LEVERAGING MACHINE-LEARNING TO ENHANCE NETWORK SECURITY

Abstract

This research examines the use of machine-learning techniques to identify malicious traffic in an emulated tactical computer network. The intent is to identify low-cost solutions based on open-source software capable of employment on computer hardware of currently fielded tactical data networks. These machine-learning techniques are investigated for application where it is prohibitive to employ bulky alternate network security measures such as security information and event management products. These methods are evaluated as a complementary solution to existing security measures, rather than as a replacement. A test network is established with sixteen hosts emulating generation of normal baseline traffic for periods of 48 hours. One machine is infected with a botnet simulator and sends malicious traffic at four levels of intensity. The traffic flows are captured, labeled, and used as training and testing sets for four commonly used machine-learning algorithms to generate models for identifying the botnet traffic. The trained models are then tested against other flow datasets to evaluate their ability to classify malicious traffic without prior signatures. We identify the J48 Decision Tree as the strongest single algorithm across six of our seven metrics. Our work also produces a report for network administrators that is clear, easy to understand, and most importantly, provides actionable information that can drive decisions to best defend the network.