AIT Asian Institute of Technology

Hybrid machine learning for a real-time anomaly detection system in computer networks with the ELK stack using system logs and netflow data

Author: Sonakul Kamnuanchai
Call Number: AIT Thesis no.DSAI-25-08
Subject(s): Computer networks--Security measures; Anomaly detection (Computer security); Machine learning; Data protection
Note: A thesis submitted in partial fulfillment of the requirements for the degree of Master of Engineering in Data Science and Artificial Intelligence
Publisher: Asian Institute of Technology
Abstract: The increasing intricacy and prevalence of cyber threats in modern computer networks highlight the need for effective anomaly detection systems to protect sensitive information. Traditional methods face challenges such as limited real-time processing, reliance on simple binary classification, and inadequate evaluation using realistic datasets. To address these issues, this research proposes a hybrid machine learning framework for anomaly detection. In the first stage, an autoencoder is used to learn latent representations of normal traffic, while an Isolation Forest algorithm detects anomalies based on anomaly scores. The Receiver Operating Characteristic (ROC) curve and Youden's Index are employed to determine thresholds, which are then validated against the test labels of the UNSW-NB15 dataset to obtain baseline performance metrics. In the second stage, supervised models including Decision Tree, XGBoost, and Random Forest are trained on the latent features, reconstruction error of the autoencoder, and anomaly scores from the Isolation Forest. Among these, Random Forest achieved the best performance, significantly improving upon the unsupervised baseline, with an accuracy of 98.81%, precision of 92.00%, recall of 99.25%, F1-score of 95.49%, and a false positive rate of only 1.25%. To enable real-time usage, the framework is deployed with the Elastic Stack (ELK), allowing automated alerting, continuous monitoring, and visualization of security events. The deployed system is further evaluated using real-world NetFlow and Syslog data collected from the Operational Technology (OT) network of the Provincial Electricity Authority (PEA). Controlled attack scenarios including TCP, UDP, and ICMP flood attacks are generated using the Nping tool to validate real-time anomaly detection. The results confirm that the proposed framework performs effectively under realistic operational conditions and is suitable for practical deployment in critical infrastructure environments.
Year: 2025
Type: Thesis
School: School of Engineering and Technology
Department: Department of Information and Communications Technologies (DICT)
Academic Program/FoS: Data Science and Artificial Intelligence (DSAI)
Chairperson(s): Chutiporn Anutariya
Examination Committee(s): Chantri Polprasert; Aekavute Sujarae
Scholarship Donor(s): PEA-AIT Education Cooperation Project; AIT Scholarship
Degree: Thesis (M. Eng.) - Asian Institute of Technology, 2025
