Impact of generative adversarial networks on netflow-based traffic classification

Abstract

Long-Short-Term Memory (LSTM) networks can process sequential information and are a promising approach towards self-learning intrusion detection methods. Yet, this approach requires huge amounts of barely available labeled training data with recent and realistic behavior. This paper analyzes if the use of Generative Adversarial Networks (GANs) can improve the quality of LSTM classifiers on flow-based network data. GANs provide an opportunity to generate synthetic, but realistic data without creating exact copies. The classification objective is to separate flow-based network data into normal behavior and anomalies. To that end, we build a transformation process of the underlying data and develop a baseline LSTM classifier and a GAN-based model called LSTM-WGAN-GP. We investigate the effect of training the LSTM classifier only on real world data and training the LSTM-WGAN-GP on real and synthesized data. An experimental evaluation using the CIDDS-001 and ISCX Botnet data sets shows a general improvement in terms of Accuracy and F1-Score, while maintaining identical low False Positive Rates.