Network Traffic Classification Using Multiclass Classifier

7 downloads 0 Views 1MB Size Report
Keywords: Multiclass classification 4 Normal traffic 4 Anomalous traffic ... two sub-approaches i.e. (a) mapping multiple classes to individual binary classes;.
Network Traffic Classification Using Multiclass Classifier Prabhjot Kaur1(&), Prashant Chaudhary1, Anchit Bijalwan1, and Amit Awasthi2 1

Department of Computer Science and Engineering, Uttaranchal University, Dehradun, India [email protected], [email protected], [email protected] 2 University of Petroleum and Energy Studies, Dehradun, India [email protected]

Abstract. This paper aims to classify network traffic in order to segregate normal and anomalous traffic. There can be multiple classes of network attacks, so a multiclass model is implemented for ordering attacks in anomalous traffic. A supervised machine learning method SVM support Vector Machine has been used for multiclass classification. The most widely used dataset KDD Cup 99 has been used for analysis. Firstly, the dataset has been preprocessed using three way step and secondly the analysis has been performed using multi-classifier method. The results acquired exhibited the adequacy of the multiclass classification on the dataset to a fair extent. Keywords: Multiclass classification

 Normal traffic  Anomalous traffic

1 Introduction Human has always aspired to develop techniques that could replace human efforts to a great extent. In this era, machine and deep learning is superseding other techniques. If one can train the machine using the data instead of explicitly programming the machine, that’s where we need machine learning. Machine learning has empowered many domains such as web search, text recognition, speech recognition, medicine such as protein structure estimation, network traffic analysis and prediction, intrusion detection etc. Network traffic analysis is one of the emerging domains. An attack can be predicted from the current network traffic flow and it can held stop the intruders before actually attacking the network. This can be done using machine learning by training the network. There are three categories of machine learning: supervised, un-supervised and semi-supervised [1]. This paper focuses on Support Vector Machine (SVM) supervised machine learning technique for network traffic classification. Network traffic classification using SVM can include two approaches: binary or two-way classification and multi-class classification [2]. The first approach works simply by classifying the network between normal and anomalous traffic. The second approach can be applied using two sub-approaches i.e. (a) mapping multiple classes to individual binary classes; © Springer Nature Singapore Pte Ltd. 2018 M. Singh et al. (Eds.): ICACDS 2018, CCIS 905, pp. 208–217, 2018. https://doi.org/10.1007/978-981-13-1810-8_21

Network Traffic Classification Using Multiclass Classifier

209

(b) directly solving multi-class problem. In this paper, first sub-approach is used to classify multi-class traffic classification [2]. The word classifier is a type of algorithmic technique used to implement classification [3]. The classification techniques can either be applied to the active data collected on site or passively on already built dataset. There are widely available network traffic collection tools such as: Iris, NetIntercept, tcpdump, Snort, Bro etc. [4, 5]. The online data stores of network traffic datasets are widely available for analysis of network traffic [6]. The network traffic files are generally stored in packet capture format (.pcap) which can subsequently be converted to desired format for analysis. These network files consist of features showing the type of traffic. For classification of network traffic, the most relevant features are selected out of the all features set. Then classification is performed on network traffic using the reduced feature set. Reducing the features may lessen the computation time and affirmatively affect the accuracy of the learning classification technique [7]. There are various models provided for feature selection: Wrapper and filter method [7], Correlation based feature selection (CFS) [8], INTERACT algorithm [9], The Consistency-based filter [10], gini covariance method [11], information gain, attribute evaluation etc. [12]. Wrapper method aims to select the feature subset with high extrapolative power that optimizes the classifier. Whereas in filter method, the best possible feature subset is selected from the data set irrespective of the classifier optimization. CFS technique aims to select the features that are highly correlated with the class and least correlated with remaining features of the class. INTERACT deals with inspecting the contribution of individual feature in the whole dataset and how its removal affects the consistency. The contribution is generated based on the ratio between entropy and information gain (IG) known as symmetrical uncertainty (SU) [13]. Information gain aims to determine the maximum information obtained from a particular feature. Gini covariance method aims at checking the variability of the feature and assigning respective ranks using spatial ranking method. The features within a particular threshold value are selected and beyond are rejected. Information gain attribute evaluation is to determine the best possible feature or attribute in the dataset. Traditional binary classifiers work well with known patterns and their accuracy is fairly good. However, the drawback of these traditional binary classifiers is their inability to detect novel patterns in the data. This limitation has been removed for anomaly detection in wireless sensor networks by using a modified version of SVM for unknown traffic classification [14]. 1.1

Related Work

Numerous studies have been conducted for traffic analysis using KDD Cup’99 dataset [6]. A computational efficient technique called novel multilevel hierarchical Kohonen net focuses on reduced feature and network size. The subset from KDD Cup’99 data is selected consisting of combination of normal and anomalous traffic records, which can be used to train the classifier. However, the test data consists of more attacks than available in train set, are used for testing the classifier [15]. Evolutionary neural networks based novel approach for intrusion detection has been proposed over the same KDD dataset. This approach takes way less time to find the higher neural networks than the conventional neural network approaches by learning system-call orders [16].

210

P. Kaur et al.

Another technique applied on KDD Cup data set is modified and improved version of C4.5 decision tree classifier. In this method new rules are derived by evaluating the network traffic data and thereby applied to detect intrusion in the real time [17]. Another technique applied on the modified version of KDD’99 data set named NSLKDD that aims to decrease the false rate and increase the detection rate by optimizing the weighted average function [18]. A novel technique named Density peaks nearest neighbors (DPNN) is applied on KDD’99 cup data set to yield an improved accuracy over SVM method. This approach detects unknown attacks thus improving the sub categorical accuracy improvement of 15% on probe attacks and an overall efficiency improvement of 20.688% [23]. The authors used deep auto-encoder technique on KDD’99 cup dataset by constructing multilayer neurons showing improved accuracy over traditional attack identification techniques [24]. The authors performed a two way step on KDD’99 cup dataset: feature reduction using three different techniques i.e. gain ratio, mutual information, correlation and generated analysis score using Naïve Bayes, random forest, adaboost, SVM, bagging, kNN and stacking. Their results showed the maximum performance given by SVM with 99.91% score and closer performance score of 99.89 by random forest algorithm [25]. 1.2

Data Set: KDD Cup 99

The full train dataset consists of 4,898,431 records out of which 972,781 are normal records and 3,925,650 are attack records. In this full train dataset vast numbers of records are redundant and after redundancy removal the total records, normal and attack records become 1,074,992, 812,814 and 262,178 respectively [19]. However the 10% train dataset consists of total of records 494,021 out of which record are 97,278 normal whereas are 396,743 attack records. The test dataset consists of 311,027 records out of which 60,591 are normal records and 250,436 are attack records. In this test dataset vast numbers of records are redundant and after redundancy removal the total records, normal and attack records become 77,289, 47,911 and 29,378 respectively. There were two invalid records found in the test dataset having record number 136,489 and 136,497 consisting of unacceptable value for service feature as ICMP, henceforth removed these two records from test dataset [19]. KDD CUP 99 dataset includes four different categories of attacks which are further subcategorized into twenty two categories shown in Fig. 1. The four classes of attacks present in train dataset are: Denial of Service (DoS), User to Root (U2R), Remote to Local (R2L) and Probe. DoS attack denies user’s genuine access to the machine by either flooding the network with excess traffic or making the system resources over utilized. In U2R, the unauthorized user gains access to the system’s root directory, thereby attaining all rights of the super user. R2L deals with getting local access of the machine from remote location by exploiting unknown vulnerability. Probe attack deals with gaining control of the system by security breach [19]. Sub categories of the aforementioned attacks are depicted in Fig. 1. The frequency of the number of attacks present in the particular train and test data set files are mentioned clearly. Though the redundancy has already removed from both train and test datasets. Test dataset has unknown traffic category as well. Therefore total number of reduced records after redundancy removal in train dataset and test dataset are: 1,074,992 and 77289 respectively.

Network Traffic Classification Using Multiclass Classifier

211

Fig. 1. Train and Test network traffic data statistics (KDD Cup’99)

1.3

Support Vector Machine

SVM is one of the most widely used classification techniques. A decade ago it was typically used for binary classification, however with the advent of its variants; multiclass classification is most frequently in use today. A hyper plane need to be selected in

212

P. Kaur et al.

such a way that it precisely separates between two classes of data. The wider the hyper plane width, the better it is. The width points of the hyper plane are decided from the closest points to the hyper plane line known as support vectors. In context of network traffic data, there can be either normal traffic or anomalous traffic which comes under binary classification. Multiple subclasses of anomalous traffic can be determined using multi-class SVM. Binary classification is easy to implement as the classifier need to learn either the traffic is normal or anomalous. In order to perform multiple class classification, certain characterizations need to be considered i.e. One versus one (OvO) and one versus rest (OvR). In OvR, one class separates from other classes if binary characteristics of one class distinguish it from remaining set of classes. In OvO, here each classifier forms a pair with every other classifier and learns from the relationship formed [20]. Yet, there are many variants of SVM such as least squares SVM, v-SVM, nearly-isotonic SVM, Bounded SVM, NPSVM and Twin SVM, but this paper shall focus on multi-class categorization property of SVM [18].

2 Methodology In order to perform the whole scenario, a formal step line has been followed. In general it must follow the foursteps: Data selection, Pre-processing, Analysis and result evaluation [21] as shown in Fig. 2. In nearly every data analytical domain, the generic flow model steps are followed meticulously. The steps may vary depending upon the unalike analysis requirements. Based on the generic model, the stair step followed in this paper is shown in Fig. 3. The four steps are: data selection, data preprocessing, analysis and result respectively which further consists of sub-steps. Data selection may either include the primary dataset collected in hand or the secondary datasets selection from online repository. Data preprocessing is subdivided into three parts: (1) Removing redundancy, (2) Feature selection and (3) Data transformation. Fig. 2. Generic flow model Data analysis step involves extracting the relevant information from vast amount of data. The researcher may use different methods for data analysis. In this paper, supervised machine learning technique SVM for multi class classification has been used. The final step is obtaining results and accuracy. 2.1

Experimental Setup

The firsthand experiment is run on an Intel Core i5-5200U CPU @ 2.20 GHz computer with 8.00 GB RAM running operating system Linux (Ubuntu 16.04 LTS). Python 3.6 has been used for programming with scikit learn libraries such as Pandas and NumPy [22].

Network Traffic Classification Using Multiclass Classifier

213

Fig. 3. Proposed step line for data analysis

2.2

Data Selection

In Data selection step, KDD CUP 99 is selected for data analysis. The brief detail about this dataset is already mentioned in second section. This first step could either be data collection or data selection. Data collection can be done by deploying network traffic collection tools such as tcpdump, NetIntercept, Snort, Bro etc. [4, 5]. The data collected using these methods are called primary data collection. The collected data is stored as datasets having specific extension such as .pcap. These datasets are most often available publicly to researchers. If a data set is selected from these publicly available data sets then it is called secondary dataset selection [6]. The data is selected based on researcher’s area of interests. 2.3

Data Preprocessing

Data preprocessing means cleaning the data and making it readily available for further handling. In this step, the data in dataset is fine-tuned as per the input requirements to the model for processing. KDD Cup 99 dataset includes many redundant rows in training and testing datasets. There can be variant steps followed to preprocess the data. There is no generic step line for data pre-processing. In this paper three-step process is followed to preprocess data: (1) Removing redundancy, (2) Feature selection and (3) Data transformation [21]. KDD Cup 99 dataset has two sets of train data and test data: complete dataset and 10 percent of complete dataset. The size of complete train and test dataset is 4,898,431 rows X 41 features and 311,031 rows X 41 features respectively. Whereas the size of 10 percent of complete train dataset is 494,021 rows X 41 features. Both the above complete and 10 percent of complete data sets consist of redundant rows. After redundancy removal from 10 percent of complete train data set the records become 145586. The data redundancy may lead to the problem of biased results of the classifier towards frequently occurring records. Therefore, using a python script, the redundancy of training and testing dataset has been removed as a part of first step to data preprocessing. The second step to data preprocessing is feature extraction. Two widely used methods are used in combination and ranked the features accordingly.

214

P. Kaur et al.

These methods are information gain and Gini covariance [11]. The numeric values obtained using information gain method and Gini covariance method are in the range of 2.014–0.080 and 0.483–0.011 respectively for all 41 features. Based on combined values of both the methods, rank is assigned to the respective feature. The highest ranked 26 features are selected for further analysis. The numeric values range for information gain method and Gini covariance method are between 2.014–0.214 and 0.483–0.035 respectively for all selected 26 features. The third step to data preprocessing is data transformation that involved two tasks: dataset file format conversion and symbolic conversion. The first subtask means to convert the dataset files in a format required by the machine learning model. Python with scikit learn libraries are used in this paper for data conversion. Scikit-learn accept data in csv (comma separated value) format for further analysis. Therefore, all the dataset files are converted to .csv format. The second subtask of data transformation is to convert the symbolic values with numeric values. Python code has been written for symbolic value conversion in the train and test dataset. Therefore, data preprocessing step prepares the data for analysis in further steps. The authors have selected the subset of train set consisting of few attack sets from all four categories. 2.4

Analysis

Data analysis is the process of determining the relevant information by data modeling. In this paper, the authors have used Support Vector Machine (SVM) supervised machine learning technique for modeling the network traffic data. Since SVM can be implemented for both binary class and multiclass classification, thus multiclass SVM has been used in this paper. This has been implemented by using python programming with scikit learn libraries. A classifier known as Support Vector Classifier has been used requiring set of values to be passed as its parameters. The most relevant is the kernel which can take the values such as rbf, linear etc. but the default kernel is set to Radial Basis Function (rbf). Other parameters include C = 1.0, cache_size, coef, class_weight, kernel, degree, gamma and decision_function_shape, verbose etc. The parameter decision_function_shape can take either of two values: ovr or ovo. The results using One vs. One value of decision_function_shape obtained categorically [DoS, U2R, R2L, normal] is: 100, 66.66, 96, 98.12. The results using One vs. Rest value of decision_function_shape obtained categorically [DoS, U2R, R2L, normal] is: 100, 60, 96, 98.53. However the results are little improved when analysis is performed on the reduced feature dataset. In reduced feature dataset, the results using One vs. One value of decision_function_shape obtained categorically [DoS, U2R, R2L, normal] is: 100, 67.6, 96.1, 98.12. The results using One vs. Rest value of decision_function_shape obtained categorically [DoS, U2R, R2L, normal] is: 100, 60.37, 96, 98.79. The above values are obtained by using Eq. (1). Substantial amount of computational time has decreased due to analysis being performed on reduced feature set data.

Network Traffic Classification Using Multiclass Classifier

215

3 Results and Discussion The results aforementioned in the analysis part are calculated using the simple accuracy formula of: Accuracy ¼ ðCorrectPrediction=NumOfTestingSamplePerCatogryÞ  100

ð1Þ

The NumOfTestingSamplePerCatogry is implied as the number of testing samples per category. For experimental purpose the subset of the complete dataset is selected for analysis and NumOfTestingSamplePerCatogry list holds the number of attacks categorically in the selected subset. The outcome of the machine learning model is compared with the actual data label which is stored in the list named CorrectPrediction implied as correct predictions obtained. However, the authors felt that its accuracy can be improved if the four notations are duly considered: True Positives (TPs), True Negatives (TNs), False Positive (FPs) and False Negatives (FNs). True positives are the correct predictions for correct traffic which is the most ideal case and focus remains on maximizing TPs. True negatives denotes appropriately labeled the network traffic data records as normal. False positives, label as an attack to the normal record. False negative means considering attack traffic records as normal traffic records [18]. Therefore, the measurement terms are [18, 25]: Accuracy ¼ ðTPs þ TNsÞ=ðTPs þ TNs þ FPs þ FNsÞ

ð2Þ

ErrorRate ¼ ðFNs þ FPsÞ=ðTPs þ TNs þ FPs þ FNsÞ

ð3Þ

Precision ¼ TPs=ðTPs þ FPsÞ

ð4Þ

Recall ¼ TPs=ðTPs þ FNsÞ

ð5Þ

The Eq. (2) is preferred over Eq. (1) while calculating the accuracy of the proposed machine learning model. The error rate, precision and recall parameters are depicted in Eqs. (3), (4) and (5) respectively. Using python programming, the values of TPs, TNs, FPs and FNs are calculated which are subsequently put in the Eqs. (2) to (4) to obtain the values of different metrics. The accuracy, error rate, precision and recall obtained categorically [DoS, U2R, R2L, normal] is: [1.0, 0.55, 1.0, 0.99], [0, 0.44, 0, 0.0020], [1.,1.,1.,1.] and [1., 0.99, 0.2, 1.] respectively. However emphasis is done on maximizing TPs and minimizing FNs.

4 Conclusion and Future Scope In this paper, KDD cup dataset has been analyzed using multiclass SVM supervised machine learning technique. First of all the data preprocessing is done by removing the redundant rows, substituting the numeric values for columns consisting of text data and reducing the feature by applying appropriate feature selection technique. Thereafter the

216

P. Kaur et al.

dataset is converted in the format desired by appropriate classification technique. Then a subset of train data set is selected to train the classifier. After analysis is done, the results obtained using reduced feature set showed substantial improvement over the results obtained with full 41 feature analysis. However, significant improvement in computational time has been seen. Furthermore, accuracy has been derived using two different approaches which do show greater variability in accuracy of R2L attacks. Thus the overall analysis work helps to understand and apply the multiclass problem to a fair extent. On account of the technical limitations of the current work is the handling of big dataset. It is computationally expensive to process the complete dataset in one go. Therefore, subsets of dataset are selected to perform analysis. On part of future scope, cross validation can be performed by taking various folds of the dataset. Learners rules can be derived which can subsequently be used in domain of intrusion detection systems. Also, the SVM multiclass model can be applied with kernel function to check its accuracy with the given dataset.

References 1. Chapelle, O., Schölkopf, B., Zien, A.: Semi-Supervised Learning. MIT Press, London England (2006) 2. Bolón-Canedo, V., Sánchez-Maroño, N., Alonso-Betanzos, A.: Feature selection and classification in multiple class datasets: an application to KDD Cup 99 dataset. Expert Syst. Appl. 38, 5947–5957 (2011) 3. Kwon, D., Kim, H., Kim, J., Suh, S.C., Kim, I., Kim, K.J.: A survey of deep learning-based network anomaly detection. Cluster Comput. 20, 1–13 (2017) 4. Pilli, E.S., Joshi, R.C., Niyogi, R.: Network forensic frameworks: survey and research challenges. Digital Invest. 7, 14–27 (2010) 5. Kaur, P., Bijalwan, A., Joshi, R.C., Awasthi, A.: Network forensic process model and framework: an alternative scenario. In: Singh, R., Choudhury, S., Gehlot, A. (eds.) Intelligent Communication, Control and Devices. AISC, vol. 624, pp. 493–502. Springer, Singapore (2018). https://doi.org/10.1007/978-981-10-5903-2_50 6. KDD Cup 1999 Data. http://kdd.ics.uci.edu/databases/kddcup99/kddcup99.html 7. Kohavi, R., John, G.H.: Wrappers for feature subset selection. Artif. Intell. 97, 273–324 (1997) 8. Doshi, M., Chaturvedi, S.k.: Correlation based feature selection (CFS) technique to predict student performance. Int. J. Comput. Netw. Com. (IJNC) 6(3) 197–206 (2014) 9. Zhao, Z., Liu, H.: Searching for interacting features. In: Proceedings of international joint conference on artificial intelligence, 1156–1167 (2007) 10. Dash, M., Liu, H.: Consistency-based search in feature selection. Artif. Intell. 151, 155–176 (2003) 11. Sang, Y., Dang, X., Sang, H.: Symmetric Gini Covariance and Correlation version. Can. J. Stat. 44(3), 1–20 (2016) 12. Bajaj, K., Arora, A.: Dimension reduction in intrusion detection features using discriminative machine learning approach. Int. J. Comput. Sci. 10(4), 324–328 (2013) 13. Forman, G.: An extensive empirical study of feature selection metrics for text classification. J Mach. Learn. Res. 3, 289–1305 (2003)

Network Traffic Classification Using Multiclass Classifier

217

14. Shilton, A., Rajasegarar, S., Palaniswami, M.: Combined multiclass classification and anomaly detection for large-scale wireless sensor networks. In: IEEE Eighth International Conference on Intelligent Sensors, Sensor Networks and Information Processing, pp 491– 496. IEEE Press, New York (2013) 15. Sarasamma, S., Zhu, Q., Huff, J.: Hierarchical Kohonen net for anomaly detection in network security. IEEE Trans. Syst. Man Cybern. Part B (Cybern.) 35(2), 302–312 (2005) 16. Han, S.J., Cho, S.B.: Evolutionary neural networks for anomaly detection based on the behavior of a program. IEEE Trans. Syst. Man Cybern. 36(3), 559–570 (2005) 17. Rajeswari, L.P., Arputharaj, K.: An active rule approach for network intrusion detection with enhanced C4.5 algorithm. Int. J. Commun. Netw. Syst. Sci. 4, 285–385 (2008) 18. Bamakan, S.M.H., Wang, H., Yingjie, T., Shi, Y.: An effective intrusion detection framework based on MCLP/SVM optimized by time-varying chaos particle swarm optimization. Neurocomputing 199, 90–102 (2016) 19. Tavallaee, M., Bagheri, E., Lu, W., Ghorbani, A.A.: A detailed analysis of the KDD CUP 99 data set. In: Proceedings of the 2009 IEEE Symposium on Computational Intelligence in Security and Defense Applications. IEEE Press, New York (2009) 20. Yukinawa, N., Oba, S., Kato, K., Ishii, S.: Optimal aggregation of binary classifiers for multi-class cancer diagnosis using gene expression profiles. IEEE/ACM Trans Comput. Biol. Bioinform. 6(2), 333–343 (2009) 21. Singh, R., Kumar, H., Singla, R.K.: Analysis of feature selection techniques for network traffic dataset. In: 2013 International Conference on Machine Intelligence and Research Advancement, pp. 42–46 (2013) 22. Scikit learn machine learning in python. http://scikit-learn.org/stable/auto_examples/svm/ plot_rbf_parameters.html 23. Li, L., Zhang, H., Peng, H., Yang, Y.: Nearest neighbors based density peaks approach to intrusion detection. Chaos, Solitons Fractals 110, 33–40 (2018) 24. Farahnakian, F., Heikkonen J.: A deep auto-encoder based approach for intrusion detection system. In: 20th International Conference on Advanced Communication Technology (ICACT), pp. 178–183 (2018) 25. Kushwaha, P., Buckchash, H., Raman, B.: Anomaly based intrusion detection using filter based feature selection on KDD-CUP 99. In: 2017 IEEE Region 10 Conference (TENCON), Malaysia (2017)