Enhancing Cybersecurity Through Comparative Analysis of Deep

Learning Models for Anomaly Detection

Kate

ˇ

rina Mackov

´

a

1 a

, Dominik Benk

1

and Martin

Novicom, s.r.o., Na schodech 65/1, 140 00, Prague, Czech Republic

2

are insufficient, leading to the necessity of integrating deep learning and neural network approaches. This

paper presents a comparative analysis of the most powerful deep learning methods for such anomaly detection.

We analysed existing datasets for syslog and dataflow, compared several preprocessing methods and identified

their strengths and weaknesses. Additionally, we trained and evaluated several deep learning models to provide

a comprehensive overview of the current state-of-the-art in cybersecurity. The CNN model achieves excellent

results, with 0.999 supervised and 0.938 semi-supervised F1-score in syslog anomaly detection on the BGL

dataset and 0.985 F1-score in dataflow anomaly detection on the NIDS dataset. This research contributes to

the field of cybersecurity by aiding researchers and practitioners in selecting effective deep-learning models

for robust real-life anomaly detection systems. Our findings highlight the reusability of these models in real-

life systems.

neural network techniques for improved anomaly de-

tection.

In this paper, we present a summary of existing

datasets for syslog and dataflow and compare dif-

ferent preprocessing methods with emphasis on their

benefits and disadvantages. We compare different ap-

proaches of AI models based on the most common

deep learning methods to provide a general summary

of the current state-of-the-art in the area of cyber-

security. Moreover, we emphasized the reusability

a

https://orcid.org/0000-0001-9815-2763

b

https://orcid.org/0000-0003-0049-4381

13 datasets and different approaches to dataflow pre-

processing. We reached the best results with the CNN

model on the NIDS dataset with a 0.985 F1 score

highlighting the reusability of CNN models in real-

life systems.

2 MOTIVATION

to their accessibility and comprehensive representa-

tion of network aspects. Utilizing deep learning tech-

nologies, we can create robust systems for monitoring

network security and detecting attacks. Deep neural

networks outperform traditional methods and manual

rule creation (Chen et al., 2021), (Tang et al., 2016),

thanks to their multiple layers that efficiently handle

complex features and computational tasks.

Existing papers analyse either anomaly detection

in syslog or anomaly detection in dataflow. They

present different approaches and algorithms on sev-

eral datasets. Therefore, it is impossible to compare

their results and the methods directly. We present

a transparent analysis and comparison of existing

approaches on the most common datasets for sys-

log Loghub (He et al., 2020) and the most common

datasets for dataflow NIDS (Sarhan et al., 2021) and

clusion.

3 SYSLOG

A device, system or application performs actions with

certain parameters during its operation. The infor-

mation about these actions is stored in the system

log (syslog). Syslog is an unstructured text message

written by the programmer during the development

of a given application, system or software. It con-

sists of characteristics of the syslog source (IP, MAC,

DHCP, system information, type, name) and opera-

cess all these data and extract important information

from them to reveal possible attacks.

Most of the current experiments on anomaly detec-

tion in syslog were performed on the largest collection

of labelled and unlabeled datasets for syslog anomaly

detection LogHub (He et al., 2020) dataset which is

the only dataset used in all the related work. Unfor-

tunately, no other labelled large enough datasets were

found.

in related work but a comprehensive overview of all

combinations of the best deep learning-based meth-

ods with the best log preprocessing methods is not

available in any.

Table 1: Sizes and proportions of train and test data of indi-

vidual syslog datasets.

3.1.1 Datasets

Loghub (He et al., 2020) is a collection of 17 system

log datasets with a total size of 77GB created by a

group of scientists at the Chinese University of Hong

Kong (CUHK). Logs come from real traffic in a lab-

oratory environment from 6 different systems: dis-

tributed supercomputer systems, operating systems,

mobile systems, server applications and standalone

neural network model to learn word associations from

a large unlabelled corpus of text and creates embed-

dings keeping similar words close and distant words

far from each other.

LogAnomaly. LogAnomaly (Meng et al., 2019)

is another RNN-based model, which is similar to

DeepLog but instead of word2vec uses a tem-

learning technique based on Transformer language

sions by time, the most appropriate length was set to

be 6 hours (and 1 hour) (He et al., 2016), see Table 1

During the evaluation, some of the sessions were

too long so we also grouped all of the datasets by

fixed-length windows of 10 logs to speed up the de-

tection process. However, during the experiments, we

also tested different lengths. During training, we also

several techniques to find the most suitable for each

and randomly number them and no semantic mean-

ing of the logs is included. Log2Vec is based on

the idea of word2vec but in the context of logs in-

volving the semantics of words in the embedding cre-

ation. The emphasis is put on antonyms, synonyms

Table 2: Number of templates from train and test logs in all

syslog datasets.

Table 3: Numbers of triplets, synonyms and antonyms.

Dataset Triplets Synonyms Antonyms

BGL 423 1070 54

significant impact on anomaly detection

. We trained

the Log2Vec model for every dataset separately as

the creation of one Log2vec model for all gave very

poor results. Moreover, a special model called MIM-

ICK

was trained to predict embeddings for out-of-

vocabulary words and to generate embeddings for un-

seen logs. We computed the numbers of synonyms,

antonyms and triplets found in each dataset, see Ta-

prediction is a semi-supervised approach to predicting

the probability distribution of all logs that can follow

the given log sequence. If the observed log is different

from the top k

1

For example embeddings for TURN ON and TURN

OFF would be close in word2vec, which is not desirable

in case of logs.

2

3

Hyperparameter optimized for each dataset.

Table 4: F1 scores of all syslog experiments after selecting

the best model for each supervised setup.

techniques to find the best model for anomaly detec-

tion. We involved LSTM, CNN and Transformers

for both supervised and semi-supervised approaches.

These models were selected based on the experiments

in (Chen et al., 2021) and the extensive overview of

methods provided in (Li and Jung, 2022).

During the training process, we considered sev-

eral preprocessing methods of template creation as

described in Section 3.2.2 which we combined with

both techniques for embedding creation described in

We compared the results of the best-performing mod-

els from different combinations of setups described in

the previous section, see Table 4 and 5. In this set of

experiments, we fixed the following parameters for all

models: K = 10, strides = 1, window size = 10, and

no attention.

Datasets. The results vary a lot among the

datasets. Real-life use cases would require to se-

lection of the dataset closest to the real data. BGL

from other datasets are ambiguous: Hadoop has

very low variability in F1 score and OpenStack is

Table 5: F1 scores of all syslog experiments after selecting

the best model for each semi-supervised setup.

Regex full,

Regex content,

Sophisticated template parsing,

Cell colours: CNN, LSTM, Transformer.

very difficult to train in general

. This might also

be the reason that the literature usually employs

only BGL and HDFS 1.

in practice. Therefore, we considered a window

evaluation more suitable for the reality.

Supervised and Unsupervised. A supervised ap-

proach generally yields better results, but labelled

data is usually not available in reality. Therefore,

a semi-supervised approach should provide more

valuable insights about real performance. Even

though some of the semi-supervised models ap-

pear to be underperforming compared to (Chen

et al., 2021), we believe this can be fixed by fine-

teresting observation was that none of the sophis-

ticated parsing algorithms was universal for all

datasets. Therefore, the regular expression pars-

ing methods in reality are more suitable.

Embeddings Creation. The results when com-

paring Log2Vec and embeddings without seman-

tics are also surprising. According to (Liu et al.,

2019), Log2Vec should significantly improve the

results but as to our analysis, the results were

4

ing as suggested by experiments (Zhu et al., 2019).

nearly the same and Log2Vec only slowed the pro-

cess. Nevertheless, we still believe that Log2Vec

has a lot of exploring potential if the model is fur-

ther tuned and optimized, however, its inclusion

in reality is not suitable.

MAC addresses of source and target devices, commu-

nication ports and protocols, packet and byte sizes,

and communication start time with duration. Due to

computational demands, specific exchanged data is

excluded. Typically formatted in standardized IPFIX

or Netflow formats, parsing and preprocessing com-

plexity is significantly reduced.

4.1.2 Models

which contains 367 time series and each has a length

of 1500 dataflows. According to the results, tradi-

tional RNN and CNN approaches were significantly

outperformed by C-LSTM. We decided to employ

larger data and verify these results along with differ-

ent IP preprocessing approaches.

All the characteristic features in dataflow are numer-

ical or categorical except for IP. We preprocessed

features either by normalization

or categorization

columns independently. In the case of packets and

bytes features, we normalised both input and output

columns together using common min and max values

to preserve the relationship between those values.

Categorization. We limited the number of categories

in some features to improve the generalization of the

model. In feature protocol number (0-255), all pro-

5

8

t-numbers/service-names-port-numbers.xhtml

Table 6: Number of rows, anomalies and unique values in

dataflow datasets.

NIDS CTU-13

source port 4064 3969 4165 3969

target port 4082 3944 4010 3889

protocol 147 147 7 6

l7 protocol 127 122 - -

sum tcp flags 48 49 - -

flow duration 108417 72597 4298221 1320011

direction 21 10 6 6

label 2 2 2 2

attacks 21 10 12 12

are unassigned. The other ports were grouped based

on the first word of the name

.

IP Addresses. During the IP preprocessing, we ex-

perimented with several approaches: 1) convert each

context of IPs is learnt from other features and then

a vector embedding is calculated, grouping IPs with

similar behaviour close to each other, while keeping

IPs with distinct behaviour far away.

We created 12 numerical features for NIDS and 9

for CTU-13. Along with the binary label of whether

the flow is anomalous, we trained several AI models

for anomaly prediction. We computed the descriptive

statistics of all features from both datasets split into

train and test, see Table 6. Note that NIDS are ap-

model for anomaly prediction evaluated on CTU-13

and NIDS datasets. We used CNN, and RNN, and we

9

Inspired by (Cotton et al., 2013)

Table 7: Results of all dataflow experiments on NIDS

dataset.

Raw IP Cat IP IP2Vec

Accuracy 0.980 0.983 0.870 0.508 0.873 0.528

Precision 0.965 0.952 0.985 0.319 0.990 0.330

Recall 0.946 0.976 0.448 0.991 0.456 0.999

F1 0.956 0.964 0.616 0.483 0.625 0.496

Accuracy 0.768 0.234 0.864 0.869 0.867 0.386

Precision 0.000 0.233 0.987 0.966 0.992 0.274

Recall 0.000 0.999 0.418 0.450 0.430 0.999

Accuracy 0.986 0.985 0.986 0.983 0.993 0.989

Precision 0.970 0.958 0.989 0.959 0.994 0.955

Recall 0.970 0.979 0.952 0.970 0.976 0.999

F1 0.970 0.968 0.970 0.965 0.985 0.976

Accuracy 0.986 0.983 0.986 0.983 0.993 0.988

Precision 0.966 0.950 0.989 0.958 0.990 0.953

Recall 0.972 0.979 0.953 0.969 0.979 0.999

F1 0.969 0.964 0.970 0.964 0.985 0.976

learning methods.

Also, as we already noted, the ratio of anomalies

in both training datasets is very low. Therefore, we

included upsampling and evaluated the models with

and without it. In the case of NIDS, anomalies were

upsampled 4 times, while in CTU-13 we upsampled

all scenarios individually to balance the total number

of anomalies.

We compared the results of all neural network models

with NIDS as in (Sarhan et al., 2021) and (Kim and

Cho, 2018). With CTU-13, the results were much

worse except for models with IP2Vec, which im-

proves the results in deep-learning models up to an

F1 score and accuracy of 0.99. This demonstrates

the strong dependency on IP addresses in the CTU-

13 dataset, which is the reason why addresses are

completely excluded during training in other litera-

Table 8: Results of all dataflow experiments on CTU-13

dataset.

Raw IP Cat IP IP2Vec

Model Upsample No Yes No Yes No Yes

NN

Accuracy 0.983 0.983 0.993 0.945 0.999 0.999

Precision 0.000 0.000 0.869 0.230 0.988 0.974

Recall 0.000 0.000 0.678 0.955 0.946 0.947

F1 0.000 0.000 0.762 0.371 0.967 0.960

NN HC

Accuracy 0.983 0.017 0.993 0.907 0.999 0.999

Precision 0.000 0.017 0.851 0.149 0.993 0.958

Recall 0.000 0.999 0.693 0.954 0.945 0.979

CNN

Accuracy 0.983 0.921 0.993 0.980 0.999 0.999

Precision 0.496 0.168 0.811 0.460 0.999 0.999

Recall 0.024 0.923 0.764 0.930 0.999 0.999

F1 0.045 0.284 0.787 0.616 0.999 0.999

RCNN

Accuracy 0.983 0.912 0.988 0.980 0.999 0.999

Precision 0.528 0.154 0.869 0.453 0.999 0.999

Recall 0.049 0.927 0.365 0.932 0.999 0.999

F1 0.089 0.264 0.514 0.610 0.999 0.999

model’s learning is usually improved by balancing the

data. We are not sure about the origin of this and it

might be interesting to perform more experiments to

verify this problem.

IP Preprocessing. In all models except for sim-

ple NN, IP categorization into 6 categories helps to

achieve better results compared to keeping original

IPs as single categories. This indicates that simple

NN is strongly dependent on particular IP addresses.

IP addresses are not stable and every time one de-

life models in spite as claimed in (Ring et al., 2017).

Model Selection. Deep-learning-based methods

(CNN, RNN, RCNN) have significantly better results

in general confirming the complexity of data and the

necessity for advanced predictive models. The best

results seem to be obtained by RNN. However, the

recurrence in these is not within the following flows,

but instead, it is involved in the features in one flow

caused by the missing time information in the NIDS,

making it impossible to order the flows and evalu-

ate the dependencies among them. Therefore, we

selected CNN as the best model, it slightly over-

performs RCNN and we do not confirm the benefits

claimed in (Kim and Cho, 2018). As to the simple

NN and simple NN HC, our hypothesis with an in-

sufficient capacity of simple NN was not confirmed

5 CONCLUSION

adaptability of deep learning to evolving attacks is

crucial, enabling the processing of unstructured data,

uncovering dependencies, and enhancing attack de-

tection.

For syslog anomaly detection, key findings in-

clude segmenting log sequences into windows for in-

sightful evaluation. Preference leans towards super-

vised over semi-supervised approaches, with LSTM

In net flow anomaly detection, dataset selection is

pivotal, favoring NIDS over CTU-13 for its richer fea-

REFERENCES

He, P., Zhu, J., Zheng, Z., and Lyu, M. R. (2017). Drain: An

(DASC/PiCom/DataCom/CyberSciTech), pages 151–

bersecurity: A comprehensive review. arXiv preprint

arXiv:2107.01185.

Ring, M., Dallmann, A., Landes, D., and Hotho, A. (2017).

Ip2vec: Learning similarities between ip addresses. In

2017 IEEE International Conference on Data Mining

Workshops (ICDMW), pages 657–666.

Sarhan, M., Layeghy, S., Moustafa, N., and Portmann,

M. (2021). Netflow datasets for machine learning-

based network intrusion detection systems. In Big

Data Technologies and Applications: 10th EAI Inter-

work intrusion detection in software defined network-

ing. In 2016 international conference on wireless net-

works and mobile communications (WINCOM), pages

258–263. IEEE.

Zhang, X., Xu, Y., Lin, Q., Qiao, B., Zhang, H., Dang, Y.,

Xie, C., Yang, X., Cheng, Q., Li, Z., et al. (2019).

Robust log-based anomaly detection on unstable log

data. In Proceedings of the 2019 27th ACM Joint

Meeting on European Software Engineering Confer-

ence and Symposium on the Foundations of Software

neering in Practice, pages 121–130. IEEE.