Applying bagging in finding network traffic anomalies

The authors consider approaches to solving the problem of identifying anomalous situations in information and telecommunication systems, based on artificial intelligence methods that analyze the statistical information on traffic packets in various modes and states. We propose a method for detecting an anomalous situation based on the obtained tuples of values of network traffic packets by applying bagging classifying algorithms of machine learning. The network traffic is treated as a set of tuples of packet parameters, distributed over sample time. In contrast to the existing ones, the method does not require special data preparation; the errors in the classification of tuples of package values by individual classification algorithms are averaged by “collective” voting of the classifying algorithms. The given solution to the increase of the accuracy index makes it possible to use the classifying algorithms optimized for different types of events and anomalies, trained on various training samples in the form of tuples of network packet parameters. The difference between the algorithms is achieved by introducing an imbalance to the training sets. We describe an experiment conducted by using Naïve Bayes, Hoeffding Tree, J48, Random Forest, Random Tree and REP Tree classification algorithms of machine learning. The evaluation was performed on the open NSL-KDD dataset while searching for parasitic traffic. The paper presents the results of evaluation for each classifier individually and with bagging classifying algorithms. The method can be used in information security monitoring systems to analyze network traffic. The peculiarity of the proposed solution is the possibility of scaling and combining it by adding new classifying algorithms of machine learning. In the future, in the course of operation, it is possible to make changes in the composition of the classifying algorithms, which will improve the accuracy of the identification of potential destructive impact.