Meta-UAD: A Meta-Learning Scheme for User-level Network Traffic Anomaly Detection
Tongtong Feng, Qi Qi, Lingqi Guo, Jingyu Wang
TL;DR
Meta-UAD addresses the challenge of detecting novel, highly imbalanced, and self-similar user-level network traffic anomalies by introducing a meta-learning framework based on Meta-SGD. It leverages CICFlowMeter to extract flow-level features, reduces them from 81 to 33, and trains a K-way M-shot meta-model with a DNN backbone to rapidly adapt to unseen anomaly classes using only a few labeled examples. Experimental results on CIC-AndMal2017 and CIC-IDS2017 show substantial gains in F1-score (15%–43% over baselines) and strong cross-dataset generalization, highlighting the approach's practicality for real-world, evolving threat landscapes. The work suggests Meta-UAD can be deployed at gateway-level defenses, enabling rapid, data-efficient anomaly detection for new attack families.
Abstract
Accurate anomaly detection in user-level network traffic is crucial for network security. Existing models passively detect specific anomaly classes and rely on large labeled training sets, whereas user-level network traffic contains sizeable numbers of new anomaly classes with few labeled samples and is imbalanced, self-similar, and data-hungry in nature. Motivated by these limitations, we propose Meta-UAD, a Meta-learning scheme for User-level network traffic Anomaly Detection. Meta-UAD uses CICFlowMeter to extract 81 flow-level statistical features and removes some invalid ones using cumulative importance ranking. Meta-UAD adopts a meta-learning training structure and learns from a collection of K-way-M-shot classification tasks, so that a pre-trained model can adapt to any new class from a few samples in a few iteration steps. We evaluate our scheme on two public datasets. Compared with existing models, the results further demonstrate the superiority of Meta-UAD, with 15%–43% gains in F1-score.
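To make the K-way-M-shot task construction concrete, the following is an added example (not code from the paper or its authors) that samples one episode from imbalanced labeled flows. The function names, the `n_query` parameter, the class names and the flow values are assumptions constructed for illustration; only the 33-feature width comes from the page.

```python
import random
from collections import defaultdict

def sample_episode(flows, k_way, m_shot, n_query, rng):
    """One K-way M-shot task from (feature_vector, class_name) pairs.

    Labels are remapped to 0..K-1 per episode; n_query is an assumed parameter.
    """
    by_class = defaultdict(list)
    for features, label in flows:
        by_class[label].append(features)
    # Imbalance handling: a class is usable only if it can fill both the
    # support set (M shots) and the query set without reusing a flow.
    need = m_shot + n_query
    eligible = sorted(c for c, xs in by_class.items() if len(xs) >= need)
    if len(eligible) < k_way:
        raise ValueError(f"need {k_way} classes with >= {need} flows, "
                         f"found {len(eligible)}")
    chosen = rng.sample(eligible, k_way)
    class_index = {name: i for i, name in enumerate(chosen)}
    support, query = [], []
    for name in chosen:
        picked = rng.sample(by_class[name], need)
        support += [(x, class_index[name]) for x in picked[:m_shot]]
        query += [(x, class_index[name]) for x in picked[m_shot:]]
    rng.shuffle(support)
    rng.shuffle(query)
    return support, query, class_index

def make_constructed_flows(rng):
    """Constructed, imbalanced sample: class names and counts are made up."""
    counts = {"benign": 500, "adware": 40, "ransomware": 12,
              "scareware": 8, "rare": 3}
    flows = []
    for ci, (name, n) in enumerate(counts.items()):
        for _ in range(n):
            # 33 synthetic values per flow, matching the reduced feature count.
            flows.append(([rng.gauss(ci, 1.0) for _ in range(33)], name))
    return flows

if __name__ == "__main__":
    rng = random.Random(7)
    support, query, idx = sample_episode(make_constructed_flows(rng), 3, 5, 3, rng)
    print(idx, len(support), len(query))
```

The support set is what a meta-trained model adapts on, and the query set measures the adapted model; classes too small to fill both are excluded rather than oversampled.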
