Marrying Graph Kernel with Deep Neural Network: A Case Study for Network Anomaly Detection

  • Yepeng Yao
  • Liya Su
  • Chen Zhang
  • Zhigang LuEmail author
  • Baoxu Liu
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11537)


Network anomaly detection has caused widespread concern among researchers and the industry. Existing work mainly focuses on applying machine learning techniques to detect network anomalies. The ability to exploit the potential relationships of communication patterns in network traffic has been the focus of many existing studies. Graph kernels provide a powerful means for representing complex interactions between entities, while deep neural networks break through new foundations for the reason that data representation in the hidden layer is formed by specific tasks and is thus customized for network anomaly detection. However, deep neural networks cannot learn communication patterns among network traffic directly. At the same time, deep neural networks require a large amount of training data and are computationally expensive, especially when considering the entire network flows. For these reasons, we employ a novel method AnoNG to marry graph kernels to deep neural networks, which exploits the relationship expressiveness among network flows and combines ability of neural networks to mine hidden layers and enhances the learning effectiveness when a limited number of training examples are available. We evaluate the proposed method on two real-world datasets which contains low-intensity network attacks and experimental results reveal that our model achieves significant improvements in accuracies over existing network anomaly detection tasks.


Network anomaly detection Deep neural network Graph kernel Communication graph embedding 



This research is supported by the National Natural Science Foundation of China (No. 61702508, No. 61802394, No. 61802404) and strategic priority research program of CAS (No. XDC02040100, No. XDC02030200, No. XDC02020200). This research is also supported by Key Laboratory of Network Assessment Technology, Chinese Academy of Sciences and Beijing Key Laboratory of Network Security and Protection Technology. We thank the anonymous reviewers for their insightful comments on the paper.


  1. 1.
    Alom, M.Z., Bontupalli, V., Taha, T.M.: Intrusion detection using deep belief networks. In: 2015 National Aerospace and Electronics Conference (NAECON), pp. 339–344. IEEE (2015)Google Scholar
  2. 2.
    Alrawashdeh, K., Purdy, C.: Toward an online anomaly intrusion detection system based on deep learning. In: 2016 15th IEEE International Conference on Machine Learning and Applications (ICMLA), pp. 195–200. IEEE (2016)Google Scholar
  3. 3.
    Borgwardt, K.M., Kriegel, H.P.: Shortest-path kernels on graphs. In: Fifth IEEE International Conference on Data Mining (ICDM 2005), p. 8 IEEE (2005)Google Scholar
  4. 4.
    Chawla, A., Lee, B., Fallon, S., Jacob, P.: Host based intrusion detection system with combined CNN/RNN model. In: Proceedings of Second International Workshop on AI in Security (2018)Google Scholar
  5. 5.
    Chiu, C., Zhan, J.: Deep learning for link prediction in dynamic networks using weak estimators. IEEE Access 6, 35937–35945 (2018)CrossRefGoogle Scholar
  6. 6.
    Ionut, A.: New DDoS attack method obfuscates source port data. Accessed 10 March 2019
  7. 7.
    Kim, G., Yi, H., Lee, J., Paek, Y., Yoon, S.: LSTM-based system-call language modeling and robust ensemble method for designing host-based intrusion detection systems. arXiv preprint arXiv:1611.01726 (2016)
  8. 8.
    Liaskos, C., Kotronis, V., Dimitropoulos, X.: A novel framework for modeling and mitigating distributed link flooding attacks. In: IEEE INFOCOM 2016-The 35th Annual IEEE International Conference on Computer Communications, pp. 1–9. IEEE (2016)Google Scholar
  9. 9.
    Mirkovic, J., Reiher, P.: A taxonomy of DDoS attack and DDoS defense mechanisms. ACM SIGCOMM Comput. Commun. Rev. 34(2), 39–53 (2004)CrossRefGoogle Scholar
  10. 10.
    Moustafa, N., Slay, J.: UNSW-NB15: a comprehensive data set for network intrusion detection systems (UNSW-NB15 network data set). In: 2015 Military Communications and Information Systems Conference (MilCIS), pp. 1–6. IEEE (2015)Google Scholar
  11. 11.
    Nadeem, M., Marshall, O., Singh, S., Fang, X., Yuan, X.: Semi-supervised deep neural network for network intrusion detection (2016)Google Scholar
  12. 12.
    Navarro, J., Deruyver, A., Parrend, P.: A systematic survey on multi-step attack detection. Comput. Secur. 76, 214–249 (2018)CrossRefGoogle Scholar
  13. 13.
    Orsini, F., Frasconi, P., De Raedt, L.: Graph invariant kernels. In: Twenty-Fourth International Joint Conference on Artificial Intelligence (2015)Google Scholar
  14. 14.
    Rahul, V.K., Vinayakumar, R., Soman, K., Poornachandran, P.: Evaluating shallow and deep neural networks for network intrusion detection systems in cyber security. In: 2018 9th International Conference on Computing, Communication and Networking Technologies (ICCCNT), pp. 1–6. IEEE (2018)Google Scholar
  15. 15.
    Sharafaldin, I., Lashkari, A.H., Ghorbani, A.A.: Toward generating a new intrusion detection dataset and intrusion traffic characterization. In: ICISSP, pp. 108–116 (2018)Google Scholar
  16. 16.
    Shervashidze, N., Schweitzer, P., Leeuwen, E.J., Mehlhorn, K., Borgwardt, K.M.: Weisfeiler-lehman graph kernels. J. Mach. Learn. Res. 12(Sep), 2539–2561 (2011)MathSciNetzbMATHGoogle Scholar
  17. 17.
    Yanardag, P., Vishwanathan, S.: Deep graph kernels. In: Proceedings of the 21th ACM SIGKDD International Conference on Knowledge Discovery and Data Mining, pp. 1365–1374. ACM (2015)Google Scholar
  18. 18.
    Yao, Y., Su, L., Lu, Z.: DeepGFL: deep feature learning via graph for attack detection on flow-based network traffic. In: MILCOM 2018–2018 IEEE Military Communications Conference (MILCOM), pp. 579–584. IEEE (2018)Google Scholar
  19. 19.
    Zargar, S.T., Joshi, J., Tipper, D.: A survey of defense mechanisms against distributed denial of service (DDoS) flooding attacks. IEEE Commun. Surv. Tutorials 15(4), 2046–2069 (2013)CrossRefGoogle Scholar
  20. 20.
    Zhang, M., Xu, B., Bai, S., Lu, S., Lin, Z.: A deep learning method to detect web attacks using a specially designed CNN. In: Liu, D., Xie, S., Li, Y., Zhao, D., El-Alfy, E.-S.M. (eds.) ICONIP 2017. LNCS, vol. 10638, pp. 828–836. Springer, Cham (2017). Scholar

Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  • Yepeng Yao
    • 1
    • 2
  • Liya Su
    • 1
    • 2
  • Chen Zhang
    • 1
  • Zhigang Lu
    • 1
    • 2
    Email author
  • Baoxu Liu
    • 1
    • 2
  1. 1.Institute of Information EngineeringChinese Academy of SciencesBeijingChina
  2. 2.School of Cyber SecurityUniversity of Chinese Academy of SciencesBeijingChina

Personalised recommendations