loading page

APEX: Characterizing Attack Behaviors from Network Anomalies
  • +2
  • Kushan Sudheera Kalupahana Liyanage ,
  • Zixu Tian ,
  • Dinil Mon Divakaran ,
  • Mun Choon Chan ,
  • Mohan Gurusamy
Kushan Sudheera Kalupahana Liyanage
Author Profile
Zixu Tian
National University of Singapore, National University of Singapore

Corresponding Author:[email protected]

Author Profile
Dinil Mon Divakaran
Author Profile
Mun Choon Chan
Author Profile
Mohan Gurusamy
Author Profile


Networks regularly face various threats and attacks that manifest in their communication traffic. Recent works proposed unsupervised approaches, e.g., using a variational autoencoder, that are not only effective in detecting anomalies in network traffic, but also practical as they do not require ground truth or labeled data. However, the problem of characterizing anomalies into different attack behaviors is still less explored; in this work, we study this specific problem. We develop APEX, a framework that employs data mining approaches in a semi-supervised way to extract the attack patterns from anomalous traffic and links them to specific attack types. APEX comprises two levels of mining; the first level extracts patterns in anomalous network flows, and the second level characterizes behaviors in the extracted patterns into four different attack classes. We carry out extensive experiments on real network traces obtained from the MAWI traffic archive. The evaluations demonstrate that APEX is effective in extracting distinguishable behaviors of network attacks from anomalous traffic, which we believe, provides useful insights to security analysts investigating the anomalies.