JSAI2025

Presentation information

[3Win5] Poster session 3

Thu. May 29, 2025 3:30 PM - 5:30 PM Room W (Event hall D-E)

[3Win5-96] Anomaly Communication Detection for IoT Devices Using VPC Flow Logs Considering Response Communication

〇Yutaro Iizawa (1), Norihiro Okui (2), Yusuke Akimoto (1), Fukushima Shotaro (1), Ayumu Kubota (2), Takuya Yoshida (3) (1. ARISE analytics, Inc., 2. KDDI Research, Inc., 3. TOYOTA MOTOR CORPORATION)

Keywords: Anomaly Detection, Cyber Security, IoT

As a countermeasure against cyber-attacks on IoT devices, anomaly detection in communication using flow data such as IPFIX is being conducted. Obtaining communication data such as IPFIX or PCAP in an operating system requires additional software, which can be difficult to implement due to the potential impact on services.
Cloud services such as AWS provide flow logging features, such as VPC Flow Logs, that allow data collection with minimal impact on services. However, these logs contain only unidirectional packet counts and byte counts, which makes them harder to handle than flow data because the information for one session is spread across multiple records.
Our previous research proposed methods to improve the accuracy of anomaly detection using VPC Flow Logs by appropriately merging records into session units and converting them into bidirectional data. However, this approach does not consider the presence or absence of responses to requests, which may affect detection accuracy.
This study proposes splitting the data according to the presence or absence of responses when performing anomaly detection.
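
The preprocessing idea described in the abstract can be sketched as follows. This is an added illustration, not the authors' code or the paper's algorithm. It assumes the default VPC Flow Logs record format (version 2), treats the source of the earliest record as the session initiator, and merges all records sharing a 5-tuple regardless of time gaps; the sample records are constructed.

```python
# Default VPC Flow Logs (version 2) field order.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Constructed sample records (illustrative, not data from the paper).
SAMPLE = """\
2 123456789012 eni-0a1b2c3d 10.0.1.5 203.0.113.10 49152 443 6 10 1200 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 203.0.113.10 10.0.1.5 443 49152 6 8 5400 1700000001 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.5 203.0.113.10 49152 443 6 4 300 1700000060 1700000120 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.5 198.51.100.7 49200 23 6 3 180 1700000010 1700000070 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1700000120 1700000180 - NODATA
"""

def parse(text):
    """Yield dict records, skipping NODATA/SKIPDATA lines that carry no flow."""
    for line in text.splitlines():
        rec = dict(zip(FIELDS, line.split()))
        if len(rec) == len(FIELDS) and rec["log_status"] == "OK":
            yield rec

def merge_sessions(records):
    """Merge unidirectional records into bidirectional sessions keyed by 5-tuple."""
    sessions = {}
    for r in sorted(records, key=lambda r: int(r["start"])):
        src = (r["srcaddr"], int(r["srcport"]))
        dst = (r["dstaddr"], int(r["dstport"]))
        # Direction-independent key: both directions map to the same session.
        key = (frozenset((src, dst)), r["protocol"])
        # Assumption: the source of the earliest record is the initiator.
        s = sessions.setdefault(key, {
            "initiator": src, "responder": dst, "protocol": r["protocol"],
            "fwd_packets": 0, "fwd_bytes": 0, "rev_packets": 0, "rev_bytes": 0})
        side = "fwd" if src == s["initiator"] else "rev"
        s[side + "_packets"] += int(r["packets"])
        s[side + "_bytes"] += int(r["bytes"])
    return list(sessions.values())

def split_by_response(sessions):
    """Return (answered, unanswered) so each group can be modeled separately."""
    answered = [s for s in sessions if s["rev_packets"] > 0]
    unanswered = [s for s in sessions if s["rev_packets"] == 0]
    return answered, unanswered

if __name__ == "__main__":
    answered, unanswered = split_by_response(merge_sessions(parse(SAMPLE)))
    print(len(answered), "answered;", len(unanswered), "unanswered")
```

In the constructed sample, the HTTPS session merges three records into one bidirectional entry, while the session to port 23 has no reverse-direction record and lands in the unanswered group.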
