EP-4736369-A1 - NETWORK ANOMALY DETECTION
Abstract
A method comprising accessing network traffic data collected from a node in a core of a communications network; computing an encoding of the network traffic data by processing the network traffic data using an adversarially trained encoder; concatenating the encoding with the network traffic data to form an input; classifying the input as benign or anomalous; and in response to a classification of anomalous, triggering a security action.
Inventors
- ZIA, Muhammad Fahad
- KALIDASS, Sri Harish
Assignees
- British Telecommunications public limited company
Dates
- Publication Date: 20260506
- Application Date: 20240607
Claims (15)
- 1. A computer implemented method comprising: accessing network traffic data collected from a node in a core of a communications network; computing an encoding of the network traffic data by processing the network traffic data using an adversarially trained encoder; concatenating the encoding with the network traffic data to form an input; classifying the input as benign or anomalous; and in response to a classification of anomalous, triggering a security action.
- 2. The method of claim 1 comprising computing the encoding of the network traffic data by processing the network traffic data using an adversarially trained encoder and bypassing a decoder and a critic that was used to adversarially train the encoder.
- 3. The method of any preceding claim wherein the network traffic data excludes raw packet data.
- 4. The method of any preceding claim wherein the network traffic data comprises internet protocol traffic statistics.
- 5. The method of any preceding claim wherein classifying the input comprises using a trained decision tree.
- 6. The method of any preceding claim wherein classifying the input comprises using extreme gradient boosting.
- 7. The method of any preceding claim comprising triggering a security action by one or more of: automatically isolating a node of the communications network, sending an alert message to an operator, automatically deactivating a node of the communications network.
- 8. The method of any preceding claim comprising training a classifier using supervised learning and using the trained classifier to carry out the classifying.
- 9. The method of any preceding claim comprising training the encoder using a loss function that takes into account a critic score and a reconstruction error.
- 10. The method of any preceding claim comprising training the encoder using training data comprising only benign network traffic data.
- 11. An apparatus comprising: a processor; a memory storing network traffic data collected from a node in a core of a communications network; an adversarially trained encoder; a classifier; wherein the memory stores instructions which when executed on a processor: encode the network traffic data using the adversarially trained encoder to produce an encoding; concatenate the encoding with the network traffic data to form an input; classify the input as benign or anomalous using the classifier; and in response to a classification of anomalous, trigger a security action.
- 12. The apparatus of claim 11 absent a decoder and wherein the network traffic data excludes raw packet data.
- 13. The apparatus of claim 11 wherein the classifier is a decision tree implementing extreme gradient boosting.
- 14. The apparatus of claim 11 wherein the instructions comprise training the encoder using only benign network traffic data.
- 15. A communications network comprising the apparatus of any of claims 11 to 14.
Description
NETWORK ANOMALY DETECTION

[0001] The present disclosure relates to network anomaly detection for use in communications networks.

BACKGROUND

[0002] There has been a sharp increase in communications devices such as smart phones, smartwatches and other devices connected to communications networks. There has also been an increase in the number of network intrusion and cyberattack incidents across the globe. Undetected threats on a communications network have severe impacts and consequences such as data loss, decline in an organisation's reputation, and potential loss of essential or emergency communications network services.

[0003] The early detection and identification of anomalies, which are often threats, is key to keeping a communications network protected, since early detection and identification enables action to be taken that reduces the impact of any attacks or avoids them completely. Recent technical advancements and access to technologies by cyber criminals have made it easier to orchestrate a devastating attack on a vulnerable communications network. Threats such as advanced persistent threats and denial of service attacks (DDoS) can easily propagate through traditional security systems and remain undetected.

[0004] The examples described herein are not limited to examples which solve problems mentioned in this background section.

SUMMARY

[0005] Examples of preferred aspects and embodiments of the invention are as set out in the accompanying independent and dependent claims.

[0006] This Summary is provided to introduce a selection of concepts in a simplified form that are further described below in the Detailed Description. This Summary is not intended to identify key features or essential features of the claimed subject matter, nor is it intended to be used to limit the scope of the claimed subject matter.
[0007] A first aspect of the disclosed technology comprises a computer implemented method comprising: accessing network traffic data collected from a node in a core of a communications network; computing an encoding of the network traffic data by processing the network traffic data using an adversarially trained encoder; concatenating the encoding with the network traffic data to form an input; classifying the input as benign or anomalous; and in response to a classification of anomalous, triggering a security action. The combination of using the adversarially trained encoder and classifying the concatenation is found to give results which are more accurate than using the classifier alone, or than using a combination of the classifier and outlier mining algorithms. The combination of using the adversarially trained encoder and classifying the concatenation is found to be more resilient to a decrease in the amount of labelled data available for training than using the classifier alone. The combination of using the adversarially trained encoder and classifying the concatenation is found to have a low inference time.

[0008] In some examples, the encoding of the network traffic data is computed by processing the network traffic data using an adversarially trained encoder and bypassing a decoder and a critic that were used to adversarially train the encoder. As a result, the deployment of an anomaly and threat detector is more compact than deployments which include a decoder. In addition, inference time is reduced since the decoder is absent from the inference process.

[0009] In various examples, the network traffic data excludes raw packet data. Excluding raw packet data improves security and also improves efficiency.

[0010] In various examples, the network traffic data comprises internet protocol traffic statistics. Using internet protocol traffic statistics is found to give accurate performance and thus improves security of a communications network.
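The inference path of paragraphs [0007] to [0010] and the supervised classifier and security actions of claims 5 to 8, written out as an added pure-Python illustration that is not code from the patent. The feature layout of the IP traffic statistics, the encoder weights, the labelled samples, the node name and the isolation policy are all constructed assumptions, and a one-split decision stump trained on the concatenated input stands in for the extreme-gradient-boosting ensemble.

```python
import math
# Per-node IP traffic statistics, normalised to [0, 1]; no raw packet data.
FEATURES = ["pkts_per_s", "bytes_per_pkt", "syn_ratio", "unique_dst_ports"]

# Constructed encoder weights: only the encoder of the adversarially trained
# autoencoder is deployed; its decoder and critic are not loaded at inference.
ENC_W = [[0.0, 0.0, 2.0, 1.0], [1.5, -1.0, 0.0, 0.0]]
ENC_B = [-1.0, 0.0]
# Constructed labelled samples (0 = benign, 1 = anomalous); no single raw
# statistic separates the two classes cleanly, but a latent dimension does.
SAMPLES = [
    ([0.2, 0.6, 0.10, 0.1], 0), ([0.7, 0.5, 0.45, 0.0], 0),
    ([0.3, 0.7, 0.00, 0.7], 0), ([0.9, 0.1, 0.90, 0.8], 1),
    ([0.4, 0.2, 0.30, 0.9], 1), ([0.6, 0.6, 0.70, 0.3], 1),
]

def encode(stats):
    """Encoder forward pass: one tanh layer mapping 4 statistics to 2 latents."""
    return [math.tanh(sum(w * s for w, s in zip(row, stats)) + b)
            for row, b in zip(ENC_W, ENC_B)]

def build_input(stats):
    return list(stats) + encode(stats)  # raw statistics || encoding (claim 1)

def train_stump(samples):
    """Supervised learning of a one-split decision stump over the concatenated
    input (stand-in for the boosted trees); returns (feature index, threshold)."""
    X = [build_input(s) for s, _ in samples]
    y = [lab for _, lab in samples]
    best = None
    for j in range(len(X[0])):
        for thr in sorted({row[j] for row in X}):
            err = sum((row[j] > thr) != lab for row, lab in zip(X, y))
            if best is None or err < best[0]:
                best = (err, j, thr)
    return best[1], best[2]

def security_action(node, verdict, inp):
    """Claim 7 actions; the isolation threshold on syn_ratio is constructed."""
    if verdict == "benign":
        return []
    actions = ["alert operator about " + node]
    if inp[FEATURES.index("syn_ratio")] > 0.8:
        actions.append("isolate " + node)
    return actions

def detect(node, stats, stump):
    inp = build_input(stats)  # encode and concatenate
    j, thr = stump
    verdict = "anomalous" if inp[j] > thr else "benign"  # classify
    return verdict, security_action(node, verdict, inp)  # act
```

Training the stump on the constructed samples selects the first latent dimension rather than any raw statistic, which is the point of feeding the classifier the concatenation rather than the statistics alone.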
[0011] In examples, classifying the input comprises using a trained decision tree. In various examples, classifying the input comprises using a decision-tree-based classifier. Using a trained decision-tree-based classifier is found to give accurate results in an efficient manner as compared with other types of classifiers such as support vector machines, neural networks or other classifiers.

[0012] In examples, the trained decision-tree-based classifier implements extreme gradient boosting. Using extreme gradient boosting in combination with the adversarially trained encoder and the concatenated input is found to give particularly accurate results.

[0013] In examples, triggering a security action comprises one or more of: automatically isolating a node of the communications network, sending an alert message to an operator, automatically deactivating a node of the communications network. Thus by early and accurate detection of anomalies, which are often threats, it is possible to take automated mitigating action and so improve security.

[0014] In various examples, training a classifier using supervised learning and using the trained classifie