Biblio

In this paper, we propose a novel deep learning and blockchain-based energy framework for smart grids, entitled DeepCoin. The DeepCoin framework uses two schemes, a blockchain-based scheme and a deep learning-based scheme. The blockchain-based scheme consists of five phases: setup phase, agreement phase, creating a block phase and consensus-making phase, and view change phase. It incorporates a novel reliable peer-to-peer energy system that is based on the practical Byzantine fault tolerance algorithm and it achieves high throughput. In order to prevent smart grid attacks, the proposed framework makes the generation of blocks using short signatures and hash functions. The proposed deep learning-based scheme is an intrusion detection system (IDS), which employs recurrent neural networks for detecting network attacks and fraudulent transactions in the blockchain-based energy network. We study the performance of the proposed IDS on three different sources the CICIDS2017 dataset, a power system dataset, and a web robot (Bot)-Internet of Things (IoT) dataset.

In this paper, an Intrusion Detection System (IDS) in the Controller Area Network (CAN) bus of modern vehicles has been proposed. NESLIDS is an anomaly detection algorithm based on the supervised Deep Neural Network (DNN) architecture that is designed to counter three critical attack categories: Denial-of-service (DoS), fuzzy, and impersonation attacks. Our research scope included modifying DNN parameters, e.g. number of hidden layer neurons, batch size, and activation functions according to how well it maximized detection accuracy and minimized the false positive rate (FPR) for these attacks. Our methodology consisted of collecting CAN Bus data from online and in real-time, injecting attack data after data collection, preprocessing in Python, training the DNN, and testing the model with different datasets. Results show that the proposed IDS effectively detects all attack types for both types of datasets. NESLIDS outperforms existing approaches in terms of accuracy, scalability, and low false alarm rates.

Nowadays, machine learning is a popular method for DDoS detection. However, machine learning algorithms are very vulnerable under the attacks of adversarial samples. Up to now, multiple methods of generating adversarial samples have been proposed. However, they cannot be applied to LSTM-based DDoS detection directly because of the discrete property and the utility requirement of its input samples. In this paper, we propose two methods to generate DDoS adversarial samples, named Genetic Attack (GA) and Probability Weighted Packet Saliency Attack (PWPSA) respectively. Both methods modify original input sample by inserting or replacing partial packets. In GA, we evolve a set of modified samples with genetic algorithm and find the evasive variant from it. In PWPSA, we modify original sample iteratively and use the position saliency as well as the packet score to determine insertion or replacement order at each step. Experimental results on CICIDS2017 dataset show that both methods can bypass DDoS detectors with high success rate.

The Security is a vital aspect of cloud service as it comprises of data that belong to multiple users. Cloud service providers are responsible for maintaining data integrity, confidentiality and availability. They must ensure that their infrastructure and data are protected from intruders. In this research work Intrusion Detection System is designed to detect malicious server by using Cuckoo Search (CS) along with Artificial Intelligence. CS is used for feature optimization with the help of fitness function, the server's nature is categorized into two types: normal and attackers. On the basis of extracted features, ANN classify the attackers which affect the networks in cloud environment. The main aim is to distinguish attacker servers that are affected by DoS/DDoS, Black and Gray hole attacks from the genuine servers. Thus, instead of passing data to attacker server, the server passes the data to the genuine servers and hence, the system is protected. To validate the performance of the system, QoS parameters such as PDR (Packet delivery rate), energy consumption rate and total delay before and after prevention algorithm are measured. When compared with existing work, the PDR and the delay have been enhanced by 3.0 %and 21.5 %.

Large scale deployment of IoT devices has made Bluetooth Protocol (IEEE 802.15.1) the wireless protocol of choice for close-range communications. Devices such as keyboards, smartwatches, headphones, computer mouse, and various wearable connecting devices use Bluetooth network for communication. Moreover, Bluetooth networks are widely used in medical devices like heart monitors, blood glucose monitors, asthma inhalers, and pulse oximeters. Also, Bluetooth has replaced cables for wire-free equipment in a surgical environment. In hospitals, devices communicate with one another, sharing sensitive and critical information over Bluetooth scatter-networks. Thus, it is imperative to secure the Bluetooth networks against attacks like Man in the Middle attack (MITM), eavesdropping attacks, and Denial of Service (DoS) attacks. This paper presents a Multi-Level Bluetooth Intrusion Detection System (ML-BIDS) to detect malicious attacks against Bluetooth devices. In the ML-IDS framework, we perform continuous device identification and authorization in Bluetooth networks following the zero-trust principle [ref]. The ML-BIDS framework includes an anomaly-based intrusion detection system (ABIDS) to detect attacks on the Bluetooth protocol. The ABIDS tracks the normal behavior of the Bluetooth protocol by comparing it with the Bluetooth protocol state machine. Bluetooth frame flows consisting of Bluetooth frames received over 10 seconds are split into n-grams to track the current state of the protocol in the state machine. We evaluated the performance of several machine learning algorithms like C4.5, Adaboost, SVM, Naive Bayes, Jrip, and Bagging to classify normal Bluetooth protocol flows from abnormal Bluetooth protocol flows. The ABIDS detects attacks on Bluetooth protocols with a precision of up to 99.6% and recall up to 99.6%. The ML-BIDS framework also performs whitelisting of the devices on the Bluetooth network to prevent unauthorized devices from connecting to the network. ML-BIDS uses a combination of the Bluetooth Address, mac address, and IP address to uniquely identify a Bluetooth device connecting to the network, and hence ensuring only authorized devices can connect to the Bluetooth network.

While internet technologies are developing day by day, threats against them are increasing at the same speed. One of the most serious and common types of attacks is Distributed Denial of Service (DDoS) attacks. The DDoS intrusion detection approach proposed in this study is based on fuzzy logic and entropy. The network is modeled as a graph and graphics-based features are used to distinguish attack traffic from non-attack traffic. Fuzzy clustering is applied based on these properties to indicate the tendency of IP addresses or port numbers to be in the same cluster. Based on this uncertainty, attack and non-attack traffic were modeled. The detection stage uses the fuzzy relevance function. This algorithm was tested on real data collected from Boğaziçi University network.

Supervisory Control and Data Acquisition (SCADA) systems have been a frequent target of cyberattacks in Industrial Control Systems (ICS). As such systems are a frequent target of highly motivated attackers, researchers often resort to intrusion detection through machine learning techniques to detect new kinds of threats. However, current research initiatives, in general, pursue higher detection accuracies, neglecting the detection of new kind of threats and their proposal detection scope. This paper proposes a novel, reliable host-based intrusion detection for SCADA systems through the Operating System (OS) diversity. Our proposal evaluates, at the OS level, the SCADA communication over time and, opportunistically, detects, and chooses the most appropriate OS to be used in intrusion detection for reliability purposes. Experiments, performed through a variety of SCADA OSs front-end, shows that OS diversity provides higher intrusion detection scope, improving detection accuracy by up to 8 new attack categories. Besides, our proposal can opportunistically detect the most reliable OS that should be used for the current environment behavior, improving by up to 8%, on average, the system accuracy when compared to a single OS approach, in the best case.

Much research is concentrated on improving models for host-based intrusion detection systems (HIDS). Typically, such research aims at improving a model's results (e.g., reducing the false positive rate) in the familiar static training/testing environment using the standard data sources. Matching advancements in the machine learning community, researchers in the syscall HIDS domain have developed many complex and powerful syscall-based models to serve as anomaly detectors. These models typically show an impressive level of accuracy while emphasizing on minimizing the false positive rate. However, with each proposed model iteration, we get further from the setting in which these models are intended to operate. As kernels become more ornate and hardened, the implementation space for anomaly detection models is narrowing. Furthermore, the rapid advancement of operating systems and the underlying complexity introduced dictate that the sometimes decades-old datasets have long been obsolete. In this paper, we attempt to bridge the gap between theoretical models and their intended application environments by examining the recent Linux kernel 5.7.0-rc1. In this setting, we examine the feasibility of syscall-based HIDS in modern operating systems and the constraints imposed on the HIDS developer. We discuss how recent advancements to the kernel have eliminated the previous syscall trace collect method of writing syscall table wrappers, and propose a new approach to generate data and place our detection model. Furthermore, we present the specific execution time and memory constraints that models must meet in order to be operable within their intended settings. Finally, we conclude with preliminary results from our model, which primarily show that in-kernel machine learning models are feasible, depending on their complexity.

In 5G networks, the Cloud Radio Access Network (C-RAN) is considered a promising future architecture in terms of minimizing energy consumption and allocating resources efficiently by providing real-time cloud infrastructures, cooperative radio, and centralized data processing. Recently, given their vulnerability to malicious attacks, the security of C-RAN networks has attracted significant attention. Among various anomaly-based intrusion detection techniques, the most promising one is the machine learning-based intrusion detection as it learns without human assistance and adjusts actions accordingly. In this direction, many solutions have been proposed, but they show either low accuracy in terms of attack classification or they offer just a single layer of attack detection. This research focuses on deploying a multi-stage machine learning-based intrusion detection (ML-IDS) in 5G C-RAN that can detect and classify four types of jamming attacks: constant jamming, random jamming, deceptive jamming, and reactive jamming. This deployment enhances security by minimizing the false negatives in C-RAN architectures. The experimental evaluation of the proposed solution is carried out using WSN-DS (Wireless Sensor Networks DataSet), which is a dedicated wireless dataset for intrusion detection. The final classification accuracy of attacks is 94.51% with a 7.84% false negative rate.

DDoS attacks impose serious threats to many large or small organizations; therefore DDoS attacks have to be detected as soon as possible. In this study, a methodology to detect DDoS attacks is proposed and implemented on online systems. In the scope of the proposed methodology, Multi Layer Perceptron (MLP), Random Forest (RF), K-Nearest Neighbor (KNN), C-Support Vector Machine (SVC) machine learning methods are used with scaling and feature reduction preprocessing methods and then effects of preprocesses on detection accuracy rates of HTTP (Hypertext Transfer Protocol) flood, TCP SYN (Transport Control Protocol Synchronize) flood, UDP (User Datagram Protocol) flood and ICMP (Internet Control Message Protocol) flood DDoS attacks are analyzed. Obtained results showed that DDoS attacks can be detected with high accuracy of 99.2%.

The Internet of Things (IoT) as a demanding technology require the best features of information security for effective development of the IoT based smart city and technological activity. There are huge number of recent security threats searching for some loopholes which are ready to exploit any network. Against the back-drop of recent rapidly growing technological advancement of IoT, security-threats have become a critical challenge which demand responsive and continuous action. As privacy and security exhibit an ever-present flourishing issue, so loopholes detection and analysis are indispensable process in the network. This paper presents Block chain based security analysis of data generated from IoT devices to prevent malicious attacks and intrusion in the IoT network.

At present, our life is almost inseparable from the network, the network provides a lot of convenience for our life. However, a variety of network security incidents occur very frequently. In recent years, with the continuous development of neural network technology, more and more researchers have applied neural network to intrusion detection, which has developed into a new research direction in intrusion detection. As long as the neural network is provided with input data including network data packets, through the process of self-learning, the neural network can separate abnormal data features and effectively detect abnormal data. Therefore, the article innovatively proposes an intrusion detection method based on deep convolutional neural networks (CNN), which is used to test on public data sets. The results show that the model has a higher accuracy rate and a lower false negative rate than traditional intrusion detection methods.

In this paper, a new intrusion detection mechanism is proposed based on Trust and Packet Loss Rate at Sensor Node in WSNs. To find the true malicious nodes, the proposed mechanism performs a deep analysis on the packet loss. Two independent metrics such as buffer capacity metric and residual energy metric are considered for packet loss rate evaluation. Further, the trust evaluation also considers the basic communication interactions between sensor nodes. Based on these three metrics, a new composite metric called Packet Forwarding Probability (PFP) is derived through which the malicious nodes are identified. Simulation experiments are conducted over the proposed mechanism and the performance is evaluated through False Positive Rate (FPR) and Malicious Detection Rate (MDR). The results declare that the proposed mechanism achieves a better performance compared to the conventional approaches.

To reduce cost and ease maintenance, industrial control systems (ICS) have adopted Ethernetbased interconnections that integrate operational technology (OT) systems with information technology (IT) networks. This integration has made these critical systems vulnerable to attack. Security solutions tailored to ICS environments are an active area of research. Anomalybased network intrusion detection systems are well-suited for these environments. Often these systems must be optimized for their specific environment. In prior work, we introduced a method for assessing the impact of various anomaly-based network IDS settings on security. This paper reviews the experimental outcomes when we applied our method to a full-scale ICS test bed using actual attacks. Our method provides new and valuable data to operators enabling more informed decisions about IDS configurations.

Development of an intrusion detection system, which tries to detect signs of technology of malware, is discussed. The system can detect signs of technology of malware such as peer to peer (P2P) communication, DDoS attack, Domain Generation Algorithm (DGA), and network scanning. The system consists of beneficial botnet and the R statistical computing system. The beneficial botnet is a group of Wiki servers, agent bots and analyzing bots. The script in a Wiki page of the Wiki server controls an agent bot or an analyzing bot. An agent bot is placed between a LAN and its gateway. It can capture every packet between hosts in the LAN and hosts behind the gateway from the LAN. An analyzing bot can be placed anywhere in the LAN or WAN if it can communicate with the Wiki server for controlling the analyzing bot. The analyzing bot has R statistical computing system and it can analyze data which is collected by agent bots.

Trust management is a promising alternative solution to different complex security algorithms for Underwater Wireless Sensor Networks (UWSN) applications due to its several resource constraint behaviour. In this work, we have proposed a trust management model to improve location privacy of the UWSN. Adaptive Neuro Fuzzy Inference System (ANFIS) has been exploited to evaluate trustworthiness of a sensor node. Also Markov Decision Process (MDP) has been considered. At each state of the MDP, a sensor node evaluates trust behaviour of forwarding node utilizing the FIS learning rules and selects a trusted node. Simulation has been conducted in MATLAB and simulation results show that the detection accuracy of trustworthiness is 91.2% which is greater than Knowledge Discovery and Data Mining (KDD) 99 intrusion detection based dataset. So, in our model 91.2% trustworthiness is necessary to be a trusted node otherwise it will be treated as a malicious or compromised node. Our proposed model can successfully eliminate the possibility of occurring any compromised or malicious node in the network.

The domain of securing in-vehicle networks has attracted both academic and industrial researchers due to high danger of attacks on drivers and passengers. While securing wired and wireless interfaces is important to defend against these threats, detecting attacks is still the critical phase to construct a robust secure system. There are only a few results on securing communication inside vehicles using anomaly-detection techniques despite their efficiencies in systems that need real-time detection. Therefore, we propose an intrusion detection system (IDS) based on Multi-Layer Perceptron (MLP) neural network for Controller Area Networks (CAN) bus. This IDS divides data according to the ID field of CAN packets using K-means clustering algorithm, then it extracts suitable features and uses them to train and construct the neural network. The proposed IDS works for each ID separately and finally it combines their individual decisions to construct the final score and generates alert in the presence of attack. The strength of our intrusion detection method is that it works simultaneously for two types of attacks which will eliminate the use of several separate IDS and thus reduce the complexity and cost of implementation.

Most serious occurrence of modern malware is Botnet. Botnet is a rapidly evolving problem that is still not well understood and studied. One of the main goals for modern network security is to create adequate techniques for the detection and eventual termination of Botnet threats. The article presents an approach for implementing a host-based Intrusion Detection System for Botnet attack detection. The approach is based on a variation of a genetic algorithm to detect anomalies in a case of attacks. An implementation of the approach and experimental results are presented.

The presence of security vulnerabilities in automotive networks has already been shown by various publications in recent years. Due to the specification of the Controller Area Network (CAN) as a broadcast medium without security mechanisms, attackers are able to read transmitted messages without being noticed and to inject malicious messages. In order to detect potential attackers within a network or software system as early as possible, Intrusion Detection Systems (IDSs) are prevalent. Many approaches for vehicles are based on techniques which are able to detect deviations from specified CAN network behaviour regarding protocol or payload properties. However, it is challenging to detect attackers who secretly connect to CAN networks and do not actively participate in bus traffic. In this paper, we present an approach that is capable of successfully detecting unknown CAN devices and determining the distance (cable length) between the attacker device and our sensing unit based on Time Domain Reflectometry (TDR) technique. We evaluated our approach on a real vehicle network.

Distributed Denial of Service (DDoS) attacks have been the prominent attacks over the last decade. A Network Intrusion Detection System (NIDS) should seamlessly configure to fight against these attackers' new approaches and patterns of DDoS attack. In this paper, we propose a NIDS which can detect existing as well as new types of DDoS attacks. The key feature of our NIDS is that it combines different classifiers using ensemble models, with the idea that each classifier can target specific aspects/types of intrusions, and in doing so provides a more robust defense mechanism against new intrusions. Further, we perform a detailed analysis of DDoS attacks, and based on this domain-knowledge verify the reduced feature set [27, 28] to significantly improve accuracy. We experiment with and analyze NSL-KDD dataset with reduced feature set and our proposed NIDS can detect 99.1% of DDoS attacks successfully. We compare our results with other existing approaches. Our NIDS approach has the learning capability to keep up with new and emerging DDoS attack patterns.

Situation awareness consists of "the perception of the elements in the environment within a volume of time and space, the comprehension of their meaning, and the projection of their status in the near future". Being aware of the security situation is then mandatory to launch proper security reactions in response to cybersecurity attacks. Security Incident and Event Management solutions are deployed within Security Operation Centers. Some vendors propose machine learning based approaches to detect intrusions by analysing networks behaviours. But cyberattacks like Wannacry and NotPetya, which shut down hundreds of thousands of computers, demonstrated that networks monitoring and surveillance solutions remain insufficient. Detecting these complex attacks (a.k.a. Advanced Persistent Threats) requires security administrators to retain a large number of logs just in case problems are detected and involve the investigation of past security events. This approach generates massive data that have to be analysed at the right time in order to detect any accidental or caused incident. In the same time, security administrators are not yet seasoned to such a task and lack the desired skills in data science. As a consequence, a large amount of data is available and still remains unexplored which leaves number of indicators of compromise under the radar. Building on the concept of situation awareness, we developed a situation-driven framework, called dynSMAUG, for dynamic security management. This approach simplifies the security management of dynamic systems and allows the specification of security policies at a high-level of abstraction (close to security requirements). This invited paper aims at exposing real security situations elicitation, coming from networks security experts, and showing the results of exploratory analysis techniques using complex event processing techniques to identify and extract security situations from a large volume of logs. The results contributed to the extension of the dynSMAUG solution.

Most of the security algorithms proposed for the sensor networks such as secure routing, data encryption and authentication, and intrusion detection target protecting the content of the collected data from being exposed to different types of attacks. However, the context of the collected data, such as event occurrence, event time, and event location, is not addressed by these security mechanisms and can still be leaked to the adversaries. Therefore, we propose in this paper a novel and efficient unobservability scheme for source/sink location privacy for wireless multimedia sensor networks. The proposed privacy scheme is based on a cross-layer design between the application and routing layers in order to exploit the multimedia processing technique with multipath routing to hide the event occurrences and locations of important nodes without degrading the network performance. Simulation analysis shows that our proposed scheme satisfies the privacy requirements and has better performance compared to other existing techniques.

The exponential growth of Internet-of-Things (IoT) devices not only brings convenience but also poses numerous challenging safety and security issues. IoT devices are distributed, highly heterogeneous, and more importantly, directly interact with the physical environment. In IoT systems, the bugs in device firmware, the defects in network protocols, and the design flaws in system configurations all may lead to catastrophic accidents, causing severe threats to people's lives and properties. The challenge gets even more escalated as the possible attacks may be chained together in a long sequence across multiple layers, rendering the current vulnerability analysis inapplicable. In this paper, we present ForeSee, a cross-layer formal framework to comprehensively unveil the vulnerabilities in IoT systems. ForeSee generates a novel attack graph that depicts all of the essential components in IoT, from low-level physical surroundings to high-level decision-making processes. The corresponding graph-based analysis then enables ForeSee to precisely capture potential attack paths. An optimization algorithm is further introduced to reduce the computational complexity of our analysis. The illustrative case studies show that our multilayer modeling can capture threats ignored by the previous approaches.

Air-gap attacks and mimic defense are two emerging techniques in the field of network attack and defense, respectively. However, direct confrontation between them has not yet appeared in the real world. Who will be the winner, if air-gap attacks encounter mimic defense? To this end, a preliminary analysis is conducted for exploring the possible the strategy space of game according to the core principles of air-gap attacks and mimic defense. On this basis, an architecture model is proposed, which combines some detectors for air-gap attacks and mimic defense devices. First, a Dynamic Heterogeneous Redundancy (DHR) structure is employed to be on guard against malicious software of air-gap attacks. Second, some detectors for air-gap attacks are used to detect some signal sent by air-gap attackers' transmitter. Third, the proposed architecture model is obtained by organizing the DHR structure and the detectors for air-gap attacks with some logical relationship. The simulated experimental results preliminarily confirm the power of the new model.

Controller Area Network is the most widely adopted communication standard in automobiles. The CAN protocol is robust and is designed to minimize overhead. The light-weight nature of this protocol implies that it can't efficiently process secure communication. With the exponential increase in automobile communications, there is an urgent need for efficient and effective security countermeasures. We propose a support vector machine based intrusion detection system that is able to detect anomalous behavior with high accuracy. We outline a process for parameter selection and feature vector selection. We identify strengths and weaknesses of our system and propose to extend our work for time-series based data.