Per-host DDoS mitigation by direct-control reinforcement learning

DDoS attacks plague the availability of online services today, yet like many cybersecurity problems are evolving and non-stationary. Normal and attack patterns shift as new protocols and applications are introduced, further compounded by burstiness and seasonal variation. Accordingly, it is difficult to apply machine learning-based techniques and defences in practice. Reinforcement learning (RL) may overcome this detection problem for DDoS attacks by managing and monitoring consequences; an agent’s role is to learn to optimise performance criteria (which are always available) in an online manner. We advance the state-of-the-art in RL-based DDoS mitigation by introducing two agent classes designed to act on a per-flow basis, in a protocol-agnostic manner for any network topology. This is supported by an in-depth investigation of feature suitability and empirical evaluation. Our results show the existence of flow features with high predictive power for different traffic classes, when used as a basis for feedback-loop-like control. We show that the new RL agent models can offer a significant increase in goodput of legitimate TCP traffic for many choices of host density

Intrusion Detection System based on time related features and Machine Learning

The analysis of the behavior of network communications over time allows the extraction of statistical features capable of characterizing the network traffic flows. These features can be used to create an Intrusion Detection System (IDS) that can automatically classify network traffic. But introducing an IDS into a network changes the latency of its communications. From a different viewpoint it is possible to analyze the latencies of a network to try to identifying the presence or absence of the IDS. The proposed method can be used to extract a set of phisical or time related features that characterize the communication behavior of an Internet of Things (IoT) infrastructure. For example the number of packets sent every 5 minutes. Then these features can help identify anomalies or cyber attacks. For example a jamming of the radio channel. This method does not necessarily take into account the content of the network packet and therefore can also be used on encrypted connections where is impossible to carry out a Deep Packet Inspection (DPI) analysis

The effective combating of intrusion attacks through fuzzy logic and neural networks

The importance of properly securing an organization’s information and computing resources has become paramount in modern business. Since the advent of the Internet, securing this organizational information has become increasingly difficult. Organizations deploy many security mechanisms in the protection of their data, intrusion detection systems in particular have an increasingly valuable role to play, and as networks grow, administrators need better ways to monitor their systems. Currently, many intrusion detection systems lack the means to accurately monitor and report on wireless segments within the corporate network. This dissertation proposes an extension to the NeGPAIM model, known as NeGPAIM-W, which allows for the accurate detection of attacks originating on wireless network segments. The NeGPAIM-W model is able to detect both wired and wireless based attacks, and with the extensions to the original model mentioned previously, also provide for correlation of intrusion attacks sourced on both wired and wireless network segments. This provides for a holistic detection strategy for an organization. This has been accomplished with the use of Fuzzy logic and neural networks utilized in the detection of attacks. The model works on the assumption that each user has, and leaves, a unique footprint on a computer system. Thus, all intrusive behaviour on the system and networks which support it, can be traced back to the user account which was used to perform the intrusive behavior

Intrusion Detection in SCADA Systems using Machine Learning Techniques

Modern Supervisory Control and Data Acquisition (SCADA) systems are essential for monitoring and managing electric power generation, transmission and distribution. In the age of the Internet of Things, SCADA has evolved into big, complex and distributed systems that are prone to conventional in addition to new threats. So as to detect intruders in a timely and efficient manner a real time detection mechanism, capable of dealing with a range of forms of attacks is highly salient. Such a mechanism has to be distributed, low cost, precise, reliable and secure, with a low communication overhead, thereby not interfering in the industrial system’s operation. In this commentary two distributed Intrusion Detection Systems (IDSs) which are able to detect attacks that occur in a SCADA system are proposed, both developed and evaluated for the purposes of the CockpitCI project. The CockpitCI project proposes an architecture based on real-time Perimeter Intrusion Detection System (PIDS), which provides the core cyber-analysis and detection capabilities, being responsible for continuously assessing and protecting the electronic security perimeter of each CI. Part of the PIDS that was developed for the purposes of the CockpitCI project, is the OCSVM module. During the duration of the project two novel OCSVM modules were developed and tested using datasets from a small-scale testbed that was created, providing the means to mimic a SCADA system operating both in normal conditions and under the influence of cyberattacks. The first method, namely K-OCSVM, can distinguish real from false alarms using the OCSVM method with default values for parameters ν and σ combined with a recursive K-means clustering method. The K-OCSVM is very different from all similar methods that required pre-selection of parameters with the use of cross-validation or other methods that ensemble outcomes of one class classifiers. Building on the K-OCSVM and trying to cope with the high requirements that were imposed from the CockpitCi project, both in terms of accuracy and time overhead, a second method, namely IT-OCSVM is presented. IT-OCSVM method is capable of performing outlier detection with high accuracy and low overhead within a temporal window, adequate for the nature of SCADA systems. The two presented methods are performing well under several attack scenarios. Having to balance between high accuracy, low false alarm rate, real time communication requirements and low overhead, under complex and usually persistent attack situations, a combination of several techniques is needed. Despite the range of intrusion detection activities, it has been proven that half of these have human error at their core. An increased empirical and theoretical research into human aspects of cyber security based on the volumes of human error related incidents can enhance cyber security capabilities of modern systems. In order to strengthen the security of SCADA systems, another solution is to deliver defence in depth by layering security controls so as to reduce the risk to the assets being protected

Industrial control systems cybersecurity analysis and countermeasures

Industrial Control Systems (ICS) are frequently used in the manufacturing industry and critical infrastructures, such as water, oil and transportation. Disruption of these industries could have disastrous consequences, leading to financial loss or even human lives. Over time, technological development has improved ICS components; however, little research has been done to improve its security posture. In this research, a novel attack vector addressed to the Input and Output memory of the latest SIMATIC S7-1500 PLC is presented. The results obtained during the experimentation process show that attacks on the PLC memory can have a significantly detrimental effect on the operations of the control system. Furthermore, this research describes implements and evaluates the physical, hybrid and virtual model of a Clean Water Supply System developed for the cybersecurity analysis of the Industrial Control System. The physical testbed is implemented on the Festo MPA platform, while the virtual representation of this platform is implemented in MATLAB. The results obtained during the evaluation of the three testbeds show the strengths and weaknesses of each implementation. Likewise, this research proposes two approaches for Industrial Control Systems cyber-security analysis. The first approach involves an attack detection and mitigation mechanism that focuses on the input memory of PLC and is implemented as part of its code. The response mechanism involves three different techniques: optimized data blocks, switching between control strategies, and obtaining sensor readings directly from the analogue channel. The Clean Water Supply System described above is employed for the practical evaluation of this approach. The second approach corresponds to a supervised energy-based system to anomaly detection using a novel energy-based dataset. The results obtained during the experimentation process show that machine learning algorithms can classify the variations of energy produced by the execution of cyber-attacks as anomalous. The results show the feasibility of the approach presented in this research by achieving an F1-Score of 95.5%, and 6.8% FNR with the Multilayer Perceptron Classifier