Improving Real-Time Detection of Abnormal Traffic Using MobileNetV3 in a Cloud Environment
Abstract
1. Introduction
- (1) A four-stage flow-image transformation mechanism is designed to enhance spatiotemporal pattern analysis through mirror padding and multi-channel gradient feature enhancement;
- (2) The Efficient Channel Attention (ECA) mechanism is adopted to optimize feature weight allocation, replacing the Multilayer Perceptron (MLP) with a one-dimensional convolution to improve efficiency;
- (3) The model hierarchy is restructured: the initial receptive field is expanded, redundant channels are compressed, and dual-channel pooling combining global average pooling (GAP) and global maximum pooling (GMP) is introduced to strengthen tail feature extraction; and
- (4) A transfer learning strategy leveraging ImageNet prior knowledge is used to accelerate model convergence.
2. Related Works
3. Proposed Work
3.1. Four-Stage Flow Data Imaging
- 1. Feature standardization
- 2. Time window division
- 3. Spatial mapping
- 4. Image remodeling
Algorithm 1. Four-stage transformation of flow data to images
Input: D // original flow data
Output: image_matrices // the three-channel image set
1: ND = MinMaxScaler(feature_range=(−1, 1)).fit_transform(D) // Stage 1: feature standardization
2: window_size = 224, stride = 112, windows = [] // Stage 2: time window division
   for i in range(0, len(ND), stride):
       window = ND[i:i+window_size]
       if len(window) < window_size:
           window = mirror_padding(window, target_length=window_size) // mirror padding
       windows.append(window)
3: image_matrices = [] // Stage 3: spatial mapping
   for window in windows:
       matrix = reshape(window, (window_size, 78)) // convert to a 224 × 78 matrix
4:     mirrored_matrix = mirror_padding(matrix, axis=1, target_length=224) // Stage 4: image remodeling
       channel1 = mirrored_matrix, channel2 = time_axis_diff(channel1), channel3 = feature_axis_diff(channel1) // generate the three channels
       image = stack([channel1, channel2, channel3], axis=2) // merge the three channels
       if add_noise: // optionally add random noise
           image += random_noise(image.shape)
       image_matrices.append(image)
5: return image_matrices
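For readers who want to reproduce the pipeline, the following is a minimal NumPy/scikit-learn sketch of Algorithm 1. It assumes 78 flow features per record (as in the 224 × 78 mapping above), implements mirror padding by tiling a forward-plus-reflected copy of the data, and uses np.gradient for the time-axis and feature-axis difference channels; these helper choices are illustrative assumptions, not the authors' exact implementation.

```python
import numpy as np
from sklearn.preprocessing import MinMaxScaler


def mirror_pad(a, target, axis):
    """Mirror-pad array `a` along `axis` until it has `target` length, then crop."""
    if a.shape[axis] >= target:
        return np.take(a, range(target), axis=axis)
    cycle = np.concatenate([a, np.flip(a, axis=axis)], axis=axis)  # one forward + mirrored period
    reps = [1] * a.ndim
    reps[axis] = int(np.ceil(target / cycle.shape[axis]))
    return np.take(np.tile(cycle, reps), range(target), axis=axis)


def flow_to_images(D, window_size=224, stride=112, n_features=78,
                   add_noise=False, noise_scale=0.01, seed=0):
    """Convert raw flow records D (n_samples x n_features) into 224x224x3 images."""
    rng = np.random.default_rng(seed)
    # Stage 1: feature standardization to [-1, 1]
    ND = MinMaxScaler(feature_range=(-1, 1)).fit_transform(np.asarray(D, dtype=float))

    images = []
    # Stage 2: sliding time windows; short tail windows are mirror-padded to 224 rows
    for i in range(0, len(ND), stride):
        window = mirror_pad(ND[i:i + window_size], window_size, axis=0)
        # Stage 3: spatial mapping to a (window_size x n_features) matrix
        matrix = window.reshape(window_size, n_features)
        # Stage 4: image remodeling -- mirror-pad the feature axis to 224 columns
        channel1 = mirror_pad(matrix, window_size, axis=1)
        channel2 = np.gradient(channel1, axis=0)   # time-axis difference channel
        channel3 = np.gradient(channel1, axis=1)   # feature-axis difference channel
        image = np.stack([channel1, channel2, channel3], axis=2)
        if add_noise:                              # optional random-noise augmentation
            image = image + noise_scale * rng.standard_normal(image.shape)
        images.append(image.astype(np.float32))
    return images
```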
3.2. Flow Anomaly Detection Framework
3.2.1. Original MobileNetV3
3.2.2. ECA Mechanism
3.2.3. Transfer Learning
3.2.4. IM-MobileNetV3
- Attention mechanism improvement: the original SE attention module is replaced with an ECA module, which uses a one-dimensional convolution instead of an MLP. This avoids the information loss caused by dimensionality reduction, maintains detection accuracy, and reduces computational complexity. The ECA module is applied to all bneck blocks and convolutional layers (except 1 × 1 convolutions) throughout the network, enabling adaptive channel weight allocation and improving the model's sensitivity to abnormal traffic by efficiently capturing traffic features (a minimal ECA sketch is given after this list).
- Optimization of the initial convolution layer: the size of the convolution kernel in the first layer of the model is adjusted from 3 × 3 to 5 × 5 to increase the receptive field; meanwhile, the convolution stride is changed from 2 to 1, so as to better retain the detailed feature information at the bottom layer and ensure the fine-grained flow pattern is not lost too early.
- Bottleneck Layer Structure Design: to preserve more of the model’s early features, the stride of the first bneck block is set to 1, and the stride gradually increases in subsequent bneck blocks while controlling the magnitude of stride changes, achieving an ideal balance between feature map size and computational efficiency. Additionally, since the task has shifted from a thousand-category classification task in ImageNet to a binary anomaly detection task, adjustments are made accordingly. In terms of feature expansion, the initial part maintains the expansion size to ensure the extraction of basic features, while later stages moderately reduce the expansion size to mitigate overfitting risks. In terms of channel dimensions, the number of output channels is reduced to better suit the needs of the binary detection task. Compared to the original model, the total number of modules is reduced, but each module’s feature extraction capability is enhanced, leading to a decrease in overall model parameters and computational complexity, and improved performance in anomaly traffic detection tasks.
- Enhancing the tail structure: replace the 1 × 1 convolutional layer with a 3 × 3 convolutional layer to improve the feature extraction of local abnormal patterns. Implement a dual-channel pooling strategy using GAP and GMP to complementarily extract features, where GMP effectively captures the sudden peak characteristics of abnormal traffic. Introduce high-probability Dropout in the classification layer to mitigate overfitting caused by the scarcity of abnormal samples. Additionally, replace the Softmax activation function with the Sigmoid function to better fit the probability output for binary classification tasks.
- Dynamic Learning Rate Scheduling Strategy: during training, the ReduceLROnPlateau learning rate scheduling is employed. If the loss function on the validation set decreases, the learning rate remains constant. Conversely, if there is no improvement, the learning rate is linearly reduced through annealing until it reaches a certain threshold, after which it stops decreasing. This approach helps prevent overfitting and enables the model to escape local optima, thereby accelerating convergence and enhancing detection accuracy.
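As referenced in the first item above, the ECA block can be written compactly. The PyTorch sketch below is illustrative rather than the authors' exact code; the adaptive kernel-size rule (γ = 2, b = 1) follows the ECA-Net paper, and the class and parameter names are assumptions.

```python
import math
import torch
import torch.nn as nn


class ECA(nn.Module):
    """Efficient Channel Attention: GAP followed by a 1-D convolution across channels."""

    def __init__(self, channels, gamma=2, b=1):
        super().__init__()
        t = int(abs((math.log2(channels) + b) / gamma))
        k = t if t % 2 else t + 1                 # kernel size must be odd
        self.avg_pool = nn.AdaptiveAvgPool2d(1)
        self.conv = nn.Conv1d(1, 1, kernel_size=k, padding=k // 2, bias=False)
        self.sigmoid = nn.Sigmoid()

    def forward(self, x):                          # x: (N, C, H, W)
        y = self.avg_pool(x)                       # (N, C, 1, 1)
        y = y.squeeze(-1).transpose(1, 2)          # (N, 1, C): 1-D conv across channels
        y = self.conv(y)
        y = self.sigmoid(y.transpose(1, 2).unsqueeze(-1))
        return x * y                               # channel reweighting with no dimensionality reduction
```

For the last item, torch.optim.lr_scheduler.ReduceLROnPlateau(optimizer, mode='min', factor=0.5, patience=3) is one standard way to realize the described validation-loss-driven schedule; the factor and patience values here are placeholders, not values reported by the authors.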
Algorithm 2. Traffic anomaly detection process
Input: image_matrices, D // the preprocessed image set and the original traffic data
Output: results // anomaly detection results
1: model = load_pretrained_IM_MobileNetV3() // load the pre-trained IM-MobileNetV3 model
2: batch_size = 32, results = [] // batch processing of images
   for batch in range(0, len(image_matrices), batch_size):
       batch_images = image_matrices[batch:batch+batch_size] // extract the current batch of images
3:     logits = model.forward(batch_images) // forward inference to obtain the predicted values
4:     probabilities = sigmoid(logits) // Sigmoid activation outputs probability values
5:     for prob in probabilities: // determine the result
           if prob > 0.5:
               results.append("Abnormal traffic")
           else:
               results.append("Normal traffic")
6: return results
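A runnable counterpart to Algorithm 2, under the assumptions that the trained model emits a single logit per image and that the preprocessed images are (H, W, C) NumPy arrays, might look like the sketch below; the 0.5 decision threshold matches the pseudocode, and the function name is hypothetical.

```python
import numpy as np
import torch


@torch.no_grad()
def detect(model, image_matrices, batch_size=32, device="cpu"):
    """Batch inference: returns one label string per input image."""
    model.eval().to(device)
    results = []
    for start in range(0, len(image_matrices), batch_size):
        batch = np.stack(image_matrices[start:start + batch_size])
        x = torch.as_tensor(batch, dtype=torch.float32).permute(0, 3, 1, 2).to(device)  # NHWC -> NCHW
        probs = torch.sigmoid(model(x)).flatten()     # Sigmoid maps logits to probabilities
        results += ["Abnormal traffic" if p > 0.5 else "Normal traffic" for p in probs.tolist()]
    return results
```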
4. Experiments and Results
4.1. Experimental Settings
4.2. Evaluation Indicators
4.3. Component-Level Analysis
- The introduction of Component A raises both the accuracy and the F1 score by roughly four percentage points (84.5% → 88.7%) while reducing the number of model parameters by 4.4% and the inference time by 6.3%. This verifies that the ECA module retains feature information effectively by avoiding the channel dimensionality reduction used in SE, while its lightweight design improves computational efficiency.
- Although Component B adds a slight computational overhead, the accuracy further improves to 90.1% and the F1 score to 90.2%, confirming the importance of the 5 × 5 convolution kernels (larger receptive field) and the stride of 1 (preserved fine-grained detail) for traffic detection.
- Component C is responsible for the most significant performance improvement. The accuracy rate rises by 5.6 percentage points, the F1 score increases by 5.3 percentage points, while the number of parameters decreases by 31.2% and the inference time drops by 12.5%, indicating that the bottleneck layer structure optimized for traffic characteristics can extract key features more efficiently and accurately.
- Component D further increased the accuracy rate to 96.0% and the F1 score to 95.8% through the dual-pooling strategy and 3 × 3 convolution, verifying the effectiveness of the complementary feature extraction of GAP and GMP in capturing abnormal traffic patterns.
- Component E raises the final accuracy and F1 score to 96.9%, indicating that adaptive learning rate adjustment helps the model escape local optima and converge to a better solution.
4.4. System-Level Verification
4.4.1. Classification Performance Comparison
4.4.2. Model Complexity and Efficiency Analysis
4.4.3. Model Generalization Analysis
5. Conclusions
Author Contributions
Funding
Data Availability Statement
Conflicts of Interest
Abbreviations
ECA | Efficient Channel Attention
SE | Squeeze-and-Excitation Networks
DDoS | Distributed Denial of Service
SVM | Support Vector Machine
LSTM | Long Short-Term Memory
CNN | Convolutional Neural Network
MLP | Multilayer Perceptron
GAP | Global Average Pooling
GMP | Global Maximum Pooling
DPCA | Dynamic Principal Component Analysis
HMM | Hidden Markov Models
TCP | Transmission Control Protocol
DNS | Domain Name System
ICMP | Internet Control Message Protocol
NAS | Neural Architecture Search
BN | Batch Normalization
TP | True Positives
FP | False Positives
FN | False Negatives
TN | True Negatives
IoT | Internet of Things
References
- Huawei Technologies Co., Ltd. Analysis of the Current Situation and Trends of Global DDoS Attacks in 2023. Available online: https://e.huawei.com/cn/material/networking/security/333e0bdd9694437e80aac4b436781fe3 (accessed on 20 February 2025).
- Yoachimik, O.; Pacheco, J. DDoS Report. Available online: https://blog.cloudflare.com/zh-cn/tag/ddos-reports/ (accessed on 20 February 2025).
- Cortes, C.; Vapnik, V. Support-vector networks. Mach. Learn. 1995, 20, 273–297.
- Breiman, L. Random forests. Mach. Learn. 2001, 45, 5–32.
- He, K.; Zhang, X.; Ren, S.; Sun, J. Deep residual learning for image recognition. In Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition, Las Vegas, NV, USA, 26 June–1 July 2016.
- Hochreiter, S.; Schmidhuber, J. Long short-term memory. Neural Comput. 1997, 9, 1735–1780.
- Lecun, Y.; Bottou, L.; Bengio, Y.; Haffner, P. Gradient-based learning applied to document recognition. Proc. IEEE 1998, 86, 2278–2324.
- Howard, A.; Sandler, M.; Chu, G.; Chen, L.C.; Chen, B.; Tan, M.; Wang, W.; Zhu, Y.; Pang, R.; Vasudevan, V.; et al. Searching for MobileNetV3. In Proceedings of the 2019 IEEE/CVF International Conference on Computer Vision (ICCV), Seoul, Republic of Korea, 27 October–2 November 2019.
- Alajlan, A.M.; Almasri, M.M. Malicious behavior detection in cloud using self-optimized dynamic kernel convolutional neural network. Trans. Emerg. Telecommun. Technol. 2022, 33, e4449.
- Huang, D.; Shi, X.; Zhang, W.A. False Data Injection Attack Detection for Industrial Control Systems Based on Both Time- and Frequency-Domain Analysis of Sensor Data. IEEE Internet Things J. 2021, 8, 585–595.
- Ramprasath, J.; Ramakrishnan, S.; Tharani, V.; Sushmitha, R.; Arunima, D. Cloud service anomaly traffic detection using random forest. In Advances in Data and Information Sciences: Proceedings of ICDIS 2022; Springer: Berlin/Heidelberg, Germany, 2022; pp. 269–279.
- Bamasag, O.; Alsaeedi, A.; Munshi, A.; Alghazzawi, D.; Alshehri, S.; Jamjoom, A. Real-time DDoS flood attack monitoring and detection (RT-AMD) model for cloud computing. PeerJ Comput. Sci. 2022, 7, e814.
- Girish, L.; Rao, S.K.N. Anomaly detection in cloud environment using artificial intelligence techniques. Computing 2023, 105, 675–688.
- Sujatha, M.P.; Kumar, S.N. Anomaly Detection of Industrial Control Systems Based on Transfer Learning. Int. J. Health Sci. 2022, 6, 5782–5792.
- Lin, K.; Xu, X.; Xiao, F. MFFusion: A Multi-level Features Fusion Model for Malicious Traffic Detection based on Deep Learning. Comput. Netw. 2022, 202, 108658.
- Liu, H.; Han, F.; Zhang, Y. Malicious traffic detection for cloud-edge-end networks: A deep learning approach. Comput. Commun. 2024, 215, 150–156.
- Hao, W.; Yang, T.; Yang, Q. Hybrid Statistical-Machine Learning for Real-Time Anomaly Detection in Industrial Cyber–Physical Systems. IEEE Trans. Autom. Sci. Eng. 2023, 20, 32–46.
- Lv, X.; Han, D.; Li, D.; Xiao, L.; Chang, C.-C. Network abnormal traffic detection method based on fusion of chord similarity and multiple loss encoder. EURASIP J. Wirel. Commun. Netw. 2022, 2022, 105.
- Yin, X.; Li, W.; Li, Z.; Yi, L. Recognition of grape leaf diseases using MobileNetV3 and deep transfer learning. Int. J. Agric. Biol. Eng. 2022, 15, 184–194.
- Cao, Z.; Li, J.; Fang, L.; Li, Z.; Yang, H.; Dong, G. Research on efficient classification algorithm for coal and gangue based on improved MobilenetV3-small. Int. J. Coal Prep. Util. 2025, 45, 437–462.
- Tian, X.; Shi, L.; Luo, Y.; Zhang, X. Garbage Classification Algorithm Based on Improved MobileNetV3. IEEE Access 2024, 12, 44799–44807.
- Farrukh, Y.A.; Wali, S.; Khan, I.; Bastian, N.D. SeNet-I: An approach for detecting network intrusions through serialized network traffic images. Eng. Appl. Artif. Intell. 2023, 126, 107169.
- Hu, J.; Shen, L.; Sun, G. Squeeze-and-excitation networks. In Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition, Salt Lake City, UT, USA, 18–22 June 2018.
- Jin, X.; Xie, Y.; Wei, X.-S.; Zhao, B.-R.; Chen, Z.-M.; Tan, X. Delving deep into spatial pooling for squeeze-and-excitation networks. Pattern Recognit. 2022, 121, 108159.
- Wang, J.; Luan, Z.; Yu, Z.; Ren, J.; Gao, J.; Yuan, K.; Xu, H. Superpixel segmentation with squeeze-and-excitation networks. Signal Image Video Process. 2022, 16, 1161–1168.
- Mkindu, H.; Wu, L.; Zhao, Y. Lung nodule detection of CT images based on combining 3D-CNN and squeeze-and-excitation networks. Multimed. Tools Appl. 2023, 82, 25747–25760.
- Zhang, G.; Choi, D.; Jung, J. Reconstruction of arterial blood pressure waveforms based on squeeze-and-excitation network models using electrocardiography and photoplethysmography signals. Knowl. Based Syst. 2024, 295, 111798.
- Wang, Q.; Wu, B.; Zhu, P.; Li, P.; Zuo, W.; Hu, Q. ECA-Net: Efficient Channel Attention for Deep Convolutional Neural Networks. In Proceedings of the 2020 IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR), Virtual, 14–19 June 2020.
- Wei, X.; Wang, Z. TCN-attention-HAR: Human activity recognition based on attention mechanism time convolutional network. Sci. Rep. 2024, 14, 7414.
- Zhang, Y.; Zhan, Q.; Ma, Z. EfficientNet-ECA: A lightweight network based on efficient channel attention for class-imbalanced welding defects classification. Adv. Eng. Inform. 2024, 62, 102737.
- Hosna, A.; Merry, E.; Gyalmo, J.; Alom, Z.; Aung, Z.; Azim, M.A. Transfer learning: A friendly introduction. J. Big Data 2022, 9, 102.
- Zhao, Z.; Alzubaidi, L.; Zhang, J.; Duan, Y.; Gu, Y. A comparison review of transfer learning and self-supervised learning: Definitions, applications, advantages and limitations. Expert Syst. Appl. 2024, 242, 122807.
- Yao, S.; Kang, Q.; Zhou, M.; Rawa, M.J.; Abusorrah, A. A survey of transfer learning for machinery diagnostics and prognostics. Artif. Intell. Rev. 2023, 56, 2871–2922.
Input | Operator | Exp Size | Out | SE | NL | s |
---|---|---|---|---|---|---|
224*224*3 | conv2d,3*3 | - | 16 | - | HS | 2 |
112*112*16 | bneck,3*3 | 16 | 16 | √ | RE | 2 |
56*56*16 | bneck,3*3 | 72 | 24 | - | RE | 2 |
28*28*24 | bneck,3*3 | 88 | 24 | - | RE | 1 |
28*28*24 | bneck,5*5 | 96 | 40 | √ | HS | 2 |
14*14*40 | bneck,5*5 | 240 | 40 | √ | HS | 1 |
14*14*40 | bneck,5*5 | 240 | 40 | √ | HS | 1 |
14*14*40 | bneck,5*5 | 120 | 48 | √ | HS | 1 |
14*14*48 | bneck,5*5 | 144 | 48 | √ | HS | 1 |
14*14*48 | bneck,5*5 | 288 | 96 | √ | HS | 2 |
7*7*96 | bneck,5*5 | 576 | 96 | √ | HS | 1 |
7*7*96 | bneck,5*5 | 576 | 96 | √ | HS | 1 |
7*7*96 | conv2d,1*1 | - | 576 | √ | HS | 1 |
7*7*576 | GAP,7*7 | - | - | - | - | 1 |
1*1*576 | conv2d,1*1,NBN | - | 1280 | - | HS | 1 |
1*1*1280 | conv2d,1*1,NBN | - | 1000 | - | - | 1 |
Input | Operator | Exp Size | Out | ECA | NL | s |
---|---|---|---|---|---|---|
224*224*3 | conv2d,5*5 | - | 16 | - | HS | 1 |
224*224*16 | bneck,3*3 | 16 | 16 | √ | RE | 1 |
224*224*16 | bneck,3*3 | 72 | 24 | √ | RE | 2 |
112*112*24 | bneck,3*3 | 88 | 24 | √ | RE | 1
112*112*24 | bneck,5*5 | 96 | 40 | √ | HS | 2 |
56*56*40 | bneck,5*5 | 240 | 48 | √ | HS | 2 |
28*28*40 | bneck,5*5 | 120 | 48 | √ | HS | 2 |
14*14*48 | bneck,5*5 | 120 | 64 | √ | HS | 1 |
14*14*64 | bneck,5*5 | 288 | 96 | √ | HS | 2 |
7*7*96 | bneck,5*5 | 576 | 96 | √ | HS | 1 |
7*7*96 | conv2d,3*3 | - | 384 | √ | HS | 1 |
7*7*384 | GAP + GMP,7*7 | - | - | - | - | 1 |
1*1*384 | conv2d,1*1,NBN | - | 576 | - | HS | 1 |
1*1*576 | conv2d,1*1,NBN | - | 2 | - | - | 1 |
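Reading the tail rows of the table above (a 3 × 3 convolution to 384 channels, dual GAP + GMP pooling, a 1 × 1 expansion to 576 channels without batch normalization, and a 2-way output), a hedged PyTorch sketch of the enhanced tail could look as follows. The element-wise addition used to fuse the two pooled maps and the 0.5 dropout rate are assumptions; the text states only that the two poolings are complementary and that the dropout probability is high.

```python
import torch
import torch.nn as nn


class DualPoolTail(nn.Module):
    """Sketch of the IM-MobileNetV3 tail: 3x3 conv, GAP+GMP fusion, dropout, Sigmoid output."""

    def __init__(self, in_ch=96, mid_ch=384, fc_ch=576, num_classes=2, p_drop=0.5):
        super().__init__()
        self.conv = nn.Sequential(
            nn.Conv2d(in_ch, mid_ch, kernel_size=3, padding=1, bias=False),
            nn.BatchNorm2d(mid_ch),
            nn.Hardswish(),
        )
        self.gap = nn.AdaptiveAvgPool2d(1)          # global average pooling
        self.gmp = nn.AdaptiveMaxPool2d(1)          # global maximum pooling (captures sudden peaks)
        self.classifier = nn.Sequential(
            nn.Conv2d(mid_ch, fc_ch, kernel_size=1),  # 1x1 conv, no batch normalization
            nn.Hardswish(),
            nn.Dropout(p_drop),                       # high-probability dropout against overfitting
            nn.Conv2d(fc_ch, num_classes, kernel_size=1),
        )

    def forward(self, x):                            # x: (N, 96, 7, 7)
        x = self.conv(x)
        x = self.gap(x) + self.gmp(x)                # complementary pooling, fused to (N, 384, 1, 1)
        x = self.classifier(x)
        return torch.sigmoid(x.flatten(1))           # (N, 2) class probabilities
```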