Report I

This document is a project report submitted to Ramaiah Institute of Technology for a Master's degree in Software Engineering. The project aims to enhance network security through real-time traffic analysis using machine and deep learning models for intrusion detection, anomaly detection, and application classification. It captures real-time network traffic data using Wireshark and also uses benchmark datasets like CICIDS2017 for evaluation. The project utilizes techniques like Principal Component Analysis, Random Forest, and XGBoost for dimensionality reduction and machine learning. It also introduces a deep learning framework to improve anomaly detection based on user activity patterns over time. Comparisons are made across days to identify anomalies and optimize detection. The combination of machine and deep learning with real-time data

Uploaded by miniproj23

Real-Time Traffic Analysis: Enhancing Network Security with Machine and Deep Learning for Intrusion, Anomaly Detection and Application Classification

A report submitted to

RAMAIAH INSTITUTE OF TECHNOLOGY

Bengaluru

MSWE42 – Project Work

as partial fulfillment of the requirement for the award of degree of

Master of Technology (MTech) in Software Engineering

By

Pallavi L V 1MS21SSE05

Under the Guidance of


Dr. Vijaya Kumar B P
Professor

DEPARTMENT OF INFORMATION SCIENCE AND ENGINEERING


RAMAIAH INSTITUTE OF TECHNOLOGY
(Autonomous Institute, Affiliated to VTU)
BANGALORE - 54

JULY 2023
Department of Information Science and Engineering
Ramaiah Institute of Technology
Bengaluru - 54

CERTIFICATE

This is to certify that the dissertation work entitled "Real-Time Traffic Analysis: Enhancing Network Security with Machine and Deep Learning for Intrusion, Anomaly Detection and Application Classification" is carried out by Pallavi L V (USN - 1MS21SSE05), a bonafide student of Ramaiah Institute of Technology, Bangalore, in partial fulfillment for the award of Master of Technology in Software Engineering of the Visvesvaraya Technological University, Belgaum during the year 2021 - 2023. It is certified that all corrections / suggestions indicated for Internal Assessment have been incorporated in the thesis deposited in the department library. The thesis has been approved as it satisfies the academic requirements in respect to dissertation work prescribed for the said degree.

Name and Signature of the Guide Signature of the HOD Signature of the HOD

External Viva

Name of the examiners Signature with date

1.
2.

DECLARATION

I, Pallavi L V (USN - 1MS21SSE05), a student of Master of Technology in SOFTWARE ENGINEERING, Department of Information Science and Engineering, Ramaiah Institute of Technology, Bangalore, hereby declare that the project entitled "Real-Time Traffic Analysis: Enhancing Network Security with Machine and Deep Learning for Intrusion, Anomaly Detection and Application Classification" has been carried out independently at the Institute under the guidance of Dr. Vijaya Kumar B P.
I hereby declare that the entire work embodied in this thesis is my own, except where acknowledged in the text, and has not been previously submitted for the award of the degree of Visvesvaraya Technological University, Belagavi or any other institute or university.

Pallavi L V 1MS21SSE05

Place: Bangalore
Date:

ABSTRACT

Ensuring network security is highly necessary in today's technological landscape, especially with the proliferation of Internet of Things (IoT) devices and mobile computing, along with an enormous number of applications and interactions occurring across various sectors. The increasing connectivity brings the possibility of potential attacks or misbehaviour, emphasizing the need to bolster network security.

In order to tackle the above problem, the proposed framework and design techniques include machine and deep learning for intrusion and anomaly detection with application-level classification and prediction. Here, the framework supports collecting real-time traffic patterns from any organization's data center to predict and classify different applications, intrusions and attacks based on traffic patterns. Moreover, anomalies are detected by analysing user activity with spatio-temporal variations using deep neuro-computing modules. To evaluate the performance of the system and ensure stability and reliability, the work considers both real-time and non-real-time packets. The non-real-time packet dataset includes the Canadian Institute for Cybersecurity Intrusion Detection Evaluation Dataset (CICIDS-2017), comprising 2.55 million data samples. Real-time network traffic data is captured from our data-center server using Wireshark, enabling the collection of real-time traffic patterns from network packets. Additionally, the project utilizes Random Forest and XGBoost as classifiers, with PCA for dimensionality reduction to enhance the efficiency of the machine learning models. Furthermore, a deep learning framework is introduced to enhance the performance of anomaly detection based on user activity within specific time intervals. Comparisons are made across different days to identify traffic patterns that indicate anomalies and optimize detection techniques.

Overall, this project significantly contributes to effective real-time network traffic analysis, thereby increasing network security against potential threats. The combination of machine learning and deep learning approaches, along with real-time data capture, enhances the accuracy and responsiveness of the network security system.

ACKNOWLEDGMENT

The satisfaction that accompanies the successful completion of any task would be incomplete without the mention of the people who have constantly guided and supported me in completing my task with success. I am grateful to my institution, Ramaiah Institute of Technology, with its ideals and inspirations, for having provided the facilities which have made this project a success.

First of all, special thanks to my guide Dr. Vijaya Kumar B P, Professor, Dept. of ISE, who guided me well throughout the project and focused on its betterment; his supervision, support and vital contribution from an early stage of this research provided me extraordinary experiences throughout the work.

I express my sincere gratitude to Dr. Sanjay H A, Professor and Head of Dept. of ISE, for his valuable encouragement and suggestions throughout the work. I would like to extend my hearty gratitude to Dr. N V R Naidu, Principal, for his kind support and permission to use the facilities available in the institute.

I am highly grateful to the faculty, library and laboratory staff of the ISE department for their extended long-term support and coordination. This project would never have been completed without the unending encouragement and devotion of my family and friends.

Contents

Abstract iii

List of Figures vi

List of Tables vii

1 Introduction 1
1.1 Motivation and Scope . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
1.2 Issues and Challenges . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
1.3 Problem Statement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.4 Organization of the Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

2 Literature Review 4
2.1 Review Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

3 Existing System and Models 7


3.1 Existing models . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
3.1.1 Principal Component Analysis (PCA) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
3.1.2 Random Forest . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
3.1.3 XGBoost . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
3.2 Neural Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
3.2.1 CNN architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
3.2.2 LSTM architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
3.3 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

4 Proposed design and framework 11


4.1 Design Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
4.2 Proposed Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
4.2.1 Flow Chart . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
4.2.2 Architectural Design . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
4.2.3 Pseudocode of the Proposed system . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
4.3 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

5 Implementation 17
5.1 Feature Importance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
5.2 Dimensionality Reduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
5.3 Models . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
5.3.1 CNN Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
5.3.2 LSTM Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

6 Results and Discussion 26


6.1 Intrusion detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
6.2 Application classification and Anomaly detection . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
6.2.1 Anomaly detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

7 Conclusion and Future Scope 33
7.1 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
7.2 Future Scope . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33

List of Figures

3.1 Represents CNN architecture. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9


3.2 Represents LSTM architecture. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

4.1 Capturing the network traffic data using wireshark. . . . . . . . . . . . . . . . . . . . . . . . . . . 12


4.2 Represents the flow of intrusion detection model. . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
4.3 Represents the flow of application classification and anomaly detection model. . . . . . . . . . . . 14
4.4 Represents the architecture diagram of complete model. . . . . . . . . . . . . . . . . . . . . . . . 14

5.1 Extracted features from real-time network traffic data. . . . . . . . . . . . . . . . . . . . . . . . . 17


5.2 Feature importance and its corresponding score. . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
5.3 Convolutional Neural network model. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
5.4 Long-short term memory model. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

6.1 Dataset attack types. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26


6.2 Shows the class distribution of attacks after the prediction using the Network traffic dataset. . . 27
6.3 Predicted attack labels of real-time data. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
6.4 Application names of Network traffic dataset. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
6.5 Other application names of Network traffic dataset. . . . . . . . . . . . . . . . . . . . . . . . . . . 29
6.6 Shows the class distribution of applications after the prediction . . . . . . . . . . . . . . . . . . . 29
6.7 Predicted application labels of real-time data. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
6.8 Google application w.r.t Time and Number of Users plot of day1 and day2 of same duration. . . 31
6.9 HTTP application w.r.t Time and Number of Users plot of day1 and day2 of same duration. . . 31
6.10 SSL application w.r.t Time and Number of Users plot of day1 and day2 of same duration. . . . . 32

List of Tables

6.1 Evaluation Results of Intrusion detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27


6.2 Evaluation Results of Application Classification . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
6.3 Shows the drastic changes in the increase/decrease in the number of users of particular application 32

Chapter 1

Introduction

Network security is a pressing concern in today’s interconnected world, with evolving cyber threats posing
significant risks to organizations and individuals. Real-time traffic analysis plays a vital role in enhancing
network security by promptly detecting and mitigating intrusions and anomalies. Recent advancements in
machine learning and deep learning techniques have revolutionized the field of network security, offering advanced
capabilities for accurate and efficient detection.

In addition, real-time network traffic data is captured from the college server using the widely used packet analysis tool Wireshark. This real-world data serves as a valuable resource for validating and testing the trained models in a real-time environment. The developed framework aims to predict and classify various intrusion types, such as DDoS attacks, brute force attempts, and DDoS Hulk attacks. Additionally, it performs real-time application classification, detecting anomalies based on the number of users utilizing specific applications within designated time intervals throughout the day. Anomaly detection is a crucial aspect of the project. By comparing the current day's per-application user counts with those from the same time interval on the previous day, the system can identify abnormal activities and generate alerts for further investigation. This approach enhances anomaly detection by considering the temporal aspects of network traffic behavior.
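The day-over-day comparison described above, as an added example written for this page (it is not code from the report, whose own implementation is not reproduced here): flow records are bucketed per application and time interval of the day, distinct source addresses in a bucket are counted as users, and a bucket is flagged when the current day's count rises or falls by at least a factor of two against the previous day, or disappears entirely. The flow records, the one-hour interval, the factor-of-two threshold and the `min_users` floor are constructed assumptions; real input would be the per-flow rows exported from a Wireshark capture.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample flow records: (timestamp, source address, application label).
# Addresses, times and labels are made up for this example.
DAY1_FLOWS = [
    ("2023-06-12T09:05:00", "10.0.0.1", "Google"),
    ("2023-06-12T09:12:00", "10.0.0.2", "Google"),
    ("2023-06-12T09:40:00", "10.0.0.3", "Google"),
    ("2023-06-12T09:41:00", "10.0.0.3", "Google"),   # same user again: counted once
    ("2023-06-12T09:10:00", "10.0.0.4", "HTTP"),
    ("2023-06-12T09:20:00", "10.0.0.5", "HTTP"),
    ("2023-06-12T09:30:00", "10.0.0.6", "HTTP"),
    ("2023-06-12T09:50:00", "10.0.0.7", "HTTP"),
    ("2023-06-12T10:05:00", "10.0.0.1", "SSL"),
    ("2023-06-12T10:15:00", "10.0.0.2", "SSL"),
    ("2023-06-12T10:25:00", "10.0.0.3", "SSL"),
    ("2023-06-12T10:35:00", "10.0.0.4", "SSL"),
    ("2023-06-12T10:45:00", "10.0.0.5", "SSL"),
]
# Day 2: eight distinct Google users in the 09:00 slot, three HTTP users, no SSL flows at 10:00.
DAY2_FLOWS = [
    ("2023-06-13T09:%02d:00" % (2 * i), "10.0.0.%d" % i, "Google") for i in range(1, 9)
] + [
    ("2023-06-13T09:15:00", "10.0.0.4", "HTTP"),
    ("2023-06-13T09:25:00", "10.0.0.5", "HTTP"),
    ("2023-06-13T09:35:00", "10.0.0.6", "HTTP"),
]


def users_per_interval(flows, interval_minutes=60):
    """Map (application, interval index within the day) -> number of distinct source addresses."""
    buckets = defaultdict(set)
    for ts, src, app in flows:
        t = datetime.fromisoformat(ts)
        slot = (t.hour * 60 + t.minute) // interval_minutes
        buckets[(app, slot)].add(src)
    return {key: len(users) for key, users in buckets.items()}


def compare_days(prev_counts, curr_counts, threshold=2.0, min_users=2):
    """Return one alert per bucket whose user count rose or fell by at least `threshold`x
    against the previous day, or that vanished/appeared outright. Buckets where both days
    stay below `min_users` are ignored so that a single stray flow does not raise an alert."""
    alerts = []
    for key in sorted(set(prev_counts) | set(curr_counts)):
        prev = prev_counts.get(key, 0)
        curr = curr_counts.get(key, 0)
        if max(prev, curr) < min_users:
            continue
        vanished_or_appeared = prev == 0 or curr == 0   # guards the divisions below
        if vanished_or_appeared or curr / prev >= threshold or prev / curr >= threshold:
            alerts.append({
                "application": key[0],
                "slot": key[1],
                "prev_users": prev,
                "curr_users": curr,
                "direction": "increase" if curr > prev else "decrease",
            })
    return alerts


def detect_anomalies(prev_flows, curr_flows, interval_minutes=60, threshold=2.0):
    """Bucket both days with the same interval size and compare them."""
    return compare_days(users_per_interval(prev_flows, interval_minutes),
                        users_per_interval(curr_flows, interval_minutes),
                        threshold)


if __name__ == "__main__":
    for a in detect_anomalies(DAY1_FLOWS, DAY2_FLOWS):
        print("ALERT %(application)s slot %(slot)d: %(prev_users)d -> %(curr_users)d users (%(direction)s)" % a)
```

On the constructed data this raises two alerts: the Google bucket at 09:00 (3 users on day 1, 8 on day 2) and the SSL bucket at 10:00 (5 users on day 1, none on day 2); the HTTP bucket moves from 4 to 3 users and stays quiet. Counting distinct addresses rather than flows is what keeps one chatty host from looking like a crowd.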

The primary objective of this project is to develop an effective system for real-time network traffic analysis,
facilitating accurate detection of network intrusions, anomalies, and application classification. The insights
and findings from this research contribute to ongoing efforts in enhancing network security and countering
potential threats. By harnessing the power of machine learning and deep learning techniques, this project aims
to provide a robust and proactive approach to network security, enabling organizations and individuals to stay
ahead of malicious activities in the ever-evolving digital landscape. This project aims to leverage a machine and
deep learning framework to enhance network security through real-time traffic analysis. The study utilizes the
CICIDS 2017 dataset, a comprehensive collection of network traffic data consisting of approximately 2.5 million
rows. This dataset serves as the foundation for training various machine learning and deep learning models,
enabling effective detection and classification of network intrusions, anomalies, and applications. The project
starts by utilizing the random forest algorithm to determine feature importances, identifying the most significant
factors in the network traffic data. Principal Component Analysis (PCA) is applied for dimensionality reduction,
improving model training and processing efficiency. Multiple models, including random forest, XGBoost, deep
learning convolutional neural networks (CNN), and long short-term memory (LSTM) architectures, are trained
using the reduced dataset.
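The dimensionality-reduction step of the pipeline just described (standardize the feature matrix, keep the fewest principal components that explain a chosen share of the variance, project the data onto them), as an added example written for this page rather than code from the report. It assumes NumPy, a constructed 8x6 feature matrix in which four flow statistics are linear combinations of two underlying quantities, and a 95% variance threshold; the random-forest importance step that precedes PCA in the report is not shown, and the column meanings are made up.

```python
import numpy as np

# Constructed feature matrix: 8 flows x 6 flow statistics. Columns 3-6 are built as
# linear combinations of columns 1-2, so the data really has rank 2 and PCA should
# keep exactly two components at a 95% variance threshold.
_a = np.array([1, 2, 3, 4, 5, 6, 7, 8], dtype=float)
_b = np.array([1, -1, -1, 1, 1, -1, -1, 1], dtype=float)   # uncorrelated with _a after centring
SAMPLE_FEATURES = np.column_stack([_a, _b, 2 * _a + _b, _a - _b, 3 * _b, _a + 2 * _b])


def standardize(X, mu=None, sigma=None):
    """Zero-mean, unit-variance columns. Statistics are learned on the training matrix
    and reused for later data so that real-time rows are scaled the same way."""
    if mu is None:
        mu = X.mean(axis=0)
        sigma = X.std(axis=0)
        sigma = np.where(sigma == 0, 1.0, sigma)   # constant columns: avoid division by zero
    return (X - mu) / sigma, mu, sigma


def fit_pca(X, variance_threshold=0.95):
    """Principal axes via SVD of the standardized matrix; k is the smallest number of
    components whose cumulative explained variance reaches the threshold."""
    Z, mu, sigma = standardize(X)
    _, S, Vt = np.linalg.svd(Z, full_matrices=False)
    explained = S ** 2 / np.sum(S ** 2)            # per-component share of total variance
    cumulative = np.cumsum(explained)
    k = int(np.searchsorted(cumulative, variance_threshold)) + 1
    k = min(k, len(explained))                     # threshold of 1.0 must not overshoot
    return {"components": Vt[:k], "explained_ratio": explained, "k": k, "mu": mu, "sigma": sigma}


def transform(pca, X):
    """Project rows onto the retained components (the reduced feature set for the models)."""
    Z, _, _ = standardize(X, pca["mu"], pca["sigma"])
    return Z @ pca["components"].T


def reconstruction_error(pca, X):
    """RMS error of rebuilding the standardized data from its projection; a check that
    the retained components really capture the data."""
    Z, _, _ = standardize(X, pca["mu"], pca["sigma"])
    Z_hat = transform(pca, X) @ pca["components"]
    return float(np.sqrt(np.mean((Z - Z_hat) ** 2)))


if __name__ == "__main__":
    pca = fit_pca(SAMPLE_FEATURES)
    print("components kept:", pca["k"])
    print("explained variance ratio:", np.round(pca["explained_ratio"], 4))
    print("reduced shape:", transform(pca, SAMPLE_FEATURES).shape)
    print("reconstruction error:", reconstruction_error(pca, SAMPLE_FEATURES))
```

The first component alone explains roughly 58% of the variance here, so the 95% threshold forces two components, after which the reconstruction error is numerically zero. Keeping `mu` and `sigma` from the training set and reusing them in `transform` is what makes the reduced features comparable between the benchmark data the models are trained on and the live rows they are later applied to.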

1.1 Motivation and Scope
In today’s interconnected world, the rise in complex and sophisticated cyber threats has made network security
a top priority. Conventional network security methods often struggle to keep up with emerging threats and may
fail to detect and mitigate them in real-time. This creates a critical need to explore more advanced approaches,
such as machine learning and deep learning, to bolster network security through real-time traffic analysis. By
harnessing the power of these techniques and leveraging extensive network traffic data, it becomes possible
to achieve higher levels of accuracy in detecting and classifying intrusions, anomalies, and applications. This
motivation stems from the urgency to enhance overall network security and effectively combat evolving cyber
threats.
The scope of this project is comprehensive, covering various aspects of network security and real-time traffic analysis. A further focal point is the utilization of the non-real-time dataset, which serves as a valuable resource for training and evaluating machine learning and deep learning models. A significant aspect of the project
is the comparison of anomaly patterns of specific applications between the current day and the previous day,
which enhances the system’s ability to identify abnormal network behavior. When anomalies are detected, the
system raises alerts for further investigation. The ultimate goal of this project is to develop an effective system
for real-time network traffic analysis, significantly strengthening network security measures. The findings and
insights gained from this research contribute to the field of network security, providing valuable knowledge to
mitigate emerging threats. By leveraging the power of machine learning and deep learning techniques, the
project aims to provide organizations and individuals with a proactive approach to network security, enabling
timely detection and response to intrusions and anomalies.

1.2 Issues and Challenges


This section discusses the obstacles and difficulties encountered during the implementation and execution of the proposed design and framework.
• Network traffic is diverse and complex, consisting of various protocols, data formats, and traffic patterns. Capturing and interpreting this heterogeneous data accurately poses a challenge.
• The sheer volume of network traffic data generated in real time can be overwhelming. Capturing and processing this high-speed data stream requires robust infrastructure and efficient data handling mechanisms to manage the large influx of information effectively.
• Domain knowledge is crucial for real-time network traffic analysis, enabling accurate data interpretation, feature identification, and informed decision-making for effective network security. It enhances analysis accuracy and reliability, enabling proactive threat detection and response.
• Additionally, the issue of imbalanced data arises when certain types of intrusions or anomalies occur less frequently, resulting in skewed class distributions. Addressing this challenge involves techniques such as data balancing or employing specialized methods to handle class imbalance, ensuring accurate detection of rare events.
• Robust algorithms and techniques are required to handle different types of traffic and extract relevant information for analysis.
• Capturing real-time network data necessitates the implementation of precise time synchronization mechanisms across diverse devices and systems. It is vital to ensure consistent and accurate timestamps to avoid any discrepancies that might compromise the integrity of data analysis and the correlation of events. Synchronization ensures that captured data is accurately timestamped, facilitating accurate event correlation and enabling more effective network monitoring and security analysis.

1.3 Problem Statement
Existing network security measures often struggle to detect and mitigate evolving cyber threats in a timely
manner, leaving organizations and individuals vulnerable to potential risks. Leveraging machine learning and
deep learning techniques for real-time traffic analysis presents an opportunity to enhance network security with
advanced detection capabilities. However, there is a need for a system that applies these techniques effectively to detect and classify network intrusions, anomalies, and applications in real time.

Additionally, capturing and analyzing real-time network traffic data poses challenges such as accurate time
synchronization and the utilization of domain knowledge for accurate interpretation and contextualization of
analysis results. Therefore, this project aims to develop a machine and deep learning framework that enables
real-time traffic analysis, addressing the challenges associated with capturing real-time data and leveraging
domain knowledge for precise threat detection and interpretation.

1.4 Organization of the Report


The organization of this report is as follows:
• Chapter 1 gives a brief introduction to this project and the problem statement that defines the proposed model. It also describes the motivation behind the proposed model and the issues and challenges faced while building it.
• Chapter 2 contains the literature survey of projects and research works carried out. It also gives a brief description of the outcome of the literature survey.
• Chapter 3 gives a detailed overview of existing systems and models and their generic workflow.
• Chapter 4 contains the proposed design and framework of the model, giving the design overview and related diagrams to understand more about the proposed model.
• Chapter 5 gives the implementation procedure for the proposed system and also how the model is evaluated.
• Chapter 6 describes the results and analysis obtained by the proposed system. It also gives information about the dataset used by the system and the performance analysis carried out.
• Chapter 7 includes the conclusions and future scope of the project.

Chapter 2

Literature Review

This section provides an overview of relevant research works in the areas of packet capturing, application
classification, anomaly detection, and machine learning-based anomaly classification and detection. These
studies contribute to enhancing network security by employing flow-based approaches and leveraging machine
learning algorithms to analyze network traffic, improve intrusion detection systems, and accurately detect
anomalies.

Hardegen et al. [9] proposed a flow-based traffic classification pipeline utilizing machine learning techniques
to predict real-world traffic flow characteristics in a campus network. However, the system’s performance and
scalability were not adequately evaluated, limiting the assessment of its effectiveness.

Another study [18] introduced an Anomaly Detection System (ADS) that employed a semi-supervised machine learning approach. The system trained network packets with tagged applications using K-Nearest Neighbor (KNN) algorithms and clustered the packets based on KNN's classifications using Kohonen's Self-Organizing Maps (KSOM). The proposed model achieved high accuracy in categorizing network activities and detecting anomalies using both initial network packets with application tags and live packets from a data center's server.

Rezaei et al. [10] presented a multi-project learning framework for classifying community data in cybersecurity, focusing on forecasting bandwidth requirements and traffic patterns of online applications. They introduced Deep Packet, a deep learning-based approach utilizing models such as Stacked Autoencoder (SAE) and Convolutional Neural Network (CNN) to accurately classify encrypted VPN traffic. However, the limited training data hindered Deep Packet's ability to recognize a wide range of online applications [7].

NetScrapper [6] developed a flow-based network traffic classifier for online applications using three machine
learning models: K-Nearest Neighbors (KNN), Random Forest (RF), and Artificial Neural Network (ANN).
It achieved a high overall classification accuracy, demonstrating its effectiveness in identifying popular online
services [16].
A unique approach based on payload size sequence signatures [15] was proposed for application-level traffic
classification, achieving accurate and rapid classification of specific applications with high completeness rates.

Furthermore, a deep learning-based anomaly detection system [13] utilizing GPU-enabled TensorFlow and
benchmark datasets showed promising results in classifying anomalies using unsupervised deep autoencoders.
Anomaly detection in IoT network environments faced challenges due to limited dataset usability [2].
SARIMA auto-regressive methods and recurrent encoder-decoder algorithms were utilized [11] to classify network packet time series and identify abnormalities. Various machine learning algorithms, including deep learning, were employed for anomaly categorization and detection in different scenarios, such as email and social media data, using benchmark datasets [12].

Self-Organizing Network (SON) functions [3] were developed to automate mobile network management,
including self-healing through anomaly or outlier detection. A statistics-based method using performance and failure Key Performance Indicators (KPIs) was proposed for anomaly detection in mobile networks, offering a computationally efficient alternative to machine learning-based algorithms [8].

Traffic classification plays a critical role in effective network management [14]. This research presents a novel approach for online and offline traffic classification using deep learning techniques within a software-defined network (SDN) testbed. The integrated deep learning model, consisting of a multilayer perceptron (MLP), convolutional neural network (CNN), and Stacked Auto-Encoder (SAE), demonstrates its effectiveness in traffic classification.

The system proposed by [1] leverages the behavioral patterns exhibited in network traffic to accurately
classify user activities. By considering all the traffic generated within specific time windows and extracting
relevant features from network and transport layer headers, the system achieves high classification accuracy
through a three-layer model utilizing K-Means clustering and a Random Forest algorithm [4].
Machine learning algorithms have revolutionized the ability of systems to observe and learn from real data
[8]. They play a vital role in analyzing abnormal instances within a network and are instrumental in network
anomaly detection and security.

Detecting abnormal behaviors in industrial systems is crucial for preventing severe damages and ensuring
security [16]. A novel deep generative model called Latent Enhanced regression/classification Deep Generative
Model (LEDGM) is introduced for multidimensional data anomaly detection. LEDGM adopts an end-to-end
learning approach, prioritizing better anomaly detection over reconstruction accuracy. Experimental results
demonstrate improved anomaly detection performance, even with sparse labels, and highlight the value of both
labeled anomalies and labeled normal data for semi-supervised learning.

The Internet of Things (IoT) [5] enables the connectivity of diverse devices through wireless and mobile
communication technologies. These devices collect data from target areas and transmit it to a central processing
center for analysis and aggregation, forming the foundation of IoT services. The accuracy and integrity of this
collected data are crucial for ensuring the quality of IoT services. However, due to environmental factors or
device malfunctions, anomalies can occur in the collected data. Therefore, the development of effective anomaly
detection methods is essential for maintaining service quality.
Deep learning has garnered significant attention in recent years as it enables automatic feature extraction from raw data. The article [5] proposes an integrated model that combines a convolutional neural network (CNN) with a recurrent autoencoder for anomaly detection. A simple combination of CNN and autoencoder may not effectively improve classification performance, particularly for time series data. To address this, the authors introduce a two-stage sliding window approach in the data preprocessing stage to learn better representations. Considering the characteristics of the Yahoo Webscope S5 dataset, they extend raw time series data containing anomalous points to fixed-length sequences with normal or anomaly labels using the first-stage sliding window. Subsequently, each sequence is transformed into continuous time-dependent subsequences using a smaller sliding window. The preprocessing step involving the two-stage sliding window can be seen as a means of low-level temporal feature extraction. Importantly, empirical evidence demonstrates that this preprocessing technique enhances high-level feature extraction within the integrated model [5].

Time series anomaly detection [17] plays a crucial role in numerous research fields and practical applications, such as manufacturing and healthcare. Anomalies in time series data can signify unexpected or novel events, including production faults, system defects, and abnormal heart palpitations, making their detection of great importance. Given the large size and intricate patterns present in time series data, researchers have developed specialized deep learning models to identify anomalous patterns. The survey aims to provide a comprehensive and organized overview of the current state of the art in deep learning approaches for time series anomaly detection.
The survey establishes a taxonomy based on different anomaly detection strategies and deep learning models. It not only describes the fundamental techniques employed for anomaly detection in each category but also examines their respective advantages and limitations. Moreover, the study presents real-world examples of deep anomaly detection in time series data across diverse application domains, highlighting the breadth of its applicability in recent years. Finally, the survey outlines the open research issues and challenges that arise when applying deep anomaly detection models to time series data [17].

2.1 Review Summary
In summary, the aforementioned research works make significant contributions to the field of network security
by utilizing flow-based approaches, machine learning algorithms, and deep learning techniques to effectively
analyze network traffic, enhance intrusion detection systems, and improve anomaly detection in diverse network
environments. Flow-based approaches, which involve capturing and analyzing network traffic flows, play a
crucial role in understanding network behavior. By employing machine learning algorithms, these studies aim
to accurately classify and categorize network activities based on flow characteristics. This classification enables
better identification of normal and abnormal network behavior, leading to improved intrusion detection systems.

Furthermore, the integration of deep learning techniques enhances the capabilities of anomaly detection
systems. Deep learning models, such as convolutional neural networks (CNNs) and stacked autoencoders (SAEs),
provide advanced pattern recognition and feature extraction capabilities. These models can effectively analyze
and identify complex patterns in network traffic data, enabling more accurate detection of anomalies that may
indicate security breaches or malicious activities. The research works also emphasize the importance of training
data in achieving accurate anomaly detection. Some studies address the challenge of limited or insufficient
training data by utilizing semi-supervised learning approaches. By combining labeled anomalies and labeled
normal data, these approaches improve the anomaly detection performance, even when labeled data is sparse.

The application of these techniques extends beyond traditional network environments. Researchers explore
anomaly detection in specific contexts such as IoT networks, industrial systems, and mobile networks.
These studies recognize the unique challenges and characteristics of these environments and propose tailored
approaches to effectively detect anomalies and ensure network security. Overall, these research works showcase
the significant potential of flow-based approaches and machine learning algorithms, particularly deep learning
techniques, in enhancing network security. By accurately analyzing network traffic, improving intrusion
detection systems, and detecting anomalies in various network environments, these advancements contribute to
strengthening the overall security posture and resilience of network systems.

Chapter 3

Existing System and Models

The current method involves analyzing the data using different machine learning models such as Random
Forest, Regression and deep learning without dimensionality reduction. However, this approach may suffer
from overfitting due to the high-dimensional nature of the data. This chapter gives an overview of the
existing models and the working of the existing systems.

3.1 Existing models


3.1.1 Principal Component Analysis (PCA)
PCA is a widely used dimensionality reduction technique in machine learning and data analysis. It aims to
identify the most significant features or patterns in high-dimensional data and represent them in a lower-
dimensional space.
The core idea of PCA is to transform the original variables into a new set of uncorrelated variables called
principal components. These components are obtained by finding linear combinations of the original variables
that capture the most variance in the data. The first principal component represents the direction of
maximum variance, followed by subsequent components in descending order of variance.
PCA offers several benefits, including data visualization, noise reduction, and feature selection. By reducing
the dimensionality of the data, it simplifies complex datasets and enables easier interpretation and analysis.
PCA finds applications in various domains such as image recognition, genetics, and finance.

3.1.2 Random Forest


An ensemble learning technique called Random Forest uses several decision trees to produce predictions. It is
a potent algorithm used for both regression and classification tasks.
In a Random Forest, each decision tree is built on a randomly selected subset of the training data and a
random subset of features. The algorithm aggregates the predictions of all the trees to make the final prediction.
This ensemble approach helps to reduce overfitting and improve the model’s generalization capability.
Random Forests are known for their robustness, flexibility, and ability to handle high-dimensional data.
They effectively capture complex relationships and interactions between features, making them suitable for
various applications such as image recognition, fraud detection, and recommendation systems.

3.1.3 XGBoost
XGBoost (Extreme Gradient Boosting) is an advanced gradient boosting algorithm that has gained popularity
in machine learning competitions and real-world applications. It is an ensemble learning method that combines
weak learners, typically decision trees, to create a powerful predictive model.
XGBoost optimizes an objective function by iteratively adding decision trees to the ensemble. Each tree is
built to correct the mistakes of the previous trees, with a greater emphasis on samples that were incorrectly
predicted. This gradient boosting approach leads to a highly accurate and robust model.
XGBoost excels in handling large-scale datasets, missing values, and delivering excellent predictive performance.
It incorporates regularization techniques to control overfitting and offers flexibility in defining custom
objective functions. XGBoost finds application in various domains, including web analytics, credit scoring, and
anomaly detection.
Both Random Forest and XGBoost are powerful machine learning algorithms, each with its own strengths
and characteristics. They have been proven effective in numerous applications and are widely embraced in the
data science community.

3.2 Neural Network


A neural network, also referred to as an artificial neural network or simply a neural net, is a computational
model inspired by the structure and function of the human brain. It comprises interconnected nodes, known as
artificial neurons, which collaborate to process and analyze intricate patterns and relationships within
data.
Neural networks find extensive application in machine learning and deep learning tasks such as classification,
regression, pattern recognition, and decision-making. Their strength lies in addressing problems involving non-
linear relationships and high-dimensional data. At the core of a neural network lies the artificial neuron or
perceptron. Each neuron receives inputs, applies weights to these inputs, and applies an activation function
to generate an output. The weights represent the strength of connections between neurons and are adjusted
during the learning process to optimize the network’s performance. A neural network has layers that are made
up of neurons. While the output layer generates final predictions or outputs, the input layer receives initial
data. If there are additional intermediate hidden layers, they help the network learn and extract more complex
representations of the input data. Backpropagation is a technique used in neural network training. The network
adjusts its weights based on the difference between the predicted and desired outputs during this phase. The
weights are updated iteratively to reduce mistakes and improve network efficiency.
Deep neural networks, also known as deep learning models, encompass multiple hidden layers. Deep learning
has garnered significant attention due to its ability to automatically learn hierarchical representations from
data, facilitating the capture of intricate patterns and features. It has excelled in a number of areas, including
speech recognition, natural language processing, and computer vision. Different neural network architectures
exist, including feedforward neural networks, convolutional neural networks (CNNs), recurrent neural networks
(RNNs), and generative adversarial networks (GANs). Each architecture is tailored to handle specific data
types and tasks.
Neural networks have emerged as powerful tools for solving complex problems, propelling advancements in
artificial intelligence. They continue to be an active area of research and development, with ongoing efforts to
enhance their efficiency, interpretability, and performance across diverse applications.

3.2.1 CNN architecture


The Convolutional Neural Network (CNN) architecture is a specialized deep learning model widely used for
image classification, object detection, and computer vision tasks. CNNs are designed to automatically learn
and extract relevant features from input.

CNN architecture comprises several key components that work together to process and analyze visual data:
1. Convolutional Layers: These layers apply learnable filters to input, convolving them across the image to
compute dot products between filter weights and input pixels. This process generates feature maps that
capture spatial information and local patterns.
2. Pooling Layers: After convolutional layers, pooling layers are employed to downsample feature maps by
summarizing local information. Popular pooling techniques include max pooling, where the maximum
value within a region is selected, and average pooling, which computes the average value. Pooling aids in
reducing spatial dimensions while preserving essential features.
3. Fully Connected Layers: Typically positioned at the end of a CNN architecture, fully connected layers
establish connections between every neuron in one layer and every neuron in the next layer. These layers
capture high-level representations and learn intricate relationships between features. Activation functions
like ReLU (Rectified Linear Unit) introduce non-linearity to the network.
4. Output Layer: The final layer in the CNN architecture produces the desired output. For image classification
tasks, it usually employs softmax activation to provide a probability distribution across different
classes.

Figure 3.1: Represents CNN architecture.

To prevent overfitting, CNN architectures often incorporate regularization techniques like dropout or batch
normalization. Several CNN architectures have been developed, including LeNet, AlexNet, VGGNet, GoogLeNet,
and ResNet, each with unique configurations and layer arrangements.
Overall, the CNN architecture’s design enables automatic learning of hierarchical representations in visual
data, making it highly effective for tasks involving image analysis, recognition, and understanding.

3.2.2 LSTM architecture


The LSTM (Long Short-Term Memory) architecture is a specialized type of recurrent neural network (RNN)
designed to process and analyze sequential data, such as time series or natural language data. LSTMs are widely
used in applications like speech recognition, language modeling, sentiment analysis, and machine translation.

Figure 3.2: Represents LSTM architecture.

At the core of the LSTM architecture are memory cells and gates that control the flow of information within
the network. Here is a breakdown of its key components:
1. Memory Cells: LSTM networks employ memory cells to store and update information over time. These
cells are specifically designed to address the vanishing gradient problem often encountered in conventional
RNNs. By mitigating this issue, LSTMs can effectively capture long-term dependencies in sequential data.

2. Forget Gate: The forget gate determines which information from the previous cell state should be discarded.
It takes the current input and the output from the previous time step as inputs, producing a
forget gate activation value between 0 and 1 for each element in the cell state. A value of 0 means the
information is forgotten, while a value of 1 means it is retained.
3. Input Gate: In LSTM networks, the input gate controls the flow of information into the current cell state.
It takes the current input and the output from the previous time step as inputs and produces an activation
value between 0 and 1 for each element in the cell state. This activation value determines the amount of
new information that should be added to the cell state.
4. Output Gate: The output gate controls the information that is output from the current cell state. It
takes the current input and the output from the previous time step as inputs, producing an output gate
activation value between 0 and 1 for each element in the cell state. This value determines how much of
the cell state should be output.
5. Cell State: The cell state acts as a memory unit within the LSTM architecture. It traverses through the
forget gate, input gate, and output gate to update and retain relevant information over time.

LSTM networks are capable of capturing both short-term and long-term dependencies in sequential data by
effectively managing the flow of information through memory cells and gates.

3.3 Summary
Convolutional Neural Network (CNN): CNNs are primarily used for image classification and computer vision
tasks. The implementation of CNNs involves preprocessing the image data, designing the architecture with
convolutional and pooling layers, compiling the model with appropriate loss and optimization functions, training
the network using backpropagation, and evaluating the performance on validation or test data. CNNs require a
sufficient amount of labeled image data for training and are computationally intensive.
Long Short-Term Memory (LSTM): LSTMs are commonly used for analyzing sequential data such as natural
language processing and time series prediction. The implementation of LSTMs involves preprocessing the
sequential data, designing the LSTM architecture with recurrent layers, compiling the model with suitable loss
and optimization functions, training the network using backpropagation through time, and evaluating the
performance on validation or test data. LSTMs are effective in capturing long-term dependencies in sequential
data and can handle inputs of variable length.
XGBoost: XGBoost is a gradient boosting algorithm widely utilized for structured/tabular data analysis and
prediction tasks. The implementation of XGBoost includes creating DMatrix objects for training and validation
data, setting algorithm parameters such as the objective, number of classes, and evaluation metrics, training the
model for a specific number of boosting rounds, and making predictions on validation or test data. XGBoost
offers excellent performance, handles missing values, and supports various objective functions and evaluation
metrics.
Principal Component Analysis (PCA): PCA is a dimensionality reduction technique employed to transform
high-dimensional data into a lower-dimensional space. The implementation of PCA involves standardizing the
input features, calculating the covariance matrix, computing the eigenvalues and eigenvectors, sorting the
eigenvalues, selecting the top-k eigenvectors, forming a projection matrix, and projecting the input features onto
the projection matrix. PCA is valuable for reducing data dimensionality, identifying important features, and
visualizing high-dimensional data.
In summary, CNNs and LSTMs are suitable for different data types (images vs. sequential), while XGBoost, PCA,
and Random Forest are commonly employed for structured/tabular data analysis. The choice of algorithm depends
on the data characteristics and the specific task requirements.
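The PCA steps listed above (standardize, covariance matrix, eigenvalues and eigenvectors, sort, top-k projection matrix, projection), carried out in plain Python on a constructed three-feature sample; this is an added example, not the report's code. The eigen-decomposition uses power iteration with deflation, a choice made here since the report names no method; it suffices for the small positive semi-definite covariance matrices involved, and the transform reuses the training means and standard deviations so that a test split lands in the same coordinate system.

```python
"""PCA step by step: standardize, covariance, eigen-decomposition, sort,
select top-k eigenvectors, build the projection matrix, project."""
import math
from typing import Dict, List, Tuple

Matrix = List[List[float]]
Vector = List[float]


def standardize(X: Matrix) -> Tuple[Matrix, Vector, Vector]:
    """Zero-mean, unit-variance columns (sample std with n-1). A constant
    column has std 0 and is only centred, never divided by zero."""
    n, d = len(X), len(X[0])
    means = [sum(row[j] for row in X) / n for j in range(d)]
    stds = [math.sqrt(sum((row[j] - means[j]) ** 2 for row in X) / (n - 1))
            for j in range(d)]
    stds = [s if s > 1e-12 else 1.0 for s in stds]
    Z = [[(row[j] - means[j]) / stds[j] for j in range(d)] for row in X]
    return Z, means, stds


def covariance(Z: Matrix) -> Matrix:
    """Sample covariance matrix; for standardized Z it is the correlation matrix."""
    n, d = len(Z), len(Z[0])
    return [[sum(Z[i][a] * Z[i][b] for i in range(n)) / (n - 1)
             for b in range(d)] for a in range(d)]


def _matvec(M: Matrix, v: Vector) -> Vector:
    return [sum(M[i][j] * v[j] for j in range(len(v))) for i in range(len(M))]


def eigenpairs(C: Matrix, iters: int = 1000) -> List[Tuple[float, Vector]]:
    """All (eigenvalue, unit eigenvector) pairs of a symmetric PSD matrix:
    power iteration finds the dominant eigenvector, its Rayleigh quotient
    gives the eigenvalue, deflation removes that component, repeat."""
    d = len(C)
    A = [row[:] for row in C]
    pairs = []
    for _ in range(d):
        v = [1.0 / (i + 1) for i in range(d)]  # generic, non-degenerate start
        for _ in range(iters):
            w = _matvec(A, v)
            norm = math.sqrt(sum(x * x for x in w))
            if norm < 1e-12:  # remaining spectrum is numerically zero
                break
            v = [x / norm for x in w]
        lam = sum(vi * wi for vi, wi in zip(v, _matvec(A, v)))
        pairs.append((lam, v))
        A = [[A[i][j] - lam * v[i] * v[j] for j in range(d)] for i in range(d)]
    return pairs


def pca_fit(X: Matrix, k: int) -> Dict:
    """Learn the top-k principal axes from X (the training split)."""
    Z, means, stds = standardize(X)
    pairs = sorted(eigenpairs(covariance(Z)), key=lambda p: p[0], reverse=True)
    eigvals = [lam for lam, _ in pairs]
    top = [vec for _, vec in pairs[:k]]
    # projection matrix W is d x k; column j is the j-th principal axis
    W = [[top[j][i] for j in range(k)] for i in range(len(X[0]))]
    total = sum(eigvals)
    return {"means": means, "stds": stds, "W": W, "eigvals": eigvals,
            "explained_ratio": [lam / total for lam in eigvals[:k]]}


def pca_transform(model: Dict, X: Matrix) -> Matrix:
    """Standardize with the training statistics, then project: Z @ W."""
    Z = [[(row[j] - model["means"][j]) / model["stds"][j]
          for j in range(len(row))] for row in X]
    W = model["W"]
    return [[sum(z[i] * W[i][j] for i in range(len(z)))
             for j in range(len(W[0]))] for z in Z]


# Constructed sample (not real traffic): feature 2 is roughly twice feature 1,
# feature 3 is unrelated, so one axis should carry the shared variance of 1 and 2.
SAMPLE: Matrix = [
    [1, 2.10, 1], [2, 3.90, -1], [3, 6.05, -1], [4, 7.95, 1],
    [5, 10.10, 1], [6, 11.90, -1], [7, 14.05, -1], [8, 15.95, 1],
]


def demo(k: int = 2) -> Tuple[Dict, Matrix]:
    model = pca_fit(SAMPLE, k)
    return model, pca_transform(model, SAMPLE)


if __name__ == "__main__":
    model, scores = demo(2)
    print("eigenvalues:", [round(e, 4) for e in model["eigvals"]])
    print("explained variance ratio:", [round(r, 3) for r in model["explained_ratio"]])
    print("first projected row:", [round(s, 3) for s in scores[0]])
```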

Chapter 4

Proposed design and framework

To begin with the proposed design and framework, several techniques relating to machine learning and deep
learning are modeled. The descriptions of the proposed packet capturing, machine and deep learning, and
pseudocode, together with the evaluation methods, are given in this chapter.

4.1 Design Overview


Design plays a crucial role in the development of any system, product, or solution by providing a blueprint that
outlines the structure, components, and interactions of the intended solution. It aims to translate requirements
and objectives into a tangible and implementable design. Systems requiring complex algorithms or logic involve
designing the algorithms or logical processes to solve specific problems or implement desired functionalities.
This includes defining inputs, outputs, and the steps involved in the algorithm or logic. The design process
incorporates security and privacy considerations by identifying potential vulnerabilities, defining security mea-
sures, and ensuring the protection of sensitive data throughout the system. The design process often follows an
iterative and incremental approach, where the design is refined and improved based on feedback, testing, and
evaluation. Design decisions may be revisited and modified as the design evolves.

4.2 Proposed Model


The proposed system for real-time network traffic analysis aims to enhance network security through the
utilization of machine learning and deep learning techniques.

The first crucial component of the system is data collection, where real-time network traffic data is captured
from the data-center server using Wireshark, a popular network packet capturing and analysis tool. Figure 4.1
illustrates the complete process of capturing and analyzing network traffic data with Wireshark.
The first step in the process is to launch Wireshark, which provides a user-friendly interface to monitor
and capture network packets from the selected network interface. By capturing packets in real-time, Wireshark
enables users to collect the raw data that is being transmitted over the network.
Once the packets are captured, filters are applied to select specific types of packets based on various criteria
such as the source IP address, destination IP address, port number, and protocol type. Applying filters helps
to narrow down the data and focus on the packets of interest, making it easier to analyze and extract relevant
information.
The filtered packets are then saved in a .pcap file format, which is a common file format used for storing
network packet capture data. Saving the filtered packets in a .pcap file allows users to access and analyze the
data at a later time, ensuring that the captured information is retained for further investigation.
Next, the .pcap file is loaded into the analysis environment, where packet-level features are extracted from
the captured data. These packet-level features include information such as packet size, timestamp, protocol
type, and other relevant metadata.
Figure 4.1: Capturing the network traffic data using wireshark.

To gain a higher-level perspective of the network traffic, the packets are aggregated into sessions. A session
is a logical grouping of packets that belong to a single communication between two devices. By aggregating
packets into sessions, the analysis can focus on the interactions between devices rather than individual packets,
providing a more coherent view of the network traffic.
During the session-level analysis, additional features are extracted, providing a more comprehensive
understanding of the communication patterns between devices. These session-level features may include the
duration of the communication, the number of packets exchanged, the total data transferred, and other
characteristics that can help identify specific network activities.
Finally, data preprocessing is performed to prepare the extracted features for further analysis and modeling.
Additionally, the project utilizes Random Forest, XGBoost and PCA, the last for dimensionality reduction, to
enhance the efficiency of the machine learning models. Furthermore, a deep learning framework is introduced to
enhance the performance of anomaly detection based on user activity within specific time intervals. Comparisons
are made across different days to identify traffic patterns that indicate anomalies and optimize detection
techniques.
The detailed overview of the model is shown in the next sections. The feature extraction process involves
extracting relevant information or characteristics from raw network traffic packets using the Scapy library and
flow attributes. Feature extraction and the other processing steps are shown in Chapter 5. Overall, the proposed
system significantly contributes to effective real-time network traffic analysis.
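The session aggregation and session-level feature extraction described above, worked as an added example in plain Python (not the project's code): packets are grouped into bidirectional flows by their 5-tuple, "forward" is the direction of each flow's first packet, and the flow attributes that Chapter 5 defines (Flow.Duration, Flow.IAT.Max, Fwd.Packets.s, Bwd.Header.Length, Avg.Fwd.Segment.Size and the rest) are computed from a constructed packet list, including the single-packet flow whose zero duration would otherwise divide by zero. The Packet record, its header_len and payload_len fields and the use of seconds and bytes as units are assumptions of this example.

```python
"""Session (flow) aggregation and flow-attribute extraction over parsed packets.
Attribute names follow the report; times are in seconds, lengths in bytes."""
from collections import OrderedDict
from dataclasses import dataclass
from statistics import mean
from typing import Dict, List, Tuple


@dataclass
class Packet:
    ts: float          # capture timestamp in seconds
    src: str
    sport: int
    dst: str
    dport: int
    proto: str         # "TCP" / "UDP"
    header_len: int    # IP + transport header bytes (assumed field)
    payload_len: int   # payload bytes (assumed field)


def canonical_key(p: Packet) -> Tuple:
    """Same key for both directions of one conversation."""
    ends = sorted([(p.src, p.sport), (p.dst, p.dport)])
    return (ends[0], ends[1], p.proto)


def group_flows(packets: List[Packet]) -> "OrderedDict[Tuple, List[Packet]]":
    """Aggregate packets into sessions, keeping flows in order of first appearance."""
    flows: "OrderedDict[Tuple, List[Packet]]" = OrderedDict()
    for p in sorted(packets, key=lambda q: q.ts):
        flows.setdefault(canonical_key(p), []).append(p)
    return flows


def _iats(ts: List[float]) -> List[float]:
    """Inter-arrival times between consecutive timestamps."""
    return [b - a for a, b in zip(ts, ts[1:])]


def _rate(count: int, duration: float) -> float:
    # a single-packet flow has zero duration; report 0 instead of dividing by zero
    return count / duration if duration > 0 else 0.0


def flow_features(pkts: List[Packet]) -> Dict[str, object]:
    pkts = sorted(pkts, key=lambda p: p.ts)
    first = pkts[0]
    initiator = (first.src, first.sport)          # forward = direction of first packet
    fwd = [p for p in pkts if (p.src, p.sport) == initiator]
    bwd = [p for p in pkts if (p.src, p.sport) != initiator]
    all_ts = [p.ts for p in pkts]
    fwd_ts = [p.ts for p in fwd]
    duration = all_ts[-1] - all_ts[0]
    flow_iat, fwd_iat = _iats(all_ts), _iats(fwd_ts)
    return {
        "Flow.ID": f"{first.src}:{first.sport}->{first.dst}:{first.dport}/{first.proto}",
        "Flow.Duration": duration,
        "Flow.IAT.Max": max(flow_iat, default=0.0),
        "Flow.IAT.Mean": mean(flow_iat) if flow_iat else 0.0,
        "Flow.Packets.s": _rate(len(pkts), duration),
        "Fwd.Packets.s": _rate(len(fwd), duration),
        "Bwd.Packets.s": _rate(len(bwd), duration),
        "Bwd.Header.Length": sum(p.header_len for p in bwd),
        "Fwd.IAT.Max": max(fwd_iat, default=0.0),
        "Fwd.IAT.Mean": mean(fwd_iat) if fwd_iat else 0.0,
        "Fwd.IAT.Total": fwd_ts[-1] - fwd_ts[0],
        "Fwd.Packet.Length.Max": max(p.payload_len for p in fwd),
        "Avg.Fwd.Segment.Size": mean(p.payload_len for p in fwd),
    }


def extract_all(packets: List[Packet]) -> List[Dict[str, object]]:
    return [flow_features(pkts) for pkts in group_flows(packets).values()]


# Constructed capture (not real traffic): a TLS-like TCP exchange, a DNS
# query/response pair, and an unanswered single-packet DNS query.
SAMPLE_PACKETS = [
    Packet(0.000, "10.0.0.5", 40000, "10.0.0.9", 443, "TCP", 40, 0),     # SYN
    Packet(0.010, "10.0.0.9", 443, "10.0.0.5", 40000, "TCP", 40, 0),     # SYN-ACK
    Packet(0.011, "10.0.0.5", 40000, "10.0.0.9", 443, "TCP", 32, 517),   # ClientHello
    Packet(0.030, "10.0.0.9", 443, "10.0.0.5", 40000, "TCP", 32, 1400),  # server data
    Packet(0.032, "10.0.0.9", 443, "10.0.0.5", 40000, "TCP", 32, 1400),
    Packet(0.050, "10.0.0.5", 40000, "10.0.0.9", 443, "TCP", 32, 120),
    Packet(0.250, "10.0.0.5", 40000, "10.0.0.9", 443, "TCP", 32, 0),     # FIN
    Packet(0.001, "10.0.0.5", 53000, "10.0.0.1", 53, "UDP", 28, 40),
    Packet(0.004, "10.0.0.1", 53, "10.0.0.5", 53000, "UDP", 28, 120),
    Packet(0.100, "10.0.0.5", 53001, "10.0.0.1", 53, "UDP", 28, 40),
]

if __name__ == "__main__":
    for feats in extract_all(SAMPLE_PACKETS):
        print(feats["Flow.ID"], {k: round(v, 4) for k, v in feats.items() if k != "Flow.ID"})
```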

4.2.1 Flow Chart


A flowchart is a visual representation of a process or system, illustrating the sequence of steps or activities
involved. It utilizes different symbols and connectors to demonstrate the flow of information, materials, or
actions within the system. Flowcharts find application in various domains, such as software development,
business processes, project management, and creative problem-solving. The primary objective of a flowchart
is to visually present the logical flow of a process, aiding comprehension and analysis. It offers a structured
and transparent depiction of the steps, decision points, and potential outcomes within a process. Flowcharts
prove particularly valuable in navigating complex systems or processes that encompass multiple stakeholders or
decision-making junctures.
The flowchart represents the process of intrusion detection and its practical application in analyzing real-time
network traffic. Let’s delve into the description of each step.
In the initial phase, data collection involves gathering network traffic data. The collected data is then
subjected to data preprocessing, which includes tasks such as data cleaning, handling missing values, and
normalizing the features to ensure data quality and consistency. The next step focuses on determining the
importance of different features in distinguishing between normal network traffic and intrusions. This is achieved
by employing the Random Forest algorithm, which provides insights into the most significant features for
intrusion detection.
Once the relevant features are identified, feature extraction techniques are applied to extract meaningful
information or attributes from the network traffic data. These techniques involve statistical analysis, pattern
recognition, or machine learning algorithms to capture distinctive patterns associated with different types of
intrusions. The dataset is then divided into input features (X) and intrusion labels (Y) to facilitate the subsequent
training and evaluation processes. Principal Component Analysis (PCA) is utilized to reduce the dimensionality
of the feature space while retaining essential information, thereby simplifying the dataset’s complexity.

Figure 4.2: Represents the flow of intrusion detection model.
To train and evaluate the models, the dataset is split into training and testing subsets. Multiple models,
including XGBoost, Convolutional Neural Network (CNN), and Long Short-Term Memory (LSTM), are trained
using the training data. The models’ performance is evaluated using metrics such as accuracy, precision, recall,
and F1-score to assess their effectiveness in detecting and classifying network intrusions.

Once the models demonstrate satisfactory performance, they are saved for future use. This ensures their
availability for real-time intrusion detection in network traffic. Furthermore, a parallel process runs alongside
the main flowchart. It involves capturing real-time packets using Wireshark, filtering the captured packets,
performing feature extraction based on the trained model, predicting attacks using the trained model, and
visualizing the results. This parallel process enables real-time intrusion detection and analysis on live network
traffic, detecting different types of attacks such as DoS, DDoS, DDoS HULK and brute force.
In summary, the flowchart provides an overview of the intrusion detection process, covering data collection,
preprocessing, feature extraction, model training and evaluation, and real-time analysis. It emphasizes the
interconnections and iterative nature of the steps involved in detecting and mitigating network intrusions.

Figure 4.3 illustrates the flow of anomaly detection and application classification, building upon the design
depicted in Figure 4.2. However, in this case, the target variable is the different types of applications.
To capture real-time network traffic, various applications such as WhatsApp, Google Meet, YouTube, Google,
HTTP, HTTPS, HTTPS-PROXY, SSL, Wikipedia, Skype, and more are opened and run. These applications
record detailed user activity for each specific application at different times throughout the week. The captured
network traffic is saved as pcap files. The saved pcap files are then loaded for feature extraction and
normalization. This process involves extracting relevant information and attributes from the network traffic
data and preparing it for further analysis. Features such as timestamp, application type, and user activity are
extracted to capture the characteristics of each application. Next, the trained model, which has been previously
saved, is utilized to predict and classify different applications. By inputting the normalized features into the
model, it can accurately classify the applications based on the observed network traffic patterns. To visualize
the applications, timestamps are used as a reference. Anomalies are identified by comparing the volume of users
utilizing a particular application during specific time intervals, such as between 10:30 AM to 11:00 AM on
Wednesdays, with the corresponding time interval on the following day. Significant increases or decreases in the
number of users accessing the same application at the same time can be considered anomalies.
The purpose of this anomaly detection and application classification flow is to identify abnormal patterns in
application usage based on network traffic data. By comparing usage patterns across different days, potential
anomalies can be detected, helping to ensure network security and monitor application performance. Overall,
this process provides a systematic approach to analyze network traffic and identify anomalies in application
usage, enabling proactive measures to address potential issues and enhance network management.

Figure 4.3: Represents the flow of application classification and anomaly detection model.

4.2.2 Architectural Design


The architecture diagram of a machine learning (ML) model provides a visual representation of the system’s design
and structure, focusing on the components and their interactions. It illustrates the flow of data and operations
in the ML pipeline.

Figure 4.4: Represents the architecture diagram of complete model.

At a high level, the architecture diagram includes components such as data sources, preprocessing modules,
feature extraction, ML algorithms or models, and the output stage. These components show the sequential or
parallel flow of data and operations. Data sources can be diverse, including structured or unstructured data,
images, text, or time-series data. Preprocessing modules handle tasks like data cleaning, handling missing
values, and normalizing features to ensure data quality and consistency.

The architecture diagram showcases the key components involved in an ML model for intrusion detection,
anomaly detection and application classification based on network traffic data. The data sources provide network
traffic data as input, which is then processed through preprocessing modules. These modules handle tasks
such as data cleaning, handling missing values, and feature normalization to ensure the data’s quality and
consistency.
The preprocessed data is then fed into the feature extraction component, where relevant information and
attributes are extracted from the network traffic data. This step captures characteristics like timestamps,
application types, and user activity, which serve as features for analysis. The ML models component comprises
various machine learning techniques used for intrusion detection and application classification. These models
are trained on the extracted features using supervised or unsupervised learning methods. The output stage
represents the final results generated by the ML model. It can include identified intrusions, classified applications,
or other relevant outputs based on the system’s objective.
The overall purpose of this architecture is to detect and classify network intrusions by analyzing network
traffic data. By comparing usage patterns across different days and applying ML techniques, anomalies and
malicious activities can be identified, enabling proactive measures for network security and performance
monitoring.

4.2.3 Pseudocode of the Proposed system


• Step 1: Random Forest Feature Extraction
  function random_forest_feature_extraction(X_train, y_train, X_test, k):
      random_forest_model = initialize_random_forest_model()
      random_forest_model.fit(X_train, y_train)
      feature_importance = random_forest_model.feature_importances_
      top_k_features = select_top_k_features(feature_importance, k)
      X_train_rf = X_train[:, top_k_features]
      X_test_rf = X_test[:, top_k_features]
      return X_train_rf, X_test_rf
• Step 2: Principal Component Analysis (PCA) for Dimensionality Reduction
  function perform_pca(X_train, X_test, m):
      pca_model = initialize_pca_model(m)
      # fit the projection on the training split only and reuse it for the test
      # split, so that the test data do not influence the learned components
      X_train_pca = pca_model.fit_transform(X_train)
      X_test_pca = pca_model.transform(X_test)
      return X_train_pca, X_test_pca
• Step 3: XGBoost Model Training
  function xgboost_model_training(X_train, y_train, X_test):
      xgboost_model = initialize_xgboost_model()
      xgboost_model.fit(X_train, y_train)
      y_pred_xgboost = xgboost_model.predict(X_test)
      return y_pred_xgboost
• Step 4: Convolutional Neural Network (CNN) Model Training
  function cnn_model_training(X_train, y_train, X_test):
      cnn_model = initialize_cnn_model()
      cnn_model.fit(X_train, y_train)
      y_pred_cnn = cnn_model.predict(X_test)
      return y_pred_cnn
• Step 5: Long Short-Term Memory (LSTM) Model Training
  function lstm_model_training(X_train, y_train, X_test):
      lstm_model = initialize_lstm_model()
      lstm_model.fit(X_train, y_train)
      y_pred_lstm = lstm_model.predict(X_test)
      return y_pred_lstm
• Step 6: Evaluate the Model
  function evaluate_model(y_test, y_pred):
      # the metrics named in Section 4.2.1: accuracy, precision, recall and F1-score
      return accuracy(y_test, y_pred), precision(y_test, y_pred),
             recall(y_test, y_pred), f1_score(y_test, y_pred)

4.3 Summary
In summary, the proposed design and framework aim to enhance network security through real-time traffic
analysis using machine and deep learning algorithms. The framework utilizes the non-real-time and real-time
data to extract features using Random Forest, reduce dimensionality with PCA, and train an XGBoost model
for intrusion prediction. Additionally, it integrates CNN and LSTM models for effective anomaly detection
based on user activity. Real-time network traffic data is captured using Wireshark, enabling real-time analysis.
The framework contributes to improved network security by predicting intrusions, classifying applications, and
detecting anomalies in real-time network traffic data.

Chapter 5

Implementation

This chapter gives a detailed overview of how the project is implemented and of the implementation of the
different algorithms whose results are compared.
Firstly, Wireshark, a powerful network packet capturing and filtering tool available for both Mac and Windows
users, was installed. It allowed examining and analyzing network traffic. Next, the Scapy package was installed,
a Python library that enabled processing and manipulating network packets. Scapy provided a flexible and
efficient way to handle network data.
Python, the versatile programming language commonly used in data analysis, machine learning, and various
other applications, was installed in its latest version. For interactive data analysis and
collaborative coding, Jupyter Notebook was chosen and installed. It provided an interactive environment to
create code cells, add explanatory text, and perform data analysis.
Optionally, Google Colab, a cloud-based Jupyter Notebook service offered by Google, was explored. It en-
abled collaborative coding and provided access to GPUs for machine learning tasks. Tkinter, another optional
package, was a Python library that allowed creating graphical user interfaces (GUIs). With these tools and
packages set up, the system was well-equipped to embark on network analysis and data processing endeavors
using the proposed framework. This setup facilitated efficient and productive work in handling network data
and performing various analyses.

Next, the feature extraction process involves extracting relevant information or characteristics from raw
network traffic packets using the Scapy library and flow attributes. To extract these features, the Scapy library
is used to capture and analyze individual network packets. Scapy provides functions to read, dissect, and
analyze packet contents. By parsing the packet headers, relevant information such as source and destination IP
addresses, protocol types, packet lengths, and timestamps can be extracted. The following flow attributes are
extracted:

Figure 5.1: Extracted features from real-time network traffic data.

17
1. Flow.IAT.Max (Flow Inter-Arrival Time Maximum): This feature represents the maximum time interval
between consecutive packets in a flow.
2. Fwd.Packets.s (Forward Packets per second): It denotes the number of forward packets transmitted per
second in the flow.
3. Flow.Duration: This attribute indicates the duration of the flow, i.e., the time elapsed between the first
and last packet in the flow.
4. Flow.Packets.s (Flow Packets per second): It represents the average number of packets per second in the
flow.
5. Flow.IAT.Mean (Flow Inter-Arrival Time Mean): This feature calculates the average time interval between
consecutive packets in the flow.
6. Bwd.Packets.s (Backward Packets per second): It denotes the number of backward packets transmitted
per second in the flow.
7. Bwd.Header.Length: This attribute represents the total length of headers in the backward direction.
8. Fwd.IAT.Max (Forward Inter-Arrival Time Maximum): It indicates the maximum time interval between
consecutive forward packets in the flow.
9. Fwd.IAT.Mean (Forward Inter-Arrival Time Mean): This feature calculates the average time interval
between consecutive forward packets in the flow.
10. Fwd.Packet.Length.Max (Forward Packet Length Maximum): It represents the maximum length of
forward packets in the flow.
11. Fwd.IAT.Total (Forward Inter-Arrival Time Total): This attribute calculates the total time between the
first and last forward packet in the flow.
12. Avg.Fwd.Segment.Size: It denotes the average size of forward segments in the flow.
13. Subflow.Fwd.Bytes: This attribute represents the total number of bytes in the forward direction for a
specific subflow.
14. Total.Backward.Packets: It indicates the total number of backward packets in the flow.
15. Total.Length.of.Fwd.Packets: This feature represents the total length of forward packets in the flow.
16. Subflow.Bwd.Packets: It denotes the total number of backward packets for a specific subflow.
17. Fwd.Packet.Length.Mean: This attribute calculates the average length of forward packets in the flow.
18. Fwd.Packet.Length.Std: It represents the standard deviation of the length of forward packets in the flow.
19. Average.Packet.Size: This feature denotes the average size of packets in the flow.
20. Down.Up.Ratio: It calculates the ratio of downstream packets to upstream packets in the flow.
Flow attributes such as Flow.IAT.Max, Fwd.Packets.s, Flow.Duration, and the others listed above are computed
from the extracted packet-level information. These attributes describe the temporal characteristics, packet
rates, and durations of the network traffic. The extracted features are used as inputs for the machine learning
and deep learning models, which are trained on them to detect and classify network intrusions, anomalies, and
applications. In summary, feature extraction uses the Scapy library to analyze individual network packets and
extract the relevant header fields, from which flow-level attributes such as Flow.IAT.Max, Fwd.Packets.s, and
Flow.Duration are computed; these features characterize the traffic and feed the subsequent analysis and
modeling tasks. This data serves as the foundation for analysis and model validation, ensuring the system
operates in a real-world environment. Once the data is collected, it is preprocessed to ensure its quality and
compatibility with the machine learning models. This stage involves data cleaning, filtering, and normalization,
which improve the data's suitability for subsequent analysis. Feature extraction, as described above, then
operates on the preprocessed data.
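The flow attributes above, computed from packet records in the way the text describes, as an added example that is not the report's own code. The Packet fields mirror what Scapy exposes for an IP packet (pkt.time, pkt[IP].src, pkt[IP].dst, len(pkt)); the packet list is constructed by hand so the block runs without a capture, and the subflow attributes (which need the flow split into subflows first) are left out.

```python
"""Flow-level feature extraction from packet records (added example, not the
report's code). Durations and inter-arrival times are reported in
microseconds, as in CICIDS2017, and rates in packets per second."""
import statistics
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Packet:
    time: float       # capture timestamp in seconds (Scapy: float(pkt.time))
    src: str          # source IP address (Scapy: pkt[IP].src)
    dst: str          # destination IP address (Scapy: pkt[IP].dst)
    length: int       # total frame length in bytes (len(pkt))
    header_len: int   # IP + transport header length in bytes


def group_flows(packets):
    """Group packets into bidirectional flows keyed by the unordered IP pair.
    CICIDS2017-style flows also key on ports and protocol; this constructed
    sample carries no port fields, so the IP pair is used (assumption)."""
    flows = defaultdict(list)
    for p in packets:
        flows[tuple(sorted((p.src, p.dst)))].append(p)
    return flows


def _iats(times):
    """Inter-arrival times between consecutive packets of one list."""
    return [b - a for a, b in zip(times, times[1:])]


def _mean(values):
    return statistics.fmean(values) if values else 0.0


def flow_features(packets, client_ip):
    """Compute the report's flow attributes for one flow. 'Forward' packets
    are those sent by client_ip, 'backward' packets are the replies."""
    pkts = sorted(packets, key=lambda p: p.time)
    fwd = [p for p in pkts if p.src == client_ip]
    bwd = [p for p in pkts if p.src != client_ip]
    duration_s = pkts[-1].time - pkts[0].time
    # a single-packet flow has zero duration; guard the per-second rates
    dur = duration_s if duration_s > 0 else 1e-6
    all_iat = _iats([p.time for p in pkts])
    fwd_iat = _iats([p.time for p in fwd])
    fwd_len = [p.length for p in fwd]
    return {
        "Flow.Duration": duration_s * 1e6,
        "Flow.IAT.Max": max(all_iat, default=0.0) * 1e6,
        "Flow.IAT.Mean": _mean(all_iat) * 1e6,
        "Flow.Packets.s": len(pkts) / dur,
        "Fwd.Packets.s": len(fwd) / dur,
        "Bwd.Packets.s": len(bwd) / dur,
        "Fwd.IAT.Max": max(fwd_iat, default=0.0) * 1e6,
        "Fwd.IAT.Mean": _mean(fwd_iat) * 1e6,
        "Fwd.IAT.Total": sum(fwd_iat) * 1e6,
        "Fwd.Packet.Length.Max": max(fwd_len, default=0),
        "Fwd.Packet.Length.Mean": _mean(fwd_len),
        "Fwd.Packet.Length.Std": statistics.pstdev(fwd_len) if len(fwd_len) > 1 else 0.0,
        "Avg.Fwd.Segment.Size": _mean(fwd_len),   # forward segment mean, as CICFlowMeter defines it
        "Total.Length.of.Fwd.Packets": sum(fwd_len),
        "Total.Backward.Packets": len(bwd),
        "Bwd.Header.Length": sum(p.header_len for p in bwd),
        "Average.Packet.Size": _mean([p.length for p in pkts]),
        "Down.Up.Ratio": len(bwd) // len(fwd) if fwd else 0,   # integer ratio as in CICFlowMeter
    }


# Constructed sample: one short client/server exchange between two hosts.
SAMPLE = [
    Packet(0.000, "10.0.0.5", "203.0.113.7", 74, 40),
    Packet(0.020, "203.0.113.7", "10.0.0.5", 74, 40),
    Packet(0.021, "10.0.0.5", "203.0.113.7", 66, 32),
    Packet(0.022, "10.0.0.5", "203.0.113.7", 512, 32),
    Packet(0.060, "203.0.113.7", "10.0.0.5", 1514, 32),
    Packet(0.061, "203.0.113.7", "10.0.0.5", 900, 32),
    Packet(0.062, "10.0.0.5", "203.0.113.7", 66, 32),
]


def sample_features():
    """Features of the single flow in SAMPLE, with 10.0.0.5 as the client."""
    (flow,) = group_flows(SAMPLE).values()
    return flow_features(flow, client_ip="10.0.0.5")


if __name__ == "__main__":
    for name, value in sample_features().items():
        print(f"{name:30s} {value:>14.3f}")
```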

18
Random forest is employed to identify the most important features, and the method then applies Principal
Component Analysis (PCA) for dimensionality reduction to limit overfitting and improve the efficiency of the
models. By reducing the dimensionality of the feature space, PCA retains the most important information
while removing redundant or less significant features, which lets the models focus on the most relevant aspects
of the data and improves their performance.

Intrusion Detection: To identify network intrusions, the system employs machine learning and deep
learning techniques that are trained on a labeled dataset containing instances of known intrusion types. The
training data comprises network traffic instances associated with various intrusion types like DDoS attacks,
brute force attempts, and DDoS Hulk attacks.
The models learn to recognize patterns and indicators of different intrusion types within the network traffic
data. They identify specific features and behaviors that differentiate normal traffic from intrusive activities.
By leveraging these learned patterns, the system can effectively and accurately detect and classify instances of
network intrusions in real-time.

Anomaly Detection: Anomaly detection plays a vital role in network security by identifying abnormal
activities that deviate from expected network behavior. The proposed system incorporates anomaly detection
techniques to identify suspicious patterns and activities within the network traffic data.
One approach to anomaly detection compares the current traffic pattern of each classified application with the
historical pattern of the same application over the same time window on the previous day. This temporal
analysis lets the system identify deviations or anomalies in network traffic behavior. The system integrates
intrusion and anomaly detection as essential components of real-time network traffic analysis.
Machine learning and deep learning techniques, including XGBoost, CNN, and LSTM models, are applied to
train and evaluate the data. To evaluate the models, various metrics such as accuracy, precision, recall, and F1
score are used. Accuracy measures the overall correctness of the model’s predictions, while precision quantifies
the model’s ability to correctly identify true positive instances. Recall, on the other hand, assesses the model’s
capability to capture all positive instances, while the F1 score provides a balance between precision and recall.
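The evaluation metrics just described, computed for the multiclass intrusion labels, plus the two XGBoost evaluation metrics (merror and mlogloss) used later in Algorithm 5.3. This is an added example, not the report's code; the label vectors and probability rows are constructed, and precision, recall and F1 are macro-averaged over classes, which is an assumption (micro-averaging would make all three equal the accuracy, which is one way the report's four identical percentages can arise).

```python
"""Multiclass evaluation: accuracy, precision, recall, F1, merror, mlogloss
(added example, not the report's code)."""
import math

# Class map used for the intrusion labels in Chapter 6 (Fig. 6.2).
LABELS = {0: "BENIGN", 1: "DDoS", 2: "DoS Hulk", 3: "PortScan",
          4: "SSH-Patator", 5: "Web Attack-Brute Force"}


def confusion_matrix(y_true, y_pred, n_classes):
    """cm[t][p] = number of samples of true class t predicted as class p."""
    cm = [[0] * n_classes for _ in range(n_classes)]
    for t, p in zip(y_true, y_pred):
        cm[t][p] += 1
    return cm


def per_class_scores(cm):
    """(precision, recall, f1) for each class from the confusion matrix."""
    n = len(cm)
    scores = {}
    for c in range(n):
        tp = cm[c][c]
        fp = sum(cm[r][c] for r in range(n)) - tp   # predicted c, but was another class
        fn = sum(cm[c][r] for r in range(n)) - tp   # was c, but predicted as another class
        precision = tp / (tp + fp) if tp + fp else 0.0
        recall = tp / (tp + fn) if tp + fn else 0.0
        f1 = 2 * precision * recall / (precision + recall) if precision + recall else 0.0
        scores[c] = (precision, recall, f1)
    return scores


def evaluate(y_true, y_pred, n_classes):
    """Accuracy, merror (= 1 - accuracy) and macro-averaged precision/recall/F1."""
    cm = confusion_matrix(y_true, y_pred, n_classes)
    accuracy = sum(cm[c][c] for c in range(n_classes)) / len(y_true)
    scores = per_class_scores(cm)
    macro = [sum(scores[c][i] for c in range(n_classes)) / n_classes for i in range(3)]
    return {"accuracy": accuracy, "merror": 1.0 - accuracy,
            "precision": macro[0], "recall": macro[1], "f1": macro[2]}


def mlogloss(y_true, proba, eps=1e-15):
    """Multiclass log loss: -mean(log p(true class)), probabilities clipped at eps."""
    return -sum(math.log(max(row[t], eps)) for t, row in zip(y_true, proba)) / len(y_true)


# Constructed validation labels and predictions (ten flows, six classes).
Y_TEST = [0, 0, 0, 1, 1, 2, 2, 3, 4, 5]
Y_PRED = [0, 0, 1, 1, 1, 2, 3, 3, 4, 5]
# Constructed class-probability rows for three flows of true classes 0, 1, 2.
PROBA = [[0.7, 0.2, 0.1], [0.2, 0.5, 0.3], [0.25, 0.25, 0.5]]


def sample_evaluation():
    return evaluate(Y_TEST, Y_PRED, len(LABELS))


if __name__ == "__main__":
    for metric, value in sample_evaluation().items():
        print(f"{metric:10s} {value:.4f}")
    print(f"mlogloss   {mlogloss([0, 1, 2], PROBA):.4f}")
    for c, (p, r, f) in per_class_scores(confusion_matrix(Y_TEST, Y_PRED, 6)).items():
        print(f"{LABELS[c]:24s} P={p:.2f} R={r:.2f} F1={f:.2f}")
```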

19
5.1 Feature Importance
Random forest is used to select the important features from the large existing feature set, much of which is
not useful for the proposed framework. This kind of feature selection improves model accuracy and lets the
data fit the model well. The random forest outputs each feature name together with its importance score,
where a higher score means a higher priority for that feature.

Algorithm 5.1: Random Forest

Input:
• Training dataset with input features (X), where X = 21 features
• Target labels (Y), where Y = Attacks OR ApplicationName

Procedure:
• Initialize an empty dictionary L to store the cumulative importance scores for each feature; once filled it
has the form
L = {Flow.IAT.Max: 0.079785, Flow.Duration: 0.072338, ..., Subflow.Bwd.Packets: 0.033291}
• For each decision tree in the Random Forest ensemble:
- Retrieve the feature importances of the decision tree.
- For each feature and its importance score in the decision tree:
- If the feature is not already in the dictionary, add it with the importance score as its value.
- If the feature is already in the dictionary, increment its importance score by the current importance
score.
• To calculate the average importance score for each feature, divide the cumulative importance score by
the number of decision trees in the ensemble. This gives an average importance score that represents the
relative importance of each feature in the XGBoost model.
• Normalize the importances so that they sum to 1 or are scaled within a specific range:
- Compute the sum of all importances.
- For each feature, divide its importance score by the sum of all importances.
• Return the list of feature importances L.

Output:
List of feature importances
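Algorithm 5.1 carried through in code, with the ranked list then cut to the features that carry most of the importance, as an added example that is not the report's code. In the project the per-tree dictionaries would come from each fitted tree of a scikit-learn random forest (its feature_importances_ zipped with the column names); the three dictionaries below and the 95% cut-off are constructed assumptions.

```python
"""Average per-tree feature importances, normalise, rank, select
(added example, not the report's code)."""


def aggregate_importances(per_tree):
    """Cumulative sum per feature -> average over trees -> normalise to sum 1.
    Returns [(feature, score), ...] sorted by descending score."""
    cumulative = {}
    for tree_importances in per_tree:
        for feature, score in tree_importances.items():
            if feature not in cumulative:          # first time seen: add it
                cumulative[feature] = score
            else:                                  # already present: increment
                cumulative[feature] += score
    n_trees = len(per_tree)
    averaged = {f: s / n_trees for f, s in cumulative.items()}
    total = sum(averaged.values())
    normalised = {f: (s / total if total else 0.0) for f, s in averaged.items()}
    return sorted(normalised.items(), key=lambda kv: kv[1], reverse=True)


def select_features(ranked, coverage=0.95):
    """Keep the top-ranked features until their scores reach `coverage` of the
    total; everything below the cut is the unwanted set the report drops."""
    kept, accumulated = [], 0.0
    for feature, score in ranked:
        kept.append(feature)
        accumulated += score
        if accumulated >= coverage:
            break
    return kept


# Constructed per-tree importances for five of the report's flow attributes.
PER_TREE = [
    {"Flow.IAT.Max": 0.40, "Flow.Duration": 0.30, "Fwd.Packets.s": 0.20,
     "Subflow.Bwd.Packets": 0.08, "Down.Up.Ratio": 0.02},
    {"Flow.IAT.Max": 0.30, "Flow.Duration": 0.40, "Fwd.Packets.s": 0.10,
     "Subflow.Bwd.Packets": 0.15, "Down.Up.Ratio": 0.05},
    {"Flow.IAT.Max": 0.50, "Flow.Duration": 0.20, "Fwd.Packets.s": 0.15,
     "Subflow.Bwd.Packets": 0.10, "Down.Up.Ratio": 0.05},
]


def ranked_sample():
    """Ranked importances of the constructed ensemble above."""
    return aggregate_importances(PER_TREE)


if __name__ == "__main__":
    ranked = ranked_sample()
    for feature, score in ranked:
        print(f"{feature:22s} {score:.6f}")
    print("selected:", select_features(ranked))
```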

20
Figure 5.2: Feature importance and its corresponding score.

5.2 Dimensionality Reduction


Principal component analysis (PCA) is a dimensionality reduction technique; here it reduces the number of
components to 14. By applying PCA for dimensionality reduction, the framework can handle high-dimensional
data more efficiently and avoid the curse of dimensionality. This not only speeds up the training process but also
helps in reducing the risk of overfitting. PCA also aids in identifying the most significant features or patterns in
the dataset, allowing the subsequent models (such as XGBoost, CNN, and LSTM) to focus on the most relevant
information. It simplifies the representation of the data and provides a more concise and interpretable feature
space, which can lead to a better understanding of the underlying relationships within the network traffic data.

21
Algorithm 5.2: Principal Component Analysis (PCA)

Input:
• Training dataset with input features (X), where X = 21 features

Procedure:
1. Standardize the input features:
• For each feature, calculate the mean:
µ = (1/N) · Σ_{i=1}^{N} x_i, with N = 10000,
where N is the number of samples and x_i is the value of the feature (Flow.IAT.Max, Flow.Duration, ...,
Subflow.Bwd.Packets) for the ith sample.
• Calculate the standard deviation σ of each feature.
• Standardize each feature: x_i,standardized = (x_i − µ) / σ.
• Number of components to retain: n_components = 14.
2. Calculate the covariance matrix:
• Construct a matrix X with the standardized features, where each row represents a sample and each
column represents a feature, and compute its covariance matrix C (a 14 × 14 matrix in this framework).
3. Compute eigenvalues and eigenvectors:
• Perform the eigenvalue decomposition of the covariance matrix C: C = V Λ Vᵀ, where V is the matrix
of eigenvectors and Λ is the diagonal matrix of eigenvalues.
4. Sort eigenvalues and select the top-k eigenvectors:
• Sort the eigenvalues in descending order: λ1 ≥ λ2 ≥ ... ≥ λp, where p is the number of features.
• Select the k eigenvectors that correspond to the k largest eigenvalues.
5. Form a projection matrix:
• Construct a projection matrix W by stacking the selected eigenvectors as columns: W = [v1, v2, ..., vk],
where vi is the ith eigenvector.

Output: Project the standardized input features onto the projection matrix:
Xpca = Xstandardized · W,
Xpca = array([[-1.59093641e+07, -1.52894771e+06, -4.16477194e+05, ..., 2.92979470e+00,
-1.57600025e+01, 5.98503117e+00], ..., [-1.70675943e+07, -1.56801724e+06,
7.07752748e+04, ..., 1.58513999e+01, -1.44711504e+01, -3.12404865e+00]])

where Xpca represents the transformed features in the lower-dimensional space.


Finally, the standardized input features are projected onto the projection matrix, resulting in transformed
features in the lower-dimensional space. These transformed features, denoted as Xpca in the example, have
reduced dimensionality from the original 21 columns to 14 components.
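Algorithm 5.2 carried through step by step (standardize, covariance, eigendecomposition C = V Λ Vᵀ, sort, project), as an added example that is not the report's code. A Jacobi rotation routine stands in for a library eigensolver so the block has no third-party dependency; the 8 × 4 sample matrix is constructed so that two of its columns are linear combinations of the other two, and it goes from 4 features to 2 components where the report goes from 21 to 14.

```python
"""PCA by the steps of Algorithm 5.2 (added example, not the report's code)."""
import math


def standardize(X):
    """Column-wise (x - mu) / sigma with population statistics; returns Z, mu, sigma."""
    n, p = len(X), len(X[0])
    mu = [sum(row[j] for row in X) / n for j in range(p)]
    sigma = [math.sqrt(sum((row[j] - mu[j]) ** 2 for row in X) / n) or 1.0 for j in range(p)]
    Z = [[(row[j] - mu[j]) / sigma[j] for j in range(p)] for row in X]
    return Z, mu, sigma


def covariance(Z):
    """C = (1/N) Z^T Z for zero-mean Z; a p x p symmetric matrix."""
    n, p = len(Z), len(Z[0])
    return [[sum(Z[i][a] * Z[i][b] for i in range(n)) / n for b in range(p)] for a in range(p)]


def jacobi_eigen(C, tol=1e-12, max_sweeps=100):
    """Eigendecomposition C = V Lambda V^T of a symmetric matrix by cyclic
    Jacobi rotations. Returns (eigenvalues, V) with eigenvectors as columns."""
    n = len(C)
    A = [row[:] for row in C]
    V = [[1.0 if i == j else 0.0 for j in range(n)] for i in range(n)]
    for _ in range(max_sweeps):
        off = sum(A[i][j] ** 2 for i in range(n) for j in range(n) if i != j)
        if off < tol:
            break
        for p in range(n - 1):
            for q in range(p + 1, n):
                if abs(A[p][q]) < 1e-300:
                    continue
                theta = (A[q][q] - A[p][p]) / (2.0 * A[p][q])
                t = math.copysign(1.0, theta) / (abs(theta) + math.sqrt(theta * theta + 1.0))
                c = 1.0 / math.sqrt(t * t + 1.0)
                s = t * c
                for k in range(n):                       # A <- A J  (columns p, q)
                    akp, akq = A[k][p], A[k][q]
                    A[k][p], A[k][q] = c * akp - s * akq, s * akp + c * akq
                for k in range(n):                       # A <- J^T A  (rows p, q)
                    apk, aqk = A[p][k], A[q][k]
                    A[p][k], A[q][k] = c * apk - s * aqk, s * apk + c * aqk
                for k in range(n):                       # V <- V J
                    vkp, vkq = V[k][p], V[k][q]
                    V[k][p], V[k][q] = c * vkp - s * vkq, s * vkp + c * vkq
    return [A[i][i] for i in range(n)], V


def pca(X, n_components):
    """Returns (X_pca, eigenvalues sorted descending, explained variance ratio)."""
    Z, _, _ = standardize(X)
    C = covariance(Z)
    vals, V = jacobi_eigen(C)
    p = len(vals)
    order = sorted(range(p), key=lambda i: vals[i], reverse=True)      # lambda_1 >= lambda_2 >= ...
    W = [[V[row][order[k]] for k in range(n_components)] for row in range(p)]  # W = [v1, ..., vk]
    X_pca = [[sum(z[a] * W[a][k] for a in range(p)) for k in range(n_components)] for z in Z]
    sorted_vals = [vals[i] for i in order]
    ratio = sum(sorted_vals[:n_components]) / sum(sorted_vals)
    return X_pca, sorted_vals, ratio


# Constructed sample: four "flow attribute" columns; columns 3 and 4 are
# 2*f1 + f2 and f1 - f2, so the data really has only two dimensions.
SAMPLE = [[f1, f2, 2 * f1 + f2, f1 - f2] for f1, f2 in
          [(1, 2), (2, 1), (3, 4), (4, 3), (5, 6), (6, 5), (7, 8), (8, 7)]]


if __name__ == "__main__":
    X_pca, vals, ratio = pca(SAMPLE, 2)
    print("eigenvalues:", [round(v, 6) for v in vals])
    print("explained by 2 components:", round(ratio, 6))
    for row in X_pca:
        print([round(v, 4) for v in row])
```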

22
5.3 Models
XGBoost (Extreme Gradient Boosting) is employed in the proposed design and framework due to its high
predictive accuracy, capability to handle high-dimensional data efficiently, and inclusion of regularization
techniques to control overfitting. Additionally, XGBoost’s ability to handle missing data, parallel processing for
faster training, and feature importance analysis makes it well-suited for enhancing the accuracy and efficiency
of predictive models in various tasks.
Algorithm 5.3: XGBoost Algorithm

The XGBoost algorithm, short for Extreme Gradient Boosting, is an ensemble learning method that combines
multiple weak prediction models (typically decision trees) to create a powerful predictive model. It uses a
gradient boosting framework to iteratively train new models that correct the errors made by previous models.

Input:
• Training dataset after PCA has been applied (Xpca).
• Training dataset with input features (xtrain) and corresponding target labels (ytrain).
• Validation dataset with input features (xtest) and corresponding target labels (ytest).

Procedure:
1. Create DMatrix objects for XGBoost:
• Create a DMatrix (data matrix) for the training set (dtrain) using xgb.DMatrix(), providing the input
features (xtrain) and the target labels (ytrain).
• Create a DMatrix for the validation set (dval) using xgb.DMatrix(), providing the input features (xtest)
and the target labels (ytest).
2. Set the parameters for XGBoost:
• Define a dictionary called "params" to store the XGBoost parameters.
• Set the 'objective' parameter to 'multi:softmax' for multiclass classification.
• Set the 'num_class' parameter to the number of classes in the dataset.
• Set the 'eval_metric' parameter to ['merror', 'mlogloss'] to evaluate the multiclass error rate and the
multiclass log loss.
3. Train the XGBoost model:
• Specify the number of boosting rounds (numrounds = 100) as a hyperparameter.
• Use the xgb.train() function to train the model, providing the parameters (params), the training data
(dtrain), and the number of boosting rounds (numrounds = 100).
4. Make predictions on the validation set:
• Invoke the predict() method on the model object with the validation data (dval) as input, and store the
predicted labels in the variable ypred.

Output:
• The XGBoost model trained on the training set, having learned the patterns in the data.
• Predicted labels (ypred) for the validation set.
• XGBoost achieved accuracy, precision, recall and F1-score of 73.99% for application classification, the
highest among the models compared.

23
5.3.1 CNN Model

Convolutional Neural Networks (CNNs) are utilized for their exceptional ability to extract spatial features
from data, particularly in image and sequence-related tasks. In the context of network traffic analysis, CNNs
can learn to recognize patterns, dependencies, and structures in the packet sequences, making them highly
suitable for tasks such as intrusion detection and application classification. Additionally, CNNs can handle
the sequential nature of packet data, effectively learning and identifying temporal dependencies and patterns,
which is crucial in real-time analysis of network traffic. Their ability to learn hierarchical representations allows
them to capture both low-level and high-level features from the data, contributing to better understanding and
detection of network anomalies.
By incorporating CNNs into the framework, it becomes well-equipped to analyze and process the time-series
network data, thereby improving the precision of intrusion detection, application classification, and anomaly
detection tasks, and enhancing the overall network security.

Figure 5.3: Convolutional Neural network model.

• The input shape of the CNN is (xtrain.shape[1], 1), indicating the number of time steps and the number
of channels (1).
• The model consists of multiple Conv1D layers with increasing filter sizes: 32, 64, 128, 256, and 512.
• Each Conv1D layer uses a kernel size of 3, applies the ReLU activation function, and uses padding to
maintain the same input size.
• The output of the last Conv1D layer is flattened using the Flatten layer.
• The flattened output is then fed into a Dense layer with 256 units and the ReLU activation function.
Finally, the output is passed through another Dense layer with numclasses units and the softmax activation
function, which produces the predicted class probabilities.

CNN gave an accuracy of 88% for intrusion detection and 65% for application classification, the second
highest among the models compared.

24
5.3.2 LSTM Model
Long Short-Term Memory (LSTM) models are employed due to their ability to capture long-term dependencies
and temporal patterns in sequential data. In the context of network traffic analysis, LSTM models are well-suited
for handling time-series data, such as the sequence of network packets.
Additionally, LSTM models complement the other machine learning algorithms in the framework, such as
Random Forest and XGBoost, by providing a deep learning-based approach to anomaly detection and prediction.
This combination of machine learning and deep learning techniques ensures comprehensive analysis and robust
performance in handling diverse and dynamic network traffic data.

Figure 5.4: Long-short term memory model.

• The input shape of the LSTM is (xlstm.shape[1], 1), indicating the number of time steps and the number
of features (1).
• The LSTM layer is represented by a block with the number of units (32) written inside.
• The ReLU activation function is applied after the LSTM layer.
• The Dense layers are represented by blocks with the number of units (64, numclasses) written inside.
• The Softmax activation function is applied after the Dense(numclasses) layer.
• The final output is labeled as "Output".

LSTM gave the accuracy of 95% in detecting the Intrusion and 61% for application classification.

LSTMs are designed to capture long-term dependencies in time-series data by utilizing memory cells and
a gating mechanism to retain information over extended sequences. This unique structure enables LSTMs
to effectively recognize and remember recurring patterns, trends, and seasonality, making them proficient at
encoding the temporal patterns present in time-series data. By leveraging these capabilities, LSTMs prove
valuable in tasks such as forecasting and gaining insights into the underlying dynamics of the time series.

25
Chapter 6

Results and Discussion

This chapter presents the implementation results and visualizations of the dataset, along with the evaluation of
different models. We explore the performance of each model and analyze their differences in terms of results.

6.1 Intrusion detection

Figure 6.1: Dataset attack types.

26
Fig 6.1 shows the different attack types, where the x-axis lists the attacks and the y-axis gives the number of
users in the dataset. This dataset is used to train the different models.

Figure 6.2: Shows the class distribution of attacks after the prediction using the Network traffic dataset.

Fig 6.2 shows the class distribution after prediction using a model on the CICIDS dataset, where the labels
0-5 are 0: 'BENIGN', 1: 'DDoS', 2: 'DoS Hulk', 3: 'PortScan', 4: 'SSH-Patator', 5: 'Web Attack-Brute Force'.

Table 6.1: Evaluation Results of Intrusion detection (all models trained on the PCA-reduced features)

  Metric      Random forest
  Accuracy    99.84%
  Precision   99.84%
  Recall      99.84%
  F1-score    99.84%

  Metric      CNN       LSTM
  TrainLoss   695.77    0.1159
  TrainAcc    88%       95.35%
  ValLoss     234.92    0.1240
  ValAcc      93%       95.51%

Table 6.1 shows the evaluation of the random forest, CNN and LSTM models. From the table we can conclude
that random forest gives the highest accuracy, 99 percent, and fits our data well compared to LSTM and CNN
for intrusion detection.
Fig 6.3 shows the predicted results. After loading the real-time data and extracting its features, the saved
trained model is applied to predict the attacks. From the plot we can conclude that the real-time data
collected with Wireshark contained mostly benign packets, together with some DoS Hulk and DDoS packets.

27
Figure 6.3: Predicted attack labels of real-time data.

6.2 Application classification and Anomaly detection

Figure 6.4: Application names of Network traffic dataset.

Figs 6.4 and 6.5 show the different application names, where the x-axis lists the applications and the y-axis
gives the number of users in the CICIDS 2017 dataset. This dataset is used to train the models.

28
Figure 6.5: Other application names of Network traffic dataset.

Figure 6.6: Shows the class distribution of applications after the prediction

Fig 6.6 shows the class distribution after prediction using a model on the CICIDS dataset, where 17:
'HTTP-PROXY', 14: 'HTTP', 15: 'HTTP-CONNECT', 28: 'SSL', 13: 'GOOGLE', 38: 'YOUTUBE', 10:
'FACEBOOK', 6: 'CONTENT-FLASH', 8: 'DROPBOX', 36: 'WINDOWS-UPDATE', 0: 'AMAZON', 19:
'MICROSOFT', 30: 'TOR', 12: 'GMAIL', 37: 'YAHOO', 21: 'MSN', 29: 'SSL-NO-CERT', 27: 'SKYPE', 23:
'MS-ONE-DRIVE', 22: 'MSSQL', 31: 'TWITTER', 2: 'APPLE-ICLOUD', 5: 'CLOUDFLARE', 32:
'UBUNTUONE', 26: 'OFFICE-365', 35: 'WIKIPEDIA', 16: 'HTTP-DOWNLOAD', 4: 'CITRIX', 34: 'WHATSAPP',
1: 'APPLE', 20: 'MQTT', 3: 'APPLE-ITUNES', 18: 'INSTAGRAM', 9: 'EBAY', 7: 'DNS', 25: 'NTP', 11:
'FTP-DATA', 33: 'UNENCRYPED-JABBER', 24: 'NETFLIX'.

29
Table 6.2: Evaluation Results of Application Classification (all models trained on the PCA-reduced features)

  Metric      XGBoost   Random forest
  Accuracy    73.99%    72.82%
  Precision   73.99%    72.82%
  Recall      73.99%    72.72%
  F1-score    73.99%    72.82%

  Metric      CNN       LSTM
  TrainLoss   1.9839    1.7709
  TrainAcc    65.21%    61.84%
  ValLoss     1.9839    1.8401
  ValAcc      68.01%    62.04%

Table 6.2 shows the evaluation of the XGBoost, random forest, CNN and LSTM models. From the table we
can conclude that XGBoost gives the highest accuracy, 73 percent, and fits our data well compared to random
forest, LSTM and CNN for application classification.

Figure 6.7: Predicted application labels of real-time data.

Fig 6.7 shows the predicted results. After loading the real-time data and extracting its features, the saved
trained model is applied to predict the applications. From the plot we can conclude that HTTP and Google
users were the most numerous in the real-time data collected with Wireshark.

30
6.2.1 Anomaly detection

Figure 6.8: Google application w.r.t Time and Number of Users plot of day1 and day2 of same duration.

Figure 6.9: HTTP application w.r.t Time and Number of Users plot of day1 and day2 of same duration.

31
Figure 6.10: SSL application w.r.t Time and Number of Users plot of day1 and day2 of same duration.

Table 6.3: Drastic increases and decreases in the number of users of particular applications

Number of users (10.20AM to 11.20AM)

  Application   Wednesday   Thursday   Friday
  Google        465         351        608
  Wikipedia     107         156        95
  SSL           596         459        623
  Youtube       320         377        448
  Microsoft     568         472        787
  Gmail         626         259        880
  Whatsapp      897         562        943

Studying the number of users of each application type on different days of the week reveals patterns that are
specific to an organization. Hence the number of users per application type is plotted against time for two
different days. These plots show that the number of users varies at different time instants. These results give
the machine learning model patterns to learn, and any unusual pattern indicates an anomaly. Applications
such as Google, HTTP, and SSL are shown with their number of users over time in figs 6.8, 6.9, and 6.10, and
table 6.3 gives the predicted results for particular applications from real-time data. The real-time data was
captured each day at a specific time, in this case 21:56 to 21:58, on different days and for different
applications. After loading the real-time data and extracting its features, the saved trained model is applied
to predict the applications. From the plots, anomalies can be detected based on the time window and the
number of users: in fig 6.8 (GOOGLE), the first plot (day 1) shows fewer users, while on day 2 there is a
sudden increase in the number of users of the same application, which is considered an anomaly.
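The day-over-day comparison of this section in code, as an added example that is not the report's own: bucket_users() builds the "number of users per time slot" series of the kind plotted in figs 6.8 to 6.10 from classified records, and compare_days() flags an application whose user count in the same window moved by more than a threshold relative to the previous day. The counts come from table 6.3; the 50% threshold and the record list are assumptions.

```python
"""Temporal anomaly check on per-application user counts (added example,
not the report's code)."""
from collections import defaultdict


def bucket_users(records, slot_minutes=1):
    """records: (seconds since midnight, predicted application, client IP).
    Returns {application: {slot start minute: number of distinct users}}."""
    users = defaultdict(lambda: defaultdict(set))
    for ts, app, ip in records:
        slot = (int(ts) // 60) // slot_minutes * slot_minutes
        users[app][slot].add(ip)
    return {app: {s: len(ips) for s, ips in slots.items()} for app, slots in users.items()}


def compare_days(previous, current, threshold=0.5):
    """previous/current: {application: users in the same window on each day}.
    Returns [(application, previous, current, relative change)] for every
    application whose change exceeds the threshold; an application absent on
    the previous day is reported with an infinite change."""
    anomalies = []
    for app, cur in current.items():
        prev = previous.get(app, 0)
        change = (cur - prev) / prev if prev else float("inf")
        if abs(change) > threshold:
            anomalies.append((app, prev, cur, change))
    return anomalies


# Number of users between 10.20AM and 11.20AM, as reported in Table 6.3.
TABLE_6_3 = {
    "Wednesday": {"Google": 465, "Wikipedia": 107, "SSL": 596, "Youtube": 320,
                  "Microsoft": 568, "Gmail": 626, "Whatsapp": 897},
    "Thursday":  {"Google": 351, "Wikipedia": 156, "SSL": 459, "Youtube": 377,
                  "Microsoft": 472, "Gmail": 259, "Whatsapp": 562},
    "Friday":    {"Google": 608, "Wikipedia": 95, "SSL": 623, "Youtube": 448,
                  "Microsoft": 787, "Gmail": 880, "Whatsapp": 943},
}


def table_anomalies(threshold=0.5):
    """Compare each day of Table 6.3 with the day before it."""
    days = list(TABLE_6_3)
    return {cur: compare_days(TABLE_6_3[prev], TABLE_6_3[cur], threshold)
            for prev, cur in zip(days, days[1:])}


# Constructed classified records for one capture window (seconds, app, client).
DAY_RECORDS = [(600, "GOOGLE", "10.0.0.1"), (610, "GOOGLE", "10.0.0.1"),
               (620, "GOOGLE", "10.0.0.2"), (660, "GOOGLE", "10.0.0.3"),
               (600, "HTTP", "10.0.0.1")]


if __name__ == "__main__":
    print(bucket_users(DAY_RECORDS))
    for day, found in table_anomalies().items():
        for app, prev, cur, change in found:
            print(f"{day}: {app} {prev} -> {cur} ({change:+.0%})")
```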

32
Chapter 7

Conclusion and Future Scope

7.1 Conclusion
In conclusion, this project focuses on harnessing machine learning and deep learning techniques to improve
network security through real-time traffic analysis.
The project initiates by identifying the significance of features using the random forest algorithm and
employing Principal Component Analysis (PCA) for dimensionality reduction. Multiple models, including random
forest, XGBoost, convolutional neural networks (CNN), and long short-term memory (LSTM) architectures,
are then trained using the reduced dataset. Validation and testing of the trained models are conducted using
real-time network traffic data captured from the college server through Wireshark. This real-world data serves
as a valuable resource to evaluate the effectiveness and precision of the developed framework.

The framework’s objectives encompass predicting and classifying various intrusion types, such as DDoS
attacks, brute force attempts, and DDoS Hulk attacks. By leveraging the CICIDS 2017 dataset and capturing
real-world network traffic data, this project develops a framework that is capable of accurately detecting
and classifying network intrusions, anomalies, and application behavior.

Additionally, it performs real-time application classification and anomaly detection by comparing current-
day patterns with historical data. The primary goal of this project is to create an efficient system for real-time
network traffic analysis, enabling the accurate detection of network intrusions, anomalies, and application
behavior. By integrating machine learning and deep learning techniques, this project contributes to the ongoing
efforts in enhancing network security and presents a proactive approach to counter potential threats in the
dynamic digital landscape of today.

7.2 Future Scope

In the realm of network security and real-time traffic analysis, there are several potential areas for future
research and development. These areas include advanced threat detection, dynamic model updating,
behavioral analysis, integration with Security Information and Event Management (SIEM) systems, automation
and orchestration, transfer learning and federated learning, real-time visualization and reporting, and continued
dataset development.

Advanced threat detection involves further exploration of advanced machine learning and deep learning
models to improve the identification of emerging and sophisticated cyber threats. Techniques such as recurrent
neural networks (RNNs), generative adversarial networks (GANs), and reinforcement learning algorithms can be
employed to enhance the framework’s capability to detect complex attack patterns. Dynamic model updating
focuses on investigating methods to dynamically update and adapt trained models based on evolving network
traffic patterns and emerging threats. This involves establishing mechanisms for continuous model retraining
using fresh data, ensuring that the system remains effective against new attack vectors.

33
Behavioral analysis involves integrating techniques that can detect anomalies in network traffic beyond
traditional statistical methods. By considering the behavioral patterns of users, devices, or applications, it becomes
possible to identify deviations from normal behavior and detect insider threats or targeted attacks.
Integration with SIEM systems enhances overall security monitoring and incident response capabilities. By combining
real-time traffic analysis with other security data sources such as log files and security events, organizations can
obtain a comprehensive view of their network security posture.

Automation and orchestration techniques can streamline incident response processes. Integrating the
framework with automated response systems or security orchestration platforms enables immediate actions to
mitigate or contain threats, thereby reducing response time and minimizing potential damage. Transfer learning and
federated learning approaches can be explored to enhance network security. Transfer learning utilizes pre-trained
models or knowledge from related domains to improve the accuracy and efficiency of network intrusion
detection. Federated learning enables collaborative model training across different organizations while maintaining
data privacy, resulting in more robust and diverse models.

Real-time visualization and reporting involve the development of interactive and user-friendly techniques to
present network security insights to security analysts and stakeholders. This may include creating dashboards,
graphs, and visual representations that facilitate easy interpretation of network traffic patterns, anomalies, and
detected threats. Continued dataset development efforts are essential to create and maintain updated datasets
that accurately reflect the evolving nature of network traffic and cyber threats. This ensures that the training
data used by the framework remains relevant and representative of real-world scenarios, improving the accuracy
and adaptability of the models.

By pursuing these future research directions, the field of network security can make significant advancements
in addressing emerging challenges and proactively staying ahead of sophisticated cyber threats.

34