
    Deep Learning Approach for Intelligent Intrusion Detection System

    Machine learning techniques are widely used to develop intrusion detection systems (IDS) that detect and classify cyberattacks at the network level and the host level in a timely and automatic manner. However, many challenges arise because malicious attacks are continually changing and occur in very large volumes, which requires a scalable solution. Several malware datasets are publicly available for further research by the cyber security community. However, no existing study has presented a detailed analysis of the performance of various machine learning algorithms across these publicly available datasets. Because malware is dynamic and attack methods change continuously, the publicly available malware datasets need to be updated systematically and benchmarked. In this paper, a deep neural network (DNN), a type of deep learning model, is explored to develop a flexible and effective IDS that detects and classifies unforeseen and unpredictable cyberattacks. The continuous change in network behaviour and the rapid evolution of attacks make it necessary to evaluate the various datasets generated over the years through static and dynamic approaches. Such a study helps identify the algorithm that works best for detecting future cyberattacks. A comprehensive experimental evaluation of DNNs and other classical machine learning classifiers is presented on various publicly available benchmark malware datasets. The optimal network parameters and network topologies for the DNNs are chosen through hyperparameter selection on the KDDCup 99 dataset. All DNN experiments are run for 1,000 epochs with the learning rate varying in the range [0.01–0.5]. The DNN model that performed well on KDDCup 99 is then applied to other datasets, namely NSL-KDD, UNSW-NB15, Kyoto, WSN-DS, and CICIDS 2017, to conduct the benchmark. Our DNN model learns an abstract, high-dimensional feature representation of the IDS data by passing it through many hidden layers. Rigorous experimental testing confirms that DNNs perform well in comparison with classical machine learning classifiers. Finally, we propose a highly scalable hybrid DNN framework called scale-hybrid-IDS-AlertNet, which can be used in real time to monitor network traffic and host-level events effectively and to proactively alert on possible cyberattacks.

    Comparative Analysis of User Behaviour Using a Low Interaction Honeypot and an IDS on an Edge Computing System

    Edge computing is currently growing rapidly, and this growth is accompanied by very large threats. The edge server is a system that is vulnerable to attack. Such attacks can take the form of DoS, port scanning, web service intrusion, and so on. Preventive measures are therefore needed to minimise the risk caused by these attacks, by analysing user activity when accessing the edge server. This study aims to identify and analyse user activity when accessing the edge server using a Low Interaction Honeypot and an IDS. Testing was carried out under two scenarios: with the honeypot switched on and with it switched off. The results show that in the honeypot-on scenario the load on the edge server became heavy, indicated by an average latency of 0.0085 s. In addition, more server service ports were open, increasing the intruder's opportunity to attack the edge server. In the honeypot-off scenario the load on the edge server decreased, indicated by an average latency of 0.0055 s. In addition, the only open server service ports were those belonging to Windows and XAMPP, so the intruder's activity was limited. These tests show that the more ports and server services are open, the higher the risk of attack, and that with a honeypot this risk can be reduced by analysing intruder activity and defining appropriate rules for attack prevention.

    Anomaly Detection Approach Based on Deep Neural Network and Dropout

    With regard to computer system security, intrusion detection systems are fundamental components for discriminating attacks at an early stage. They monitor and analyse network traffic, looking for abnormal behaviours or attack signatures in order to detect them early. However, many challenges arise while developing detection systems that are flexible and active against unforeseen attacks. In this thesis, we propose a classifier composed of a deep neural network to form a network intrusion detection system. This classifier is improved using the dropout technique, which temporarily ignores some of the units in the hidden layers of the deep neural network during the training phase, leading to good classification results by reducing the model's (classifier's) susceptibility to overfitting. The dropout technique adds a certain noise, called Bernoulli noise, to the hidden unit outputs during the forward pass of data through the network in the training phase. When this noise is zero it stops or inhibits a portion of the neural units in the layer subject to dropout; if the neural network contains n hidden units, the total number of possible thinned neural networks is . These thinned neural networks share weights. Therefore a small number of thinned networks are trained and only a single trained model is obtained. In the testing phase, the network computes the geometric mean of the predictions of all thinned networks at test time. The experiments were carried out on the NSL_KDD data. A SoftMax output layer was used with the cross-entropy loss function to enable the classifier to perform multi-class classification with five classes: one normal (Normal) and four attacks (Dos, R2L, U2L and Probe). Accuracy was used to evaluate the model's performance, and the classifier's accuracy reached 99.46%. Detection time in network intrusion detection classifiers is mostly reduced using the feature selection technique. The intrusion detection system's performance in detecting attacks was improved by the deep neural network classifier together with the feature selection algorithm, achieving an accuracy of 99.27%.

    Regarding computer system security, intrusion detection systems are fundamental components for discriminating attacks at an early stage. They monitor and analyse network traffic, looking for abnormal behaviours or attack signatures to detect intrusions early. However, many challenges arise while developing a flexible and efficient network intrusion detection system (NIDS) with a high detection rate for unforeseen attacks. In this paper, a deep neural network (DNN) approach is proposed for anomaly-detection NIDS. Dropout is the regularisation technique used with the DNN model to reduce overfitting. The experiments were carried out on the NSL_KDD dataset. A SoftMax output layer was used with the cross-entropy loss function to enable the proposed model to perform multi-class classification with five labels: one normal and four attacks (Dos, R2L, U2L and Probe). The accuracy metric was used to evaluate model performance. The proposed model achieved an accuracy of 99.45%. Recognition time in a NIDS is commonly reduced by using a feature selection technique. The proposed DNN classifier, implemented with a feature selection algorithm, achieved an accuracy of 99.27%.

    Intrusion Detection: A Deep Learning Approach

    Network intrusions are a significant problem in all industries today. A critical part of the solution is being able to detect intrusions effectively. With recent advances in artificial intelligence, current research has begun adopting deep learning approaches for intrusion detection. Current approaches for multi-class intrusion detection include the use of a deep neural network. However, this approach fails to take into account the spatial relationships between data objects and the long-term dependencies present in the dataset. The paper proposes a novel intrusion detection architecture that has a Convolutional Neural Network (CNN) module, a Long Short-Term Memory (LSTM) module and a Support Vector Machine (SVM) classification function. The analysis is followed by a comparison of conventional machine learning techniques and deep learning methodologies, which highlights areas that could be explored further.

    Comment: presented at the 2023 Second International Conference on Electrical, Electronics, Information and Communication Technologies (ICEEICT 2023)

    A Comparative Study between Machine Learning and Deep Learning Algorithm for Network Intrusion Detection

    Network intrusion detection is a system that monitors a network to prevent malicious activity. One of the methods used for intrusion detection systems is machine learning. Many studies have shown that machine learning provides good detection in terms of accuracy and performance. However, it can only be used with smaller datasets, and the features have to be determined by hand. Deep learning is therefore applied to counter this problem, as it can form its own features without human effort and can be tested on a larger dataset. This study aims to conduct a comparative study of network intrusion detection using machine learning and deep learning algorithms. The dataset to be tested is CSE-CIC-IDS2018, using a Support Vector Machine and a Convolutional Neural Network.

    Exploring the potential of offline cryptography techniques for securing ECG signals in healthcare

    In this research, software for chaos-based encryption of ECG signals was implemented in C# using the Microsoft Visual Studio development kit. A chaos logistic map (ChLMp) and its initial value are used to create the level-1 chaos-based ECG encryption bit streams. A ChLMp, an initial value, a ChLMp bifurcation parameter, and two encryption-level parameters are used to create the level-2 chaos-based ECG encryption bit streams. The level-3 chaos-based ECG encryption software uses two encryption-level parameters, a permutation mechanism, an initial value, a bifurcation parameter for the encryption level, and a ChLMp. We assess high-resolution 16-channel ECG signals using the encryption software. The level-3 chaos-based ECG encryption program has the slowest and most reliable encryption speed. According to the test findings the encryption effect is superior, and when the correct decoding parameter is used the ECG signals can be completely recovered. The high-resolution 16-channel ECG signals (HRMCECG) cannot be recovered if an incorrect input parameter is used, such as a 0.00001% error in the initial point, which results in different chaotic encryption bit streams.

    A Method for Minimising the Cost of Building a Multi-Circuit Protection System Based on a Genetic Algorithm

    The article describes a methodology for multi-criteria optimization of the costs of the information protection system of an object of informatization. The technique is based on the use of a modified VEGA genetic algorithm. A modified algorithm is proposed for solving the MCO (multi-criteria optimization) problem for the parameters of a multi-circuit information protection system of an object of informatization, which makes it possible to substantiate the rational characteristics of the ISS (information security system) components, taking into account the priority cybersecurity metrics of the OBI (object of informatization) selected by the expert. In contrast to the existing classical VEGA algorithm, the modified algorithm additionally applies the Pareto principle, as well as a new mechanism for the selection of population specimens. The Pareto principle applies to the best point. A solution at this point is interpreted as the best if there is an improvement in one of the cybersecurity metrics and it is strictly no worse in the other metric (or metrics). The new selection mechanism, in contrast to the traditional one, involves the creation of an intermediate population. The intermediate population is formed in several stages. At the first stage, the first half of the population is formed based on the metric: the proportion of vulnerabilities of the object of informatization that are eliminated in a timely manner. At the second stage, the second half of the intermediate population is formed based on the metric: the proportion of risks that are unacceptable for the information assets of the object of informatization. These parts of the intermediate population are then mixed. After mixing, an array of numbers is formed and shuffled. At the final stage of selection for crossover, specimens (individuals) are taken by their number from this array. The numbers are chosen randomly. The effectiveness of this technique has been confirmed by practical results.

    The article sets out a method of multi-criteria optimization of the costs of an information protection system for an object of informatization. The method is based on the application of a modified VEGA genetic algorithm. A modified algorithm is proposed for solving the MCO problem for the parameters of a multi-circuit information protection system of an object of informatization, which makes it possible to justify the optimal parameters of the ISS components, taking into account the priority cybersecurity metrics of the OBI selected by the expert. In contrast to the existing classical VEGA algorithm, the modified algorithm additionally applies the Pareto principle as well as a new mechanism for selecting population specimens. The Pareto principle is applied to the best point. At this point, solutions are interpreted as the best if there is an improvement in one of the cybersecurity metrics and correspondingly no worsening in the other metric (or metrics). The new selection mechanism, unlike the traditional one, provides for the creation of an intermediate population. The intermediate population is formed in several stages. At the first stage, the first half of the population is formed on the basis of the metric: the proportion of vulnerabilities of the object of informatization that are eliminated within the set deadlines. At the second stage, the second half of the intermediate population is formed on the basis of the metric: the proportion of risks that are unacceptable for the information assets of the object of informatization. These parts of the intermediate population are then mixed. After mixing, an array of numbers is formed and shuffled. At the final stage of selection for crossover, specimens (individuals) are taken by number from this array. The numbers are chosen randomly. The effectiveness of applying this method is confirmed by practical results.

    A Security Model for the Classification of Suspicious Data Using Machine Learning Techniques

    Cybercrime first emerged in 1981 and gained significant attention in the 20th century. The proliferation of technology and our increasing reliance on the internet have been major factors contributing to the growth of cybercrime. Different countries face varying types and levels of cyber-attacks, with developing countries often dealing with different types of attacks than developed countries. The response to cybercrime is usually based on the resources and technological capabilities available in each country. For example, sophisticated attacks involving machine learning may not be common in countries with limited technological advancement. Despite the variations in technology and resources, cybercrime remains a costly issue worldwide, projected to reach around 8 trillion by 2023. Preventing and combating cybercrime has become crucial in our society. Machine learning techniques, such as convolutional neural networks (CNN), recurrent neural networks (RNN), and others, have gained popularity in the fight against cybercrime. Researchers and authors have made significant contributions to protecting against and predicting cybercrime. Nowadays, many corporations implement cyber defence strategies based on machine learning to safeguard their data. In this study, we used five different machine learning algorithms, namely CNN, LSTM, RNN, GRU, and MLP DNN, to address cybercrime. The models were trained and tested using the InSDN public dataset. Each model produced different training and test accuracy percentages.

    Collaborative Feature Maps of Networks and Hosts for AI-driven Intrusion Detection

    Intrusion Detection Systems (IDS) are critical security mechanisms that protect against a wide variety of network threats and malicious behaviours on networks or hosts. As both Network-based IDS (NIDS) and Host-based IDS (HIDS) have been widely investigated, this paper aims to present a Combined Intrusion Detection System (CIDS) that integrates network and host data in order to improve IDS performance. Due to the scarcity of datasets that include both network packet and host data, we present a novel CIDS dataset formation framework that can handle log files from a variety of operating systems and align log entities with network flows. A new CIDS dataset named SCVIC-CIDS-2021 is derived from the metadata of the well-known benchmark dataset CIC-IDS-2018 using the proposed framework. Furthermore, a transformer-based deep learning model named CIDS-Net is proposed that takes network flow and host features as inputs and outperforms baseline models that rely on network flow features only. Experimental results evaluating the proposed CIDS-Net on the SCVIC-CIDS-2021 dataset support the hypothesis that combining host and flow features is beneficial, as the proposed CIDS-Net improves the macro F1 score of the baseline solutions by 6.36% (up to 99.89%).

    Comment: IEEE Global Communications Conference (Globecom), 2022, 6 pages, 3 figures, 4 tables