Junjiang He,Wenbo Fang,Xiaolong Lan,Geying Yang,Ziyu Chen,Yang Chen,Tao Li,Jiangchuan Chen

DOI: https://doi.org/10.1155/2024/9044391

IF: 8.993

2024-11-02

International Journal of Intelligent Systems

Abstract:Application‐layer distributed denial of service (DDoS) attacks have become the main threat to Web server security. Because application‐layer DDoS attacks have strong concealability and high authenticity, intrusion detection technologies that rely solely on judging client authenticity cannot accurately detect such attacks. In addition, application‐layer DDoS attacks are periodic and repetitive, and attack targets suddenly in a short period. In this study, we propose an efficient application‐layer DDoS detection system based on improved random forest. Firstly, the Web logs are preprocessed to extract the user session characteristics. Subsequently, we propose a Session Identification based on Separation and Aggregation (SISA) method to accurately capture user sessions. Lastly, we propose an improved random forest classification algorithm based on feature weighting to address the issue of an increasing number of features leading to prolonged calculation times in the random forest algorithm, and as the feature dimension increases, there might be instances where no subfeature is related to the category to be classified. More importantly, we compare the request source IP with the malicious IP in the threat intelligence library to deal with the periodicity and repetition of application‐layer DDoS attacks. We conducted a comprehensive experiment on the publicly available Web log dataset and the threat intelligence database of the laboratory as well as the simulated generated attack log dataset in the laboratory environment. The experimental results show that the proposed detection system can control the false alarm rate and false alarm rate within a reasonable range, improving the detection efficiency further, the detection rate is 99.85%. In secondary attack detection experiments, our proposed detection method achieves a higher detection rate in a shorter time.

computer science, artificial intelligence

Babu R. Dawadi,Bibek Adhikari,Devesh K. Srivastava

DOI: https://doi.org/10.3390/s23042073

IF: 3.9

2023-02-13

Sensors

Abstract:New techniques and tactics are being used to gain unauthorized access to the web that harm, steal, and destroy information. Protecting the system from many threats such as DDoS, SQL injection, cross-site scripting, etc., is always a challenging issue. This research work makes a comparative analysis between normal HTTP traffic and attack traffic that identifies attack-indicating parameters and features. Different features of standard datasets ISCX, CISC, and CICDDoS were analyzed and attack and normal traffic were compared by taking different parameters into consideration. A layered architecture model for DDoS, XSS, and SQL injection attack detection was developed using a dataset collected from the simulation environment. In the long short-term memory (LSTM)-based layered architecture, the first layer was the DDoS detection model designed with an accuracy of 97.57% and the second was the XSS and SQL injection layer with an obtained accuracy of 89.34%. The higher rate of HTTP traffic was investigated first and filtered out, and then passed to the second layer. The web application firewall (WAF) adds an extra layer of security to the web application by providing application-level filtering that cannot be achieved by the traditional network firewall system.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Do Thi Thu Hien,Pham Van Hau

DOI: https://doi.org/10.54654/isj.v3i20.1008

2023-12-31

Journal of Science and Technology on Information security

Abstract:Abstract— Nowadays, web attacks have become more complicated, leading to the difficulty of traditional web application firewalls (WAFs) in recognizing those threats, especially when dealing with new attacks. Hence, machine learning/deep learning (ML/DL) approaches have been applied to the field of web attack detection with proven success. However, most existing ML/DL-based web attack detectors focus on a specific type of attack due to the difference in the payload of various attacks, which sets a border to the capability of those solutions in detecting new attack types. In this paper, we propose a novel DL-based solution for web attack detection, named DL-WAD, leveraging deep learning and natural language processing techniques. Moreover, DL-WAD is designed with a data preprocessing mechanism aimed at differentiating between regular web requests and malicious ones that carry attack payloads encompassing multiple types of web attacks. The experiment results indicate the effectiveness of our solution in protecting the target web services from a wide range of attacks with high accuracy.

Kirti V. Deshpande,Jaibir Singh

DOI: https://doi.org/10.1007/s11042-023-17356-9

IF: 2.577

2023-10-18

Multimedia Tools and Applications

Abstract:Web application firewalls (WAFs) and other Intrusion Detection Systems (IDS) techniques are employed to defend the network against web attacks. Even so, attacks may succeed since most WAFs demand extensive configuration expertise that depends on filters. Despite notable successes, deep information has been utilized in varied applications. Still, it's crucial to have a reliable method for detecting the attack due to the attacker's various ways of concealment of the URLs. Several methods were introduced for detecting the attacks in web applications; still, the accuracy of detection and the computation burden are challenging aspects. Hence, a web attack detection mechanism is introduced in this research using the deep learning framework using the URL request. The proposed method utilizes a three-fold attack detection strategy to detect the attack with minimal computation complexity. Initially, the profile is checked to determine the genuinity of a user, and then, the bot scanners are identified using the generalized adversarial network (GAN). Finally, the attack detection is employed using the transformer neural network, wherein the adjustable parameters are modified using the weighted mean of vectors (INFO) optimization technique. The performance of a proposed method is evaluated based on various assessment measures like Accuracy, Precision, Recall, F-Measure, TPR, FPR, FNR and TNR and acquired the values of 99.97%, 99.96%, 99.97%, 99.97%, 99.97%, 0.03%, 0.03%, and 99.97% respectively.

computer science, information systems, theory & methods,engineering, electrical & electronic, software engineering

Ke Li,Heng Yang,Willem Visser

DOI: https://doi.org/10.48550/arXiv.2206.05743

2022-06-12

Abstract:Web application firewall (WAF) plays an integral role nowadays to protect web applications from various malicious injection attacks such as SQL injection, XML injection, and PHP injection, to name a few. However, given the evolving sophistication of injection attacks and the increasing complexity of tuning a WAF, it is challenging to ensure that the WAF is free of injection vulnerabilities such that it will block all malicious injection attacks without wrongly affecting the legitimate message. Automatically testing the WAF is, therefore, a timely and essential task. In this paper, we propose DaNuoYi, an automatic injection testing tool that simultaneously generates test inputs for multiple types of injection attacks on a WAF. Our basic idea derives from the cross-lingual translation in the natural language processing domain. In particular, test inputs for different types of injection attacks are syntactically different but may be semantically similar. Sharing semantic knowledge across multiple programming languages can thus stimulate the generation of more sophisticated test inputs and discovering injection vulnerabilities of the WAF that are otherwise difficult to find. To this end, in DaNuoYi, we train several injection translation models by using multi-task learning that translates the test inputs between any pair of injection attacks. The model is then used by a novel multi-task evolutionary algorithm to co-evolve test inputs for different types of injection attacks facilitated by a shared mating pool and domain-specific mutation operators at each generation. We conduct experiments on three real-world open-source WAFs and six types of injection attacks, the results reveal that DaNuoYi generates up to 3.8x and 5.78x more valid test inputs (i.e., bypassing the underlying WAF) than its state-of-the-art single-task counterparts and the context-free grammar-based injection construction.

Neural and Evolutionary Computing

Louai A. Maghrabi

DOI: https://doi.org/10.1109/access.2024.3369237

IF: 3.9

2024-03-06

IEEE Access

Abstract:Security attacks are becoming more sophisticated and common as connected devices rapidly exchange personal, sensitive, and important data. Security solutions are therefore required for Internet of Things (IoT) environments. System administrators receive alerts through an automatic Network Intrusion Detection (NID) system when security breaches occur. An automatic NID can be an effective tool to protect IoT networks against various attacks. It is possible to detect intrusions using a variety of intrusion detection techniques, but the performance and class imbalance in the dataset make this a difficult process. To improve detection rates and decrease false alarms, intrusion detection accuracy must be improved. In this paper, an automatic NID system is proposed leveraging a renowned machine learning model named Random Forest (RF) on the (UNSW-NB15) dataset collected from Kaggle. The experimental results indicate that the proposed model not only has higher accuracy at 90.17% surpassing the baseline approach by 7.34%, but also has precision, recall, and F1 scores up to 90.14%, 90.17, and 90.14%, respectively. Moreover, 98.83% accuracy is achieved with a balanced class dataset by using random resampling techniques to generate synthetic data of minority attacks.

computer science, information systems,telecommunications,engineering, electrical & electronic

Zhihao Wang,Dingde Jiang,Liuwei Huo,Wei Yang

DOI: https://doi.org/10.1007/s11276-021-02698-9

IF: 2.701

2021-01-01

Wireless Networks

Abstract:With the rapid development of cloud computing and mobile internet, massive network traffic is generated, with the raging malicious traffic and attacks. Network Intrusion Detection System plays an essential part in defending the malicious attacks. However, based on mathematical-statistical and packet verification methods, traditional network intrusion detection approaches are inadequate in detection capacity. Therefore, in this paper, we present an effective network intrusion detection approach based on sparse auto-encoder (SAE) and random forest (RF), as a mitigation way to this problem. The feature extraction power of SAE and the classification and detection power of random forest are combined to improve the detection efficiency and accuracy. And the SAE-RF (Sparse Auto-Encoder Based Random Forest) detection approach is presented. Besides, to address the irregularities and imbalance of the benchmark dataset, an ANASYN over-sampling technique is employed. Simulation and evaluation results on TensorFlow and Keras demonstrate the proposed SAE-RF model has better performance than existing approaches.

ZHAO Dong-ping,ZHENG Wei-bin,ZHANG De-yun

DOI: https://doi.org/10.3321/j.issn:1000-8608.2005.z1.035

2005-01-01

Abstract:To address the problem of application-level web security,an adaptive intrusion detection system is proposed,which is embedded directly in the Web server.In order to define all the valid requests for anomaly detection and misuse detection,the techniques which observe the clients' access behavior relevancy and adjust their personal policies dynamically are employed.The experiments indicate that the proposed system can not only confirm the valid request but also defend the new attack behavior and detect the old attack event.Based on the proposed method,the detecting rate is over 95.8% under common attack scanning.

Guodong Huang,Chuan Ma,Ming Ding,Yuwen Qian,Chunpeng Ge,Liming Fang,Zhe Liu

DOI: https://doi.org/10.48550/arXiv.2302.13763

2023-02-27

Abstract:Website fingerprinting attack is an extensively studied technique used in a web browser to analyze traffic patterns and thus infer confidential information about users. Several website fingerprinting attacks based on machine learning and deep learning tend to use the most typical features to achieve a satisfactory performance of attacking rate. However, these attacks suffer from several practical implementation factors, such as a skillfully pre-processing step or a clean dataset. To defend against such attacks, random packet defense (RPD) with a high cost of excessive network overhead is usually applied. In this work, we first propose a practical filter-assisted attack against RPD, which can filter out the injected noises using the statistical characteristics of TCP/IP traffic. Then, we propose a list-assisted defensive mechanism to defend the proposed attack method. To achieve a configurable trade-off between the defense and the network overhead, we further improve the list-based defense by a traffic splitting mechanism, which can combat the mentioned attacks as well as save a considerable amount of network overhead. In the experiments, we collect real-life traffic patterns using three mainstream browsers, i.e., Microsoft Edge, Google Chrome, and Mozilla Firefox, and extensive results conducted on the closed and open-world datasets show the effectiveness of the proposed algorithms in terms of defense accuracy and network efficiency.

Cryptography and Security,Machine Learning

Bo-Xiang Wang,Jiann-Liang Chen,Chiao-Lin Yu

DOI: https://doi.org/10.1109/access.2022.3175886

IF: 3.9

2022-05-27

IEEE Access

Abstract:The work develops a network threat detection system, AI@NTDS, that uses the behavioral features of attackers and intelligent techniques. The proposed AI@NTDS system combines data analysis, feature extraction, and feature evaluation to construct a detection model, which supports a more straightforward strategy by which the operating system or its operators can defend against network attacks. The Linux system interaction information of SSH (Secure Shell) and Telnet are obtained from the Cowrie Honeypot and labeled according to Enterprise Tactics of MITRE ATT&CK to ensure dataset credibility. The proposed AI@NTDS system has three levels, depending on the attacker's attacks and the user's risk of damage. Fifty-two features are used to detect the network threat level. The features contain message-based features for all kinds of Linux operating instructions, host-based features for all types of information in the network connection process, and geography-based features are related to the attacker's location. AI-based algorithms LightGBM, Random Forest and the K-NN algorithm are used to verify the identification of the custom features. Finally, the detection model that is trained using the best combination of features is used to predict the test dataset. The accuracy of the proposed AI@NTDS system reaches 99%, 95.66%, and 94.08% with the LightGBM, Random Forest, and K-NN algorithms, respectively. The mutual dependencies of features and network threats are evaluated. Results of a performance analysis reveal that the proposed AI@NTDS system has an accuracy of 99.20% and an F1-score of 99.80%. It is superior to existing detection mechanisms, which it outperforms by 4% and 1% i- accuracy and F1-score, respectively.

computer science, information systems,telecommunications,engineering, electrical & electronic

Haibin Hu

DOI: https://doi.org/10.1063/1.4982570

2017-01-01

AIP Conference Proceedings

Abstract:Among numerous WEB security issues, SQL injection is the most notable and dangerous. In this study, characteristics and procedures of SQL injection are analyzed, and the method for detecting the SQL injection attack is illustrated. The defense resistance and remedy model of SQL injection attack is established from the perspective of non-intrusive SQL injection attack and defense. Moreover, the ability of resisting the SQL injection attack of the server has been comprehensively improved through the security strategies on operation system, IIS and database, etc.. Corresponding codes are realized. The method is well applied in the actual projects.

Li Nige,Chen Lu,Zhao Lei,Teng Zhenning,Wang Zhiqiang,Shao Yiyang,Gui Xiaolin

DOI: https://doi.org/10.1109/AEEGE58828.2023.00010

2023-01-01

Abstract:The widespread use of power micro-applications has significantly expanded the attack surface of their server side, thus increasing the risk of vulnerability attacks such as SQL injection, XSS, and CRLF injection. To ensure the security of power systems, these attacks must be detected precisely and timely. Therefore, this paper proposes a server-side web attack detection method based on DistilBERT and feature fusion for HTTP and HTTPS requests. The method treats HTTP and HTTPS requests as text data, specifically, extracts deep semantic features using DistilBERT, and fuses them with well-designed empirical features to comprehensively characterize and classify the request. Consequently, anomalous requests can be detected. The experimental results show that the accuracy, precision, recall, and F1 score of the method on HTTP CSIC 2010 and FWAF datasets are close to or higher than 99%. Compared with other methods as far as we known, this method has better performance and efficiency.

ZHOU Yong-lu,WU Hai-yan,JIANG Dong-xing

DOI: https://doi.org/10.3969/j.issn.1671-0428.2012.05.004

2012-01-01

Abstract:As traditional security techniques fail to protect web applications from attacks,more research has focus on intrusion detection for web applications.Access logs are the most important data source for intrusion detection.However,log files usually contain a huge quantity of records.Without effective methods,it is not feasible for administrator to inspect and locate intrusions.Misuse detection and anomaly detection models have been proposed to solve this problem.This paper conducts intrusion detection over a real web application based on statistical anomaly-based models.The result shows these models can effectively detect attacks like SQL injection.

Hafiza Anisa Ahmed,Anum Hameed,Narmeen Zakaria Bawany

DOI: https://doi.org/10.7717/peerj-cs.820

2022-01-07

PeerJ Computer Science

Abstract:The expeditious growth of the World Wide Web and the rampant flow of network traffic have resulted in a continuous increase of network security threats. Cyber attackers seek to exploit vulnerabilities in network architecture to steal valuable information or disrupt computer resources. Network Intrusion Detection System (NIDS) is used to effectively detect various attacks, thus providing timely protection to network resources from these attacks. To implement NIDS, a stream of supervised and unsupervised machine learning approaches is applied to detect irregularities in network traffic and to address network security issues. Such NIDSs are trained using various datasets that include attack traces. However, due to the advancement in modern-day attacks, these systems are unable to detect the emerging threats. Therefore, NIDS needs to be trained and developed with a modern comprehensive dataset which contains contemporary common and attack activities. This paper presents a framework in which different machine learning classification schemes are employed to detect various types of network attack categories. Five machine learning algorithms: Random Forest, Decision Tree, Logistic Regression, K-Nearest Neighbors and Artificial Neural Networks, are used for attack detection. This study uses a dataset published by the University of New South Wales (UNSW-NB15), a relatively new dataset that contains a large amount of network traffic data with nine categories of network attacks. The results show that the classification models achieved the highest accuracy of 89.29% by applying the Random Forest algorithm. Further improvement in the accuracy of classification models is observed when Synthetic Minority Oversampling Technique (SMOTE) is applied to address the class imbalance problem. After applying the SMOTE, the Random Forest classifier showed an accuracy of 95.1% with 24 selected features from the Principal Component Analysis method.

computer science, information systems, artificial intelligence, theory & methods

GUO Shan-Qing,GAO Cong,YAO Jian,XIE Li

DOI: https://doi.org/10.1360/jos161490

2005-01-01

Journal of Software

Abstract:Coupled with the explosion of number of the network-oriented applications, Intrusion Detection as an increasingly popular area is attracting more and more research efforts. Although a number of algorithms have already been presented to tackle this problem, they are unable to achieve balanced detection performance for different types of intrusion and cannot respond as quickly as expected. Employing random forests algorithm (RFA)in intrusion detection, this paper devises an improved variation - IRFA and presents an IRFA based model for intrusion detection in information exchanged through network connections. The feasibility in balanced detection and the effectiveness of this approach are verified by experiments based on DARPA data sets.

Panigrahi, Ranjit,Garg, Amik,Bhoi, Akash Kumar

DOI: https://doi.org/10.1007/s44196-023-00205-w

IF: 2.259

2023-03-13

International Journal of Computational Intelligence Systems

Abstract:Intrusion detection ( ID ) methods are security frameworks designed to safeguard network information systems. The strength of an intrusion detection method is dependent on the robustness of the feature selection method. This study developed a multi-level random forest algorithm for intrusion detection using a fuzzy inference system. The strengths of the filter and wrapper approaches are combined in this work to create a more advanced multi-level feature selection technique, which strengthens network security. The first stage of the multi-level feature selection is the filter method using a correlation-based feature selection to select essential features based on the multi-collinearity in the data. The correlation-based feature selection used a genetic search method to choose the best features from the feature set. The genetic search algorithm assesses the merits of each attribute, which then delivers the characteristics with the highest fitness values for selection. A rule assessment has also been used to determine whether two feature subsets have the same fitness value, which ultimately returns the feature subset with the fewest features. The second stage is a wrapper method based on the sequential forward selection method to further select top features based on the accuracy of the baseline classifier. The selected top features serve as input into the random forest algorithm for detecting intrusions. Finally, fuzzy logic was used to classify intrusions as either normal, low, medium, or high to reduce misclassification. When the developed intrusion method was compared to other existing models using the same dataset, the results revealed a higher accuracy, precision, sensitivity, specificity, and F1-score of 99.46%, 99.46%, 99.46%, 93.86%, and 99.46%, respectively. The classification of attacks using the fuzzy inference system also indicates that the developed method can correctly classify attacks with reduced misclassification. The use of a multi-level feature selection method to leverage the advantages of filter and wrapper feature selection methods and fuzzy logic for intrusion classification makes this study unique.

computer science, artificial intelligence, interdisciplinary applications

Ding Chen,Qiseng Yan,Chunwang Wu,Jun Zhao

DOI: https://doi.org/10.1088/1742-6596/1757/1/012055

2021-01-01

Journal of Physics: Conference Series

Abstract:Abstract Web application brings us convenience but also has some potential security problems. SQL injection attacks topped the list of Top 10 Network Security Problems released by OWASP, and the detection technology of SQL injection attacks has been one of the hotspots of network security research. In this paper, we propose a SQL injection detection method that does not rely on background rule base by using a natural language processing model and deep learning framework on the basis of comprehensive domestic and international research. The method can improve the accuracy and reduce the false alarm rate while allowing the machine to automatically learn the language model features of SQL injection attacks, greatly reducing human intervention and providing some defense against 0day attacks that never occur.

Hao Zhang,Shumin Dai,Yongdan Li,Wenjun Zhang

DOI: https://doi.org/10.1109/pccc.2018.8711068

2018-01-01

Abstract:With the rapid increase in Internet services, network traffic data has become very large and complex, increasing the possibility of intrusions. The traditional intrusion detection system (IDS) cannot detect intrusion behaviors among such high-speed traffic data. A real-time network IDS should be able to process large amounts of network traffic data as quickly as possible to detect malicious traffic as early as possible. Therefore, in this paper, we propose a network intrusion detection framework based on a distributed random forest capable of handling high-speed traffic data. This framework consists of three parts: a data capturing part based on NetFlow, a preprocessing data part and a classification-based intrusion detection part. In this paper, we apply the random forest classification algorithm and adapt it to the Apache Spark distributed processing system to realize real-time detection. To verify the effectiveness of the framework, we implement the system and perform several comparison experiments. The results show that the system has satisfactory efficiency and accuracy compared to existing systems and thus is very suitable for the real-time detection of network intrusion, with a large capacity and high speed.

An, Lei

DOI: https://doi.org/10.1007/s10586-024-04487-3

2024-05-12

Cluster Computing

Abstract:The commonly used method for network intrusion is based on pattern matching systems, but these systems do not have high detection accuracy when facing large-scale high-speed network traffic environments. In addition, when facing a wide variety of network attacks, relying solely on a certain network security technology is difficult to ensure network security. Therefore, a distributed network intrusion prevention system based on the Spark framework and dynamic information security theory model was innovatively proposed to improve the detection efficiency of network intrusion and solve these issues. The architecture and functional structure of the network intrusion prevention system were constructed by improving the random forest algorithm and Spark. In addition, the dynamic network intrusion prevention system was designed on the basis of the Policy Protection Detection Response (P2DR) model and the Protection Detection Reaction Recovery (PDRR) model to cope with the diverse network attacks and make up for the lack of dynamic defense based on improved forest algorithm and Spark. The test results showed that the network intrusion prevention system based on the improved random forest algorithm and Spark had a maximum detection time of 13,593 ms, a minimum detection time of 13,318 ms, and an average detection time of 13,468 ms when the data were 6000 pieces. The average success rate of the dynamic network intrusion prevention system based on the dynamic information security theory model was 87.72%, the average detection rate was 71.68%, and the average false alarm rate was 17.23%. The F1 values corresponding to the improved random forest algorithm under 7 different attack types of data were 0.985, 0.983, 0.876, 0.843, 0.797, 0.983, and 0.890, respectively, which were significantly better than the comparison algorithm. It can be seen that the dynamic network intrusion prevention system based on the improved random forest algorithm, Spark, and the dynamic information security theoretical model, has good performance and can effectively detect network intrusions, providing technical support for solving network intrusion problems in reality. The contribution of the research is reflected in the improvement of the detection performance of network intrusion detection systems and the reduction of detection time and false alarm rates.

computer science, information systems, theory & methods

Jiang Shan,Chen Changai

DOI: https://doi.org/10.2991/isrme-15.2015.109

2015-01-01

Abstract:The security of software applications, from web-based applications to mobile services, is always at risk because of the open society of internet. With the increase in the number of network throughput and security threats, intrusion detection system has attracted much attention in recent years. In this paper, we undertake the research on the principle techniques for network intrusion detection based on data mining and analysis approach. We adopt the prior knowledge on Bayesian network which is a directed acyclic graph, each node represents a random variable and an edge said direct probabilistic dependencies between two connected nodes. Then, we use the traditional risk assessment model to measure the possibility of being hearted. The numeric analysis and experimental illustration indicates the effectiveness of our method compared with other popular adopted state-of-the-art methodologies. In the future, we plan to introduce the graph and complex network theory into our prototype system to enhance the performance.