APPLYING MACHINE LEARNING METHODS TO DETECT ATTACKS IN A CORPORATE NETWORK BASED ON FLOW FEATURES

Abstract

Detecting malicious network activity in corporate information resources using statistical traffic flow characteristics is a practically important task, since detection effectiveness is determined not only by overall accuracy but also by the ratio of false alarms to missed attacks, which directly affects the workload of security operators and the level of residual risk for an organization. This paper presents an approach to attack detection in network connection streams based on flow features using tree-based machine learning methods and analyzes their behavior across different threat classes within a single reproducible experimental protocol. The experimental study employs the CSE-CIC-IDS2018 dataset with features extracted by CICFlowMeter and formulates a binary classification problem of benign versus attack for three malicious activity scenarios covering botnet activity, volumetric DDoS attacks (HOIC, LOIC-UDP), and web attacks (Brute Force-Web, Brute Force-XSS, SQL Injection). A comparison of Decision Tree and Random Forest models is implemented with class balancing and fixed train–test split parameters to ensure a consistent evaluation across different attack types. Performance is assessed using the confusion matrix and derived metrics for the attack class, including precision and recall, as well as an analysis of absolute FP and FN values, which are most informative in the presence of rare attacks. The obtained results demonstrate an almost complete separation between benign and attack classes for Bot and DDoS, which is consistent with the presence of pronounced traffic patterns and high class separability in the feature space. For web attacks, a fundamentally different error profile is observed: the Decision Tree achieves higher detection completeness at the cost of an increased number of false alarms and reduced alert precision, whereas the Random Forest produces substantially more precise alerts while increasing the number of missed attacks. It is shown that the choice of a detection method should account for the attack type, class imbalance, and the acceptable trade-off between false alarms and missed detections, and that result interpretation should rely on metrics that reflect operational consequences for corporate network monitoring systems.