Детектирование и классификация сетевых атак с помощью Splunk Machine Learning Toolkit

Abstract

In modern conditions of digital technologies implementation in various sectors of the economy, the digitalization of public administration, healthcare, education, and science, the growth in the number of Internet services and mobile devices the issues of ensuring the security of cellular communication systems are becoming increasingly relevant. It is becoming increasingly difficult to detect multiple and complex cyber security threats as the sources and methods ofcyber-attacks evolve and expand. Classic network attack detection approaches that rely heavily on static matching, such as signature analysis, blacklisting, or regular expression patterns, are limited in flexibility and are ineffective for early anomaly detection and rapid response to information security incidents. To solve this problem, the use of machine learning (ML) algorithms is proposed. ML methods can provide new approaches and higher rates of detection of malicious activity on the network. In this work, the Splunk Enterprise data analysis platform and the Splunk Machine Learning Toolkit for creating, training, testing, and validating a network attack classifier are used. The performance of the proposed model was evaluatedby applying four machine learning algorithms such as a decision tree, a support vector machine, a random forest, and adouble random forest. Experimental results show that all used ML algorithms can be effectively used to detect network attacks, and the double random forest method has the best accuracy in detecting distributed denial-of-service attacks.