Heng Zhang,Yinchu Wang,Yawen Xue,Ruilong Deng,Hongran Li,Jian Zhang

DOI: https://doi.org/10.23919/ccc63176.2024.10662787

2024-01-01

Abstract:Industrial network control systems (INCSs) are easy to be targeted by attackers due to their high economic value. Most of the existing defense methods are deployed at the network boundary, which causes high-security risks to INCS once an attacker enters the system. In addition, many existing intrusion detection systems (IDSs) build detection models based on historical data. When INCS lacks sufficient historical data, it is difficult to build detection models with high accuracy. In this paper, we propose a trust assessment model for INCS based on Fourier series fitting employing concept of zero trust to assess the real-time trust of INCS. The model alerts when INCS has low trust. We test two data injection attacks in the experiment to prove the effectiveness of our approach.

S. Garg,Govind P. Gupta,Rakesh Tripathi,Mohammad Mehedi Hassan,Prabhat Kumar

DOI: https://doi.org/10.1109/TITS.2021.3122368

2023-02-01

Abstract:The recent burgeoning of Internet of Things (IoT) technologies in the maritime industry is successfully digitalizing Maritime Transportation Systems (MTS). In IoT-enabled MTS, the smart maritime objects, infrastructure associated with ship or port communicate wirelessly using an open channel Internet. The intercommunication and incorporation of heterogeneous technologies in IoT-enabled MTS brings opportunities not only for the industries that embrace it, but also for cyber-criminals. Cyber Threat Intelligence (CTI) is an effective security strategy that uses artificial intelligence models to understand cyber-attacks and can protect data of IoT-enabled MTS proficiently. Unsurprisingly, most of the existing CTI-based solutions uses manual analysis to extract relevant threat information, and has low detection and high false alarm rate. Therefore, to tackle aforementioned challenges, an automated framework called DLTIF is developed for modeling cyber threat intelligence and identifying threat types. The proposed DLTIF is based on three schemes: a deep feature extractor (DFE), CTI-driven detection (CTIDD) and CTI-attack type identification (CTIATI). The DFE scheme automatically extracts the hidden patterns of IoT-enabled MTS network and its output is used by CTIDD scheme for threat detection. The CTIATI scheme is designed to identify the exact threat types and to assist security analysts in giving early warning and adopt defensive strategies. The proposed framework has obtained upto 99% accuracy, and outperforms some traditional and recent state-of-the-art approaches.

Computer Science,Engineering,Environmental Science

Vegard Berge,Chunlei Li

2024-10-26

Abstract:Traditional intrusion detection systems (IDSs) often rely on either network traffic or process data, but this single-source approach may miss complex attack patterns that span multiple layers within industrial control systems (ICSs) or persistent threats that target different layers of operational technology systems. This study investigates whether combining both network and process data can improve attack detection in ICSs environments. Leveraging the SWaT dataset, we evaluate various machine learning models on individual and combined data sources. Our findings suggest that integrating network traffic with operational process data can enhance detection capabilities, evidenced by improved recall rates for cyber attack classification. Serving as a proof-of-concept within a limited testing environment, this research explores the feasibility of advancing intrusion detection through a multi-source data approach in ICSs. Although the results are promising, they are preliminary and highlight the need for further studies across diverse datasets and refined methodologies.

Cryptography and Security

Andrea Pinto,Luis-Carlos Herrera,Yezid Donoso,Jairo A Gutierrez

DOI: https://doi.org/10.3390/s23052415

2023-02-22

Abstract:Industrial control systems (ICSs), supervisory control and data acquisition (SCADA) systems, and distributed control systems (DCSs) are fundamental components of critical infrastructure (CI). CI supports the operation of transportation and health systems, electric and thermal plants, and water treatment facilities, among others. These infrastructures are not insulated anymore, and their connection to fourth industrial revolution technologies has expanded the attack surface. Thus, their protection has become a priority for national security. Cyber-attacks have become more sophisticated and criminals are able to surpass conventional security systems; therefore, attack detection has become a challenging area. Defensive technologies such as intrusion detection systems (IDSs) are a fundamental part of security systems to protect CI. IDSs have incorporated machine learning (ML) techniques that can deal with broader kinds of threats. Nevertheless, the detection of zero-day attacks and having technological resources to implement purposed solutions in the real world are concerns for CI operators. This survey aims to provide a compilation of the state of the art of IDSs that have used ML algorithms to protect CI. It also analyzes the security dataset used to train ML models. Finally, it presents some of the most relevant pieces of research on these topics that have been developed in the last five years.

A. Termanini,D. Al-Abri,H. Bourdoucen,A. Al Maashri

DOI: https://doi.org/10.1007/s10207-024-00916-x

2024-11-10

International Journal of Information Security

Abstract:Industrial control systems (ICS) are vital parts of the physical infrastructure for many industrial assets, such as oil and gas fields, water stations, and power generation plants. Inadequate protection of such critical assets may lead to disruption of vital services and substantial monetary losses. Therefore, the safety of these assets is prioritized as national security. Operational technology networks have a unique nature and different requirements than conventional enterprise networks as they seek tailored security solutions to detect and prevent cyberattacks on such attractive targets. Motivated by a necessary need from industry and academia, this paper aims to present a broad survey of the research works related to developing Intrusion Detection Systems in ICS networks focusing on using recent machine learning techniques. A proposed review methodology is presented and applied to the relevant selected literature. The paper offers a comparative analysis to provide better insights into this domain, where it identifies several unresolved challenges that present intriguing research prospects for the industry and academic community.

computer science, information systems, theory & methods, software engineering

Abdulrahman Al-Abassi,Hadis Karimipour,Ali Dehghantanha,Reza M. Parizi

DOI: https://doi.org/10.48550/arXiv.2005.00936

IF: 4.729

2020-05-02

Signal Processing

Abstract:The integration of communication networks and the Internet of Things (IoT) in Industrial Control Systems (ICSs) increases their vulnerability towards cyber-attacks, causing devastating outcomes. Traditional Intrusion Detection Systems (IDSs), which are mainly developed to support Information Technology (IT) systems, count vastly on predefined models and are trained mostly on specific cyber-attacks. Besides, most IDSs do not consider the imbalanced nature of ICS datasets, thereby suffering from low accuracy and high false positive on real datasets. In this paper, we propose a deep representation learning model to construct new balanced representations of the imbalanced dataset. The new representations are fed into an ensemble deep learning attack detection model specifically designed for an ICS environment. The proposed attack detection model leverages Deep Neural Network (DNN) and Decision Tree (DT) classifiers to detect cyber-attacks from the new representations. The performance of the proposed model is evaluated based on 10-fold cross-validation on two real ICS datasets. The results show that the proposed method outperforms conventional classifiers, including Random Forest (RF), DNN, and AdaBoost, as well as recent existing models in the literature. The proposed approach is a generalized technique, which can be implemented in existing ICS infrastructures with minimum changes.

Taejun Choi,Guangdong Bai,Ryan K L Ko,Naipeng Dong,Wenlu Zhang,Shunyao Wang

DOI: https://doi.org/10.48550/arXiv.2101.11866

2021-01-28

Abstract:Industrial control systems (ICS) of critical infrastructure are increasingly connected to the Internet for remote site management at scale. However, cyber attacks against ICS - especially at the communication channels between humanmachine interface (HMIs) and programmable logic controllers (PLCs) - are increasing at a rate which outstrips the rate of mitigation. In this paper, we introduce a vendor-agnostic analytics framework which allows security researchers to analyse attacks against ICS systems, even if the researchers have zero control automation domain knowledge or are faced with a myriad of heterogenous ICS systems. Unlike existing works that require expertise in domain knowledge and specialised tool usage, our analytics framework does not require prior knowledge about ICS communication protocols, PLCs, and expertise of any network penetration testing tool. Using `digital twin' scenarios comprising industry-representative HMIs, PLCs and firewalls in our test lab, our framework's steps were demonstrated to successfully implement a stealthy deception attack based on false data injection attacks (FDIA). Furthermore, our framework also demonstrated the relative ease of attack dataset collection, and the ability to leverage well-known penetration testing tools. We also introduce the concept of `heuristic inference attacks', a new family of attack types on ICS which is agnostic to PLC and HMI brands/models commonly deployed in ICS. Our experiments were also validated on a separate ICS dataset collected from a cyber-physical scenario of water utilities. Finally, we utilized time complexity theory to estimate the difficulty for the attacker to conduct the proposed packet analyses, and recommended countermeasures based on our findings.

Cryptography and Security

Zahra Jadidi,Yi Lu

DOI: https://doi.org/10.1109/access.2021.3133260

IF: 3.9

2021-01-01

IEEE Access

Abstract:An Industrial Control System (ICS) adversary often takes different actions to exploit vulnerabilities, pass the border between Information Technology (IT) and Operational Technology (OT) networks, and launch a targeted attack against OT networks. Detecting these threat actions in early phases before the final stage of the attacks can be executed against industrial endpoints can help prevent adversaries from achieving their goals. Threat hunting in IT networks has been previously studied, and several hunting methods have been proposed. However, these methods are not sufficient for ICSs, as the integration of industrial legacy systems with advanced IT networks has introduced new types of vulnerabilities and changed the behaviour of attacks. The lack of a unified hunting solution for integrated IT and OT networks is the gap that is considered in our paper. The contribution of this paper is an ICS Threat Hunting Framework (ICS-THF) which focuses on detecting cyber threats against ICS devices in the earliest phases of the attack lifecycle. ICS-THF consists of three stages, threat hunting triggers, threat hunting, and cyber threat intelligence. The threat hunting trigger stage identifies events or external resources that can trigger the hunting stage. The hunting stage uses a combination of the MITRE ATT&CK Matrix and a Diamond model of intrusion analysis to generate a hunting hypothesis and to predict the future behaviour of the adversary. This hypothesis will be validated by analysing Diamond models of threat actions. Finally, the cyber threat intelligence stage is responsible for generating Indicators of Compromise (IoCs) to be used for future threat hunting. The Black Energy 3 malware, PLC-Blaster malware, and SWaT dataset are used in this paper to evaluate the efficiency of the proposed framework.

Cheng Feng,Tingting Li,Zhanxing Zhu,Deeph Chana

DOI: https://doi.org/10.48550/arXiv.1709.06397

2017-09-19

Cryptography and Security

Abstract:Industrial control systems (ICS), which in many cases are components of critical national infrastructure, are increasingly being connected to other networks and the wider internet motivated by factors such as enhanced operational functionality and improved efficiency. However, set in this context, it is easy to see that the cyber attack surface of these systems is expanding, making it more important than ever that innovative solutions for securing ICS be developed and that the limitations of these solutions are well understood. The development of anomaly based intrusion detection techniques has provided capability for protecting ICS from the serious physical damage that cyber breaches are capable of delivering to them by monitoring sensor and control signals for abnormal activity. Recently, the use of so-called stealthy attacks has been demonstrated where the injection of false sensor measurements can be used to mimic normal control system signals, thereby defeating anomaly detectors whilst still delivering attack objectives. In this paper we define a deep learning-based framework which allows an attacker to conduct stealthy attacks with minimal a-priori knowledge of the target ICS. Specifically, we show that by intercepting the sensor and/or control signals in an ICS for a period of time, a malicious program is able to automatically learn to generate high-quality stealthy attacks which can achieve specific attack goals whilst bypassing a black box anomaly detector. Furthermore, we demonstrate the effectiveness of our framework for conducting stealthy attacks using two real-world ICS case studies. We contend that our results motivate greater attention on this area by the security community as we demonstrate that currently assumed barriers for the successful execution of such attacks are relaxed.

Colman McGuan,Chansu Yu,Qin Lin

DOI: https://doi.org/10.48550/arXiv.2308.16769

2023-08-31

Cryptography and Security

Abstract:The protection of Industrial Control Systems (ICS) that are employed in public critical infrastructures is of utmost importance due to catastrophic physical damages cyberattacks may cause. The research community requires testbeds for validation and comparing various intrusion detection algorithms to protect ICS. However, there exist high barriers to entry for research and education in the ICS cybersecurity domain due to expensive hardware, software, and inherent dangers of manipulating real-world systems. To close the gap, built upon recently developed 3D high-fidelity simulators, we further showcase our integrated framework to automatically launch cyberattacks, collect data, train machine learning models, and evaluate for practical chemical and manufacturing processes. On our testbed, we validate our proposed intrusion detection model called Minimal Threshold and Window SVM (MinTWin SVM) that utilizes unsupervised machine learning via a one-class SVM in combination with a sliding window and classification threshold. Results show that MinTWin SVM minimizes false positives and is responsive to physical process anomalies. Furthermore, we incorporate our framework with ICS cybersecurity education by using our dataset in an undergraduate machine learning course where students gain hands-on experience in practicing machine learning theory with a practical ICS dataset. All of our implementations have been open-sourced.

Bruno Paes Leao,Jagannadh Vempati,Siddharth Bhela,Tobias Ahlgrim,Daniel Arnold

2024-05-31

Abstract:Modern industrial systems face a growing threat from sophisticated cyberattacks that can cause significant operational disruptions. This work presents a novel methodology for identification of the most critical cyberattacks that may disrupt the operation of such a system. Application of the proposed framework can enable the design and development of advanced cybersecurity solutions for a wide range of industrial applications. Attacks are assessed taking into direct consideration how they impact the system operation as measured by a defined Key Performance Indicator (KPI). A simulation model (SM), of the industrial process is employed for calculation of the KPI based on operating conditions. Such SM is augmented with a layer of information describing the communication network topology, connected devices, and potential actions an adversary can take based on each device or network link. Each possible action is associated with an abstract measure of effort, which is interpreted as a cost. It is assumed that the adversary has a corresponding budget that constrains the selection of the sequence of actions defining the progression of the attack. A dynamical system comprising a set of states associated with the cyberattack (cyber-states) and transition logic for updating their values is also proposed. The resulting augmented simulation model (ASM) is then employed in an artificial intelligence-based sequential decision-making optimization to yield the most critical cyberattack scenarios as measured by their impact on the defined KPI. The methodology is successfully tested based on an electrical power distribution system use case.

Systems and Control

Kumar, Prabhat,Islam, A. K. M. Najmul

DOI: https://doi.org/10.1007/s12559-024-10309-w

IF: 4.89

2024-06-11

Cognitive Computation

Abstract:Industrial Cyber-Physical Systems (ICPSs) are becoming more and more networked and essential to modern infrastructure. This has led to an increase in the complexity of their dynamics and the challenges of protecting them from advanced cyber threats have escalated. Conventional intrusion detection systems (IDS) often struggle to interpret high-dimensional, sequential data efficiently and extract meaningful features. They are characterized by low accuracy and a high rate of false positives. In this article, we adopt the computational design science approach to design an IDS for ICPS, driven by Generative AI and cognitive computing. Initially, we designed a Long Short-Term Memory-based Sparse Variational Autoencoder (LSTM-SVAE) technique to extract relevant features from complex data patterns efficiently. Following this, a Bidirectional Recurrent Neural Network with Hierarchical Attention (BiRNN-HAID) is constructed. This stage focuses on proficiently identifying potential intrusions by processing data with enhanced focus and memory capabilities. Next, a Cognitive Enhancement for Contextual Intrusion Awareness (CE-CIA) is designed to refine the initial predictions by applying cognitive principles. This enhances the system's reliability by effectively balancing sensitivity and specificity, thereby reducing false positives. The final stage, Interpretive Assurance through Activation Insights in Detection Models (IAA-IDM), involves the visualizations of mean activations of LSTM and GRU layers for providing in-depth insights into the decision-making process for cybersecurity analysts. Our framework undergoes rigorous testing on two publicly accessible industrial datasets, ToN-IoT and Edge-IIoTset, demonstrating its superiority over both baseline methods and recent state-of-the-art approaches.

computer science, artificial intelligence,neurosciences

Gauthama Raman M. R.,Chuadhry Mujeeb Ahmed,Aditya Mathur

DOI: https://doi.org/10.1186/s42400-021-00095-5

2021-08-02

Abstract:Abstract Gradual increase in the number of successful attacks against Industrial Control Systems (ICS) has led to an urgent need to create defense mechanisms for accurate and timely detection of the resulting process anomalies. Towards this end, a class of anomaly detectors, created using data-centric approaches, are gaining attention. Using machine learning algorithms such approaches can automatically learn the process dynamics and control strategies deployed in an ICS. The use of these approaches leads to relatively easier and faster creation of anomaly detectors compared to the use of design-centric approaches that are based on plant physics and design. Despite the advantages, there exist significant challenges and implementation issues in the creation and deployment of detectors generated using machine learning for city-scale plants. In this work, we enumerate and discuss such challenges. Also presented is a series of lessons learned in our attempt to meet these challenges in an operational plant.

computer science, information systems, interdisciplinary applications, software engineering

Hani Alshahrani,Attiya Khan,Muhammad Rizwan,Mana Saleh Al Reshan,Adel Sulaiman,Asadullah Shaikh

DOI: https://doi.org/10.3390/su15119001

IF: 3.9

2023-06-03

Sustainability

Abstract:The Industrial Internet of Things (IIoT) refers to the employment of the Internet of Things in industrial management, where a substantial number of machines and devices are linked and synchronized with the help of software programs and third platforms to improve the overall productivity. The acquisition of the industrial IoT provides benefits that range from automation and optimization to eliminating manual processes and improving overall efficiencies, but security remains to be forethought. The absence of reliable security mechanisms and the magnitude of security features are significant obstacles to enhancing IIoT security. Over the last few years, alarming attacks have been witnessed utilizing the vulnerabilities of the IIoT network devices. Moreover, the attackers can also sink deep into the network by using the relationships amidst the vulnerabilities. Such network security threats cause industries and businesses to suffer financial losses, reputational damage, and theft of important information. This paper proposes an SDN-based framework using machine learning techniques for intrusion detection in an industrial IoT environment. SDN is an approach that enables the network to be centrally and intelligently controlled through software applications. In our framework, the SDN controller employs a machine-learning algorithm to monitor the behavior of industrial IoT devices and networks by analyzing traffic flow data and ultimately determining the flow rules for SDN switches. We use SVM and Decision Tree classification models to analyze our framework's network intrusion and attack detection performance. The results indicate that the proposed framework can detect attacks in industrial IoT networks and devices with an accuracy of 99.7%.

environmental sciences,environmental studies,green & sustainable science & technology

Yifan Liu,Shancang Li,Xinheng Wang,Li Xu

DOI: https://doi.org/10.32604/cmes.2024.046473

2024-01-01

Abstract:The Industrial Internet of Things (IIoT) has brought numerous benefits, such as improved efficiency, smart analytics, and increased automation. However, it also exposes connected devices, users, applications, and data generated to cyber security threats that need to be addressed. This work investigates hybrid cyber threats (HCTs), which are now working on an entirely new level with the increasingly adopted IIoT. This work focuses on emerging methods to model, detect, and defend against hybrid cyber attacks using machine learning (ML) techniques. Specifically, a novel ML-based HCT modelling and analysis framework was proposed, in which L1 regularisation and Random Forest were used to cluster features and analyse the importance and impact of each feature in both individual threats and HCTs. A grey relation analysis-based model was employed to construct the correlation between IIoT components and different threats.

Sapna Sadhwani,Urvi Kavan Modi,Raja Muthalagu,Pranav M Pawar,Pranav M. Pawar

DOI: https://doi.org/10.1109/access.2024.3371996

IF: 3.9

2024-03-12

IEEE Access

Abstract:While the Internet of Things (IoT) paradigm has transformed connectivity, it has also brought with it previously unheard-of security risks. The categorization of IoT attacks using several machine learning techniques and a deep learning method is the main emphasis of this research. In addition to proposing a binary and multiclass classification framework with Machine Learning (ML) algorithms like Random Forest (RF), Decision tree (DT), Extra Tree Classifier (ETC), Support Vector Machine (SVM), and k-Nearest Neighbor (KNN) and Deep Learning (DL) architectures like Deep Neural Network (DNN), the study assesses a wide range of attack types in IoT environments. Benchmark datasets with real-world IoT attack scenarios, such as Edge-IIoTset, are used for experimentation. Preprocessing is done on the dataset using Principal Componenet Analysis (PCA) for feature selection, Synthetic Minority Oversampling Technique to handle class imbalance and Standard Scaling for feature scaling. These approaches' comparative performance and efficacy are examined. The outcomes indicate how successful the DL model in managing intricate attack patterns and the generalization capabilities of ML algorithms across various attack classes. The DNN model yields the best results, with 100% accuracy for binary classification, 96.15% accuracy for 6-class classification, and 94.68% accuracy for 15-class classification. Further, 10-fold cross validation has been applied to make sure that the model does not overfit. This work contributes to the improvement of IoT security mechanisms by offering insights into the selection of appropriate approaches for binary and multiclass classification of threats.

computer science, information systems,telecommunications,engineering, electrical & electronic

Wenbin Yu,Yiyin Wang,Lei Song

DOI: https://doi.org/10.20944/preprints201912.0174.v1

2019-01-01

Abstract:Standard Ethernet (IEEE 802.3 and the TCP/IP protocol suite) is gradually applied in industrial control system (ICS) with the development of information technology. It breaks the natural isolation of ICS, but contains no security mechanism. A modified intrusion detection system (IDS), which is strongly correlated to specific industrial scenario, is necessary for modern ICS. On the one hand, this paper outlines attack models, including infiltration attacks and our creative forging attack. On the other hand, we proposes a hierarchical IDS, which contains a traffic prediction model and an anomaly detection model. The traffic prediction model, which is based on autoregressive integrated moving average (ARIMA), can forecast the traffic of ICS network in the short term and precisely detect the infiltration attacks according to abnormal changes in traffic pattern. The anomaly detection model using one-class support vector machine (OCSVM) is able to detect malicious control instructions by analyzing the key field in EtherNet/IP packets. The experimental results show that the hierarchical IDS has an outstanding performance in detecting infiltration attacks and forging attack compared with other two innovative IDSs.

KG Raghavendra Narayan,Srijanee Mookherji,Vanga Odelu,Rajendra Prasath,Anish Chand Turlapaty,Ashok Kumar Das

2023-08-02

Abstract:With rapid technological growth, security attacks are drastically increasing. In many crucial Internet-of-Things (IoT) applications such as healthcare and defense, the early detection of security attacks plays a significant role in protecting huge resources. An intrusion detection system is used to address this problem. The signature-based approaches fail to detect zero-day attacks. So anomaly-based detection particularly AI tools, are becoming popular. In addition, the imbalanced dataset leads to biased results. In Machine Learning (ML) models, F1 score is an important metric to measure the accuracy of class-level correct predictions. The model may fail to detect the target samples if the F1 is considerably low. It will lead to unrecoverable consequences in sensitive applications such as healthcare and defense. So, any improvement in the F1 score has significant impact on the resource protection. In this paper, we present a framework for ML-based intrusion detection system for an imbalanced dataset. In this study, the most recent dataset, namely CICIoT2023 is considered. The random forest (RF) algorithm is used in the proposed framework. The proposed approach improves 3.72%, 3.75% and 4.69% in precision, recall and F1 score, respectively, with the existing method. Additionally, for unsaturated classes (i.e., classes with F1 score < 0.99), F1 score improved significantly by 7.9%. As a result, the proposed approach is more suitable for IoT security applications for efficient detection of intrusion and is useful in further studies.

Cryptography and Security

Panagiotis Radoglou-Grammatikis,Konstantinos Rompolos,Panagiotis Sarigiannidis,Vasileios Argyriou,Thomas Lagkas,Antonios Sarigiannidis,Sotirios Goudos,Shaohua Wan

DOI: https://doi.org/10.1109/tii.2021.3093905

IF: 12.3

2022-01-01

IEEE Transactions on Industrial Informatics

Abstract:The rise of the Internet of Medical Things introduces the healthcare ecosystem in a new digital era with multiple benefits, such as remote medical assistance, real-time monitoring, and pervasive control. However, despite the valuable healthcare services, this progression raises significant cybersecurity and privacy concerns. In this article, we focus our attention on the IEC 60 870-5-104 protocol, which is widely adopted in industrial healthcare systems. First, we investigate and assess the severity of the IEC 60 870-5-104 cyberattacks by providing a quantitative threat model, which relies on Attack Defence Trees and Common Vulnerability Scoring System v3.1. Next, we introduce an intrusion detection and prevention system (IDPS), which is capable of discriminating and mitigating automatically the IEC 60 870-5-104 cyberattacks. The proposed IDPS takes full advantage of the machine learning (ML) and software defined networking (SDN) technologies. ML is used to detect the IEC 60 870-5-104 cyberattacks, utilizing 1) Transmission Control Protocol/Internet Protocol network flow statistics and 2) IEC 60 870-5-104 payload flow statistics. On the other side, the automated mitigation is transformed into a multiarmed bandit problem, which is solved through a reinforcement learning method called Thomson sampling and SDN. The evaluation analysis demonstrates the efficiency of the proposed IDPS in terms of intrusion detection accuracy and automated mitigation performance. The detection accuracy and the F1 score of the proposed IDPS reach 0.831 and 0.8258, respectively, while the mitigation accuracy is calculated at 0.923.

Fazila Malik,Qazi Waqas Waqas Khan,Atif Rizwan,Rana Alnashwan,Ghada Atteia

DOI: https://doi.org/10.3390/math12121799

IF: 2.4

2024-06-10

Mathematics

Abstract:Intrusion Detection Systems (IDSs) play a crucial role in safeguarding network infrastructures from cyber threats and ensuring the integrity of highly sensitive data. Conventional IDS technologies, although successful in achieving high levels of accuracy, frequently encounter substantial model bias. This bias is primarily caused by imbalances in the data and the lack of relevance of certain features. This study aims to tackle these challenges by proposing an advanced machine learning (ML) based IDS that minimizes misclassification errors and corrects model bias. As a result, the predictive accuracy and generalizability of the IDS are significantly improved. The proposed system employs advanced feature selection techniques, such as Recursive Feature Elimination (RFE), sequential feature selection (SFS), and statistical feature selection, to refine the input feature set and minimize the impact of non-predictive attributes. In addition, this work incorporates data resampling methods such as Synthetic Minority Oversampling Technique and Edited Nearest Neighbor (SMOTE_ENN), Adaptive Synthetic Sampling (ADASYN), and Synthetic Minority Oversampling Technique–Tomek Links (SMOTE_Tomek) to address class imbalance and improve the accuracy of the model. The experimental results indicate that our proposed model, especially when utilizing the random forest (RF) algorithm, surpasses existing models regarding accuracy, precision, recall, and F Score across different data resampling methods. Using the ADASYN resampling method, the RF model achieves an accuracy of 99.9985% for botnet attacks and 99.9777% for Man-in-the-Middle (MITM) attacks, demonstrating the effectiveness of our approach in dealing with imbalanced data distributions. This research not only improves the abilities of IDS to identify botnet and MITM attacks but also provides a scalable and efficient solution that can be used in other areas where data imbalance is a recurring problem. This work has implications beyond IDS, offering valuable insights into using ML techniques in complex real-world scenarios.

mathematics