Algorithm for Detection and Classification of Anomalies in the Traffic of Electronic Network Resources
Abstract
This study addresses the challenge of detecting and classifying advanced cyber threats, including distributed denial-of-service (DDoS) and Stealth Attacks, in complex network environments. We propose a hybrid approach that combines machine learning models with a rule-based classifier to improve anomaly detection accuracy. The method uses Random Forest, Gradient Boosting, and Linear Regression to predict normal traffic volume with high precision (R² = 0.99, MSE = 0.000085). Key features include request rate, traffic volume, source IP entropy, flow duration, and protocol diversity. A deviation threshold of 0.5 standard deviations from the predicted values effectively identifies anomalies under dynamic conditions. For classification, we introduce a rule-based system that uses thresholds, such as a request rate exceeding 100 requests per second for DDoS attacks or a source IP entropy of approximately 0.6907 for Stealth Attacks. This classifier identifies six types of anomalies: DDoS, Slow, Volumetric, Service Outage, Application Layer, and Stealth Attacks. The experimental results demonstrate the effectiveness of our hybrid approach. Compared to existing methods, it achieves higher F1-scores (0.97-1.00) across most attack types. Additionally, it correctly classifies 91% of real traffic (1,246,311 packets) as normal in a synthetic dataset containing 9,660 flows. The proposed method demonstrates strong performance in terms of precision, recall, and computational efficiency, making it suitable for real-time network monitoring.
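As an added illustration, not code from the paper, the following Python shows the two-stage logic the abstract describes: the 0.5-standard-deviation deviation test against a predicted volume, followed by the two classification rules it quotes (request rate above 100 requests per second for DDoS, source IP entropy of about 0.6907 for Stealth Attacks). The Shannon-entropy definition, the 0.01 tolerance around 0.6907, the flow fields, and the predicted-volume and residual-sigma inputs standing in for the trained regression models are assumptions; the sample flows are constructed, and the other four attack classes are left unclassified because the abstract gives no thresholds for them.

```python
import math
from collections import Counter

# Thresholds stated in the abstract
DDOS_RATE_THRESHOLD = 100.0   # requests per second
STEALTH_ENTROPY = 0.6907      # source IP entropy associated with Stealth Attacks
DEVIATION_SIGMAS = 0.5        # anomalous when |actual - predicted| > 0.5 standard deviations
# Assumed tolerance for matching the Stealth entropy value (not given in the abstract)
STEALTH_TOLERANCE = 0.01


def source_ip_entropy(src_ips):
    """Shannon entropy in bits of the source IP distribution (assumed definition)."""
    n = len(src_ips)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(src_ips).values())


def is_anomalous(actual_volume, predicted_volume, residual_sigma):
    """Deviation test. predicted_volume stands in for the regression models' output;
    residual_sigma is the standard deviation of their residuals on normal traffic."""
    return abs(actual_volume - predicted_volume) > DEVIATION_SIGMAS * residual_sigma


def classify(flow, predicted_volume, residual_sigma):
    """Return 'Normal', 'DDoS', 'Stealth Attack' or 'Anomaly (unclassified)'.
    Only the two rules quoted in the abstract are implemented."""
    if not is_anomalous(flow["bytes"], predicted_volume, residual_sigma):
        return "Normal"
    rate = flow["requests"] / flow["duration_s"] if flow["duration_s"] > 0 else float("inf")
    if rate > DDOS_RATE_THRESHOLD:
        return "DDoS"
    if abs(source_ip_entropy(flow["src_ips"]) - STEALTH_ENTROPY) <= STEALTH_TOLERANCE:
        return "Stealth Attack"
    return "Anomaly (unclassified)"


# Constructed sample flows (not from the paper's dataset). The stealth flow's
# 37/163 split over two source IPs gives an entropy of about 0.6909 bits.
PREDICTED_BYTES, RESIDUAL_SIGMA = 50_000.0, 4_000.0
SAMPLE_FLOWS = {
    "normal": {"duration_s": 10.0, "requests": 300, "bytes": 51_200,
               "src_ips": ["10.0.0.%d" % i for i in range(20)] * 15},
    "ddos": {"duration_s": 2.0, "requests": 5_000, "bytes": 400_000,
             "src_ips": ["198.51.100.%d" % (i % 200) for i in range(5_000)]},
    "stealth": {"duration_s": 60.0, "requests": 200, "bytes": 30_000,
                "src_ips": ["203.0.113.7"] * 37 + ["203.0.113.9"] * 163},
}

if __name__ == "__main__":
    for name, flow in SAMPLE_FLOWS.items():
        print(name, "->", classify(flow, PREDICTED_BYTES, RESIDUAL_SIGMA))
```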