7 research outputs found
Detecting Anomalous Network Communication Patterns Using Graph Convolutional Networks
To protect an organizations' endpoints from sophisticated cyberattacks,
advanced detection methods are required. In this research, we present
GCNetOmaly: a graph convolutional network (GCN)-based variational autoencoder
(VAE) anomaly detector trained on data that include connection events among
internal and external machines. As input, the proposed GCN-based VAE model
receives two matrices: (i) the normalized adjacency matrix, which represents
the connections among the machines, and (ii) the feature matrix, which includes
various features (demographic, statistical, process-related, and Node2vec
structural features) that are used to profile the individual nodes/machines.
After training the model on data collected for a predefined time window, the
model is applied on the same data; the reconstruction score obtained by the
model for a given machine then serves as the machine's anomaly score.
GCNetOmaly was evaluated on real, large-scale data logged by Carbon Black EDR
from a large financial organization's automated teller machines (ATMs) as well
as communication with Active Directory (AD) servers in two setups: unsupervised
and supervised. The results of our evaluation demonstrate GCNetOmaly's
effectiveness in detecting anomalous behavior of machines on unsupervised data
Deep fused flow and topology features for botnet detection basing on pretrained GCN
Nowadays, botnets have become one of the major threats to cyber security. The
characteristics of botnets are mainly reflected in bots network behavior and
their intercommunication relationships. Existing botnet detection methods use
flow features or topology features individually, which overlook the other type
of feature. This affects model performance. In this paper, we propose a botnet
detection model which uses graph convolutional network (GCN) to deeply fuse
flow features and topology features for the first time. We construct
communication graphs from network traffic and represent nodes with flow
features. Due to the imbalance of existing public traffic flow datasets, it is
impossible to train a GCN model on these datasets. Therefore, we use a balanced
public communication graph dataset to pretrain a GCN model, thereby
guaranteeing its capacity for identify topology features. We then feed the
communication graph with flow features into the pretrained GCN. The output from
the last hidden layer is treated as the fusion of flow and topology features.
Additionally, by adjusting the number of layers in the GCN network, the model
can effectively detect botnets under both C2 and P2P structures. Validated on
the public ISCX2014 dataset, our approach achieves a remarkable recall rate
92.90% and F1-score 92.76% for C2 botnets, alongside recall rate 94.66% and
F1-score of 92.35% for P2P botnets. These results not only demonstrate the
effectiveness of our method, but also outperform the performance of the
currently leading detection models
Cyber Security and Critical Infrastructures
This book contains the manuscripts that were accepted for publication in the MDPI Special Topic "Cyber Security and Critical Infrastructure" after a rigorous peer-review process. Authors from academia, government and industry contributed their innovative solutions, consistent with the interdisciplinary nature of cybersecurity. The book contains 16 articles: an editorial explaining current challenges, innovative solutions, real-world experiences including critical infrastructure, 15 original papers that present state-of-the-art innovative solutions to attacks on critical systems, and a review of cloud, edge computing, and fog's security and privacy issues
Digital Forensics AI: on Practicality, Optimality, and Interpretability of Digital Evidence Mining Techniques
Digital forensics as a field has progressed alongside technological advancements over the years, just as digital devices have gotten more robust and sophisticated. However, criminals and attackers have devised means for exploiting the vulnerabilities or sophistication of these devices to carry out malicious activities in unprecedented ways. Their belief is that electronic crimes can be committed without identities being revealed or trails being established. Several applications of artificial intelligence (AI) have demonstrated interesting and promising solutions to seemingly intractable societal challenges. This thesis aims to advance the concept of applying AI techniques in digital forensic investigation. Our approach involves experimenting with a complex case scenario in which suspects corresponded by e-mail and deleted, suspiciously, certain communications, presumably to conceal evidence. The purpose is to demonstrate the efficacy of Artificial Neural Networks (ANN) in learning and detecting communication patterns over time, and then predicting the possibility of missing communication(s) along with potential topics of discussion. To do this, we developed a novel approach and included other existing models. The accuracy of our results is evaluated, and their performance on previously unseen data is measured. Second, we proposed conceptualizing the term “Digital Forensics AI” (DFAI) to formalize the application of AI in digital forensics. The objective is to highlight the instruments that facilitate the best evidential outcomes and presentation mechanisms that are adaptable to the probabilistic output of AI models. Finally, we enhanced our notion in support of the application of AI in digital forensics by recommending methodologies and approaches for bridging trust gaps through the development of interpretable models that facilitate the admissibility of digital evidence in legal proceedings
Digital Forensics AI: on Practicality, Optimality, and Interpretability of Digital Evidence Mining Techniques
Digital forensics as a field has progressed alongside technological advancements over the years, just as digital devices have gotten more robust and sophisticated. However, criminals and attackers have devised means for exploiting the vulnerabilities or sophistication of these devices to carry out malicious activities in unprecedented ways. Their belief is that electronic crimes can be committed without identities being revealed or trails being established. Several applications of artificial intelligence (AI) have demonstrated interesting and promising solutions to seemingly intractable societal challenges. This thesis aims to advance the concept of applying AI techniques in digital forensic investigation. Our approach involves experimenting with a complex case scenario in which suspects corresponded by e-mail and deleted, suspiciously, certain communications, presumably to conceal evidence. The purpose is to demonstrate the efficacy of Artificial Neural Networks (ANN) in learning and detecting communication patterns over time, and then predicting the possibility of missing communication(s) along with potential topics of discussion. To do this, we developed a novel approach and included other existing models. The accuracy of our results is evaluated, and their performance on previously unseen data is measured. Second, we proposed conceptualizing the term “Digital Forensics AI” (DFAI) to formalize the application of AI in digital forensics. The objective is to highlight the instruments that facilitate the best evidential outcomes and presentation mechanisms that are adaptable to the probabilistic output of AI models. Finally, we enhanced our notion in support of the application of AI in digital forensics by recommending methodologies and approaches for bridging trust gaps through the development of interpretable models that facilitate the admissibility of digital evidence in legal proceedings
An efficient reinforcement learning-based Botnet detection approach
The use of bot malware and botnets as a tool to facilitate other malicious cyber activities (e.g. distributed denial of service attacks, dissemination of malware and spam, and click fraud). However, detection of botnets, particularly peer-to-peer (P2P) botnets, is challenging. Hence, in this paper we propose a sophisticated traffic reduction mechanism, integrated with a reinforcement learning technique. We then evaluate the proposed approach using real-world network traffic, and achieve a detection rate of 98.3%. The approach also achieves a relatively low false positive rate (i.e. 0.012%)