Supporting features for flow-level packet analysis towards cyber threat detection: a pilot study

2021 
Thousands of new threats and threat categories emerge every second in cyberspace, even as known threats keep adapting robustly to existing solutions, thus challenging modern approaches to threat detection. While many contemporary detection solutions continue to rely largely on flow-level packet analysis, monitoring trends and patterns of activity in supporting flow features of interest, little attention has been paid to whether such supporting flow features still present an effective means of reaching accurate conclusions about imminent or ongoing cyber threat incidents, especially in light of the rapidly evolving threat landscape. Hence, this pilot study reinvestigates four supporting flow features commonly used in modern threat detection solutions, namely flow packet count, flow packet throughput (bytes/s), flow packet throughput (packets/s) and average flow packet size (bytes), to verify their continued relevance for cyber threat detection. The study adopts the methodology of data simulation with descriptive infographic analysis using the UNSW-NB15 dataset.
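As an added illustration (not code from the paper), the following Python computes the four supporting flow features named above from a constructed packet trace, using a bidirectional 5-tuple as the flow key; the key definition, the sample packets and the zero-duration handling are assumptions, not the UNSW-NB15 feature definitions.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class FlowFeatures:
    packet_count: int        # flow packet count
    byte_rate: float         # flow packet throughput, bytes/s
    packet_rate: float       # flow packet throughput, packets/s
    avg_packet_size: float   # average flow packet size, bytes


def flow_key(src, dst, sport, dport, proto):
    # Assumed bidirectional key: order the endpoints so both directions
    # of a conversation land in the same flow record.
    return (proto,) + tuple(sorted([(src, sport), (dst, dport)]))


# Constructed sample trace: (timestamp_s, src, dst, sport, dport, proto, bytes)
PACKETS = [
    (0.000, "10.0.0.5", "10.0.0.9", 40001, 80, "tcp", 74),
    (0.010, "10.0.0.9", "10.0.0.5", 80, 40001, "tcp", 74),
    (0.012, "10.0.0.5", "10.0.0.9", 40001, 80, "tcp", 66),
    (0.020, "10.0.0.5", "10.0.0.9", 40001, 80, "tcp", 300),
    (0.500, "10.0.0.9", "10.0.0.5", 80, 40001, "tcp", 1486),
    (1.000, "10.0.0.5", "10.0.0.9", 40002, 22, "tcp", 60),   # lone packet
]


def extract_flow_features(packets):
    """Group packets into flows and derive the four features per flow."""
    groups = defaultdict(list)
    for ts, src, dst, sport, dport, proto, length in packets:
        groups[flow_key(src, dst, sport, dport, proto)].append((ts, length))
    features = {}
    for key, recs in groups.items():
        recs.sort()                      # order by timestamp
        count = len(recs)
        total_bytes = sum(length for _, length in recs)
        duration = recs[-1][0] - recs[0][0]
        # A single-packet flow has zero duration, so throughput is undefined;
        # report 0.0 instead of dividing by zero so the feature stays usable.
        byte_rate = total_bytes / duration if duration > 0 else 0.0
        packet_rate = count / duration if duration > 0 else 0.0
        features[key] = FlowFeatures(count, byte_rate, packet_rate, total_bytes / count)
    return features


if __name__ == "__main__":
    for key, f in extract_flow_features(PACKETS).items():
        print(key, f)
```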