpose of those derived features is to improve detection performance. They are computed based on data gathered from all Monitors assigned to the given Intrusion Detection Node and grouped into a so-called time-window. Time-window data are network flows from some period. They can be limited either by time (for example, 10 minutes) or by a number of last connections that should be stored (for example, the last 100 connections). We create the following features based on a time-window:
1) Number of connections from the source IP address;
2) Number of different destination ports referenced by the source IP address;
3) Number of different pairs (destination IP, destination port) referenced by the source IP address;
4) Number of connections to the same destination IP address;
5) Number of connections to the same destination IP address and destination port number;
6) Total flows duration between source and destination IP addresses.

C. Data shared between Intrusion Detection Nodes

To improve the computation of derived features, we also consider the possibility to share data between Intrusion Detection Nodes. An IDN can periodically send the minimal statistics required to compute features 1-3 from the previous paragraph. The decision which nodes share data must find a balance between pros and cons. Sharing data between too many nodes may increase data transfer and slow down the detection process. On the other hand, narrowing data exchange too much may lower the detection ratio.

D. Detection process

The detection process is executed by autoencoders – the neural network architecture shortly introduced in section II-D. There are several reasons why we decided to use autoencoders:
• Anomaly detection based approach;
• Good performance and detection results;
• A training phase requires only a benign class;
• Possibility to improve a model with the use of incremental learning.

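The detection rule of section III-D and the reporting of section V, as an added example that is not the paper's code: the cut-off is derived from benign reconstruction errors alone, which is what "a training phase requires only a benign class" buys the defender, and the detection rate is read off at the false positive rates the paper uses. The reconstruction error lists are constructed stand-ins, not outputs of a trained autoencoder.

```python
from bisect import bisect_left, bisect_right


def reconstruction_error(x, y):
    """Eq. (4) with p = mean squared error between input x and output y = g(f(x))."""
    if len(x) != len(y) or not x:
        raise ValueError("x and y must be non-empty and of equal length")
    return sum((yi - xi) ** 2 for xi, yi in zip(x, y)) / len(x)


def label(re, threshold):
    """Eq. (3): Normal when RE <= Threshold, Anomaly otherwise."""
    return "Normal" if re <= threshold else "Anomaly"


def threshold_for_fpr(benign_re, fpr):
    """Choose the cut-off from benign reconstruction errors only, so that at
    most a fraction `fpr` of benign samples (absent ties) would exceed it."""
    ordered = sorted(benign_re)
    allowed = int(fpr * len(ordered))  # benign samples allowed above the cut-off
    return ordered[len(ordered) - allowed - 1]


def tpr_at_fpr(benign_re, attack_re, fpr):
    """Detection rate of attack samples at the threshold fixed for `fpr`."""
    thr = threshold_for_fpr(benign_re, fpr)
    detected = sum(1 for r in attack_re if label(r, thr) == "Anomaly")
    return detected / len(attack_re)


def roc_auc(benign_re, attack_re):
    """Area under the ROC curve as the rank statistic: the probability that a
    random attack sample has a larger RE than a random benign one, with ties
    counted as one half."""
    ordered = sorted(benign_re)
    total = 0.0
    for r in attack_re:
        below = bisect_left(ordered, r)
        ties = bisect_right(ordered, r) - below
        total += below + 0.5 * ties
    return total / (len(ordered) * len(attack_re))


# Constructed stand-ins for the RE an autoencoder trained on benign flows
# would produce: benign errors spread evenly over [0, 1), attack errors
# shifted upward and overlapping the benign range. All values are exact
# binary fractions, so the comparisons above involve no rounding.
BENIGN_RE = [i / 1024 for i in range(1024)]
ATTACK_RE = [(512 + 8 * i) / 1024 for i in range(128)]


def fpr_tpr_table(benign_re, attack_re, fprs=(0.0, 0.001, 0.01, 0.05)):
    """FPR/TPR pairs in the form the paper reports in Table IV."""
    return {fpr: tpr_at_fpr(benign_re, attack_re, fpr) for fpr in fprs}


if __name__ == "__main__":
    print("ROC-AUC:", roc_auc(BENIGN_RE, ATTACK_RE))
    for fpr, tpr in fpr_tpr_table(BENIGN_RE, ATTACK_RE).items():
        print(f"FPR {fpr:<6} TPR {tpr:.3f}")
```

With a real model the two lists are the mean squared errors of held-out benign and attack flows, and the benign errors used to fix the threshold must not be the ones the autoencoder was trained on.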
Below, we shortly explain how we apply the autoencoder in the intrusion detection problem.

1) Training phase: The first step is training the model so that it learns the characteristics of the benign network traffic. The training process uses only normal data. The goal of the model is to minimize the value of the reconstruction error. We use Mean Squared Error as the loss function – the mean of the squares of the differences between the output and the input. During the training phase, the autoencoder learns how to reconstruct samples with typical characteristics. It means that it should provide a low reconstruction error for a benign sample.

2) Detection phase: In the detection process, the model is used to reconstruct an input sample. After that, we calculate the reconstruction error comparing the predicted values to the original input. If the reconstruction error is high, it indicates that the sample has different characteristics than the training data and therefore can be classified as an anomaly. It can be formally written as:

Label = { Normal, if RE ≤ Threshold
        { Anomaly, if RE > Threshold    (3)

where

RE = p(g(f(x)) − x) (4)

where RE is the Reconstruction Error, p is a metric function (in our case the mean squared error), and the threshold for the cut-off point is chosen arbitrarily. The choice of the threshold should be made considering the potential cost of false positives and false negatives. All anomalies are classified as malicious traffic. In our experiments we do not choose a single value of the threshold; instead, we show true positive ratio results for a few false positive values.

E. Notification for mobile device owner

If an intrusion detection node detects some suspicious behavior originating from an end device monitored by Monitors, a notification about it may be sent to this device. Therefore, it is possible to inform the owner of the device (for example, a mobile phone) about suspicious behavior and a possible threat (malware, access without permission). It can be achieved, for example, by the use of push notifications from a dedicated mobile app or email messages to a user protected by the system. This approach can help in the detection of compromised mobile devices, while at the same time it does not require running the whole detection process on mobile devices. Thanks to that, it is possible to optimize how much computation is done on the mobile phone while moving the rest to the Monitors or Intrusion Detection Nodes.

F. Model retraining

In real-life situations, the characteristics of network traffic are not constant – they evolve due to changes in infrastructure or users' behavior. Such changes are known as concept drift. To keep the models up to date, the system should be extended with the possibility to improve the model over time. It requires periodically gathering records of network traffic in the Traffic Database and using them to improve the model in the Training Module. The model can be fully retrained or improved with the use of incremental learning. After that, the new model can be uploaded to the intrusion detection nodes. That approach requires administrator activity, as they must decide when the model should be retrained and filter training samples so that they contain only benign traffic.

G. Potential of scalability

The distributed nature of the proposed intrusion detection system also makes it easier to scale. The first issue to consider is creating smaller subsets of intrusion detection nodes that share data between them but not between all the detection nodes. It may have a slight negative impact on detection results, but at the same time, it minimizes the volume of shared data.

We should also consider whether the central traffic database will become a bottleneck. As the database's primary goal is to provide data for the training module, we do not have to send and store all records of network flows there. As we mentioned in section III-F, this process requires only periodic gathering of network traffic records. We can also have a separate traffic database and training module for every separated subset of intrusion detection nodes. This approach can lead to the creation of models specialized for a particular part of the network. However, there is still a need to examine in which situations it will improve detection results and in which it can have a negative impact.

IV. EXPERIMENTS

The experiments concentrate on testing the proposed approach to detect intrusions at an Intrusion Detection Node. We set the following goals for them:
• We would like to show that the proposed autoencoder-based architecture is suitable for the intrusion detection task using network flows as input data.
• We would like to show an improvement in detection performance due to derived features based on a time-window.

In the experiments, we compare the effectiveness of three types of models:
1) Undercomplete autoencoder for single flow features;
2) Undercomplete autoencoder for single flow features and window-based features prepared by us, where the window contains the last 100 samples;
3) Undercomplete autoencoder for single flow features and window-based features, where the window contains samples from the last 10 minutes.

The hyperparameters in the used models were chosen manually based on many executions of experiments and are presented in Tables I and II.

To evaluate the proposed models, we use CICIDS2017 [28] – a modern data set generated by the Canadian Institute for Cybersecurity. In [29], a comprehensive survey of available data sets for network-based intrusion detection, the authors reviewed 35 different data sets, analyzing them from the
TABLE I
ARCHITECTURE OF THE UNDERCOMPLETE AUTOENCODER (MODEL 1).

L. no.  Type    Size  Activation function
1       Input   79    –
2       Dense   36    relu
3       Output  79    sigmoid

TABLE II
ARCHITECTURE OF THE UNDERCOMPLETE AUTOENCODER WITH TIME-WINDOW-BASED FEATURES (MODELS 2 AND 3).

L. no.  Type    Size  Activation function
1       Input   85    –
2       Dense   36    relu
3       Output  85    sigmoid

TABLE III
ROC-AUC VALUES FOR ALL USED MODELS.

Model                     ROC-AUC
1  Single flow features   0.884
2  100 samples window     0.926
3  10 minutes window      0.988

TABLE IV
FPR AND TPR PAIRS FOR THE EXPERIMENTS.

              FPR:  0     0.001  0.01  0.05
TPR  Model 1        0     0.36   0.50  0.60
     Model 2        0.0   0.28   0.42  0.49
     Model 3        0.34  0.79   0.89  0.94

TABLE V
ROC-AUC VALUES FOR EVERY ATTACK IN MODEL 3

Attack type        ROC-AUC
Bot                0.850
DDoS               0.998
DoS GoldenEye      0.991
DoS Hulk           0.999
DoS Slowhttptest   0.980
DoS slowloris      0.907
FTP-Patator        0.792
Heartbleed         0.999
Infiltration       0.980
PortScan           0.990
SSH Patator        0.817
Web Brute Force    0.635
SQL Injection      0.898
Web XSS            0.600

TABLE VI
CONFUSION MATRIX FOR FPR=0.01 (MODEL 3)

               Actual P   Actual N
Predicted P    499211     4543
Predicted N    57345      449720

perspective of 15 various properties. They have shown that CICIDS2017 is a significant improvement compared to the previous ones. It contains 3.1M network flows gathered in an emulated environment over five days. Normal user behavior was generated by a Benign Profile Agent simulating 25 users, while attacks were executed with the use of common tools. The data set contains the following attacks: DoS GoldenEye, Heartbleed, DoS Hulk, DoS Slowhttp, DoS slowloris, SSH-Patator, FTP-Patator, Web Attack, Infiltration, Bot, PortScan, and DDoS. Gathered network flows were transformed into 80 features by CICFlowMeter [27]. In our experiments, we use all of them except for the timestamp. Details of the creation process and a description of the data set are provided in [28]. The authors followed the criteria of a benchmark data set defined in [30]. The choice of executed attacks is based on a list of currently common attack families, and some have built-in obfuscation. It is suitable for our experiments as it contains records of network flows and can simulate network traffic present in the cloud. Before the experiments, we cleaned the data, removing records with missing values. We also applied MinMaxScaler from the scikit-learn Python library. A detailed analysis of the data set was provided in [31].

V. ANALYSIS OF THE RESULTS

To evaluate the results of the experiments, we decided to use the following metrics:
• The Receiver Operating Characteristic (ROC) curve plot shows the true positive rate (TPR) against the false positive rate (FPR) [32]. TPR is also known as the detection rate and FPR as the false alarm rate.
• ROC-AUC is the Area Under the ROC Curve. We decided to use ROC-AUC because those two metrics are very intuitive for the intrusion detection problem, as they capture the dependence between TPR and FPR. It is beneficial, as the detection rate and false alarm rate are very natural and easy to interpret in the considered context.
• A table with typical false positive rates (0.001, 0.01, 0.05) and the corresponding true positive rates. It allows one to read precise values more easily than from a ROC plot and provides an easy way to compare the models' ability to achieve a high detection rate while keeping a low false detection rate.

We provide the ROC-AUC values for every model in Table III, while FPR and TPR pairs are in Table IV. We also present the ROC-AUC values for model 3 for every attack in Table V and the confusion matrix for model 3 in Table VI. Below we provide a thorough analysis of those results, and we also show detailed results for different attacks.

Impact of working with more than a single network flow

Looking at the results in Table IV we can see that adding time-window-based features significantly improves the results achieved by the models. The second and the third models are significantly better in detecting malicious traffic than the
Bot DDoS DoS GoldenEye
1.0 1.0 1.0
0.8 0.8 0.8
0.6 0.6 0.6

TPR
0.4 0.4 0.4
0.2 0.2 0.2
0.0 0.0 0.0
0.00 0.25 0.50 0.75 1.00 0.00 0.25 0.50 0.75 1.00 0.00 0.25 0.50 0.75 1.00
DoS Hulk DoS Slowhttptest DoS slowloris
1.0 1.0 1.0
0.8 0.8 0.8
TPR 0.6 0.6 0.6
0.4 0.4 0.4
0.2 0.2 0.2
0.0 0.0 0.0
0.00 0.25 0.50 0.75 1.00 0.00 0.25 0.50 0.75 1.00 0.00 0.25 0.50 0.75 1.00
FTP-Patator Heartbleed Infiltration
1.0 1.0 1.0
0.8 0.8 0.8
0.6 0.6 0.6
TPR

0.4 0.4 0.4


0.2 0.2 0.2
0.0 0.0 0.0
0.00 0.25 0.50 0.75 1.00 0.00 0.25 0.50 0.75 1.00 0.00 0.25 0.50 0.75 1.00
PortScan SSH-Patator Web Attack Brute Force
1.0 1.0 1.0
0.8 0.8 0.8
0.6 0.6 0.6
TPR

0.4 0.4 0.4


0.2 0.2 0.2
0.0 0.0 0.0
0.00 0.25 0.50 0.75 1.00 0.00 0.25 0.50 0.75 1.00 0.00 0.25 0.50 0.75 1.00
FPR
Web Attack Sql Injection Web Attack XSS
1.0 1.0
0.8 0.8
0.6 0.6
TPR

0.4 0.4
0.2 0.2
0.0 0.0
0.00 0.25 0.50 0.75 1.00 0.00 0.25 0.50 0.75 1.00
FPR FPR

Fig. 3. ROC curves for every attack type in the experiment 3.

undercomplete model with only single network flow features By comparing results for model 1 (single flows) and model
as input. 3 (10 minutes window), we observed the following results of
In Figure 3 we present our analysis of separate ROC curves adding time-window-based features:
for every label in experiment 3 (the model trained with features 1) The ability to detect DDoS attacks, DoS Hulk, PortScan
computed for 10 minutes window). was significantly improved.
We can notice that the following attacks are very well 2) The ability to detect SSH-Patator, FTP-Patator, and Bot
detected for the enhanced features set: DDoS, DoS GoldenEye, attacks was slightly improved.
DoS Hulk, DoS Slowhttptest, Heartbleed, Infiltration. Most of 3) There was no significant improvement in the detection
these attacks are based on sending many requests continuously, of Web Attacks.
which may be why time-window features improve their detec- The first conclusion seems to be pretty obvious – all these
tion. We can also notice that the mobile devices can be used attacks are based on sending many requests. The fascinating
in some of those attacks, like DDoS. Therefore, applying that thing is that the detection of FTP-Patator is much better, while
approach may improve the detection of compromised devices there is just a slight improvement in SSH-Patator detection.
and allow to notify the owners about possible threats. One possible explanation is that SSH protocol is encrypted

7
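The evaluation procedure of Section V (a threshold chosen for a target false positive rate, the true positive rate it yields, the confusion matrix of Table VI with its precision and recall, and the per-attack ROC-AUC of Table V) can be reproduced from a list of per-flow anomaly scores. The following Python code is an added example and not the authors' code: it assumes that each network flow has already been scored by the autoencoder (for instance, by its reconstruction error) and carries a label that is either BENIGN or an attack name. The scores in SAMPLE are constructed for illustration and are not taken from the paper's data set.

```python
"""Evaluation of a flow-level anomaly detector at fixed false positive rates.

Added example, not code from the paper.  Each network flow is assumed to
carry an anomaly score (for an autoencoder, its reconstruction error) and
a label, BENIGN or an attack name.  The helpers compute the metrics used
in Section V: ROC-AUC per attack type (as in Table V), the TPR at typical
FPR values, and the confusion matrix at such an operating point (as in
Table VI) together with precision and recall.
"""
import math
from typing import Dict, List, Sequence

BENIGN = "BENIGN"  # label used for normal traffic in the constructed sample


def threshold_for_fpr(benign_scores: Sequence[float], target_fpr: float) -> float:
    """Lowest threshold t such that at most target_fpr of the benign flows
    score strictly above t.  Only benign traffic is needed, so the operating
    point can be fixed without any attack samples."""
    if not 0.0 <= target_fpr <= 1.0:
        raise ValueError("target_fpr must be in [0, 1]")
    ordered = sorted(benign_scores)
    n = len(ordered)
    if n == 0:
        raise ValueError("need at least one benign score")
    # 0-based index of the highest benign score allowed to stay below/at t;
    # the tiny epsilon keeps (1 - fpr) * n from rounding up past an integer
    idx = min(n - 1, max(0, math.ceil((1.0 - target_fpr) * n - 1e-9) - 1))
    return ordered[idx]


def confusion_at_fpr(scores_by_label: Dict[str, List[float]], target_fpr: float) -> dict:
    """Confusion matrix at the threshold chosen for target_fpr.  Positive class
    = every attack label, negative class = BENIGN; a flow is flagged when its
    score is strictly above the threshold."""
    benign = scores_by_label[BENIGN]
    thr = threshold_for_fpr(benign, target_fpr)
    fp = sum(1 for s in benign if s > thr)
    tn = len(benign) - fp
    tp = fn = 0
    for label, scores in scores_by_label.items():
        if label == BENIGN:
            continue
        hits = sum(1 for s in scores if s > thr)
        tp += hits
        fn += len(scores) - hits
    return {
        "threshold": thr, "tp": tp, "fn": fn, "fp": fp, "tn": tn,
        "tpr": tp / (tp + fn) if tp + fn else 0.0,   # detection rate (= recall)
        "fpr": fp / (fp + tn) if fp + tn else 0.0,   # false alarm rate
        "precision": tp / (tp + fp) if tp + fp else 0.0,
    }


def roc_auc(pos_scores: Sequence[float], neg_scores: Sequence[float]) -> float:
    """Area under the ROC curve via the rank (Mann-Whitney U) formulation:
    the probability that a random positive outranks a random negative, with
    ties counting one half.  O(n log n), so it scales to a million flows."""
    if not pos_scores or not neg_scores:
        raise ValueError("both classes need at least one score")
    tagged = sorted([(s, 1) for s in pos_scores] + [(s, 0) for s in neg_scores],
                    key=lambda t: t[0])
    rank_sum_pos = 0.0
    i = 0
    while i < len(tagged):
        j = i
        while j < len(tagged) and tagged[j][0] == tagged[i][0]:
            j += 1
        avg_rank = (i + 1 + j) / 2.0            # 1-based ranks i+1 .. j tie
        rank_sum_pos += avg_rank * sum(t[1] for t in tagged[i:j])
        i = j
    n_pos, n_neg = len(pos_scores), len(neg_scores)
    return (rank_sum_pos - n_pos * (n_pos + 1) / 2.0) / (n_pos * n_neg)


def per_attack_auc(scores_by_label: Dict[str, List[float]]) -> Dict[str, float]:
    """ROC-AUC of each attack type against benign traffic (Table V layout)."""
    benign = scores_by_label[BENIGN]
    return {label: roc_auc(scores, benign)
            for label, scores in scores_by_label.items() if label != BENIGN}


def tpr_at_fprs(scores_by_label, fprs=(0.001, 0.01, 0.05)) -> Dict[float, float]:
    """TPR reached at each of the typical FPR values used in the paper."""
    return {f: confusion_at_fpr(scores_by_label, f)["tpr"] for f in fprs}


# Constructed sample scores (not the paper's data): benign flows are spread
# evenly over 0.00 .. 0.99 so the threshold for a given FPR is easy to follow.
SAMPLE: Dict[str, List[float]] = {
    BENIGN: [i / 100 for i in range(100)],
    "DDoS": [0.97, 0.98, 0.99, 0.995, 0.60],           # mostly far outside benign
    "FTP-Patator": [0.95, 0.96, 0.80, 0.70, 0.30],     # partly overlaps benign
    "Web Attack XSS": [0.10, 0.35, 0.50, 0.62, 0.85],  # indistinguishable by flow
}

if __name__ == "__main__":
    for f, tpr in tpr_at_fprs(SAMPLE).items():
        print(f"FPR {f:<6} TPR {tpr:.3f}")
    for label, auc in per_attack_auc(SAMPLE).items():
        print(f"{label:<16} ROC-AUC {auc:.3f}")
    print(confusion_at_fpr(SAMPLE, 0.01))
```

Because the threshold is derived from benign scores alone, the operating point can be fixed before any attack traffic is seen, which matches a model trained on benign data only. The tie handling in roc_auc matters in practice: flows aggregated over one time window often share identical feature vectors and hence identical reconstruction errors, and counting such ties as half a win keeps the AUC unbiased.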
Whether the SSH encryption is the cause would require further studies. The lack of improvement in the detection of web attacks can be explained by the fact that those attacks depend more on the packet payload than on time-window-based features (see below).

Possibility of detecting all types of attacks

As we have already described, the autoencoders can detect some attacks using just features containing information about single data flows, without deep packet inspection. However, even with the usage of time-window features, some attacks are still undetectable, which means the proposed model cannot differentiate them from benign traffic characteristics. It raises the question of whether such attacks can be detected without analyzing packet payloads at all. The undetectable attacks are Web Attack Brute Force and Web Attack XSS.

It is not surprising that the model cannot detect web attacks, as they are usually distinguished by the packet payload or by analysis of logs from the victim device. From the perspective of network flows, web attacks may look like benign traffic. For example, XSS may have the same packet characteristics as benign requests; the only difference may be in the packet payload, and its analysis requires deep packet inspection. It is worth noticing that web attacks are usually neither carried out by mobile devices nor targeted at mobile devices. Therefore, they are not the main problem from the perspective of protecting mobile devices. There are also other methods, applicable at the application level, that are capable of dealing with such attacks.

Comparison to the results of other studies

It is hard to compare our results to the ones achieved by the authors of the data set [30]. We apply a different approach (anomaly detection instead of standard classifiers). We also do not know how many samples of each class their test data set contained. Our test data set contains 45% benign traffic and 55% malicious traffic. The best results achieved by [30] were for the algorithm ID3 (Iterative Dichotomiser 3): Precision = 0.98 and Recall = 0.98. The results achieved by us for the third model (at the 0.05 FPR value) are Precision = 0.94 and Recall = 0.95, which means that our results are similar (but slightly worse) compared to theirs. However, we should note that the authors of [30] trained an instance of a model for every single attack type. They also applied feature selection on the full data set and chose the 3 or 4 best features for every attack type. We use one model and train it with only benign traffic to check the model's ability to detect previously unseen attacks. Therefore, an advantage of our approach is that it does not need to know all attacks a priori.

In the following points, we briefly summarize the results of the experiments:

• The neural network autoencoder architecture can achieve high results in the intrusion detection problem and is therefore suitable for use in intrusion detection nodes.
• New time-window-based derived features improve detection results.
• Not all types of attacks can be detected with this approach, probably because they are invisible from the network flows perspective (like web attacks).

VI. CONCLUSIONS

In this paper, we have proposed an autoencoder-based intrusion detection system specifically designed to work in cloud and mobile environments. It can monitor both networks in which we have access to all passing packets, as in some virtual cloud environments, and mobile devices scattered across various networks around the world. It is also possible to notify the owners of the mobile devices that their devices may be compromised. Our experiments show that the autoencoder architecture, in connection with network flows data and derived features, can achieve high detection results. Therefore, it is suitable for use in an intrusion detection system operating in the cloud. However, it is worth noticing that not all types of attacks can be detected with this approach due to the use of network flows data only.

In future work, we would like to focus on defining a more generic framework for intrusion detection in cloud environments and on preparing tools to monitor mobile devices. Another attractive research area is automating the decision of whether preprocessing should be executed on a mobile device or in the cloud, taking into account the computing power and resources available on a given mobile device. It would also be worthwhile to gather data other than network flows from mobile devices and create new features to improve the detection of compromised devices.

ACKNOWLEDGMENT

The research presented in this paper was supported by the funds assigned to AGH University of Science and Technology by the Polish Ministry of Science and Higher Education.

REFERENCES

[1] K. L. Lueth, “State of the IoT 2020,” tech. rep., 2020. Available online: https://iot-analytics.com/state-of-the-iot-2020-12-billion-iot-connections-surpassing-non-iot-for-the-first-time/.
[2] Positive Technologies, “Cybersecurity threatscape: Q2 2020,” tech. rep., 2019. Available online: https://www.ptsecurity.com/ww-en/analytics/cybersecurity-threatscape-2020-q2/.
[3] S. Shamshirband, M. Fathi, A. Chronopoulos, A. Montieri, F. Palumbo, and A. Pescapè, “Computational intelligence intrusion detection techniques in mobile cloud computing environments: Review, taxonomy, and open research issues,” Journal of Information Security and Applications, vol. 55, 2020.
[4] H. Debar, M. Dacier, and A. Wespi, “Towards a taxonomy of intrusion-detection systems,” Computer Networks, vol. 31, pp. 805–822, apr 1999.
[5] A. Khraisat, I. Gondal, P. Vamplew, and J. Kamruzzaman, “Survey of intrusion detection systems: techniques, datasets and challenges,” Cybersecurity, vol. 2, p. 20, dec 2019.
[6] R. Sharma, A. Guleria, and R. Singla, “An overview of flow-based anomaly detection,” International Journal of Communication Networks and Distributed Systems, vol. 21, no. 2, p. 220, 2018.
[7] A. Patcha and J.-M. Park, “An overview of anomaly detection techniques: Existing solutions and latest technological trends,” Computer Networks, vol. 51, pp. 3448–3470, aug 2007.
[8] Y. Mehmood, A. Shibli, U. Habiba, and R. Masood, “Intrusion detection system in cloud computing: Challenges and opportunities,” pp. 59–66, 12 2013.
[9] M. A. Ferrag, L. Maglaras, S. Moschoyiannis, and H. Janicke, “Deep learning for cyber security intrusion detection: Approaches, datasets, and comparative study,” Journal of Information Security and Applications, vol. 50, p. 102419, feb 2020.
[10] R. Abdulhammed, M. Faezipour, A. Abuzneid, and A. AbuMallouh, “Deep and Machine Learning Approaches for Anomaly-Based Intrusion Detection of Imbalanced Network Traffic,” IEEE Sensors Letters, vol. 3, pp. 1–4, jan 2019.
[11] D. Aksu and M. Ali Aydin, “Detecting Port Scan Attempts with Comparative Analysis of Deep Learning and Support Vector Machine Algorithms,” in 2018 International Congress on Big Data, Deep Learning and Fighting Cyber Terrorism (IBIGDELFT), ANKARA, Turkey, pp. 77–80, IEEE, dec 2018.
[12] S. Hochreiter and J. Schmidhuber, “Long Short-Term Memory,” Neural Computation, vol. 9, pp. 1735–1780, nov 1997.
[13] J. Kim, J. Kim, H. L. T. Thu, and H. Kim, “Long Short Term Memory Recurrent Neural Network Classifier for Intrusion Detection,” in 2016 International Conference on Platform Technology and Service (PlatCon), Jeju, South Korea, pp. 1–5, IEEE, feb 2016.
[14] L. Nicholas, S. Y. Ooi, Y. H. Pang, S. O. Hwang, and S.-Y. Tan, “Study of long short-term memory in flow-based network intrusion detection system,” Journal of Intelligent & Fuzzy Systems, vol. 35, pp. 5947–5957, dec 2018.
[15] Y. Mirsky, T. Doitshman, Y. Elovici, and A. Shabtai, “Kitsune: An Ensemble of Autoencoders for Online Network Intrusion Detection,” feb 2018.
[16] F. Farahnakian and J. Heikkonen, “A deep auto-encoder based approach for intrusion detection system,” in 2018 20th International Conference on Advanced Communication Technology (ICACT), pp. 178–183, 2018.
[17] X. Li, W. Chen, Q. Zhang, and L. Wu, “Building auto-encoder intrusion detection system based on random forest feature selection,” Computers & Security, vol. 95, p. 101851, 2020.
[18] M. Gharib, B. Mohammadi, S. H. Dastgerdi, and M. Sabokrou, “Autoids: Auto-encoder based method for intrusion detection system,” ArXiv, vol. abs/1911.03306, 2019.
[19] R. C. Aygun and A. G. Yavuz, “Network Anomaly Detection with Stochastically Improved Autoencoder Based Models,” in Proceedings - 4th IEEE International Conference on Cyber Security and Cloud Computing, CSCloud 2017 and 3rd IEEE International Conference of Scalable and Smart Cloud, SSC 2017, pp. 193–198, Institute of Electrical and Electronics Engineers Inc., jul 2017.
[20] A. Patel, M. Taghavi, K. Bakhtiyari, and J. Celestino Júnior, “An intrusion detection and prevention system in cloud computing: A systematic review,” Journal of Network and Computer Applications, vol. 36, no. 1, pp. 25–41, 2013.
[21] Z. Chiba, N. Abghour, K. Moussaid, A. El Omri, and M. Rida, “Smart approach to build a deep neural network based ids for cloud environment using an optimized genetic algorithm,” in Proceedings of the 2nd International Conference on Networking, Information Systems & Security, NISS19, (New York, NY, USA), Association for Computing Machinery, 2019.
[22] M. Manickam and S. Rajagopalan, “A hybrid multi-layer intrusion detection system in cloud,” Research Journal of Biotechnology, vol. 2017, pp. 167–174, 03 2019.
[23] R. Patil, H. Dudeja, and C. Modi, “Designing an efficient security framework for detecting intrusions in virtual network of cloud computing,” Computers and Security, vol. 85, pp. 402–422, 2019.
[24] H. Toumi, A. Eddaoui, and M. Talea, “Cooperative intrusion detection system framework using mobile agents for cloud computing,” Journal of Theoretical and Applied Information Technology, vol. 70, no. 1, pp. 76–84, 2014.
[25] S. Dey, Q. Ye, and S. Sampalli, “A machine learning based intrusion detection scheme for data fusion in mobile clouds involving heterogeneous client networks,” Information Fusion, vol. 49, pp. 205–215, 2019.
[26] I. Goodfellow, Y. Bengio, and A. Courville, Deep Learning. MIT Press, 2016.
[27] Canadian Institute for Cybersecurity, “CICFlowMeter - Network Traffic Flow analyzer,” 2021. Available online: https://github.com/ahlashkari/CICFlowMeter.
[28] I. Sharafaldin, A. H. Lashkari, and A. A. Ghorbani, “Toward Generating a New Intrusion Detection Dataset and Intrusion Traffic Characterization,” pp. 108–116, aug 2019.
[29] M. Ring, S. Wunderlich, D. Scheuring, D. Landes, and A. Hotho, “A survey of network-based intrusion detection data sets,” Computers & Security, vol. 86, pp. 147–167, sep 2019.
[30] I. Sharafaldin, A. Gharib, A. H. Lashkari, and A. A. Ghorbani, “Towards a Reliable Intrusion Detection Benchmark Dataset,” Software Networking, vol. 2017, pp. 177–200, jan 2017.
[31] R. Panigrahi and S. Borah, “A detailed analysis of cicids2017 dataset for designing intrusion detection systems,” vol. 7, pp. 479–482, 01 2018.
[32] T. Fawcett, “An introduction to ROC analysis,” Pattern Recognition Letters, vol. 27, pp. 861–874, jun 2006.
