Identifying Malicious Hosts Involved in Periodic Communications Using Machine Learning
Abstract
Network intrusion detection systems still leave considerable room for improvement after years of research. This work presents a novel approach to the automatic and timely analysis of the traffic produced by large networks, which can detect malicious external nodes even when their actions trigger no alarms in the defence mechanisms already in place. Our proposal focuses on periodic communications, since our experimental evaluation indicates that they are more closely associated with harmful activity and that their analysis can be readily integrated with other detection systems. We note that periodic network activity can occur over a wide range of time scales, from seconds to hours; as a result, analysing long time windows of traffic produced by large organisations in a timely manner is challenging. Whereas existing work focuses exclusively on botnet identification, the approach presented here aims to discover external nodes that are likely involved in malicious interactions. Given that network activity linked to malware can be viewed as a rare event within the overall traffic, the output of the proposed method is a manageable Suspected List of external sources whose probability of being malicious is significantly higher than that of the entire set of external nodes contacted by the analysed network. The usefulness of our proposal is demonstrated by a comprehensive evaluation on real traffic from a large network: the method automatically selects only a few dozen suspect hosts out of many thousands, allowing network administrators to focus their analysis on a small number of likely hostile targets.
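The following is an added illustration of the kind of pipeline the abstract describes, not the authors' code: the abstract does not specify their features or classifier, so this example replaces the machine-learning model with a simple inter-arrival-time regularity score, groups flow records by (internal host, external host) pair, and emits a ranked suspect list. The flow records, the minimum event count, the score threshold and the list size are all assumptions made here; the IP addresses are documentation-range placeholders. Because the score is a ratio of the standard deviation to the mean of the intervals, a 30-second and a 6-hour beacon are treated alike, which is what lets one pass cover the seconds-to-hours range the abstract mentions. Legitimate periodic services (time sync, update checks, monitoring agents) score just as high, so the output is a triage list for an analyst, not a verdict.

```python
# Added illustration: a scale-free periodicity score over flow records that
# ranks external hosts for analyst review. This is NOT the paper's model; it
# uses a simple inter-arrival-time regularity score in place of the authors'
# machine-learning classifier. All flows below are constructed sample data.
from collections import defaultdict
from statistics import mean, pstdev


def _beacon(internal, external, start, period, count, jitter=0.0):
    """Constructed flows: `count` connections every `period` seconds,
    with `jitter` seconds added to every other one."""
    return [(start + i * period + (jitter if i % 2 else 0.0), internal, external)
            for i in range(count)]


# (timestamp in seconds, internal host, external host) -- constructed, not captured
SAMPLE_FLOWS = (
    _beacon("10.0.0.5", "203.0.113.7", 0, 300, 12, jitter=4.0)   # every 5 min, small jitter
    + _beacon("10.0.0.9", "198.51.100.20", 100, 3600, 8)         # exactly hourly
    + [(t, "10.0.0.5", "192.0.2.44")                             # irregular browsing
       for t in (3, 47, 58, 410, 415, 1200, 1207, 2500, 2510, 2990)]
    + [(5, "10.0.0.7", "192.0.2.99"), (9000, "10.0.0.7", "192.0.2.99")]  # too few to judge
)

MIN_EVENTS = 5  # assumed minimum; fewer connections give no usable interval statistics


def periodicity_score(timestamps, min_events=MIN_EVENTS):
    """Return (score, estimated_period_seconds) or None if too few events.

    score = 1 - stdev(intervals) / mean(intervals), clipped to [0, 1].
    Being a ratio, it is independent of the absolute period, so a single
    pass handles beacons from seconds to hours.
    """
    ts = sorted(timestamps)
    if len(ts) < min_events:
        return None
    intervals = [b - a for a, b in zip(ts, ts[1:])]
    avg = mean(intervals)
    if avg <= 0:  # only duplicate timestamps; nothing periodic to measure
        return None
    score = 1.0 - pstdev(intervals) / avg
    return (max(0.0, min(1.0, score)), avg)


def rank_external_hosts(flows, min_events=MIN_EVENTS):
    """Score every (internal, external) pair, keep the best-scoring channel
    per external host and return [(external, internal, score, period)]
    sorted best-first."""
    per_pair = defaultdict(list)
    for ts, internal, external in flows:
        per_pair[(internal, external)].append(ts)
    best = {}
    for (internal, external), ts in per_pair.items():
        result = periodicity_score(ts, min_events)
        if result is None:
            continue
        score, period = result
        if external not in best or score > best[external][1]:
            best[external] = (internal, score, period)
    return sorted(((ext, i, s, p) for ext, (i, s, p) in best.items()),
                  key=lambda row: row[2], reverse=True)


def suspected_list(flows, threshold=0.8, top=50):
    """The analyst-facing output: at most `top` external hosts whose most
    regular channel scores at or above `threshold` (both values assumed)."""
    return [row for row in rank_external_hosts(flows) if row[2] >= threshold][:top]


if __name__ == "__main__":
    for external, internal, score, period in suspected_list(SAMPLE_FLOWS):
        print(f"{external:16} via {internal:10} score={score:.3f} period~{period:.0f}s")
```

On the constructed data the hourly and five-minute beacons land on the list and the irregular browsing host does not; the host with only two connections is never scored, which is the conservative choice, since two events cannot distinguish a period from a coincidence. In a real deployment the score would be one feature among several (bytes per connection, destination reputation, first-seen time) rather than the sole ranking key.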