An Ensemble Approach for Firewall Log Classification using Stacked Machine Learning Models
Keywords: Firewall Logs, Decision Tree, Bagging Classifier, Machine Learning, Ensemble Learning

Abstract
Firewall logs remain an important data source, yet they are still difficult to analyze. Machine learning has become a popular basis for strong security measures because of its ability to respond quickly to complex attacks. Firewall logs produce high-volume, complex and often imbalanced data in which malicious activity is rare compared to normal traffic; the dynamic nature of cyber threats and the noise and redundant information in the logs add to the difficulty. In this research, a stacking classifier for firewall logs, Decision Tree Classifier + Bagging Classifier (DB), is proposed using ensemble machine learning models. Because the classes are imbalanced, the classifier's overall performance is compared with other models on F1-score, precision and recall as well as accuracy. The logs were collected from a firewall set up with Snort and TWIDS; the resulting log record contains 65532 instances with 12 attributes each. Multi-class machine learning models were built that analyze the firewall log dataset and classify the required action into one of the learned classes "Reset-both", "Allow", "Deny" or "Drop". For comparison, a range of machine learning methods was used, including Random Forest, K-Nearest Neighbor, Logistic Regression and AdaBoost Classifier. The proposed stacking classifier DB reached 99.89% accuracy in the experiments. Its higher accuracy relative to the other algorithms shows that the proposed stacking design was crucial in improving the firewall log classification rate.
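The abstract evaluates the classifier on accuracy, precision, recall and F1-score and notes that firewall log classes are imbalanced. The following is an added example, not code from the paper, showing why the extra metrics matter: it computes a confusion matrix and per-class and macro-averaged scores in pure Python over a constructed, heavily skewed set of (true action, predicted action) pairs using the four action labels named in the abstract. The pairs, their counts and the majority-class baseline are assumptions made for illustration and are not the paper's data.

```python
from collections import Counter

# The four action classes named in the abstract.
ACTIONS = ("allow", "deny", "drop", "reset-both")


def constructed_eval_split():
    """Constructed (true, predicted) pairs standing in for a held-out split of
    firewall log records: 50 records, 80% of them 'allow'. Not the paper's data."""
    pairs = [("allow", "allow")] * 40                      # majority class, all correct
    pairs += [("deny", "deny")] * 5 + [("deny", "allow")]   # one deny missed
    pairs += [("drop", "drop")] * 2 + [("drop", "deny")]    # one drop confused with deny
    pairs += [("reset-both", "allow")]                      # the rare class is never hit
    return pairs


def confusion_matrix(pairs, labels=ACTIONS):
    """Return {true_label: {pred_label: count}} over the fixed label set, so classes
    with zero support or zero predictions still appear in the metrics."""
    cm = {t: {p: 0 for p in labels} for t in labels}
    for true, pred in pairs:
        cm[true][pred] += 1
    return cm


def accuracy(cm):
    total = sum(sum(row.values()) for row in cm.values())
    correct = sum(cm[label][label] for label in cm)
    return correct / total


def per_class_metrics(cm):
    """Precision, recall and F1 per class; a class that is never predicted (or never
    occurs) gets 0.0 instead of a division error, which is exactly the case that
    accuracy hides."""
    metrics = {}
    for c in cm:
        tp = cm[c][c]
        fn = sum(cm[c].values()) - tp            # true c, predicted something else
        fp = sum(cm[t][c] for t in cm) - tp      # predicted c, actually something else
        precision = tp / (tp + fp) if tp + fp else 0.0
        recall = tp / (tp + fn) if tp + fn else 0.0
        f1 = 2 * precision * recall / (precision + recall) if precision + recall else 0.0
        metrics[c] = {"precision": precision, "recall": recall, "f1": f1, "support": tp + fn}
    return metrics


def macro_f1(cm):
    """Unweighted mean of per-class F1: every action counts equally, however rare."""
    metrics = per_class_metrics(cm)
    return sum(m["f1"] for m in metrics.values()) / len(metrics)


def majority_baseline_accuracy(pairs):
    """Accuracy of a trivial model that always predicts the most common true action.
    Any reported accuracy should be read against this floor."""
    counts = Counter(true for true, _ in pairs)
    return counts.most_common(1)[0][1] / len(pairs)


if __name__ == "__main__":
    pairs = constructed_eval_split()
    cm = confusion_matrix(pairs)
    print(f"accuracy          : {accuracy(cm):.4f}")
    print(f"majority baseline : {majority_baseline_accuracy(pairs):.4f}")
    print(f"macro F1          : {macro_f1(cm):.4f}")
    for action, m in per_class_metrics(cm).items():
        print(f"{action:11s} P={m['precision']:.3f} R={m['recall']:.3f} "
              f"F1={m['f1']:.3f} n={m['support']}")
```

On this constructed split the model is 94% accurate while a model that always answers "allow" already scores 80%, and the macro F1 is only about 0.65 because the rare "reset-both" class has zero recall. That gap is why a practitioner reading a 99.89% accuracy figure on imbalanced firewall logs should also look at per-class recall for the rare actions.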
License
This is an open access article published by the Research Center of Computing & Biomedical Informatics (RCBI), Lahore, Pakistan under the CC BY 4.0 International License.