This research presents the results of applying supervised anomaly detection and access control to network traffic. Supervised anomaly detection is an intrusion detection approach that classifies traffic and detects abnormal behavior using prior knowledge of the data labels. Access control aims to regulate access to sensitive information based on users' privileges as well as their behavior. A major issue of supervised anomaly detection is the unpredictable performance of the detection method with respect to accuracy and the false positive rate. The scope of this work is to analyze network flows and classify the traffic as normal or abnormal using machine learning algorithms. Furthermore, we examine whether accuracy can be increased and the false positive rate reduced by combining an anomaly intrusion detection system with access control evaluation tools: users' activities after they have accessed the network interface are evaluated to determine whether those activities should have been permitted, or whether the behavior did no harm to the network. To achieve this scope and overcome these issues, we have developed a method that combines anomaly detection and access control. This Master's thesis presents the methods, experiments and results of our approach.

The approach consists of three steps: data extraction, anomaly detection and alert verification. In each step the appropriate tools are used to conduct the experiments and obtain results. The data extraction step captures network traffic and selects features; Wireshark is used as the capture tool and packet analyzer, and from the analysis of the captured data we select features and extract a dataset. The anomaly detection step runs algorithms that separate abnormal instances from normal ones; MATLAB is used to perform anomaly detection. Support vector machine (SVM), K-nearest neighbor (K-NN) and random forest (RF) are used in the first part, and a feedforward neural network (FNN), a convolutional neural network (CNN) and other classic machine learning algorithms are applied in the second part to detect abnormalities in the dataset of step two. The performance of the anomaly detection algorithms is analyzed with ROC curves together with all the relevant evaluation metrics. The alert verification step verifies the abnormal instances with respect to access control policies and requests; the policies and requests are defined in XACML and evaluated using the SAFAX tool. To demonstrate the proposed approach we used a case study involving consumers, customers and organizations: situation awareness in multi-national network traffic with regard to attacks and false alarms, both direct and indirect. The communication between the different components of the traffic investigation was held on the UCI library network, where the first network traffic data were acquired. In line with our case study, the outcome of this thesis is a system of a-posteriori access control that succeeds in identifying, evaluating and verifying users within the specific network. Our approach combines the advantages of supervised anomaly detection and access control.

The experimental work of this research is divided into two parts, which mainly study and investigate an abnormal traffic identification method based on supervised machine learning algorithms by analyzing the features, characteristics and attributes of abnormal traffic in communication.

Part I: Using MATLAB as the experimental ML platform, we analyze and compare three of the most vigorous algorithms, SVM, K-NN and RF, to find the most effective and highly skilled ML algorithm among them for identifying abnormal behavior and reducing false alarms, which make up most of the traffic activity, using each individual model in the process. The performance of the models is evaluated on the credit card clients dataset. Among them, SVM proves to be the better identifier compared with K-NN and RF respectively. The recognition effects of common machine learning algorithms such as support vector machines, k-nearest neighbor and random forest on abnormal traffic flow are examined. Because of its high accuracy rate, the SVM algorithm has been used as the core to illustrate how swift and precise it is in the identification process. The scheme is evaluated by SVM, K-NN and RF learning from the aspects of recognition accuracy and detection speed, and proves effective in classifying traffic with good results.

Part II: This experiment presents an anomaly detection method using deep learning models, specifically a feedforward neural network (FNN) model and a convolutional neural network (CNN) model. The performance of the models is evaluated by several experiments on the popular NSL-KDD dataset [46]. The experimental results show that the FNN, CNN and SVM models not only have a strong modeling ability for network anomaly detection but also achieve high accuracy. Compared with the machine learning methods of part one, namely random forest, K-NN and SVM, the proposed models obtain a higher accuracy and detection rate with a lower false positive rate. The deep learning models effectively improve both the detection accuracy and the ability to identify anomaly types in any network traffic environment, with K-NN falling short due to the data structure and RF obtaining greater accuracy (78.3%) than in the first experiment. The aim of the experiment was achieved by showing that machine learning methods are not only capable of detecting anomalies but are by far the best applied approach. Both experiments clearly demonstrate this: in the first we saw K-NN, SVM and RF obtain very good results, and in the second the results of FNN and CNN, compared with those of K-NN, SVM and RF, clearly show how effective machine learning algorithms are at detecting abnormalities and reducing false positive alerts.

Note that the font is consistent with the template and the spacing is correct. The paper has 47 figures, 30 tables and 124 references.
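The following is an added example, not code from the thesis (whose experiments run in MATLAB with XACML policies evaluated by SAFAX). It reproduces in plain Python the two steps the abstract combines: a supervised detector's scores are evaluated with ROC/AUC, accuracy, detection rate (TPR) and false positive rate (FPR), and the resulting alerts are then passed through an alert verification step that re-checks each flagged activity against an access control policy. The flow records, scores and the policy table (a Python set standing in for an XACML policy) are all constructed for the illustration.

```python
# Added example (not code from the thesis): a self-contained version of the
# anomaly detection and alert verification steps. A classifier's scores are
# evaluated with ROC/AUC, accuracy, TPR and FPR, and alerts are then re-checked
# against an access control policy. The policy is a plain Python set standing
# in for the XACML policies the thesis evaluates with SAFAX; every record is
# constructed.

# Constructed flow records: (role, resource, action, classifier_score, label)
# label 1 = abnormal, 0 = normal; classifier_score is what a trained model
# (SVM, K-NN, RF, FNN, ...) would emit for the flow.
RECORDS = [
    ("guest",   "db",   "write", 0.92, 1),
    ("guest",   "db",   "read",  0.85, 1),
    ("analyst", "logs", "read",  0.74, 0),  # permitted, scored high: false alarm
    ("admin",   "db",   "write", 0.66, 0),  # permitted, scored high: false alarm
    ("analyst", "logs", "write", 0.58, 1),
    ("admin",   "db",   "read",  0.55, 1),  # abnormal although permitted (misused account)
    ("guest",   "web",  "read",  0.40, 0),
    ("admin",   "logs", "read",  0.30, 0),
    ("analyst", "web",  "read",  0.22, 0),
    ("guest",   "web",  "read",  0.10, 0),
]

# Constructed policy: (role, resource, action) triples that are permitted.
POLICY = {
    ("admin", "db", "read"), ("admin", "db", "write"), ("admin", "logs", "read"),
    ("analyst", "logs", "read"), ("analyst", "web", "read"),
    ("guest", "web", "read"),
}


def confusion(records, threshold):
    """Count TP, FP, TN, FN when every score >= threshold raises an alert."""
    tp = fp = tn = fn = 0
    for _, _, _, score, label in records:
        alert = score >= threshold
        if alert and label:
            tp += 1
        elif alert:
            fp += 1
        elif label:
            fn += 1
        else:
            tn += 1
    return tp, fp, tn, fn


def metrics(tp, fp, tn, fn):
    """Accuracy, true positive rate (detection rate) and false positive rate."""
    accuracy = (tp + tn) / (tp + fp + tn + fn)
    tpr = tp / (tp + fn) if tp + fn else 0.0
    fpr = fp / (fp + tn) if fp + tn else 0.0
    return accuracy, tpr, fpr


def roc_curve(records):
    """(FPR, TPR) points obtained by sweeping the threshold over all scores."""
    points = [(0.0, 0.0)]
    for t in sorted({r[3] for r in records}, reverse=True):
        _, tpr, fpr = metrics(*confusion(records, t))
        points.append((fpr, tpr))
    return points


def auc(points):
    """Area under the ROC curve by the trapezoid rule."""
    return sum((x1 - x0) * (y0 + y1) / 2
               for (x0, y0), (x1, y1) in zip(points, points[1:]))


def verify_alerts(records, threshold, policy):
    """Alert verification: an alert is confirmed only if the activity that
    triggered it was not permitted by the access control policy. Returns
    (confirmed, dismissed) as lists of record indices."""
    confirmed, dismissed = [], []
    for i, (role, resource, action, score, _) in enumerate(records):
        if score < threshold:
            continue
        (dismissed if (role, resource, action) in policy else confirmed).append(i)
    return confirmed, dismissed


def evaluate(records=RECORDS, threshold=0.5, policy=POLICY):
    """Metrics at one threshold before and after alert verification."""
    before = metrics(*confusion(records, threshold))
    confirmed, dismissed = verify_alerts(records, threshold, policy)
    positives = sum(r[4] for r in records)
    tp = sum(1 for i in confirmed if records[i][4] == 1)
    fp = len(confirmed) - tp
    after = metrics(tp, fp, len(records) - positives - fp, positives - tp)
    # True anomalies that verification threw away because the action was permitted.
    missed = [i for i in dismissed if records[i][4] == 1]
    return {"before": before, "after": after, "missed_by_verification": missed}


if __name__ == "__main__":
    curve = roc_curve(RECORDS)
    print("ROC points:", curve)
    print("AUC: %.3f" % auc(curve))
    result = evaluate()
    for stage in ("before", "after"):
        acc, tpr, fpr = result[stage]
        print("%-6s verification: accuracy=%.2f TPR=%.2f FPR=%.2f" % (stage, acc, tpr, fpr))
    print("true anomalies dismissed by policy check:", result["missed_by_verification"])
```

On the constructed data the policy check removes both false alarms, taking the FPR at threshold 0.5 from 1/3 to 0 and accuracy from 0.8 to 0.9, which is the effect the abstract is after. It also shows the trade-off a practitioner should measure: record 5 is a genuine anomaly carried out through a permitted admin action, and verification dismisses it, so the detection rate drops from 1.0 to 0.75. The quality of the combined system therefore depends as much on how complete the access control policy is as on the classifier's ROC curve.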