Published January 1, 2018 | Version v1 | Journal article | Open access
Two-layer malicious network flow detection system with sparse linear model based feature selection
Description
The amount of malicious network traffic in enterprise systems has increased with the spread of botnets, fuzzers, shellcode and exploits, which threatens the everyday operation of enterprises. Building classification models from this malicious traffic is an important problem: such models can help to discover new types of attacks on the basis of previously built predictive models. The most prominent attacks on availability in the CIA triad are distributed denial-of-service attacks. Denial-of-service attacks target the availability leg of the CIA triad: their aim is to block access to a service for the legitimate users who need to be connected to it. As the Mirai cyber-attack showed, major service providers such as Twitter and Reddit can become inaccessible simply by attacking the DNS servers. Hence distributed denial-of-service, a rather old type of attack, is still relevant today. This paper describes a two-stage, filtering-based identification of network traffic from network flow patterns. The paper also shows that the predictive performance of the malicious traffic classification model increases when the network flows are filtered. L1-norm based sparse linear models were used for feature selection, to find an optimal feature set and to determine the effect of the individual features. Simulation results validate the effectiveness of the proposed classification scheme.
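The abstract's feature-selection step, L1-norm sparse linear models over flow features, can be illustrated with the following added example, which is not the paper's own code or data. It trains an L1-regularised logistic regression with proximal gradient descent (ISTA) on a handful of constructed flow records and reports which feature weights survive the penalty; the feature names, record values and solver settings are all assumptions made for the illustration.

```python
import math

# Constructed flow records: (duration_s, bytes_per_s, pkt_count, mean_pkt_size, ttl_variance).
# Label 1 = malicious (flood-like: many small packets), 0 = benign. Values are made up;
# ttl_variance is deliberately identical across classes so it carries no signal.
FEATURES = ["duration_s", "bytes_per_s", "pkt_count", "mean_pkt_size", "ttl_variance"]
FLOWS = [
    ((12.0, 4500, 40, 900, 0.1), 0), ((3.5, 8000, 25, 1100, 0.3), 0),
    ((30.0, 1200, 60, 700, 0.2), 0), ((0.8, 15000, 10, 1300, 0.1), 0),
    ((20.0, 3000, 55, 800, 0.4), 0), ((5.0, 20000, 2000, 64, 0.1), 1),
    ((2.0, 9000, 1500, 60, 0.3), 1), ((15.0, 6000, 3000, 80, 0.2), 1),
    ((1.0, 30000, 900, 70, 0.1), 1), ((8.0, 2500, 2500, 64, 0.4), 1),
]

def standardise(rows):
    """z-score each column so the L1 penalty treats every feature on an equal footing."""
    cols = list(zip(*rows))
    means = [sum(c) / len(c) for c in cols]
    stds = [math.sqrt(sum((v - m) ** 2 for v in c) / len(c)) or 1.0 for c, m in zip(cols, means)]
    return [[(v - m) / s for v, m, s in zip(r, means, stds)] for r in rows]

def soft_threshold(v, t):
    """Proximal operator of t*|v|: shrinks v towards zero and clips it to exactly 0.0."""
    return math.copysign(max(abs(v) - t, 0.0), v)

def train_l1_logreg(X, y, lam=0.1, lr=0.1, iters=2000):
    """ISTA: gradient step on the logistic loss, then soft-threshold the weights (not the bias)."""
    n, d = len(X), len(X[0])
    w, b = [0.0] * d, 0.0
    for _ in range(iters):
        p = [1.0 / (1.0 + math.exp(-(sum(wi * xi for wi, xi in zip(w, x)) + b))) for x in X]
        r = [pi - yi for pi, yi in zip(p, y)]                      # residuals p - y
        grad_w = [sum(ri * x[j] for ri, x in zip(r, X)) / n for j in range(d)]
        w = [soft_threshold(wj - lr * gj, lr * lam) for wj, gj in zip(w, grad_w)]
        b -= lr * sum(r) / n
    return w, b

def fit(lam=0.1):
    """Return the selected (non-zero) features with their weights and the training accuracy."""
    X = standardise([f for f, _ in FLOWS])
    y = [lbl for _, lbl in FLOWS]
    w, b = train_l1_logreg(X, y, lam)
    scores = [sum(wi * xi for wi, xi in zip(w, x)) + b for x in X]
    acc = sum((s > 0) == (yi == 1) for s, yi in zip(scores, y)) / len(y)
    return {"selected": {nm: round(wj, 4) for nm, wj in zip(FEATURES, w) if wj != 0.0},
            "accuracy": acc}

if __name__ == "__main__":
    print(fit())
```

Raising `lam` drops weaker features first; collinear features such as pkt_count and mean_pkt_size may share or trade their weight, which is a known property of L1 selection worth checking before trusting the "optimal" set.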
Files: bib-9fbb3cd7-82ae-430f-bb29-6ae755d33921.txt (190 Bytes, md5:a0c37f6a18ff6ad1976fcc5d4e3242e1)