A comparative evaluation of unsupervised deep architectures for intrusion detection in sequential data streams

Full description

Bibliographic details
Published in: Expert Systems with Applications, 2020-11, Vol. 159, p. 113577, Article 113577
Main authors: Sovilj, Dušan; Budnarain, Paul; Sanner, Scott; Salmon, Geoff; Rao, Mohan
Format: Article
Language: English
Online access: Full text
Description
Summary:

• Thorough comparison of recurrent neural networks for anomaly detection.
• Introduction of an attentional component enabling explanations for end-users.
• Evaluation focusing on ranking metrics with end-users in mind.

Cybersecurity data remains a challenge for the machine learning community, as the high volume of traffic makes it difficult to properly disambiguate anomalous from normal behaviour. That decision is the core of an intelligent Intrusion Detection System (IDS), a component responsible for raising alerts whenever a potential threat is detected. However, with the high-volume data in contemporary systems, these IDSs generate numerous alerts, too many for human operators to exhaustively investigate. Moreover, simply reporting a single possible threat is often not sufficient, since the security analyst has to investigate the alert without any further clues about the underlying cause. In order to combat these issues, we empirically compare popular deep neural learning architectures for the problem of intrusion detection in sequential data streams. Contrary to the majority of research studies, we do not take a classification-based approach that requires labeled examples of hostile attacks. Instead, we adopt an unsupervised anomaly detection approach that aims to model a benign sequential data distribution against which new test instances are compared. We also examine one additional deep network in the form of an attention model capable of providing explanations in addition to its predictions; such information is of crucial importance to network operators, since it provides additional guidance to resolve potential threats. For our experiments, we evaluate the models against a variety of data sets of different complexities, ranging from simple unidimensional (synthetic and Yahoo!) to more complex multi-source (CICIDS2017 and a small real-world enterprise network) data streams.

In order to facilitate end-user needs, we focus on ranking-based metrics for comparing the different deep neural architectures. This evaluation is especially important for security analysts who must prioritize their anomaly investigations. Overall, our experiments demonstrate that a variant of a recurrent neural network generally outperforms a popular non-sequential deep autoencoder commonly used for unsupervised anomaly detection. The attentional model did not provide sufficiently good performance and explanations, which we discuss in our analysis. Nonetheless, given that the global financial outlays for cy
ISSN: 0957-4174, 1873-6793
DOI: 10.1016/j.eswa.2020.113577