Using Deep Learning Methods for Intrusion Detection
Application of Deep Learning Methods for Intrusion Detection

V. A. Nechakhin, B. N. Pishchik
2019 Vestnik NSU Series Information Technologies  
Intrusion detection systems (IDS) are one of the ways of ensuring information security. IDS are used to detect malicious activity on the network. The standard approach to detecting attacks is to look for specific patterns, such as byte sequences in network traffic or known malicious instruction sequences used by malware. This approach is highly efficient, but it is not able to detect attacks that have no patterns. Modern approaches to attack detection use deep learning. The purpose of this work was to explore the possibility of building a universal classifier of network traffic based on a deep neural network. For this, a recurrent autoencoder was trained on TCP packets from the CICIDS2017 dataset. During training, the neural network was a model in which the expected vector was set to be the same as the original one, and it was trained on normal traffic. The main idea was that a recurrent autoencoder trained in this way should recover anomalous traffic with a high loss. A TCP packet is considered malicious if the recovery loss is above the threshold. However, the accuracy of recovering normal TCP packets was low due to insufficient model capacity and the lack of a suitable representation learning method. After analyzing the results, we proposed an approach that can improve detection accuracy for some attacks. Based on this approach, a VAEGAN network was trained on normal network flows from CICIDS2017. The VAEGAN was used to detect malicious network flows by calculating an anomaly score for each flow; if the score is above the threshold, the flow is malicious. The VAEGAN network showed a high percentage of attack detection and an F-score of 0.933.
doi:10.25205/1818-7900-2019-17-2-114-121 fatcat:kdn7rejnjndzphy3h4vupdxbpa