
    Using Machine Learning Techniques to Increase the Effectiveness of Cybersecurity

    In today's world, a great number of organizations generate and accumulate large amounts of information, which is of great value to its owners and is also considered by attackers a valuable resource for enrichment. Any data storage system has vulnerabilities that will be exploited during cyberattacks. The inability to build a system secure enough against unauthorized access to data forces companies to respond on an ongoing basis to evolving technologies of information misappropriation by developing more effective methods of identifying and combating cyberattacks. This article examines the features of the use of machine learning methods to identify illegal access by third parties to the information of individuals and legal entities that causes economic and reputational damage. The study considers methods of processing various types of data (numerical values, textual information, video and audio content, images) that can be used to build an effective cybersecurity system. Obtaining a high level of identification of unauthorized access to data and combating its theft is possible through the implementation of modern machine learning approaches, which are constantly improving through the creation of innovative data processing algorithms and the use of powerful cloud computing services, acting as an element to counter rapidly evolving technologies.

    A Regularized Cross-Layer Ladder Network for Intrusion Detection in Industrial Internet-of-Things

    As part of Big Data trends, the ubiquitous use of the Internet-of-Things (IoT) in the industrial environment has generated a significant amount of network traffic. In this type of industrial IoT network, where there is large equipment heterogeneity, security is a fundamental issue, so it is very important to detect likely intrusion behaviors. Furthermore, since the proportion of labeled data records is small in IoT environments, it is challenging to detect various attacks and intrusions accurately. This investigation builds a semi-supervised ladder network model for intrusion detection in IIoT. The model considers the manifold distribution of high-dimensional data and incorporates a manifold regularization constraint in the decoder of the ladder network. Meanwhile, feature propagation between layers is strengthened by adding more cross-layer connections to the model. On this basis, a random attention-based data fusion approach is used to generate global features for intrusion detection. Experiments on CIC-IDS2018 show that the proposed approach can recognize intrusions with a lower false alarm rate, while model training remains time-efficient.

    Cybersecurity in Industrial Networks: Artificial Intelligence Techniques Applied to Intrusion Detection Systems

    Industrial control systems (ICS) operate on serial-based networks which lack proper security safeguards by design. They are also becoming more integrated with corporate networks, creating new vulnerabilities which expose ICS networks to increasing levels of risk with potentially significant impact. Despite those risks, only a few mechanisms have been suggested and are available in practice as cybersecurity safeguards for the ICS network layer, perhaps because they might not be commercially viable. Intrusion detection systems (IDS) are typically deployed in corporate networks to protect against attacks, since those networks are based on TCP/IP. However, IDS are not yet used in serial-based ICS networks. This study examines and compares modern Artificial Intelligence (AI) techniques applied in IDS that are potentially useful for serial-based ICS networks. The results showed that current AI-based IDS methods are viable in such networks. A mix of AI techniques would be the best way forward: detecting known attacks via rules, and novel attacks not previously mapped via supervised and unsupervised techniques. Despite these strategies' limited use in serial-based networks, their adoption could significantly strengthen the cybersecurity of ICS networks.

    A Novel Threat Intelligence Detection Model Using Neural Networks

    A network intrusion detection system (IDS) is commonly recognized as an effective solution for identifying threats and malicious attacks. Due to the rapid emergence of threats and new attack vectors, novel and adaptive approaches must be considered to maintain the effectiveness of IDSs. In this paper, we present a novel Threat Intelligence Detection Model (TIDM) for online intrusion detection. The proposed TIDM focuses on the online processing of massive data flows and is accordingly able to reveal unknown connections, including zero-day attacks. The TIDM consists of three components: an optimized filter (OptiFilter), an adaptive and hybrid classifier, and an alarm component. The main contributions of the OptiFilter component are its ability to continuously capture data flows and construct unlabeled connection vectors. The second component of the TIDM employs a hybrid model made up of an enhanced growing hierarchical self-organizing map (EGHSOM) and a normal network behavior (NNB) model to jointly identify unknown connections. The proposed TIDM updates the hybrid model continually in real time. The model's performance evaluation has been carried out in both offline and online operational modes using a quantitative approach that considers all possible evaluation metrics for the datasets and the hybrid classification method. The achieved results show that the proposed TIDM is able, with promising performance, to process massive data flows in real time, classify unlabeled connections, reveal the label of unknown connections, and perform online updates successfully.

    Towards a machine learning-based framework for DDOS attack detection in software-defined IoT (SD-IoT) networks

    The Internet of Things (IoT) is a complex and diverse network consisting of resource-constrained sensors/devices/things that are vulnerable to various security threats, particularly Distributed Denial of Service (DDoS) attacks. Recently, the integration of Software Defined Networking (SDN) with IoT has emerged as a promising approach for improving security and access control mechanisms. However, DDoS attacks continue to pose a significant threat to IoT networks, as they can be executed through botnet or zombie attacks. Machine learning-based security frameworks offer a viable solution to scrutinize the behavior of IoT devices and compile a profile that enables the decision-making process to maintain the integrity of the IoT environment. In this paper, we present a machine learning-based approach to detect DDoS attacks in an SDN-WISE IoT controller. We have integrated a machine learning-based detection module into the controller and set up a testbed environment to simulate DDoS attack traffic generation. The traffic is captured by a logging mechanism added to the SDN-WISE controller, which writes network logs into a log file that is pre-processed and converted into a dataset. The machine learning DDoS detection module, integrated into the SDN-WISE controller, uses Naive Bayes (NB), Decision Tree (DT), and Support Vector Machine (SVM) algorithms to classify SDN-IoT network packets. We evaluate the performance of the proposed framework using different traffic simulation scenarios and compare the results generated by the machine learning DDoS detection module. The proposed framework achieved accuracy rates of 97.4%, 96.1%, and 98.1% for NB, SVM, and DT, respectively. The attack detection module takes up to 30% of memory and CPU usage, and it saves about 70% of memory while keeping up to 70% of the CPU free to process the SD-IoT network traffic with an average throughput of 48 packets per second, achieving an accuracy of 97.2%. Our experimental results demonstrate the superiority of the proposed framework in detecting DDoS attacks in an SDN-WISE IoT environment. The proposed approach can be used to enhance the security of IoT networks and mitigate the risk of DDoS attacks.

    Multimodal Approach for Malware Detection

    Although malware detection is a very active area of research, few works have focused on using physical properties (e.g., power consumption) and multimodal features for malware detection. We designed an experimental testbed that allowed us to run samples of malware and non-malicious software applications, to collect power consumption, network traffic, and system log data, and subsequently to extract dynamic behavioral-based features. We also extracted code-based static features of both malware and non-malicious software applications. These features were used for malware detection based on: feature level fusion using power consumption and network traffic data, feature level fusion using network traffic data and system logs, and multimodal feature level and decision level fusion. The contributions when using feature level fusion of power consumption and network traffic data are: (1) We focused on detecting real malware using the extracted dynamic behavioral features (both power-based and network traffic-based) and supervised machine learning algorithms, which has not been done by any of the prior works. (2) We ran a large number of machine learning experiments, which allowed us to identify the best performing learner, the DC voltage rails that led to the best malware detection performance, and the subset of features that are the best predictors for malware detection. (3) The comparison of malware detection performance was done using a comprehensive set of metrics that reflect different aspects of the quality of malware detection. In the case of feature level fusion using network traffic data and system logs, the contributions are: (1) Most of the previous works that have used network flow-based features have classified the network traffic, while our focus was on classifying the software running on a machine as malware or non-malicious software using the extracted dynamic behavioral features. (2) We experimented with different sizes of the training set (i.e., 90%, 75%, 50%, and 25% of the data) and found that smaller training sets produced very good classification results. This aspect of our work has practical value because the manual labeling of the training set is a tedious and time-consuming process. In this dissertation we present a multimodal deep learning neural network that integrates different modalities (i.e., power consumption, system logs, network traffic, and code-based static data) using decision level fusion. We evaluated the performance of each modality individually, when using feature level fusion, and when using decision level fusion. The contributions of our multimodal approach are as follows: (1) Collecting data from different modalities allowed us to develop a multimodal approach to malware detection, which has not been widely explored by prior works. Moreover, none of the previous works compared the performance of feature level fusion with decision level fusion, which is explored in this dissertation. (2) We proposed a multimodal decision level fusion malware detection approach using a deep neural network and compared its performance with the performance of feature level fusion approaches based on a deep neural network and standard supervised machine learning algorithms (i.e., Random Forest, J48, JRip, PART, Naive Bayes, and SMO).