Open Access Article

Classification of Firewall Logs Using Supervised Machine Learning Algorithms

Hajar Esmaeil As-Suhbani, S.D. Khamitkar

Section: Research Paper, Product Type: Journal Paper
Volume-7 , Issue-8 , Page no. 301-304, Aug-2019

CrossRef-DOI:   https://doi.org/10.26438/ijcse/v7i8.301304

Online published on Aug 31, 2019

Copyright © Hajar Esmaeil As-Suhbani, S.D. Khamitkar. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.


How to Cite this Paper


IEEE Style Citation: Hajar Esmaeil As-Suhbani, S.D. Khamitkar, “Classification of Firewall Logs Using Supervised Machine Learning Algorithms,” International Journal of Computer Sciences and Engineering, Vol.7, Issue.8, pp.301-304, 2019.

MLA Style Citation: Hajar Esmaeil As-Suhbani, S.D. Khamitkar "Classification of Firewall Logs Using Supervised Machine Learning Algorithms." International Journal of Computer Sciences and Engineering 7.8 (2019): 301-304.

APA Style Citation: Hajar Esmaeil As-Suhbani, S.D. Khamitkar, (2019). Classification of Firewall Logs Using Supervised Machine Learning Algorithms. International Journal of Computer Sciences and Engineering, 7(8), 301-304.

BibTex Style Citation:
@article{As-Suhbani_2019,
  author    = {Hajar Esmaeil As-Suhbani and S.D. Khamitkar},
  title     = {Classification of Firewall Logs Using Supervised Machine Learning Algorithms},
  journal   = {International Journal of Computer Sciences and Engineering},
  volume    = {7},
  number    = {8},
  month     = aug,
  year      = {2019},
  issn      = {2347-2693},
  pages     = {301--304},
  url       = {https://www.ijcseonline.org/full_paper_view.php?paper_id=4827},
  doi       = {10.26438/ijcse/v7i8.301304},
  publisher = {IJCSE, Indore, INDIA},
}

RIS Style Citation:
TY  - JOUR
DO  - 10.26438/ijcse/v7i8.301304
UR  - https://www.ijcseonline.org/full_paper_view.php?paper_id=4827
TI  - Classification of Firewall Logs Using Supervised Machine Learning Algorithms
T2  - International Journal of Computer Sciences and Engineering
AU  - As-Suhbani, Hajar Esmaeil
AU  - Khamitkar, S.D.
PY  - 2019
DA  - 2019/08/31
PB  - IJCSE, Indore, INDIA
SP  - 301
EP  - 304
IS  - 8
VL  - 7
SN  - 2347-2693
ER  - 


Abstract

Most operating system services and network devices, such as firewalls, generate huge amounts of network data in the form of logs and alarms. These log files can be used for network supervision and debugging. One important function of log files is to record security-related or debug information, for example error messages and unsuccessful authentication attempts. In this study, 500,000 instances generated with Snort and TWIDS were examined using 6 features. The Action attribute was selected as the class attribute, with "Allow" and "Drop" as its class values. The firewall log dataset is analyzed and the features are fed to machine learning classifiers, namely Naive Bayes, kNN, OneR and J48, using Spark in the Weka tool. In addition, we compare the classification performance of these algorithms in terms of Accuracy, F-measure and ROC values.
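The set-up the abstract describes, a handful of categorical features per log line with the firewall's Action as the class attribute, is shown below as an added worked example; it is not code from the paper and does not use the authors' Snort/TWIDS dataset or Weka. It parses constructed log lines in an assumed key=value format, derives six categorical features (the feature names, the 10.0.0.0/8 "internal" convention and the port and byte buckets are all assumptions made here), trains a from-scratch OneR classifier, one of the four algorithms the abstract names, and reports Accuracy and F-measure under leave-one-out cross-validation. OneR produces no score, so ROC is not computed here. The point a practitioner should take from it: the Allow/Drop label is the firewall's own policy decision, so the classifier learns to reproduce the rule base, not to tell malicious traffic from benign; the misclassified lines are exactly the ones where the policy departs from the dominant pattern.

```python
"""Allow/Drop classification of firewall log lines with a OneR classifier.

Added example, not code from the paper: the dataset, log format, feature set
and evaluation below are all constructed here. It mirrors the abstract's
set-up (categorical features, the firewall Action as class attribute,
accuracy and F-measure as metrics) with a from-scratch OneR so it runs offline.
"""
import re
from collections import Counter, defaultdict

# Constructed sample log lines (assumed key=value format; NOT the paper's
# Snort/TWIDS dataset). 10.0.0.0/8 plays the internal network here.
SAMPLE_LOGS = """\
proto=tcp src=10.0.0.5:51234 dst=203.0.113.9:443 bytes=1200 action=Allow
proto=tcp src=10.0.0.7:51800 dst=203.0.113.9:80 bytes=800 action=Allow
proto=udp src=10.0.0.5:53201 dst=10.0.0.1:53 bytes=90 action=Allow
proto=tcp src=198.51.100.4:40001 dst=10.0.0.5:23 bytes=60 action=Drop
proto=tcp src=198.51.100.4:40002 dst=10.0.0.5:445 bytes=60 action=Drop
proto=udp src=198.51.100.9:1025 dst=10.0.0.5:161 bytes=120 action=Drop
proto=tcp src=10.0.0.8:52000 dst=203.0.113.20:443 bytes=3000 action=Allow
proto=icmp src=198.51.100.12:0 dst=10.0.0.5:0 bytes=64 action=Drop
proto=tcp src=198.51.100.4:40003 dst=10.0.0.5:3389 bytes=60 action=Drop
proto=tcp src=10.0.0.9:52111 dst=203.0.113.9:22 bytes=500 action=Allow
proto=tcp src=198.51.100.30:44000 dst=10.0.0.5:443 bytes=900 action=Allow
"""

LINE_RE = re.compile(
    r"proto=(?P<proto>\w+) src=(?P<sip>[\d.]+):(?P<sport>\d+) "
    r"dst=(?P<dip>[\d.]+):(?P<dport>\d+) bytes=(?P<bytes>\d+) action=(?P<action>\w+)"
)

# Six assumed categorical features; declared order is also the OneR tie-break.
FEATURES = ("src_internal", "dst_internal", "proto",
            "src_port_class", "dst_port_class", "bytes_class")


def port_class(port):
    """IANA-style port bucket: system (<1024), registered (<49152), dynamic."""
    return "system" if port < 1024 else "registered" if port < 49152 else "dynamic"


def parse_line(line):
    """Turn one log line into (dict of six categorical features, class label)."""
    m = LINE_RE.fullmatch(line.strip())
    if m is None:
        raise ValueError(f"unparseable log line: {line!r}")
    nbytes = int(m["bytes"])
    features = {
        "src_internal": "yes" if m["sip"].startswith("10.") else "no",
        "dst_internal": "yes" if m["dip"].startswith("10.") else "no",
        "proto": m["proto"],
        "src_port_class": port_class(int(m["sport"])),
        "dst_port_class": port_class(int(m["dport"])),
        "bytes_class": "small" if nbytes < 256 else "medium" if nbytes < 2048 else "large",
    }
    return features, m["action"]


def parse_logs(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def train_oner(rows):
    """OneR: build one rule per feature (value -> majority class) and keep the
    feature whose rule makes the fewest training errors. Majority ties resolve
    to 'Drop' (fail closed), a choice made for this example."""
    best = None
    for feat in FEATURES:
        table = defaultdict(Counter)
        for x, y in rows:
            table[x[feat]][y] += 1
        rule = {v: max(c, key=lambda k: (c[k], k)) for v, c in table.items()}
        errors = sum(sum(c.values()) - c[rule[v]] for v, c in table.items())
        if best is None or errors < best[2]:
            best = (feat, rule, errors)
    default = max(Counter(y for _, y in rows).items(), key=lambda kv: (kv[1], kv[0]))[0]
    return {"feature": best[0], "rule": best[1], "default": default}


def predict(model, x):
    # Unseen feature values fall back to the majority class of the training set.
    return model["rule"].get(x[model["feature"]], model["default"])


def evaluate(rows, positive="Drop"):
    """Leave-one-out cross-validation; accuracy plus precision, recall and
    F-measure for the `positive` class (Drop is the security-relevant one)."""
    tp = fp = fn = correct = 0
    for i, (x, y) in enumerate(rows):
        model = train_oner(rows[:i] + rows[i + 1:])
        p = predict(model, x)
        correct += p == y
        tp += p == positive and y == positive
        fp += p == positive and y != positive
        fn += p != positive and y == positive
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    f1 = 2 * precision * recall / (precision + recall) if precision + recall else 0.0
    return {"accuracy": correct / len(rows), "precision": precision,
            "recall": recall, "f_measure": f1}


if __name__ == "__main__":
    data = parse_logs(SAMPLE_LOGS)
    print(train_oner(data))   # which single feature the rule is built on
    print(evaluate(data))     # LOOCV accuracy / precision / recall / F-measure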

Key-Words / Index Term

Machine Learning Algorithms, Classification, Log Analysis, Firewall, Spark
