Classifying TCP Network Traffic Flows Via Traffic Interaction Graphs and Machine Learning
Abstract
Detecting malicious traffic on networks is a critical problem facing the Department of Defense. In this thesis we apply current machine learning techniques to detect malicious network traffic. We begin with two real-world datasets: real internet traffic collected on the NPS Enterprise Research Network, and the IoT23 dataset, which consists of traffic from internet of things (IoT) devices infected with malware. We convert raw packet captures into TCP streams using the 5-tuple definition from RFC6146. We then apply the traffic interaction graph (TIG) framework to these flows to capture burst patterns among signed packet lengths. Finally, we train a random forest classifier (RFC), a simple convolutional neural network (CNN), and a graph convolutional network (GCN) on these flows. Additionally, we simulate different attack intensities by mixing the two datasets in several ratios (99% NPS to 1% IoT23, 95 to 5, 90 to 10, and IoT23 only). Each model achieves high accuracy, precision, and recall. This work specifically provides a proof of concept for using the TIG framework and graph neural networks to classify TCP flows. Future work should explore model enhancement, data enrichment, or streamlining the entire process into a real-time software package.
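As an added illustration of the pipeline the abstract describes (example code, not code from the thesis), the following Python groups constructed packet records into bidirectional TCP 5-tuple flows, derives the signed packet-length sequence (positive for packets sent by the flow initiator, negative for the reverse direction), splits it into same-direction bursts, and builds a simple packet-chain graph with intra-burst and inter-burst edges plus a few per-flow summary features. The graph construction, the initiator convention, and the feature set are this example's own simplifications, not the thesis's exact TIG definition, and the packets are constructed rather than captured.

```python
"""Added example: 5-tuple TCP flows -> signed lengths -> bursts -> graph.

Assumptions (not from the thesis): flows are keyed on the canonicalised
bidirectional 5-tuple, the initiator is whoever sent the first packet, a
burst is a maximal run of packets in one direction, and the graph is a
packet chain whose edges are labelled intra- or inter-burst.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    proto: int   # 6 = TCP, 17 = UDP
    length: int  # bytes on the wire


# Constructed sample traffic (not a real capture): an HTTP-like exchange on
# port 80, the start of a TLS exchange on port 443, and one UDP packet that
# the TCP-only grouping must drop.
SAMPLE = [
    Packet(0.00, "10.0.0.5", 40001, "93.184.216.34", 80, 6, 60),
    Packet(0.01, "93.184.216.34", 80, "10.0.0.5", 40001, 6, 60),
    Packet(0.02, "10.0.0.5", 40001, "93.184.216.34", 80, 6, 52),
    Packet(0.03, "10.0.0.5", 40001, "93.184.216.34", 80, 6, 300),
    Packet(0.05, "93.184.216.34", 80, "10.0.0.5", 40001, 6, 1500),
    Packet(0.06, "93.184.216.34", 80, "10.0.0.5", 40001, 6, 1500),
    Packet(0.07, "93.184.216.34", 80, "10.0.0.5", 40001, 6, 800),
    Packet(0.08, "10.0.0.5", 40001, "93.184.216.34", 80, 6, 52),
    Packet(0.10, "10.0.0.7", 51000, "1.1.1.1", 443, 6, 60),
    Packet(0.11, "1.1.1.1", 443, "10.0.0.7", 51000, 6, 60),
    Packet(0.12, "10.0.0.7", 51000, "1.1.1.1", 443, 6, 517),
    Packet(0.20, "10.0.0.9", 5353, "224.0.0.251", 5353, 17, 120),
]


def flow_key(p):
    """Canonical bidirectional 5-tuple so both directions share one flow."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (p.proto,) + (a + b if a <= b else b + a)


def group_flows(packets):
    """Return {flow_key: [packets in time order]} for TCP packets only."""
    flows = defaultdict(list)
    for p in sorted(packets, key=lambda p: p.ts):
        if p.proto != 6:
            continue
        flows[flow_key(p)].append(p)
    return dict(flows)


def signed_lengths(flow):
    """Positive = sent by the initiator (first sender), negative = reply."""
    initiator = (flow[0].src, flow[0].sport)
    return [p.length if (p.src, p.sport) == initiator else -p.length
            for p in flow]


def bursts(signed):
    """Split the signed sequence into maximal same-direction runs."""
    out = []
    for v in signed:
        if out and (out[-1][-1] > 0) == (v > 0):
            out[-1].append(v)
        else:
            out.append([v])
    return out


def build_graph(signed):
    """Nodes: one per packet (feature = signed length).
    Edges: (i, j, label) chaining consecutive packets; label 'intra' inside a
    burst, 'inter' across a direction change."""
    nodes = list(signed)
    edges, idx = [], 0
    runs = bursts(signed)
    for bi, run in enumerate(runs):
        for j in range(len(run) - 1):
            edges.append((idx + j, idx + j + 1, "intra"))
        idx += len(run)
        if bi + 1 < len(runs):
            edges.append((idx - 1, idx, "inter"))
    return nodes, edges


def burst_features(signed):
    """Flat per-flow features a random forest could consume directly."""
    runs = bursts(signed)
    return {
        "n_packets": len(signed),
        "n_bursts": len(runs),
        "max_burst_len": max(len(r) for r in runs),
        "bytes_out": sum(v for v in signed if v > 0),
        "bytes_in": -sum(v for v in signed if v < 0),
    }


if __name__ == "__main__":
    for key, flow in group_flows(SAMPLE).items():
        s = signed_lengths(flow)
        print(key, s, burst_features(s))
```

The graph output is what a graph convolutional network would take as input (node features plus an edge list), while `burst_features` gives the flattened view suitable for the random forest; in practice the initiator convention matters, since a capture that starts mid-connection would flip the sign of every length.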
Document Details
- Document Type
- Technical Report
- Publication Date
- Sep 01, 2023
- Accession Number
- AD1224851
Entities
People
- Matthew N. Straughn
Organizations
- Naval Postgraduate School