Biblio

In recent years, with the continuous development of artificial intelligence algorithms, their applications in network intrusion detection have become more and more widespread. However, as the network speed continues to increase, network traffic increases dramatically, and the drawbacks of traditional machine learning methods such as high false alarm rate and long training time are gradually revealed. CNN(Convolutional Neural Networks) can only extract spatial features of data, which is obviously insufficient for network intrusion detection. In this paper, we propose an intrusion detection model that combines CNN and BiSRU (Bi-directional Simple Recurrent Unit) to achieve the goal of intrusion detection by processing network traffic logs. First, we extract the spatial features of the original data using CNN, after that we use them as input, further extract the temporal features using BiSRU, and finally output the classification results by softmax to achieve the purpose of intrusion detection.

Internet of Thing (IoT) devices are being widely used in smart homes and organizations. An IoT device has some intended purposes, but may also have hidden functionalities. Typically, the device is installed in a home or an organization and the network traffic associated with the device is captured and analyzed to infer high-level functionality to the extent possible. However, such analysis is dynamic in nature, and requires the installation of the device and access to network data which is often hard to get for privacy and confidentiality reasons. We propose an alternative static approach which can infer the functionality of a device from vendor materials using Natural Language Processing (NLP) techniques. Information about IoT device functionality can be used in various applications, one of which is ensuring security in a smart home. We demonstrate how security policies associated with device functionality in a smart home can be formally represented using the NIST Next Generation Access Control (NGAC) model and automatically analyzed using Alloy, which is a formal verification tool. This will provide assurance to the consumer that these devices will be compliant to the home or organizational policy even before they have been purchased.

While the need for content distribution proliferates - becoming more mammoth and complex on the Internet - the P2P network perseveres as one of the best avenues to service the demand for content distribution. It enjoys a wide range of clients that transport data in bits securely, making it susceptible to moving dubious contents, hence becoming exposed to varying security threats that require credible digital investigation to address. The tools and techniques used in performing digital investigations are still mostly lagging, successfully slowing down law enforcement agencies in general. The acquisition of digital evidence over the Internet is still elusive in the battle against cybercrime. This paper considers a new technique for detecting passive peers that participate in a P2P network. As part of our study, we crawled the µTorrent P2P client over 10 days while logging all participating peers. We then employed digital forensic techniques to analyze the popular users and generate evidence within them with high accuracy. Finally, we evaluated our proposed approach against the standard Analysis, Design, Development, Implementation, and Evaluation, or ADDIE model for digital investigation to arrive at the credible digital evidence presented in this paper.

This advanced research survey aims to perform intrusion detection and routing in ad hoc networks in wireless MANET networks using machine learning techniques. The MANETs are composed of several ad-hoc nodes that are randomly or deterministically distributed for communication and acquisition and to forward the data to the gateway for enhanced communication securely. MANETs are used in many applications such as in health care for communication; in utilities such as industries to monitor equipment and detect any malfunction during regular production activity. In general, MANETs take measurements of the desired application and send this information to a gateway, whereby the user can interpret the information to achieve the desired purpose. The main importance of MANETs in intrusion detection is that they can be trained to detect intrusion and real-time attacks in the CIC-IDS 2019 dataset. MANETs routing protocols are designed to establish routes between the source and destination nodes. What these routing protocols do is that they decompose the network into more manageable pieces and provide ways of sharing information among its neighbors first and then throughout the whole network. The landscape of exciting libraries and techniques is constantly evolving, and so are the possibilities and options for experiments. Implementing the framework in python helps in reducing syntactic complexity, increases performance compared to implementations in scripting languages, and provides memory safety.

The power terminal network has the characteristics of a large number of nodes, various types, and complex network topology. After the power terminal network is attacked, the impact of power terminals in different business scenarios is also different. Traditional impact assessment methods based on network traffic or power system operation rules are difficult to achieve comprehensive attack impact analysis. In this paper, from the three levels of terminal security itself, terminal network security and terminal business application security, it constructs quantitative indicators for analyzing the impact of power terminals after being attacked, so as to determine the depth and breadth of the impact of the attack on the power terminal network, and provide the next defense measures with realistic basis.

Intrusion Detection System (IDS) is one of the most important security tool for many security issues that are prevailing in today's cyber world. Intrusion Detection System is designed to scan the system applications and network traffic to detect suspicious activities and issue an alert if it is discovered. So many techniques are available in machine learning for intrusion detection. The main objective of this project is to apply machine learning algorithms to the data set and to compare and evaluate their performances. The proposed application has used the SVM (Support Vector Machine) and ANN (Artificial Neural Networks) Algorithms to detect the intrusion rates. Each algorithm is used to detect whether the requested data is authorized or contains any anomalies. While IDS scans the requested data if it finds any malicious information it drops that request. These algorithms have used Correlation-Based and Chi-Squared Based feature selection algorithms to reduce the dataset by eliminating the useless data. The preprocessed dataset is trained and tested with the models to obtain the prominent results, which leads to increasing the prediction accuracy. The NSL KDD dataset has been used for the experimentation. Finally, an accuracy of about 48% has been achieved by the SVM algorithm and 97% has been achieved by ANN algorithm. Henceforth, ANN model is working better than the SVM on this dataset.

To provide web browsing and video streaming services with desirable quality, cache servers have been widely used to deliver digital data to users from locations close to users. For example, in the MEC (mobile edge computing), cache memories are provided at base stations of 5G cellular networks to reduce the traffic load in the backhaul networks. Cache servers are also connected to many edge routers in the CDN (content delivery network), and they are provided at routers in the ICN (information-centric networking). However, the cache pollution attack (CPA) which degrades the cache hit ratio by intentionally sending many requests to non-popular contents will be a serious threat in the cache networks. Quickly detecting the CPA hosts and protecting the cache servers is important to effectively utilize the cache resources. Therefore, in this paper, we propose a method of accurately detecting the CPA hosts using a limited amount of memory resources. The proposed method is based on a Bloom filter using the combination of identifiers of host and content as keys. We also propose to use two Bloom filters in parallel to continuously detect CPA hosts. Through numerical evaluations, we show that the proposed method suppresses the degradation of the cache hit ratio caused by the CPA while avoiding the false identification of legitimate hosts.

For a long time, there have been a number of malicious APP discovery and detection services in the Android security field. There are multiple and multiple sensitive actions in most malicious apps. This paper is based on the research of dynamic and static detection technology to analyze the sensitive behaviors in APP, combined with automated testing technology to achieve automated detection, which can improve the detection efficiency and accuracy of malicious APP.

Whilst machine learning has been widely adopted for various domains, it is important to consider how such techniques may be susceptible to malicious users through adversarial attacks. Given a trained classifier, a malicious attack may attempt to craft a data observation whereby the data features purposefully trigger the classifier to yield incorrect responses. This has been observed in various image classification tasks, including falsifying road sign detection and facial recognition, which could have severe consequences in real-world deployment. In this work, we investigate how these attacks could impact on network traffic analysis, and how a system could perform misclassification of common network attacks such as DDoS attacks. Using the CICIDS2017 data, we examine how vulnerable the data features used for intrusion detection are to perturbation attacks using FGSM adversarial examples. As a result, our method provides a defensive approach for assessing feature robustness that seeks to balance between classification accuracy whilst minimising the attack surface of the feature space.

With the rapid development of the Internet, cyberspace security has become a potentially huge problem. At the same time, the disclosure of cyberspace vulnerabilities is getting faster and faster. Traditional protection methods based on known features cannot effectively defend against new network attacks. Network attack is no more a single vulnerability exploit, but an APT attack based on multiple complicated methods. Cyberspace attacks have become ``rationalized'' on the surface. Currently, there are a lot of researches about visualization of attack paths, but there is no an overall plan to reproduce the attack path. Most researches focus on the detection and characterization individual based on single behavior cyberspace attacks, which loose it's abilities to help security personnel understand the complete attack behavior of attackers. The key factors of this paper is to collect the attackers' aggressive behavior by reverse retrospective method based on the actual shooting range environment. By finding attack nodes and dividing offensive behavior into time series, we can characterize the attacker's behavior path vividly and comprehensively.

Distributed denial of service attacks threaten the security and health of the Internet. Remediation relies on up-to-date and accurate attack signatures. Signature-based detection is relatively inexpensive computationally. Yet, signatures are inflexible when small variations exist in the attack vector. Attackers exploit this rigidity by altering their attacks to bypass the signatures. Our previous work revealed a critical problem with conventional machine learning models. Conventional models are unable to generalize on the temporal nature of network flow data to classify attacks. We thus explored the use of deep learning techniques on real flow data. We found that a variety of attacks could be identified with high accuracy compared to previous approaches. We show that a convolutional neural network can be implemented for this problem that is suitable for large volumes of data while maintaining useful levels of accuracy.

The increase in online activity during the COVID 19 pandemic has generated a surge in network traffic capable of expanding the scope of DDoS attacks. Cyber criminals can now afford to launch massive DDoS attacks capable of degrading the performances of conventional machine learning based IDS models. Hence, there is an urgent need for an effective DDoS attack detective model with the capacity to handle large magnitude of DDoS attack traffic. This study proposes a deep learning based DDoS attack detection system using Long Short Term Memory (LSTM). The proposed model was evaluated on UNSW-NB15 and NSL-KDD intrusion datasets, whereby twenty-three (23) and twenty (20) attack features were extracted from UNSW-NB15 and NSL-KDD, respectively using Singular Value Decomposition (SVD). The results from the proposed model show significant improvement when compared with results from some conventional machine learning techniques such as Naïve Bayes (NB), Decision Tree (DT), and Support Vector Machine (SVM) with accuracies of 94.28% and 90.59% on both datasets, respectively. Furthermore, comparative analysis of LSTM with other deep learning results reported in literature justified the choice of LSTM among its deep learning peers in detecting DDoS attacks over a network.

With the increasing scale of network, the scale of attack graph has been becoming larger and larger, and the number of nodes in attack graph is also increasing, which can not directly reflect the impact of nodes on the whole system. Therefore, in this paper, a method was proposed to determine the key nodes of network attack graph of power information physical system to solve the problem of uncertain emphasis of security protection of attack graph.

In order to guarantee the normal operation of the power Internet of things devices, the zero-trust idea was used for studying the security protection strategies of devices from four aspects: user authentication, equipment trust, application integrity and flow baselines. Firstly, device trust is constructed based on device portrait; then, verification of device application integrity based on MD5 message digest algorithm to achieve device application trustworthiness. Next, the terminal network traffic baselines are mined from OpenFlow, a southbound protocol in SDN. Finally, according to the dynamic user trust degree attribute access control model, the comprehensive user trust degree was obtained by weighting the direct trust degree. It obtained from user authentication and the trust degree of user access to terminal communication traffic. And according to the comprehensive trust degree, users are assigned the minimum authority to access the terminal to realize the security protection of the terminal. According to the comprehensive trust degree, the minimum permissions for users to access the terminal were assigned to achieve the security protection of the terminal. The research shows that the zero-trust mechanism is applied to the terminal security protection of power Internet of Things, which can improve the reliability of the safe operation of terminal equipment.

We are attending a severe zero-day cyber attacks. Machine learning based anomaly detection is definitely the most efficient defence in depth approach. It consists to analyzing the network traffic in order to distinguish the normal behaviour from the abnormal one. This approach is usually implemented in a central server where all the network traffic is analyzed which can rise privacy issues. In fact, with the increasing adoption of Cloud infrastructures, it is important to reduce as much as possible the outsourcing of such sensitive information to the several network nodes. A better approach is to ask each node to analyze its own data and then to exchange its learning finding (model) with a coordinator. In this paper, we investigate the application of federated learning for network-based intrusion detection. Our experiment was conducted based on the C ICIDS2017 dataset. We present a f ederated learning on a deep learning algorithm C NN based on model averaging. It is a self-learning system for detecting anomalies caused by malicious adversaries without human intervention and can cope with new and unknown attacks without decreasing performance. These experimentation demonstrate that this approach is effective in detecting intrusion.

Traditionally, Industrial Control Systems (ICS) have been operated as air-gapped networks, without a necessity to connect directly to the Internet. With the introduction of the Internet of Things (IoT) paradigm, along with the cloud computing shift in traditional IT environments, ICS systems went through an adaptation period in the recent years, as the Industrial Internet of Things (IIoT) became popular. ICS systems, also called Cyber-Physical-Systems (CPS), operate on physical devices (i.e., actuators, sensors) at the lowest layer. An anomaly that effect this layer, could potentially result in physical damage. Due to the new attack surfaces that came about with IIoT movement, precise, accurate, and prompt intrusion/anomaly detection is becoming even more crucial in ICS. This paper proposes a novel method for real-time intrusion/anomaly detection based on a cyber-physical system network traffic. To evaluate the proposed anomaly detection method's efficiency, we run our implementation against a network trace taken from a Secure Water Treatment Testbed (SWAT) of iTrust Laboratory at Singapore.

With the rapid development of networks, cyberspace security is facing increasingly severe challenges. Traditional alert aggregation process and alert correlation analysis process are susceptible to a large amount of redundancy and false alerts. To tackle the challenge, this paper proposes a network security situational awareness model KG-NSSA (Knowledge-Graph-based NSSA) based on knowledge graphs. This model provides an asset-based network security knowledge graph construction scheme. Based on the network security knowledge graph, a solution is provided for the classic problem in the field of network security situational awareness - network attack scenario discovery. The asset-based network security knowledge graph combines the asset information of the monitored network and fully considers the monitoring of network traffic. The attack scenario discovery according to the KG-NSSA model is to complete attack discovery and attack association through attribute graph mining and similarity calculation, which can effectively reflect specific network attack behaviors and mining attack scenarios. The effectiveness of the proposed method is verified on the MIT DARPA2000 data set. Our work provides a new approach for network security situational awareness.

In order to improve production and management efficiency, traditional industrial control systems are gradually connected to the Internet, and more likely to use advanced modern information technologies, such as cloud computing, big data technology, and artificial intelligence. Industrial control system is widely used in national key infrastructure. Meanwhile, a variety of attack threats and risks follow, and once the industrial control network suffers maliciously attack, the loss caused is immeasurable. In order to improve the security and stability of the industrial Internet, this paper studies the industrial control network traffic threat identification technology based on machine learning methods, including GK-SVDD, RNN and KPCA reconstruction error algorithm, and proposes a heuristic method for selecting Gaussian kernel width parameter in GK-SVDD to accelerate real-time threat detection in industrial control environments. Experiments were conducted on two public industrial control network traffic datasets. Compared with the existing methods, these methods can obtain faster detection efficiency and better threat identification performance.

A distributed denial of service attack is a major security challenge in modern communications networks. In this article, we propose models that capture all the key performance indicators of synchronized denial of service protection mechanisms. As a result of the conducted researches, it is found out that thanks to the method of delay detection it is possible to recognize semi-open connections that are caused by synchronous flood and other attacks at an early stage. The study provides a mechanism for assessing the feasibility of introducing and changing the security system of a wireless sensor network. The proposed methodology will allow you to compare the mechanisms of combating denial of service for synchronized failures and choose the optimal protection settings in real-time.

This paper presents Forensic methods for detection and prevention of multiple attacks along with neural networks like Denial-of-Service (DoS), probe, vampire, and User-to-Root (U2R) attacks, in a Mobile Ad hoc Network (MANET). We accomplish attacker(s) detection and prevention percentage upto 99% in varied node density scenarios 50/100/150.

Denial of Service (DoS) attacks are very common type of computer attack in the world of internet today. Automatically detecting such type of DDoS attack packets & dropping them before passing through is the best prevention method. Conventional solution only monitors and provide the feedforward solution instead of the feedback machine-based learning. A Design of Deep neural network has been suggested in this paper. In this approach, high level features are extracted for representation and inference of the dataset. Experiment has been conducted based on the ISCX dataset for year 2017, 2018 and CICDDoS2019 and program has been developed in Matlab R17b using Wireshark.

In today's world computer communication is used almost everywhere and majority of them are connected to the world's largest network, the Internet. There is danger in using internet due to numerous cyber-attacks which are designed to attack Confidentiality, Integrity and Availability of systems connected to the internet. One of the most prominent threats to computer networking is Distributed Denial of Service (DDoS) Attack. They are designed to attack availability of the systems. Many users and ISPs are targeted and affected regularly by these attacks. Even though new protection technologies are continuously proposed, this immense threat continues to grow rapidly. Most of the DDoS attacks are undetectable because they act as legitimate traffic. This situation can be partially overcome by using Intrusion Detection Systems (IDSs). There are advanced attacks where there is no proper documented way to detect. In this paper authors present a Machine Learning (ML) based DDoS detection mechanism with improved accuracy and low false positive rates. The proposed approach gives inductions based on signatures previously extracted from samples of network traffic. Authors perform the experiments using four distinct benchmark datasets, four machine learning algorithms to address four of the most harmful DDoS attack vectors. Authors achieved maximum accuracy and compared the results with other applicable machine learning algorithms.

Using erasure codes increases consumption of network traffic and disk I/O tremendously when systems recover data, resulting in high latency of degraded reads. In order to mitigate this problem, we present an adaptive storage scheme based on data access skew, a fact that most data accesses are applied in a small fraction of data. In this scheme, we use both Local Reconstruction Code (LRC), whose recovery cost is low, to store frequently accessed data, and Hitchhiker (HH) code, which guarantees minimum storage cost, to store infrequently accessed data. Besides, an efficient switching algorithm between LRC and HH code with low network and computation costs is provided. The whole system will benefit from low degraded read latency while keeping a low storage overhead, and code-switching will not become a bottleneck.

Currently as the widespread use of virtual monetary units (like Bitcoin, Ethereum, Ripple, Litecoin) has begun, people with bad intentions have been attracted to this area and have produced and marketed ransomware in order to obtain virtual currency easily. This ransomware infiltrates the victim's system with smartly-designed methods and encrypts the files found in the system. After the encryption process, the attacker leaves a message demanding a ransom in virtual currency to open access to the encrypted files and warns that otherwise the files will not be accessible. This type of ransomware is becoming more popular over time, so currently it is the largest information technology security threat. In the literature, there are many studies about detection and analysis of this cyber-bullying. In this study, we focused on crypto-ransomware and investigated a forensic analysis of a current attack example in detail. In this example, the attack method and behavior of the crypto-ransomware were analyzed and it was identified that information belonging to the attacker was accessible. With this dimension, we think our study will significantly contribute to the struggle against this threat.

The Internet Protocol Version 6 (IPV6) proposed to replace IPV4 to solve scalability challenges and improve quality of service and security. Current implementation of IPv6 uses static value that is determined from the Media Access Control (MAC) address as the Interface Identifier (IID). This results in a deterministic IID for each user that is the same regardless of any network changes. This provides an eavesdropper with the ability to easily track the physical location of the communicating nodes using simple tools, such as ping and traceroute. Moreover, this address generation method provides a means to correlate network traffic with a specific user which can be achieved by filtering the IID and traffic analysis. These serious privacy breaches need to be addressed before widespread deployment of IPv6. In this paper we propose a privacy-enhanced method for generating IID which combines different network parameters. The proposed method generates non-deterministic IIDs that is resistance against correlation attack. We validate our approach using Wireshark, ping and traceroute tools and show that our proposed approach achieves better privacy compared to the existing IID generation methods.