Utilização de algoritmos de agrupamento para detecção de anomalias em redes de computadores

Abstract

Network anomalies are frequent, unexpected and sudden deviations in data traffic. They may indicate a user spike, a system malfunction, or a cyberattack. One of the methods for anomaly detection is the use of clustering algorithms. These algorithms aim to group a dataset so that each cluster is distinguishable in relation to the others. With the intent of mitigating malicious agents’ attacks and better comprehending the network anomaly detection process, this paper presents a study of three clustering algorithms (k-Means, MCL and k-Shape), being used for detecting and classifying the anomalies, a network analysis branch in which the MCL and k-Shape algorithms have not been used before. After training and selecting the best hyperparameters, it was concluded that, considering the three implementations used, despite the MCL algorithm having obtained the best result in detecting benign events and the k-Shape having obtained the best accuracy, the k-Means algorithm is the best option, as it achieved an accuracy similar to k-Shape and a runtime more than ten times shorter.