Data stream mining for predicting the recommended action for network traffic in a firewall


Publisher

Universidade Federal de São Carlos

Abstract

The advancement of the Internet has resulted in an increase in the continuous generation of data, raising the risks of damage caused by cyber threats. Firewalls play a crucial role in network security by providing protection against these threats. They operate by organizing log records based on specific rules, considering criteria such as the purpose of connections and the policies established by the organization. Updating these rules is challenging, and inadequate choices can lead to security vulnerabilities. Related work on predicting recommended actions for network traffic still employs traditional machine learning methods, where the dataset is static and can be repeatedly traversed, while detecting new patterns requires a new cycle of training, testing, and implementing new models. However, network traffic is continuously captured by a firewall, and its behavior can change both abruptly and gradually. This is common in network environments, where it is necessary to adapt to frequent changes in security policies, network modifications, or new threats. This work proposes the application of the MINAS and Adapted CluStream algorithms to predict recommended actions in network traffic. The logs consist of sessions of network traffic captured by a firewall from an educational institution. Adaptation is necessary for these algorithms to classify the recommended actions (Allow, Deny, Drop, and ResetBoth) in a data stream scenario. CluStream is an incremental algorithm, while MINAS, besides being incremental, specializes in novelty detection. Both algorithms were selected for their specificities and capabilities in learning and evolving the model as new data arrives from the data stream. Experiments conducted demonstrate that both algorithms showed distinct results in the data stream, with satisfactory performance across different metrics throughout the experiments.

Citation

DIAS, Herbert Gonçalves. Mineração de fluxo contínuo de dados para previsão da ação recomendada para o tráfego de rede em firewall. 2025. Dissertation (Master's in Computer Science) – Universidade Federal de São Carlos, São Carlos, 2025. Available at: https://repositorio.ufscar.br/handle/20.500.14289/22796.

Creative Commons License

Except where otherwise noted, this item's license is described as Attribution-NonCommercial-NoDerivs 3.0 Brazil