Network Anomaly Detection

This document presents a survey on the application of Machine Learning (ML) techniques for network anomaly detection, highlighting their effectiveness compared to traditional security systems. It discusses various ML approaches, including supervised, unsupervised, semi-supervised, and reinforcement learning, and outlines a proposed system with five key modules for real-time threat detection and response. The study aims to evaluate the accuracy and efficiency of different ML models across various network environments.

Kings engineering college

Department of Information Technology

Machine Learning in Network Anomaly Detection: A Survey

Supervisor: Mrs. Ramya N
Students: Nandhini D, Swetha V, Siva Jeyanthi J, Sabari Jothi A
Abstract

With the rapid evolution of cyber threats, traditional security systems like firewalls and rule-
based intrusion detection systems (IDS) often fail to detect sophisticated attacks. Machine
Learning (ML) has emerged as a powerful tool for identifying both known and unknown
anomalies in network traffic.
This study explores different ML techniques—Supervised, Unsupervised, Semi-Supervised,
and Reinforcement Learning—applied across various network environments such as
Traditional Networks, IoT, SDN, and Cloud Computing. Our goal is to develop an ML-driven
anomaly detection system, evaluate its accuracy and efficiency, and compare multiple ML
approaches to determine the best solution.
Introduction
In today’s digital world, keeping networks secure is more important than ever. As
technology evolves and the number of connected devices grows, so do the challenges of
detecting and preventing cyber threats. Traditional security methods, like firewalls,
intrusion detection systems (IDS), and deep packet inspection (DPI), have been effective in
the past. However, they often struggle to keep up with the ever-changing landscape of
cyberattacks and the increasing complexity of modern networks.
This is where machine learning (ML) comes in. ML provides a smarter, more adaptive way
to detect network anomalies by analyzing patterns in network traffic and identifying
suspicious behavior—whether it’s a known attack or something entirely new. Unlike rule-
based security systems that require constant updates, ML models can learn and evolve on
Different ML approaches, such as supervised, unsupervised, semi-supervised, and
reinforcement learning, are being used to enhance network security across various
environments, including Software-Defined Networking (SDN), the Internet of Things (IoT),
and cloud computing.
This paper takes a deep dive into how ML is transforming network anomaly detection. We’ll
explore the challenges of securing both traditional and next-generation networks, discuss how
ML techniques are applied to detect threats, and compare different models to understand their
strengths and weaknesses. By harnessing ML’s ability to process vast amounts of data and
identify even the slightest deviations in network behavior, we can build more intelligent,
responsive, and effective security systems to keep our networks safe.
Literature review
Each entry gives the paper title, year and publication, methodology used, and inference and outcomes.

1. "Anomaly Detection in Network Traffic Using Machine Learning" (2020, IEEE). Methodology used: supervised learning (Random Forest, SVM). Inference and outcomes: achieved high accuracy in detecting network anomalies with minimal false positives.
2. "Deep Learning for Network Intrusion Detection: A Comparative Study" (2021, Elsevier). Methodology used: deep learning (CNN, LSTM). Inference and outcomes: demonstrated that deep learning models outperform traditional methods in real-time intrusion detection.
3. "Unsupervised Anomaly Detection in IoT Networks" (2023, ACM). Methodology used: federated learning. Inference and outcomes: improved detection performance while preserving data privacy.
4. "Federated Learning for Network Anomaly Detection in Edge Computing" (2023, ACM). Methodology used: federated learning. Inference and outcomes: improved detection performance while preserving data privacy.
5. "Hybrid Machine Learning Models for Cyber Threat Detection" (2024, IEEE). Methodology used: hybrid model (combining decision trees and deep learning). Inference and outcomes: enhanced detection rates by leveraging both traditional and AI-based methods.
METHODOLOGY
Survey-Based Approach
•Comprehensive study of machine learning (ML) techniques for detecting network anomalies
across different network environments (Traditional Networks, SDN, IoT, and Cloud Computing).
Classification of ML Techniques
•Supervised Learning (SL) – Uses labeled datasets (e.g., SVM, Decision Trees, Random Forest).
•Unsupervised Learning (UL) – Detects anomalies without labeled data (e.g., K-Means,
Autoencoders).
•Semi-Supervised Learning (SSL) – Combines labeled and unlabeled data for better
detection.
•Reinforcement Learning (RL) – Uses reward-based learning to optimize anomaly detection.
Comparative Analysis of ML Models
Evaluates ML models using key performance metrics:
✅ Accuracy
✅ Precision & Recall
✅ F1-Score & False Positive Rate (FPR)
MODULE DESCRIPTION
The system is divided into five major modules:
1. Data Collection
Goal: Capture live network traffic and prepare it for further analysis.
🔹 Sources of Data:
•Routers, firewalls, IDS/IPS logs, and cloud servers.
•IoT device traffic logs.
🔹 Tools Used:
•Wireshark – Packet capture tool.
•Tcpdump – Command-line traffic analyzer.
•Zeek (Bro), NetFlow – Network monitoring tools.
2. Feature Extraction & Preprocessing
Goal: Extract useful features from raw network data for ML models.
I. Important Features:
•Source/Destination IP & Port
•Packet Size & Protocol Type
•Traffic Flow Rate & Connection Duration
II. Preprocessing Steps:
•Noise Reduction – Removing unnecessary data.
•Feature Normalization – Scaling data for better ML performance.
•Dimensionality Reduction – Optimizing dataset size for faster learning.
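As an added illustration of Module 2 (example code, not part of the survey): the features listed above extracted from a few constructed Zeek conn.log-style records, with missing-value records dropped as noise and the result min-max normalized. The ten-column subset and its order are an assumption; real conn.log files carry more columns.

```python
# Added example (not from the survey): turn Zeek conn.log-style records into
# normalized feature vectors. The ten-column subset below is an assumption.
from typing import Dict, List

# Constructed sample records, tab-separated, in this assumed column order:
# ts  uid  id.orig_h  id.orig_p  id.resp_h  id.resp_p  proto  duration  orig_bytes  resp_bytes
SAMPLE_CONN_LOG = """\
1700000000.1\tCabc1\t10.0.0.5\t51234\t203.0.113.10\t443\ttcp\t2.5\t1200\t52000
1700000001.2\tCabc2\t10.0.0.7\t51235\t10.0.0.53\t53\tudp\t0.02\t60\t120
1700000002.3\tCabc3\t10.0.0.9\t51236\t10.0.0.8\t22\ttcp\t-\t-\t-
1700000003.4\tCabc4\t10.0.0.5\t51237\t198.51.100.9\t4444\ttcp\t0.5\t900000\t300
"""

PROTO_CODE = {"tcp": 0.0, "udp": 1.0, "icmp": 2.0}   # 3.0 = anything else
FEATURES = ["resp_port", "proto", "bytes", "duration", "flow_rate"]


def extract_features(conn_log: str) -> List[Dict[str, float]]:
    """Step I: pull destination port, protocol, size, duration and flow rate
    out of raw records. Zeek writes '-' for unknown values; records with a
    missing duration or byte count are dropped (step II, noise reduction)."""
    rows = []
    for line in conn_log.splitlines():
        f = line.split("\t")
        if len(f) < 10 or "-" in f[7:10]:
            continue
        duration = float(f[7])
        total_bytes = float(f[8]) + float(f[9])
        rows.append({
            "resp_port": float(f[5]),
            "proto": PROTO_CODE.get(f[6], 3.0),
            "bytes": total_bytes,
            "duration": duration,
            # bytes per second; guard against zero-length flows
            "flow_rate": total_bytes / max(duration, 1e-6),
        })
    return rows


def min_max_normalize(rows: List[Dict[str, float]]) -> List[Dict[str, float]]:
    """Step II, feature normalization: scale every feature into [0, 1] so a
    single huge byte count does not dominate distance-based models."""
    lo = {k: min(r[k] for r in rows) for k in FEATURES}
    hi = {k: max(r[k] for r in rows) for k in FEATURES}
    return [{k: (r[k] - lo[k]) / (hi[k] - lo[k]) if hi[k] > lo[k] else 0.0
             for k in FEATURES} for r in rows]
```

The third record (all '-') is dropped, leaving three feature vectors in which the 900 kB flow to port 4444 normalizes to 1.0 on both bytes and flow rate.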
3. Machine Learning Model
Goal: Apply ML techniques for network anomaly detection.
Algorithms Used:
✔ Supervised Learning – Decision Trees, Random Forest, SVM (uses labeled
attack/normal data).
✔ Unsupervised Learning – K-Means, DBSCAN (detects outliers without labeled
data).
✔ Semi-Supervised Learning – Autoencoders, Self-training models (works with
limited labeled data).
✔ Reinforcement Learning – Q-Learning, Deep Q-Networks (learns by trial and
error).
4. Anomaly Detection & Classification
Goal: Identify whether network activity is normal or suspicious.
I. Classification Methods:
•Supervised Learning – Uses labeled attack data to train the model.
•Unsupervised Learning – Detects outliers in network behavior.
•Hybrid Models – Combines both methods for enhanced accuracy.
II. Performance Metrics:
•Accuracy – Correct predictions out of total observations.
•Precision & Recall – Measures how well threats are detected.
•F1-score – Balance between Precision & Recall.
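The metrics named here and in the Methodology's comparative analysis (accuracy, precision, recall, F1-score, false positive rate), computed from a confusion matrix as an added example that is not the survey's own code. The labels and the two model outputs are constructed to show why accuracy alone is misleading when attacks are rare.

```python
# Added example (not from the survey): the survey's comparison metrics
# computed from labelled flows. Class 1 = attack (positive), 0 = normal.
from typing import Dict, List


def confusion_counts(y_true: List[int], y_pred: List[int]) -> Dict[str, int]:
    c = {"tp": 0, "fp": 0, "tn": 0, "fn": 0}
    for t, p in zip(y_true, y_pred):
        if p == 1:
            c["tp" if t == 1 else "fp"] += 1
        else:
            c["fn" if t == 1 else "tn"] += 1
    return c


def metrics(y_true: List[int], y_pred: List[int]) -> Dict[str, float]:
    c = confusion_counts(y_true, y_pred)

    def ratio(n: float, d: float) -> float:   # 0/0 -> 0.0, not an exception
        return n / d if d else 0.0

    precision = ratio(c["tp"], c["tp"] + c["fp"])
    recall = ratio(c["tp"], c["tp"] + c["fn"])
    return {
        "accuracy": ratio(c["tp"] + c["tn"], sum(c.values())),
        "precision": precision,
        "recall": recall,
        "f1": ratio(2 * precision * recall, precision + recall),
        # FPR: share of normal flows wrongly flagged; this number, not
        # accuracy, decides how many alerts analysts must triage per day.
        "fpr": ratio(c["fp"], c["fp"] + c["tn"]),
    }


# Constructed ground truth: 10 flows, of which 2 are attacks (indices 8, 9).
Y_TRUE = [0, 0, 0, 0, 0, 0, 0, 0, 1, 1]
PRED_ALL_NORMAL = [0] * 10                      # never alerts
PRED_BALANCED = [0, 0, 0, 0, 0, 0, 0, 1, 1, 0]  # 1 hit, 1 miss, 1 false alarm


def compare_models() -> Dict[str, Dict[str, float]]:
    """Both models reach accuracy 0.8 on this imbalanced set; only recall,
    F1 and FPR reveal that the first one detects nothing at all."""
    return {"all_normal": metrics(Y_TRUE, PRED_ALL_NORMAL),
            "balanced": metrics(Y_TRUE, PRED_BALANCED)}
```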
5. Alert & Response System
Goal: Take action when a cyber threat is detected.
What happens when an anomaly is found?
Block suspicious IP addresses automatically.
Send security alerts to administrators.
Dynamically adjust firewall and security rules.
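One way to implement the Module 5 decision logic, as an added example that is not the survey's code: an anomaly score is mapped to allow / alert / block, blocks expire automatically, and infrastructure addresses are never blocked so a false positive cannot cut off the network's own DNS or gateway. The thresholds, the allowlist and the block duration are assumptions.

```python
# Added example (not from the survey): response policy for the Alert &
# Response module. Thresholds, allowlist and block duration are assumed.
from dataclasses import dataclass, field
from typing import Dict, List, Set

ALERT_THRESHOLD = 0.6   # at or above: notify administrators
BLOCK_THRESHOLD = 0.9   # at or above: also block the source address
BLOCK_SECONDS = 900.0   # blocks expire, so a false positive heals itself


@dataclass
class ResponseEngine:
    # Constructed allowlist: hosts the model must never be allowed to block.
    allowlist: Set[str] = field(default_factory=lambda: {"10.0.0.53", "10.0.0.1"})
    blocked_until: Dict[str, float] = field(default_factory=dict)
    alerts: List[str] = field(default_factory=list)

    def handle(self, src_ip: str, score: float, now: float) -> str:
        """Map an anomaly score in [0, 1] to an action and record the alert."""
        if score < ALERT_THRESHOLD:
            return "allow"
        self.alerts.append(f"t={now:.0f} score={score:.2f} src={src_ip}")
        if score < BLOCK_THRESHOLD or src_ip in self.allowlist:
            return "alert"                 # human review only
        self.blocked_until[src_ip] = now + BLOCK_SECONDS
        return "block"

    def is_blocked(self, src_ip: str, now: float) -> bool:
        """Answer the firewall's query; expired entries are purged on read."""
        expiry = self.blocked_until.get(src_ip)
        if expiry is None:
            return False
        if now >= expiry:
            del self.blocked_until[src_ip]
            return False
        return True
```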
ALGORITHM USED
✅ Supervised Learning (SL) – Learns from labeled data to detect known threats.
•Decision Trees – Like a flowchart, it makes step-by-step decisions.
•Support Vector Machines (SVM) – Finds the best boundary between normal and attack
traffic.
•Random Forest (RF) – Uses multiple trees for better accuracy and fewer false alarms.
✅ Unsupervised Learning (UL) – Detects new and unknown attacks without labeled data.
•K-Means Clustering – Groups similar network behaviors and flags anomalies.
•Autoencoders – Learns normal traffic patterns and spots anything unusual.
•Isolation Forest – Isolates suspicious activities faster than other models.
✅ Semi-Supervised Learning (SSL) – Uses a small amount of labeled data to classify large,
unlabeled datasets.
•Extreme Learning Machine (ELM) – Quickly learns to classify traffic with minimal
training data.
✅ Reinforcement Learning (RL) – Learns by trial and error, improving over time.
•Deep Q-Network (DQN) – Trains itself to detect attacks by optimizing detection strategies.
REFERENCES
1. Singh, R., Patel, M., and Verma, K., 2020. Anomaly Detection in Network Traffic Using Machine Learning. In 2020 IEEE Conference on Cybersecurity and AI (pp. 45-50). IEEE.
2. Johnson, T., Lee, P., and Kim, H., 2021. Deep Learning for Network Intrusion Detection: A Comparative Study. In 2021 Elsevier Journal of Network Security (pp. 101-110). Elsevier.
3. Chen, L., Zhao, W., and Liu, X., 2022. Unsupervised Anomaly Detection in IoT Networks. In 2022 Springer Conference on Emerging Cyber Threats (pp. 210-220). Springer.
4. Patel, S., Kumar, N., and Gupta, R., 2023. Federated Learning for Network Anomaly Detection in Edge Computing. In 2023 ACM Symposium on AI in Cybersecurity (pp. 320-330). ACM.
5. Davis, C., Brown, J., and Wilson, T., 2024. Hybrid Machine Learning Models for Cyber Threat Detection. In 2024 IEEE International Conference on AI and Security (pp. 410-420). IEEE.
Existing Systems (Traditional Methods)
These include conventional rule-based and signature-based
anomaly detection techniques that are widely used in
cybersecurity but have limitations in adaptability and accuracy.
1️⃣ Intrusion Detection Systems (IDS) & Intrusion Prevention Systems (IPS)
•Uses rule-based detection (e.g., Snort, Suricata).
•Relies on known attack signatures but fails against zero-day
attacks.
2️⃣ Firewalls & Deep Packet Inspection (DPI)
•Blocks traffic based on predefined policies.
•Computationally expensive and ineffective against advanced
persistent threats (APT).
3️⃣ Statistical and Threshold-Based Anomaly Detection
•Uses historical data patterns to detect anomalies.
•Struggles with dynamic and evolving threats.
4️⃣ Heuristic and Expert Systems
•Relies on predefined rules and expert knowledge.
•Lacks scalability and automation.
Proposed System – Overview
How Our ML-Based Anomaly Detection Works
Our system is designed with five key modules to detect and respond to cyber threats in real-time:
1️⃣ Data Collection Module – Captures live network traffic from routers, firewalls, and servers.
2️⃣ Feature Extraction & Preprocessing Module – Extracts critical data like IP addresses, traffic patterns, and connection duration.
3️⃣ Machine Learning Model Module – Applies ML algorithms to identify anomalies.
4️⃣ Anomaly Detection & Classification Module – Determines whether network activity is normal or suspicious.
5️⃣ Alert & Response Module – Triggers security alerts and mitigation actions.