Embed Size (px)
Citation preview
On the Usage of Generative Models for Network Anomaly Detection in Multivariate Time-Series
1
Diary
• Anomaly Detection in Multivariate Time-Series
• Generative Models
• Our Approach
• Experiments
On the Usage of Generative Models for Network Anomaly 2
Anomaly Detection in Multivariate Time-Series
On the Usage of Generative Models for Network Anomaly 3
Different univariate time series of the same system
Anomalies in an univariate time series
Anomaly Detection in Multivariate Time-Series• All univariate series as a single
multivariate series.
• A single model to detect anomalies in all series of the system. Multivariate
Model
𝑝(𝑿) Ƹ𝑝(𝑿)
⋮
On the Usage of Generative Models for Network Anomaly 4
Diary
• Anomaly Detection in Multivariate Time-Series
• Generative Models
• Our Approach
• Experiments
On the Usage of Generative Models for Network Anomaly 5
Generative Models
• Generative Adversarial Networks (GAN)
• Variational Auto-Encoders (VAE)
On the Usage of Generative Models for Network Anomaly 6
GeneratorNoise
GeneratedData
Real Data
Discriminator
Generated
Real
DecoderEncoder
Data CodeReconstructions
Diary
• Anomaly Detection in Multivariate Time-Series
• Generative Models
• Our Approach
• Experiments
On the Usage of Generative Models for Network Anomaly 7
Our Approach
• Change the data space
• Samples: matrix with n (number of variables) x T (length of sequence)
𝑛
𝑇
𝑋𝑖
On the Usage of Generative Models for Network Anomaly 8
𝑋𝑖+1
Our Approach
• Net-GAN:• Recurrent Neural Networks (LSTM)
trained through a GAN framework
Train DatasetG LS
TM
Gaussian Noise
D LSTM
01
Trainingphase
On the Usage of Generative Models for Network Anomaly 9
Our ApproachR
eal
Ge
ne
rate
d
Generator
On the Usage of Generative Models for Network Anomaly 10
Discriminator
Inp
ut
Ou
tpu
t
Normal Anomaly Anomaly
Aplicationphase
Our Approach
• Net-VAE
𝑋
𝑋∗
Alignment
𝑧
Reconstruction
On the Usage of Generative Models for Network Anomaly 11
Decoder
Encoder
Our Approach
Rea
lR
eco
nst
ruct
ed
On the Usage of Generative Models for Network Anomaly 12
Aplicationphase
Diary
• Anomaly Detection in Multivariate Time-Series
• Generative Models
• Our Approach
• Experiments
On the Usage of Generative Models for Network Anomaly 13
Experiments
On the Usage of Generative Models for Network Anomaly 14
• 51 variables• Detect close to
70% of the attacks withoutfalse alarms.
SWaT (CPS) CICIDS2017 (SYN-NET)
• 80 variables• Detect close to
93%, 100%,89%, and 78%,without falsealarms, forbotnet,infiltration,port scan, andDDos,respectively.
Authors
Gastón García González Pedro Casas Alicia Fernández Gabriel Gómez
On the Usage of Generative Models for Network Anomaly 15
Acknowledgments:
