Machine-Learning-based real-time Network-Intrusion-Detection-Systems
In the field of network security, the detection of intrusions is an important task to prevent and analyse attacks.
In recent years, an increasing number of works have been published on this subject that perform this detection using machine learning techniques.
Not only the well-studied detection of intrusions but also the real-time capability must be considered.
This thesis addresses the real-time functionality of machine learning based network intrusion detection.
For this purpose we introduce the network feature generator library PyNetFlowGen, which is designed to allow real-time processing of network data.
This library generates 83 statistical features based on reassembled data flows.
The introduced performant Cython implementation allows processing individual packets within 4.58 microseconds.
Based on the generated features, machine learning models were examined with regard to their runtime and real-time capabilities.
The selected Decision-Tree-Classifier model created in Python was further optimised by transpiling it into C code, which reduced the prediction time of a single sample to 3.96 microseconds on average.
Based on the feature generator and the machine learning model, a basic IDS was implemented, which allows a data throughput between 63.7 Mbit/s and 2.5 Gbit/s.…
Document Type: | Bachelor Thesis |
---|---|
Citation link: | https://opus.hs-offenburg.de/4168 |
Bibliographic information | |
Title (English): | Machine-Learning-based real-time Network-Intrusion-Detection-Systems |
Author: | Dominik Binder |
Advisor: | Andreas Schaad, Dirk Westhoff |
Year of Publication: | 2020 |
Publishing Institution: | Hochschule Offenburg |
Granting Institution: | Hochschule Offenburg |
Place of publication: | Offenburg |
Page Number: | v, 81, xiv |
Language: | English |
Content information | |
Institutes: | Fakultät Medien und Informationswesen (M+I) (until 21.04.2021) |
Collections of the Offenburg University: | Theses / Bachelor's programmes / UNITS |
DDC classes: | 000 Generalities, computer science, information science |
Tag: | IDS; Intrusion Detection; Machine learning; Network-Intrusion-Detection; real-time |
Formal information | |
Open Access: | Closed Access |
SWB-ID: | 1788914260 |