NTFA: Network Flow Aggregator

Network intrusion detection systems (NIDS) play a vital role in defending against cybersecurity threats. One effective way of detecting attacks is to analyse their footprint on the network traffic logs. Flow-based logging is a standard method for logging network traffic. Given the high volume of traffic, it is unpractical to manually analyse it. This is where machine learning can play a great role by automatically analysing traffic logs and identifying attacks. One way to process the flow data is to aggregate the information and extract insight from the aggregated network traffic. This paper presents an open-source aggregator NTFA (Network Flow Aggregator). This customisable network flow aggregator can aggregate flow-based, from the standard NetFlow format, data based on the time as well as other criteria, while offering the operator the option of using different time windows. To evaluate the suitability of the output aggreates for the intrusion detection task, we use this tool to aggregate the CIDDS-001 dataset and train a classifier using a decision tree algorithm. The model can classify aggregated network traffic data with an accuracy of 99.8%. Our experiment demonstrates that the aggregated data can be used in various machine-learning research projects or industries related to intrusion detection scenarios.