Anomaly prediction of Internet behavior based on generative adversarial networks

Review of outlier prediction

Anomaly prediction is a process of detecting outliers in a dataset, and anomaly detection algorithms are widely used in security, commercial and industrial applications. Many unsupervised algorithms and DL-based methods are widely used in anomaly detection. Next, we will review the algorithms based on unsupervised learning.

The distance-based methods are used for anomaly detection successfully. Laurikkala et al. (2000) investigated informal box plots to identify outliers in medical data of real-world, and the removal of outliers increased the classification accuracy of discriminant analysis functions and the nearest neighbor method. The work of Zhang, Hutter & Jin (2009) defined a local distance-based outlier factor (LDOF) to better discover outliers with high precision and good stability. Jin et al. (2006) proposed a simple but effective method for local outliers based on a symmetric neighborhood relationship. The proposed method considers neighbors and reverses neighbors of an object when estimating its density distribution so that outliers can be presented more meaningfully.

Many scholars devote to anomaly detection for high dimensional data, for example, Rousseeuw & Van Driessen (2006) proposed a method for fast-least trimmed squares (FAST-LTS) regression for large datasets to make the LTS estimator available as a tool for analyzing large data sets and detecting outliers. Goldstein & Dengel (2012) proposed an unsupervised Histogram-based Outlier Score (HBOS) algorithm for anomaly detection that records scores in linear time.

In addition, nonparametric machine learning methods are also employed for anomaly detection. Latecki, Lazarevic & Pokrajac (2007) proposed an unsupervised algorithm for outlier detection, which used a nonparametric kernel to estimate the density of data instances to detect outliers. Kriegel, Schubert & Zimek (2008) proposed a parameter-free Angle-based Outlier Detection (ABOD) method for high-dimensional data, which performs well on high-dimensional data.

With the rapid development of DL, DL-based methods can achieve better anomaly detection with the powerful nonlinear processing of DNNs. For example, in An & Cho (2015), an anomaly detection method was proposed using reconstructed probabilities from a variational autoencoder, which is much more objective than using the reconstruction error of autoencoder and PCA-based methods. Zong et al. (2018) proposed a Deep Autoencoding Gaussian Mixture Model (DAGMM) for unsupervised anomaly detection, and their work suggests a promising direction for unsupervised anomaly detection on high-dimensional data. Zhou et al. (2021) proposed a deep support vector data description based on variational autoencoder (Deep SVDD-VAE) model to make anomaly detection with high precision.

Review of GAN applied to anomaly detection

Goodfellow et al. (2014) proposed GAN in 2014, which is an unsupervised generative model, and is also one of the most promising DL methods. GANs could model complex high-dimensional distributions of real data from our life, which suggests that they can be effective for anomaly detection (Zenati et al., 2018). As a form of unsupervised learning algorithm, GAN has been widely used in anomaly detection (Xia et al., 2022).

In the anomaly detection of physical systems, Li, Chen & Goh (2018) constructed a GAN for LSTM networks that can handle temporal signals to detect anomaly behavior of physical systems. In Hashimoto, Ide & Aritsugi (2021), GAN is used to detect visually undetectable anomalies successfully by analyzing multivariate time series of sensor data in semiconductor manufacturing. In the field of malware detection and malicious traffic detection, Amin et al. (2022) studied GAN’ application for malware detection of the Android system. Intrusion Detection System GAN (IDSGAN), a GAN-based framework, was constructed to generate adversarial malicious traffic records to attack intrusion detection systems by spoofing and evading detection. The original malicious traffic records are converted into adversarial malicious records by the generator in Lin, Shi & Xue (2018). A novel GAN-based IDS model detected unknown attacks using only normal data for in-vehicle networks in Seo, Song & Kim (2018). Rigaki & Garcia (2018) use GAN to generate network traffic to simulate other types of traffic. In particular, the approach modified the network behavior of real malware to mimic the traffic of legitimate applications to avoid detection. Fu et al. (2023) and Adiban, Siniscalchi & Salvi (2023) used GAN to accomplish anomaly detection of network.

GAN-based anomaly detection methods are employed in other application domains, including out-of-domain (OOD) sample detection. Marek, Naik & Auvray (2021) proposed Out-of-Domain GAN (OODGAN) based on Sequence GAN (SeqGAN) to detect out-of-domain data generation. An effective adversarial attack mechanism-based GAN was proposed to augment hard OOD samples and a new generative distance-based classifier was designed to detect OOD samples instead of the traditional discriminator classifier with the threshold value in Zeng et al. (2021). Furthermore, Xia et al. (2021) proposed a method named LogGAN using permutation event modeling GAN for anomaly detection, which detects log-level anomalies based on patterns. Ibrahim et al. (2020) proposed a new twist to generative models leveraging variational autoencoders as a source for uniform distributions to separate the inliers from the outliers.

The aforementioned methods achieve anomaly detection by learning the intrinsic representation of the data, and most of the referred methods are based on the classification of anomaly data. However, in the case of real-value anomaly prediction algorithms, it is necessary to learn the intrinsic representations of the data accurately to predict various outliers. Many applications require predictive models. Most approaches of anomaly detection or prediction use unsupervised algorithms, and the prediction of outliers is more challenging than anomaly classification. However, some researchers applied GAN in prediction tasks, such as the GAN-based method was used for tumor growth prediction in medical image processing by proposing a stacked 3D-GAN model named GP-GAN in Elazab et al. (2020). Experimental results showed that GP-GAN achieves state-of-the-art in glioma growth prediction tasks. Esmaeili et al. (2023) and Vyas & Rajendran (2023) used GAN to accomplish anomaly detection of medical image. Chen et al. (2021) introduced NM-GAN, an end-to-end pipeline that integrates an encode-decoder reconstruction network with a CNN-based discrimination network within a GAN-like architecture. Lee & Seok (2021) proposed a predictive probabilistic neural network model based on the conditional generative adversarial network (cGAN). By reversing the input and output of ordinary cGAN, the model can be used as a predictive model successfully. Wang, Miller & Kesidis (2023) proposed an unsupervised attack detector for DNN classifiers utilizing class-conditional GANs and modeling the distribution of clean data based on the predicted class label through an Auxiliary Classifier GAN (AC-GAN). Contreras-Cruz et al. (2023) developed the fast Anomaly Generative Adversarial Network (f-AnoGAN), a GAN architecture that exhibits superior accuracy when compared to bi-directional GAN and deep convolutional autoencoder. Qin et al. (2023) proposed a novel one-class classification-based ECG anomaly detection GAN. They innovatively integrated a bi-directional long-short term memory (Bi-LSTM) layer into the GAN architecture, and employed a mini-batch discrimination training strategy in the discriminator for synthesizing ECG signals. This approach facilitates the generation of samples that closely adhere to the data distribution of normal signals from healthy individuals, enabling the construction of a robust and generalized anomaly detector. Meng et al. (2023), Saravanan, Luo & Van Ngo (2023), and Brophy et al. (2023) also used GAN to accomplish the task of accurate time series prediction. Ma et al. (2024) used a multi-graph convolutional network (Multi-GCN) and gated recurrent unit (GRU) as the generator, revealing the hidden correlation between stock and stock time dependence. The aforementioned method demonstrates the advanced performance of GAN in prediction tasks and lays the foundation for using GAN for anomaly prediction of Internet behavior. However, there are few GAN-based methods for anomaly prediction of Internet behavior.

We propose APIBGAN to make anomaly prediction of Internet behavior. To learn a better data distribution, a data preprocessing method is designed for Internet behavior data and GAN is applied to anomaly prediction of Internet behavior and uses the data generated by the generator in GAN to predict the outliers. To facilitate the management of Internet behavior data, the outlier of Internet behavior data is defined by a number between 0 and 1 (CCF-BDCI, 2021). In this context, 0 represents normal behavior, while 1 represents abnormal behavior. The closer the outlier value is to 1, the higher the degree of abnormality of the Internet behavior, and the greater likelihood of privacy leakage. APIBGAN can also be applied in behavioral data from other domains for anomaly prediction, such as using credit card transaction information for antifraud of credit cards in financial field, using transaction data to detect “malicious buyers” in e-commerce industry, and detecting “lesions” through biological data in the biogenetic field, etc., is important.

Principle of GAN

A GAN consists of a generator G, and a discriminator D. G and D use the value function V(D, G) to learn data representation. G continuously fits the input noises z to the real data to learn the distribution of real data. D accurately discriminates whether the data is real or fake (real data is constructed the training set and fake data (generated data) is the data generated by G). Through the continuous confrontation of the two models, G eventually learns the probability distribution p_g of the generated data, which is infinitely close to the probability distribution p_data of real data. V(D, G) is shown in Eq. (1), (1)${\displaystyle \underset{G}{min}\underset{D}{max}V\left(D,G\right)=E_{x\sim p_{data}\left(x\right)}\left[logD\left(x\right)\right]+E_{z\sim p_z\left(z\right)}\left[log\left(1-D\left(G\left(z\right)\right)\right)\right],}$

where E denotes the expected distribution of the data (Goodfellow et al., 2014), D to maximize V(D, G), which is to maximize the difference between the real data and the generated data, we call the generated data from G fake data. The actual distribution D(x) is to be close to 1, while the generated distribution D(G(z)) is to be close to 0. Furthermore, G is to minimize the difference between G(z) and the real data with D(G(z)) being close to 1. The schematic of GAN is shown in Fig. 1. Real and Fake are labels for the training D, Real is denoted as 1 for the real data and Fake is denoted as 0 for the fake data, respectively.

We solve for the optimal D by maximizing V(D, G). According to Eq. (1), we obtain Eq. (2). Maximizing V(D, G) is also equal to maximizing the integration with Eq. (2) (Goodfellow et al., 2014), (2)${\displaystyle \begin{array}{c}V\left(D,G\right)=E_{x\sim P_{data}}\left[logD\left(x\right)\right]+E_{x\sim P_G}\left[log\left(1-D\left(x\right)\right)\right]\hfill \\ ={\int }_x{P}_{data}\left(x\right)logD\left(x\right)dx+{\int }_x{P}_G\left(x\right)log\left(1-D\left(x\right)\right)dx\hfill \\ ={\int }_x\left[P_{data}\left(x\right)logD\left(x\right)+P_G\left(x\right)log\left(1-D\left(x\right)\right)\right]dx.\hfill \end{array}}$

When D =D*, there exists the maximum value of V(D, G) (D* is shown in Eq. (3)). The final training criterion C(G) of D is obtained by substituting D =D*, as shown in Eq. (4), using KL scatter to represent the distribution difference (Goodfellow et al., 2014). (3)${\displaystyle D^{\ast }=\frac{p_{data}\left(x\right)}{p_{data}\left(x\right)+p_G\left(x\right)},}$ (4)${\displaystyle C\left(G\right)=\underset{D}{max}V\left(D,G\right)=-log\left(4\right)+KL\left(p_{data}\left|\right|\frac{p_{data}+p_g}{2}\right)+KL\left(p_g\left|\right|\frac{p_{data}+p_g}{2}\right).}$

The criterion for training D is to maximize the difference between the two distributions of p_data and p_g, and that for training G is to minimize the difference between the two distributions of p_data and p_g. When D* satisfies Eq. (3), the maximum value of V(D, G) can be obtained, and the virtual training standard C(G) reaches the minimum value −log4 if and only if p_g =p_data.

Internet behavior data

Problem description

Assume X = [x₁, x₂, ⋯, x_n] ∈ R^m∗nis the feature matrix of online behavior data without outliers, where x_i ∈ Rⁿis the i-th online behavior data, n is the number of online behavior data, and m is the dimension of the feature for each online behavior data (Xis used as the test set). Assume $X^{\ast }=\left[x_1^{\mathrm{\ast }},x_2^{\mathrm{\ast }},\cdots ,x_n^{\ast }\right]\in R^{\left(m+1\right)\ast n}$is the feature matrix of online behavior data with outliers, where x_i ∈ Rⁿis the i-th online behavior data, n is the number of online behavior data, m +1 is the feature dimension of the online behavior data with outliers, where the additional 1-dimensional feature is the outlier for each online behavior data (X^∗is used as the training set). The outlier is between 0 and 1 (CCF-BDCI, 2021). The closer the outlier is to 1, the more anomalous the online behavior is; the closer the outlier is to 0, the more normal the online behavior is.

Manual labeling of online behavior data is not only costly, but also is impractical for a large volume of data. Though unsupervised algorithms can save human resources, their accuracy in anomaly prediction of Internet behavior is often low. To address this challenge, an unsupervised generative model, GAN based DL, is utilized to improve the accuracy of anomaly prediction. The proposed method uses a small number of online behavior data with outliers labeled manually to train the DGGAN to obtain the fake data. After processing the data with the proposed data preprocessing algorithm, we use the three-layer FNNs to construct the generator and the discriminator. Because of the gaming between the G and D in DGGAN, DGGAN is effective for generating Internet behavioral data (fake data) with outliers, although the structure of DGGAN is simple. Then, APIBGAN uses fake data to perform anomaly prediction in a large set of online behavior data without outliers. This paper contributes to generate Internet behavioral data with outliers using DGGAN by feature extraction of Internet behavior data, which are the benchmark for anomaly prediction of Internet behavior. APIBGAN uses the unsupervised generative model GAN to train data X* without outliers and to perform real value prediction of outliers on data X with outliers to achieve anomaly prediction of Internet behavior. APIBGAN can also perform anomaly prediction for many application areas, such as anomaly prediction of a gene sequence in bioengineering and anomaly prediction of transaction records in the financial industry.

Loss function

Since D and G in GAN are gamed, the gradient update of the parameters of D and G is performed through the loss function by Adam optimizer from Kingma & Ba (2014) in our work. Therefore, the loss functions Binary Cross-Entropy Loss (BCELoss) and Mode Seeking Loss (MSLoss), which are shown in Eqs. (6) and (8), are used to train DGGAN in APIBGAN.

BCELoss is a binary cross-entropy loss function for D of the proposed method, and the loss is minimized when the actual label and output labels of D are closest. (6)${\displaystyle L_{\mathrm{BCE}}=-\frac{1}{N}\sum _{i=1}^N\left[y_{i}log\left(p_i\right)+\left(1-y_i\right)log\left(1-p_i\right)\right].}$

where y_i is the actual label for data in D, we define the label for the real data as 1 and that for the fake data as 0, p_i is the predicted label, and N is the amount of training data. When the discriminator is trained, the real data is first input to D, y_i is 1 at this time, so the loss is equivalent to the left part of Eq. (1). Then the fake data generated by G is input to D, and y_i is 0 at this time, so the loss is equivalent to the right part of Eq. (1).

MSLoss is the mode seeking loss in Mao et al. (2019), which is applied to the generator in GAN to resolve the singularity of generated data.

The diverse data is generated by the generator when L_MS is maximized. The distance between the generated data and that between the original noise is constrained by the distance function Distance so that the distance is maximized, which means that the local fit of the single pattern can be kept away so that the data output by the generator is more diversified. The absolute value-based Manhattan distance is used as the distance function for MSLoss, and the specific loss is shown in Eqs. (7) and (8), (7)${\displaystyle \begin{array}{c}\underset{G}{max}V\left(Distance\right)=\underset{G}{max}\left[\frac{Distance\left(G\left(z_1\right),G\left(z_2\right)\right)}{Distance\left(z_1,z_2\right)}\right]\hfill \\ =\underset{G}{max}\left[\frac{mean\left(abs\left(G\left(z_1\right)-G\left(z_2\right)\right)\right)}{mean\left(abs\left(z_1-z_2\right)\right)}\right],\hfill \end{array}}$ (8)${\displaystyle L_{MS}=\frac{1}{V\left(Distance\right)+\varepsilon }.}$

where z_i is the i-th noise vector, ɛis a very small number to avoid a denominator of 0.

Process of GAN-based anomaly prediction for Internet behavior

Training of DGGAN

DGGAN is used to fit a small amount of training data with outliers so that the G can generate a large amount of Internet behavior data with outliers which represents the distribution of real Internet behavior data. The data generated by G is used as a benchmark, and we can predict the outliers of the testing data by the benchmark generated by DGGAN. DGGAN uses FNNs as its structure, and the anomaly prediction based on Euclidean distance is employed to achieve anomaly prediction of Internet behavior. The detailed architecture and parameters of DGGAN are shown in Table 5. The more details and the source code for APIBGAN can be found at https://github.com/840962872/APIBGAN.

The training process of DGGAN is shown by Algorithm 1 . Before the data are input to the GAN, normalization is needed to accelerate the fitting speed. The MinMaxScaler method in Sklearn is used to normalize the input data and then input it to the DGGAN for fitting training.

Algorithm 1: Training of DGGAN

Anomaly prediction of internet behavior

APIBGAN aims to fit Internet behavior data with outliers by DGGAN. The trained G generates diverse Internet behavior data with outliers, and we use random noise as input of G to generate samples with uncertainty, which has a broader distribution than the used small real data. By setting the number of samples and inputting noise to the G, a fixed number of Internet behavior data can be generated, which defined as data_G. The test dataset of online behaviors without outliers is defined as data_X∗. The outlier of data_G is used as a benchmark to measure the similarity between data_X∗ and data_G. The data of data_G with the highest similarity to data_X∗ is taken as the predicted outlier of data_X∗. Distance-based methods can effectively discriminate the differences between benchmark and test set, so APIBGAN achieves anomaly prediction of Internet behavior. The prediction process of the outlier is shown in Algorithm 2 , and the trained G is used as the model for predicting anomalies. Figure 2 shows the framework of APIBGAN, which contains two units, the DGGAN training unit and anomaly prediction unit. The DGGAN training unit mainly trains the DGGAN to generate Internet behavior data with outliers, which is also called generated sample. The anomaly prediction unit uses the Internet behavior data generated by the trained G (G is the trained model in the DGGAN training unit) as a benchmark to calculate the similarity of the testing Internet behavior data with the benchmark to achieve anomaly prediction.

Algorithm 2: Prediction of outliers

Evaluation Metrics for anomaly prediction of Internet behavior data

RMSE is a commonly used metric to evaluate the deviation of predicted values from the actual values of a regression model, and the metrics based on RMSE are used in CCF-BDCI to evaluate the performance for anomaly prediction of Internet behavior. For this reason, we use RMSE-based metrics to evaluate the performance of APIBGAN for anomaly prediction of Internet behavior. The defined baseline result, which has the highest score in CCF-BDCI, utilizes an unsupervised method based on Isolation Forests for anomaly prediction over the entire data. However, the other unsupervised methods used in CCF-BDCI are not demonstrated except the method based on Isolation Forests in CCF-BDCI (2021).

To evaluate the proposed method of anomaly prediction, we use a score to measure the accuracy of prediction. The Score provided by CCF-BDCI is calculated based on RMSE as Eqs. (9) and (10), (9)${\displaystyle RMSE=\sqrt{\frac{\sum _{i=1}^n{\left(X_{real}-X_{predict}\right)}^2}{n}},}$ (10)${\displaystyle Score=\frac{1}{RMSE+1}.}$

where X_predict is the predicted outlier, X_real is the true outlier, and n is the number of test sets.

Experimental results

We have conducted three experiments on Internet behavior data provided by CCF-BDCI, and each experiment used different Internet behavior data. The labeled data is used as training data and the unlabeled data is used as test data. We divide the Internet behavior data into three groups: Group 1 includes the online behavior data of an individual in a department, and the data of multiple employees in the same departments and different departments are Group 2 and Group 3. In the experimental results, the predictive accuracies are retained to eight decimal places.

The scores of APIBGAN using 100 and 1,000 generated data by G for Group 1 are 0.87230913 and 0.87277953, for Group 2 0.83775343 and 0.85129635, and for Group 3 0.82936291 and 0.83470446, respectively, which are shown in Table 6, respectively. Besides, the best score of Isolation Forest in CCF-BDCI is 0.81353900 (CCF-BDCI, 2021), and the scores of APIBGAN are higher than that of the method based on Isolation Forest in CCF-BDCI (2021). From the experimental results we can see that the prediction accuracies of the data sets from the three groups have increased by 0.05%, 1.62%, and 0.6%, respectively with the generated data increased from 100 to 1,000. With the increasing amount of the generated data, we obtain higher prediction accuracies for the test sets, because GAN in APIBGAN uses random noise to generate various samples with the inherent uncertainty for both normal and abnormal Internet behavior, and a large volume of the generated samples broadens the distribution of the generated data. As the volume of generated data increases, the GAN generates diverse samples with the distribution of the real data. For 100 generated data, the accuracies of Group 1,2 are higher than that of Group 3 with 5.18% and 1.01%. For 1000 generated data, the accuracies of Group 1,2 are higher than that of Group 3 with 4.56% and 1.99%. With the Internet behavior data becoming complex from Group 1 to Group 3, it becomes hard for the G with the same structure to learn the high-level features of complex behavior data, and results in prediction accuracy decreasing. Even though, APIBGAN still makes anomaly prediction of Internet behavior effectively due to the inherent uncertainty of the generated samples.

From our experimental results and the best results in CCF-BDCI, we can draw such conclusion that it is effective to apply GAN to anomaly prediction of Internet behavior. In the future, we will research on new network structures to achieve anomaly prediction of Internet behavior, such as constructing cGAN-based networks for both the generator and discriminator to achieve anomaly prediction of Internet behavior.

The anomaly prediction scores of Internet behavior exhibit slight variations due to the different noises input into the generator in each experiment. We conducted 20 experiments to assess the performance of APIBGAN in predicting outliers compared to the baseline. The results of 20 experiments are presented in Fig. 3. As depicted in the figure, we can draw the conclusion that the APIBGAN method consistently outperforms the baseline across all 20 anomaly prediction scores of Internet behavior, despite some observed fluctuations.

Analysis for the experimental results

To explore how well the GAN fits the data, the probability density distributions of the actual and predicted outliers are visualized in Fig. 4. The same generative network model is used for generating data, the number of generated data in Figs. 4A and 4B is 100 and 1,000, respectively. The experimental results show that the prediction accuracy of small-scale and simple datasets is more accurate than large-scale and complex datasets, because the simple & small-scale data only represent specific behaviors, and the distribution of them is easy to be learned by DGGAN. The characteristics of complex & large-scale datasets are intricate, and it is difficult for DGGAN to accurately fit their Internet behavior features. However, the higher accuracy is achieved by increasing the number of the generated samples with higher computing cost. From the above analysis, we can draw the conclusions that it is effectively to apply the GAN in anomaly prediction of Internet behavior data. The proposed method can achieve higher accuracy than that of an unsupervised algorithm and predict the outliers of Internet behavior better.