WonderWall: A Machine-Learned Network Filtering Engine

Kruesit Upatising, Christian Barcenas, Yesha Ouyang, Scott Collins, Dr. Jonathan M. Smith

ABSTRACT

Wonderwall is a proof-of-concept network filtering engine that uses machine learning to identify malicious network packets. Trained on modern profile-generated datasets, Wonderwall aims to augment human reaction and rules-based IDSs so that attacks can be answered in real time. It is designed to be integrated into a virtual network, such as one built with OpenFlow, to handle malicious network attacks scalably.

1. INTRODUCTION

Computer networks are traditionally defended against malicious activity by proactive network administrators using active traffic management techniques. For example, a network administrator may react to an active DDoS attack by manually modifying firewall rules and routing policies. A web system administrator may respond to repeated SQL injection attempts by installing a web application firewall (WAF) that matches and rejects HTTP requests whose parameters contain known strings used in SQL injection. However, tactics such as these have proven inadequate in the face of increasingly complex and adaptive cyberattacks, which drive up the time-to-response of an incident as well as required to respond to that incident. Humans are ill-suited to the tedious task of differentiating between malicious and normal network traffic; it is difficult to manually construct a rules-based model that represents all possible attacks against a network. Further, once deployed, rules-based IDSs are often seen as too inflexible and unable to cope with the rapidly changing nature of network attacks. The security community at large is moving away from static rules and signature-based attack classification.

We developed a network filtering engine that uses machine learning to identify malicious network traffic. Our model is trained on different datasets for different attack scenarios. This setup allows the classifier to be updated easily when a new attack appears. A packet to be classified is passed to an ensemble of classifiers. These classifiers output binary classifications and confidence scores based on their belief that an individual packet or window of packets represents a certain kind of network attack. Our filtering engine integrates easily with any OpenFlow-capable software-defined network. When an attack is identified by a classifier, OpenFlow can be used to instruct the network switch to block the individual offending packet or to install routing rules to block the source of malicious traffic entirely. To
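As an added illustration, not code from the WonderWall project, the following Python sketches the pipeline the introduction describes: each classifier examines a packet or a window of packets and emits binary verdicts with confidence scores, an ensemble keeps the strongest verdict per source and attack type, and every verdict above a threshold is turned into a drop rule of the kind an OpenFlow controller would install. The two classifiers (a signature check for SQL-injection strings and a per-source share check for floods), the thresholds, the packet records and the flow-rule dictionary layout are all constructed here; the code does not use any controller library's API.

```python
"""Ensemble-of-classifiers packet filter with OpenFlow-style drop rules.

Added example, not WonderWall's own code. Classifiers, thresholds, the sample
traffic and the flow-entry layout are all constructed for illustration.
"""
from collections import Counter
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Packet:
    src: str       # source IPv4 address
    dst: str       # destination IPv4 address
    dport: int     # destination TCP port
    payload: str   # decoded application data ("" when none)


@dataclass(frozen=True)
class Alert:
    src: str
    attack: str
    confidence: float  # classifier's belief in [0, 1]


# Constructed signature list, in the spirit of the WAF rules the paper mentions.
SQLI_PATTERNS = [
    re.compile(r"'\s*or\s+'?\d+'?\s*=\s*'?\d+", re.I),  # tautology such as ' or 1=1
    re.compile(r"\bunion\s+select\b", re.I),
    re.compile(r";\s*drop\s+table\b", re.I),
]


def sqli_classifier(window):
    """Per-packet classifier: one alert per packet whose payload matches a
    signature; confidence rises with the number of distinct patterns hit."""
    alerts = []
    for pkt in window:
        hits = sum(1 for pat in SQLI_PATTERNS if pat.search(pkt.payload))
        if hits:
            alerts.append(Alert(pkt.src, "sqli", min(1.0, 0.5 + 0.25 * hits)))
    return alerts


def flood_classifier(window, max_share=0.5, min_window=5):
    """Window classifier: a source sending more than max_share of a window's
    packets looks like a flood; confidence scales with its excess share.
    Windows shorter than min_window are skipped, otherwise a lone benign
    packet would own 100% of its window and be flagged."""
    if len(window) < min_window:
        return []
    counts = Counter(pkt.src for pkt in window)
    alerts = []
    for src, n in counts.items():
        share = n / len(window)
        if share > max_share:
            conf = min(1.0, (share - max_share) / (1 - max_share))
            alerts.append(Alert(src, "flood", conf))
    return alerts


CLASSIFIERS = [sqli_classifier, flood_classifier]


def ensemble_decide(window, threshold=0.7):
    """Run every classifier over the window, keep the highest confidence per
    (source, attack) pair, and return the pairs at or above threshold."""
    best = {}
    for clf in CLASSIFIERS:
        for alert in clf(window):
            key = (alert.src, alert.attack)
            current = best.get(key)
            if current is None or alert.confidence > current.confidence:
                best[key] = alert
    return sorted((a for a in best.values() if a.confidence >= threshold),
                  key=lambda a: (a.src, a.attack))


def to_flow_rule(alert, idle_timeout=300):
    """Translate an alert into an OpenFlow-1.3-style flow entry (constructed
    dict layout, not a controller library's API). A flow entry with no actions
    drops everything it matches, which blocks the offending source entirely."""
    return {
        "priority": 100,
        "idle_timeout": idle_timeout,
        "match": {"eth_type": 0x0800, "ipv4_src": alert.src},
        "actions": [],  # empty action list == drop
        "reason": f"{alert.attack} conf={alert.confidence:.2f}",
    }


def sample_window():
    """Constructed traffic: one benign client, one SQLi attempt, one flooding source."""
    benign = Packet("10.0.0.5", "10.0.0.1", 80, "GET /index.html HTTP/1.1")
    sqli = Packet("10.0.0.7", "10.0.0.1", 80, "GET /item?id=1' or 1=1-- HTTP/1.1")
    flood = [Packet("10.0.0.9", "10.0.0.1", 80, "") for _ in range(18)]
    return [benign, sqli] + flood


if __name__ == "__main__":
    for alert in ensemble_decide(sample_window()):
        print(to_flow_rule(alert))
```

Running the module prints one drop rule for the SQL-injection source and one for the flooding source; the benign client, which sends a single ordinary request, produces no alert. The `min_window` guard in the flood classifier is the edge case worth keeping: share-based detectors that score a one-packet window will flag every source they see.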