Sequence To Sequence Pattern Learning Algorithm For Real-Time Anomaly Detection In Network Traffic

2018 IEEE CANADIAN CONFERENCE ON ELECTRICAL & COMPUTER ENGINEERING (CCECE)(2018)

Abstract
Network intrusions can be modeled as anomalies in network traffic in which the expected order of packets and their attributes deviate from regular traffic. Algorithms that predict the next sequence of events based on previous sequences are a promising avenue for detecting such anomalies. In this paper, we present a novel multi-attribute model for predicting a network packet sequence based on previous packets using a sequence-to-sequence (Seq2Seq) encoder-decoder model. This model is trained on an attack-free dataset to learn the normal sequence of packets in TCP connections and then it is used to detect anomalous packets in TCP traffic. We show that on the DARPA 1999 dataset, the proposed multi-attribute Seq2Seq model detects anomalous raw TCP packets which are part of intrusions with 97% accuracy. Also, it can detect selected intrusions in real-time with 100% accuracy and outperforms existing algorithms based on recurrent neural network models such as LSTM.
Keywords
real-time anomaly detection,network traffic,network intrusions,network packet sequence,sequence-to-sequence encoder-decoder model,TCP traffic,Seq2Seq encoder-decoder model,multiattribute Seq2Seq model,sequence to sequence pattern learning algorithm