Web Attack Detection through Network-Traffic-Based Feature Engineering and Machine Learning

Author(s): Jian Yang, Hao Wang, Yueming Lu
2020, Vol 39 (3), pp. 4785-4801

Author(s): Cho Do Xuan, Mai Hoang Dao, Hoa Dinh Nguyen

Advanced Persistent Threat (APT) attacks are a form of malicious, intentionally and clearly targeted attack. This attack technique is growing in both the number of recorded attacks and the extent of its dangers to organizations, businesses and governments. Therefore, the task of detecting and warning of APT attacks in real systems is very necessary today. One of the most effective approaches to APT attack detection is to apply machine learning or deep learning to analyze network traffic. There have been a number of studies and recommendations to analyze network traffic into network flows and then combine them with some classification or clustering methods to look for signs of APT attacks. In particular, recent studies often apply machine learning algorithms to spot the presence of APT attacks based on network flow. In this paper, a new method based on deep learning to detect APT attacks using network flow is proposed. Accordingly, in our research, network traffic is analyzed into IP-based network flows, then the IP information is reconstructed from the flows, and finally deep learning models are used to extract features for distinguishing APT attack IPs from other IPs. Additionally, a combined deep learning model using Bidirectional Long Short-Term Memory (BiLSTM) and Graph Convolutional Networks (GCN) is introduced. The new detection model is evaluated and compared with some traditional machine learning models, i.e. Multi-layer Perceptron (MLP) and single GCN models, in the experiments. Experimental results show that the BiLSTM-GCN model has the best performance in all evaluation scores. This not only shows that applying deep learning to network flow analysis to detect APT attacks is a good decision but also suggests a new direction for network intrusion detection techniques based on deep learning.


2021, Vol 11 (3), pp. 7273-7278
Author(s): M. Anwer, M. U. Farooq, S. M. Khan, W. Waseemullah

Many researchers have examined the risks imposed by Internet of Things (IoT) devices on big companies and smart towns. Due to the high adoption of IoT, their character, inherent mobility, and standardization limitations, smart mechanisms capable of automatically detecting suspicious movement on IoT devices connected to local networks are needed. With the increase of IoT devices connected through the internet, the capacity of web traffic has increased. Due to this change, attack detection through common methods and old data processing techniques is now obsolete. Detection of attacks in IoT and detecting malicious traffic in the early stages is a very challenging problem due to the increase in the size of network traffic. In this paper, a framework is recommended for the detection of malicious network traffic. The framework uses three popular classification-based malicious network traffic detection methods, namely Support Vector Machine (SVM), Gradient Boosted Decision Trees (GBDT), and Random Forest (RF), with the RF supervised machine learning algorithm achieving far better accuracy (85.34%). The NSL-KDD dataset was used in the recommended framework and the performances in terms of training time, prediction time, specificity, and accuracy were compared.


2019, Vol 2019, pp. 1-15
Author(s): Francisco Sales de Lima Filho, Frederico A. F. Silveira, Agostinho de Medeiros Brito Junior, Genoveva Vargas-Solar, Luiz F. Silveira

Users and Internet service providers (ISPs) are constantly affected by denial-of-service (DoS) attacks. This cyber threat continues to grow even with the development of new protection technologies. Developing mechanisms to detect this threat is a current challenge in network security. This article presents a machine learning (ML)-based DoS detection system. The proposed approach makes inferences based on signatures previously extracted from samples of network traffic. The experiments were performed using four modern benchmark datasets. The results show an online detection rate (DR) of attacks above 96%, with high precision (PREC) and low false alarm rate (FAR) using a sampling rate (SR) of 20% of network traffic.


2021, pp. 1-19
Author(s): Cho Do Xuan, Dung Kim Nguyen, Duc Tran Duong

Advanced Persistent Threat (APT) is a dangerous network attack method that is widely used by attackers nowadays. During the APT attack process, attackers often use advanced techniques and tools, thus causing many difficulties for information security systems. In fact, to detect APT attacks, intrusion detection systems cannot rely on one technique or method but often combine multiple techniques and methods. In addition, the approach to APT attack detection using behavior analysis and evaluation techniques is facing many difficulties due to the lack of characteristic data of attack campaigns. For the above reasons, in this paper, we propose a method for APT attack detection based on a multi-layer analysis. The multi-layer analysis technique in our proposal computes and analyzes various events in network traffic to detect and synthesize abnormal signs and behaviors in order to make conclusions about the existence of APT in the system. Specifically, in our proposal, we will use 3 main layers in series for the APT attack detection process, including: i) detecting APT attacks based on analyzing abnormal connections; ii) detecting APT attacks based on analyzing and evaluating Suricata logs; iii) detecting APT attacks based on analyzing behavior profiles that are compiled from layers (i) and (ii). To achieve these goals, the multi-layer analysis technique for APT attack detection will perform 2 main tasks: i) analyzing and evaluating components of network traffic based on abnormal signs and behaviors; ii) building and classifying behavior profiles based on each component of network traffic. In the experimental section, we will compare and evaluate the effectiveness of the APT attack detection process of each layer in the multi-layer analysis model using machine learning. Experimental results have shown that the APT attack detection method based on analyzing behavior profiles has yielded better results than the individual detection methods on all metrics. The research results shown in the paper not only demonstrate the effectiveness of the multi-layer analysis model for APT attack detection but also provide a novel approach for detecting several other cyber-attack techniques.


2021, Vol 15 (3), pp. 1-18
Author(s): Hongsong Chen, Caixia Meng, Jingjiu Chen

Aiming at the problem of DDoS attack detection in the internet of things (IoT) environment, statistical and machine-learning algorithms are proposed to model and analyze the network traffic of DDoS attacks. A Docker-based virtualization platform is designed and configured to collect IoT network traffic data. Then packet-level, flow-level, and second-level network traffic datasets are generated, and the importance of features in the different traffic datasets is ranked. Using the SKlearn and TensorFlow machine-learning software frameworks, different machine learning algorithms are researched and compared. In packet-level DDoS attack detection, the KNN algorithm achieves the best results; the accuracy is 92.8%. In flow-level DDoS attack detection, the voting algorithm achieves the best results; the accuracy is 99.8%. In second-level DDoS attack detection, the RNN algorithm achieves the best results; the accuracy is 97.1%. The DDoS attack detection method combining statistical analysis and machine learning can effectively detect large-scale DDoS attacks in the internet of things simulation experimental environment.


2018, Vol 21, pp. 00027
Author(s): Alicja Gerka

The main problem associated with the development of an effective network behaviour anomaly detection-based IDS model is the selection of the optimal network traffic classification method. This article presents the results of simulation research on the effectiveness of the use of machine learning algorithms in network attack detection. The research part of the work concerned finding the optimal method of network packet classification that could be implemented in the intrusion detection system's attack detection module. During the research, the performance of three machine learning algorithms (Artificial Neural Network, Support Vector Machine and Naïve Bayes Classifier) was compared using a dataset from the KDD Cup competition. Attention was also paid to the relationship between the values of algorithm parameters and their effectiveness. The work also contains a short analysis of the state of cybersecurity in Poland.


Author(s): Cho Do Xuan

Advanced Persistent Threat (APT) attacks are a form of malicious, intentionally and clearly targeted attack that uses many sophisticated and complicated methods and technologies to attack targets in order to obtain confidential and sensitive information. In fact, in order to detect APT attacks, detection systems often need to apply many parallel and serial techniques in order to make the most of the advantages as well as minimize the disadvantages of each technique. Therefore, in this paper, we propose a method of detecting APT attacks based on abnormal behaviors in network traffic using machine learning. Accordingly, in our research, the abnormal behavior of APT attacks in network traffic will be defined on both components: Domain and IP. Then, these behaviors are evaluated and classified based on the Random Forest classification algorithm to conclude about the behavior of APT attacks. Details of the definition of abnormal behaviors of the Domain and IP will be presented in section 3.2 of the paper. The synchronous APT attack detection method proposed in this paper is a novel approach, which will help information security systems quickly and accurately detect signs of an APT attack campaign in the organization. The experimental results presented in section 4 will demonstrate the effectiveness of our proposed method.
