Explainable Anomaly Detection in Network Traffic Using Normalizing Flows

Research output: Contribution to journal, Article, peer-review

Abstract

Anomaly detection in network traffic is critical for identifying deviations from normal behavior, including sophisticated cyber threats and previously unseen attacks, especially when no anomalous examples are available in the training data. The escalating complexity of cyber-attacks calls for methods that not only identify low-likelihood traffic but also explain what makes it anomalous and how it deviates from normal behavior, enabling effective response and troubleshooting. In this work, we leverage normalizing flows (NF), a state-of-the-art invertible generative model that supports exact density estimation, to detect anomalies using only normal traffic. Our approach differs from previous methods in using the exact likelihood computed by the NF for unsupervised detection and combining it with Shapley values: this yields a novel feature selection framework that guides the choice of discriminative features for anomaly detection, and it provides statistically grounded explanations of detected anomalies that point to potential root causes. Through experiments on CICIoT-2023, ISCXTor2016, and CICIDS2017, we demonstrate that our NF-based approach outperforms existing state-of-the-art methods for unsupervised anomaly detection. Notably, on the CICIoT-2023 dataset we achieve an accuracy of 0.9951, comparable to or higher than supervised methods, despite training solely on normal data.
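As an added worked example (not the paper's code, and not its feature-selection framework), the following numpy script shows the pipeline the abstract describes at toy scale: a two-layer normalizing flow (a standardisation layer plus one affine coupling layer) is fitted to constructed "normal" flow records only; a record is scored by its exact negative log-likelihood via the change-of-variables formula; the decision threshold is a quantile of the normal-traffic likelihoods; and a flagged record is explained with exact Shapley values of its score over the features, relative to a baseline "typical" flow. The feature names, the synthetic data generator, the coupling network and the finite-difference trainer are all assumptions made for this demonstration; a real deployment would use a deep flow trained with autograd on the datasets named above.

```python
# Added illustration, not the paper's code: feature names, synthetic data,
# coupling network and trainer are assumptions made for the demonstration.
from itertools import combinations
from math import factorial, log, pi
import numpy as np

FEATURES = ["duration_s", "packets", "bytes", "mean_iat_ms"]  # assumed feature set


def make_normal_flows(n, seed=0):
    """Constructed benign flow records with correlated features (not real traffic)."""
    rng = np.random.default_rng(seed)
    packets = rng.normal(40, 8, n)
    duration = 0.05 * packets + rng.normal(0, 0.3, n)
    nbytes = 700 * packets + rng.normal(0, 2000, n)
    iat = 1000 * duration / np.maximum(packets, 1) + rng.normal(0, 2, n)
    return np.column_stack([duration, packets, nbytes, iat])


class AffineCouplingFlow:
    """Standardisation layer, then one affine coupling layer: z_a = u_a,
    z_b = u_b * exp(s(u_a)) + t(u_a). Both layers are invertible with a
    triangular Jacobian, so log|det J| and hence log p(x) are exact."""

    def __init__(self, mu, sigma, dim):
        self.mu, self.sigma, self.d_a, self.d_b = mu, sigma, dim // 2, dim - dim // 2
        self.theta = np.zeros(2 * (self.d_a * self.d_b + self.d_b))  # s, t = tanh(W u_a + b)

    def _s_t(self, ua):
        k, db, th = self.d_a * self.d_b, self.d_b, self.theta
        s = np.tanh(ua @ th[:k].reshape(self.d_a, db) + th[k:k + db])
        t = np.tanh(ua @ th[k + db:2 * k + db].reshape(self.d_a, db) + th[2 * k + db:])
        return s, t

    def forward(self, x):
        ua, ub = np.split((x - self.mu) / self.sigma, [self.d_a], axis=1)
        s, t = self._s_t(ua)
        return np.hstack([ua, ub * np.exp(s) + t]), s.sum(axis=1) - np.sum(np.log(self.sigma))

    def inverse(self, z):
        za, zb = np.split(z, [self.d_a], axis=1)
        s, t = self._s_t(za)
        return np.hstack([za, (zb - t) * np.exp(-s)]) * self.sigma + self.mu

    def log_likelihood(self, x):
        """Change of variables: log p(x) = log N(z; 0, I) + log|det dz/dx|."""
        z, logdet = self.forward(np.atleast_2d(x))
        return -0.5 * np.sum(z ** 2, axis=1) - 0.5 * z.shape[1] * log(2 * pi) + logdet


def train(model, x, steps=150, lr=0.05, eps=1e-4):
    """Maximum-likelihood fit on normal traffic only; central finite differences
    stand in for autograd (fine for a dozen parameters)."""
    def nll(theta):
        model.theta = theta
        return -model.log_likelihood(x).mean()
    theta = model.theta.copy()
    for _ in range(steps):
        grad = np.array([(nll(theta + e) - nll(theta - e)) / (2 * eps) for e in eps * np.eye(len(theta))])
        theta = theta - lr * grad
    model.theta = theta


def numeric_logdet(model, x, rel_eps=1e-5):
    """Independent exactness check: log|det J| from a finite-difference Jacobian."""
    J = np.zeros((len(x), len(x)))
    for j in range(len(x)):
        e = np.zeros(len(x)); e[j] = rel_eps * model.sigma[j]
        J[:, j] = (model.forward((x + e)[None])[0][0] - model.forward((x - e)[None])[0][0]) / (2 * e[j])
    return np.linalg.slogdet(J)[1]


def shapley(score, x, baseline):
    """Exact Shapley values of score(x) - score(baseline): coalition S takes the
    features in S from x and the rest from the baseline (2^d score evaluations)."""
    d = len(x)
    def v(S):
        probe = baseline.copy(); probe[list(S)] = x[list(S)]
        return score(probe)
    phi = np.zeros(d)
    for i in range(d):
        for k in range(d):
            for S in combinations([j for j in range(d) if j != i], k):
                phi[i] += factorial(k) * factorial(d - k - 1) / factorial(d) * (v(S + (i,)) - v(S))
    return phi


def run_demo(seed=0):
    normal = make_normal_flows(600, seed)
    model = AffineCouplingFlow(normal.mean(axis=0), normal.std(axis=0), normal.shape[1])
    train(model, normal)
    threshold = np.quantile(model.log_likelihood(normal), 0.01)  # flag the least likely 1% of normal
    score = lambda x: float(-model.log_likelihood(x)[0])  # anomaly score = negative log-likelihood
    anomaly = np.array([0.5, 400.0, 28000.0, 0.5])  # constructed: ten times the packets, normal bytes, tiny duration
    baseline = normal.mean(axis=0)  # reference 'typical' flow for attribution
    phi = shapley(score, anomaly, baseline)
    return {
        "flagged": bool(score(anomaly) > -threshold),
        "attribution": dict(zip(FEATURES, phi.round(2).tolist())),
        "top_feature": FEATURES[int(np.argmax(phi))],
        "efficiency_ok": bool(abs(phi.sum() - (score(anomaly) - score(baseline))) < 1e-6),
        "invertible": bool(np.allclose(model.inverse(model.forward(normal[:5])[0]), normal[:5])),
        "logdet_exact": bool(abs(numeric_logdet(model, normal[0]) - model.forward(normal[:1])[1][0]) < 1e-6),
    }


if __name__ == "__main__":
    print(run_demo())
```

Two properties are worth checking in any implementation of this idea, and the script checks both: the analytic log|det J| agrees with a finite-difference Jacobian (the likelihood really is exact, not a bound), and the Shapley values sum to score(x) minus score(baseline) (the efficiency axiom), which is what lets the per-feature numbers be read as shares of the anomaly score. The choice of baseline matters for the explanation: here it is the mean normal flow, so the attribution answers "which features move this record away from a typical benign flow".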

Original language: English
Journal: IEEE Transactions on Networking
DOIs
State: Accepted/In press - 2025

Keywords

  • DDoS attacks
  • flow-based network intrusion detection
  • intrusion detection system
  • network flow
