Abstract:
While collecting data from network traffic, one can create classifiers that recognise threats, anomalies, or other events. A set of labelled NetFlow records collecting traffic statistics is a very useful source of decision rules that classify the records. These rules can be created automatically using machine learning techniques. However, classifiers learned on such records may recognise only past events and cannot recognise current events, because not all of the data has been collected yet. A deterministic finite automaton is a classifier that can recognise events online. However, such an automaton is hard to design for complex problems. The paper proposes how to convert a decision tree into a deterministic finite automaton. The decision tree learns how to recognise threats using the collected data. Consequently, the set of decision rules is transformed into a finite automaton that can detect events before the full complement of data is collected. The method is limited to small trees, but can solve real problems. As an example, the detection of the TCP SYN flood attack is presented. For that example, the created automaton has the same high accuracy ratio as the decision tree, but can take decisions over three times faster.
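As an added illustration of the idea (not the paper's code, tree or data), the following Python sketch flattens a constructed toy decision tree over NetFlow-style fields into rules and runs them as an online automaton whose state is the set of rules still consistent with the fields seen so far, so it can label a flow as soon as the remaining rules agree. The field names, arrival order and thresholds are assumptions.

```python
# Constructed toy decision tree over NetFlow-style fields (NOT the paper's tree).
# Internal node: (feature, threshold, subtree_if_le, subtree_if_gt); leaf: label.
TREE = ("syn_only", 0.5,                      # SYN set without ACK in the flow?
        "benign",
        ("pkts", 2.5,
         ("bytes", 100.5, "syn_flood", "benign"),
         "benign"))

# Assumed order in which the collector delivers the fields of a record.
FEATURE_ORDER = ["syn_only", "pkts", "bytes", "duration"]

def tree_to_rules(node, conds=()):
    """Flatten the tree into rules: each rule is (conditions, label)."""
    if isinstance(node, str):
        return [(conds, node)]
    feat, thr, left, right = node
    return (tree_to_rules(left, conds + ((feat, "<=", thr),))
            + tree_to_rules(right, conds + ((feat, ">", thr),)))

def holds(cond, value):
    feat, op, thr = cond
    return value <= thr if op == "<=" else value > thr

class EarlyDFA:
    """State = indices of rules still consistent with the fields seen so far."""
    def __init__(self, tree):
        self.rules = tree_to_rules(tree)
        self.reset()

    def reset(self):
        self.alive = list(range(len(self.rules)))
        self.decision = None

    def step(self, feature, value):
        """Consume one field; return a label once every surviving rule agrees."""
        if self.decision is not None:
            return self.decision
        self.alive = [i for i in self.alive
                      if all(holds(c, value) for c in self.rules[i][0] if c[0] == feature)]
        labels = {self.rules[i][1] for i in self.alive}
        if len(labels) == 1:
            self.decision = labels.pop()
        return self.decision

def classify(dfa, record):
    """Feed fields in FEATURE_ORDER; return (label, number of fields consumed)."""
    dfa.reset()
    for n, feat in enumerate(FEATURE_ORDER, 1):
        label = dfa.step(feat, record[feat])
        if label is not None:
            return label, n
    return None, len(FEATURE_ORDER)
```

The second element returned by `classify` shows how many fields the automaton needed, which is where the early-decision speed-up comes from: a flow without a bare SYN is labelled after one field, whereas the decision tree would be evaluated only once the whole record is assembled.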
Keywords:
Automata, Decision trees, Learning automata, Floods, Hardware, Detectors, Computational intelligence