DoS and DDoS mitigation using Variational Autoencoders

DoS and DDoS attacks have been growing in size and number over the last decade and existing solutions to mitigate these attacks are largely inefficient. Compared to other types of malicious cyber attacks, DoS and DDoS attacks are particularly challenging to combat. Because of their ability to mask themselves as legitimate traffic, it has proven difficult to develop methods to detect these types of attacks on a packet or flow level. In this paper, we explore the potential of Variational Autoencoders to serve as a component within an intelligent security solution that differentiates between normal and malicious traffic. The motivation behind resorting to Variational Autoencoders is that unlike normal encoders that would code an input flow as a single point, they encode a flow as a distribution over the latent space which avoids overfitting. Intuitively, this allows a Variational Autoencoder to not only learn latent representations of seen input features, but to generalize in a way that allows for an interpretation of unseen flows and flow features with slight variations. Two methods based on the ability of Variational Autoencoders to learn latent representations from network traffic flows of both benign and malicious traffic, are proposed. The first method resorts to a classifier based on the latent encodings obtained from Variational Autoencoders learned from traffic traces. The second method is an anomaly detection method, where the Variational Autoencoder is used to learn the abstract feature representations of exclusively legitimate traffic. Anomalies are then filtered out by relying on the reconstruction loss of the Variational Autoencoder. In this sense, the construction loss of the autoencoder is fed as input to a classifier that outputs the class of the traffic including benign and malign, and eventually the attack type. Thus, the second approach operates with two separate training processes on two separate data sources: the first training involving only legitimate traffic, and the second training involving all traffic classes. This is different from the first approach which operates only a single training process on the whole traffic dataset. Thus, the autoencoder of the first approach aspires to learn a general feature representation of the flows while the autoencoder of the second approach aims to exclusively learn a representation of the benign traffic. The second approach is thus more susceptible to finding zero day attacks and discovering new attacks as anomalies. Both of the proposed methods have been thoroughly tested on two separate datasets with a similar feature space. The results show that both methods are promising, with the classifier-based method being slightly superior to the anomaly-based one

Security of Internet of Things (IoT) Using Federated Learning and Deep Learning — Recent Advancements, Issues and Prospects

There is a great demand for an efficient security framework which can secure IoT systems from potential adversarial attacks. However, it is challenging to design a suitable security model for IoT considering the dynamic and distributed nature of IoT. This motivates the researchers to focus more on investigating the role of machine learning (ML) in the designing of security models. A brief analysis of different ML algorithms for IoT security is discussed along with the advantages and limitations of ML algorithms. Existing studies state that ML algorithms suffer from the problem of high computational overhead and risk of privacy leakage. In this context, this review focuses on the implementation of federated learning (FL) and deep learning (DL) algorithms for IoT security. Unlike conventional ML techniques, FL models can maintain the privacy of data while sharing information with other systems. The study suggests that FL can overcome the drawbacks of conventional ML techniques in terms of maintaining the privacy of data while sharing information with other systems. The study discusses different models, overview, comparisons, and summarization of FL and DL-based techniques for IoT security

Mitigating Botnet Attack Using Encapsulated Detection Mechanism (EDM)

Botnet as it is popularly called became fashionable in recent times owing to it embedded force on network servers. Botnet has an exponential growth of about 170, 000 within network server and client infrastructures per day. The networking environment on monthly basis battle over 5 million bots. Nigeria as a country loses above one hundred and twenty five (N125) billion naira to network fraud annually, end users such as Banks and other financial institutions battle daily the botnet threats.Comment: This paper addresses critical area of networ

Towards a machine learning-based framework for DDOS attack detection in software-defined IoT (SD-IoT) networks

The Internet of Things (IoT) is a complex and diverse network consisting of resource-constrained sensors/devices/things that are vulnerable to various security threats, particularly Distributed Denial of Services (DDoS) attacks. Recently, the integration of Software Defined Networking (SDN) with IoT has emerged as a promising approach for improving security and access control mechanisms. However, DDoS attacks continue to pose a significant threat to IoT networks, as they can be executed through botnet or zombie attacks. Machine learning-based security frameworks offer a viable solution to scrutinize the behavior of IoT devices and compile a profile that enables the decision-making process to maintain the integrity of the IoT environment. In this paper, we present a machine learning-based approach to detect DDoS attacks in an SDN-WISE IoT controller. We have integrated a machine learning-based detection module into the controller and set up a testbed environment to simulate DDoS attack traffic generation. The traffic is captured by a logging mechanism added to the SDN-WISE controller, which writes network logs into a log file that is pre-processed and converted into a dataset. The machine learning DDoS detection module, integrated into the SDN-WISE controller, uses Naive Bayes (NB), Decision Tree (DT), and Support Vector Machine (SVM) algorithms to classify SDN-IoT network packets. We evaluate the performance of the proposed framework using different traffic simulation scenarios and compare the results generated by the machine learning DDoS detection module. The proposed framework achieved an accuracy rate of 97.4%, 96.1%, and 98.1% for NB, SVM, and DT, respectively. The attack detection module takes up to 30% usage of memory and CPU, and it saves about 70% memory while keeping the CPU free up to 70% to process the SD-IoT network traffic with an average throughput of 48 packets per second, achieving an accuracy of 97.2%. Our experimental results demonstrate the superiority of the proposed framework in detecting DDoS attacks in an SDN-WISE IoT environment. The proposed approach can be used to enhance the security of IoT networks and mitigate the risk of DDoS attacks

A Machine Learning Approach to Detect Router Advertisement Flooding Attacks in Next-Generation IPv6 Networks

Router advertisement (RA) flooding attack aims to exhaust all node resources, such as CPU and memory, attached to routers on the same link. A biologically inspired machine learning-based approach is proposed in this study to detect RA flooding attacks. The proposed technique exploits information gain ratio (IGR) and principal component analysis (PCA) for feature selection and a support vector machine (SVM)-based predictor model, which can also detect input traffic anomaly. A real benchmark dataset obtained from National Advanced IPv6 Center of Excellence laboratory is used to evaluate the proposed technique. The evaluation process is conducted with two experiments. The first experiment investigates the effect of IGR and PCA feature selection methods to identify the most contributed features for the SVM training model. The second experiment evaluates the capability of SVM to detect RA flooding attacks. The results show that the proposed technique demonstrates excellent detection accuracy and is thus an effective choice for detecting RA flooding attacks. The main contribution of this study is identification of a set of new features that are related to RA flooding attack by utilizing IGR and PCA algorithms. The proposed technique in this paper can effectively detect the presence of RA flooding attack in IPv6 network

Efficiency and Sustainability of the Distributed Renewable Hybrid Power Systems Based on the Energy Internet, Blockchain Technology and Smart Contracts-Volume II

The climate changes that are becoming visible today are a challenge for the global research community. In this context, renewable energy sources, fuel cell systems, and other energy generating sources must be optimally combined and connected to the grid system using advanced energy transaction methods. As this reprint presents the latest solutions in the implementation of fuel cell and renewable energy in mobile and stationary applications, such as hybrid and microgrid power systems based on the Energy Internet, Blockchain technology, and smart contracts, we hope that they will be of interest to readers working in the related fields mentioned above

System Health Monitoring and Proactive Response Activation

RÉSUMÉ Les services réseau sont de plus en plus étendus et de plus en plus complexes à gérer. Il est extrêmement important de maintenir la qualité de service pour les utilisateurs, en particulier le temps de réponse des applications et services critiques en forte demande. D'autre part, il y a une évolution dans la manière avec laquelle les attaquants accèdent aux systèmes et infectent les ordinateurs. Le déploiement d'un outil de détection d'intrusion (IDS) est donc essentiel pour surveiller et analyser les systèmes en opération. Une composante importante à associer à un outil de détection d'intrusion est un sous-système de calcul de la sévérité des attaques et de sélection d'une réponse adéquate au bon moment. Ce composant est nommé système d'intervention et de réponse aux intrusions (IRS). Un IRS doit évaluer avec précision la valeur de la perte que pourrait subir une ressource compromise ainsi que le coût des réponses envisagées. Sans cette information, un IRS automatique risque de sérieusement réduire les performances du réseau, déconnecter à tort les utilisateurs du réseau, causer un résultat impliquant des coûts élevés pour le rétablissement des services par les administrateurs, et ainsi devenir une attaque par déni de service de notre réseau. Dans cette thèse, nous abordons ces défis et nous proposons un IRS qui tient compte de ces coûts. Dans la première partie de cette thèse, nous présentons une évaluation dynamique des coûts de réponse. L'évaluation des coûts d'intervention est un élément important du système d'intervention et de réponse aux intrusion. Bien que de nombreux IRS automatisés aient été proposés, la plupart d'entre eux choisissent statiquement les réponses en fonction des attaques, évitant la nécessité d'une évaluation dynamique des coûts de réponse. Toutefois, avec une évaluation dynamique des réponses, on peut atténuer les inconvénients du modèle statique. En outre, il sera alors plus efficace de défendre un système contre une attaque car la réponse sera moins prévisible. Un modèle dynamique offre une meilleure réponse choisie selon la situation actuelle du réseau. Ainsi, l'évaluation des effets positifs et des effets négatifs des réponses doit être calculée en ligne, au moment de l'attaque, dans un modèle dynamique. Nous évaluons le coût de réponse en ligne en fonction des liens de dépendance entre les ressources, du nombre d'utilisateurs en ligne, et du niveau de privilège de chaque utilisateur. Dans la deuxième partie, un IRS a justement été proposé qui fonctionne avec une composante d'évaluation en ligne du risque d'attaque. Une coordination parfaite entre le mécanisme d'évaluation des risques et le système de réponse dans le modèle proposé a conduit à un cadre efficace qui est capable de : (1) tenter de réduire les risques d'intrusion, (2) calculer l'efficacité des réponses, et (3) décider de l'activation et la désactivation des réponses en fonction de facteurs dont plusieurs qui ont rarement été couverts dans les précédents modèles impliquant ce type de coopération. Pour démontrer l'efficacité et la faisabilité du modèle proposé dans les environnements de production réels, une attaque sophistiquée, exploitant une combinaison de vulnérabilités afin de compromettre un ordinateur cible, a été mise en oeuvre. Dans la troisième partie, nous présentons une méthode en ligne pour calculer le coût de l'attaque à l'aide d'une combinaison de graphe d'attaque dynamique et de graphe de dépendances de services en mode direct. Dans ce travail, la détection et la génération du graphe d'attaque sont basées sur les évènements d'une trace d'exécution au niveau du noyau, ce qui est nouveau dans ce travail. En effet, notre groupe (Laboratoire DORSAL) a conçu un traceur à faible impact pour le système d'exploitation Linux, appelé LTTng (Linux Trace Toolkit prochaine génération). Tous les cadres proposés sont basés sur le traceur LTTng. Le noyau Linux est instrumenté avec l'infrastructure des points de trace. Ainsi, il peut fournir beaucoup d'information sur les appels système. Aussi, ce mécanisme est disponible en espace utilisateur. Après avoir recueilli toutes les traces, il faut les synchroniser puisque chaque noeud sur lequel une trace est générée possè de sa propre horloge. Finalement, nous utilisons un algorithme d'abstraction pour faire face aux énormes fichiers de trace et synthétiser les informations utiles pour un mécanisme de détection d'attaques et de déclenchement de mesures correctives visant à atténuer l'effet des attaques.---------ABSTRACT Network services are becoming larger and increasingly complex to manage. It is extremely important to maintain the users QoS, the response time of applications, and critical services in high demand. On the other hand, we see impressive changes in the ways in which attackers gain access to systems and infect computers. Deployment of intrusion detection tools (IDS) is critical to monitor and analyze running systems. An important component needed to complement intrusion detection tools is a subsystem to evaluate the severity of each attack and select a correct response at the right time. This component is called Intrusion Response System (IRS). An IRS has to accurately assess the value of the loss incurred by a compromised resource and have an accurate evaluation of the responses cost. Otherwise, our automated IRS will reduce network performance, wrongly disconnect users from the network, or result in high costs for administrators reestablishing services, and become a DoS attack for our network, which will eventually have to be disabled. In this thesis, we address this challenges and we propose a cost-sensitive framework for IRS. In the rst part of this dissertation, we present a dynamic response cost evaluation. Response cost evaluation is a major part of the Intrusion Response System. Although many automated IRSs have been proposed, most of them use statically evaluated responses, avoiding the need for dynamic evaluation of response cost. However, by designing a dynamic evaluation for the responses, we can alleviate the drawbacks of the static model. Furthermore,it will be more eective at defending a system from an attack as it will be less predictable. A dynamic model oers the best response based on the current situation of the network. Thus, the evaluation of the positive eects and negative impacts of the responses must be computed online, at attack time, in a dynamic model. We evaluate the response cost online with respect to the resources dependencies and the number of online users. In the second part, an IRS has been proposed that works with an online risk assessment component. Perfect coordination between the risk assessment mechanism and the response system in the proposed model has led to an ecient framework that is able to: (1) manage risk reduction issues; (2) calculate the response Goodness; and (3) perform response activation and deactivation based on factors that have rarely been seen in previous models involving this kind of cooperation. To demonstrate the eciency and feasibility of using the proposed model in real production environments, a sophisticated attack exploiting a combination of vulnerabilities to compromise a target machine was implemented. In the third part, we present an online method to calculate the attack cost using a combination of dynamic attack graph and service dependency graph in live mode. In this work, detecting and generating the attack graph is based on kernel level events which is new in this work.Our group (DORSAL Lab) has designed a low impact tracer in the Linux operating system called LTTng (Linux Trace Toolkit next generation). All the proposed frameworks are based on the LTTng tracer. The Linux kernel is instrumented with the tracepoint infrastructure. Thus, it can provide a lot of information about system call entry and exit. Also, this mechanism is available at user-space level. After gathering all traces, we have to synchronize them because each trace is generated on a node with its own clock. We use an abstraction algorithm, to deal with huge trace les, to prepare useful information for the detection mechanism and nally to trigger corrective measures to mitigate attack

Electronic Voting: 6th International Joint Conference, E-Vote-ID 2021, Virtual Event, October 5–8, 2021: proceedings

This volume contains the papers presented at E-Vote-ID 2021, the Sixth International Joint Conference on Electronic Voting, held during October 5–8, 2021. Due to the extraordinary situation brought about by the COVID-19, the conference was held online for the second consecutive edition, instead of in the traditional venue in Bregenz, Austria. The E-Vote-ID conference is the result of the merger of the EVOTE and Vote-ID conferences, with first EVOTE conference taking place 17 years ago in Austria. Since that conference in 2004, over 1000 experts have attended the venue, including scholars, practitioners, authorities, electoral managers, vendors, and PhD students. The conference focuses on the most relevant debates on the development of electronic voting, from aspects relating to security and usability through to practical experiences and applications of voting systems, also including legal, social, or political aspects, amongst others, and has turned out to be an important global referent in relation to this issue

Sixth International Joint Conference on Electronic Voting E-Vote-ID 2021. 5-8 October 2021

This volume contains papers presented at E-Vote-ID 2021, the Sixth International Joint Conference on Electronic Voting, held during October 5-8, 2021. Due to the extraordinary situation provoked by Covid-19 Pandemic, the conference is held online for second consecutive edition, instead of in the traditional venue in Bregenz, Austria. E-Vote-ID Conference resulted from the merging of EVOTE and Vote-ID and counting up to 17 years since the _rst E-Vote conference in Austria. Since that conference in 2004, over 1000 experts have attended the venue, including scholars, practitioners, authorities, electoral managers, vendors, and PhD Students. The conference collected the most relevant debates on the development of Electronic Voting, from aspects relating to security and usability through to practical experiences and applications of voting systems, also including legal, social or political aspects, amongst others; turning out to be an important global referent in relation to this issue. Also, this year, the conference consisted of: · Security, Usability and Technical Issues Track · Administrative, Legal, Political and Social Issues Track · Election and Practical Experiences Track · PhD Colloquium, Poster and Demo Session on the day before the conference E-VOTE-ID 2021 received 49 submissions, being, each of them, reviewed by 3 to 5 program committee members, using a double blind review process. As a result, 27 papers were accepted for its presentation in the conference. The selected papers cover a wide range of topics connected with electronic voting, including experiences and revisions of the real uses of E-voting systems and corresponding processes in elections. We would also like to thank the German Informatics Society (Gesellschaft für Informatik) with its ECOM working group and KASTEL for their partnership over many years. Further we would like to thank the Swiss Federal Chancellery and the Regional Government of Vorarlberg for their kind support. EVote- ID 2021 conference is kindly supported through European Union's Horizon 2020 projects ECEPS (grant agreement 857622) and mGov4EU (grant agreement 959072). Special thanks go to the members of the international program committee for their hard work in reviewing, discussing, and shepherding papers. They ensured the high quality of these proceedings with their knowledge and experience