
Unsupervised Anomaly Detection in NSL-KDD Using $β$-VAE: A Latent Space and Reconstruction Error Approach

Dylan Baptiste, Ramla Saddem, Alexandre Philippot, François Foyer

TL;DR

An unsupervised approach to anomaly detection in network traffic using $\beta$-Variational Autoencoders on the NSL-KDD dataset is explored, leveraging the latent space structure by measuring distances from test samples to the training data projections, and using the reconstruction error as a conventional anomaly detection metric.

Abstract

As Operational Technology increasingly integrates with Information Technology, the need for Intrusion Detection Systems becomes more important. This paper explores an unsupervised approach to anomaly detection in network traffic using $β$-Variational Autoencoders on the NSL-KDD dataset. We investigate two methods: leveraging the latent space structure by measuring distances from test samples to the training data projections, and using the reconstruction error as a conventional anomaly detection metric. By comparing these approaches, we provide insights into their respective advantages and limitations in an unsupervised setting. Experimental results highlight the effectiveness of latent space exploitation for classification tasks.

Paper Structure (13 sections, 5 equations, 4 figures, 2 tables, 2 algorithms)

This paper contains 13 sections, 5 equations, 4 figures, 2 tables, 2 algorithms.

Figures (4)

  • Figure 1: Mean AUROC of $\mathcal{L}_{rec}$-classification and $\mathcal{Z}_{k}$-classification with variables $\beta$ and $k$
  • Figure 2: ROC curves for the binary classification task with $\mathcal{L}_{rec}$-classification and $\mathcal{Z}_k$-classification
  • Figure 3: ROC curves on $X_{test}$ and $X_{attack}$ with $\mathcal{L}_{rec}$-classification and $\mathcal{Z}_{5000}$-classification, per attack class
  • Figure 4: Distribution of $\mathcal{Z}_{5000}$-classification and $\mathcal{L}_{rec}$-classification on $X_{test}$ and $X_{attack}$. Blue points are classified as normal, purple as Probe, orange as DoS, green as U2R, and red as R2L. The distribution of each category is represented as a density on the opposing axes.