Network traffic classification with Self Organizing Maps

Anomaly detection in network traffic is one of the most challenging topics in the study of computer science and networking. This paper introduces a classification method for analyzing network traffic behavior. In order to distinguish the normal traffic with well-known anomalies such as port scanning and DOS attacks, Self Organizing Maps (SOMs), one of the well- known artificial neural network architecture, is used. The measurement of traffic is performed by using Simple Network Management Protocol (SNMP). In this work, it is proposed a SOM-based classifier to discriminate three types of network traffic as port scanning, heavy-download and the rests. It is worth to mention that impressively satisfactory results have been obtained. The method has also been enhanced to obtain better results by trying to find trajectories on the map with sliding the input vectors in time and developed an alarm mechanism. Here it is possible to detect whether consecutive trajectories are hit by one of the classes or not. The success rate of the system is approximate to certain.