Article type: Research Article
Authors: Qu, Haicheng [a],[*] | Qin, Jitao [a] | Chen, Hao [b]
Affiliations: [a] Institute of Software, Liaoning Technical University, Huludao, Liaoning 125105, China | [b] Department of Information Engineering, Harbin Institute of Technology, Harbin, Heilongjiang 150001, China
Correspondence: [*] Corresponding author: Jitao Qin, Institute of Software, Liaoning Technical University, Huludao, Liaoning 125105, China. E-mail: lgc_qinjitao@sina.com.
Abstract: In cyber anomaly detection, if the detected target is significantly different from the predefined normal network data pattern, it is considered an outlier. However, the degree of deviation from the normal model is often difficult to determine, making it difficult to effectively identify attack categories that are similar to normal network data and have small sample sizes. To address this problem, we propose a novel anomaly detection method called a comparison network (C-Net), which has a double-branch structure for a neural network. Instead of learning the correspondence between sample values and labels by neural networks, the C-Net model fits the difference values between different classes of samples and learns the correspondence between the difference values and the labels. This approach avoids the process of determining the degree of difference and addresses the problem of low attack recognition rates for attack classes that are similar to normal network data and have small sample sizes. Our model is split into the auto-encoder network and the comparison component. The former is applied to compress the normal data and detected object to collect essential features and reconstruct the input part of the network. The comparison component then uses the reconstructed input to find the difference between the normal data and the detected object. According to the degree of difference, the detected object is categorized as normal or an outlier. We performed experiments using a water storage dataset. Our model's detection rate of the Complex Malicious Response Injection (CMRI) attack category reached 95.5%, while the cyber anomaly detection algorithms based on machine learning (OCSVM, K-means, simple-One-Class, etc.) could not detect the attack. For the KDDCUP99 data, our model achieved a 99.52% detection rate in the R2L category compared to a rate of 54.62% achieved by the cyber anomaly detection algorithms based on machine learning.
Keywords: Anomaly detection, neural network, comparison network, mixups
DOI: 10.3233/IDA-184391
Journal: Intelligent Data Analysis, vol. 23, no. 6, pp. 1313-1334, 2019