Anomaly detection in network traffic based on connection-specific profiling

Thumbnail Image
Journal Title
Journal ISSN
Volume Title
Perustieteiden korkeakoulu | Master's thesis
Security and Cloud Computing
Degree programme
Master’s Programme in Security and Cloud Computing (SECCLO)
Recent studies have shown that a number of network attacks that were used to target mainframes and personal computers are now being directed towards mobile devices. The ever-evolving nature of mobile attacks, coupled with the growing number of new vulnerabilities in mobile platforms poses a challenge to the security of mobile networks and devices. The intrusion detection systems based on attack signature fail to detect novel attacks or anomalies. In such scenarios, an anomaly-based detection approach is a necessary security measure against previously unknown attacks. Machine learning methods have been widely used in anomaly detection in various domains including network intrusion detection, credit card fraud detection, etc. In this work, we utilise machine learning algorithms for anomaly detection in mobile network traffic. We choose an unsupervised algorithm that does not require a labelled dataset. We define a connection as the flow instance using a particular combination of protocol type and network port. We observe that the network data comprises a variety of connections, each of which follows a different profile. We illustrate an anomaly detection approach, which is based on connection-specific profiling of network data. We develop the profile of each connection using the isolation forest model. We provide the evaluation of our approach using two use-cases of mobile traffic data with identified anomalies. The result illustrates that our approach works best when the distribution of anomalies in the incoming network traffic is similar to the distribution of anomalies in the learned profile. Our model achieves more than 95% F-1 measure in both use-cases. Even though our model is sensitive to the model parameters, it performs very well with the same distribution of anomalies in the new network traffic.
Aura, Tuomas
Thesis advisor
Reijonen, Joel
Slavov, Kristian
anomaly detection, mobile networks, network security, machine learning
Other note