Abstract
Network intrusion detection systems (IDSs) typically analyze complete network flows to identify malicious traffic, so a flow must end before it can be classified. This creates detection delays for attacks such as Slowloris, which deliberately keep connections open for extended periods of time. This paper introduces a novel approach that classifies network traffic using only features available from the first few packets of a flow, enabling faster detection while maintaining high accuracy. We evaluate three random forest models on the CICIDS2017 dataset using expanding feature sets: a first-packet model trained on features available from the first backward packet, a few-packet model that adds features estimable from the first few packets of a flow, and a full-flow model using all features in the dataset as a reference. Our few-packet model achieves 99.64% accuracy, 99.80% precision, and 99.64% recall, comparable to state-of-the-art approaches that use full-flow information, while enabling significantly faster detection. The approach is particularly effective against slow-rate DoS attacks, achieving F1 scores above 99% for both Slowloris and Slowhttptest traffic. At a false positive rate of 0.01%, the model maintains a 99.17% true positive rate. These results demonstrate that carefully selected early-flow features can provide effective intrusion detection without sacrificing accuracy.
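The latency argument in the abstract can be made concrete with a small streaming flow tracker that emits one feature vector after the first k packets and another only when the flow ends (FIN from both sides, RST, or idle timeout). The code below is an added illustration, not the paper's code or its feature set: the packet record layout, the feature names (first backward packet length, packet counts, inter-arrival statistics), the value of k, the idle timeout and the two constructed flows (a Slowloris-like flow that drips partial header lines every 15 seconds, and a benign request/response flow) are all assumptions made for the example.

```python
"""Streaming flow tracker that emits a feature vector after the first k packets
(early decision) and again when the flow ends (full-flow decision). Added
illustration only; packet layout, flow generators and feature names are
constructed assumptions, not the paper's."""
from dataclasses import dataclass, field

# Constructed packet record: (ts_s, src_ip, src_port, dst_ip, dst_port, length, tcp_flags)


@dataclass
class FlowState:
    client: tuple                        # (ip, port) that sent the first packet
    pkts: list = field(default_factory=list)
    fins: set = field(default_factory=set)
    early_emitted: bool = False


def _direction(flow, pkt):
    return "fwd" if (pkt[1], pkt[2]) == flow.client else "bwd"


def flow_features(flow):
    """Features computable from whatever packets the flow holds so far: on the
    first k packets this is the few-packet view, on all packets the full view."""
    ts = [p[0] for p in flow.pkts]
    fwd = [p for p in flow.pkts if _direction(flow, p) == "fwd"]
    bwd = [p for p in flow.pkts if _direction(flow, p) == "bwd"]
    iats = [b - a for a, b in zip(ts, ts[1:])]
    return {
        "first_bwd_len": bwd[0][5] if bwd else 0,   # the first-packet model's input
        "fwd_pkts": len(fwd),
        "bwd_pkts": len(bwd),
        "mean_fwd_len": sum(p[5] for p in fwd) / max(len(fwd), 1),
        "mean_iat": sum(iats) / max(len(iats), 1),
        "max_iat": max(iats) if iats else 0.0,
        "duration": ts[-1] - ts[0],
    }


class FlowTracker:
    def __init__(self, k=5, idle_timeout=120.0):
        self.k, self.idle_timeout = k, idle_timeout
        self.flows = {}
        self.early_events = []   # (decision_ts, key, features) after k packets
        self.full_events = []    # (decision_ts, key, features) at FIN/RST/timeout

    @staticmethod
    def key(pkt):
        return tuple(sorted([(pkt[1], pkt[2]), (pkt[3], pkt[4])]))

    def feed(self, pkt):
        k = self.key(pkt)
        flow = self.flows.get(k)
        if flow is None:
            flow = self.flows[k] = FlowState(client=(pkt[1], pkt[2]))
        flow.pkts.append(pkt)
        # An early decision needs at least one backward packet (the server replied).
        if (not flow.early_emitted and len(flow.pkts) >= self.k
                and any(_direction(flow, p) == "bwd" for p in flow.pkts)):
            flow.early_emitted = True
            self.early_events.append((pkt[0], k, flow_features(flow)))
        if "F" in pkt[6]:
            flow.fins.add(_direction(flow, pkt))
        if "R" in pkt[6] or len(flow.fins) == 2:
            self._close(k, pkt[0])

    def _close(self, k, ts):
        flow = self.flows.pop(k)
        self.full_events.append((ts, k, flow_features(flow)))

    def expire(self, now):
        """A full-flow extractor sees a never-closed Slowloris flow only on idle timeout."""
        for k, flow in list(self.flows.items()):
            if now - flow.pkts[-1][0] > self.idle_timeout:
                self._close(k, now)


def slowloris_flow(client, server, start=0.0, n_partial=20, gap=15.0):
    """Constructed Slowloris-like flow: handshake, then one partial header line
    every `gap` seconds, never completing the request and never sending FIN."""
    pkts = [(start, *client, *server, 60, "S"),
            (start + 0.01, *server, *client, 60, "SA"),
            (start + 0.02, *client, *server, 52, "A")]
    t = start + 0.05
    for _ in range(n_partial):
        pkts += [(t, *client, *server, 80, "PA"), (t + 0.02, *server, *client, 52, "A")]
        t += gap
    return pkts


def http_flow(client, server, start=0.0):
    """Constructed benign request/response flow closed by FIN from both sides."""
    c2s, s2c = (*client, *server), (*server, *client)
    return [(start, *c2s, 60, "S"), (start + 0.01, *s2c, 60, "SA"),
            (start + 0.02, *c2s, 52, "A"), (start + 0.03, *c2s, 300, "PA"),
            (start + 0.05, *s2c, 1460, "PA"), (start + 0.06, *c2s, 52, "A"),
            (start + 0.07, *s2c, 52, "FA"), (start + 0.08, *c2s, 52, "FA")]


def detection_latency(pkts, k=5, idle_timeout=120.0):
    """Seconds from the first packet until the early and the full-flow feature
    vectors of the single flow in `pkts` become available to a classifier."""
    tr = FlowTracker(k=k, idle_timeout=idle_timeout)
    for p in pkts:
        tr.feed(p)
    tr.expire(pkts[-1][0] + idle_timeout + 1)   # flush anything still open
    t0 = pkts[0][0]
    early = tr.early_events[0] if tr.early_events else None
    full = tr.full_events[0] if tr.full_events else None
    return {"early_s": early[0] - t0 if early else None,
            "full_s": full[0] - t0 if full else None,
            "early_features": early[2] if early else None}


if __name__ == "__main__":
    c, s = ("10.0.0.5", 40000), ("10.0.0.1", 80)
    print("slowloris:", detection_latency(slowloris_flow(c, s)))
    print("http:", detection_latency(http_flow(c, s)))
```

For the constructed Slowloris flow the early vector is ready a few tens of milliseconds after the SYN, while the full-flow vector only appears once the connection idles out, several minutes later. One caveat the window size k exposes: with k=5 the first 15-second gap is not yet inside the window, so the inter-arrival features look benign and the decision rests on what the first backward packet and handshake sizes reveal; with k=7 the gap is in the window and max_iat alone flags the flow. Choosing k is therefore a trade-off between latency and how much of the slow-rate signature the classifier gets to see.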
Faculty Advisor/Mentor
Ayan Roy
Document Type
Paper
Disciplines
Cybersecurity
DOI
10.25777/etd9-8w46
FIDS: Accelerating Network Intrusion Detection Through Strategic Feature Selection