Reduce the False Positive and False Negative from Real Traffic with Intrusion Detection
Source: DataCite Commons. Updated 2020-09-04. Indexed 2024-07-25.
Download link:
https://figshare.com/articles/dataset/Reduce_the_False_Positive_and_False_Negative_from_Real_Traffic_with_Intrusion_Detection/1319403/1
Description:
ABSTRACT - In a typical network, the traffic through the network is heterogeneous and consists of flows from multiple applications and utilities. Considering today's threats in networks, there is not yet a single solution that solves all the issues, because the traditional port-based and payload-based methods, even combined with machine learning algorithms, suffer from dynamic ports and encrypted applications. Many international network equipment manufacturers, such as Cisco and Juniper, are also working to reduce these issues on the hardware side. This paper presents a new approach based on the idea of service-based classification. The method is, in some sense, orthogonal to current approaches, and it can be used as an efficient complement to existing methods to reduce computation and memory requirements. Experimental results on real traffic confirm that the method is highly effective and may considerably improve the accuracy of traffic classification, while remaining suitable for a large number of applications. Finally, it is also possible to adopt a service database built offline, possibly provided by a third party and modeled after the signature database of antivirus programs, which in turn reduces the work of the training procedure and the overfitting of parameters in the case of a parametric classifier for supervised traffic classification. Index terms: network operations, security, traffic classification.
Provider:
figshare
Created:
2016-01-19