Towards a multi‐layers anomaly detection framework for analyzing network traffic
Author(s) - Li Bo, Zhang Simin, Li Ke
Publication year - 2016
Publication title - Concurrency and Computation: Practice and Experience
Language(s) - English
Resource type - Journals
SCImago Journal Rank - 0.309
H-Index - 67
eISSN - 1532-0634
pISSN - 1532-0626
DOI - 10.1002/cpe.3955
Subject(s) - computer science , data mining , constant false alarm rate , anomaly detection , redundancy (engineering) , naive bayes classifier , intrusion detection system , artificial intelligence , pattern recognition (psychology) , false alarm , support vector machine , machine learning , operating system
Summary - Anomaly detection plays a crucial part in identifying unforeseen attacks in network and information security. However, the accuracy of existing network anomaly detection approaches is limited by the lack of sufficient, high-quality features. Most research works take information from only one network layer into account, so key features of the other network layers are omitted. To address this issue, we propose a novel approach, named Multi-Layers Anomaly Detection (MLAD), which extracts and combines features from different network layers. In order to reduce the redundancy and noise introduced by combining multiple layers, an algorithm called RanPF is designed by applying principal component analysis (PCA) to the random forest (RF) algorithm. RanPF uses the features selected by PCA to decide the height of every tree in the RF and provides a method for selecting which features each tree node uses according to the weights of the principal components. To obtain high-quality features, we adopt an attribute learning mechanism: Naive Bayes is used to characterize the attribute information, which is fast and simple compared with other learning algorithms such as SVM. In addition, a series of experiments conducted on two real-life datasets demonstrates that our approach outperforms state-of-the-art methods in terms of detection rate and false alarm rate. MLAD achieves about 99% detection rate and about 0.6% false alarm rate on average when the ratio of the training set is 60%. Copyright © 2016 John Wiley & Sons, Ltd.