Pierangelo Lombardo,Salvatore Saeli,Federica Bisio,Davide Bernardi,Danilo Massa

DOI: https://doi.org/10.1007/978-3-319-99136-8_25

2018-09-18

Abstract:In the last decade, the use of fast flux technique has become established as a common practice to organise botnets in Fast Flux Service Networks (FFSNs), which are platforms able to sustain illegal online services with very high availability. In this paper, we report on an effective fast flux detection algorithm based on the passive analysis of the Domain Name System (DNS) traffic of a corporate network. The proposed method is based on the near-real-time identification of different metrics that measure a wide range of fast flux key features; the metrics are combined via a simple but effective mathematical and data mining approach. The proposed solution has been evaluated in a one-month experiment over an enterprise network, with the injection of pcaps associated with different malware campaigns, that leverage FFSNs and cover a wide variety of attack scenarios. An in-depth analysis of a list of fast flux domains confirmed the reliability of the metrics used in the proposed algorithm and allowed for the identification of many IPs that turned out to be part of two notorious FFSNs, namely Dark Cloud and SandiFlux, to the description of which we therefore contribute. All the fast flux domains were detected with a very low false positive rate; a comparison of performance indicators with previous works show a remarkable improvement.

Cryptography and Security,Networking and Internet Architecture,Applications

Feilong Tang,Lu Li,Leonard Barolli,Can Tang

DOI: https://doi.org/10.1109/AINA.2017.125

2017-01-01

Abstract:Software defined networking (SDN) provides flexible management for datacenter networks with the flow-level control. Such the fine-grained management, however, consumes large amount of bandwidth between data and control planes, which results in the bottleneck in the scalability of SDN-based datacenters. "The elephant and mouse phenomenon" suggests that there are only very few elephant flows that carry the majority of bytes in datacenters so that it can improve management efficiency to detect and reroute elephant flows while leaving mice flows in data plane leveraging wildcard flow table in OpenFlow. Unfortunately, existing mechanisms for elephant flow detection suffer from high bandwidth consumption and long detection time. In this paper, we propose an efficient sampling and classification approach (ESCA) with the two-phase elephant flow detection. In the first phase, ESCA improves sampling efficiency by estimating the arrival interval of elephant flows and filtering out redundant samples using a filtering flow table. In the second phase, ESCA classifies samples with a new supervised classification algorithm based on correlation among data flows. The mathematical analysis proofs our ESCA outperforms related schemes. Extensive experiment results on real public datacenter traces further demonstrate that our ESCA can provide accurate detection with less sampled packets and shorter detection time.

Yinan Zhong,Mingyu Pan,Yanjiao Chen,Wenyuan Xu

DOI: https://doi.org/10.3390/sym16040443

2024-01-01

Abstract:The past few years have witnessed a wider adoption of Internet of Things (IoT) devices. Since IoT devices are usually deployed in an open and uncertain environment, device authentication is of great importance. However, traditional device fingerprint (DF) extraction methods have several disadvantages. First, existing DF extraction methods need private information from devices to compute DFs, which puts the privacy of devices at stake. Second, the manually designing features-based methods suffer from poor performance. To tackle these limitations, we propose a Linear Residual Neural Network-based DF extraction method, Res-DFNN, which utilizes network packet data in the pcap file to generate DF. The key block is designed according to symmetry, and it is verified by simulation that our method achieves better performance in both non-private and privacy-preserving scenarios.

Fei Yu,XiaoPing Dai,Yue Shen,Huang Huang,Miaoliang Zhu

DOI: https://doi.org/10.1109/ICSSSM.2005.1500110

2005-01-01

Abstract:The problem in network security presently is how to get real-time intrusion detection and alert. In the paper, we design Intrusion Detection System architecture and arithmetic again, meanwhile put forward an improved pattern matching arithmetic based on protocol analysis and theorization machine on Frete. New architecture can use network processor to collect and analyze data in network bottom, which enhance the speed and efficiency in Detection System.

LI Qing-shan,CHEN Zhong

DOI: https://doi.org/10.3969/j.issn.1000-7024.2012.08.004

2012-01-01

Abstract:Aimed at the shortage of current detection methods of domain-flux botnet,a method based on the alive character of domain name is proposed.The description of domains alive character is given which are generated by domain-flux botnet,and an domain-flux botnet detection method based on the alive characteristics of domain names is proposed.The detection description,detection flow and system structure are introduced.An experiment using the mirror dns traffic from an service provider is designed to validate the effectiveness of this detection method.The result shows that the method proposed do not rely on specific alphanumeric characteristics of domain names,and could find domain names efficiently used by domain-flux botnet.

Jing Chen,Xiangyan Tang,Jieren Cheng,Fengkai Wang,Ruomeng Xu

DOI: https://doi.org/10.48550/arXiv.1903.11844

2019-03-28

Abstract:Distributed denial of service (DDoS) attack becomes a rapidly growing problem with the fast development of the Internet. The existing DDoS attack detection methods have time-delay and low detection rate. This paper presents a DDoS attack detection method based on network abnormal behavior in a big data environment. Based on the characteristics of flood attack, the method filters the network flows to leave only the 'many-to-one' network flows to reduce the interference from normal network flows and improve the detection accuracy. We define the network abnormal feature value (NAFV) to reflect the state changes of the old and new IP address of 'many-to-one' network flows. Finally, the DDoS attack detection method based on NAFV real-time series is built to identify the abnormal network flow states caused by DDoS attacks. The experiments show that compared with similar methods, this method has higher detection rate, lower false alarm rate and missing rate.

Cryptography and Security

Wang Yue,Jiang Yiming,Lan Julong

DOI: https://doi.org/10.1088/1742-6596/1738/1/012127

2021-01-01

Journal of Physics: Conference Series

Abstract:Abstract Many deep learning models have been used in network intrusion detection to improve the accuracy of intrusion detection. In the existing deep learning methods, the input sample is either the feature vector extracted from the raw traffic data in advance, or directly the raw traffic data. These two categories of methods have their own limitations. In order to overcome the limitations, this paper proposes a preprocessing method based on multi-packets input unit and the raw traffic data is significantly compressed to improve the computational efficiency. To improve the computational efficiency and the detection accuracy, a deep learning model called F-CNN is designed. Experimental results on the benchmark dataset show that the proposed method has significantly improved detection accuracy and training efficiency compared with existing models with good performance.

Xuefei Yin,Yanming Zhu,Yi Xie,Jiankun Hu

DOI: https://doi.org/10.1109/OJCS.2022.3199755

2022-12-07

Abstract:Recent studies have demonstrated that smart grids are vulnerable to stealthy false data injection attacks (SFDIAs), as SFDIAs can bypass residual-based bad data detection mechanisms. The SFDIA detection has become one of the focuses of smart grid research. Methods based on deep learning technology have shown promising accuracy in the detection of SFDIAs. However, most existing methods rely on the temporal structure of a sequence of measurements but do not take account of the spatial structure between buses and transmission lines. To address this issue, we propose a spatiotemporal deep network, PowerFDNet, for the SFDIA detection in AC-model power grids. The PowerFDNet consists of two sub-architectures: spatial architecture (SA) and temporal architecture (TA). The SA is aimed at extracting representations of bus/line measurements and modeling the spatial structure based on their representations. The TA is aimed at modeling the temporal structure of a sequence of measurements. Therefore, the proposed PowerFDNet can effectively model the spatiotemporal structure of measurements. Case studies on the detection of SFDIAs on the benchmark smart grids show that the PowerFDNet achieved significant improvement compared with the state-of-the-art SFDIA detection methods. In addition, an IoT-oriented lightweight prototype of size 52 MB is implemented and tested for mobile devices, which demonstrates the potential applications on mobile devices. The trained model will be available at \textit{<a class="link-external link-https" href="https://github.com/HubYZ/PowerFDNet" rel="external noopener nofollow">this https URL</a>}.

Cryptography and Security,Artificial Intelligence,Machine Learning,Systems and Control

Xinqian Liu,Jiadong Ren,Haitao He,Bing Zhang,Chen Song,Yunxue Wang

DOI: https://doi.org/10.1016/j.jnca.2021.103079

IF: 7.574

2021-07-01

Journal of Network and Computer Applications

Abstract:<p>DDoS attack detection methods play a very important role in protecting computer network security. However, the existing flow-based DDoS attack detection methods face the non-negligible time delay and are not general for different types of DDoS attacks at different rates. In order to fill this research gap, a <strong>f</strong>ast <strong>a</strong>ll-<strong>p</strong>ackets-based <strong>D</strong>DoS attack <strong>d</strong>etection approach (FAPDD) is proposed. The FAPDD firstly designs a new time series network graph model to effectively simplify the processing of network traffic handling compared with the flow-base detections. Furthermore, it is the first time that the directed Weisfeiler-Lehman graph kernel is introduced for measuring the divergence between the current network graph and the normalization network graphs. Due to the new graph model and kernel measurement method to judge network changes, the different types and rates of DDoS attacks can be detected especially. In addition, the dynamic threshold and freezing mechanism are constructed to display standard traffic changes and prevent the pollution of attack traffic to the standard network. Finally, a number of real DDoS attack datasets are applied to evaluate the effectiveness of the proposed method, as well as the overall time efficiency and detection effect. Compared with other methods, the FAPDD can better meet the real-time requirements and achieve good detection effects in different types of DDoS attacks with different attack rates.</p>

computer science, interdisciplinary applications, software engineering, hardware & architecture

Yan Gao,Zhichun Li,Yan Chen

DOI: https://doi.org/10.1109/icdcs.2006.6

2006-01-01

Abstract:Global-scale attacks like viruses and worms are increasing in frequency, severity and sophistication, making it critical to detect outbursts at routers/gateways instead of end hosts. In this paper we leverage data streaming techniques such as the reversible sketch to obtain HiFIND, a High-speed Flow-level Intrusion Detection system. In contrast to existing intrusion detection systems, HiFIND I ) is scalable to flow-level detection on high-speed networks; 2) zs DoS resilient; 3) can distinguish SYN flooding and various port scans (mostly for worm propagation) for effective mitigation; 4 ) enables aggregate detection over multiple routers/gateways; and 5) separates anomalies to limit false positives in detection. Both theoretical analysis and evaluation with several router traces show that HiFIND achieves these properties. To the best of our knowledge, HiFIND is the first online DoS resilient flow-level intrusion detection system for high-speed networks (approximately 10s of Gigabit/second), even for the worst case trafic of 40-byte-packet streams with each packet forming a flow.

Hao Zhang,Zude Xiao,Jason Gu,Yanhua Liu

DOI: https://doi.org/10.1007/s11227-023-05474-y

IF: 3.3

2023-06-15

The Journal of Supercomputing

Abstract:With the rapid development of network technology, the Internet has brought significant convenience to various sectors of society, holding a prominent position. Due to the unpredictable and severe consequences resulting from malicious attacks, the detection of anomalous network traffic has garnered considerable attention from researchers over the past few decades. Accurately labeling a sufficient amount of network traffic data as a training dataset within a short period of time is a challenging task, given the rapid and massive generation of network traffic data. Furthermore, the proportion of malicious attack traffic is relatively small compared to the overall traffic data, and the distribution of traffic data across different types of malicious attacks also varies significantly. To address the aforementioned challenges, this paper presents a novel network anomaly detection algorithm based on semi-supervised learning and adaptive multiclass balancing. Building upon the assumption of consistent distribution between labeled and unlabeled data, this paper introduces the multiclass split balancing strategy and the adaptive confidence threshold function. These innovative approaches aim to tackle the issue of the multiclass imbalanced in traffic data. By leveraging the mutually beneficial relationship between semi-supervised learning and ensemble learning, this paper presents the collaborative rotation forest algorithm. This algorithm is specifically designed to enhance performance of anomaly detection in an environment with label inadequacy. Several comparative experiments conducted on the NSL-KDD, UNSW-NB15, and ToN-IoT demonstrate that the proposed algorithm achieves significant improvements in performance. Specifically, it enhances precision by 1.5–5.7%, recall by 1.5−5.7%, and F-Measure by 1.4−4.3% compared to the state-of-the-art algorithms.

computer science, theory & methods,engineering, electrical & electronic, hardware & architecture

Yunhui Wang,Weichu Zheng,Zifei Liu,Jinyan Wang,Hongjian Shi,Mingyu Gu,Yicheng Di

DOI: https://doi.org/10.3390/electronics12194049

IF: 2.9

2023-09-27

Electronics

Abstract:The rapid development of cloud–fog–edge computing and mobile devices has led to massive amounts of data being generated. Also, artificial intelligence technology, like machine learning and deep learning, is widely used to mine the value of the data. Specifically, detecting attacks on the cloud–fog–edge computing system using mobile devices is essential. External attacks on network press organizations led to anomaly flow in network traffic. The network intrusion detection system (NIDS) has been an effective method for detecting anomaly flow. However, the NIDS is hard to deploy in distributed networks because network flow data are kept private. Existing methods cannot obtain an accurate NIDS under such a federated scenario. To construct an NIDS while preserving data privacy, we propose a combined model that integrates binary classifiers into a whole network based on simple classifier networks to specify the type of attack on anomalous data and offer instruction to other security system components. We also introduce federated learning (FL) methods into our system and design a new aggregation algorithm named vertical blocking aggregation (FedVB) according to our model structure. Our experiments demonstrate that our system can be more effective than simple multi-classifiers in terms of accuracy and significantly reduce communication and computation overhead when applying FedVB.

engineering, electrical & electronic,computer science, information systems,physics, applied

Zhou Changling,Xiao Jianguo,Cui Jian,Zhang Bei,Li Feng

DOI: https://doi.org/10.48550/arXiv.1503.04277

2015-03-14

Abstract:Knowledge about which nodes provide services is of critical importance for network administrators. Discovery of service nodes can be done by making full use of duplicate element detection in flows. Because the amount of traffic across network is massive, especially in large ISPs or campus networks, we propose an approximate algorithm with Round-robin Buddy Bloom Filters(RBBF) for service detection using NetFlow data solely. The properties and analysis of RBBF data structure are also given. Our method has better time/space efficiency than conventional algorithm with a small false positive rate.%portion of false positive. We also demonstrate the contributions through a prototype system by real world case studies.

Networking and Internet Architecture

Chongzhen Zhang,Yanli Chen,Yang Meng,Fangming Ruan,Runze Chen,Yidan Li,Yaru Yang

DOI: https://doi.org/10.1155/2021/6610675

IF: 1.968

2021-01-25

Security and Communication Networks

Abstract:Traditional machine learning-based intrusion detection often only considers a single algorithm to identify intrusion data, lack of the flexibility method, low detection rate, no handing high-dimensional data, and cannot solve these problems well. In order to improve the performance of intrusion detection system, a novel general intrusion detection framework was proposed in this paper, which consists of five parts: preprocessing module, autoencoder module, database module, classification module, and feedback module. The data processed by the preprocessing module are compressed by the autoencoder module to obtain a lower-dimensional reconstruction feature, and the classification result is obtained through the classification module. Compressed features of each traffic are stored in the database module which can both provide retraining and testing for the classification module and restore these features to the original traffic for postevent analysis and forensics. For evaluation of the framework performance proposed, simulation was conducted with the CICIDS2017 dataset to the real traffic of the network. As the experimental results, the accuracy of binary classification and multiclass classification is better than previous work, and high-level accuracy was reached for the restored traffic. At the last, the possibility was discussed on applying the proposed framework to edge/fog networks.

computer science, information systems,telecommunications

Guodong Fang,Zhihong Deng,Hao Ma

DOI: https://doi.org/10.1109/FSKD.2009.444

2009-01-01

Abstract:To keep the network secure, it is necessary to monitor network traffic timely and effectively. The traditional methods for detecting network anomalies were mainly based on such ways as sampling, counting and aggregating, but they can not solve the problem of getting accurate and effective results well. In this paper we propose a new method that is based on the basic properties of frequent pattern mining problem and makes use of the vertical mining methods to mine frequent patterns from network traffic. Based on this algorithm, we build a prototype system to evaluate our algorithm on huge netflow data of campus network. The experimental result shows that this algorithm can detect network anomalies timely and effectively and can help network administrators achieve more effective monitoring on network.

William Marfo,Deepak K. Tosh,Shirley V. Moore

DOI: https://doi.org/10.48550/arXiv.2303.07452

2023-03-14

Abstract:Due to the veracity and heterogeneity in network traffic, detecting anomalous events is challenging. The computational load on global servers is a significant challenge in terms of efficiency, accuracy, and scalability. Our primary motivation is to introduce a robust and scalable framework that enables efficient network anomaly detection. We address the issue of scalability and efficiency for network anomaly detection by leveraging federated learning, in which multiple participants train a global model jointly. Unlike centralized training architectures, federated learning does not require participants to upload their training data to the server, preventing attackers from exploiting the training data. Moreover, most prior works have focused on traditional centralized machine learning, making federated machine learning under-explored in network anomaly detection. Therefore, we propose a deep neural network framework that could work on low to mid-end devices detecting network anomalies while checking if a request from a specific IP address is malicious or not. Compared to multiple traditional centralized machine learning models, the deep neural federated model reduces training time overhead. The proposed method performs better than baseline machine learning techniques on the UNSW-NB15 data set as measured by experiments conducted with an accuracy of 97.21% and a faster computation time.

Machine Learning,Distributed, Parallel, and Cluster Computing

Zhe Chen

DOI: https://doi.org/10.13052/jcsm2245-1439.1349

2024-06-14

Journal of Cyber Security and Mobility

Abstract:At present, the secure campus network strategy adopts technical means such as distinguishing applications and limiting them separately, but they have triggered other new problems, greatly affecting the unity of network resources and data. The relatively dispersed network architecture will inevitably limit the further development and expansion of the campus network. Therefore, when universities plan their networks, they must consider whether the network is safe, complete, smooth, and sustainable for smooth upgrading and development. In order to improve the effect of campus network security intrusion detection, this paper combines feature segmentation and deep learning technology to construct a campus network security intrusion detection model. To reduce the transmission time of query requirements in the grid, this paper improves the replica management mechanism and requires the information server to cache the Bloom Filter structure of nodes in its successor node list. Moreover, this paper uses the Compressed Bloom Filter algorithm to compress the Bloom Filter structure that needs to be transmitted, therefore reducing the network traffic generated during the update process of the Bloom Filter structure copy and avoiding network congestion. It also constructs a campus network security intrusion detection model based on feature segmentation and deep learning. Through experimental verification, the effectiveness of the system in intrusion detection, user evaluation, information processing, and other aspects is verified, and it has certain advantages compared to traditional algorithms. Through experimental research, it can be seen that the campus network security intrusion detection model based on feature segmentation and deep learning proposed in the paper can effectively improve the effect of campus network security monitoring. The method proposed in this article can not only be applied to campus network security, but also to the network security management of enterprises and other units, with certain scalability

Rinkel Hananto,Charles Lim,Heru Purnomo Ipung

DOI: https://doi.org/10.1145/3199478.3199505

2018-03-16

Abstract:With more and more organization in the world rely on the Internet to do their business or activity, the malicious attackers are always looking for ways to penetrate in organization internal network to achieve their malicious goals. The malicious activities may include spam distribution, denial of service, adware, identity theft and many other security threats. Many of the security perimeter devices only able to detect network security threats from external, organization is left with many undetected or even unknown internal security threats. Many of these network security threats can be detected by monitoring and analyzing network traffic. One of the emerging threats is Domain Name System (DNS) Distributed Denial of Service (DDoS) attack, which flood the authoritative DNS server with large amount of DNS request. We introduce a new method to detect DDoS attack by using Netflow traffic as the early indicator of DDOS attacks and DNS traffic to validate the DNS DDOS attack. We also showed that by measuring statistical entropy of Netflow traffic and statistical values of DNS NXDOMAIN response, our proposed model could be used to detect either low volume or high volume DDoS attack.

Zhiliang Wang,Changping Zhou,Yang Yu,Xingang Shi,Xia Yin,Jiangyuan Yao

DOI: https://doi.org/10.1007/978-3-030-00012-7_5

2018-01-01

Abstract:Heavy Hitters refer to the set of flows that represent a significantly large proportion of the link capacity or of the active traffic. Identifying Heavy Hitters is of particular importance in both network management and security applications. Traditional methods are focusing on sampling in the middle box and analyzing those packets using streaming algorithms. The paradigm of Software Defined Network (SDN) simplifies the work of flow counting. However, continuously monitoring the network will introduce overhead, which needs to be considered as a tradeoff between accurate measurement in real-time. In this paper, We propose a novel method that stamps each suspicious flow with a weight based on an online learning algorithm. The granularity of measurement is dynamically changed according to the importance of each flow. We take advantage of history flows to make the procedure of finding a heavy hitter faster so that applications can make decisions instantly. Using real-world data, we show that our online learning method can detect heavy hitters faster with less overhead and the same accuracy.

Ying Liu,Zhiqiang Wang,Shufang Pang,Lei Ju

DOI: https://doi.org/10.3390/electronics13234720

IF: 2.9

2024-11-30

Electronics

Abstract:With the wide deployment of edge devices, distributed network traffic data are rapidly increasing. Traditional detection methods for malicious traffic rely on centralized training, in which a single server is often used to aggregate private traffic data from edge devices, so as to extract and identify features. However, these methods face difficult data collection, heavy computational complexity, and high privacy risks. To address these issues, this paper proposes a federated learning-based distributed malicious traffic detection framework, FL-CNN-Traffic. In this framework, edge devices utilize a convolutional neural network (CNN) to process local detection, data collection, feature extraction, and training. A server aggregates model updates from edge devices using four federated learning algorithms (FedAvg, FedProx, Scaffold, and FedNova) to build a global model. This framework allows multiple devices to collaboratively train a model without sharing private traffic data, addressing the "Data Silo" problem while ensuring privacy. Evaluations on the USTC-TFC2016 dataset show that for independent and identically distributed (IID) data, this framework can reach or exceed the performance of centralized deep learning methods. For Non-IID data, this framework outperforms other neural networks based on federated learning, with accuracy improvements ranging from 2.59% to 4.73%.

engineering, electrical & electronic,computer science, information systems,physics, applied