Abstract

The amount of malicious network traffic in enterprise systems has increased due to the spread of botnets, fuzzers, shellcodes and exploits. This malicious traffic threatens the everyday operation of enterprises. Building classification models from this malicious traffic is an important issue. Classification models can help us discover new types of attacks based on previously built predictive models. The most prominent attacks on availability in the CIA triad are distributed denial-of-service attacks. Denial-of-service attacks target the availability leg of the CIA triad: they are intended to block access to a service for the legitimate users who need to connect to it. As in the Mirai cyber-attack, major service providers like Twitter and Reddit can become inaccessible simply through an attack on their DNS servers. Distributed denial-of-service, a rather old type of attack, is still valid today. This paper describes a two-stage, filtering-based network traffic identification scheme that relies on network flow patterns. The paper shows that the predictive performance of the malicious traffic classification model increases with the filtering of network flows. We use L1-norm based sparse linear models for feature selection to find an optimal feature set and determine the effect of different features. We demonstrate the effectiveness and performance of the proposed scheme with graphics and tables. Simulation results validate the effectiveness of the proposed classification scheme.
