Authors: Rohan Singh, Assistant Professor Jitender Kumar
Abstract: The proliferation of encrypted network traffic and the accelerating sophistication of cyber-attack methodologies have rendered signature-based intrusion detection fundamentally inadequate for contemporary Security Operations Centre (SOC) and Network Operations Centre (NOC) environments, a problem underscored by a global cyberattack cost exceeding eight trillion United States dollars in 2023. This paper reviews the methodological evolution of network traffic anomaly detection, tracing the progression from signature-matching platforms through statistical and behavioural baselining to deep learning architectures spanning convolutional neural networks, recurrent and attention-augmented sequence models, graph neural networks, and Transformer-based classifiers. Particular attention is given to the limitations of single-modality architectures, which capture either the spatial packet-level structure or the temporal session-level dynamics of network traffic but not both simultaneously, and to the comparative strengths and weaknesses of early, late, and attention-based multi-stream fusion paradigms. The review further examines loss-level strategies for the severe class imbalance characteristic of intrusion-detection benchmarks, and surveys the explainability mechanisms required for analyst trust and MITRE ATT&CK alignment in production SOC deployment. Based on the gaps identified, the paper discusses an emerging direction—lightweight cross-stream attention CNN-BiLSTM frameworks exemplified by TrafficGuardNet—and outlines future research priorities, including model compression for ultra-high-throughput deployment, continual learning under concept drift, and feature-engineering adaptations for TLS 1.3-encrypted environments.
International Journal of Science, Engineering and Technology