Attack Behavior Detection of Internet of Things (IoT) Network Traffic Using Deep Learning and Neural Network
eScholarship
Open Access Publications from the University of California

UCLA

UCLA Electronic Theses and Dissertations


Abstract

The detection of attack traffic is important for maintaining internet security, and correctly identifying the precise type of attack behavior in complex attack traffic provides the necessary guidelines to enhance security mechanisms. To address the problem of detecting and identifying attack behavior in complex network traffic, this paper proposes an abnormal behavior detection method based on multi-gated mixture-of-experts (MMOE) and deep factorization machine (DeepFM). The attack traffic data is first segmented into separate datasets based on attack label (Normal, Structured Query Language (SQL) Injection, Transmission Control Protocol (TCP) based Distributed Denial-of-Service (DDoS), etc.). Synthetic minority oversampling technique (SMOTE) and synthetic data are applied to address the data imbalance caused by the gap in sample counts between majority and minority attack labels. Next, extreme gradient boosting (XGBoost) feature importance is modeled, and feature selection is performed based on the feature importance score. This step effectively reduces the size of the feature pool, removing less important features and reducing the time complexity of model training. Finally, the datasets with different attack labels are concatenated and the attack types are one-hot encoded. The selected features and transformed labels are used to train the models. Model performance is evaluated based on area under the curve (AUC), accuracy, precision, recall, and F1-score. The experimental results are promising for both models’ ability to correctly detect and identify different attack traffic.
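The per-label segmentation, SMOTE balancing and one-hot encoding steps described in the abstract, as an added example that is not code from the thesis. It reimplements the basic SMOTE interpolation with the standard library only; the two flow features, their values and the function names are constructed for illustration, and XGBoost feature selection is left out.

```python
import math
import random
from collections import Counter, defaultdict

# Constructed sample: (packets per second, mean payload bytes) per flow.
ROWS = [(12, 310), (15, 290), (11, 305), (14, 330), (13, 300), (16, 315),
        (10, 295), (12, 320),                        # Normal
        (3, 910), (4, 870), (2, 940),                # SQL Injection
        (900, 60), (950, 64), (870, 58), (990, 62)]  # TCP DDoS
LABELS = ["Normal"] * 8 + ["SQL Injection"] * 3 + ["TCP DDoS"] * 4

def smote(minority, n_new, k, rng):
    """Return n_new synthetic rows, each on the segment between a minority
    row and one of its k nearest minority neighbours (Euclidean distance)."""
    if len(minority) < 2:
        raise ValueError("SMOTE needs at least two samples of the class")
    k = min(k, len(minority) - 1)
    synthetic = []
    for _ in range(n_new):
        base = rng.choice(minority)
        near = sorted((r for r in minority if r is not base),
                      key=lambda r: math.dist(base, r))[:k]
        other, gap = rng.choice(near), rng.random()
        synthetic.append(tuple(b + gap * (o - b) for b, o in zip(base, other)))
    return synthetic

def balance(rows, labels, k=3, seed=0):
    """Segment rows by attack label, then oversample each minority label
    up to the size of the largest label and concatenate the result."""
    rng = random.Random(seed)
    by_label = defaultdict(list)
    for row, label in zip(rows, labels):
        by_label[label].append(row)
    target = max(len(group) for group in by_label.values())
    out_rows, out_labels = [], []
    for label, group in by_label.items():
        missing = target - len(group)
        full = group + (smote(group, missing, k, rng) if missing else [])
        out_rows += full
        out_labels += [label] * len(full)
    return out_rows, out_labels

def one_hot(labels):
    """Encode attack labels as one-hot vectors over the sorted class list."""
    classes = sorted(set(labels))
    return classes, [[int(l == c) for c in classes] for l in labels]

if __name__ == "__main__":
    rows, labels = balance(ROWS, LABELS)
    print(Counter(labels), one_hot(labels)[0])
```

In a real pipeline the oversampling is applied to the training split only, so that synthetic rows derived from test flows do not inflate the reported metrics.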