Business Context

NetShield operates managed firewalls for 8,000 mid-market customers and wants a lightweight ML classifier to flag potentially malicious network connections before they are allowed through the perimeter. The security team needs a model that complements rule-based firewall policies by prioritizing suspicious traffic for blocking or analyst review.

Dataset

You are given historical firewall connection logs labeled by the security operations team.

• Size: 420K connection records collected over 6 weeks, 42 features
• Target: Binary label — malicious connection (1) vs benign connection (0)
• Class balance: 6.5% malicious, 93.5% benign
• Missing data: ~10% missing in geo/device enrichment fields and ~3% missing in behavioral aggregates for newly observed IPs

Success Criteria

A strong solution should achieve recall >= 0.85 on malicious traffic while keeping precision >= 0.40, since missed attacks are costly but excessive false positives create alert fatigue. The model should also provide feature importance so analysts can understand why traffic was flagged.

Constraints

• Inference latency must stay under 20 ms per connection in an online scoring service
• The first production version must be explainable to security analysts
• Retraining can happen daily or weekly, but not continuously
• The solution should avoid leakage from future behavioral aggregates

Deliverables

1. Build a binary classification pipeline for malicious traffic detection
2. Explain model choice, preprocessing, and leakage prevention
3. Evaluate the model with appropriate imbalanced-class metrics and threshold tuning
4. Show how firewall-related features are engineered from raw logs
5. Describe how the model would be deployed alongside existing firewall rules