Songyun Wu,Bo Wang,Zhiliang Wang,Shuhan Fan,Jiahai Yang,Jia Li

DOI: https://doi.org/10.1016/j.cose.2022.102696

2022-06-01

Abstract:Recently, sophisticated attacks on cyberspace have occurred frequently, causing severe damage to the Internet. Predicting potential threats can assist security engineers in deploying corresponding defenses in advance to reduce the damage. Thus, threat prediction has drawn attention in communities recently. Previous works utilized merely historical security event sequences to predict the subsequent event through the recurrent neural network (RNN), yielding inaccurate results when the input sequence is corrupted by false reports from underlying detection logs. In this paper, we develop a joint predictor for security events and time intervals through attention-based LSTM(Long Short-Term Memory). To enhance the event predicting performance for corrupted input sequences, time intervals between events are incorporated into the input tuple, providing more distinguishing features. Moreover, a time discretization method is proposed to transform the skewed long-tail dwell time distribution into a predictable distribution of the time interval. In addition, the joint optimization function enables the model to predict the occurrence time of the next event simultaneously, which is supportive for security managers to select appropriate defenses. Our model is proved to be effective on four real-world datasets, outperforming previous methods on both event and time prediction. Moreover, the empirical results also validate the model's stability.

computer science, information systems

Zian Jia,Xiaosu Wang,Yun Xiong,Yao Zhang,JinJing Zhao

DOI: https://doi.org/10.1109/dsc55868.2022.00056

2022-01-01

Abstract:Advanced Persistent Threats (APT) are difficult to detect and defend due to their high variability and concealment. Current APT detection and investigation approaches suffer from two major problems. First, most recent models heavily rely on heuristic rules derived from a large amount of expensive prior knowledge, which in turn prevents the models from generalizing to new types of APT attacks. Second, the development of existing fully supervised models is limited by the scarcity of APT attack data. In this paper, we first construct the provenance graph by introducing logical entities to reduce the dependency on prior knowledge. Then we propose a novel self-supervised representation-learning based model, AISLE, for the investigation of the APT attack, which consists of a graph structure encoder (GSE) and an entity interaction pattern encoder (IPE). The GSE employs a graph attention auto-encoder to effectively compress the structural information of the graph; and the IPE employs a LSTM auto-encoder to extract the interaction patterns of entities from their interaction history. The two entity embeddings calculated respectively by the two auto-encoders are concatenated to form the final representation of the entity, which is evaluated by the attack investigation module to identify attack entities. Our model is evaluated on ten real-world APT attacks in a realistic virtual environment. The results show that our model can achieve superior generalization ability and consistently outperform the latest state-of-the-art APT attack investigation approaches.

Haofang Zhang,Chunying Kang,Yao Xiao

DOI: https://doi.org/10.3390/s21144788

IF: 3.9

2021-07-13

Sensors

Abstract:To better understand the behavior of attackers and describe the network state, we construct an LSTM-DT model for network security situation awareness, which provides risk assessment indicators and quantitative methods. This paper introduces the concept of attack probability, making prediction results more consistent with the actual network situation. The model is focused on the problem of the time sequence of network security situation assessment by using the decision tree algorithm (DT) and long short-term memory(LSTM) network. The biggest innovation of this paper is to change the description of the network situation in the original dataset. The original label only has attack and normal. We put forward a new idea which regards attack as a possibility, obtaining the probability of each attack, and describing the network situation by combining the occurrence probability and attack impact. Firstly, we determine the network risk assessment indicators through the dataset feature distribution, and we give the network risk assessment index a corresponding weight based on the analytic hierarchy process (AHP). Then, the stack sparse auto-encoder (SSAE) is used to learn the characteristics of the original dataset. The attack probability can be predicted by the processed dataset by using the LSTM network. At the same time, the DT algorithm is applied to identify attack types. Finally, we draw the corresponding curve according to the network security situation value at each time. Experiments show that the accuracy of the network situation awareness method proposed in this paper can reach 95%, and the accuracy of attack recognition can reach 87%. Compared with the former research results, the effect is better in describing complex network environment problems.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Qiumei Cheng,Yi Shen,Dezhang Kong,Chunming Wu

DOI: https://doi.org/10.48550/arXiv.2105.14932

2021-05-31

Abstract:Network security events prediction helps network operators to take response strategies from a proactive perspective, and reduce the cost caused by network attacks, which is of great significance for maintaining the security of the entire network. Most of the existing event prediction methods rely on temporal characteristics and are dedicated to exploring time series predictions, but ignoring the spatial relationship between hosts. This paper combines the temporal and spatial characteristics of security events and proposes a spatial-temporal event prediction model, named STEP. In particular, STEP formulates the security events prediction into a spatial-temporal sequence prediction. STEP utilizes graph convolution operation to capture the spatial characteristics of hosts in the network, and adopts the long short term memory (LSTM) to capture the dynamic temporal dependency of events. This paper verifies the proposed STEP scheme on two public data sets. The experimental results show that the prediction accuracy of security events under STEP is higher than that of benchmark models such as LSTM, ConvLSTM. Besides, STEP achieves high prediction accuracy when we predict events from different lengths of sequence.

Cryptography and Security

Jun Zhao,Xudong Liu,Qiben Yan,Bo Li,Minglai Shao,Hao Peng,Lichao Sun

DOI: https://doi.org/10.1016/j.cose.2020.102152

2021-03-01

Abstract:<p>Predicting cyber attack preference of intruders is essential for security organizations to demystify attack intents and proactively handle oncoming cyber threats. In order to automatically analyze attack preferences of intruders, this paper proposes a novel framework, namely HinAp, to predict cyber attack preference using attributed heterogeneous attention network and transductive learning. Particularly, we first build an attributed heterogeneous information network (AHIN) of attack events to model attackers, vulnerabilities, exploited scripts, compromised devices, invaded platforms, and 20 types of meta-paths describing interdependent relationships among them, in which attribute information of vulnerabilities and exploited scripts are embedded. Then, we propose the attack preference prediction model based on attention mechanism and transductive learning, respectively. Finally, an automated model for predicting cyber attack preferences is constructed by stacking these two basic prediction models, which capable of integrating more comprehensive and complex semantic information from meta-paths and meta-graphs to characterize attack preference of intruders. Experimental results based on real-world data prove that HinAp outperforms the state-of-the-art methods in predicting cyber attack preferences of intruders.</p>

computer science, information systems

Congqi Shen,Geyang Xiao,Shaofeng Yao,Boyang Zhou,Zhongxia Pan,Hong Zhang

DOI: https://doi.org/10.1109/spac53836.2021.9539933

2021-01-01

Abstract:Current Industrial Internet faces serious threats where attackers propagate malicious flows, resulting in communication failures in the Industrial Internet. In this work, we propose a practical and novel method to detect malicious traffic attack in real time with high accuracy. Our primary idea is to capture network flow, extract adequate network flow features, construct a long short-term memory (LSTM) based deep learning model, and identify the property of the corresponding network flow. Whether the network suffers attack or not is then determined according to the detection results. The corresponding prototype is also implemented in the Industrial Internet which is equipped with Software Defined Networking (SDN). Experimental results validate that the proposed method is effective in defending against malicious traffic attack in real-world network.

Tiantian Zhu,Jie Ying,Tieming Chen,Chunlin Xiong,Wenrui Cheng,Qixuan Yuan,Aohan Zheng,Mingqi Lv,Yan Chen

2024-05-05

Abstract:Advanced Persistent Threat (APT) attacks have caused significant damage worldwide. Various Endpoint Detection and Response (EDR) systems are deployed by enterprises to fight against potential threats. However, EDR suffers from high false positives. In order not to affect normal operations, analysts need to investigate and filter detection results before taking countermeasures, in which heavy manual labor and alarm fatigue cause analysts miss optimal response time, thereby leading to information leakage and destruction. Therefore, we propose Endpoint Forecasting and Interpreting (EFI), a real-time attack forecast and interpretation system, which can automatically predict next move during post-exploitation and explain it in technique-level, then dispatch strategies to EDR for advance reinforcement. First, we use Cyber Threat Intelligence (CTI) reports to extract the attack scene graph (ASG) that can be mapped to low-level system logs to strengthen attack samples. Second, we build a serialized graph forecast model, which is combined with the attack provenance graph (APG) provided by EDR to generate an attack forecast graph (AFG) to predict the next move. Finally, we utilize the attack template graph (ATG) and graph alignment plus algorithm for technique-level interpretation to automatically dispatch strategies for EDR to reinforce system in advance. EFI can avoid the impact of existing EDR false positives, and can reduce the attack surface of system without affecting the normal operations. We collect a total of 3,484 CTI reports, generate 1,429 ASGs, label 8,000 sentences, tag 10,451 entities, and construct 256 ATGs. Experimental results on both DARPA Engagement and large scale CTI dataset show that the alignment score between the AFG predicted by EFI and the real attack graph is able to exceed 0.8, the forecast and interpretation precision of EFI can reach 91.8%.

Cryptography and Security

Ruozhou LIANG,Yue GAO,Xibin ZHAO

DOI: https://doi.org/10.1360/ssi-2021-0252

2021-01-01

Scientia Sinica Informationis

Abstract:Advanced persistent threat (APT) in real scenes, especially in industrial scenes, is complex and long term, but the current methods cannot effectively extract the long term relationship in the attack. An attack detection method with provenance graphs, called SeqNet, is proposed. SeqNet uses sequence feature extraction to detect APT attacks. In SeqNet, the provenance graph sequence describing the running state of the system is transformed into the feature sequence first, and then the gate recurrent unit (GRU) model is used to extract the feature of the system. The encoder-decoder model with the local attention mechanism is used to train the GRU model. Finally, the K-means clustering method is used to model the normal behavior of the system. In this study, experiments are carried out on five public datasets, such as StreamSpot, wget, shellshock, ClearScope, and CADETS, compared with the state-of-the-art methods. The method used here achieves similar or improved results on all five datasets. Experimental results show that the proposed method can detect real-life APT scenarios.

Yen-Hung Chen,Yuan-Cheng Lai,Pi-Tzong Jan,Ting-Yi Tsai

DOI: https://doi.org/10.3390/s21041027

2021-02-03

Abstract:(1) Background: Link flooding attacks (LFA) are a spatiotemporal attack pattern of distributed denial-of-service (DDoS) that arranges bots to send low-speed traffic to backbone links and paralyze servers in the target area. (2) Problem: The traditional methods to defend against LFA are heuristic and cannot reflect the changing characteristics of LFA over time; the AI-based methods only detect the presence of LFA without considering the spatiotemporal series attack pattern and defense suggestion. (3) Methods: This study designs a deep ensemble learning model (Stacking-based integrated Convolutional neural network-Long short term memory model, SCL) to defend against LFA: (a) combining continuous network status as an input to represent "continuous/combination attacking action" and to help CNN operation to extract features of spatiotemporal attack pattern; (b) applying LSTM to periodically review the current evolved LFA patterns and drop the obsolete ones to ensure decision accuracy and confidence; (c) stacking System Detector and LFA Mitigator module instead of only one module to couple with LFA detection and mediation at the same time. (4) Results: The simulation results show that the accuracy rate of SCL successfully blocking LFA is 92.95%, which is 60.81% higher than the traditional method. (5) Outcomes: This study demonstrates the potential and suggested development trait of deep ensemble learning on network security.

Sidahmed Benabderrahmane,Ngoc Hoang,Petko Valtchev,James Cheney,Talal Rahwan

2024-06-27

Abstract:Advanced Persistent Threats (APTs) are sophisticated, targeted cyberattacks designed to gain unauthorized access to systems and remain undetected for extended periods. To evade detection, APT cyberattacks deceive defense layers with breaches and exploits, thereby complicating exposure by traditional anomaly detection-based security methods. The challenge of detecting APTs with machine learning is compounded by the rarity of relevant datasets and the significant imbalance in the data, which makes the detection process highly burdensome. We present AE-APT, a deep learning-based tool for APT detection that features a family of AutoEncoder methods ranging from a basic one to a Transformer-based one. We evaluated our tool on a suite of provenance trace databases produced by the DARPA Transparent Computing program, where APT-like attacks constitute as little as 0.004% of the data. The datasets span multiple operating systems, including Android, Linux, BSD, and Windows, and cover two attack scenarios. The outcomes showed that AE-APT has significantly higher detection rates compared to its competitors, indicating superior performance in detecting and ranking anomalies.

Cryptography and Security,Artificial Intelligence

Abdulellah Alsaheel,Yuhong Nan,Shiqing Ma,Le Yu,Gregory Walkup,Z. Berkay Celik,Xiangyu Zhang,Dongyan Xu

2021-01-01

Abstract:Advanced Persistent Threats (APT) involve multiple attack steps over a long period, and their investigation requires analysis of myriad logs to identify their attack steps, which are a set of activities undertaken to run an APT attack. However, on a daily basis in an enterprise, intrusion detection systems generate many threat alerts of suspicious events (attack symptoms). Cyber analysts must investigate such events to determine whether an event is a part of an attack. With many alerts to investigate, cyber analysts often end up with alert fatigue, causing them to ignore a large number of alerts and miss true attack events. In this paper, we present ATLAS, a framework that constructs an end-to-end attack story from off-the-shelf audit logs. Our key observation is that different attacks may share similar abstract attack strategies, regardless of the vulnerabilities exploited and payloads executed. ATLAS leverages a novel combination of causality analysis, natural language processing, and machine learning techniques to build a sequence-based model, which establishes key patterns of attack and non-attack behaviors from a causal graph. At inference time, given a threat alert event, an attack symptom node in a causal graph is identified. ATLAS then constructs a set of candidate sequences associated with the symptom node, uses the sequence-based model to identify nodes in a sequence that contribute to the attack, and unifies the identified attack nodes to construct an attack story. We evaluated ATLAS with ten real-world APT attacks executed in a realistic virtual environment. ATLAS recovers attack steps and construct attack stories with an average of 91.06% precision, 97.29% recall, and 93.76% F1-score. Through this effort, we provide security investigators with a new means of identifying the attack events that make up the attack story.

Yaru Liu,Lijuan Xu,Shumian Yang,Dawei Zhao,Xin Li

DOI: https://doi.org/10.1016/j.cose.2024.103750

IF: 5.105

2024-02-11

Computers & Security

Abstract:The challenge faced by industrial control systems is that they are vulnerable to adversarial sample attacks. In the ICS field, the challenge with adversarial sample attacks is that the adversarial samples generated by the attack do not conform to protocol specifications. The challenge of adversarial sample defense is that it is difficult to design a defense model without information about the adversarial samples. To tackle these challenges, we propose an adversarial sample attack and defense method based on Long Short-Term Memory Networks based Encoder-Decoder (LSTM-ED). The objectives are to address challenges of adversarial samples not conforming to protocol specifications and physical meaning, inefficient generation of adversarial samples, and the difficulty of designing a defense model without information about adversarial samples. Our adversarial sample attack efficiently generates samples conforming to protocol specifications and physical meaning by adding perturbation values to sensors and actuators, while complying with feature constraints. Subsequently, we introduce an LSTM-ED Feature Weight defense method (LSTM-FWED) designed without explicit adversarial sample information. In LSTM-FWED, we normalize reconstruction errors across different features to prevent anomaly scores from being influenced by poorly predicted features, thereby ensuring robust defense results. We validate the effectiveness of our approach on a real-world critical infrastructure testbed. The proposed adversarial sample attack reduces the precision of the LSTM-ED model by an average of 66.26%, with a maximum adversarial sample generation time of 18 seconds, significantly improving attack efficiency. Furthermore, in comprehensive experiments, LSTM-FWED demonstrates an average AUC improvement of 21.83% compared to state-of-the-art anomaly detection baseline methods.

computer science, information systems

Philipp Gysel,Candid Wüest,Kenneth Nwafor,Otakar Jašek,Andrey Ustyuzhanin,Dinil Mon Divakaran

2024-09-02

Abstract:Securing endpoints is challenging due to the evolving nature of threats and attacks. With endpoint logging systems becoming mature, provenance-graph representations enable the creation of sophisticated behavior rules. However, adapting to the pace of emerging attacks is not scalable with rules. This led to the development of ML models capable of learning from endpoint logs. However, there are still open challenges: i) malicious patterns of malware are spread across long sequences of events, and ii) ML classification results are not interpretable. To address these issues, we develop and present EagleEye, a novel system that i) uses rich features from provenance graphs for behavior event representation, including command-line embeddings, ii) extracts long sequences of events and learns event embeddings, and iii) trains a lightweight Transformer model to classify behavior sequences as malicious or not. We evaluate and compare EagleEye against state-of-the-art baselines on two datasets, namely a new real-world dataset from a corporate environment, and the public DARPA dataset. On the DARPA dataset, at a false-positive rate of 1%, EagleEye detects $\approx$89% of all malicious behavior, outperforming two state-of-the-art solutions by an absolute margin of 38.5%. Furthermore, we show that the Transformer's attention mechanism can be leveraged to highlight the most suspicious events in a long sequence, thereby providing interpretation of malware alerts.

Cryptography and Security

Pankaj Sharma,Jay Shankar Prasad,Shaheen,Shaik Khaleel Ahamed

DOI: https://doi.org/10.1007/s11042-024-18169-0

IF: 2.577

2024-01-26

Multimedia Tools and Applications

Abstract:Digital applications are ruling today's world with their advancement. However, offering security for that digital application is an important and complex task. Several detection-based security models have existed in the Artificial Intelligence (AI) vision. Still, the problem in threat detection has not ended because of the unique behavior of the different attacks. So, the present research has introduced a novel Cuttlefish-based Peephole Long Short Term Memory (CbP-LSTM) model proposed for predicting the cyber threat from the data defends against attacks. Initially, data were preprocessed by removing noise from the data using the noise filtering function. Then, the refined data is imported to the classification layer of the CbP-LSTM for performing the feature extraction and attack prediction tasks. Moreover, the proposed CbP-LSTM model was implemented in the Python tool with several performance metrics, whereas the parameters were calculated, such as accuracy, precision, Recall, and F-score. This proposed model produced outstanding results compared with the previous work by providing the highest predicted accuracy of cyber threats.

computer science, information systems, theory & methods,engineering, electrical & electronic, software engineering

Jie Ying,Tiantian Zhu,Wenrui Cheng,Qixuan Yuan,Mingjun Ma,Chunlin Xiong,Tieming Chen,Mingqi Lv,Yan Chen

2024-05-04

Abstract:As the complexity and destructiveness of Advanced Persistent Threat (APT) increase, there is a growing tendency to identify a series of actions undertaken to achieve the attacker's target, called attack investigation. Currently, analysts construct the provenance graph to perform causality analysis on Point-Of-Interest (POI) event for capturing critical events (related to the attack). However, due to the vast size of the provenance graph and the rarity of critical events, existing attack investigation methods suffer from problems of high false positives, high overhead, and high latency. To this end, we propose SPARSE, an efficient and real-time system for constructing critical component graphs (i.e., consisting of critical events) from streaming logs. Our key observation is 1) Critical events exist in a suspicious semantic graph (SSG) composed of interaction flows between suspicious entities, and 2) Information flows that accomplish attacker's goal exist in the form of paths. Therefore, SPARSE uses a two-stage framework to implement attack investigation (i.e., constructing the SSG and performing path-level contextual analysis). First, SPARSE operates in a state-based mode where events are consumed as streams, allowing easy access to the SSG related to the POI event through semantic transfer rule and storage strategy. Then, SPARSE identifies all suspicious flow paths (SFPs) related to the POI event from the SSG, quantifies the influence of each path to filter irrelevant events. Our evaluation on a real large-scale attack dataset shows that SPARSE can generate a critical component graph (~ 113 edges) in 1.6 seconds, which is 2014 X smaller than the backtracking graph (~ 227,589 edges). SPARSE is 25 X more effective than other state-of-the-art techniques in filtering irrelevant edges.

Cryptography and Security

Weiyong Yang,Peng Gao,Hao Huang,Xingshen Wei,Haotian Zhang,Zhihao Qu

DOI: https://doi.org/10.1109/globecom48099.2022.10001486

2022-01-01

Abstract:Advanced persistent threat (APT) attacks have caused severe damage to many core information infrastructures. To tackle this issue, the graph-based methods have been proposed due to their ability for learning complex interaction patterns of network entities with discrete graph snapshots. However, such methods are challenged by the computer networking model characterized by a natural continuous-time dynamic heterogeneous graph. In this paper, we propose a heterogeneous graph neural network based APT detection method in smart grid clouds. Our model is an encoder-decoder structure. The encoder uses heterogeneous temporal memory and attention embedding modules to capture contextual information of interactions of network entities from the time and spatial dimensions respectively. We implement a prototype and conduct extensive experiments on real-world cyber-security datasets with more than 10 million records. Experimental results show that our method can achieve superior detection performance than state-of-the-art methods.

Di Zhao,Jiqiang Liu,Jialin Wang,Wenjia Niu,Endong Tong,Tong Chen,Gang Li

DOI: https://doi.org/10.48550/arXiv.1905.03454

2019-05-09

Abstract:"Feint Attack", as a new type of APT attack, has become the focus of attention. It adopts a multi-stage attacks mode which can be concluded as a combination of virtual attacks and real attacks. Under the cover of virtual attacks, real attacks can achieve the real purpose of the attacker, as a result, it often caused huge losses inadvertently. However, to our knowledge, all previous works use common methods such as Causal-Correlation or Cased-based to detect outdated multi-stage attacks. Few attentions have been paid to detect the "Feint Attack", because the difficulty of detection lies in the diversification of the concept of "Feint Attack" and the lack of professional datasets, many detection methods ignore the semantic relationship in the attack. Aiming at the existing challenge, this paper explores a new method to solve the problem. In the attack scenario, the fuzzy clustering method based on attribute similarity is used to mine multi-stage attack chains. Then we use a few-shot deep learning algorithm (SMOTE&CNN-SVM) and bidirectional Recurrent Neural Network model (Bi-RNN) to obtain the "Feint Attack" chains. "Feint Attack" is simulated by the real attack inserted in the normal causal attack chain, and the addition of the real attack destroys the causal relationship of the original attack chain. So we used Bi-RNN coding to obtain the hidden feature of "Feint Attack" chain. In the end, our method achieved the goal to detect the "Feint Attack" accurately by using the LLDoS1.0 and LLDoS2.0 of DARPA2000 and CICIDS2017 of Canadian Institute for Cybersecurity.

Cryptography and Security,Machine Learning

Shirong Shen,Zhen Li,Guilin Qi

DOI: https://doi.org/10.48550/arXiv.2112.03073

2023-03-18

Abstract:Event extraction (EE) plays an important role in many industrial application scenarios, and high-quality EE methods require a large amount of manual annotation data to train supervised learning models. However, the cost of obtaining annotation data is very high, especially for annotation of domain events, which requires the participation of experts from corresponding domain. So we introduce active learning (AL) technology to reduce the cost of event annotation. But the existing AL methods have two main problems, which make them not well used for event extraction. Firstly, the existing pool-based selection strategies have limitations in terms of computational cost and sample validity. Secondly, the existing evaluation of sample importance lacks the use of local sample information. In this paper, we present a novel deep AL method for EE. We propose a batch-based selection strategy and a Memory-Based Loss Prediction model (MBLP) to select unlabeled samples efficiently. During the selection process, we use an internal-external sample loss ranking method to evaluate the sample importance by using local information. Finally, we propose a delayed training strategy to train the MBLP model. Extensive experiments are performed on three domain datasets, and our method outperforms other state-of-the-art methods.

Computation and Language,Artificial Intelligence

Vanlalruata Hnamte,Hong Nhung-Nguyen,Jamal Hussain,Yong Hwa-Kim

DOI: https://doi.org/10.1109/access.2023.3266979

IF: 3.9

2023-01-01

IEEE Access

Abstract:Machine learning and deep learning techniques are widely used to evaluate intrusion detection systems (IDS) capable of rapidly and automatically recognizing and classifying cyber-attacks on networks and hosts. However, when destructive attacks are becoming more extensive, more challenges develop, needing a comprehensive response. Numerous intrusion detection datasets are publicly accessible for further analysis by the cybersecurity research community. However, no previous research has examined the performance of the proposed model on a variety of publicly accessible datasets in detail. Due to the dynamic nature of the attack and its rapidly changing attack techniques, the publicly accessible intrusion datasets must be updated and benchmarked regularly. The deep neural network (DNN) and convolutional neural network (CNN) are examined in this article as types of deep learning models for developing a flexible and effective IDS capable of detecting and comparing them with the proposed model in detecting cyber-attacks. The constant development of network behavior and the fast growth of attacks need the development of IDS and the evaluation of many datasets produced over time through static and dynamic methods. This kind of research enables the identification of the most efficient algorithm for identifying future cyber-attacks. We proposed a novel two-stage deep learning technique hybridizing Long-Short Term Memory (LSTM) and Auto-Encoders (AE) for detecting attacks. The CICIDS2017 and CSE-CICDIS2018 datasets are used to determine the optimum network parameters for the proposed LSTM-AE. The experimental results show that the proposed hybrid model works well and is applicable for detecting attacks in modern scenarios.

computer science, information systems,telecommunications,engineering, electrical & electronic

Sefi Akerman,Edan Habler,Asaf Shabtai

DOI: https://doi.org/10.48550/arXiv.1906.07921

2019-06-19

Cryptography and Security

Abstract:The purpose of the automatic dependent surveillance broadcast (ADS-B) technology is to serve as a replacement for the current radar-based, air traffic control systems. Despite the considerable time and resources devoted to designing and developing the system, the ADS-B is well known for its lack of security mechanisms. Attempts to address these security vulnerabilities have been made in previous studies by modifying the protocol's current architecture or by using additional hardware components. These solutions, however, are considered impractical because of 1) the complex regulatory process involving avionic systems, 2) the high costs of using hardware components, and 3) the fact that the ADS-B system itself is already deployed in most aircraft and ground stations around the world. In this paper, we propose VizADS-B, an alternative software-based security solution for detecting anomalous ADS-B messages, which does not require any alteration of the current ADS-B architecture or the addition of sensors. According to the proposed method, the information obtained from all aircraft within a specific geographical area is aggregated and represented as a stream of images. Then, a convolutional LSTM encoder-decoder model is used for analyzing and detecting anomalies in the sequences of images. In addition, we propose an explainability technique, designed specifically for convolutional LSTM encoder-decoder models, which is used for providing operative information to the pilot as a visual indicator of a detected anomaly, thus allowing the pilot to make relevant decisions. We evaluated our proposed method on five datasets by injecting and subsequently identifying five different attacks. Our experiments demonstrate that most of the attacks can be detected based on spatio-temporal anomaly detection approach.