Malicious Traffic Classification Using Mitre ATT&CK and Machine Learning Based on UNSW-NB15 Dataset


KIPS Transactions on Software and Data Engineering, Vol. 12, No. 2, pp. 99-110, Feb. 2023
https://doi.org/10.3745/KTSDE.2023.12.2.99
Keywords: Machine Learning, MITRE ATT&CK, UNSW-NB15, Network Traffic Classification, Network Security Monitoring
Abstract

This study proposes a classification of malicious network traffic using a cyber threat framework (Mitre ATT&CK) and machine learning to address the real-time traffic detection problems faced by current security monitoring systems. We mapped the labels of the UNSW-NB15 network traffic dataset onto the Mitre ATT&CK framework and generated the final dataset through rare-class processing. After training several boosting-based ensemble models on the generated dataset, we show how these ensemble models classify network traffic using various performance metrics. Based on the F1 score, XGBoost with no rare-class processing performs best in the multi-class traffic environment. Machine learning ensemble models built on Mitre ATT&CK label conversion and oversampling differ from existing studies, but they have limitations due to (1) the inability to match perfectly when converting between existing dataset labels and Mitre ATT&CK labels and (2) the presence of excessive sparse classes. Nevertheless, CatBoost with B-SMOTE achieved a classification accuracy of 0.9526, which is expected to be sufficient to automatically detect normal/abnormal network traffic.
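As an added illustration (not the paper's code; the category-to-tactic mapping and the sample counts are assumptions, since the paper's own mapping table is not on this page), the two limitations the abstract names, in working Python: a label conversion that must drop dataset categories with no ATT&CK counterpart, a rare-class check of the kind oversampling targets, and macro F1 beside plain accuracy to show why a high accuracy on a skewed class distribution can hide missed sparse classes.

```python
from collections import Counter

# UNSW-NB15 attack categories (the dataset's real labels) mapped to ATT&CK tactic IDs; the mapping is an assumption.
UNSW_TO_ATTACK = {
    "Normal": "Benign",
    "Reconnaissance": "TA0043",  # Reconnaissance
    "Exploits": "TA0001",        # Initial Access
    "Shellcode": "TA0002",       # Execution
    "Backdoors": "TA0003",       # Persistence
    "Analysis": "TA0007",        # Discovery
    "Fuzzers": "TA0007",         # Discovery: two source classes collapse into one tactic
    "Worms": "TA0008",           # Lateral Movement
    "DoS": "TA0040",             # Impact
    # "Generic" has no clean tactic counterpart and is deliberately left unmapped
}

def convert_labels(records, mapping=UNSW_TO_ATTACK):
    """Relabel (features, unsw_category) pairs; categories with no ATT&CK counterpart are dropped and counted."""
    converted, dropped = [], Counter()
    for feats, cat in records:
        tactic = mapping.get(cat)
        if tactic is None:
            dropped[cat] += 1
            continue
        converted.append((feats, tactic))
    return converted, dropped

def rare_classes(labels, min_fraction=0.05):
    """Classes below min_fraction of all samples: the ones an oversampler such as B-SMOTE would target."""
    counts, total = Counter(labels), len(labels)
    return {c: n for c, n in counts.items() if n / total < min_fraction}

def accuracy(y_true, y_pred):
    return sum(t == p for t, p in zip(y_true, y_pred)) / len(y_true)

def macro_f1(y_true, y_pred):
    """Macro F1 weighs every class equally, so a completely missed sparse class costs a full 1/k."""
    f1s = []
    for c in sorted(set(y_true) | set(y_pred)):
        tp = sum(t == c and p == c for t, p in zip(y_true, y_pred))
        fp = sum(t != c and p == c for t, p in zip(y_true, y_pred))
        fn = sum(t == c and p != c for t, p in zip(y_true, y_pred))
        prec = tp / (tp + fp) if tp + fp else 0.0
        rec = tp / (tp + fn) if tp + fn else 0.0
        f1s.append(2 * prec * rec / (prec + rec) if prec + rec else 0.0)
    return sum(f1s) / len(f1s)

# Constructed toy sample: 100 flows, heavily skewed toward Normal, with one unmapped category.
SAMPLE = [({}, "Normal")] * 90 + [({}, "Exploits")] * 5 + [({}, "Generic")] * 3 + [({}, "Worms")] * 2
```

Predicting the majority class for every flow in SAMPLE scores about 0.93 accuracy but only about 0.32 macro F1, which is the gap that makes F1 the better model-selection metric on this kind of data.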




Cite this article
[IEEE Style]
Y. D. Hyun, K. J. Hwan, W. D. Ho, "Malicious Traffic Classification Using Mitre ATT&CK and Machine Learning Based on UNSW-NB15 Dataset," KIPS Transactions on Software and Data Engineering, vol. 12, no. 2, pp. 99-110, 2023. DOI: https://doi.org/10.3745/KTSDE.2023.12.2.99.

[ACM Style]
Yoon Dong Hyun, Koo Ja Hwan, and Won Dong Ho. 2023. Malicious Traffic Classification Using Mitre ATT&CK and Machine Learning Based on UNSW-NB15 Dataset. KIPS Transactions on Software and Data Engineering, 12, 2, (2023), 99-110. DOI: https://doi.org/10.3745/KTSDE.2023.12.2.99.