DETECTION OF CYBER INTRUSIONS BASED ON NETWORK TRAFFIC AND USER BEHAVIOR USING THE UNSW-NB15 DATASET

Abstract

The article focuses on the study of user behavior and the construction of behavioral models, which improves the accuracy of anomaly detection and allows non-standard network activity to be identified quickly. The purpose of this study is to compare the effectiveness of two machine learning models, the multilayer perceptron (MLP) and the Random Forest algorithm, for detecting cyber intrusions based on the analysis of network traffic and user behavior. Behavioral models make it possible to detect deviations from normal user activity and network interactions, which significantly increases the completeness of cyber intrusion detection. The study used the UNSW-NB15 dataset, which includes current attack types and characteristics of both network traffic and user activity. Before the models were implemented, preliminary data processing, feature selection, normalization and encoding of categorical features were carried out. The models were evaluated using metrics such as accuracy, recall, AUC-ROC, precision, F1-score, and others. The results showed that the Random Forest algorithm provides high classification accuracy (95%), while the multilayer perceptron (MLP) achieved outstanding results in AUC (0.9830) and precision (0.9869). The paper presents an analysis and characterization of methods for analyzing user behavior and classifying network traffic, a comparison of datasets for intrusion detection systems (IDS), and practical recommendations for choosing models depending on operating conditions. The results of the study can be useful in the development of adaptive protection systems that combine high accuracy and speed.
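As an added illustration (not code from the paper or its authors), the following Python shows the preprocessing and evaluation steps the abstract names: one-hot encoding of categorical flow fields, min-max normalization of numeric ones, and accuracy, precision, recall, F1 and AUC-ROC computed from labels and model scores. The column names (proto, service, state, sbytes, dbytes, label) mirror UNSW-NB15 fields, but the rows, predictions and scores are constructed, and no Random Forest or MLP is trained here; the scoring functions take whatever predictions such a model would produce. The point worth seeing in code is that accuracy and precision are different quantities, and that AUC-ROC is computed without picking a threshold at all.

```python
"""Added example, not from the paper: preprocessing and evaluation steps for a
flow-based intrusion detector, in dependency-free Python.  Column names follow
UNSW-NB15 (proto, service, state, sbytes, dbytes, label) but every row below
is constructed for illustration; no Random Forest or MLP is trained here."""

# Constructed flow records (assumption: shaped like UNSW-NB15 rows; label 1 = attack).
SAMPLE_FLOWS = [
    {"proto": "tcp", "service": "http", "state": "FIN", "sbytes": 1200, "dbytes": 5400, "label": 0},
    {"proto": "udp", "service": "dns",  "state": "CON", "sbytes": 80,   "dbytes": 200,  "label": 0},
    {"proto": "tcp", "service": "-",    "state": "INT", "sbytes": 60,   "dbytes": 0,    "label": 1},
    {"proto": "tcp", "service": "ftp",  "state": "FIN", "sbytes": 3000, "dbytes": 120,  "label": 1},
]
CATEGORICAL = ("proto", "service", "state")
NUMERIC = ("sbytes", "dbytes")


def fit_encoder(rows):
    """Learn one-hot vocabularies and min/max ranges from the training rows only,
    so nothing from the test split leaks into the feature scaling."""
    vocab = {c: sorted({r[c] for r in rows}) for c in CATEGORICAL}
    scale = {c: (min(r[c] for r in rows), max(r[c] for r in rows)) for c in NUMERIC}
    return vocab, scale


def encode(row, vocab, scale):
    """Map one flow to a feature vector: one-hot blocks, then min-max scaled numerics.
    A categorical value unseen at fit time yields an all-zero block instead of an error,
    which is what live traffic will eventually do to any fixed vocabulary."""
    vec = []
    for col, values in vocab.items():
        vec.extend(1.0 if row[col] == v else 0.0 for v in values)
    for col, (lo, hi) in scale.items():
        vec.append(0.0 if hi == lo else (row[col] - lo) / (hi - lo))
    return vec


def classification_metrics(y_true, y_pred):
    """Accuracy, precision, recall and F1 for the attack class (label 1).
    Accuracy counts every correct decision, benign included; precision counts only
    how many raised alerts were real attacks, so the two are different numbers."""
    tp = sum(1 for t, p in zip(y_true, y_pred) if t == 1 and p == 1)
    tn = sum(1 for t, p in zip(y_true, y_pred) if t == 0 and p == 0)
    fp = sum(1 for t, p in zip(y_true, y_pred) if t == 0 and p == 1)
    fn = sum(1 for t, p in zip(y_true, y_pred) if t == 1 and p == 0)
    accuracy = (tp + tn) / len(y_true)
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    f1 = 2 * precision * recall / (precision + recall) if precision + recall else 0.0
    return {"accuracy": accuracy, "precision": precision, "recall": recall, "f1": f1}


def auc_roc(y_true, scores):
    """Threshold-free AUC-ROC via the rank (Mann-Whitney) statistic, ties averaged:
    the probability that a random attack flow scores above a random benign flow."""
    order = sorted(range(len(scores)), key=lambda i: scores[i])
    ranks = [0.0] * len(scores)
    i = 0
    while i < len(order):                      # assign the average rank to tied blocks
        j = i
        while j + 1 < len(order) and scores[order[j + 1]] == scores[order[i]]:
            j += 1
        for k in range(i, j + 1):
            ranks[order[k]] = (i + j) / 2 + 1  # 1-based average rank
        i = j + 1
    n_pos = sum(1 for t in y_true if t == 1)
    n_neg = len(y_true) - n_pos
    if n_pos == 0 or n_neg == 0:
        raise ValueError("AUC needs both attack and benign samples")
    rank_sum_pos = sum(r for r, t in zip(ranks, y_true) if t == 1)
    return (rank_sum_pos - n_pos * (n_pos + 1) / 2) / (n_pos * n_neg)


if __name__ == "__main__":
    vocab, scale = fit_encoder(SAMPLE_FLOWS)
    print("feature vector of first flow:", encode(SAMPLE_FLOWS[0], vocab, scale))
    # Constructed labels, hard predictions and scores standing in for a model's output.
    y_true = [1, 1, 1, 1, 0, 0, 0, 0, 1, 0]
    y_pred = [1, 1, 1, 0, 0, 0, 1, 1, 1, 0]
    scores = [0.9, 0.8, 0.7, 0.3, 0.2, 0.1, 0.6, 0.5, 0.7, 0.4]
    print(classification_metrics(y_true, y_pred))
    print("AUC-ROC:", auc_roc(y_true, scores))
```

With the constructed predictions above, accuracy comes out at 0.70 while precision is 0.67 and recall 0.80, which is why a paper has to say which "accuracy" it reports; the AUC of 0.88 is computed from the scores alone, before any alert threshold is chosen, so it describes the model's ranking of attack over benign flows rather than one operating point.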




Published:

2025-11-10


Section:

SECTION IV. MACHINE LEARNING AND NEURAL NETWORKS

Keywords:

Cyber intrusion detection, machine learning, UNSW-NB15, multilayer perceptron (MLP), random forest, network traffic classification, AUC-ROC

For citation:

V. A. Chastikova, K. V. Kozachek, E. S. Korobskaya, V. P. Kravtsov. DETECTION OF CYBER INTRUSIONS BASED ON NETWORK TRAFFIC AND USER BEHAVIOR USING THE UNSW-NB15 DATASET. IZVESTIYA SFedU. ENGINEERING SCIENCES, 2025, No. 5, pp. 229-243.