Variational Autoencoder for Network Anomaly Detection

TECHNOLOGY LICENSING OPPORTUNITY

Variational Autoencoder for Network Anomaly Detection

A novel variational autoencoder that uses reconstructed probability to detect network packet anomalies and enables the detection of zero-day attacks.

Opportunity:   Idaho National Laboratory (INL), managed and operated by Battelle Energy Alliance, LLC (BEA), is offering the opportunity to enter into a license and/or collaborative research agreement to commercialize this variational autoencoder for network anomaly detection. This technology transfer opportunity is part of a dedicated effort to convert government-funded research into job opportunities, businesses and ultimately an improved way of life for the American people.

Overview:        The cyberattack surface is expected to increase by an order of magnitude between now and 2025 while network attacks have increased by over 50 times between 2015 and 2020. While rule-based network packet security systems have previously been the gold standard for protection, INL’s research anticipates that auxiliary machine learning based systems will be needed to secure future systems analogous to the systems currently used for credit card fraud detection. Machine learning based classification models for attack detection are difficult to achieve with high classification speed and remain vulnerable to zero-day attacks while conventional rule-based classification systems are not scalable for high accuracy.

Description:    Researchers at Idaho National Lab have developed a mechanism for detection network packet anomalies that are indicative of a network attack using the reconstruction probability from a variational autoencoder. Network packet metadata shows significant distribution variability with multiple attack signatures ranging from malicious download, brute force attempts, vulnerability scans, and malicious command execution. This approach is a semi-supervised learning approach not built around binary classification but around anomaly detection to address the shortcomings mentioned previously.

                          Once the variational autoencoder is trained, separate packet metadata can be passed to the autoencoder to compute a reconstructed probability based on the multivariate normal probability distribution function. This system is orthogonal to rule-based network protection systems including firewall rule implementations and exceptions and can be deployed in conjunction with such technologies. Unlike rule-based systems, packets are blocked entirely based on the machine learning based reconstructed probability score with the only user tuned feature being the threshold for anomaly designation.

Benefits:          

• Allows organization to detect zero-day attacks.
• Applicable to existing rule-based network protection systems.

Applications:    

• IT organizations with hundreds to thousands of systems.

Development Status:  TRL 3, currently undergoing proof-of-concept work.

IP Status:         Patent Application No. 17/663,883, “Network Security and Related Apparatuses, Methods, and Security Systems,” BEA Docket No. BA-1297.

INL is seeking to license the above intellectual property to a company with a demonstrated ability to bring such inventions to the market. Exclusive rights in defined fields of use may be available. Added value is placed on relationships with small businesses, start-up companies, and general entrepreneurship opportunities.

Please visit Technology Deployment’s website at https://inl.gov/inl-initiatives/technology-deployment for more information on working with INL and the industrial partnering and technology transfer process.

Companies interested in learning more about this licensing opportunity should contact Andrew Rankin at td@inl.gov.