Unusual internet traffic detection at network edge

Network administrators ensure that all the users within network get fair share of bandwidth, any bandwidth limit violations is identified and provide some additional controls like denied access to particular websites, etc. To achieve this, network administrators monitor all the traffic between the LAN in campus-wide network and the outside Internet world. This monitoring is typically achieved by capturing and analyzing the traffic logs at the Proxy Server, installed between the LAN and the outside Internet. However, this monitoring is primarily statistical in nature and provides no significant actionable results. In our work we have made an attempt to provide a method for intelligent actionable information to network administrators by analyzing and predicting the Internet access behavior at network layer using machine learning algorithms. By network layer we mean that we focus on characterizing traffic at IP address level. For our study we have collected squid proxy server logs and performed analysis of various features of network traffic at network and user level. We estimate the most probable range of values for the various features and determine IP addresses deviating from the normal network access feature values. Thereafter, we have applied four different supervised machine learning algorithms on our labelled dataset and compared these algorithms on various classification matrices like TP, FP, TN and FN. Our results show that Decision Tree and Random Forest give an overall accuracy close to 95%, whereas Naive Bayes and SVM resulted in an overall accuracy of around 85%.