Network traffic anomaly detection using shallow packet inspection and parallel k-means data clustering

Abstract

IT infrastructures around the world are targeted by malicious entities that want to steal data or compromise services. Protection measures for complex computer networks are expensive to deploy and maintain, and often do not offer protection against zero-day exploits. In-depth analysis of incoming and outgoing traffic can be problematic from legal and technical perspectives. The current work explores the possibility of implementing reliable security measures using machine learning algorithms to perform traffic classification. The new framework is mapped on existing parallel hardware and aims to provide a versatile solution for the detection of anomalous behaviour in network traffic through k-means clustering and without performing deep packet inspection. Trace analysis metadata is obtained by exploiting the features available in the pcapng file format. K-means clustering is implemented using multiple parallel APIs and a comparative analysis is presented together with performance considerations.