Network intrusion detection using machine learning on resource-constrained edge devices

This paper addresses the problem of anomaly detection in univariate unbalanced time series, where most anomalies are collective anomalies. It investigates a semi-supervised approach based on autoencoders, including three different versions: Feed-forward Autoencoder (AE), Convolutional Neural Network Autoencoder (CNN-AE), and Long-short Term Memory Autoen-coder (LSTM-AE). The reconstruction error of an autoencoder is used to perform the anomaly detection task. If the reconstruction error is higher than a certain threshold, the data point is considered anomalous. Four distinct methods to select this threshold are proposed and evaluated. The threshold selection method which optimizes over both point and collective anomalies showed the best results. In addition, comparative analyzes are conducted among various autoencoder versions, as well as against simple baseline models. The performance of the AE versions is evaluated with different window sizes and threshold selection methods. The feed-forward AE was the best option every time, except for the largest window size tested, where LSTM-AE and CNN-AE are slightly better.