FlowHacker: Detecting Unknown Network Attacks in Big Traffic Data Using Network Flows

Traditional Network Intrusion Detection Systems (NIDSs) inspect the payload of the packets looking for known intrusion signatures or deviations from normal behavior, but inspecting traffic at the current speed of Internet Service Provider (ISP) networks is difficult or even unfeasible. This paper presents an approach to detect malicious traffic and identify malicious hosts by inspecting flows, leveraging a combination of unsupervised machine learning and threat intelligence, without requiring either previous knowledge about attacks or traffic without attacks. The approach was implemented in the FlowHacker NIDS and evaluated with two kinds of traffic flows: synthetic traffic flows and real ISP traffic flows.