LUP Student Papers

Anomaly detection on edge networks

• Mark

Abstract

Network anomaly detection is an active research area, with numerous solutions that utilize statistical methods, neural networks, and other machine learning methods. Autoencoders, in particular, have shown great performance by learning representations solely from benign traffic, enabling the detection of zero-day attacks. In this thesis, we propose a methodology that uses transfer learning to train autoencoders specifically tailored to individual network devices, thereby improving detection performance over general autoencoder models trained on aggregated network data. Furthermore, benchmarking results indicate that the lightweight device-specific model is suitable for inference on resource-constrained devices, suggesting its feasibility... (More)

Network anomaly detection is an active research area, with numerous solutions that utilize statistical methods, neural networks, and other machine learning methods. Autoencoders, in particular, have shown great performance by learning representations solely from benign traffic, enabling the detection of zero-day attacks. In this thesis, we propose a methodology that uses transfer learning to train autoencoders specifically tailored to individual network devices, thereby improving detection performance over general autoencoder models trained on aggregated network data. Furthermore, benchmarking results indicate that the lightweight device-specific model is suitable for inference on resource-constrained devices, suggesting its feasibility for real-time anomaly detection on edge devices. We compare the device-specific model with the general model by evaluating them against 12 different attack types. The results demonstrate that the proposed method shows promise in improving the anomaly detection performance. The device-specific model outperforms the general model for certain attacks, while achieving similar performance in others. (Less)

Popular Abstract

With the increasing number of connected devices in homes and businesses, commonly known as the Internet of Things (IoT), verifying cybersecurity has become more challenging and critical than ever. Cyberattacks on IoT networks can lead to privacy breaches, financial losses, or even compro-
mise vital infrastructure. Detecting such attacks as they occur is important for maintaining secure networks.

This thesis addresses the challenge above by using a technique called anomaly detection, which takes advantage of recent advances in machine learning. Network anomaly detection identifies unusual activity within network traffic that deviates from what is normal or expected, making it effective in identifying threats to the network. Traditional... (More)

With the increasing number of connected devices in homes and businesses, commonly known as the Internet of Things (IoT), verifying cybersecurity has become more challenging and critical than ever. Cyberattacks on IoT networks can lead to privacy breaches, financial losses, or even compro-
mise vital infrastructure. Detecting such attacks as they occur is important for maintaining secure networks.

This thesis addresses the challenge above by using a technique called anomaly detection, which takes advantage of recent advances in machine learning. Network anomaly detection identifies unusual activity within network traffic that deviates from what is normal or expected, making it effective in identifying threats to the network. Traditional methods for detecting cyberattacks require explicit examples of both normal and malicious behavior. This thesis approach relies on learning the patterns from "normal" network traffic on the local network, making it better suitable for detecting previously unseen attacks, often called zero-day attacks.

We used a deep learning model known as an autoencoder, which is capable of learning and representing complex patterns in network data. Initially, the autoencoder was trained using normal traffic data from an entire local network consisting of several devices. Subsequently, transfer learning was applied to adapt the general model to individual devices on the local network. This two-step process allows the model to detect differences in traffic more tailored to each specific device.

In the thesis, the CIC IoT-DIAD 2024 dataset was used. It contains categorized network traffic data for both normal activity and various types of attacks. Our results showed that device-specific transfer learning significantly improved the detection capability for certain attacks, such as Vulnerability Scans and various forms of Distributed Denial of Service (DDoS) attacks. Although this approach notably improved the detection rate for certain attacks, further investigation into threshold selection methods could further improve the model in a deployment scenario.

To ensure that the model could realistically operate on resource constrained IoT devices, performance benchmarking was conducted. The results demonstrated that the model are computationally lightweight and suitable for real-time monitoring on edge devices without significantly impacting their primary functions. (Less)