Volume 47 Issue 7
Jul.  2025
YIN Zinuo, CHEN Hongchang, MA Hailong, HU Tao, BAI Luxin. A Network Traffic Anomaly Detection Method Integrating Unsupervised Adaptive Sampling with Enhanced Siamese Network[J]. Journal of Electronics & Information Technology, 2025, 47(7): 2211-2224. doi: 10.11999/JEIT241115

A Network Traffic Anomaly Detection Method Integrating Unsupervised Adaptive Sampling with Enhanced Siamese Network

doi: 10.11999/JEIT241115 cstr: 32379.14.JEIT241115
Funds:  Xiong’an New Area Science and Technology Innovation Special Project (2022XAGG0111), The National Natural Science Foundation of China (62176264)
  • Received Date: 2024-12-19
  • Rev Recd Date: 2025-05-14
  • Available Online: 2025-06-03
  • Publish Date: 2025-07-22
Objective: The increasing complexity of network architectures and the rising frequency of cyberattacks have heightened the demand for effective network traffic anomaly detection. While machine learning and deep learning approaches have been widely applied, their effectiveness is often limited by the class imbalance commonly observed in network traffic data. To address this limitation, this study proposes a network traffic anomaly detection method integrating unsupervised adaptive sampling with an enhanced Siamese network. An adaptive sampling algorithm is developed to balance the distribution of normal and anomalous traffic, improving the representativeness of training data. A Siamese Multi-Layer Perceptron (SMLP) model is then trained using a robust loss function to capture both similarities and differences in traffic patterns. This architecture enhances the model’s ability to identify anomalies, particularly under class-imbalance conditions. The proposed framework provides a scalable and data-efficient approach for improving the accuracy of network anomaly detection and reinforcing cybersecurity.

Methods: The proposed K-medoids-based Adaptive Few-shot Sampling (KAFS) algorithm applies unsupervised K-medoids clustering to group traffic data within each category based on feature distributions, forming multiple subclasses. From these, a small number of representative samples are adaptively selected to construct a balanced few-shot training set. This approach maintains a proportionate representation of normal and attack traffic, reducing model bias toward the dominant normal class and ensuring more effective learning across categories. Sample quality is further improved by prioritizing representativeness during selection. For the constructed training set, a traffic anomaly detection model based on an SMLP is designed. The model’s loss function combines encoding loss from the MLP with a prediction loss defined by the distance between anchor samples and corresponding normal or malicious samples. This structure enables the model to distinguish both similarities and subtle differences in traffic behavior, thereby enhancing the accuracy of attack traffic detection.

Results and Discussions: The proposed network traffic anomaly detection method, which integrates unsupervised adaptive sampling with an enhanced Siamese network, demonstrates strong performance on the CICIDS2017 and CICIDS2018 datasets. As shown in Fig. 8, the SMLP model trained using traffic samples generated by the KAFS sampling algorithm achieves superior detection performance, confirming the effectiveness of the KAFS approach. In Fig. 9, detection accuracies of 99.80% and 98.26% are achieved for attack-class traffic in the CICIDS2017 and CICIDS2018 datasets, respectively. Evaluation metrics presented in Fig. 9 and Fig. 10 show that the proposed method consistently outperforms other Siamese network architectures and loss functions in terms of accuracy, precision, Detection Rate (DR), and F1-score, further supporting the validity of the SMLP design. As shown in Tables 4 and 6, the method attains detection performance comparable to that of state-of-the-art algorithms while using substantially fewer samples, highlighting its suitability for practical deployment where data availability may be limited. Statistical analysis of the results (Tables 5 and 8) confirms that the performance gains achieved by the proposed method are statistically significant. Fig. 11 and Fig. 12 further illustrate that the method delivers notable improvements over existing approaches in detecting unknown attack types, demonstrating its adaptability and robustness under evolving threat conditions.

Conclusions: This study addresses the challenges of sparse attack traffic and class imbalance in network traffic anomaly detection by proposing a method that combines unsupervised adaptive sampling with an enhanced Siamese network. A KAFS algorithm is designed to dynamically select representative training sets using unsupervised clustering. To enable accurate detection with limited input samples, an SMLP is developed to compute distances between traffic samples. A robust loss function is introduced, incorporating both encoding loss from the MLP and prediction loss based on the distance between anchor, normal, and malicious samples, thereby improving training efficiency. Experimental validation using the CICIDS2017 and CICIDS2018 datasets confirms the method’s effectiveness in detecting attack traffic with few samples. Future work will focus on further enhancing few-shot intrusion detection techniques to improve detection accuracy in real-world network environments.
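The sampling idea in the Methods paragraph (cluster each traffic class with K-medoids, then keep the representatives) can be sketched as follows. This is an added illustration, not the authors' KAFS code: the function names, the equal per-class budget, the one-medoid-per-subclass selection rule and the two-feature flows are all assumptions, since the abstract does not specify them.

```python
import math
import random

def kmedoids(points, k, iters=20, seed=0):
    """Alternating k-medoids; returns the indices of the k medoids."""
    medoids = random.Random(seed).sample(range(len(points)), k)
    for _ in range(iters):
        clusters = {m: [] for m in medoids}
        for i, p in enumerate(points):  # assign each flow to its nearest medoid
            clusters[min(medoids, key=lambda m: math.dist(p, points[m]))].append(i)
        # new medoid = member with the smallest total distance to its subclass
        updated = [min(members or [m], key=lambda c: sum(
                       math.dist(points[c], points[j]) for j in members))
                   for m, members in clusters.items()]
        if sorted(updated) == sorted(medoids):
            break
        medoids = updated
    return sorted(medoids)

def balanced_few_shot(flows, per_class, seed=0):
    """flows: [(feature_vector, label)]. Assumption: every class gets the same
    budget, one representative (medoid) per discovered subclass."""
    by_label = {}
    for vec, label in flows:
        by_label.setdefault(label, []).append(vec)
    selected = []
    for label in sorted(by_label):
        vecs = by_label[label]
        for idx in kmedoids(vecs, min(per_class, len(vecs)), seed=seed):
            selected.append((vecs[idx], label))
    return selected

def constructed_flows(seed=1):
    """Constructed sample: 300 normal vs 12 attack flows, two scaled features."""
    rng = random.Random(seed)
    def blob(cx, cy, n, label):
        return [((rng.gauss(cx, 0.05), rng.gauss(cy, 0.05)), label) for _ in range(n)]
    return (blob(0.2, 0.2, 150, "normal") + blob(0.5, 0.3, 150, "normal")
            + blob(0.8, 0.9, 6, "attack") + blob(0.1, 0.9, 6, "attack"))

if __name__ == "__main__":
    train = balanced_few_shot(constructed_flows(), per_class=4)
    for vec, label in train:
        print(label, [round(x, 3) for x in vec])
```

With a 25:1 imbalance in the constructed input, the selected set holds four real flows per class, each the medoid of one subclass, so no synthetic samples are generated.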
