Network Traffic Classification Using Dynamic State Classifier

Our earlier work on uninterrupted learning using soft FSM (Yeophantong and Moemeng, 2004) has introduced an approach for allowing a system to learn to recognise new events, events that have never been observed by the system before, without having to shut the system down for an extensive training session. Soft FSM later evolved into dynamic state classifier (DSC) (Yeophantong et al., 2004), where the machine learns to construct new states while simultaneously performing its normal operations. New state construction occurs every time a new event signature is received, and the set of weighted final states are adjusted accordingly. In this paper, we investigate the use of DSC in the application domain of intrusion detection, where various network behaviors are classified. Network traffic data sets are obtained and fed to a sequence of DSC, forming clusters of network behaviors. These cluster are then mapped to the sets of behaviors as identified in network traffic data. The results show clusters of behaviors that are similar to those obtained through human classification, with the added advantage of being able to dynamically form new clusters and recognize them while the system is at work