A no el app oach o con inual and ede a ed
ne wo k anomaly de ec ion
Ped o R. Tomas12, Ped o Felix1, Luis Rosa1, And e S. Gomes1, and Luis
Co dei o1
1One Sou ce Consul o ia In o m´a ica Lda, Rua D. Jo˜ao de Cas o Lo e 12, Coimb a,
Po ugal,
{ped o. omas,ped o. elix,luis. osa,gomes,co dei o}@onesou ce.p
2Depa amen o de Engenha ia In o m´a ica, Uni e sidade de Coimb a,
Po ugal
Abs ac . Nowadays, sys ems p esen an e e -inc easing su ace a ea,
decen alised na u e o he dis ibu ed sys ems and da a p i acy con-
ce ns, among o he cha ac e is ics, making secu i y a p ima y conce n.
Being able o iden i y anomalous a ic in such challenging condi ions
while ensu ing he p i acy o he analysed da a is qui e a challenging
ask. This wo k p esen s a combina ion o a Fede a ed Lea ning-based
app oach wi h con inual lea ning using unsupe ised machine lea ning
echniques o ne wo k anomaly de ec ion. This also includes he discus-
sion o a Holis ic Secu i y and P i acy F amewo k and i s e alua ion in a
Kube ne es en i onmen . Indeed, he Con inual Lea ning concep s we e
applied o enable a quick adap a ion o he e e -changing ne wo k a ic
cha ac e is ics by pe o ming equen aining sessions wi h he exis en
Machine Lea ning models, which a e suppo ed by collec ed da a, whils
simul aneously pe o ming ne wo k anomaly de ec ion and ne e expos-
ing he o iginal ne wo k in o ma ion. Fo i s e alua ion, we alida ed i
using a mic o-se ices-o ien ed applica ion, whe e he gene a ed no mal
a ic was used o ain he di e en Machine Lea ning models, which
we e ained in se e al aining pe iods and equencies. In addi ion, we
conside ed ou di e en ypes o a acks: Denial o Se ice, Po Scan,
B u e Fo ce and SQL Injec ion o u he e alua e he capabili y o he
de ec ion module o dis inguish no mal and anomalous a ic. Th ough-
ou he di e en alida ion scena ios, he de ec ion module achie ed an
1-sco e o 93.80% o one o he a ge ed componen s and a pe cen age
o no mal lows co ec ly iden i ied o 99,13%.
Keywo ds: anomaly de ec ion; unsupe ised machine lea ning; au oen-
code s; ede a ed lea ning; con inual lea ning
1 In oduc ion
In an e a domina ed by in e connec ed sys ems and digi al dependencies, he
secu i y o ne wo k in as uc u es s ands as a pa amoun conce n. The escala -
ing sophis ica ion o cybe h ea s has educed he e ec i eness o con en ional
2 Ped o Tomas e al.
secu i y measu es such as i ewalls and VPNs, p omp ing a c i ical eassessmen
o de ensi e s a egies. Recognising he dynamic na u e o con empo a y cybe -
secu i y challenges such as phishing, b u e o ce, DDoS a acks (among o he s)
becomes an impo an ac o . To ackle such issues, his pape p esen s a secu-
i y amewo k ounded on Fede a ed Lea ning (FL) p inciples and Con inual
Lea ning (CL) de o ed o ne wo k a ic anomaly de ec ion. The choice o hese
echniques comes om he p o ec ion o da a ha is imposed om FL, keeping
he communica ions o whoe e is in ol ed clea om passage ac oss ne wo k
channels, while CL comes as a solu ion o he e e -e ol ing na u e o ne wo k
con igu a ions, keeping he model- ained wi h he la es ne wo k in o ma ion.
The p oposed Holis ic Secu i y and P i acy F amewo k (HSPF), ailo ed o Ku-
be ne es [8] en i onmen s, can accompany any ype o mic o-se ices composing
o an applica ion h ough an injec ion sc ip which in oduces ou solu ion as a
sideca con aine o he de ined se ices. Wi h i s inse ion on a mic o-se ice,
ou mul ip ocessing execu ion is able o p ocess he e olu ion o mul iple ap-
plica ion models, classi ying ongoing se ice a ic and e ining he models, all
while using an unsupe ised me hod whe e pa e ns a e lea n exclusi ely om
unlabelled da a.
To he bes o ou knowledge, he combina ion o CL, FL, and unsupe ised
ML echniques o ne wo k a ic anomaly de ec ion has no been ex ensi ely
in es iga ed in he li e a u e. This pape discusses hei ele ance, how hey
can be combined and p esen s a no el amewo k o le e age such echniques.
As a o emen ioned, such a kind o amewo k is inc easingly needed o allow
e ec i e ne wo k anomaly de ec ion in dis ibu ed Cloud Na i e en i onmen s.
This pape is s uc u ed as ollows: Sec ion 2 p esen s a b ie li e a u e e-
iew; Sec ion 3 de ails he p oposed app oach, desc ibing he in e nal beha iou
o each HSPF componen , how hese wo k oge he and how he concep s o
CL, FL and unsupe ised ML in eg a e he amewo k; Sec ion 4 p esen s he
e alua ion scena io and he ob ained esul s; Sec ion 5 p esen s he discussion
on he opic. Finally, Sec ion 6 p esen s he inal ema ks.
2 Rela ed Wo k
Vi aaji e al. [9] in oduce a supe ised FL-based app oach o ime-se ies anomaly
de ec ion using GRUs and a Random Fo es ensemble. They compa e Ga ed
Recu en Uni s (GRU) and Long Sho Te m Memo y (LSTMs), wi h GRUs
ou pe o ming in accu acy and compu a ional e iciency. Thei app oach is e al-
ua ed in a i ual scena io wi h edge de ices and a cen al agg ega o , and he
Modbus-based ne wo k da ase is used. Resul s indica e ha he FL app oach
achie es highe accu acy in ewe epochs, some imes only equi ing 50% o ain-
ing ime when compa ed o he cen al one. On a e age, FL achie es 90.26%
accu acy s. 86.13% o non-FL. The au ho s sugges using p e- ained models
wi h known a acks o eal-wo ld scena ios.
B e e al. [14] s udied da a augmen a ion’s ole in enhancing GAN pe -
o mance in IoT anomaly de ec ion wi hin an FL app oach. They examined
A no el app oach o con inual and ede a ed ne wo k anomaly de ec ion 3
ou augmen a ion me hods (RAND, STRAT, SMOTE, ADASYN) ac oss h ee
da ase s (Modbus, Wea he , DS2OS). STRAT consis en ly ou pe o med he
emaining app oaches o he Modbus da ase , achie ing a minimum 1-sco e
o 57.31% wi h 100 clien s. STRAT and RAND yielded be e esul s o he
Wea he and DS2OS da ase s (e alua ed wi h 100 clien s only). The au ho s
ound ha FL can be mo e ad an ageous o lea ning om da ase s wi h a
lowe p opo ion o anomalies, as pa i ioning he ins ances o clien s and mak-
ing smalle inc emen al upda es can lead o accu a e models. The au ho s claim
ha da a augmen a ion can enhance ML algo i hms’ pe o mance.
Xiao eng e al. [13] in oduce an inno a i e anomaly de ec ion me hod o IoT
ne wo ks using deep neu al ne wo ks (DNNs) and ede a ed lea ning (FL). They
enhance hei app oach by using mu ual in o ma ion (MI) o ea u e selec ion
while also ocusing on he p i acy conce ns linked o IoT de ices ha ans e
sensi i e da a o e he in e ne . They e alua ed hei app oach wi h he BoTIoT
da ase and ob ained an accu acy o 98.5%, a ue posi i e a e o 99.2%, a ue
nega i e a e o 97.8%, and an F1 sco e o 0.986. The p ima y ou come o his
s udy is ha he p oposed app oach using DNNs and FL wi h MI can e ec i ely
de ec anomalies in IoT ne wo ks wi h high accu acy and wi hou comp omising
he p i acy o indi idual de ices.
Me yem e al. [7] in oduce Fed-ANIDS, a FL amewo k o anomaly-based
ne wo k in usion de ec ion sys ems using Au oencode s. I add esses he limi a-
ions o cen alised ML-based AD me hods by p ese ing da a p i acy and han-
dling he e ogeneous da ase s. They e alua ed he amewo k wi h h ee da ase s
(USTC-TFC2016, CIC-IDS2017, CSE-CIC-IDS2018), h ee Au oencode a ia-
ions (AE, VAE, AAE), and wo local model agg ega ion app oaches (FedA g,
FedP ox). Fo USTC-TFC2016, AAE wi h FedP ox achie ed he bes esul ,
wi h an 1-sco e o 99.94%. Fo CIC-IDS2017, a simple AE wi h FedP ox ou -
pe o med o he s, wi h a 92.73% 1-sco e, whils o CSE-CIC-IDS2018, a VAE
wi h FedP ox eached 90.65% 1-sco e. The p oposed app oach consis en ly ou -
pe o ms baseline algo i hms, highligh ing FedP ox’s e ec i eness. The au ho s
emphasise he easibili y o using Au oencode s o la ge-scale in usion de ec-
ion sys ems.
Vuco ich e al. [12] p esen ed an FL anomaly de ec ion amewo k, whose
de ec ion is assu ed by he use o an Au oEncode and o a bina y classi-
ie . The au ho s p esen a no el agg ega ion mechanism, FedSam, which co -
esponds o a combina ion o Mini-Ba ch and Mul i-Epoch FedA g s a egies.
The au ho s e alua ed he pe o mance o hei app oach wi h he CIC-IDS2017,
CIC-IDS2018, Na ional Collegia e Cybe De ense Compe i ion (NCC-DC), and
MAWI-Lab da ase s. The au ho s compa ed he pe o mance o a cen alised
wi h a dis ibu ed app oach, wi h he o me p esen ing a e age classi ica ions
o 60% p ecision, 58% ecall and 57% 1-sco e, and he la e p esen ing a e age
classi ica ions o 70% p ecision, 69% ecall and 68% 1-sco e. The use o hei
min-max scala imp o ed esul s in a d as ic manne , as p ecision a e aged 87%,
ecall a e aged 86% and 1-sco e a e aged 86%. The bes esul s we e achie ed
when combining hei min-max scala app oach and he FedSam agg ega ion
4 Ped o Tomas e al.
s a egy, achie ing esul s in he o de o 91% p ecision, 91% ecall and 91%
1-sco e.
Amalapu am e al. [1], explo ed he applica ion o CL o imp o e he pe o -
mance o Anomaly-based Ne wo k In usion De ec ion Sys ems (A-NIDS). The
au ho s iden i y se e al challenges, namely Ca as ophic Fo ge ing (CF) and
Class Imbalance (CI), s a ing ha he mos common ML app oaches used in
NIDS sys ems su e om CF and also ha he majo i y o he exis ing da ase s
o ain NIDS sys ems p esen CI, o en impac ing he abili y o he ML mod-
els o de ec a acks co ec ly. The au ho s explo e he applica ion o h ee CL
algo i hms: Elas ic Weigh Consolida ion (EWC), G adien Episodic Memo y
(GEM) and a Na¨ı e CL algo i hm in conjunc ion wi h wo NN a chi ec u es:
Mul i-Laye Pe cep on (MLP) and a Con olu ional Neu al Ne wo k (CNN)
and seek o e alua e he pe o mance o such combina ions, o di e en asks,
using CIC-IDS2017 and CSE-IDS-2018 da ase s. The au ho s de ine se e al se
o asks p esen ing scena ios o Class Inc emen al Lea ning (CIL) and Domain
Inc emen al Lea ning (DIL). Beyond he usual ou e alua ion me ics (accu-
acy, p ecision, ecall, 1-sco e), he au ho s also conside Rela i e Expe ience
Fo ge ing (REF) and ecu en ly calcula e i s alue o unde s and which com-
bina ion p esen s a be e esilience o CF and how ha e ec esembles wi h
he inal classi ica ion pe o mance when such combina ions a e ini ially ained
wi h a se o asks, hen con inue o ain wi h ano he se o asks o se e al
aining i e a ions and a e hen aced wi h he ini ial se o asks. The au ho s
ind ha CIL is mo e suscep ible o Task Execu ion O de Sensi i i y (TEOS)
han DIL, wi h DIL esembling eal-wo ld a ic pa e ns and, when combined
wi h ad anced memo y popula ion s a egies, p esen ing as he mos sui able
app oach o ne wo k a ic anomaly de ec ion.
Wiewel e al. [15], explo ed he p oblem o ca as ophic o ge ing when ain-
ing a Va ia ional Au oencode s (VAE) on con inually g owing da a. being ha
hey p opose an ex ension o CL o his anomaly de ec ion p oblem. Fo e al-
ua ion pu poses hey u ilise MNIST and KDDCup99. In o de o e i y he
pa e ns which cha ac e ise anomalies de ia ion om no mal da a, hey ha e
a ocus on empo al changes o he de ini ion o no mal da a as in no mal ap-
p oaches u ilise a ce ain da ase Di o he i- h ound which, in he long e m,
leads o his ca as ophic o ge ing. To deal wi h his hey buil a gene a o
called R which is ained wi h all he p e ious e ie ed da a in a o m o gen-
e a ing a no mal da a dis ibu ion o he old in o ma ion. This gene a ed da a
is hen used wi h he cu en da a in use o o m an expanded aining da ase
which con ains da a om he cu en and all p e ious asks. In o de o e alu-
a e he p e iously men ioned da ase s hey used di e en ly size laye ed VAEs.
Ac oss hei e alua ion hey concluded ha his solu ion b ough be e o e all
esul s o he KDDCup99 da ase .
On he one hand, he majo i y o he exis ing app oaches used o ne wo k
anomaly de ec ion ely on supe ised ML echniques, ha usually p esen good
classi ica ion pe o mances when acing known anomalies, howe e , hese p esen
a conside able handicap when i comes o aining such models on he ly due
A no el app oach o con inual and ede a ed ne wo k anomaly de ec ion 5
o he need o conside ably la ge da ase s o he p ocess. On he o he hand,
and al hough unsupe ised ML-based app oaches ha e gi en p oo o de ec ing
anomalies ha all ou side he no mal pa e ns, he exis ing li e a u e usually
does no use o combine such app oaches wi h CL and/o FL echniques, which
we do. In addi ion, unlike no mal Fede a ed-based ones, ou app oach u ilises
eal- ime e ie ed da a o aining pu poses o main ain oe- o- oe wi h he ex-
ensi eness and con inuous changes in he ne wo k communica ions. As demon-
s a ed la e in his pape , ou solu ion can be said o un as i in a eal-wo ld
en i onmen .
3 Con inual and Fede a ed Ne wo k Anomaly De ec ion
FL enables mul iple ac o s o build a common obus Machine Lea ning (ML)
model wi hou needing o sha e p i a e da a. The no mal pa icipan s in his
app oach a e a cen al se e uni and a ious clien uni s. The Clien uni s a e
esponsible o ca ying ou local aining on local in o ma ion and hen, in each
ained ound, sha e he ained model weigh s wi h he Se e . The cen al
Se e hen akes he job o agg ega ing he in o ma ion which is passed om
he ede a ed clien s and hen edis ibu es he upda ed model.
In ou app oach, we le e age he unc ionali ies p o ided by he Flowe
FL amewo k [4] and he NFS eam ne wo k da a collec ion [11]. Ou solu-
ion is composed o h ee main componen s: Collec o , Agen and Agg ega o .
In eg a ed wi h exis ing applica ions, he Collec o , and Agen collabo a i ely
ga he and classi y ne wo k a ic while con inually e ining hei unde s anding
h ough unsupe ised ML, being ha he pai o hem ep esen he clien uni .
Meanwhile, he Agg ega o , posi ioned as he amewo k cen al se e , akes
cha ge o managing and coo dina ing he e ol ing mul iple applica ion models.
This beha iou is shown in Figu e 3.
In his sec ion we u he desc ibe he di e en componen s o he amewo k
along wi h hei main unc ions, s a ing om he ede a ed aining o he
classi ica ion o he analysed ne wo k in o ma ion, and inally going h ough he
amewo k implemen a ion on cloud en i onmen s.
3.1 Con inual Fede a ed T aining
The HSPF Collec o componen con inuously collec s ne wo k a ic, which is
hen sha ed wi h he HSPF Agen . The HSPF Agen ains he local ML model
e e y ime he Agg ega o ini ia es a ede a ed aining ound. On comple ion
o he aining ound, he Agen e alua es he pe o mance o he agg ega ed
model, sha es i wi h he Agg ega o and inally upda es i s model wi h he
newes one (in case i p esen s be e pe o mance).
To con inuously ain he ML model, se e al s eps need o be aken, namely
he s anda disa ion o he collec ed da a and he classi ica ion o he ne wo k
a ic based on he econs uc ion e o p o ided by he algo i hm. The s an-
da disa ion is conduc ed wi h he applica ion o he usual s anda disa ion o -
6 Ped o Tomas e al.
mula, whe e each alue (pa o each low), has he mean (o all he alues o
ha ea u e) sub ac ed, and hen di ided by he espec i e s anda d de ia ion.
The h eshold applied when classi ying he ne wo k a ic was calcula ed
based on he uppe ence o alues dis ibu ion and he mean alue o he whole
da a, in o de o ake in o accoun alues which would de ia e om he no mal
in o ma ion. Being he o mula used h eshold =µ+ (x∗σ), whe e µand x
co espond o he a i hme ic a e age o he econs uc ion e o s ob ained du ing
he i s aining i e a ion and σ o he s anda d de ia ion o he econs uc ion
e o s. Due o he high a iance o econs uc ion e o s, a Range-based ou lie
app oach has been applied, co esponding o he di e ence be ween he 75%
pe cen ile and he 25% pe cen ile o he da a, wi h he alues ou side o his
in e al being emo ed.
3.2 Con inual Analysis o Ne wo k T a ic
The HSPF Collec o componen con inually collec s ne wo k a ic, which is
sha ed wi h he co-loca ed HSPF Agen , in cha ge o pe o ming he analysis
o he ne wo k a ic. Such analysis s a s immedia ely a e he i s ained
model ( o he mic o-se ice in ques ion) being a ailable, which may ake place
a e he i s local aining o a e he ecep ion o an al eady ained model
om he HSPF Agg ega o , should i exis .
To dis inguish be ween no mal and anomalous lows, he HSPF Agen , con-
side s he econs uc ion e o p o ided by he Au oencode model, which is
hen compa ed o a h eshold whose de ini ion has been p e iously explained.
I he econs uc ion e o is lowe o g ea e han his h eshold, he low is
classi ied as no mal o anomalous, espec i ely.
3.3 F om anomalies o a ack classi ica ion
To ein o ce he us le el in he HSPF de ec ion module, a classi ica ion p ocess
was de eloped o classi y he de ec ed anomalies in o a acks, while diminishing
he po en ial e ec s ha a misclassi ica ion migh ha e. This p ocess is ca ied
ou by he Agen , which con ains wo lis s: a g eyed lis , which is used as a g ey
zone o IPs ha ha e al eady been in he o igin o anomalous a ic bu ha e no
ye been blocked, and a blocked lis , whe e he blocked IPs a e egis e ed. Upon
iden i ying an anomaly, which happens when a low (o se o lows) is classi ied
as anomalous a ic, he Agen will e i y i he Sou ce IP o he iden i ied low
is al eady ma ked as g eyed in he in e nal lis . In cases whe e he IP is no
in he g eyed lis , i is added, and he espec i e coun e o occu ences is se
o 1. On he o he hand, i he IP is al eady in he lis , he espec i e en y is
inc emen ed by 1, and he coun e alue is compa ed wi h a h eshold. Whene e
he coun e exceeds he h eshold, a message is sen epo ing he inciden . This
p ocess is p esen ed in Figu e 1.
The e is also a pe iodic ask in cha ge o cleaning bo h in e nal lis s, which is
illus a ed in Figu e 2. IPs a e emo ed om he blocked lis i he las de ec ed
anomalous low happened Nhou s ago (con igu able alue). Fo he g eyed lis ,
A no el app oach o con inual and ede a ed ne wo k anomaly de ec ion 7
Fig. 1. HSPF: F om anomalies o a acks
coun e s associa ed wi h each IP a e dec eased on each execu ion o his ask.
I mus be no ed ha all h esholds, pe iodici y in e als and inc ease/dec ease
alues may be de ined while deploying he amewo k, hus allowing his p ocess
o be ailo ed o he needs o he in as uc u e whe e his amewo k will be
deployed.
Fig. 2. HSPF: F om anomalies o a acks (cleaning s a egy)
3.4 Cloud-Na i e Implemen a ion
The HSPF is composed o h ee main componen s: (i) Agg ega o , (ii) Collec o ,
and (iii) Agen . The Agg ega o co esponds o he main amewo k Uni , being
esponsible o coo dina ing he Fede a ed T aining p ocedu e, as well as o
pe o ming he managemen and dis ibu ion o he di e en ML models used
o anomaly de ec ion by he di e en ede a ed agen s.
The Agen componen , whe e he ede a ed agen esides, is esponsible o
in e ing he inbound and ou bound a ic and aining acco dingly, being he
ne wo k a ic collec ed by he Collec o . Bo h componen s, he Agen and he
Collec o , a e injec ed as sideca s nex o any exis ing con aine whe e he o-be-
secu ed applica ion is execu ing. Figu e 3 p esen s he HSPF unc ional a chi-
ec u e. The igu e highligh s he mo e ele an in e ac ions be ween he HSPF
8 Ped o Tomas e al.
Fig. 3. HSPF A chi ec u e
componen s, which ake place in he ollowing o de (al hough hey a e no con-
secu i e):
–Re ie e o ne wo k in o ma ion
–Handling local da a
–Pe o m in e ence o e local da a
–T ain local ML model
–Exchange weigh s wi h cen al ede a ed uni
–Recei e upda ed ML model
4 E alua ion and Resul s
4.1 Scena io desc ip ion
In o de o alida e he co ec beha iou o he HSPF amewo k, he mic o-
se ices o ien ed Mobi us [5] applica ion was used. Ten simula ed de ices we e
employed in he expe imen , wi h each de ice p oducing da a om six dis inc
IoT senso s: a geo-loca ion senso , gas senso , in e nal con olle , wea able T-
shi senso , came a senso , and c i ical o gans senso . The geo-loca ion senso
ansmi ed coo dina e upda es e e y 60 seconds, while he gas senso p o ided
da a on gas and empe a u e measu emen s e e y second. The sma T-shi
senso emula ed da a collec ed by a Hexoskin T-shi [6], o e ing in o ma ion
on empe a u e, hea a e, espi a o y a e, and ba e y le els. The came a
senso eplica ed eal ideo ansmission by simula ing he ideo s eam using
a dummy ile. The c i ical o gans senso con eyed da a conce ning hea a e,
body empe a u e, espi a o y a e, ca bon dioxide le els, and ba e y s a us,
which in a p ac ical se ing would be ga he ed by a Bi alino de ice [2]. These
gene a ed messages we e published o he in e nal Mobi us message b oke
and subsequen ly eached he Mobi us Po al a e unde going h ough p e-
p ocessing and s o age in a da abase.
To e alua e he pe o mance o he HSPF de ec ion module, di e en aining
pe iods we e conside ed, as p esen in Table 1. Beyond he single ain ollowed
A no el app oach o con inual and ede a ed ne wo k anomaly de ec ion 9
by he injec ion o simula ed a acks, expe imen s we e also conduc ed o y o
unde s and he cumula i e e ec o aining (i.e., wo ounds o aining wi h
no mal da a ollowed by he injec ion o a acks) on he pe o mance o he
de ec ion module.
Table 1. T aining in e als
Single Cumula i e
2h 2h+2h
4h 4h+4h
6h 6h+6h
8h 8h+8h
Th ee ypes o a acks we e simula ed agains he Mobi us se ices: DDOS,
B u e Fo ce and SQL Injec ion. The i s was conduc ed wi h he mq -s esse
[10] ool and a ge ed he message-b oke componen , whils he second and
he hi d bo h a ge ed he m -ga eway componen and we e conduc ed wi h
cu l[3], ecu ing o a se o mos common use names and passwo ds, as well as
o ecu ing commands a emp ed du ing SQL Injec ion.
4.2 Resul s
The esul s om he di e en expe imen a ion scena ios a e p esen ed in his
sec ion. The esul s ha e been g ouped wi h each able p esen ing he esul s
o he single and cumula i e scena ios o a speci ic numbe o hou s, wi h he
amoun o T ue Posi i es (TP), T ue Nega i es (TN), False Posi i es (FP) and
False Nega i es (FN) being de ailed in each able, o a sub-se o Mobi us
mic o-se ices.
Table 2 p esen s he esul s o he scena ios wi h wo hou s. Fo he single
scena io, he de ec ion module co ec ly iden i ied 91,43% o he malicious lows
a ge ing he message-b oke and he ga eway componen s. Despi e his and im-
pulsed wi h a high numbe o FP, he achie ed 1-sco e alues o he men ioned
componen s we e o 86.50% and 55,00%, espec i ely. As o he cumula i e sce-
na io, he de ec ion module co ec ly iden i ied 99,39% o he malicious lows and
he achie ed 1-sco es we e o 63.10% and 58,50%, espec i ely. Fo he moni o ,
o ches a o and pos g esql mic o-se ices, he de ec ion module misclassi ied
3.55%, 5,04% and 20,41% no mal lows o he single scena io and 7,44%, 9,82%
and 18,96% no mal lows o he cumula i e scena io, espec i ely.
Table 3 p esen s he esul s o he scena ios wi h ou hou s. Fo he single
scena io, he de ec ion module iden i ied 35.25% o he malicious lows, a con-
side able low pe cen age, caused by he mis-classi ica ion o he malicious lows
a ge ing he message-b oke componen . Such classi ica ion a e imp o ed du -
ing he cumula i e scena io, wi h 91.66% o he malicious lows being co ec ly
iden i ied. The no mal lows inco ec ly classi ied as a acks o he moni o , o -
ches a o and pos g esql mic o-se ices we e o 2.27%, 3.46% and 14.90% o
