network attacks
Recently Published Documents


Total documents: 464 (five years: 212)

H-index: 17 (five years: 4)

2022 ◽  
Vol 2 (14) ◽  
pp. 45-54
Author(s):  
Nguyen Huy Trung ◽  
Le Hai Viet ◽  
Tran Duc Thang

Abstract—Nowadays, there have been many signature-based intrusion detection systems deployed and widely used. These systems are capable of detecting known attacks with low false alarm rates, fast detection times, and little system resource requirements. However, these systems are less effective against new attacks that are not included in the ruleset. In addition, recent studies provide a new approach to the problem of detecting unknown types of network attacks based on machine learning and deep learning. However, this new approach requires a lot of resources, processing time and has a high false alarm rate. Therefore, it is necessary to find a solution that combines the advantages of the two approaches above in the problem of detecting network attacks. In this paper, the authors present a method to automatically generate network attack detection rules for the IDS system based on the results of training machine learning models. Through testing, the author proves that the system that automatically generates network attack detection rules for IDS based on machine learning meets the requirements of increasing the ability to detect new types of attacks, ensuring automatic effective updates of new signs of network attacks.

Summary—Today, many signature-based intrusion detection systems have been deployed and are widely used. These systems can detect known attacks with a low false alarm rate, fast detection time, and low system resource requirements. However, these systems are less effective against new attacks that are not in the ruleset. Recent studies offer a new approach to the problem of detecting new types of network attacks based on machine learning and deep learning. However, this approach requires a lot of resources and processing time. Therefore, a solution is needed that combines the advantages of the two approaches above for the problem of detecting network attacks.
In this paper, the authors present a method for automatically generating network attack detection rules for intrusion detection systems based on the results of training machine learning models. Through experiments, the authors demonstrate that this method meets the requirement of increasing the ability to accurately detect new types of attacks and ensures that new network attack indicators are automatically and effectively updated into the ruleset.


Author(s):  
Vanya Ivanova

In this paper a new neural model for detection of multiple network IoT-based attacks, such as DDoS TCP, UDP, and HTTP flood, is presented. It consists of feedforward multilayer network with back propagation. A general algorithm for its optimization during training is proposed, leading to proper number of neurons in the hidden layers. The Scaled Gradient Descent algorithm and the Adam optimization are studied with better classification results, obtained by the developed classifiers, using the latter. Tangent hyperbolic function appears to be proper selection for the hidden neurons. Two sets of features, gathered from aggregated records of the network traffic, are tested, containing 8 and 10 components. While more accurate results are obtained for the 10-feature set, the 8-feature set offers twice lower training time and seems applicable for real-world applications. The detection rate for 7 of 10 different network attacks, primarily various types of floods, is higher than 90% and for 3 of them – mainly reconnaissance and keylogging activities with low intensity of the generated traffic, deviates between 57% and 68%. The classifier is considered applicable for industrial implementation.


2022 ◽  
Author(s):  
Tran Namm Khanh ◽  
Ta Minh Thanh

Abstract The rapid development of the digital age has been pushing people to access a mobile working environment when handsets are becoming more diverse and convenient with the help of Virtualization Technology. The speed and usability of Virtualization Technology are astounding for saving initial investment costs and optimizing IT infrastructure. Such Virtualization Technology is what businesses are interested in and makes the virtual server market grow strongly, especially for businesses that have many branches. However, virtual systems (hypervisors) are more vulnerable than traditional servers due to many network attacks from curious users. Therefore, it's necessary to prepare for the worst circumstances, understand clearly, and research new threats that can break down the virtual system. In this paper, we attempt to demonstrate the TCP ACK storm based DoS (Denial of Service) attack on virtual and Docker networks to show the threats that can easily happen on services deployed on virtual networks. Based on such consequence, we propose some solutions to prevent our virtual system from potential risks.


2022 ◽  
pp. 27-50
Author(s):  
Shilpi Hiteshkumar Parikh ◽  
Anushka Gaurang Sandesara ◽  
Chintan Bhatt

Network attacks are continuously surging, and attackers keep on changing their ways in penetrating a system. A network intrusion detection system is created to monitor traffic in the network and to warn regarding the breach in security by invading foreign entities in the network. Specific experiments have been performed on the NSL-KDD dataset instead of the KDD dataset because it does not have redundant data so the output produced from classifiers will not be biased. The main types of attacks are divided into four categories: denial of service (DoS), probe attack, user to root attack (U2R), remote to local attack (R2L). Overall, this chapter proposes an intense study on linear and ensemble models such as logistic regression, stochastic gradient descent (SGD), naïve bayes, light GBM (LGBM), and XGBoost. Lastly, a stacked model is developed that is trained on the above-mentioned classifiers, and it is applied to detect intrusion in networks. From the plethora of approaches taken into consideration, the authors have found maximum accuracy (98.6%) from stacked model and XGBoost.


Author(s):  
Subiksha. V

Abstract: Due to characteristics like limited resources and dynamic topology, wireless sensor networks (WSNs) are facing two major problems: security and energy consumption. To deal with various improper behaviors of nodes, trust-based solutions are possible, but there still exist a variety of attacks, high energy consumption, and communication congestion between nodes. Therefore, this paper proposes an advanced and efficient trust-based secure and energy-efficient routing protocol (TBSEER) to solve these network problems and to avoid malicious nodes. Efficient Adaptable Ant Colony Optimization Algorithm (EAACO) calculates the comprehensive trust value through adaptive direct trust value, indirect trust value, and energy trust value, which can be resistant to internal network attacks such as sinkhole, black hole, selective forwarding, and hello flood attacks. In addition, to quickly identify the malicious nodes in the WSN, the adaptive penalty mechanism and volatilization factor are used. Moreover, the nodes only need to calculate the direct trust value, and the indirect trust value is obtained by the sink, so as to further reduce the energy consumption caused by iterative calculations. To actively avoid network attacks, the cluster heads find the safest multi-hop routes based on the comprehensive trust value. The simulation results show that the proposed EAACO reduces network energy consumption, speeds up the identification of malicious nodes, as well as resists all common attacks. Keywords: Comprehensive trust value, direct trust value, indirect value, EAACO, network attacks, wireless sensor networks


Author(s):  
Avinash R. Sonule

Abstract: Cyber-attacks have become the most important security problems in today’s world. With the increase in use of computing resources connected to the Internet like computers, mobiles, sensors, IoTs in networks, Big Data, Web Applications/Server, Clouds and other computing resources, hackers and malicious users are planning new ways of network intrusions. Many techniques have been developed to detect these intrusions which are based on data mining and machine learning methods. These intrusion detection techniques have been applied on various IDS datasets. UNSW-NB15 is the latest dataset. This data set contains different modern attack types and wide varieties of real normal activities. In this paper, we compare the Naïve Bayes algorithm with proposed probability based supervised machine learning algorithms using reduced UNSW NB15 dataset. Keywords: UNSW NB-15, Machine Learning, Naïve Bayes, All to Single (AS) features probability Algorithm


Electronics ◽  
2021 ◽  
Vol 11 (1) ◽  
pp. 110
Author(s):  
Lei Chen ◽  
Mengyao Zheng ◽  
Zhaohua Liu ◽  
Mingyang Lv ◽  
Lv Zhao ◽  
...  

With a deep connection to the internet, the controller area network (CAN) bus of intelligent connected vehicles (ICVs) has suffered many network attacks. A deep situation awareness method is urgently needed to judge whether network attacks will occur in the future. However, traditional shallow methods cannot extract deep features from CAN data with noise to accurately detect attacks. To solve these problems, we developed a SDAE+Bi-LSTM based situation awareness algorithm for the CAN bus of ICVs, simply called SDBL. Firstly, the stacked denoising auto-encoder (SDAE) model was used to compress the CAN data with noise and extract the deep spatial features at a certain time, to reduce the impact of noise. Secondly, a bidirectional long short-term memory (Bi-LSTM) model was further built to capture the periodic features from two directions to enhance the accuracy of the future situation prediction. Finally, a threat assessment model was constructed to evaluate the risk level of the CAN bus. Extensive experiments also verified the improved performance of our SDBL algorithm.


Author(s):  
H. El Fadili ◽  
T. Mazri

Abstract. The Internet of Things (IoT) has frequently been used by people as a way to facilitate their connection to all types of devices. Thanks to this technology, the healthcare field can also benefit from a perfect interaction, taking advantage of better diagnostics and treatment that facilitate life for both patients and doctors. Unfortunately, and similarly to other domains based on technology, smart healthcare also uses IT programs and wireless networks to exchange and analyse data, which makes it highly exposed to malicious actions. Moreover, if a good security level is not provided in order to save patients’ information once hackers get access to the mentioned data, patients might be affected or even lose their lives. This paper presents an overview of the security issues in smart healthcare fields and gives a state of the art of some well-known network attacks in the field of smart healthcare. We also propose an impact evaluation of those attacks by adopting four scales of evaluation ‘Minor’, ‘Significant’, ‘Serious’ and ‘Critical’ proposed by EBIOS Gravity assessment. The proposed evaluation is classified based on three criteria: sensor’s nature, application field and intervention time.


Author(s):  
Tatiana Tatarnikova ◽  
Pavel Bogdanov

Introduction: The growing amount of digital data generated, among others, by smart devices of the Internet of Things makes it important to study the application of machine learning methods to the detection of network traffic anomalies, namely the presence of network attacks. Purpose: To propose a unified approach to detecting attacks at different levels of IoT network architecture, based on machine learning methods. Results: It was shown that at the wireless sensor network level, attack detection is associated with the detection of anomalous behavior of IoT devices, when the deviation of an IoT device behavior from its profile exceeds a predetermined level. Smart IoT devices are profiled on the basis of statistical characteristics, such as the intensity and duration of packet transmission, the proportion of retransmitted packets, etc. At the level of a local or global wired IoT network, data is aggregated and then analyzed using machine learning methods. Trained classifiers can become a part of a network attack detection system, making decisions about compromising a node on the fly. Models of classifiers of network attacks were experimentally selected both at the level of a wireless sensor network and at the level of a local or global wired network. The best results in terms of completeness and accuracy estimates are demonstrated by the random forest method for a wired local and/or global network and by all the considered methods for a wireless sensor network. Practical relevance: The proposed models of classifiers can be used for developing intrusion detection systems in IoT networks.

