Network traffic anomaly detection model based on feature grouping and multi‐autoencoders integration

Abstract This paper presents a network traffic anomaly detection model based on feature grouping and multiple autoencoders (multi‐AEs) integration. This model comprises four modules: feature grouping module, feature learning module, AUC and optimal threshold calculation module, and anomaly detection application module. In the feature grouping module, multiple group features are constructed by selecting the different features according to their attributes and variances. In the feature learning module, the group features of normal traffic are learned based on multi‐AEs. In the AUC and optimal threshold calculation module, the AUC of each AE is calculated according to the ROC curve of the verification data, and the optimal thresholds for each AE are determined using the Youden index. In the anomaly detection application module, the AEs that participated in fusion are selected and their weights are calculated by analysing AUC value, and the scores of unknown traffic in each AE are evaluated considering both the reconstruction error distribution and the optimal threshold. Finally, the anomaly detection result can be obtained by the fusion of these multiple scores. Through validation on the UNSW‐NB15 and CICIDS2017 datasets, the accuracy of the proposed model is improved by 12.04% and 10.52%, respectively, compared to the baseline model.