network attack
Recently Published Documents


Total documents: 462 (five years: 180)

H-index: 16 (five years: 4)

2022 ◽  
Vol 2 (14) ◽  
pp. 45-54
Author(s):  
Nguyen Huy Trung ◽  
Le Hai Viet ◽  
Tran Duc Thang

Abstract—Nowadays, many signature-based intrusion detection systems have been deployed and are widely used. These systems are capable of detecting known attacks with low false alarm rates, fast detection times, and low system resource requirements. However, these systems are less effective against new attacks that are not included in the ruleset. In addition, recent studies provide a new approach to the problem of detecting unknown types of network attacks based on machine learning and deep learning. However, this new approach requires a lot of resources and processing time and has a high false alarm rate. Therefore, it is necessary to find a solution that combines the advantages of the two approaches above in the problem of detecting network attacks. In this paper, the authors present a method to automatically generate network attack detection rules for the IDS system based on the results of training machine learning models. Through testing, the author proves that the system that automatically generates network attack detection rules for IDS based on machine learning meets the requirements of increasing the ability to detect new types of attacks, ensuring automatic effective updates of new signs of network attacks.
Summary (translated from Vietnamese)—Nowadays, many signature-based intrusion detection systems have been deployed and are widely used. These systems are capable of detecting known attacks with low false alarm rates, fast detection times, and low system resource requirements. However, these systems are less effective against new attacks that are not in the ruleset. Recent studies provide a new approach to the problem of detecting new types of network attacks based on machine learning and deep learning. However, this approach requires a lot of resources and processing time. Therefore, it is necessary to find a solution that combines the advantages of the two approaches above in the problem of detecting network attacks. In this paper, the authors present a method to automatically generate network attack detection rules for intrusion detection systems based on the results of training machine learning models. Through testing, the author proves that this method meets the requirement of increasing the ability to accurately detect new types of attacks, ensuring that new network attack signs are automatically and effectively updated into the ruleset.


2022 ◽  
Vol 9 (6) ◽  
Author(s):  
Dhamyaa Salim Mutar

The need for security means has arisen from the fact of data privacy, especially after the communication revolution in recent times. The advancement of data mining and machine learning technology has paved the road for establishing an efficient attack prediction paradigm for protecting large-scale networks. In this project, computer network intrusions were eliminated by using a smart machine learning algorithm. Referring to a big dataset named the KDD computer intrusion dataset, which includes a large number of connections diagnosed with several types of attacks, the model is established for predicting the type of attack by learning from this data. The feed-forward neural network model outperformed the other proposed clustering models in attack prediction accuracy.


2022 ◽  
Vol 9 ◽  
Author(s):  
Yanli Zou ◽  
Haoqian Li

Based on the community discovery method in complex network theory, a power grid partition method considering generator nodes and network weightings is proposed. Firstly, the weighted network model of a power system is established, an improved Fast-Newman hierarchical algorithm and a weighted modular Q function index are introduced, and the partitioning algorithm process is practically improved combined with the characteristics of the actual power grid. Then, the partition results of several IEEE test systems with the improved algorithm and with the Fast-Newman algorithm are compared to demonstrate its effectiveness and correctness. Subsequently, on the basis of subnet partition, two kinds of network attack strategies are proposed. One is attacking the maximum degree node of each subnet, and the other is attacking the maximum betweenness node of each subnet. Meanwhile, considering the two traditional intentional attack strategies, that is, attacking the maximum degree nodes or attacking the maximum betweenness nodes of the whole network, the cascading fault survivability of different types of networks under four attack strategies is simulated and analyzed. It was found that the proposed two attack strategies based on subnet partition are better than the two traditional intentional attack strategies.


2021 ◽  
Vol 2021 ◽  
pp. 1-13
Author(s):  
Zenan Wu ◽  
Liqin Tian ◽  
Yan Wang ◽  
Jianfei Xie ◽  
Yuquan Du ◽  
...  

Most existing network attack and defense stochastic game models are based on the assumption of complete information, which causes the problem of poor applicability of the model. Based on the actual modeling requirements of the network attack and defense process, a network defense decision-making model combining incomplete information stochastic game and deep reinforcement learning is proposed. This model regards the incomplete information of the attacker and the defender as the defender’s uncertainty about the attacker’s type and uses the Double Deep Q-Network algorithm to solve the problem of the difficulty of determining the network state transition probability, so that the network system can dynamically adjust the defense strategy. Finally, a simulation experiment was performed on the proposed model. The results show that, under the same experimental conditions, the proposed method in this paper has a better convergence speed than other methods in solving the defense equilibrium strategy. This model is a fusion of traditional methods and artificial intelligence technology and provides new research ideas for the application of artificial intelligence in the field of cyberspace security.


Sensors ◽  
2021 ◽  
Vol 21 (24) ◽  
pp. 8289
Author(s):  
Shilan S. Hameed ◽  
Ali Selamat ◽  
Liza Abdul Latiff ◽  
Shukor A. Razak ◽  
Ondrej Krejcar ◽  
...  

Cyber-attack detection via on-gadget embedded models and cloud systems is widely used for the Internet of Medical Things (IoMT). The former has a limited computation ability, whereas the latter has a long detection time. Fog-based attack detection is alternatively used to overcome these problems. However, the current fog-based systems cannot handle the ever-increasing IoMT’s big data. Moreover, they are not lightweight and are designed for network attack detection only. In this work, a hybrid (for host and network) lightweight system is proposed for early attack detection in the IoMT fog. In an adaptive online setting, six different incremental classifiers were implemented, namely a novel Weighted Hoeffding Tree Ensemble (WHTE), Incremental K-Nearest Neighbors (IKNN), Incremental Naïve Bayes (INB), Hoeffding Tree Majority Class (HTMC), Hoeffding Tree Naïve Bayes (HTNB), and Hoeffding Tree Naïve Bayes Adaptive (HTNBA). The system was benchmarked with seven heterogeneous sensors and NetFlow data infected with nine types of recent attack. The results showed that the proposed system worked well on the lightweight fog devices with ~100% accuracy, a low detection time, and a low memory usage of less than 6 MiB. The single-criteria comparative analysis showed that the WHTE ensemble was more accurate and was less sensitive to the concept drift.


2021 ◽  
Author(s):  
Xiaoning Zhang ◽  
Hengwei Zhang ◽  
Chenwei Li ◽  
Pengyu Sun ◽  
Zhilin Liu ◽  
...  

2021 ◽  
Vol 9 (1) ◽  
pp. 29-40
Author(s):  
Sharon Chan Suet Yan ◽  
Alice Tang Su Wei ◽  
Jie Hui Bong ◽  
Quor Ling Teh ◽  
Shanmugapiriya Sivalingam ◽  
...  

The Robust and Energy Efficient Authentication Protocol works for Industrial Internet of Things. The Internet of Things (IoT) is an arising innovation and expected to give answers for different modern fields. The IoT enable connection of physical devices all around the world to the internet by collecting and sharing critical and real-time data among each other. The increment of devices increases the computational cost during data transmission between devices and towards the internet. In this paper we proposed a solution that is a multi-factor authentication protocol to enhance the protocol proposed by Li et al. For Industrial IoT by adding One Time Password (OTP) after the biometric information of the user is checked by the Gateway Node (GWN) to be able to tackle additional network attack aside from those that are overcome by Li et al. scheme. Our contribution for this project is, we proposed the solution that a multi-factor authentication protocol to enhance the protocol proposed. For Industrial IoT by adding One Time Password (OTP) after the biometric information of the user is checked by the Gateway Node (GWN) to be able to tackle additional network attack aside from those that are overcome. The idea of adding OTP is inspired by where they scheme correlates to biometric of user as well. Our proposal is lower cost than the three protocols regarding authentication overhead and computational cost perspectives. Challenges and future directions of this paper examined the security shortcomings of a client confirmation convention for WSN, which is as proposed by Chang and Le. To address the normal security shortcomings of past protocols, we proposed a strong and energy effective three-factor authentication protocol for WSN.


Mathematics ◽  
2021 ◽  
Vol 9 (23) ◽  
pp. 3014
Author(s):  
Pengxi Yang ◽  
Fei Gao ◽  
Hua Zhang

We formalize the adversarial process between defender and attackers as a game and study the non-cooperative evolutionary game mechanism under bounded rationality. We analyze the long-term dynamic process between the attacking and defending parties using the evolutionary stable strategies derived from the evolutionary game model. First, we construct a multi-player evolutionary game model consisting of a defender and multiple attackers, formally describe the strategies, and construct a three-player game payoff matrix. Then, we propose two punishment schemes, i.e., static and dynamic ones. Moreover, through the combination of mathematical derivation with simulation, we obtain the evolutionary stable strategies of each player. Different from previous work, in this paper, we consider the influence of strategies among different attackers. The simulation shows that (1) in the static punishment scheme, increasing the penalty can quickly control the occurrence of network attacks in the short term; (2) in the dynamic punishment scheme, the game can be stabilized effectively, and the stable state and equilibrium values are not affected by the change of the initial values.


2021 ◽  
pp. 1-12
Author(s):  
Yuanyuan Li ◽  
Jidong Sha ◽  
Rongna Geng

In order to overcome the problems of poor data classification accuracy and effectiveness of traditional data monitoring methods, this paper designs a data security monitoring method based on narrow-band Internet of things. Firstly, the model of network data acquisition and sensor node’s optimal configuration is established to collect intranet data. Based on the analysis of data characteristics, dynamic intranet data analysis indexes are designed from three aspects: establishing security incident quantity index, establishing address entropy index and data diversion. According to the above-mentioned narrow-band data aggregation rate, the security index of the Internet of things is calculated to realize the security of monitoring data. The experimental results show that: whether the network attack exists or not, the accuracy rate of the method is always higher than 90%, the classification time is less than 4 s, and the energy consumption of monitoring process is always less than 150 J, which fully proves that the method achieves the design expectation.


Author(s):  
Nahla Aljojo

This paper examined the impact of a network attack on a congested transmission session. The research is motivated by the fact that the previous research community has neglected to evaluate security issues related to network congestion environments, and has instead concentrated on resolving congestion issues only. At any point in time, attackers can take advantage of the congestion problem, exploit the attack surface, and inject attack vectors. In order to circumvent this issue, a machine learning algorithm is trained to correlate attack vectors from the attack surface in a network congestion signals environment with the value of decisions over time in order to maximise expected attack vectors from the attack surface. An experimental scenario that dwells on the transmission rate overwhelming the transmission session, resulting in a standing queue, was used. The experiment produced a dataset in which TCP transmissions through bursting transmission were captured. The data was acquired using a variety of experimental scenarios. Naïve Bayes and K-Nearest Neighbours prediction analyses demonstrate strong prediction performance. As a result, this study re-establishes the association between attack surface and vectors with network attack prediction.

