Deakin University

Clustering analysis for malicious network traffic

conference contribution
posted on 2017-07-28, 00:00 authored by J Wang, L Yang, J Wu, Jemal Abawajy
© 2017 IEEE. With the volume and variety of network attacks increasing, efficient approaches to detect and stop network attacks before they damage the system or steal data are paramount to users and network administrators. Although many different detection mechanisms have been proposed, existing detection methods generally tend to detect attacks only after the attacks have finished and caused damage to the system. As recent attacks employ polymorphism and complicated attack techniques, it has become even more difficult for these approaches to detect attacks in a timely manner. In this paper, we propose an efficient network attack detection algorithm called seed expanding (SE) that detects attacks before they damage the system. SE employs the Two-Seed-Expanding network traffic clustering scheme, which clusters attack traffic into different attack phases. First we pre-process the network traffic: constructing network flows, converting continuous-valued attributes into nominal attributes by discretization, and then turning them into binary features. Then, based on these features, SE computes a weight for each flow and iteratively selects seeds to expand until all flows are divided into clusters. To investigate the effectiveness of the proposed approach, we undertook extensive experimental analyses. The results show that the pre-processing greatly improves clustering performance, and that the Two-Seed-Expanding algorithm outperforms K-Means and other kinds of seed expanding in attack-flow clustering. These clustering results can be further used in attack detection.
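The pipeline the abstract sketches (flow construction, discretization into nominal attributes, binary features, a per-flow weight, seed selection and expansion until every flow is assigned) can be made concrete. The block below is an added illustration written for this page, not the authors' code: the abstract does not say how the weight is computed, how a seed's cluster grows, or what distinguishes the two-seed variant, so the weight (sum of corpus-wide feature frequencies), the Jaccard similarity threshold, the single-seed expansion loop, the discretization bins and the sample flows are all assumptions made here.

```python
"""Illustrative seed-expanding clustering over binarized network flows.

Added example for this page, not the paper's code. The weighting rule,
the similarity measure, the discretization bins and the sample flows are
all assumptions; the abstract specifies none of them.
"""
from collections import Counter

# Constructed sample flows (not from the paper):
# (src_ip, dst_ip, dst_port, proto, bytes, packets)
SAMPLE_FLOWS = [
    ("10.0.0.5", "10.0.0.9", 22,  "tcp", 120,   3),    # small probes, one per port
    ("10.0.0.5", "10.0.0.9", 23,  "tcp", 118,   3),
    ("10.0.0.5", "10.0.0.9", 80,  "tcp", 125,   3),
    ("10.0.0.5", "10.0.0.9", 443, "tcp", 122,   3),
    ("10.0.0.7", "10.0.0.9", 445, "tcp", 58000, 420),  # bulk transfers to one host
    ("10.0.0.7", "10.0.0.9", 445, "tcp", 61000, 450),
    ("10.0.0.8", "10.0.0.9", 445, "tcp", 59500, 430),
]

# Assumed discretization bins: (exclusive upper bound, nominal label).
BYTE_BINS = [(1_000, "small"), (20_000, "medium"), (float("inf"), "large")]
PKT_BINS = [(10, "few"), (100, "some"), (float("inf"), "many")]
PORT_BINS = [(1024, "well_known"), (49152, "registered"), (65536, "ephemeral")]


def discretize(value, bins):
    """Map a continuous value to the label of the first bin it falls below."""
    for upper, label in bins:
        if value < upper:
            return label
    return bins[-1][1]


def binarize(flow):
    """Turn one flow into a set of binary features: each is present or absent."""
    src, dst, dport, proto, nbytes, npkts = flow
    return frozenset({
        f"src:{src}", f"dst:{dst}", f"proto:{proto}",
        f"dport:{discretize(dport, PORT_BINS)}",
        f"bytes:{discretize(nbytes, BYTE_BINS)}",
        f"pkts:{discretize(npkts, PKT_BINS)}",
    })


def jaccard(a, b):
    """Similarity of two binary feature sets: |A and B| / |A or B|."""
    return len(a & b) / len(a | b)


def cluster_flows(flows, threshold=0.6):
    """Seed-expanding clustering; returns a list of sorted flow-index lists.

    Assumed weight: the sum of how often each of the flow's features occurs
    across all flows, so a flow that resembles many others is picked as a
    seed first. A seed's cluster grows transitively to every unassigned flow
    whose Jaccard similarity to a current member meets the threshold.
    """
    feats = [binarize(f) for f in flows]
    freq = Counter(x for fs in feats for x in fs)
    weight = [sum(freq[x] for x in fs) for fs in feats]
    unassigned = set(range(len(flows)))
    clusters = []
    while unassigned:
        # Highest weight wins; ties go to the lowest index for determinism.
        seed = max(unassigned, key=lambda i: (weight[i], -i))
        members = {seed}
        frontier = [seed]
        while frontier:
            cur = frontier.pop()
            for j in list(unassigned - members):
                if jaccard(feats[cur], feats[j]) >= threshold:
                    members.add(j)
                    frontier.append(j)
        unassigned -= members
        clusters.append(sorted(members))
    return clusters


if __name__ == "__main__":
    for k, members in enumerate(cluster_flows(SAMPLE_FLOWS), start=1):
        print(f"cluster {k}: flows {members}")
```

On the constructed input the four small probes from 10.0.0.5 form one cluster and the three bulk transfers to port 445 form another, even though the third transfer comes from a different source; raising the threshold to 0.8 splits that third flow off on its own, which is the kind of sensitivity a practitioner should check before reading clusters as attack phases.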

History

Location

Paris, France

Start date

2017-05-21

End date

2017-05-25

ISSN

1550-3607

ISBN-13

9781467389990

Publication classification

E Conference publication, EN Other conference paper

Title of proceedings

IEEE International Conference on Communications

Publisher

IEEE

Place of publication

Piscataway, N.J.
