Comparative Analysis of Machine Learning Algorithms for Malicious Network Traffic Classification

The classification of malicious network traffic is critical to cybersecurity. However, to the best of our knowledge, no previous studies have performed a comparative analysis of supervised algorithms for classifying malicious traffic specifically within the net-work environment of UTEQ, an academic setting with distinctive traffic patterns and security policies. For this reason, this study compared the performance of four super-vised machine learning algorithms (K-Nearest Neighbors, Decision Tree, SVM-RBF, and SVM-Polynomial) using the CRISP-DM methodology. The dataset consisted of 1,182 records with 30 variables from Hillstone Networks firewall logs at UTEQ, repre-senting three categories: Normal (74.3%), Botnet_Activity (16.4%), and Oth-er_Malware (9.3%). Preprocessing techniques were applied, including SMOTE balanc-ing and feature selection using Relief (reducing the variables to 8). The area under the curve was used as the primary discriminant metric; K-Nearest Neighbors (K=7) achieved the best performance with AUC=0.6147, outperforming Decision Tree (0.5724), SVM-RBF (0.5654), and SVM-Polynomial (0.5846), although SVM-RBF ob-tained higher accuracy (76.34%). The importance analysis revealed that dest_port was the dominant predictor (55%), explained by the concentration of legitimate traffic on standard ports (0–1023) versus threats on high ports (>49152). The results demon-strated that KNN offers the best probabilistic discriminative power for network traffic classification, establishing its superiority over more complex parametric algorithms in cybersecurity contexts where confidence in predictions is critical for reducing false positives.