MANomaly: Mutual adversarial networks for semi-supervised anomaly detection

In network intrusion detection, since the available attack traffic is much less than normal traffic, detecting attacks and intrusions from these unbalanced traffic can be a problem of semi-supervised learning, i.e., finding outliers (anomalies) from a data population that obeys a certain distribution. In this paper, we design a novel network model named the mutual adversarial network (MAN), which has two identical reconstruction autoencoder (RecAE) subnetworks. In training, these two subnetworks use the proposed mutual adver-sarial training to learn the data distribution of normal traffic samples. In detection, we identify anomalies based on the residual values obtained after different samples are recon-structed by MAN. In addition, we devise a novel method to identify anomalies from anom-aly scores named the high anomaly suppression (HAS) determination mechanism, which uses the mean values to suppress the effect of noisy data in the test sample. Then, we con-struct a novel semi-supervised reconstruction anomaly detection framework named MANomaly by combining MAN with the HAS determination mechanism. Meanwhile, we design three different mutual adversarial training approaches to MANomaly and evaluate them on two publicly available network traffic datasets: NSL-KDD and UNSW-NB15. Experimental results show that our method achieves excellent performance by using only 5% of normal training data. (c) 2022 Elsevier Inc. All rights reserved.

Automated summary

In this paper, a novel network model named the mutual adversarial network (MAN) is proposed for network intrusion detection. It utilizes mutual adversarial training to learn the data distribution of normal traffic samples and identifies anomalies based on residual values. The high anomaly suppression (HAS) determination mechanism is devised to suppress the effect of noisy data. The proposed MANomaly framework combines MAN with the HAS determination mechanism for semi-supervised reconstruction anomaly detection. Experimental results demonstrate excellent performance using only a small portion of normal training data.