An Investigation of Learning Model Technologies for Network Traffic Classification Design in Cyber Security Exercises

Abstract

With the proliferation of network systems, the boundaries between cyber and physical environments are blurring, leading to an increased risk of sophisticated cyber-attacks equipped with advanced technologies. In particular, as advancements in artificial intelligence through learning models have led to automated attacks and attack scenarios, countries are implementing cyber training and constructing training systems to respond to cyber security threats. This cyber training is based on existing cyber-attacks and conducted in virtual spaces similar to reality, generating network traffic through simulators and focusing on training for attack response and cyber resilience. However, the exponential increase in the number of network-based devices and the amount of network traffic they generate is leading to a gradual increase in threats to cyber security. In this study, first investigated the existing port number-based network traffic classification technologies and payload-based network traffic classification technologies to identify their shortcomings in the current network environment. We then categorized existing studies into supervised, unsupervised, and reinforcement learning to analyze the technology of classifying network traffic based on learning models as well as classification methods, procedures, performance standards, evaluation methods, quality of service/quality of experience, etc. Based on the analysis, presented limitations for application to training networks according to the learning method and suggested recommendations for establishing future research directions. Therefore, refining learning model-based network traffic classification technology will contribute to the construction of automated cyber training grounds such as cyber-attack-defense scenarios, network traffic anomaly detection, and maximizing cumulative rewards.