10 research outputs found

    Optimizing cybersecurity incident response decisions using deep reinforcement learning

    The main purpose of this paper is to explore and investigate the role of deep reinforcement learning (DRL) in optimizing the post-alert incident response process in security incident and event management (SIEM) systems. Although machine learning is used at multiple levels of SIEM systems, the last mile decision process is often ignored. Few papers reported efforts regarding the use of DRL to improve the post-alert decision and incident response processes. All the reported efforts applied only shallow (traditional) machine learning approaches to solve the problem. This paper explores the possibility of solving the problem using DRL approaches. The main attraction of DRL models is their ability to make accurate decisions based on live streams of data without the need for prior training, and they proved to be very successful in other fields of applications. Using standard datasets, a number of experiments have been conducted using different DRL configurations. The results showed that DRL models can provide highly accurate decisions without the need for prior training.

    Simple, Fast, and Accurate Cybercrime Detection on E-Government with Elastic Stack SIEM

    Increased public activity in cyberspace (Internet) during the Covid-19 pandemic has also increased cybercrime cases with various attack targets, including E-Government services. Cybercrime is hidden and occurs unnoticed in E-Government, so handling it is challenging for all government agencies. The characteristics of E-Government are unique and different from other service systems in general, requiring extra anticipation for the prevention and handling of cybercrime attack threats. This research proposes log and event data analysis to detect cybercrime in e-Government using System Information and Event Management (SIEM). The main contribution of this research is a simple, fast, and accurate cybercrime detection process in the e-Government environment by increasing the level of log and event data analysis with the SIEM approach. SIEM technology based on machine learning and big data is implemented with Elastic Stack. The implemented technique can be used as a mitigation program against cybercrime threats that often attack and target e-Government. With simple, accurate, and fast cybercrime detection, it is expected to improve e-Government security and increase public confidence in public services organized by government agencies.

    Evaluation of Classification Algorithms for Intrusion Detection System: A Review

    Intrusion detection is one of the most critical network security problems in the technology world. Machine learning techniques are being implemented to improve the Intrusion Detection System (IDS). In order to enhance the performance of IDS, different classification algorithms are applied to detect various types of attacks. Choosing a suitable classification algorithm for building IDS is not an easy task. The best method is to test the performance of the different classification algorithms. This paper aims to present the result of evaluating different classification algorithms to build an IDS model in terms of confusion matrix, accuracy, recall, precision, f-score, specificity and sensitivity. Nevertheless, most researchers have focused on the confusion matrix and accuracy metric as measurements of classification performance. It also provides a detailed comparison with the dataset, data preprocessing, number of features selected, feature selection technique, classification algorithms, and evaluation performance of algorithms described in the intrusion detection system.

    Threat intelligence using machine learning packet dissection

    In this research we compare different methods to examine network packets using supervised learning to predict possible intrusions. Although there have been many attempts to use Machine Learning for automated packet analysis, our application simplifies the process by taking any packet data source for analysis in a container ready for deploying on a private or public cloud without the need to pre-process the packet data. The packet is dissected extracting numerical data, describing the packet numbers, the time and length of the packets. Categorical variables are the source and destination IP addresses, protocol used and packet info/flag. The use of filters allows the recognition of any type of packet (e.g., SYN, ACK, FIN, RST). Four machine learning models, i.e., Neural Networks, Support Vector Machines, Logistic Regression and Linear Regression, are applied respectively to calculate the probability of suspicious packets. Subsequently, the outcomes are compared. During the testing against trojan malware, the models can detect the suspicious packets sent to a bogus website and attempts at downloading malware by means of packet payload analysis.

    Advancements in intrusion detection: A lightweight hybrid RNN-RF model

    Computer networks face vulnerability to numerous attacks, which pose significant threats to our data security and the freedom of communication. This paper introduces a novel intrusion detection technique that diverges from traditional methods by leveraging Recurrent Neural Networks (RNNs) for both data preprocessing and feature extraction. The proposed process is based on the following steps: (1) training the data using RNNs, (2) extracting features from their hidden layers, and (3) applying various classification algorithms. This methodology offers significant advantages and greatly differs from existing intrusion detection practices. The effectiveness of our method is demonstrated through trials on the Network Security Laboratory (NSL) and Canadian Institute for Cybersecurity (CIC) 2017 datasets, where the application of RNNs for intrusion detection shows substantial practical implications. Specifically, we achieved accuracy scores of 99.6% with Decision Tree, Random Forest, and CatBoost classifiers on the NSL dataset, and 99.8% and 99.9%, respectively, on the CIC 2017 dataset. By reversing the conventional sequence of training data with RNNs and then extracting features before applying classification algorithms, our approach provides a major shift in intrusion detection methodologies. This modification in the pipeline underscores the benefits of utilizing RNNs for feature extraction and data preprocessing, meeting the critical need to safeguard data security and communication freedom against ever-evolving network threats.

    Investigating machine and deep-learning model combinations for a two-stage IDS for IoT networks.

    Masters Degree. University of KwaZulu-Natal, Durban. By 2025, there will be upwards of 75 billion IoT devices connected to the internet. Notable security incidents have shown that many IoT devices are insecure or misconfigured, leaving them vulnerable, often with devastating results. AI's learning, adaptable and flexible nature can be leveraged to provide network monitoring for IoT networks. This work proposes a novel two-stage IDS, using layered machine- and deep-learning models. The applicability of seven algorithms is investigated using the BoT-IoT dataset. After replicating four algorithms from literature, modifications to these algorithms' application are then explored along with their ability to classify in three scenarios: 1) binary attack/benign, 2) multi-class attack with benign and 3) multi-class attack only. Three additional algorithms are also considered. The modifications are shown to achieve higher F1-scores by 22.75% and shorter training times by 35.68 seconds on average than the four replicated algorithms. Potential benefits of the proposed two-stage system are examined, showing a reduction of threat detection/identification time by 0.51s on average and an increase of threat classification F1-score by 0.05 on average. In the second half of the dissertation, algorithm combinations, layered in the two-stage system, are investigated. To facilitate comparison of time metrics, the classification scenarios from the first half of the dissertation are re-evaluated on the test PC CPU. All two-stage combinations are then tested. The results show a CNN binary classifier at stage one and a KNN 4-Class model at stage two performs best, outperforming the 5-Class (attack and benign) system of either algorithm. This system's first stage improves upon the 5-Class system's classification time by 0.25 seconds. The benign class F1-score is improved by 0.23, indicating a significant improvement in false positive rate. The system achieves an overall F1-score of 0.94. This shows the two-stage system would perform well as an IDS. Additionally, investigations arising from findings during the evaluation of the two-stage system are presented, namely GPU data-transfer overhead, the effect of data scaling and the effect of benign samples on stage two, giving a better understanding of how the dataset interacts with AI models and how they may be improved in future work.

    Addressing High False Positive Rates of DDoS Attack Detection Methods

    Distributed denial of service (DDoS) attack detection methods based on the clustering method are ineffective in detecting attacks correctly. Service interruptions caused by DDoS attacks impose concerns for IT leaders and their organizations, leading to financial damages. Grounded in the cross industry standard process for data mining framework, the purpose of this ex post facto study was to examine whether adding the filter and wrapper methods prior to the clustering method is effective in terms of lowering false positive rates of DDoS attack detection methods. The population of this study was 225,745 network traffic data records of the CICIDS2017 network traffic dataset. The 10-fold cross validation method was applied to identify effective DDoS attack detection methods. The results of the 10-fold cross validation method showed that in some instances, addition of the filter and wrapper methods prior to the clustering method was effective in terms of lowering false positive rates of DDoS attack detection methods; in some instances, it was not. A recommendation to IT leaders is to deploy the effective DDoS attack detection method that produced the lowest false positive rate of 0.013 in detecting attacks outside of demilitarized zones to identify attacks directly from the Internet. Implications for positive social change are potentially in enabling organizations to protect their systems and provide uninterrupted services to their communities with reduced financial damages.

    Cyber Security and Critical Infrastructures

    This book contains the manuscripts that were accepted for publication in the MDPI Special Topic "Cyber Security and Critical Infrastructure" after a rigorous peer-review process. Authors from academia, government and industry contributed their innovative solutions, consistent with the interdisciplinary nature of cybersecurity. The book contains 16 articles: an editorial explaining current challenges, innovative solutions, real-world experiences including critical infrastructure, 15 original papers that present state-of-the-art innovative solutions to attacks on critical systems, and a review of cloud, edge computing, and fog's security and privacy issues.