Biblio

MIL-STD-1553 is a military standard that defines the specification of a serial communication bus that has been implemented in military and aerospace avionic platforms for over 40 years. MIL-STD-1553 was designed for a high level of fault tolerance while less attention was paid to cyber security issues. Thus, as indicated in recent studies, it is exposed to various threats. In this article, we suggest enhancing the security of MIL-STD-1553 communication buses by integrating a machine learning-based intrusion detection system (IDS); such anIDS will be capable of detecting cyber attacks in real time. The IDS consists of two modules: 1) a remote terminal (RT) authentication module that detects illegitimately connected components and data transfers and 2) a sequence-based anomaly detection module that detects anomalies in the operation of the system. The IDS showed high detection rates for both normal and abnormal behavior when evaluated in a testbed using real 1553 hardware, as well as a very fast and accurate training process using logs from a real system. The RT authentication module managed to authenticate RTs with +0.99 precision and +0.98 recall; and detect illegitimate component (or a legitimate component that impersonates other components) with +0.98 precision and +0.99 recall. The sequence-based anomaly detection module managed to perfectly detect both normal and abnormal behavior. Moreover, the sequencebased anomaly detection module managed to accurately (i.e., zero false positives) model the normal behavior of a real system in a short period of time ( 22 s).

With the rapid development of Internet, the issue of cyber security has increasingly gained more attention. An intrusion Detection System (IDS) is an effective technique to defend cyber-attacks and reduce security losses. However, the challenge of IDS lies in the diversity of cyber-attackers and the frequently-changing data requiring a flexible and efficient solution. To address this problem, machine learning approaches are being applied in the IDS field. In this paper, we propose an efficient scalable neural-network-based hybrid IDS framework with the combination of Host-level IDS (HIDS) and Network-level IDS (NIDS). We applied the autoencoders (AE) to NIDS and designed HIDS using word embedding and convolutional neural network. To evaluate the IDS, many experiments are performed on the public datasets NSL-KDD and ADFA. It can detect many attacks and reduce the security risk with high efficiency and excellent scalability.

Parallel with the developing world, transportation technologies have started to expand and change significantly year by year. This change brings with it some inevitable problems. Increasing human population and growing transportation-needs result many accidents in urban and rural areas, and this recursively results extra traffic problems and fuel consumption. It is obvious that the issues brought by this spiral loop needed to be solved with the use of some new technological achievements. In this context, self-driving cars or automated vehicles concepts are seen as a good solution. However, this also brings some additional problems with it. Currently many cars are provided with some digital security systems, which are examined in two phases, internal and external. These systems are constructed in the car by using some type of embedded system (such as the Controller Area Network (CAN)) which are needed to be protected form outsider cyberattacks. These attack can be detected by several ways such as rule based system, anomaly based systems, list based systems, etc. The current literature showed that researchers focused on the use of some artificial intelligence techniques for the detection of this type of attack. In this study, an intrusion detection system based on machine learning is proposed for the CAN security, which is the in-vehicle communication structure. As a result of the study, it has been observed that the decision tree-based ensemble learning models results the best performance in the tested models. Additionally, all models have a very good accuracy levels.

Internet of Things (IoT) development and the addition of billions of computationally limited devices prohibit the use of classical security measures such as Intrusion Detection Systems (IDS). In this paper, we study the influence of the implementation of different feed-forward type of Neural Networks (NNs) on the detection Rate of the Negative Selection Neural Network (NSNN) algorithm. Feed-forward and cascade forward NN structures with different number of neurons and different number of hidden layers are tested. For training and testing the NSNN algorithm the labeled KDD NSL dataset is applied. The detection rates provided by the algorithm with several NN structures to determine the optimal solution are calculated and compared. The results show how these different feed-forward based NN architectures impact the performance of the NSNN algorithm.

Intrusion Detection systems are important tools in preventing malicious traffic from penetrating into networks and systems. Recently, Intrusion Detection Systems are rapidly enhancing their detection capabilities using machine learning algorithms. However, these algorithms are vulnerable to new unknown types of attacks that can evade machine learning IDS. In particular, they may be vulnerable to attacks based on Generative Adversarial Networks (GAN). GANs have been widely used in domains such as image processing, natural language processing to generate adversarial data of different types such as graphics, videos, texts, etc. We propose a model using GAN to generate adversarial DDoS attacks that can change the attack profile and can be undetected. Our simulation results indicate that by continuous changing of attack profile, defensive systems that use incremental learning will still be vulnerable to new attacks.

Vehicular Ad-Hoc Networks (VANET) are liable to the Black, Worm and Gray Hole attacks because of the broadcast nature of the wireless medium and a lack of authority standards. Black Hole attack covers the situation when a malicious node uses its routing protocol in order to publicize itself for having the shortest route to the destination node. This aggressive node publicizes its availability of fresh routes regardless of checking its routing table. The consequences of these attacks could lead not only to the broken infrastructure, but could cause hammering people's lives. This paper aims to investigate and compare methods for preventing such types of attacks in a VANET.

Cyber-security is indispensable as malicious incidents are ubiquitous on the Internet. Intrusion Detection Systems have an important role in detecting and thwarting cyber-attacks. However, it is more effective in a centralized system but not in peer-to-peer networks which makes it subject to central point failure, especially in collaborated intrusion detection systems. The novel blockchain technology assures a fully distributed security system through its powerful features of transparency, immutability, decentralization, and provenance. Therefore, in this paper, we investigate and demonstrate several methods of collaborative intrusion detection with blockchain to analyze the suitability and security of blockchain for collaborative intrusion detection systems. We also studied the difference between the existing means of the integration of intrusion detection systems with blockchain and categorized the major vulnerabilities of blockchain with their potential losses and current enhancements for mitigation.

Computer Networks fights with a continues issues with attackers and intruders. Attacks on distributed systems becoming more powerful and more frequent day by day. Intrusion detection methods are performing main role to detect intruders and attackers. To identify intrusion on computer or computer networks an intrusion detection system methods are used. Network Intrusion Detection System (NIDS) performs an prime role by presenting the network security. It gives a defense layer by monitoring the traffic on network for predefined distrustful activity or pattern. In this paper we have analyze and compare existing signature based and anomaly based algorithm with Openstack private cloud.

Multi-agent architectures have been successful in attaining considerable attention among computer security researchers. This is so, because of their demonstrated capabilities such as autonomy, embedded intelligence, learning and self-growing knowledge-base, high scalability, fault tolerance, and automatic parallelism. These characteristics have made this technology a de facto standard for developing ambient security systems to meet the open and dynamic nature of today's online communities. Although multi-agent architectures are increasingly studied in the area of computer security, there is still not enough empirical evidence on their performance in intrusions and attacks detection. The aim of this paper is to report the systematic literature review conducted in the context of specific research questions, to investigate multi-agent IDS architectures to highlight the issues that affect their performance in terms of detection accuracy and response time. We used pertinent keywords and terms to search and retrieve the most recent research studies, on multi-agent IDS architectures, from the major research databases and digital libraries such as SCOPUS, Springer, and IEEE Explore. The search processes resulted in a number of studies; among them, there were journal articles, book chapters, conference papers, dissertations, and theses. The obtained studies were assessed and filtered out, and finally, there were over 71 studies chosen to answer the research questions. The results of this study have shown that multi-agent architectures include several advantages that can help in the development of ambient IDS. However, it has been found that there are several issues in the current multi-agent IDS architectures that may degrade the accuracy and response time of intrusions and attacks detection. Based on our findings, the issues of multi-agent IDS architectures include limitations in the techniques, mechanisms, and schemes used for multi-agent IDS adaptation and learning, load balancing, scalability, fault-tolerance, and high communication overhead. It has also been found that new measurement metrics are required for evaluating multi-agent IDS architectures.

In recent years, there has been a significant increase in network intrusion attacks which raises a great concern from the privacy and security aspects. Due to the advancement of the technology, cyber-security attacks are becoming very complex such that the current detection systems are not sufficient enough to address this issue. Therefore, an implementation of an intelligent and effective network intrusion detection system would be crucial to solve this problem. In this paper, we use deep learning techniques, namely, Convolutional Neural Networks (CNN) and Recurrent Neural Networks (RNN) to design an intelligent detection system which is able to detect different network intrusions. Additionally, we evaluate the performance of the proposed solution using different evaluation matrices and we present a comparison between the results of our proposed solution to find the best model for the network intrusion detection system.

Machine learning techniques help to understand underlying patterns in datasets to develop defense mechanisms against cyber attacks. Multilayer Perceptron (MLP) technique is a machine learning technique used in detecting attack vs. benign data. However, it is difficult to construct any effective model when there are imbalances in the dataset that prevent proper classification of attack samples in data. In this research, we use UGR'16 dataset to conduct data wrangling initially. This technique helps to prepare a test set from the original dataset to train the neural network model effectively. We experimented with a series of inputs of varying sizes (i.e. 10000, 50000, 1 million) to observe the performance of the MLP neural network model with distribution of features over accuracy. Later, we use Generative Adversarial Network (GAN) model that produces samples of different attack labels (e.g. blacklist, anomaly spam, ssh scan) for balancing the dataset. These samples are generated based on data from the UGR'16 dataset. Further experiments with MLP neural network model shows that a balanced attack sample dataset, made possible with GAN, produces more accurate results than an imbalanced one.

Aiming at the problem that the traditional intrusion detection method can not effectively deal with the massive and high-dimensional network traffic data of industrial control system (ICS), an ICS intrusion detection strategy based on bidirectional generative adversarial network (BiGAN) is proposed in this paper. In order to improve the applicability of BiGAN model in ICS intrusion detection, the optimal model was obtained through the single variable principle and cross-validation. On this basis, the supervised control and data acquisition (SCADA) standard data set is used for comparative experiments to verify the performance of the optimized model on ICS intrusion detection. The results show that the ICS intrusion detection method based on optimized BiGAN has higher accuracy and shorter detection time than other methods.

Modern industrial control systems (ICS) act as victims of cyber attacks more often in last years. These cyber attacks often can not be detected by classical information security methods. Moreover, the consequences of cyber attack's impact can be catastrophic. Since cyber attacks leads to appearance of anomalies in the ICS and technological equipment controlled by it, the task of intrusion detection for ICS can be reformulated as the task of industrial process anomaly detection. This paper considers the applicability of generative adversarial networks (GANs) in the field of industrial processes anomaly detection. Existing approaches for GANs usage in the field of information security (such as anomaly detection in network traffic) were described. It is proposed to use the BiGAN architecture in order to detect anomalies in the industrial processes. The proposed approach has been tested on Secure Water Treatment Dataset (SWaT). The obtained results indicate the prospects of using the examined method in practice.

Modbus TCP/IP protocol is a commonly used protocol in industrial automation control systems, systems responsible for sensitive operations such as gas turbine operation and refinery control. The protocol was designed decades ago with no security features in mind. Denial of service attack and malicious parameter command injection are examples of attacks that can exploit vulnerabilities in industrial control systems that use Modbus/TCP protocol. This paper discusses and explores the use of intrusion detection and prevention systems (IDPS) with deep packet inspection (DPI) capabilities and DPI industrial firewalls that have capability to detect and stop highly specialized attacks hidden deep in the communication flow. The paper has the following objectives: (i) to develop signatures for IDPS for common attacks on Modbus/TCP based network architectures; (ii) to evaluate performance of three IDPS - Snort, Suricata and Bro - in detecting and preventing common attacks on Modbus/TCP based control systems; and (iii) to illustrate and emphasize that the IDPS and industrial firewalls with DPI capabilities are not preventing but only mitigating likelihood of exploitation of Modbus/TCP vulnerabilities in the industrial and automation control systems. The results presented in the paper illustrate that it might be challenging task to achieve requirements on real-time communication in some industrial and automation control systems in case the DPI is implemented because of the latency and jitter introduced by these IDPS and DPI industrial firewall.

Existing cyber security solutions have been basically developed using knowledge-based models that often cannot trigger new cyber-attack families. With the boom of Artificial Intelligence (AI), especially Deep Learning (DL) algorithms, those security solutions have been plugged-in with AI models to discover, trace, mitigate or respond to incidents of new security events. The algorithms demand a large number of heterogeneous data sources to train and validate new security systems. This paper presents the description of new datasets, the so-called ToNİoT, which involve federated data sources collected from Telemetry datasets of IoT services, Operating system datasets of Windows and Linux, and datasets of Network traffic. The paper introduces the testbed and description of TONİoT datasets for Windows operating systems. The testbed was implemented in three layers: edge, fog and cloud. The edge layer involves IoT and network devices, the fog layer contains virtual machines and gateways, and the cloud layer involves cloud services, such as data analytics, linked to the other two layers. These layers were dynamically managed using the platforms of software-Defined Network (SDN) and Network-Function Virtualization (NFV) using the VMware NSX and vCloud NFV platform. The Windows datasets were collected from audit traces of memories, processors, networks, processes and hard disks. The datasets would be used to evaluate various AI-based cyber security solutions, including intrusion detection, threat intelligence and hunting, privacy preservation and digital forensics. This is because the datasets have a wide range of recent normal and attack features and observations, as well as authentic ground truth events. The datasets can be publicly accessed from this link [1].

In the paper, an intrusion detection system to safeguard computer software is proposed. The detection is based on negative selection algorithm, inspired by the human immunity mechanism. It is composed of two stages, generation of receptors and anomaly detection. Experimental results of the proposed system are presented, analyzed, and concluded.

The rapid growth of IPv6 traffic makes security issues become more important. This paper proposes an IPv6 network security system that integrates signature-based Intrusion Detection Systems (IDS) and machine learning classification technologies to improve the accuracy of IPv6 denial-of-service (DoS) attacks detection. In addition, this paper has also enhanced IPv6 network security defense capabilities through software-defined networking (SDN) and network function virtualization (NFV) technologies. The experimental results prove that the detection and defense mechanisms proposed in this paper can effectively strengthen IPv6 network security.

Industrial Internet of Things (IIoT) has arisen as an emerging trend in the industrial sector. Millions of sensors present in IIoT networks generate a massive amount of data that can open the doors for several cyber-attacks. An intrusion detection system (IDS) monitors real-time internet traffic and identify the behavior and type of network attacks. In this paper, we presented a deep random neural (DRaNN) based scheme for intrusion detection in IIoT. The proposed scheme is evaluated by using a new generation IIoT security dataset UNSW-NB15. Experimental results prove that the proposed model successfully classified nine different types of attacks with a low false-positive rate and great accuracy of 99.54%. To validate the feasibility of the proposed scheme, experimental results are also compared with state-of-the-art deep learning-based intrusion detection schemes. The proposed model achieved a higher attack detection rate of 99.41%.

Almost all smart appliances are operated through wireless sensor networks. With the passage of time, due to various applications, the WSN becomes prone to various external attacks. Preventing such attacks, Intrusion Detection strategy (IDS) is very crucial to secure the network from the malicious attackers. The proposed IDS methodology discovers the pattern in large data corpus which works for different types of algorithms to detect four types of Denial of service (DoS) attacks, namely, Grayhole, Blackhole, Flooding, and TDMA. The state-of-the-art detection algorithms, such as KNN, Naïve Bayes, Logistic Regression, Support Vector Machine (SVM), and ANN are applied to the data corpus and analyze the performance in detecting the attacks. The analysis shows that these algorithms are applicable for the detection and prediction of unavoidable attacks and can be recommended for network experts and analysts.

In this paper, we consider a novel method of mining biometric data for user authentication by replacing traditional captchas with game-like captchas. The game-like captchas present the user with a short game in which they attempt to get a high score. The data produced from a user's game play will be used to produce a behavior biometric based on user interactions, such as mouse movement, click patterns and game choices. The baseline expectation of interactive behavior will be used as a single factor in an intrusion detection system providing continuous authentication, considering the factors such as IP address, location, time of use, website interactions, and behavior anomalies. In addition to acting as a source of data, game-like captchas are expected to deter bots and automated systems from accessing web-based services and improving the user experience for the end-users who have become accustomed to monotonous alternatives, such as Google's re-captcha.

With the widespread of Artificial Intelligence (AI)-enabled security applications, there is a need for collecting heterogeneous and scalable data sources for effectively evaluating the performances of security applications. This paper presents the description of new datasets, named ToNİoT datasets that include distributed data sources collected from Telemetry datasets of Internet of Things (IoT) services, Operating systems datasets of Windows and Linux, and datasets of Network traffic. The paper aims to describe the new testbed architecture used to collect Linux datasets from audit traces of hard disk, memory and process. The architecture was designed in three distributed layers of edge, fog, and cloud. The edge layer comprises IoT and network systems, the fog layer includes virtual machines and gateways, and the cloud layer includes data analytics and visualization tools connected with the other two layers. The layers were programmatically controlled using Software-Defined Network (SDN) and Network-Function Virtualization (NFV) using the VMware NSX and vCloud NFV platform. The Linux ToNİoT datasets would be used to train and validate various new federated and distributed AI-enabled security solutions such as intrusion detection, threat intelligence, privacy preservation and digital forensics. Various Data analytical and machine learning methods are employed to determine the fidelity of the datasets in terms of examining feature engineering, statistics of legitimate and security events, and reliability of security events. The datasets can be publicly accessed from [1].

With the rapid development of networks, cyberspace security is facing increasingly severe challenges. Traditional alert aggregation process and alert correlation analysis process are susceptible to a large amount of redundancy and false alerts. To tackle the challenge, this paper proposes a network security situational awareness model KG-NSSA (Knowledge-Graph-based NSSA) based on knowledge graphs. This model provides an asset-based network security knowledge graph construction scheme. Based on the network security knowledge graph, a solution is provided for the classic problem in the field of network security situational awareness - network attack scenario discovery. The asset-based network security knowledge graph combines the asset information of the monitored network and fully considers the monitoring of network traffic. The attack scenario discovery according to the KG-NSSA model is to complete attack discovery and attack association through attribute graph mining and similarity calculation, which can effectively reflect specific network attack behaviors and mining attack scenarios. The effectiveness of the proposed method is verified on the MIT DARPA2000 data set. Our work provides a new approach for network security situational awareness.

With the rapid development of the Industrial Internet, the network security risks faced by industrial control systems (ICSs) are becoming more and more intense. How to do a good job in the security protection of industrial control systems is extremely urgent. For traditional network security, industrial control systems have some unique characteristics, which results in traditional intrusion detection systems that cannot be directly reused on it. Aiming at the industrial control system, this paper constructs all attack paths from the hacker's perspective through the attack tree model, and uses the LSTM algorithm to identify and classify the attack behavior, and then further classify the attack event by extracting atomic actions. Finally, through the constructed attack tree model, the results are reversed and predicted. The results show that the model has a good effect on attack recognition, and can effectively analyze the hacker attack path and predict the next attack target.

Internet of Things (IoT) combines the internet and physical objects to transfer information among the objects. In the emerging IoT networks, providing security is the major issue. IoT device is exposed to various security issues due to its low computational efficiency. In recent years, the Intrusion Detection System valuable tool deployed to secure the information in the network. This article exposes the Intrusion Detection System (IDS) based on deep learning and machine learning to overcome the security attacks in IoT networks. Long Short-Term Memory (LSTM) and K-Nearest Neighbor (KNN) are used in the attack detection model and performances of those algorithms are compared with each other based on detection time, kappa statistic, geometric mean, and sensitivity. The effectiveness of the developed IDS is evaluated by using Bot-IoT datasets.

Unauthorized access or intrusion is a massive threatening issue in the modern era. This study focuses on designing a model for an ideal intrusion detection system capable of defending a network by alerting the admins upon detecting any sorts of malicious activities. The study proposes a two layered anomaly-based detection model that uses filter co-relation method for dimensionality reduction along with Random forest and Support Vector Machine as its classifiers. It achieved a very good detection rate against all sorts of attacks including a low rate of false alarms as well. The contribution of this study is that it could be of a major help to the computer scientists designing good intrusion detection systems to keep an industry or organization safe from the cyber threats as it has achieved the desired qualities of a functional IDS model.