2021 IEEE International Conference on Advanced Networks and Telecommunications Systems (ANTS)
Online Network Attack Detection using
Statistical Features
2021 IEEE International Conference on Advanced Networks and Telecommunications Systems (ANTS) | 978-1-6654-4893-2/21/$31.00 ©2021 IEEE | DOI: 10.1109/ANTS52808.2021.9937015
Ritesh Ratti , Sukumar Nandi , Sanasam Ranbir Singh
Department of Computer Science & Engineering
Indian Institute of Technology, Guwahati, Assam, India 781039
Email : ritesh.ratti@iitg.ac.in , sukumar@iitg.ac.in , ranbir@iitg.ac.in
Abstract—In recent years, several supervised intrusion detec-
tion systems have been proposed. However, these methods require
labeled data for training and cannot automatically adapt to
frequently changing network traffic scenarios. It is also required
for data to be updated periodically and requires the model to
be retrained to detect new attacks. This emphasizes the need
for the development of unsupervised detection systems that can
target zero-day attacks. In this paper, we propose an unsuper-
vised solution that relies on detecting attacks in a discrete-time
sliding window using the distance between statistical features.
The proposed algorithm utilizes generated cluster profiles and
estimates the distance between statistical features to trigger an
attack event if it exceeds the predefined threshold. The proposed
method was applied to CICIDS-2018 dataset and tested for FTP
Brute Force and HTTP Distributed Denial of Service attacks.
I. I NTRODUCTION
With the rise of the Internet, attacks like DDoS, BruteForce,
Botnet, etc. have become destructive and pose a great threat to
overall security. The number of attacks on computer networks
has been increased a lot over the years. These attacks can
hamper the network performance, cause huge financial loss
and overall credibility loss to an enterprise. According to
Mcafee [1] the potential cost of cyber-crime to the global
community is enormous around $1 trillion, and a data breach
costs the average company about $3.8 million with an
average interruption to operation about 18 hours. Various
open-source tools like LOIC [13], Slowloris [16], Nmap [10],
Cain & Abel, etc can be used to perform different types of
attacks easily. These attacks are performed against existing
vulnerabilities in various networking protocols like SSH,
RDP, FTP, HTTP, ICMP, etc. Each of these different attacks
has a varied effect on network parameters. For example,
Port scanning allows a lot of packets generated from one
source port to multiple other destination ports that affect the
distribution in destination ports. During high volume DDoS
attacks sudden increase in packet transfer rate is identified.
The major challenge is to identify these malicious activities
with changing attack scenarios as model has to be updated
with time.
Since most of the proposed supervised learning-based mod-
els are trained using the labeled data and are used in pro-
duction systems later to detect attack activities. Most of these
supervised learning-based Intrusion Detection Systems (IDS)
require huge manual effort for label generation and require
Authorized licensed use limited to: UNIVERSITY OF HERTFORDSHIRE. Downloaded on June 26,2023 at 12:07:46 UTC from IEEE Xplore. Restrictions apply.
978-1-6654-4893-2/21/$31.00 ©2021 IEEE
data update over time to incorporate new attacks. It emphasizes
the need for an unsupervised learning method that can identify
abnormal behavior automatically. On the other hand for the
continuous network traffic, it is expected that the model is
able to learn the new patterns automatically which is not
possible through offline systems. Since system behavior and
applications are changing with respect to time, it is expected
from the model to update itself and adapt to a frequently
changing environment so that it can be applied in real-time for
attack detection. Hence it is required to build the IDS system
that can be operated in an online manner using an unsupervised
machine learning method. We proposed a solution that relies
on identifying these anomalies in networking parameters over
the sliding time window. The proposed system process data
for each specific time window and detect the attack activity is
present or not. Our solution does not rely on input from the
last context and looks into only the current processing window
for attack detection.
A. Contributions
The main contribution of the paper can be summarized as
follows:
• We developed an unsupervised algorithm for network attack
detection using clustering method that eliminates the need
of labeled data.
• We proposed online method for detecting attack indepen-
dently for every time slot using flow-level information.
• Proposed system is based on extracting statistical features
from the data and using specific distance threshold for
attack detection.
• We proposed unified approach to detect multiple attacks
using different distance thresholds.
• We used recent benchmark dataset from Canadian Institute
for Cybersecurity (CICIDS2018) [14] to validate the
proposed method.
The paper is organized in different sections as follows.
In Section 2, we discuss the various solutions proposed for
online attack detection applied for various attacks. Section 3
describes the proposed methodology in detail and the compo-
nents involved. Section 4 highlights the implementation of the
proposed approach and experimentation results for the various
stage of processing. In Section 5 we provide a conclusion &
future work.
125
 2021 IEEE International Conference on Advanced Networks and Telecommunications Systems (ANTS)

II. BACKGROUND

We study various machine learning-based online systems to

detect network attacks. Most of the solutions devised are based
on unsupervised and supervised learning. Kitsune, [11] an
ensemble of auto-encoders based detection system is proposed
that can detect attacks without supervision. The proposed sys-
tem is initially trained with normal traffic and later anomaly is
identified based on reconstruction error. It consists of two parts
Ensemble Layer for training and Output Layer for producing Fig. 1. High level architecture diagram
the final score of anomaly. It uses a total of 115 statistical
features computed over 5 last time windows with damped
incremental statistics. Feature reduction is performed using periodically to detect the new attack.In this section, we have
agglomerative hierarchical clustering. The major limitation is explored major research in the area of Online attack detection
that it expects all traffic to be Benign in the training phase. for multiple different attacks. In the next section, we discuss
Another ensemble framework is discussed in [8] which is using the proposed solution and algorithm in detail.
an ensemble of generative model with weighted average. The
proposed model uses Mahalanobis distance to differentiate the III. P ROPOSED M ETHODOLOGY
anomaly from benign traffic. It expects Benign data available
A. Assumption
to train the ensemble models separately. However, training data
can be poisoned with attack data which is similar to Normal 1) We assume flow level records are available with required
traffic scenario. features for specific attack detection.
ORUNADA system [3] proposes an online and scalable 2) We assume an individual model is built for specific attack
method for detecting network anomalies. The proposed system only to distinguish between Normal and specific attack.
uses Incremental Density Grid-based clustering method with
continuous update of feature space for discrete-time win- B. Architecture
dows. It follows Evidence accumulation (EA4O) technique
The proposed solution for intrusion detection system con-
to identify anomalies. It uses aggregated features on source
sists of 3 major stages Data Pre-processing, Model Building &
IP and destination IP like the number of packets, percentage
Attack Detection. All the stages are performed in sequence for
of packets with different TCP flags set SYN/ACK/RST/FIN,
every incoming flow in ∆t time period to identify malicious
percentage of different ICMP error related packets, average
activity.
Packet Size, etc. Spanish ISP and MAWILab Dataset are used
for testing the results. 1) Data Pre-processing
Data Pre-processing is an initial step that is required
Another online anomaly detection method for augmented
for any modeling task. It consists of two main process
network flows [5] is proposed that is based on count-min
Feature Selection and Feature Scaling. Since flow-based
sketch for per-flow, per-node, per-network level statistics. It
records contain a lot of parameters therefore we need to
proposes SVM based adaptive mechanism and use dynamic
select those network parameters that are relevant for a
input normalization approach for scaling, that also monitors
specific attack. After proper analysis and using domain
the range and variance of observed values. Experimentation
knowledge we have selected subset of parameters that can
is performed on two datasets MAWI and Lawrence Berkeley
be used to identify the attack. The parameter set and its
National Laboratory. [6] discuss the method for detecting
description for an individual attack is provided in table I
anomalies using traffic feature distributions. It uses entropy
as a summarization tool to estimate the distributional changes Attack Type Parameter
in traffic features. Traffic flow consists of 4 tuples srcIP, dstIP, FTP Brute Size of packet and flow records like
srcPort, dstPort. Sample Entropy is evaluated using feature Force Segment Size, average Packet size, etc.
distribution constructed from packet counts. It uses Hierarchi-
Distributed Rate of flow like Packets/s , Bytes/s
cal Agglomerative clustering for and proposes a multi-way
Denial of etc.
subspace method for identifying anomalies across multiple
Service
traffic features and multiple origin-destination flows.
Supervised learning based solutions like DeepWindow [15]
TABLE I
propose an online supervised learning-based method using A FFECTED N ETWORK PARAMETERS
LSTM for abnormal traffic detection using CICIDS2018
Dataset. It uses Mutual Information and Maximal information Based on the parameter selection corresponding features
coefficient for feature selection. Features like count packets, are identified from the dataset. Once the feature is se-
count PSH flag, total time, packet max, average length, etc. lected for specific attack detection we need to scale the
are used with a window size of t periods. Another solution features in a definite range so that results should not get
[9] discusses online method for DDoS attack detection. Being biased to larger values. For this, we have used Min-Max
a supervised solution, it expects the data to be updated Scaling technique where features are transformed in the

Authorized licensed use limited to: UNIVERSITY OF HERTFORDSHIRE. Downloaded on June 26,2023 at 12:07:46 UTC from IEEE Xplore. Restrictions apply.
126
 2021 IEEE International Conference on Advanced Networks and Telecommunications Systems (ANTS)
range [0,1]. If feature values are represented in X then
transformed value Xt is,
X − Xmin
Xt =
Xmax − Xmin
2) Model Building
The main objective of this stage is to build the unsu-
pervised model and generate the statistical features for
attack detection. To reduce the search space we require to
combine similar points of records together into multiple
groups. We perform the clustering for this purpose and
generate optimum cluster by analyzing the clustering
quality using various evaluation measures like Purity,
Homogeneity score, etc. After final clustering, we can
analyze that similar flow-level information is combined
together. The main objective of this step is to identify
the abnormal cluster in later stages. Once the clusters
are created we need to analyze the clusters and identify
if any attack cluster exists with differentiating behavior.
Profile Generation is executed to build the statistical
insights from clustering which is an important step to
compute the statistical features for every cluster. These
statistical features are computed on each identified cluster
and consist of various 1D and 2D features as described
in table II. Let Fi and Fj are two features with value set
as X <x1 , x2 , ...xn >and Y <y1 , y2 , ...yn >.
Dimension Feature Formula
n
1X
1D Mean µx = xi
n i=1
n threshold to identify the attack. The overall complexity of
1X
Variance σx2 = (xi − µx )2
n i=1
X ·Y
2D Cosine 1−
|X||Y |
Distance Pn
(xi − µx )(yi − µy )
Correlation 1 − i=1
σx · σy
Distance
TABLE II
L IST OF S TATISTICAL F EATURES
After this process, each of the generated features Vi
is named as <Si -Fi >Where Si represents a statistical
parameter and Fi represents feature or group of features
on which it is computed as based on statistical feature.
Once the statistical features are computed cluster is
represented in vector format as V which is called cluster
profile as represented in table III. Profile generation is an
important step that is used to map the clusters in vector
representation which is further used to identify the attack.
3) Attack Detection
Attack Detection is the main stage to identify if any
attack activity is present at the current time window.
Once the cluster profiles are generated attack detection
procedure follows to compute the inter-cluster distance
among every pair of cluster. These distances are com-
puted individually among created profile parameters and
summed up together to compute the total distance as
Authorized licensed use limited to: UNIVERSITY OF HERTFORDSHIRE. Downloaded on June 26,2023 at 12:07:46 UTC from IEEE Xplore. Restrictions apply.
represented in the equation 2. We consider the modulus
value of the computed distance because some of the
features affect positively and others affect negatively in
(1) terms of statistical distance.
N
X
Dij = |V i − V j | (2)
n=1
For N different clusters total (N 2 −N ) different distances
are computed among every pair of cluster. The maxi-
mum of the computed distance is compared with defined
threshold θ. If the magnitude of distance is greater than
θ attack is notified. Threshold value is adjusted based on
administrator input on the outcome of the last N window
results. It can also be updated based on requirement of
reducing false positives or false negatives.
C. Algorithm
The proposed algorithm involves multiple stages of execu-
tion as described earlier. These stages impart a specific role
in the overall process. Flow level records at a particular time
window ∆t and distance threshold θ are provided as input to
the algorithm. On this subset of flow records, required features
are selected and scaled at an early stage. Further clustering
is performed to represent a group of similar points. At a
later stage, statistical features are computed on each cluster
to generate a cluster profile. Now objective is to identify
the maximum distance attained among pairs of clusters. This
maximum distance is matched with a predefined distance
the proposed algorithm is (O(N log(N )) + O(C 2 )) where N
is number of data points in time slot t and C is the number of
clusters created from data, if DBSCAN algorithm is used for
clustering which has worst case complexity as O(N log(N )).
The whole process is explained as below in the algorithm 1
IV. E XPERIMENTATION R ESULTS
A. DataSet
We used CICIDS-2018 Dataset [14] to train and test the
proposed attack detection system. This is the recent dataset
developed at the Canadian Institute of Cybersecurity in which
records are collected over testbed with networking infras-
tructure containing 50 attacking machines and the victim
organization has 5 departments and includes 420 machines and
30 servers. FTP-Patator and SSH-Patator tools [12] are used
for performing brute force attacks. LOIC tool is used for DDoS
attack. Flows are captured using CICFlowMeter-V3 [7]. In
total 7 different types of attacks are captured at different dates.
We only selected the data for which FTP BruteForce attack
and HTTP DDOS attack are performed along with Benign
traffic as shown in the table V.
B. Implementation
We utilized flow level data captured on 14-02-2018 & 20-
02-2018 specifically for FTP brute force attack and Http DDoS
attack. We do not require the associated label information
127
 2021 IEEE International Conference on Advanced Networks and Telecommunications Systems (ANTS)

Cluster No. Mean- Var- Mean- Var- Cor- Cosine-

FwdSegSize FwdSegSize FwdPkts/s BwdPkts/s FwdSegSizeMin-FwdSegSizeMin-
Min Min FwdPkts/s FwdPkts/s
1 0.0 0.2 0.007 0.1 0.02 0.2
2 0.62 0.1 0.009 0.2 0.02 0.7

TABLE III
S AMPLE P ROFILE

Algorithm 1: ALGORITHM Attack Feature Explanation

FTP Fwd Seg Size Min Segment size in forward direc-
Input : Dataset at time window T as collection of
Brute- Min tion
flow level records with n attributes Fi where
Force
1 ≤i≤ n , Distance Threshold θ
Output: Attack or Benign Fwd Pkts/s Packets per sec in forward direction
1: Select feature set F for specific attack identification.
Bwd Pkts/s Packets per sec in backward direc-
2: Fscaled ←MIN-MAX-SCALING(F)
tion
3: Clusters C ←CLUSTERING (Fscaled ) Pkt Size Avg Average packet size
4: Initialize Profile set as V Fwd Pkt Len Standard Deviation of packet
5: Select 1D and 2D statistical feature set as S Std length in forward direction
6: for Ci ∈ C do Bwd Pkt Len Standard Deviation of packet
7: Initialize Profile vector as V i Std length in backward direction
8: for Sj ∈ S do HTTP Tot Fwd Pkts Total packets in forward direction
9: Vi ←STATISTICAL-FEATURE-COMPUTATION DDoS
(Fscaled , Sj ) Tot Bwd Pkts Total packets in backward direction
10: end for TotLen Fwd Total length of packets in forward
11: Append Profile V i ← Vi Pkts direction
12: end for TotLen Bwd Total length of packets in backward
13: Initialize distance array as D Pkts direction
14: for V i ∈ P do Fwd IAT Tot Total Inter-arrival time in forward
15: for V j ∈ P do direction
16: Dij ←DISTANCE-COMPUTATION (V i , V j ) Bwd IAT Tot Total Inter-arrival time in backward
17: Add Dij to D direction
18: end for Fwd Pkts/s Packets per sec in forward direction
19: end for Bwd Pkts/s Packets per sec in backward direc-
20: Dmax ← M AX − DIST AN CE(D) tion
21: if Dmax >θ then
end TABLE VI
FEATURES
22: return Attack else
end
23: return Benign clusters. This helps us to separate out the noise cluster which
can be avoided in distance estimation. We used Python ML
Class Records Class Records package i.e. scikit-learn [2] for the implementation.
Benign 667626 Benign 7372557
FTP- 193360 HTTP- 576191
BruteForce DDoS C. Performance Metrics

TABLE V
ATTACK DATASET
to start the process. The complete implementation is done
on Mac OS with 6 core intel core i7 processor with 16
GB RAM. Feature selection is performed based on attack
property as described earlier. Table VI provides the details on
selected features for each type of attack detection. We used
the DBSCAN Clustering algorithm [4] for the generation of
1) Clustering Metrics: We used labels from the data set for
the computation of clustering measures. These measures also
help us to select the best hyperparameters for clustering.
(a) Purity Score: Purity score is calculated based on the
number of correctly matched class and cluster labels
divided by the number of total data points. Score is
bounded between [0, 1]. Higher score denotes the better
clustering. Let N =Number of data points, K=Number of
clusters, Ci is a cluster in C, and Tj is the classification

Authorized licensed use limited to: UNIVERSITY OF HERTFORDSHIRE. Downloaded on June 26,2023 at 12:07:46 UTC from IEEE Xplore. Restrictions apply.
128
 2021 IEEE International Conference on Advanced Networks and Telecommunications Systems (ANTS)

which has the max count for cluster Ci , Window Size Purity Score Homogeneity Score
K
2 min. 0.99 0.99
1 X 1 min. 0.99 0.97
purityscore = maxj |Ci ∩ Tj | (3)
N 1 30 sec. 0.98 0.96
15 sec. 0.98 0.93
(b) Homogeneity Score: Homogeneity score measures
whether a cluster contains only members of a single
class. Homogeneity score is bounded between [0, 1]. A TABLE VIII
C LUSTERING R ESULTS : FTP B RUTE F ORCE
higher score denotes better clustering.
We compute the mean of the above scores for a group of Window Size Purity Score Homogeneity Score
clusters identified at a time slot. In our proposed approach 2 min. 0.86 0.68
we also require each cluster to have a single class of 1 min. 0.87 0.71
examples and a higher purity score. 30 sec. 0.89 0.73
2) Classification Metrics: To estimate the performance of 15 sec. 0.93 0.82
the algorithm we need to estimate performance in terms of
precision, recall, f1-score, and accuracy metrics as described TABLE IX
below in table VII. We used timestamps to identify the event C LUSTERING R ESULTS : HTTP DD O S
i.e. attack or benign, associated with each window according to
the dataset. Let TP represents the True Positive, TN represents
the True Negatives, FP represents the False Positives and FN the detection performance we divided time range into multiple
represents the False Negatives. different slots based on window size and estimated the results
based on attack time duration. Overall classification metrics
Metrics Description Formula calculations are based on 2-class (Benign or Attack) classifi-
TP cation results. Threshold value 2.5 is used for FTP Brute Force
Precision Percentage of at-
TP + FP attack detection and value 47 is used for Http DDoS Attack
tacks detected out
of total outcomes detection. Detection results are represented in table X and XI
TP respectively with varying window size.
Recall Percentage of at- 2) Time Window Selection: A proper time window needs
TP + FN
tacks detected out to be selected for processing the results in an estimated time
of total attacks depending upon the flow arrival rate. We estimated time taken
2∗P ∗R
F1- Harmonic mean of for each batch to process for varying window size as shown
P +R in table XII & table XIII respectively. We see that per batch
Score precision P and re-
call R execution time is reduced on taking smaller window size
TP + TN and from the detection performance results, it is evident that
Accuracy Prediction
TP + FP + TN + FN reducing the window size after a certain point reduces the
Accuracy is for the
overall classification metrics. This can help us to select the
build model
optimum window size based on flow arrival rate. For HTTP
DDoS attack, processing time is larger than FTP Brute Force
TABLE VII
C LASSIFICATION M ETRICS
Window Precision Recall F1-score Accuracy
Size
D. Results and Analysis 2 min. 97% 81% 88% 88%
1) Detection Performance: We evaluated the detection per- 1 min. 98% 85% 91% 91%
formance of proposed method for FTP Brute Force and Http 30 sec. 98% 93% 95% 95%
DDoS Attack individually. As per CICIDS-2018 dataset, FTP 15 sec. 95% 87% 91% 90%
Brute Force attack is performed from 10:32 am till 12:09 pm
on 14-02-2018. We took data from 10:00 am till 1:00 pm TABLE X
time considering first 30 min and last 30 min as the Benign C LASSIFICATION R ESULTS : FTP B RUTE F ORCE
traffic. Similarly another attack Http DDoS is performed on
20-02-2018 from 10:12 am till 11:17 am time. We have taken Window Precision Recall F1-score Accuracy
data from 9:00 am till 12:30 pm to include the benign traffic Size
before and after attack. We estimated results for different 2 min. 90% 90% 90% 93%
time window size of 2 min, 1 min, 30 sec, and 15 sec. We 1 min. 91% 96% 93% 95%
used DBSCAN algorithm for clustering with configuration 30 sec. 74% 91% 81% 85%
parameters eps = 0.005 and min-sample = 10 for both the 15 sec. 54% 80% 64% 69%
attacks. Clustering evaluation metrics attained are attained
for various window sizes and shown in table VIII for FTP TABLE XI
BruteForce and table IX for HTTP DDoS attacks. To estimate C LASSIFICATION R ESULTS : HTTP DD O S

Authorized licensed use limited to: UNIVERSITY OF HERTFORDSHIRE. Downloaded on June 26,2023 at 12:07:46 UTC from IEEE Xplore. Restrictions apply.
129
 2021 IEEE International Conference on Advanced Networks and Telecommunications Systems (ANTS)

Fig. 2. ThresholdSelection: FTP BruteForce Fig. 3. ThresholdSelection: HTTP DDoS

because of the higher volume of traffic generated during the The proposed scheme can also be extended to detect various
DDoS attack. other attacks like Denial of service, Botnet Detection, etc.
Window No. of Total Time per
Size windows Time(sec.) Batch(sec.) R EFERENCES
2 min. 89 43 0.48 [1] Mcafee report https://ir.mcafee.com/news-releases/news-release-
details/new-mcafee-report-estimates-global-cybercrime-losses-exceed-1
1 min. 177 44 0.24 (2020)
30 sec. 348 46 0.13 [2] Buitinck, L., Louppe, G., Blondel, M., Pedregosa, F., Mueller, A., Grisel,
15 sec. 674 59 0.08 O., Niculae, V., Prettenhofer, P., Gramfort, A., Grobler, J., Layton, R.,
VanderPlas, J., Joly, A., Holt, B., Varoquaux, G.: API design for machine
learning software: experiences from the scikit-learn project. In: ECML
TABLE XII PKDD Workshop: Languages for Data Mining and Machine Learning.
FTP B RUTE F ORCE : W INDOW S IZE VS T IME pp. 108–122 (2013)
[3] Dromard, J., Roudière, G., Owezarski, P.: Online and scalable unsu-
pervised network anomaly detection method. IEEE Transactions on
Network and Service Management 14(1), 34–47 (2016)
Window No. of Total Time per [4] Ester, M., Kriegel, H.P., Sander, J., Xu, X., et al.: A density-based
Size windows Time(sec.) Batch(sec.) algorithm for discovering clusters in large spatial databases with noise.
2 min. 91 884 9.71 In: kdd. vol. 96, pp. 226–231 (1996)
[5] Ippoliti, D., Jiang, C., Ding, Z., Zhou, X.: Online adaptive anomaly
1 min. 181 524 2.89 detection for augmented network flows. ACM Transactions on Au-
30 sec. 358 405 1.13 tonomous and Adaptive Systems (TAAS) 11(3), 1–28 (2016)
15 sec. 693 404 0.58 [6] Lakhina, A., Crovella, M., Diot, C.: Mining anomalies using traffic
feature distributions. ACM SIGCOMM computer communication review
35(4), 217–228 (2005)
TABLE XIII [7] Lashkari, A.H., Draper-Gil, G., Mamun, M.S.I., Ghorbani, A.A.: Char-
H TTP DD O S : W INDOW S IZE VS T IME acterization of tor traffic using time based features. In: ICISSp. pp. 253–
262 (2017)
[8] Liao, J., Teo, S.G., Kundu, P.P., Truong-Huu, T.: Enad: An ensemble
3) Threshold Selection: Threshold plays a vital role in framework for unsupervised network anomaly detection
getting the good results. To decide the threshold we need to [9] Lima Filho, F.S.d., Silveira, F.A., de Medeiros Brito Junior, A., Vargas-
check the performance metrics at various thresholds. We select Solar, G., Silveira, L.F.: Smart detection: an online approach for
dos/ddos attack detection using machine learning. Security and Com-
the min and max distance achieved for a specific time window munication Networks 2019 (2019)
size of 2 min and estimated the metrics. We select the threshold [10] Lyon, G.F.: Nmap network scanning: The official Nmap project guide
which results on best performance metrics identified as 2.5 for to network discovery and security scanning. Insecure. Com LLC (US)
(2008)
FTP Brute Force and 47 for HTTP DDoS attacks as shown in [11] Mirsky, Y., Doitshman, T., Elovici, Y., Shabtai, A.: Kitsune: an ensemble
figure 2 & 3. of autoencoders for online network intrusion detection. arXiv preprint
arXiv:1802.09089 (2018)
[12] Patator: Ftp patator and ssh patator https://github.com/lanjelot/patator
V. C ONCLUSION AND F UTURE W ORK [13] Sauter, M.: “loic will tear us apart”: The impact of tool de-
We presented an online approach for attack detection which sign and media portrayals in the success of activist ddos at-
tacks. American Behavioral Scientist 57(7), 983–1007 (2013).
works in an unsupervised manner. The proposed system re- https://doi.org/10.1177/0002764213479370
duces the overhead of labeling every network flow data. The [14] Sharafaldin, I., Lashkari, A.H., Ghorbani, A.A.: Toward generating a
administrator can decide the threshold based on networking new intrusion detection dataset and intrusion traffic characterization.
(2018)
scenarios and the kind of attack that needs to be detected. Our [15] Shi, Z., Li, J., Wu, C., Li, J.: Deepwindow: An efficient method
implementation of intrusion detection is based on the latest & for online network traffic anomaly detection. In: 2019 IEEE 21st
representative flow level dataset. The current approach does International Conference on High Performance Computing and Com-
munications; IEEE 17th International Conference on Smart City;
not require the previous context of time windows that allows IEEE 5th International Conference on Data Science and Systems
it to execute independently for each time step. In the future, we (HPCC/SmartCity/DSS). pp. 2403–2408. IEEE (2019)
plan to extend the strategy to include context for improvement. [16] Yaltirakli, G.: Slowloris. https://github.com/gkbrk/slowloris (2015)

Authorized licensed use limited to: UNIVERSITY OF HERTFORDSHIRE. Downloaded on June 26,2023 at 12:07:46 UTC from IEEE Xplore. Restrictions apply.
130