Muhammad Fahad Umer,Muhammad Sher,Yaxin Bi

DOI: https://doi.org/10.1371/journal.pone.0180945

IF: 3.7

2018-01-12

PLoS ONE

Abstract:The next-generation network provides state-of-the-art access-independent services over converged mobile and fixed networks. Security in the converged network environment is a major challenge. Traditional packet and protocol-based intrusion detection techniques cannot be used in next-generation networks due to slow throughput, low accuracy and their inability to inspect encrypted payload. An alternative solution for protection of next-generation networks is to use network flow records for detection of malicious activity in the network traffic. The network flow records are independent of access networks and user applications. In this paper, we propose a two-stage flow-based intrusion detection system for next-generation networks. The first stage uses an enhanced unsupervised one-class support vector machine which separates malicious flows from normal network traffic. The second stage uses a self-organizing map which automatically groups malicious flows into different alert clusters. We validated the proposed approach on two flow-based datasets and obtained promising results.

Xinyue Jiang,Risheng Deng,Dong Zhang,Chunming Wu

DOI: https://doi.org/10.1109/iThings-GreenCom-CPSCom-SmartData-Cybermatics53846.2021.00035

2021-01-01

Abstract:The large-scale distributed network has exposed increasing attack surfaces to cyber attackers. In this paper, we present a refined network measurement mechanism, called DDoS Collaborative Mitigation Mechanism (DDoSCCM). Based on former achievements in the programmable network, our work aims at capturing the characters of abnormal traffic and presenting an antedating reaction, constrained by limited resources of the switching ASIC. In-band Network Telemetry (INT) technique achieves real-time monitoring of the network by utilizing the device data acquisition on the data plane. Our work helps the network operator not only to learn the status of the network but also to issue an appropriate mitigation strategy faster and more accurately. DDoSCCM aims at delegating both detection and mitigation processes to the programmable switch. Consequently, the theoretical analysis and experimental results show that DDoSCCM can meet practical requirements and have a certain application value.

Fei Yu,XiaoPing Dai,Yue Shen,Huang Huang,Miaoliang Zhu

DOI: https://doi.org/10.1109/ICSSSM.2005.1500110

2005-01-01

Abstract:The problem in network security presently is how to get real-time intrusion detection and alert. In the paper, we design Intrusion Detection System architecture and arithmetic again, meanwhile put forward an improved pattern matching arithmetic based on protocol analysis and theorization machine on Frete. New architecture can use network processor to collect and analyze data in network bottom, which enhance the speed and efficiency in Detection System.

Aleksey A. Galtsev,Andrei M. Sukhov

DOI: https://doi.org/10.1007/978-3-642-22875-9_30

2011-04-06

Abstract:In this paper, we propose a new method for detecting unauthorized network intrusions, based on a traffic flow model and Cisco NetFlow protocol application. The method developed allows us not only to detect the most common types of network attack (DDoS and port scanning), but also to make a list of trespassers' IP-addresses. Therefore, this method can be applied in intrusion detection systems, and in those systems which lock these IP-addresses.

Cryptography and Security

Yan Gao,Zhichun Li,Yan Chen

DOI: https://doi.org/10.1109/icdcs.2006.6

2006-01-01

Abstract:Global-scale attacks like viruses and worms are increasing in frequency, severity and sophistication, making it critical to detect outbursts at routers/gateways instead of end hosts. In this paper we leverage data streaming techniques such as the reversible sketch to obtain HiFIND, a High-speed Flow-level Intrusion Detection system. In contrast to existing intrusion detection systems, HiFIND I ) is scalable to flow-level detection on high-speed networks; 2) zs DoS resilient; 3) can distinguish SYN flooding and various port scans (mostly for worm propagation) for effective mitigation; 4 ) enables aggregate detection over multiple routers/gateways; and 5) separates anomalies to limit false positives in detection. Both theoretical analysis and evaluation with several router traces show that HiFIND achieves these properties. To the best of our knowledge, HiFIND is the first online DoS resilient flow-level intrusion detection system for high-speed networks (approximately 10s of Gigabit/second), even for the worst case trafic of 40-byte-packet streams with each packet forming a flow.

Sultan Zavrak,Murat Iskefiyeli

DOI: https://doi.org/10.1007/s00521-023-08376-5

2023-03-07

Neural Computing and Applications

Abstract:In this study, we present and implement the SAnDet (SDN anomaly detector) architecture, an anomaly-based intrusion detection system designed to take advantage of the capabilities offered by software-defined networking (SDN) architecture, as a controller application. The SAnDet system is composed of three modules: statistics collection, anomaly detection, and anomaly prevention. In particular, we utilize replicator neural networks (RNN), which is a specialized variant of the autoencoder, and the LSTM-based encoder–decoder (EncDecAD) method, which is a special type of long short-term memory (LSTM) network that has demonstrated a strong performance on data series particularly, to identify unknown attacks using flow features collected from OpenFlow switches. In our experiments, we utilize flow-based features extracted from network traffic data containing various types of attacks as input to our models in the form of time series. We evaluate the performance of our methods using the accuracy and area under the receiver operating characteristic curve (AUC) metrics. Our experimental results demonstrate that EncDecAD outperforms RNN and that our approach offers several benefits over previously conducted research.

computer science, artificial intelligence

Raja Giryes,Lior Shafir,Avishai Wool

DOI: https://doi.org/10.48550/arXiv.2405.07232

2024-05-12

Abstract:Distributed Denial of Service (DDoS) attacks are getting increasingly harmful to the Internet, showing no signs of slowing down. Developing an accurate detection mechanism to thwart DDoS attacks is still a big challenge due to the rich variety of these attacks and the emergence of new attack vectors. In this paper, we propose a new tree-based DDoS detection approach that operates on a flow as a stream structure, rather than the traditional fixed-size record structure containing aggregated flow statistics. Although aggregated flow records have gained popularity over the past decade, providing an effective means for flow-based intrusion detection by inspecting only a fraction of the total traffic volume, they are inherently constrained. Their detection precision is limited not only by the lack of packet payloads, but also by their structure, which is unable to model fine-grained inter-packet relations, such as packet order and temporal relations. Additionally, inferring aggregated flow statistics must wait for the complete flow to end. Here we show that considering flow inputs as variable-length streams composed of their associated packet headers, allows for very accurate and fast detection of malicious flows. We evaluate our proposed strategy on the CICDDoS2019 and CICIDS2017 datasets, which contain a comprehensive variety of DDoS attacks. Our approach matches or exceeds existing machine learning techniques' accuracy, including state-of-the-art deep learning methods. Furthermore, our method achieves significantly earlier detection, e.g., with CICDDoS2019 detection based on the first 2 packets, which corresponds to an average time-saving of 99.79% and uses only 4--6% of the traffic volume.

Cryptography and Security

Rimsha Saeed,Hassaan Khaliq Qureshi,Christiana Ioannou,Marios Lestas

DOI: https://doi.org/10.1109/access.2024.3489772

IF: 3.9

2024-11-09

IEEE Access

Abstract:Many interconnected IoT devices driven by imperatives of efficiency and convenience often lack adequate security measures, making them susceptible to exploitation by cyber-criminals. Effective network security necessitates meticulous intrusion detection, which typically involves scrutinizing the network traffic using deep packet or stateful protocol inspection techniques. However, traditional inspection methods often require manual feature engineering, which can result in loss of payload information and thus, false alarms. In this study, a controlled testbed environment is established to capture botnet traffic. The paper introduces a detection approach that involves converting raw NetFlow data to IDX, short for 'Index,' image representations. A hybrid deep learning architecture is designed, integrating VGG19 and GRU structures to learn the spatial and temporal features, respectively. The detection results show that the proposed solution achieves 98.883% true positives rate and 0.9% false negatives rate, surpassing conventional anomaly detection. In addition, an adaptive sliding window technique is introduced for live intrusion detection and prevention. Through iterative testing and refinement, a runtime of 0.041 ms per image and 0.00171 ms per packet is achieved, confirming the robust nature of the proposed method.

computer science, information systems,telecommunications,engineering, electrical & electronic

Xiaoheng Deng,Jincai Zhu,Xinjun Pei,Lan Zhang,Zhen Ling,Kaiping Xue

DOI: https://doi.org/10.1109/tnsm.2022.3213807

2022-01-01

IEEE Transactions on Network and Service Management

Abstract:Given the distributed nature of the massively connected “Things” in IoT, IoT networks have been a primary target for cyberattacks. Although machine learning based network intrusion detection systems (NIDS) can effectively detect abnormal network traffic behaviors, most existing approaches are based on a large amount of labeled traffic flow data, which hinders their implementation in the highly dynamic IoT networks with limited labeling. In this paper, we develop a novel Flow Topology based Graph Convolutional Network (FT-GCN) approach for label-limited IoT network intrusion detection. Our main idea is to leverage the underlying traffic flow patterns, $i.e.$ , the flow topological structure, to unlock the full potential of the traffic flow data with limited labeling, where the FT-GCN will be deployed at the edge servers in IoT networks to detect intrusions via software defined network technologies. Specifically, FT-GCN first takes the time correlation of traffic flows into account to construct an interval-constrained traffic graph (ICTG). Besides, a Node-Level Spatial (NLS) attention mechanism is designed to further enhance the key statistical features of traffic flows in ICTG. Finally, the combined representation of statistical flow features and flow topological structure are learned by the cost-effective Topology Adaptive Graph Convolutional Networks (TAGCN) for intrusion identification in IoT networks. Extensive experiments are conducted on three real-world datasets, which demonstrate the effectiveness of the proposed FT-GCN compared to state-of-the-art approaches.

Zhichun Li,Yan Gao,Yan Chen

DOI: https://doi.org/10.1016/j.comnet.2009.10.016

IF: 5.493

2009-01-01

Computer Networks

Abstract:Global-scale attacks like worms and botnets are increasing in frequency, severity and sophistication, making it critical to detect outbursts at routers/gateways instead of end hosts. In this paper, leveraging data streaming techniques such as the reversible sketch, we design HiFIND, a High-speed Flow-level Intrusion Detection system. In contrast to existing intrusion detection systems, HiFIND: (i) is scalable to flow-level detection on high-speed networks; (ii) is DoS resilient; (iii) can distinguish SYN flooding and various port scans (mostly for worm propagation) for effective mitigation; (iv) enables aggregate detection over multiple routers/gateways; and (v) separates anomalies to limit false positives in detection. Both theoretical analysis and evaluation with several router traces show that HiFIND achieves these properties. To the best of our knowledge, HiFIND is the first online DoS resilient flow-level intrusion detection system for high-speed networks (e.g. OC192), even for the worst-case traffic of 40-byte-packet streams with each packet forming a flow.

Martin Andreoni Lopez,Diogo Menezes Ferrazani Mattos,Otto Carlos M. B. Duarte

DOI: https://doi.org/10.1007/s12243-016-0506-y

2016-03-05

Annals of Telecommunications

Abstract:Internal users are the main causes of anomalous and suspicious behaviors in a communication network. Even when traditional security middleboxes are present, internal attacks may lead the network to outages or to leakage of sensitive information. In this article, we propose BroFlow, an Intrusion Detection and Prevention System based on Bro traffic analyzer and on the global network view of the software-defined networks (SDN) which is provided by the OpenFlow. BroFlow main contributions are (i) dynamic and elastic resource provision of traffic-analyzing machines under demand; (ii) real-time detection of DoS attacks through simple algorithms implemented in a policy language for network events; (iii) immediate reaction to DoS attacks, dropping malicious flows close of their sources, and (iv) near-optimal placement of sensors through a proposed heuristic for strategically positioning sensors in the network infrastructure, which is shared by multi-tenants, with a minimum number of sensors. We developed a prototype of the proposed system, and we evaluated it in a virtual environment of the Future Internet Testbed with Security (FITS). An evaluation of the system under attack shows that BroFlow guarantees the forwarding of legitimate packets at the maximal link rate, reducing up to 90 % of the maximal network delay caused by the attack. BroFlow reaches 50 % of bandwidth gain when compared with conventional firewalls approaches, even when the attackers are legitimate tenants acting in collusion. In addition, the system reduces the sensors number, while keeping full coverage of network flows.

telecommunications

Amritpal Singh,Pushpinder Kaur Chouhan,Gagangeet Singh Aujla

DOI: https://doi.org/10.1016/j.adhoc.2024.103404

IF: 4.816

2024-01-22

Ad Hoc Networks

Abstract:There is a massive growth in the rate of heterogeneous devices configured in the Internet of Things (IoT) environment for efficient communication. The IoT devices are limited in resources, and there are no defined protocols in terms of security during communication in the IoT-based platforms. Several solutions are framed to make communication secure in the IoT ecosystem. However, the existing schemes need to be more reliable to handle the cyber threats and unwarranted incidents (such as intrusions, anomalies and attacks) coming from IoT endpoints owing to the unstructured patterns of IoT data and dynamic network conditions. Moreover, heavy cryptographic primitives have their deployment challenges due to the resource constraints of the IoT ecosystem. The dynamic nature of IoT traffic requires flexible and varied rules to handle the threats in different deployment scenarios. Therefore, a programmable interface enabled through Software-defined Networking (SDN) can handle heterogeneous threats and incidents in the IoT cyber world. Thus, in this paper, we have designed a novel framework, SecureFlow, an intrusion detection and dynamic rule configuration system based on the knowledge-based and data-driven ensemble. The proposed framework is robust and fault tolerant owing to dual-layer Intrusion Detection System (IDS) and rule configuration modules that can work without one of them. SecureFlow validated through several experiments performed through emulations in Mininet. The results depict that the proposed framework is effective and promising.

computer science, information systems,telecommunications

Ning Xi,Chao Chen,Jun Zhang,Cong Sun,Shigang Liu,Pengbin Feng,Jianfeng Ma

DOI: https://doi.org/10.48550/arXiv.2106.04951

2021-06-09

Abstract:Mobile and IoT applications have greatly enriched our daily life by providing convenient and intelligent services. However, these smart applications have been a prime target of adversaries for stealing sensitive data. It poses a crucial threat to users' identity security, financial security, or even life security. Research communities and industries have proposed many Information Flow Control (IFC) techniques for data leakage detection and prevention, including secure modeling, type system, static analysis, dynamic analysis, \textit{etc}. According to the application's development life cycle, although most attacks are conducted during the application's execution phase, data leakage vulnerabilities have been introduced since the design phase. With a focus on lifecycle protection, this survey reviews the recent representative works adopted in different phases. We propose an information flow based defensive chain, which provides a new framework to systematically understand various IFC techniques for data leakage detection and prevention in Mobile and IoT applications. In line with the phases of the application life cycle, each reviewed work is comprehensively studied in terms of technique, performance, and limitation. Research challenges and future directions are also pointed out by consideration of the integrity of the defensive chain.

Cryptography and Security

Ansam Khraisat,Iqbal Gondal,Peter Vamplew,Joarder Kamruzzaman

DOI: https://doi.org/10.1186/s42400-019-0038-7

2019-07-17

Abstract:Cyber-attacks are becoming more sophisticated and thereby presenting increasing challenges in accurately detecting intrusions. Failure to prevent the intrusions could degrade the credibility of security services, e.g. data confidentiality, integrity, and availability. Numerous intrusion detection methods have been proposed in the literature to tackle computer security threats, which can be broadly classified into Signature-based Intrusion Detection Systems (SIDS) and Anomaly-based Intrusion Detection Systems (AIDS). This survey paper presents a taxonomy of contemporary IDS, a comprehensive review of notable recent works, and an overview of the datasets commonly used for evaluation purposes. It also presents evasion techniques used by attackers to avoid detection and discusses future research challenges to counter such techniques so as to make computer systems more secure.

computer science, information systems, interdisciplinary applications, software engineering

Chuanpu Fu,Qi Li,Ke Xu

DOI: https://doi.org/10.1109/tnet.2024.3370851

2024-01-01

IEEE/ACM Transactions on Networking

Abstract:Nowadays traffic on the Internet has been widely encrypted to protect its confidentiality and privacy. However, traffic encryption is always abused by attackers to conceal their malicious behaviors. Since encrypted malicious traffic is similar to benign flows, it can easily evade traditional detection. In particular, the existing encrypted traffic detection methods are supervised which rely on the prior knowledge of known attacks (e.g., labeled datasets). Detecting unknown encrypted malicious traffic, which does not require prior knowledge, is still an open problem. In this paper, we propose, an unsupervised machine learning (ML) based malicious traffic detection system. Particularly, is able to detect unknown patterns of encrypted malicious traffic by utilizing a graph built upon flow interaction patterns, instead of learning the features of specific known attacks. We develop an unsupervised graph learning method to detect abnormal interaction patterns by analyzing the graph features, which allows to detect unknown attacks without requiring any labeled datasets. Moreover, we establish an information theory model to prove the effectiveness of . We show the performance of by real-world experiments with 140 attacks. The experimental results illustrate that outperforms the state-of-the-art methods by 13.9% accuracy improvement. Moreover, achieves 15.82 Mpps detection throughput with the average detection latency of 0.29s.

telecommunications,computer science, theory & methods,engineering, electrical & electronic, hardware & architecture

Congqi Shen,Geyang Xiao,Shaofeng Yao,Boyang Zhou,Zhongxia Pan,Hong Zhang

DOI: https://doi.org/10.1109/spac53836.2021.9539933

2021-01-01

Abstract:Current Industrial Internet faces serious threats where attackers propagate malicious flows, resulting in communication failures in the Industrial Internet. In this work, we propose a practical and novel method to detect malicious traffic attack in real time with high accuracy. Our primary idea is to capture network flow, extract adequate network flow features, construct a long short-term memory (LSTM) based deep learning model, and identify the property of the corresponding network flow. Whether the network suffers attack or not is then determined according to the detection results. The corresponding prototype is also implemented in the Industrial Internet which is equipped with Software Defined Networking (SDN). Experimental results validate that the proposed method is effective in defending against malicious traffic attack in real-world network.

María Rodríguez,Álvaro Alesanco,Lorena Mehavilla,José García

DOI: https://doi.org/10.3390/s22239326

IF: 3.9

2022-12-01

Sensors

Abstract:Cybersecurity is one of the great challenges of today's world. Rapid technological development has allowed society to prosper and improve the quality of life and the world is more dependent on new technologies. Managing security risks quickly and effectively, preventing, identifying, or mitigating them is a great challenge. The appearance of new attacks, and with more frequency, requires a constant update of threat detection methods. Traditional signature-based techniques are effective for known attacks, but they are not able to detect a new attack. For this reason, intrusion detection systems (IDS) that apply machine learning (ML) techniques represent an alternative that is gaining importance today. In this work, we have analyzed different machine learning techniques to determine which ones permit to obtain the best traffic classification results based on classification performance measurements and execution times, which is decisive for further real-time deployments. The CICIDS2017 dataset was selected in this work since it contains bidirectional traffic flows (derived from traffic captures) that include benign traffic and different types of up-to-date attacks. Each traffic flow is characterized by a set of connection-related attributes that can be used to model the traffic and distinguish between attacks and normal flows. The CICIDS2017 also contains the raw network traffic captures collected during the dataset creation in a packet-based format, thus permitting to extract the traffic flows from them. Various classification techniques have been evaluated using the Weka software: naive Bayes, logistic, multilayer perceptron, sequential minimal optimization, k-nearest neighbors, adaptive boosting, OneR, J48, PART, and random forest. As a general result, methods based on decision trees (PART, J48, and random forest) have turned out to be the most efficient with F1 values above 0.999 (average obtained in the complete dataset). Moreover, multiclass classification (distinguishing between different types of attack) and binary classification (distinguishing only between normal traffic and attack) have been compared, and the effect of reducing the number of attributes using the correlation-based feature selection (CFS) technique has been evaluated. By reducing the complexity in binary classification, better results can be obtained, and by selecting a reduced set of the most relevant attributes, less time is required (above 30% of decrease in the time required to test the model) at the cost of a small performance loss. The tree-based techniques with CFS attribute selection (six attributes selected) reached F1 values above 0.990 in the complete dataset. Finally, a conventional tool like Zeek has been used to process the raw traffic captures to identify the traffic flows and to obtain a reduced set of attributes from these flows. The classification results obtained using tree-based techniques (with 14 Zeek-based attributes) were also very high, with F1 above 0.997 (average obtained in the complete dataset) and low execution times (allowing several hundred thousand flows/s to be processed). These classification results obtained on the CICIDS2017 dataset allow us to affirm that the tree-based machine learning techniques may be appropriate in the flow-based intrusion detection problem and that algorithms, such as PART or J48, may offer a faster alternative solution to the RF technique.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Xinwen Fu,Ye Zhu,Bryan Graham,Riccardo Bettati,Wei Zhao

DOI: https://doi.org/10.1166/juci.2007.005

2007-04-01

Journal of Ubiquitous Computing and Intelligence

Abstract:This paper studies the degradation of anonymity in a flow-based wireless mix network under flow marking attacks, in which an adversary embeds a recognizable pattern of marks into wireless traffic flows by electromagnetic interference. We find that traditional mix technologies are not effective in defeating flow marking attacks, and it may take an adversary only a few seconds to recognize the communication relationship between hosts by tracking such intentional marks. Flow marking attacks utilize frequency domain analytical techniques and convert time domain marks into invariant feature frequencies. To counter flow marking attacks, we propose a new class of countermeasure based on digital filtering technology and show that this filter-based countermeasure can effectively defend a wireless mix network from flow marking attacks.

Yun-Chun Chen,Yu-Jhe Li,Aragorn Tseng,Tsungnan Lin

DOI: https://doi.org/10.48550/arXiv.1802.03358

IF: 5.414

2018-02-09

Machine Learning

Abstract:Cyber security has grown up to be a hot issue in recent years. How to identify potential malware becomes a challenging task. To tackle this challenge, we adopt deep learning approaches and perform flow detection on real data. However, real data often encounters an issue of imbalanced data distribution which will lead to a gradient dilution issue. When training a neural network, this problem will not only result in a bias toward the majority class but show the inability to learn from the minority classes. In this paper, we propose an end-to-end trainable Tree-Shaped Deep Neural Network (TSDNN) which classifies the data in a layer-wise manner. To better learn from the minority classes, we propose a Quantity Dependent Backpropagation (QDBP) algorithm which incorporates the knowledge of the disparity between classes. We evaluate our method on an imbalanced data set. Experimental result demonstrates that our approach outperforms the state-of-the-art methods and justifies that the proposed method is able to overcome the difficulty of imbalanced learning. We also conduct a partial flow experiment which shows the feasibility of real-time detection and a zero-shot learning experiment which justifies the generalization capability of deep learning in cyber security.

Jahanzaib Malik,Adnan Akhunzada,Iram Bibi,Muhammad Talha,Mian Ahmad Jan,Muhammad Usman

DOI: https://doi.org/10.1109/jsen.2020.3012046

IF: 4.3

2021-07-15

IEEE Sensors Journal

Abstract:Intelligent transportation systems have been envisioned to bring more intelligence and cooperative sensing to meet the imminent demands of overall improved autonomous transportation. However, dynamic era of modern applications and fixed architecture of legacy Internet needs flexible, innovative, adaptive, and programmable software defined intelligent transportation systems (SD-ITS). The centralized control intelligence of SD-ITS can be a potential primary target of the prevalent cyber threats and attacks that can simply throw the entire network into chaos. The authors propose a DL-driven multi-vector scalable attack detection framework leveraging graphical processing unit (GPU) empowered Bidirectional Long Short-Term Memory (BLSTM) to efficiently tackle exponentially growing diverse sophisticated attacks that primarily target the control unit of the SD-ITS. The proposed technique has been rigorously evaluated with current state-of-the-art publicly available Flow-based dataset (i.e., CICIDS2017) using standard performance metrics. Further, the proposed mechanism is compared with contemporary benchmarks (i.e., DL algorithms). Extensive experimental results exhibit out-performance of the proposed technique in term of detection accuracy with a trivial trade-off computational complexity. Finally, the study also employed 10-fold cross validation to explicitly show unbiased results.