Mapas auto-organizáveis crescentes para classificação de logs de firewall em fluxos contínuos de dados

Abstract

The exponential increase in data volume and the dynamic nature of computer networks have imposed significant challenges on information security. In this context, classification in Continuous Data Streams (CDS) becomes essential, especially for Network Security Systems (NSS). These applications require techniques that handle memory constraints, processing time, and non-stationary data. This work proposes an adaptation of the Growing Self-Organizing Map (GSOM) for classifying firewall logs in CDS. The GSOM architecture was considered suitable, as it adjusts neuron weights to follow the gradual evolution of patterns and expands its structure to represent new behaviors as they emerge. For evaluation, real data from an operational firewall was used, classified into the actions “Allow”, “Deny”, “Reset-Both”, or “Drop”. The experiments followed an approach with offline (initial training) and online phases, where three update strategies were proposed: (1) nearest winner neuron location, keeping the map fixed; (2) dynamic map expansion, adding new neurons to represent emerging patterns; and (3) refinement of existing neuron weights, adjusting the map without altering its structure. The performance of the GSOM was evaluated in four temporal scenarios, including a combined scenario, and compared with established methods such as Incremental SVM and Adaptive Random Forest (ARF). The comparison established an upper bound of performance for the ideal scenario of zerolabel latency. Although ARF demonstrated overall superiority, its high computational cost and dependence on immediate labeling limit its practical application. It is concluded that GSOM is a viable solution for real-world classification in CDS with infinite label latency, where complete supervision is operationally unfeasible.