Carlos Sarraute,Fernando Miranda,Jose I. Orlicki

DOI: https://doi.org/10.48550/arXiv.1006.2407

2010-06-12

Abstract:In this work we present a prototype for simulating computer network attacks. Our objective is to simulate large networks (thousands of hosts, with applications and vulnerabilities) while remaining realistic from the attacker's point of view. The foundation for the simulator is a model of computer intrusions, based on the analysis of real world attacks. In particular we show how to interpret vulnerabilities and exploits as communication channels. This conceptual model gives a tool to describe the theater of operations, targets, actions and assets involved in multistep network attacks. We conclude with applications of the attack simulator.

Cryptography and Security

Vladimir Ciric,Marija Milosevic,Danijel Sokolovic,Ivan Milentijevic

DOI: https://doi.org/10.1016/j.simpat.2024.102916

IF: 4.199

2024-02-01

Simulation Modelling Practice and Theory

Abstract:In an increasingly digitalized world, cybersecurity has emerged as a critical component of safeguarding sensitive information and infrastructure from malicious threats. The threat actors are often in line or even one step ahead of the defense, causing the increasing reliance of security teams on artificial intelligence while trying to detect zero-day attacks. However, most of the cybersecurity solutions based on artificial intelligence that can be found in the literature are trained and tested on reference datasets that are at least five or more years old, which gives a vague insight into their security performances. Moreover, they often tend to be designed as isolated, self-focused components. The aim of this paper is to design and implement a modular network intrusion detection architecture capable of simulating cyberattacks based on real-world scenarios while evaluating its defense capabilities. The architecture is designed as a full pipeline from real-time network data collection and transformation to threat-information presentation and visualization, with a pre-trained artificial intelligence module at its core. Well-known components like CICFlowMeter, Prometheus, and Grafana are used and modified to fit our data preparation and core modules to form the proposed architecture for real-world network traffic security monitoring. For the sake of cyberattack simulation, the proposed architecture is situated within a virtual environment, surrounded by the Kali Linux-based penetration simulation agent on one side and a vulnerable agent on the other. The intrusion detection artificial intelligence module is trained on the CICIDS-2017 dataset, and it is demonstrated using the proposed architecture that, despite being trained on an outdated dataset, the trained module is still effective in detecting sophisticated modern attacks. Two case studies are given to illustrate how modular architectures and virtual environments can be valuable tools to assess the security properties of artificial intelligence-based solutions through simulation in real-world scenarios.

computer science, interdisciplinary applications, software engineering

Giovanni Apruzzese,Mauro Andreolini,Luca Ferretti,Mirco Marchetti,Michele Colajanni

DOI: https://doi.org/10.1145/3469659

2021-06-19

Digital Threats: Research and Practice

Abstract:The incremental diffusion of machine learning algorithms in supporting cybersecurity is creating novel defensive opportunities but also new types of risks. Multiple researches have shown that machine learning methods are vulnerable to adversarial attacks that create tiny perturbations aimed at decreasing the effectiveness of detecting threats. We observe that existing literature assumes threat models that are inappropriate for realistic cybersecurity scenarios because they consider opponents with complete knowledge about the cyber detector or that can freely interact with the target systems. By focusing on Network Intrusion Detection Systems based on machine learning, we identify and model the real capabilities and circumstances required by attackers to carry out feasible and successful adversarial attacks. We then apply our model to several adversarial attacks proposed in literature and highlight the limits and merits that can result in actual adversarial attacks. The contributions of this paper can help hardening defensive systems by letting cyber defenders address the most critical and real issues, and can benefit researchers by allowing them to devise novel forms of adversarial attacks based on realistic threat models.

Gang Chen,Shang Xiang,GuanQun Ji,YiLong Jia

DOI: https://doi.org/10.1109/iccms.2009.52

2009-01-01

Abstract:Soldiers possessing of network attack-defense ability are the key factor for future information war. Aiming at the problem of lacking daily training and drilling environment, a method of building Network Attack-Defense Simulation Training System (NADSTS) based on HLA is put forward. With the method, attack and defense training are designed as different federation member. The system is divided to presentation, application and adapter layer clearly. Key technologies involves network attack-defense, network simulation and simulation driving are also presented. Software is developed based on plug-in framework. Its simulation examples show greatest traits on building similar large-scale simulation system.

DOI: https://doi.org/10.52866/ijcsm.2022.02.01.008

2022-03-18

Iraqi Journal for Computer Science and Mathematics

Abstract:The need for network intrusion detection systems (NIDS) to protect against different attacks grows as the scale of cyber attacks increases. The main areas of cyber attack research are its detection and prevention. Traditional machine learning (ML) algorithms with low accuracy are used by the current NIDS, but it is not suitable for newer anonymous cyber attacks. In this paper, an NIDS model with ensemble ML methods, which can detect and prevent different types of attacks compared with traditional ML methods, is proposed. Our specific system detects known attacks and blocks unknown attacks. The selected system uses four different machine learning methods, including data processing techniques for data preprocessing and data labeling. The entire NSL-KDD database is used to evaluate the performance of various ML classifiers based on different parameters. The simulation analysis shows that the developed NIDS system is better than the existing single ML methods. The detection accuracy rate of intrusion detection system (IDS) is increased by the model, which is essential for NIDS.

Yannis Nikoloudakis,Ioannis Kefaloukos,Stylianos Klados,Spyros Panagiotakis,Evangelos Pallis,Charalabos Skianis,Evangelos K. Markakis

DOI: https://doi.org/10.3390/s21144939

IF: 3.9

2021-07-20

Sensors

Abstract:The ever-increasing number of internet-connected devices, along with the continuous evolution of cyber-attacks, in terms of volume and ingenuity, has led to a widened cyber-threat landscape, rendering infrastructures prone to malicious attacks. Towards addressing systems’ vulnerabilities and alleviating the impact of these threats, this paper presents a machine learning based situational awareness framework that detects existing and newly introduced network-enabled entities, utilizing the real-time awareness feature provided by the SDN paradigm, assesses them against known vulnerabilities, and assigns them to a connectivity-appropriate network slice. The assessed entities are continuously monitored by an ML-based IDS, which is trained with an enhanced dataset. Our endeavor aims to demonstrate that a neural network, trained with heterogeneous data stemming from the operational environment (common vulnerability enumeration IDs that correlate attacks with existing vulnerabilities), can achieve more accurate prediction rates than a conventional one, thus addressing some aspects of the situational awareness paradigm. The proposed framework was evaluated within a real-life environment and the results revealed an increase of more than 4% in the overall prediction accuracy.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Sung -Do Chi,Jong Sou Park,Ki -Chan Jung,Jang -Se Lee

DOI: https://doi.org/10.1007/3-540-47719-5_26

2001-01-01

Abstract:The major objective of this paper is to develop the network security modeling and cyber attack simulation that is able to classify threats, specify attack mechanisms, verify protection mechanisms, and evaluate consequences. To do this, we have employed the advanced modeling and simulation concepts such as System Entity Structure / Model Base framework, DEVS (Discrete Event System Specification) formalism, and experimental frame concept underlying the object-oriented S/W environment. Our approach is to show the difference from others in that (i) it supports a hierarchical and modular modeling environment, (ii) it generates the command-level behavior of cyber attack scenario, (iii) it provides an efficient model building environment based on the experimental frame concept, and (iv) it supports the vulnerability analysis of given node on the network. Simulation test performed on sample network system will illustrate our techniques.

Abdulsalam O. Alzahrani,Mohammed J. F. Alenazi

DOI: https://doi.org/10.3390/fi13050111

2021-04-28

Future Internet

Abstract:Software-defined Networking (SDN) has recently developed and been put forward as a promising and encouraging solution for future internet architecture. Managed, the centralized and controlled network has become more flexible and visible using SDN. On the other hand, these advantages bring us a more vulnerable environment and dangerous threats, causing network breakdowns, systems paralysis, online banking frauds and robberies. These issues have a significantly destructive impact on organizations, companies or even economies. Accuracy, high performance and real-time systems are essential to achieve this goal successfully. Extending intelligent machine learning algorithms in a network intrusion detection system (NIDS) through a software-defined network (SDN) has attracted considerable attention in the last decade. Big data availability, the diversity of data analysis techniques, and the massive improvement in the machine learning algorithms enable the building of an effective, reliable and dependable system for detecting different types of attacks that frequently target networks. This study demonstrates the use of machine learning algorithms for traffic monitoring to detect malicious behavior in the network as part of NIDS in the SDN controller. Different classical and advanced tree-based machine learning techniques, Decision Tree, Random Forest and XGBoost are chosen to demonstrate attack detection. The NSL-KDD dataset is used for training and testing the proposed methods; it is considered a benchmarking dataset for several state-of-the-art approaches in NIDS. Several advanced preprocessing techniques are performed on the dataset in order to extract the best form of the data, which produces outstanding results compared to other systems. Using just five out of 41 features of NSL-KDD, a multi-class classification task is conducted by detecting whether there is an attack and classifying the type of attack (DDoS, PROBE, R2L, and U2R), accomplishing an accuracy of 95.95%.

Abdulsalam O. Alzahrani,Mohammed J. F. Alenazi

DOI: https://doi.org/10.1002/cpe.7438

2022-11-13

Concurrency and Computation: Practice and Experience

Abstract:Summary Software‐defined networking (SDN) has been developed to separate network control plane from forwarding plane which can decrease operational costs and the time it takes to deploy new services compared to traditional networks. Despite these advantages, this technology brings threats and vulnerabilities. Consequently, developing high‐performance real‐time intrusion detection systems (IDSs) to classify malicious activities is a vital part of SDN architecture. This article introduces two created datasets generated from SDN using Mininet and Ryu controller with different feature extraction tools that contain normal traffic and different types of attacks (Fin flood, UDP flood, ICMP flood, OS probe scan, port probe scan, TCP bandwidth flood, and TCP syn flood) that is used for training a number of supervised binary classification machine learning algorithms such as k‐nearest neighbor, AdaBoost, decision tree (DT), random forest, naive Bayes, multilayer perceptron, support vector machine, and XGBoost. The DT algorithm has achieved high scores to fit a real‐time application achieving F1 score on attack class of 0.9995, F1 score on normal class of 0.9983, and throughput score of 6,737,147.275 samples per second with a total number of three features. In addition, using data preprocessing to reduce the model complexity, thereby increasing the overall throughput to fit a real‐time system.

Vincenzo Giuliano,Valerio Formicola

DOI: https://doi.org/10.48550/arXiv.1909.01910

2019-09-04

Cryptography and Security

Abstract:Maintenance staff of Industrial Control Systems (ICS) is generally not aware about information technologies, and even less about cyber security problems. The scary impact of cyber attacks in the industrial world calls for tools to train defensive skills and test effective security measures. Cyber range offers this opportunity, but current research is lacking cost-effective solutions verticalized for the industrial domain. This work proposes ICSrange, a simulation-based cyber range platform for Industrial Control Systems. ICSrange adopts Commercial-Off-The-Shelf (COTS) technologies to virtualize an enterprise network connected to Industrial Control Systems. ICSrange is the outcome of a preliminary study intended to investigate challenges and opportunities to build a configurable and extensible cyber range with simulated industrial processes. Literature shows that testbeds based on realistic mock-ups are effectively employed to develop complex exploits like Advanced Persistent Threats (APTs), hence motivating their usage to train and test security in ICS. We prove the effectiveness of ICSrange through the execution of a multi-staged attack that breaches an enterprise network and progressively intrudes a simulated ICS with water tanks. The attack mimics lateral movements as observed in APTs.

Zaid Mustafa,Rashid Amin,Hamza Aldabbas,Naeem Ahmed

DOI: https://doi.org/10.1007/s10586-024-04430-6

2024-04-27

Cluster Computing

Abstract:There has been a discernible rise in the growth and progress of the Internet, networking, and mobile communication. The complexity of networking systems has increased due to the advancements in devices, resources, and infrastructure. A novel and developing network technology called software-defined networking (SDN), gets beyond the drawbacks of conventional networks and gives networking systems intelligent control. While SDN is the most adaptable and promising network management control solution, its implementation also introduces a number of new security risks. There is a need to deploy networking systems intelligently to manage, optimize, and organize these complex systems. Machine learning (ML) approaches have been extensively utilized to detect many attacks, and an ML technique may assist the network administrator in taking the necessary precautions to avoid intrusions. In SDN, ML techniques are used to manage the network and make Network Intrusion Detection Systems (NIDS) detect network attacks like Distributed Denial of Service (DDoS) and Denial of Service (DoS) attacks. This paper comprehensively surveys ML and Deep Learning (DL) algorithms and techniques used for intrusion detection in SDN. Different studies are categorized accordingly, such as supervised, unsupervised, and deep learning models. Research studies are compared in the form of a table, and learned lessons are also leveraged for each category. Finally, this survey presents the key challenges faced in implementing different intrusion detection techniques in SDN before comprehensively highlighting future research directions.

computer science, information systems, theory & methods

Khushnaseeb Roshan,Aasim Zafar,Shiekh Burhan Ul Haque

2023-08-01

Abstract:Network Intrusion Detection System (NIDS) is an essential tool in securing cyberspace from a variety of security risks and unknown cyberattacks. A number of solutions have been implemented for Machine Learning (ML), and Deep Learning (DL) based NIDS. However, all these solutions are vulnerable to adversarial attacks, in which the malicious actor tries to evade or fool the model by injecting adversarial perturbed examples into the system. The main aim of this research work is to study powerful adversarial attack algorithms and their defence method on DL-based NIDS. Fast Gradient Sign Method (FGSM), Jacobian Saliency Map Attack (JSMA), Projected Gradient Descent (PGD) and Carlini & Wagner (C&W) are four powerful adversarial attack methods implemented against the NIDS. As a defence method, Adversarial Training is used to increase the robustness of the NIDS model. The results are summarized in three phases, i.e., 1) before the adversarial attack, 2) after the adversarial attack, and 3) after the adversarial defence. The Canadian Institute for Cybersecurity Intrusion Detection System 2017 (CICIDS-2017) dataset is used for evaluation purposes with various performance measurements like f1-score, accuracy etc.

Cryptography and Security,Artificial Intelligence,Machine Learning

Safras Iqbal,Peter Ball,Muhammad H Kamarudin,Andrew Bradley

DOI: https://doi.org/10.48550/arXiv.2202.07704

2022-02-16

Abstract:Connected and Autonomous Vehicles (CAVs) rely on Vehicular Adhoc Networks with wireless communication between vehicles and roadside infrastructure to support safe operation. However, cybersecurity attacks pose a threat to VANETs and the safe operation of CAVs. This study proposes the use of simulation for modelling typical communication scenarios which may be subject to malicious attacks. The Eclipse MOSAIC simulation framework is used to model two typical road scenarios, including messaging between the vehicles and infrastructure - and both replay and bogus information cybersecurity attacks are introduced. The model demonstrates the impact of these attacks, and provides an open dataset to inform the development of machine learning algorithms to provide anomaly detection and mitigation solutions for enhancing secure communications and safe deployment of CAVs on the road.

Cryptography and Security,Machine Learning

Asma Hassan Alshehri

DOI: https://doi.org/10.7717/peerj-cs.2257

2024-08-30

PeerJ Computer Science

Abstract:The Internet of Things (IoT) is revolutionizing diverse sectors like business, healthcare, and the military, but its widespread adoption has also led to significant security challenges. IoT networks, in particular, face increasing vulnerabilities due to the rapid proliferation of connected devices within smart infrastructures. Wireless sensor networks (WSNs) comprise software, gateways, and small sensors that wirelessly transmit and receive data. WSNs consist of two types of nodes: generic nodes with sensing capabilities and gateway nodes that manage data routing. These sensor nodes operate under constraints of limited battery power, storage capacity, and processing capabilities, exposing them to various threats, including wormhole attacks. This study focuses on detecting wormhole attacks by analyzing the connectivity details of network nodes. Machine learning (ML) techniques are proposed as effective solutions to address these modern challenges in wormhole attack detection within sensor networks. The base station employs two ML models, a support vector machine (SVM) and a deep neural network (DNN), to classify traffic data and identify malicious nodes in the network. The effectiveness of these algorithms is validated using traffic generated by the NS3.37 simulator and tested against real-world scenarios. Evaluation metrics such as average recall, false positive rates, latency, end-to-end delay, response time, throughput, energy consumption, and CPU utilization are used to assess the performance of the proposed models. Results indicate that the proposed model outperforms existing methods in terms of efficacy and efficiency.

computer science, information systems, artificial intelligence, theory & methods

Daniel Reti,Karina Elzer,Daniel Fraunholz,Daniel Schneider,Hans-Dieter Schotten

DOI: https://doi.org/10.1145/3560828.3564006

2023-01-25

Abstract:In the field of network security, with the ongoing arms race between attackers, seeking new vulnerabilities to bypass defense mechanisms and defenders reinforcing their prevention, detection and response strategies, the novel concept of cyber deception has emerged. Starting from the well-known example of honeypots, many other deception strategies have been developed such as honeytokens and moving target defense, all sharing the objective of creating uncertainty for attackers and increasing the chance for the attacker of making mistakes. In this paper a methodology to evaluate the effectiveness of honeypots and moving target defense in a network is presented. This methodology allows to quantitatively measure the effectiveness in a simulation environment, allowing to make recommendations on how many honeypots to deploy and on how quickly network addresses have to be mutated to effectively disrupt an attack in multiple network and attacker configurations. With this optimum, attacks can be detected and slowed down with a minimal resource and configuration overhead. With the provided methodology, the optimal number of honeypots to be deployed and the optimal network address mutation interval can be determined. Furthermore, this work provides guidance on how to optimally deploy and configure them with respect to the attacker model and several network parameters.

Cryptography and Security

Maede Zolanvari,Marcio A. Teixeira,Lav Gupta,Khaled M. Khan,Raj Jain

DOI: https://doi.org/10.48550/arXiv.1911.05771

2019-11-14

Abstract:It is critical to secure the Industrial Internet of Things (IIoT) devices because of potentially devastating consequences in case of an attack. Machine learning and big data analytics are the two powerful leverages for analyzing and securing the Internet of Things (IoT) technology. By extension, these techniques can help improve the security of the IIoT systems as well. In this paper, we first present common IIoT protocols and their associated vulnerabilities. Then, we run a cyber-vulnerability assessment and discuss the utilization of machine learning in countering these susceptibilities. Following that, a literature review of the available intrusion detection solutions using machine learning models is presented. Finally, we discuss our case study, which includes details of a real-world testbed that we have built to conduct cyber-attacks and to design an intrusion detection system (IDS). We deploy backdoor, command injection, and Structured Query Language (SQL) injection attacks against the system and demonstrate how a machine learning based anomaly detection system can perform well in detecting these attacks. We have evaluated the performance through representative metrics to have a fair point of view on the effectiveness of the methods.

Cryptography and Security,Machine Learning,Networking and Internet Architecture

Khushnaseeb Roshan,Aasim Zafar,Sheikh Burhan Ul Haque

DOI: https://doi.org/10.1016/j.comcom.2023.09.030

2023-10-08

Abstract:Network Intrusion Detection System (NIDS) is a key component in securing the computer network from various cyber security threats and network attacks. However, consider an unfortunate situation where the NIDS is itself attacked and vulnerable more specifically, we can say, How to defend the defender?. In Adversarial Machine Learning (AML), the malicious actors aim to fool the Machine Learning (ML) and Deep Learning (DL) models to produce incorrect predictions with intentionally crafted adversarial examples. These adversarial perturbed examples have become the biggest vulnerability of ML and DL based systems and are major obstacles to their adoption in real-time and mission-critical applications such as NIDS. AML is an emerging research domain, and it has become a necessity for the in-depth study of adversarial attacks and their defence strategies to safeguard the computer network from various cyber security threads. In this research work, we aim to cover important aspects related to NIDS, adversarial attacks and its defence mechanism to increase the robustness of the ML and DL based NIDS. We implemented four powerful adversarial attack techniques, namely, Fast Gradient Sign Method (FGSM), Jacobian Saliency Map Attack (JSMA), Projected Gradient Descent (PGD) and Carlini & Wagner (C&W) in NIDS. We analyzed its performance in terms of various performance metrics in detail. Furthermore, the three heuristics defence strategies, i.e., Adversarial Training (AT), Gaussian Data Augmentation (GDA) and High Confidence (HC), are implemented to improve the NIDS robustness under adversarial attack situations. The complete workflow is demonstrated in real-time network with data packet flow. This research work provides the overall background for the researchers interested in AML and its implementation from a computer network security point of view.

Machine Learning

Zong-Zhi Lin,Thomas D. Pike,Mark M. Bailey,Nathaniel D. Bastian

DOI: https://doi.org/10.1109/tsmc.2024.3446635

2024-10-19

IEEE Transactions on Systems Man and Cybernetics Systems

Abstract:Network intrusion detection systems (NIDSs) to detect malicious attacks continue to meet challenges. NIDS are often developed offline while they face auto-generated port scan infiltration attempts, resulting in a significant time lag from adversarial adaption to NIDS response. To address these challenges, we use hypergraphs (HGs) focused on Internet protocol (IP) addresses and destination ports to capture evolving patterns of port scan attacks. The derived set of HG-based metrics are then used to train an ensemble machine learning (ML)-based NIDS that allows for real-time adaption in monitoring and detecting port scanning activities, other types of attacks, and adversarial intrusions at high accuracy, precision and recall performances. This ML adapting NIDS was developed through the combination of 1) intrusion examples; 2) NIDS update rules; 3) attack threshold choices to trigger NIDS retraining requests; and 4) a production environment with no prior knowledge of the nature of network traffic. 40 scenarios were auto-generated to evaluate the ML ensemble NIDS comprising three tree-based models. The resulting ML ensemble NIDS was extended and evaluated with the CIC-IDS2017 dataset. Results show that under the model settings of an Update-ALL-NIDS rule (specifically retrain and update all the three models upon the same NIDS retraining request) the proposed ML ensemble NIDS evolved intelligently and produced the best results with nearly 100% detection performance throughout the simulation.

automation & control systems,computer science, cybernetics

Sabrine Ennaji,Fabio De Gaspari,Dorjan Hitaj,Alicia Kbidi,Luigi V. Mancini

2024-10-22

Abstract:Machine learning has brought significant advances in cybersecurity, particularly in the development of Intrusion Detection Systems (IDS). These improvements are mainly attributed to the ability of machine learning algorithms to identify complex relationships between features and effectively generalize to unseen data. Deep neural networks, in particular, contributed to this progress by enabling the analysis of large amounts of training data, significantly enhancing detection performance. However, machine learning models remain vulnerable to adversarial attacks, where carefully crafted input data can mislead the model into making incorrect predictions. While adversarial threats in unstructured data, such as images and text, have been extensively studied, their impact on structured data like network traffic is less explored. This survey aims to address this gap by providing a comprehensive review of machine learning-based Network Intrusion Detection Systems (NIDS) and thoroughly analyzing their susceptibility to adversarial attacks. We critically examine existing research in NIDS, highlighting key trends, strengths, and limitations, while identifying areas that require further exploration. Additionally, we discuss emerging challenges in the field and offer insights for the development of more robust and resilient NIDS. In summary, this paper enhances the understanding of adversarial attacks and defenses in NIDS and guide future research in improving the robustness of machine learning models in cybersecurity applications.

Cryptography and Security,Emerging Technologies,Networking and Internet Architecture