Biblio

In recent years, almost all the real-world operations are transferred to cyber world and these market computers connect with each other via Internet. As a result of this, there is an increasing number of security breaches of the networks, whose admins cannot protect their networks from the all types of attacks. Although most of these attacks can be prevented with the use of firewalls, encryption mechanisms, access controls and some password protections mechanisms; due to the emergence of new type of attacks, a dynamic intrusion detection mechanism is always needed in the information security market. To enable the dynamicity of the Intrusion Detection System (IDS), it should be updated by using a modern learning mechanism. Neural Network approach is one of the mostly preferred algorithms for training the system. However, with the increasing power of parallel computing and use of big data for training, as a new concept, deep learning has been used in many of the modern real-world problems. Therefore, in this paper, we have proposed an IDS system which uses GPU powered Deep Learning Algorithms. The experimental results are collected on mostly preferred dataset KDD99 and it showed that use of GPU speed up training time up to 6.48 times depending on the number of the hidden layers and nodes in them. Additionally, we compare the different optimizers to enlighten the researcher to select the best one for their ongoing or future research.

Industrial Control systems traditionally achieved security by using proprietary protocols to communicate in an isolated environment from the outside. This paradigm is changed with the advent of the Industrial Internet of Things that foresees flexible and interconnected systems. In this contribution, a device acting as a connection between the operational technology network and information technology network is proposed. The device is an intrusion detection system related to legacy systems that is able to collect and reporting data to and from industrial IoT devices. It is based on the common signature based intrusion detection system developed in the information technology domain, however, to cope with the constraints of the operation technology domain, it exploits anomaly based features. Specifically, it is able to analyze the traffic on the network at application layer by mean of deep packet inspection, parsing the information carried by the proprietary protocols. At a later stage, it collect and aggregate data from and to IoT domain. A simple set up is considered to prove the effectiveness of the approach.

In this contemporary world, working on internet is a crucial task owing to the security threats in the network like intrusions, injections etc. To recognize and reduce these system attacks, analysts and academicians have introduced Intrusion Detection Systems (IDSs) with the various standards and applications. There are different types of Intrusion Detection Systems (IDS) arise to solve the attacks in various environments. Though IDS is more powerful, it produces the results on the abnormal behaviours said to be attacks with false positive and false negative rates which leads to inaccurate detection rate. The other problem is that, there are more number of attacks arising simultaneously with different behaviour being detected by the IDS with high false positive rates which spoils the strength and lifetime of the system, system's efficiency and fault tolerance. Complex Event Processing (CEP) plays a vital role in handling the alerts as events in real time environment which mainly helps to recognize and reduce the redundant alerts.CEP identifies and analyses relationships between events in real time, allowing the system to proactively take efficient actions to respond to specific alerts.In this study, the tendency of Complex Event Processing (CEP) over Intrusion Detection System (IDS) which offers effective handling of the alerts received from IDS in real time and the promotion of the better detection of the attacks are discussed. The merits and challenges of CEP over IDS described in this paper helps to understand and educate the IDS systems to focus on how to tackle the dynamic attacks and its alerts in real time.

Machine-learning solutions are successfully adopted in multiple contexts but the application of these techniques to the cyber security domain is complex and still immature. Among the many open issues that affect security systems based on machine learning, we concentrate on adversarial attacks that aim to affect the detection and prediction capabilities of machine-learning models. We consider realistic types of poisoning and evasion attacks targeting security solutions devoted to malware, spam and network intrusion detection. We explore the possible damages that an attacker can cause to a cyber detector and present some existing and original defensive techniques in the context of intrusion detection systems. This paper contains several performance evaluations that are based on extensive experiments using large traffic datasets. The results highlight that modern adversarial attacks are highly effective against machine-learning classifiers for cyber detection, and that existing solutions require improvements in several directions. The paper paves the way for more robust machine-learning-based techniques that can be integrated into cyber security platforms.

Modern operating systems are typical multitasking systems: Running multiple tasks at the same time. Therefore, a large number of system calls belonging to different processes are invoked at the same time. By associating these invocations, one can construct the system dependency graph. In rapidly evolving system dependency graphs, how to quickly find outliers is an urgent issue for intrusion detection. Clustering analysis based on graph similarity will help solve this problem. In this paper, an extended Weisfeiler-Lehman(WL) kernel is proposed. Firstly, an embedded vector with indefinite dimensions is constructed based on the original dependency graph. Then, the vector is compressed with Simhash to generate a fingerprint. Finally, anomaly detection based on clustering is carried out according to these fingerprints. Our scheme can achieve prominent detection with high efficiency. For validation, we choose StreamSpot, a relevant prior work, to act as benchmark, and use the same data set as it to carry out evaluations. Experiments show that our scheme can achieve the highest detection precision of 98% while maintaining a perfect recall performance. Moreover, both quantitative and visual comparisons demonstrate the outperforming clustering effect of our scheme than StreamSpot.

With the proposal of the national industrial 4.0 strategy, the integration of industrial control network and Internet technology is getting higher and higher. At the same time, the closeness of industrial control networks has been broken to a certain extent, making the problem of industrial control network security increasingly serious. S7 protocol is a private protocol of Siemens Company in Germany, which is widely used in the communication process of industrial control network. In this paper, an industrial control intrusion detection model based on S7 protocol is proposed. Traditional protocol parsing technology cannot resolve private industrial control protocols, so, this model uses deep analysis algorithm to realize the analysis of S7 data packets. At the same time, in order to overcome the complexity and portability of static white list configuration, this model dynamically builds a white list through white list self-learning algorithm. Finally, a composite intrusion detection method combining white list detection and abnormal behavior detection is used to detect anomalies. The experiment proves that the method can effectively detect the abnormal S7 protocol packet in the industrial control network.

With the deep integration of industrial control systems and Internet technologies, how to effectively detect whether industrial control systems are threatened by intrusion is a difficult problem in industrial security research. Aiming at the difficulty of high dimensionality and non-linearity of industrial control system network data, the stacked auto-encoder is used to extract the network data features, and the multi-classification support vector machine is used for classification. The research results show that the accuracy of the intrusion detection model reaches 95.8%.

In this paper, RBF-based multistage auto-encoders are used to detect IDS attacks. RBF has numerous applications in various actual life settings. The planned technique involves a two-part multistage auto-encoder and RBF. The multistage auto-encoder is applied to select top and sensitive features from input data. The selected features from the multistage auto-encoder is wired as input to the RBF and the RBF is trained to categorize the input data into two labels: attack or no attack. The experiment was realized using MATLAB2018 on a dataset comprising 175,341 case, each of which involves 42 features and is authenticated using 82,332 case. The developed approach here has been applied for the first time, to the knowledge of the authors, to detect IDS attacks with 98.80% accuracy when validated using UNSW-NB15 dataset. The experimental results show the proposed method presents satisfactory results when compared with those obtained in this field.

The Internet of things networks is vulnerable to many DOS attacks. Among them, Blackhole attack is one of the severe attacks as it hampers communication among network devices. In general, the solutions presented in the literature for Blackhole detection are not efficient. In addition, the existing approaches do not factor-in, the consumption in resources viz. energy, bandwidth and network lifetime. Further, these approaches are also insensitive to the mechanism used for selecting a parent in on Blackhole formation. Needless to say, a blackhole node if selected as parent would lead to orchestration of this attack trivially and hence it is an important factor in selection of a parent. In this paper, we propose SIEWE (Strainer based Intrusion Detection of Blackhole in 6LoWPAN for the Internet of Things) - an Intrusion detection mechanism to identify Blackhole attack on Routing protocol RPL in IoT. In contrast to the Watchdog based approaches where every node in network runs in promiscuous mode, SIEWE filters out suspicious nodes first and then verifies the behavior of those nodes only. The results that we obtain, show that SIEWE improves the Packet Delivery Ratio (PDR) of the system by blacklisting malicious Blackhole nodes.

Smart grid has evolved as the next generation power grid paradigm which enables the transfer of real time information between the utility company and the consumer via smart meter and advanced metering infrastructure (AMI). These information facilitate many services for both, such as automatic meter reading, demand side management, and time-of-use (TOU) pricing. However, there have been growing security and privacy concerns over smart grid systems, which are built with both smart and legacy information and operational technologies. Intrusion detection is a critical security service for smart grid systems, alerting the system operator for the presence of ongoing attacks. Hence, there has been lots of research conducted on intrusion detection in the past, especially anomaly-based intrusion detection. Problems emerge when common approaches of pattern recognition are used for imbalanced data which represent much more data instances belonging to normal behaviors than to attack ones, and these approaches cause low detection rates for minority classes. In this paper, we study various machine learning models to overcome this drawback by using CIC-IDS2018 dataset [1].

This paper focuses on the secure integration of distributed energy resources (DERs), especially pluggable electric vehicles (EVs), with the power grid. We consider the vehicle-to-grid (V2G) system where EVs are connected to the power grid through an `aggregator' In this paper, we propose a novel Cyber-Physical Anomaly Detection Engine that monitors system behavior and detects anomalies almost instantaneously (worst case inspection time for a packet is 0.165 seconds1). This detection engine ensures that the critical power grid component (viz., aggregator) remains secure by monitoring (a) cyber messages for various state changes and data constraints along with (b) power data on the V2G cyber network using power measurements from sensors on the physical/power distribution network. Since the V2G system is time-sensitive, the anomaly detection engine also monitors the timing requirements of the protocol messages to enhance the safety of the aggregator. To the best of our knowledge, this is the first piece of work that combines (a) the EV charging/discharging protocols, the (b) cyber network and (c) power measurements from physical network to detect intrusions in the EV to power grid system.1Minimum latency on V2G network is 2 seconds.

Information systems are becoming more and more complex and closely linked. These systems are encountering an enormous amount of nefarious traffic while ensuring real - time connectivity. Therefore, a defense method needs to be in place. One of the commonly used tools for network security is intrusion detection systems (IDS). An IDS tries to identify fraudulent activity using predetermined signatures or pre-established user misbehavior while monitoring incoming traffic. Intrusion detection systems based on signature and behavior cannot detect new attacks and fall when small behavior deviations occur. Many researchers have proposed various approaches to intrusion detection using machine learning techniques as a new and promising tool to remedy this problem. In this paper, the authors present a combination of two machine learning methods, unsupervised clustering followed by a supervised classification framework as a Fast, highly scalable and precise packets classification system. This model's performance is assessed on the new proposed dataset by the Canadian Institute for Cyber security and the University of New Brunswick (CICIDS2017). The overall process was fast, showing high accuracy classification results.

In view of the problem that the intrusion detection method based on One-Class Support Vector Machine (OCSVM) could not detect the outliers within the industrial data, which results in the decision function deviating from the training sample, an anomaly intrusion detection algorithm based on Robust Incremental Principal Component Analysis (RIPCA) -OCSVM is proposed in this paper. The method uses RIPCA algorithm to remove outliers in industrial data sets and realize dimensionality reduction. In combination with the advantages of OCSVM on the single classification problem, an anomaly detection model is established, and the Improved Particle Swarm Optimization (IPSO) is used for model parameter optimization. The simulation results show that the method can efficiently and accurately identify attacks or abnormal behaviors while meeting the real-time requirements of the industrial control system (ICS).

Security and privacy of smart grid communication data is crucial given the nature of the continuous bidirectional information exchange between the consumer and the utilities. Data security has conventionally been ensured using cryptographic techniques implemented at the upper layers of the network stack. However, it has been shown that security can be further enhanced using physical layer (PHY) methods. To aid and/or complement such PHY and upper layer techniques, in this paper, we propose a PHY design that can detect and locate not only an active intruder but also a passive eavesdropper in the network. Our method can either be used as a stand-alone solution or together with existing techniques to achieve improved smart grid data security. Our machine learning based solution intelligently and automatically detects and locates a possible intruder in the network by reusing power line transmission modems installed in the grid for communication purposes. Simulation results show that our cost-efficient design provides near ideal intruder detection rates and also estimates its location with a high degree of accuracy.

The majority of security breaches in cloud infrastructure in recent years are caused by human errors and misconfigured resources. Novel security models are imperative to overcome these issues. Such models must be customer-centric, continuous, not focused on traditional security paradigms like intrusion detection and adopt proactive techniques. Thus, this paper proposes CloudStrike, a cloud security system that implements the principles of Chaos Engineering to enable the aforementioned properties. Chaos Engineering is an emerging discipline employed to prevent non-security failures in cloud infrastructure via Fault Injection Testing techniques. CloudStrike employs similar techniques with a focus on injecting failures that impact security i.e. integrity, confidentiality and availability. Essentially, CloudStrike leverages the relationship between dependability and security models. Preliminary experiments provide insightful and prospective results.

With the development of computer technology and the popularization of network, network brings great convenience to colleagues and risks to people from all walks of life all over the world. The data in the network world is growing explosively. Various kinds of intrusions are emerging in an endless stream. The means of network intrusion are becoming more and more complex. The intrusions occur at any time and the security threats become more and more serious. Defense alone cannot meet the needs of system security. It is also necessary to monitor the behavior of users in the network at any time and detect new intrusions that may occur at any time. This will not only make people's normal network needs cannot be guaranteed, but also face great network risks. So that people not only rely on defensive means to protect network security, this paper explores block chain network intrusion detection system. Firstly, the characteristics of block chain are briefly introduced, and the challenges of block chain network intrusion security and privacy are proposed. Secondly, the intrusion detection system of WLAN is designed experimentally. Finally, the conclusion analysis of block chain network intrusion detection system is discussed.

A significant amount of attempt has been lately committed for the progress of Database Management Systems (DBMS) that ensures high assertion and high security. Common security measures for database like access control measures, validation, encryption technologies, etc are not sufficient enough to secure the data from all the threats. By using an anomaly detection system, we are able to enhance the security feature of the Database management system. We are taking an assumption that the database access control is role based. In this paper, a mechanism is proposed for finding the anomaly in database by using machine learning technique such as classification. The importance of providing anomaly detection technique to a Role-Based Access Control database is that it will help for the protection against the insider attacks. The experimentation results shows that the system is able to detect intrusion effectively with high accuracy and high F1-score.

In this paper, we introduce a sequential autoencoder framework using long short term memory (LSTM) neural network for computer network intrusion detection. We exploit the dimensionality reduction and feature extraction property of the autoencoder framework to efficiently carry out the reconstruction process. Furthermore, we use the LSTM networks to handle the sequential nature of the computer network data. We assign a threshold value based on cross-validation in order to classify whether the incoming network data sequence is anomalous or not. Moreover, the proposed framework can work on both fixed and variable length data sequence and works efficiently for unforeseen and unpredictable network attacks. We then also use the unsupervised version of the LSTM, GRU, Bi-LSTM and Neural Networks. Through a comprehensive set of experiments, we demonstrate that our proposed sequential intrusion detection framework performs well and is dynamic, robust and scalable.

The advent of machine learning has made it a popular tool in various areas. It has also been applied in network intrusion detection. However, machine learning hasn't been sufficiently explored in the cyberphysical domains such as smart grids. This is because a lot of factors weigh in while using these tools. This paper is about intrusion detection in smart grids and how some machine learning techniques can help achieve this goal. It considers the problems of feature and classifier selection along with other data ambiguities. The goal is to apply the machine learning ensemble classifiers on the smart grid traffic and evaluate if these methods can detect anomalies in the system.

With the advent of deep learning based methods, facial recognition algorithms have become more effective and efficient. However, these algorithms have usually the disadvantage of requiring the use of dedicated hardware devices, such as graphical processing units (GPUs), which pose restrictions on their usage on embedded devices with limited computational power. In this paper, we present an approach that allows building an intrusion detection system, based on face recognition, running on embedded devices. It relies on deep learning techniques and does not exploit the GPUs. Face recognition is performed using a knn classifier on features extracted from a 50-layers Residual Network (ResNet-50) trained on the VGGFace2 dataset. In our experiment, we determined the optimal confidence threshold that allows distinguishing legitimate users from intruders. In order to validate the proposed system, we created a ground truth composed of 15,393 images of faces and 44 identities, captured by two smart cameras placed in two different offices, in a test period of six months. We show that the obtained results are good both from the efficiency and effectiveness perspective.

Shared Threat Intelligence is often imperfect. Especially so called Indicator of Compromise might not be well constructed. This might either be the case if the threat only appeared recently and recordings do not allow for construction of high quality Indicators or the threat is only observed by sharing partners lesser capable to model the threat. However, intrusion detection based on imperfect intelligence yields low quality results. Within this paper we illustrate how one is able to overcome these shortcomings in data quality and is able to achieve solid intrusion detection. This is done by assigning individual weights to observables listed in a STIX™ report to express their significance for detection. For evaluation, an automatized toolchain was developed to mimic the Threat Intelligence sharing ecosystem from initial detection over reporting, sharing, and determining compromise by STIX™-formated data. Multiple strategies to detect and attribute a specific threat are compared using this data, leading up to an approach yielding a F1-Score of 0.79.

In internet based communication, various types of attacks have been evolved. Hence, attacker easily breaches the securities. Traditional intrusion detection techniques to observe these attacks have failed and thus hefty systems are required to remove these attacks before they expose entire network. With the ability of artificial intelligence systems to adapt high computational speed, boost fault tolerance, and error resilience against noisy information, a hybrid particle swarm optimization(PSO) fuzzy rule based inference engine has been designed in this paper. The fuzzy logic based on degree of truth while the PSO algorithm based on population stochastic technique helps in learning from the scenario, thus their combination will increase the toughness of intrusion detection system. The proposed network intrusion detection system will be able to classify normal as well as anomalism behaviour in the network. DARPA-KDD99 dataset examined on this system to address the behaviour of each connection on network and compared with existing system. This approach improves the result on the basis of precision, recall and F1-score.

Software defined networking is a concept proposed to replace traditional networks by separating control plane and data plane. It makes the network more programmable and manageable. As there is a single point of control of the network, it is more vulnerable to intrusion. The idea is to train the network controller by machine learning algorithms to let it make the intelligent decisions automatically. In this paper, we have discussed our approach to make software defined networking more secure from various malicious attacks by making it capable of detecting and preventing such attacks.

Supervisory control and data acquisition system is an important part of the country's critical infrastructure, but its inherent network characteristics are vulnerable to attack by intruders. The vulnerability of supervisory control and data acquisition system was analyzed, combining common attacks such as information scanning, response injection, command injection and denial of service in industrial control systems, and proposed an intrusion detection model based on graphical features. The time series of message transmission were visualized, extracting the vertex coordinates and various graphic area features to constitute a new data set, and obtained classification model of intrusion detection through training. An intrusion detection experiment environment was built using tools such as MATLAB and power protocol testers. IEC 60870-5-104 protocol which is widely used in power systems had been taken as an example. The results of tests have good effectiveness.

Advanced persistent threat (APT) has been considered globally as a serious social problem since the 2010s. Adversaries of this threat, at first, try to penetrate into targeting organizations by using a backdoor which is opened with drive-by-download attacks, malicious e-mail attachments, etc. After adversaries' intruding, they usually execute benign applications (e.g, OS built-in commands, management tools published by OS vendors, etc.) for investigating networks of targeting organizations. Therefore, if they penetrate into networks once, it is difficult to rapidly detect these malicious activities only by using anti-virus software or network-based intrusion systems. Meanwhile, enterprise networks are managed well in general. That means network administrators have a good grasp of installed applications and routinely used applications for employees' daily works. Thereby, in order to find anomaly behaviors on well-managed networks, it is effective to observe changes executing their applications. In this paper, we propose a lightweight host-based intrusion detection system by using process generation patterns. Our system periodically collects lists of active processes from each host, then the system constructs process trees from the lists. In addition, the system detects anomaly processes from the process trees considering parent-child relationships, execution sequences and lifetime of processes. Moreover, we evaluated the system in our organization. The system collected 2, 403, 230 process paths in total from 498 hosts for two months, then the system could extract 38 anomaly processes. Among them, one PowerShell process was also detected by using an anti-virus software running on our organization. Furthermore, our system could filter out the other 18 PowerShell processes, which were used for maintenance of our network.