Question

I am working on a project wherein I want to implement unsupervised learning on network packets to monitor new attacks. I have planned to use K-means clustering for that. I have therefore installed Wireshark in order to capture packets. Please help me to determine the parameters on which I can apply clustering and the further approach, and to determine if it were an attack, e.g. a DDoS attack!


Solution

Unsupervised clustering will partition your packets into K groups; will the potential attack packets stand out in some way because they will have different features? K-means algorithms typically force you to specify K up front, which may not be optimal. There is a library called JavaML, and there is a clustering method called Cobweb that will generate K clusters based on the data (it figures out how many Ks to make based on your vectors).

Another thought I have is, if the unsupervised clustering separates the data and attack packets actually end up in their own cluster (generally), you could then take those packets and create a classifier out of them (like Bayes or something). This way you don't have to run the clustering on everything every time to get some clusters; you can classify incoming packets based on supervised learning from the model you created from the unsupervised clustering.

I do something similar to this for document clustering on a very large corpus of unstructured text.

HTH
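The cluster-then-classify pipeline the answer describes, as an added example that is not code from the original answer: constructed per-window packet statistics, a deterministic K-means with K fixed up front, and a nearest-centroid classifier standing in for the Bayes classifier mentioned (the feature choice and sample values are assumptions).

```python
"""Cluster per-window packet summaries with k-means, then classify new windows
against the learned centroids. Added example; not code from the original answer.
Nearest-centroid stands in for the Bayes classifier the answer mentions."""
from math import dist

# Constructed sample, one row per 1-second capture window, as a defender could
# derive from a tshark export: (packet count, unique source IPs, mean bytes).
WINDOWS = [
    (55, 6, 780), (62, 8, 640), (48, 5, 910), (71, 9, 700), (59, 7, 820),
    (6400, 1050, 64), (7100, 1180, 72), (5900, 960, 60), (6800, 1100, 68),
]

def scale(row, lo, hi):
    """Min-max scale one row so raw packet counts do not dominate the distance."""
    return tuple((v - l) / (h - l) if h > l else 0.0 for v, l, h in zip(row, lo, hi))

def kmeans(points, k=2, iters=100):
    """Lloyd's algorithm, seeded deterministically: first point, then the point
    farthest from the centroids chosen so far (K is still fixed up front)."""
    centroids = [points[0]]
    while len(centroids) < k:
        centroids.append(max(points, key=lambda p: min(dist(p, c) for c in centroids)))
    labels = []
    for _ in range(iters):
        labels = [min(range(k), key=lambda i: dist(p, centroids[i])) for p in points]
        new = []
        for i in range(k):
            members = [p for p, lab in zip(points, labels) if lab == i]
            new.append(tuple(sum(x) / len(members) for x in zip(*members)) if members else centroids[i])
        if new == centroids:  # assignments stable, converged
            break
        centroids = new
    return centroids, labels

def build_model(rows, k=2):
    """Unsupervised step: learn scaling bounds and centroids from captured windows."""
    lo = [min(c) for c in zip(*rows)]
    hi = [max(c) for c in zip(*rows)]
    centroids, labels = kmeans([scale(r, lo, hi) for r in rows], k)
    return {"lo": lo, "hi": hi, "centroids": centroids, "labels": labels}

def classify(model, row):
    """Supervised-style step: assign a new window to the nearest learned centroid
    without re-running clustering over the whole capture."""
    p = scale(row, model["lo"], model["hi"])
    return min(range(len(model["centroids"])), key=lambda i: dist(p, model["centroids"][i]))
```

Which cluster is "the attack" still has to be decided by an analyst inspecting the centroids (here the high packet-rate, high source-count, small-packet one); the clustering only separates, it does not name.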

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow