A taxonomy of network threats and the effect of current datasets on intrusion detection systems

As the world moves towards being increasingly dependent on computers and automation, building secure applications, systems and networks are some of the main challenges faced in the current decade. The number of threats that individuals and businesses face is rising exponentially due to the increasing complexity of networks and services of modern networks. To alleviate the impact of these threats, researchers have proposed numerous solutions for anomaly detection; however, current tools often fail to adapt to ever-changing architectures, associated threats and zero-day attacks. This manuscript aims to pinpoint research gaps and shortcomings of current datasets, their impact on building Network Intrusion Detection Systems (NIDS) and the growing number of sophisticated threats. To this end, this manuscript provides researchers with two key pieces of information; a survey of prominent datasets, analyzing their use and impact on the development of the past decade’s Intrusion Detection Systems (IDS) and a taxonomy of network threats and associated tools to carry out these attacks. The manuscript highlights that current IDS research covers only 33.3% of our threat taxonomy. Current datasets demonstrate a clear lack of real-network threats, attack representation and include a large number of deprecated threats, which together limit the detection accuracy of current machine learning IDS approaches. The unique combination of the taxonomy and the analysis of the datasets provided in this manuscript aims to improve the creation of datasets and the collection of real-world data. As a result, this will improve the efficiency of the next generation IDS and reflect network threats more accurately within new datasets

A taxonomy of network threats and the effect of current datasets on intrusion detection systems

As the world moves towards being increasingly dependent on computers and automation, building secure applications, systems and networks are some of the main challenges faced in the current decade. The number of threats that individuals and businesses face is rising exponentially due to the increasing complexity of networks and services of modern networks. To alleviate the impact of these threats, researchers have proposed numerous solutions for anomaly detection; however, current tools often fail to adapt to ever-changing architectures, associated threats and zero-day attacks. This manuscript aims to pinpoint research gaps and shortcomings of current datasets, their impact on building Network Intrusion Detection Systems (NIDS) and the growing number of sophisticated threats. To this end, this manuscript provides researchers with two key pieces of information; a survey of prominent datasets, analyzing their use and impact on the development of the past decade's Intrusion Detection Systems (IDS) and a taxonomy of network threats and associated tools to carry out these attacks. The manuscript highlights that current IDS research covers only 33.3% of our threat taxonomy. Current datasets demonstrate a clear lack of real-network threats, attack representation and include a large number of deprecated threats, which together limit the detection accuracy of current machine learning IDS approaches. The unique combination of the taxonomy and the analysis of the datasets provided in this manuscript aims to improve the creation of datasets and the collection of real-world data. As a result, this will improve the efficiency of the next generation IDS and reflect network threats more accurately within new datasets

An Efficient Fuzzy Based Multi Level Clustering Model Using Artificial Bee Colony For Intrusion Detection

Network security is becoming increasingly important as computer technology advances. One of the most important components in maintaining a secure network is an Intrusion Detection System (IDS). An IDS is a collection of tools used to detect and report network anomalies. Threats to computer networks are increasing at an alarming rate. As a result, it is critical to create and maintain a safe computing environment. For network security, researchers employ a range of technologies, including anomaly-based intrusion detection systems (AIDS). These anomaly-based detections face a major challenge in the classification of data. Optimization algorithms that mimic the foraging behavior of bees in nature, such as the artificial bee colony algorithm, is a highly successful tool. A computer network's intrusion detection system (IDS) is an essential tool for keeping tabs on the activities taking place in the network. Artificial Bee Colony (ABC) algorithm is used in this research for effective intrusion detection. More and more intrusion detection systems are needed to keep up with the increasing number of attacks and the increase in Internet bandwidth. Detecting developing threats with high accuracy at line rates is the prerequisite for a good intrusion detection system. As traffic grows, current systems will be overwhelmed by the sheer volume of false positives and negatives they generate. In order to detect intrusions based on anomalies, this research employs an Efficient Fuzzy based Multi Level Clustering Model using Artificial Bee Colony (EFMLC-ABC). A semi-supervised intrusion detection method based on an artificial bee colony algorithm is proposed in this paper to optimize cluster centers and identify the best clustering options. In order to assess the effectiveness of the proposed method, various subsets of the KDD Cup 99 database were subjected to experimental testing. Analyses have shown that the proposed algorithm is suitable and efficient for intrusion detection system

دراسة استقصائية لمجموعات البيانات المستخدمة حاليا ضمن أنظمة كشف الاقتحام المستندة الى تقنيات تعلم الآلة

تتسبب الهجمات الإلكترونية في العصر الرقمي الراهن في فقدان البيانات الحساسة وخسارة مالية فادحة للمؤسسات والدول. لذلك، فإن دور خبير الأمن السيبراني مهم جدًا لحماية البيانات من الهجمات المتزايدة والجديدة. يركز الباحثون على نظم اكتشاف الاقتحام القائم على الشذوذ لاكتشاف تلك الهجمات الغير المعروفة وتلعب خوارزميات التعلم الآلي دورًا حيويًا في هذه العملية لأنها تكتشف الهجمات بدقة. تعاني مجموعات البيانات المستخدمة حاليا في أنظمة كشف الاقتحام نقصًا واضحًا في تهديدات الشبكة الحقيقية، وتمثيل الهجوم، وتتضمن عددًا كبيرًا من التهديدات المهجورة، والتي تحد من دقة الاكتشاف ضمن مناهج أنظمة كشف الاقتحام الحالية لتعلم الآلة، مما يجعلها غير قادرة على مواكبة الهجمات المتزايدة والجديدة في البيئات السحابية والحاويات البرمجية. تهدف هذه الورقة البحثية الى الجمع بين التصنيف وتحليل مجموعات البيانات الحالية من أجل تحسين إنشاء مجموعات بيانات جديدة مستقبلية تحاكي الواقع الفعلي لبيانات الشبكة الحقيقية. مما سيؤدي ذلك إلى تحسين كفاءة الجيل القادم من أنظمة كشف الاقتحام ويعكس تهديدات الشبكة بشكل أكثر دقة

Leveraging siamese networks for one-shot intrusion detection model

The use of supervised Machine Learning (ML) to enhance Intrusion Detection Systems (IDS) has been the subject of significant research. Supervised ML is based upon learning by example, demanding significant volumes of representative instances for effective training and the need to retrain the model for every unseen cyber-attack class. However, retraining the models in-situ renders the network susceptible to attacks owing to the time-window required to acquire a sufficient volume of data. Although anomaly detection systems provide a coarse-grained defence against unseen attacks, these approaches are significantly less accurate and suffer from high false-positive rates. Here, a complementary approach referred to as “One-Shot Learning”, whereby a limited number of examples of a new attack-class is used to identify a new attack-class (out of many) is detailed. The model grants a new cyber-attack classification opportunity for classes that were not seen during training without retraining. A Siamese Network is trained to differentiate between classes based on pairs similarities, rather than features, allowing to identify new and previously unseen attacks. The performance of a pre-trained model to classify new attack-classes based only on one example is evaluated using three mainstream IDS datasets; CICIDS2017, NSL-KDD, and KDD Cup’99. The results confirm the adaptability of the model in classifying unseen attacks and the trade-off between performance and the need for distinctive class representations.</p

Machine and deep learning techniques for detecting internet protocol version six attacks: a review

The rapid development of information and communication technologies has increased the demand for internet-facing devices that require publicly accessible internet protocol (IP) addresses, resulting in the depletion of internet protocol version 4 (IPv4) address space. As a result, internet protocol version 6 (IPv6) was designed to address this issue. However, IPv6 is still not widely used because of security concerns. An intrusion detection system (IDS) is one example of a security mechanism used to secure networks. Lately, the use of machine learning (ML) or deep learning (DL) detection models in IDSs is gaining popularity due to their ability to detect threats on IPv6 networks accurately. However, there is an apparent lack of studies that review ML and DL in IDS. Even the existing reviews of ML and DL fail to compare those techniques. Thus, this paper comprehensively elucidates ML and DL techniques and IPv6-based distributed denial of service (DDoS) attacks. Additionally, this paper includes a qualitative comparison with other related works. Moreover, this work also thoroughly reviews the existing ML and DL-based IDSs for detecting IPv6 and IPv4 attacks. Lastly, researchers could use this review as a guide in the future to improve their work on DL and ML-based IDS

Unsupervised Algorithms to Detect Zero-Day Attacks: Strategy and Application

In the last decade, researchers, practitioners and companies struggled for devising mechanisms to detect cyber-security threats. Among others, those efforts originated rule-based, signature-based or supervised Machine Learning (ML) algorithms that were proven effective for detecting those intrusions that have already been encountered and characterized. Instead, new unknown threats, often referred to as zero-day attacks or zero-days, likely go undetected as they are often misclassified by those techniques. In recent years, unsupervised anomaly detection algorithms showed potential to detect zero-days. However, dedicated support for quantitative analyses of unsupervised anomaly detection algorithms is still scarce and often does not promote meta-learning, which has potential to improve classification performance. To such extent, this paper introduces the problem of zero-days and reviews unsupervised algorithms for their detection. Then, the paper applies a question-answer approach to identify typical issues in conducting quantitative analyses for zero-days detection, and shows how to setup and exercise unsupervised algorithms with appropriate tooling. Using a very recent attack dataset, we debate on i) the impact of features on the detection performance of unsupervised algorithms, ii) the relevant metrics to evaluate intrusion detectors, iii) means to compare multiple unsupervised algorithms, iv) the application of meta-learning to reduce misclassifications. Ultimately, v) we measure detection performance of unsupervised anomaly detection algorithms with respect to zero-days. Overall, the paper exemplifies how to practically orchestrate and apply an appropriate methodology, process and tool, providing even non-experts with means to select appropriate strategies to deal with zero-days