8 research outputs found

    Practical Application of Machine Learning based Online Intrusion Detection to Internet of Things Networks

    Internet of Things (IoT) devices participate in an open and distributed perception layer, with vulnerability to cyber attacks becoming a key concern for data privacy and service availability. The perception layer poses a unique challenge for intrusion detection, because resources are constrained and networks are distributed. An additional challenge is that IoT networks are a continuous, non-stationary data stream that, due to its variable nature, is likely to experience concept drift. This research aimed to review the practical applications of online machine learning methods for IoT network intrusion detection, to answer the question of whether a resource-efficient architecture can be provided. An online learning architecture is introduced, and related IDS approaches are reviewed and evaluated. Online learning offers a potentially memory- and time-efficient architecture that can adapt to concept drift and perform anomaly detection, providing solutions for the resource-constrained and distributed IoT perception layer. Future research should focus on addressing class imbalance in the data streams to ensure that minority attack classes are not missed.

    Selection of network traffic discriminators for real-time classification

    There are several techniques for selecting a set of traffic features for traffic classification. However, most studies ignore the domain in which traffic analysis or classification is performed and do not consider the constantly changing information carried by the networks. This paper describes a selection process for online network-traffic discriminators. We obtained 24 traffic features that can be processed on the fly and propose them as a base attribute set for future domain-aware online analysis, processing, or classification. To select the set of traffic discriminators while avoiding the drawbacks mentioned above, we carried out three steps. The first step is a manual, context-knowledge-based selection of traffic features that satisfy the condition of being obtainable on the fly from the flow. The second step is a quality analysis of the previously selected attributes, to ensure the relevance of each one when performing traffic classification. In the third step, the implementation of several incremental learning algorithms verified the usefulness of these attributes in online traffic classification processes.

    INSOMNIA: Towards Concept-Drift Robustness in Network Intrusion Detection

    Despite decades of research in network traffic analysis and incredible advances in artificial intelligence, network intrusion detection systems based on machine learning (ML) have yet to prove their worth. One core obstacle is the existence of concept drift, an issue for all adversary-facing security systems. Additionally, specific challenges set intrusion detection apart from other ML-based security tasks, such as malware detection. In this work, we offer a new perspective on these challenges. We propose INSOMNIA, a semi-supervised intrusion detector which continuously updates the underlying ML model as network traffic characteristics are affected by concept drift. We use active learning to reduce latency in the model updates, label estimation to reduce labeling overhead, and apply explainable AI to better interpret how the model reacts to the shifting distribution. To evaluate INSOMNIA, we extend TESSERACT - a framework originally proposed for performing sound time-aware evaluations of ML-based malware detectors - to the network intrusion domain. Our evaluation shows that accounting for drifting scenarios is vital for effective intrusion detection systems.

    Saving energy in aggressive intrusion detection through dynamic latency sensitivity recognition

    In an always-connected world, cyber-attacks and computer security breaches can produce significant financial damage as well as introduce new risks and menaces into everyday life. As a consequence, more and more sophisticated packet screening/filtering solutions are deployed everywhere, typically on network border devices, in order to sanitize Internet traffic. Despite the obvious benefits associated with the proactive detection of security threats, these devices, by performing deep packet inspection and inline analysis, may both affect latency-sensitive traffic by introducing non-negligible delays, and increase the energy demand at the network element level. Starting from these considerations, we present a selective routing and intrusion detection technique based on dynamic statistical analysis. Our technique separates latency-sensitive traffic from latency-insensitive traffic and adaptively organizes the intrusion detection activities over multiple nodes. This allows suppressing directly at the network ingress, when possible, all the undesired components of latency-insensitive traffic, and distributing the security checks for latency-sensitive flows over the innermost nodes, prioritizing routing activities over security scanning. Our final goal is to demonstrate that selective intrusion detection can result in significant energy savings without adversely affecting latency-sensitive traffic through unacceptable processing delays. © 2017 Elsevier Ltd.

    UGRansome1819: a novel dataset for anomaly detection and zero-day threats

    This research attempts to introduce a production methodology for an anomaly detection dataset using ten desirable requirements. Subsequently, the article presents the produced dataset, named UGRansome, created with up-to-date and modern network traffic (netflow), which represents cyclostationary patterns of normal and abnormal classes of threatening behaviours. It was discovered that the timestamp of various network attacks is less than one minute, and this feature pattern was used to record the time taken by the threat to infiltrate a network node. The main asset of the proposed dataset is its applicability to the detection of zero-day attacks and anomalies that have not been explored before and cannot be recognised by known threat signatures. For instance, the UDP Scan attack was found to use the lowest netflow in the corpus, while Razy uses the highest. In turn, the EDA2 and Globe malware are the most abnormal zero-day threats in the proposed dataset. These feature patterns are included in the corpus but derived from two well-known datasets, namely UGR'16 and a ransomware dataset, which include real-life instances. The former incorporates cyclostationary patterns while the latter includes ransomware features. The UGRansome dataset was tested with cross-validation and compared to the KDD99 and NSL-KDD datasets to assess the performance of Ensemble Learning algorithms. False alarms were minimized with a null empirical error during the experiment, which demonstrates that applying the Random Forest algorithm to UGRansome can produce accurate results that enhance zero-day threat detection. Additionally, most zero-day threats such as Razy, Globe, EDA2, and TowerWeb are recognised as advanced persistent threats that are cyclostationary in nature, and it is predicted that they will use spamming and phishing for intrusion. Lastly, achieving balance in UGRansome was found to be NP-Hard, because the real life-threatening classes do not have a uniform distribution in terms of number of instances.
    https://www.mdpi.com/journal/information

    Cheating detection in online exams based on captured video using deep learning

    Today, e-learning has become a reality and a global trend, imposed and accelerated by the COVID-19 pandemic. However, there are many risks and challenges related to the credibility of online exams, which are of widespread concern to educational institutions around the world. Online exam systems continue to gain popularity, particularly during the pandemic, due to the rapid expansion of digitalization and globalization. To protect the integrity of the examination and provide objective and fair results, cheating detection and prevention in examination systems is a must. Therefore, the main objective of this thesis is to develop an effective way of detecting cheating in online exams. In this work, a system to track and prevent attempts to cheat on online exams is developed using artificial intelligence techniques. The suggested solution uses the webcam already connected to the computer to record videos of the examinee in real time and afterwards analyzes them using different deep learning methods, to find the best combination of models for face detection and for classifying whether or not cheating occurred. To evaluate the system, we use a benchmark dataset of exam videos from 24 participants who acted as examinees in an online exam. An object detection technique is used to detect the face appearing in the image and crop the face region, and then a deep-learning-based classification model is trained on these images to classify a face as cheating or not cheating. We have proposed an effective combination of data preprocessing, object detection, and classification models to obtain high detection accuracy. We believe that the suggested invigilation methodology can be used in colleges, institutions, and schools to look for and monitor suspicious student behavior. Hopefully, by putting the proposed invigilation method into place, we can help eliminate and reduce cheating incidents, as cheating undermines the integrity and fairness of the educational system.