
    Towards a Reliable Comparison and Evaluation of Network Intrusion Detection Systems Based on Machine Learning Approaches

    Presently, we are living in a hyper-connected world where millions of heterogeneous devices continuously share information in different application contexts: wellness, improved communications, digital businesses, etc. However, the larger the number of devices and connections, the higher the risk of security threats in this scenario. To counter malicious behaviours and preserve essential security services, Network Intrusion Detection Systems (NIDSs) are the most widely used line of defence in communication networks. Nevertheless, there is no standard methodology to evaluate and fairly compare NIDSs. Most proposals omit crucial steps of NIDS validation, which makes their comparison hard or even impossible. This work firstly includes a comprehensive study of recent NIDSs based on machine learning approaches, concluding that almost none of them comply with what the authors of this paper consider mandatory steps for a reliable comparison and evaluation of NIDSs. Secondly, a structured methodology is proposed and assessed on the UGR'16 dataset to test its suitability for addressing network attack detection problems. The guideline and recommended steps will help the research community to assess NIDSs fairly, although a definitive framework is not a trivial task and, therefore, some extra effort is still needed to improve its understandability and usability further.

    Engineering the application of machine learning in an IDS based on IoT traffic flow

    Internet of Things (IoT) devices are now widely used, enabling intelligent services that, together with new communication technologies such as 5G and broadband internet, boost smart-city environments. Despite their limited resources, IoT devices collect and share large amounts of data and are connected to the internet, making them an attractive target for malicious actors. This work uses machine learning combined with an Intrusion Detection System (IDS) to detect possible attacks. Due to the limitations of IoT devices and low-latency services, the IDS must have a specialized architecture. Furthermore, although machine learning-based solutions have high potential, there are still challenges related to training and generalization, which may impose constraints on the architecture. Our proposal is an IDS with a distributed architecture that relies on Fog computing to run specialized modules and uses deep neural networks to identify malicious traffic inside IoT data flows. We compare our IoT-Flow IDS with three other architectures. We assess model generalization using test data from different datasets and evaluate their performance in terms of Recall, Precision, and F1-Score. Results confirm the feasibility of flow-based anomaly detection and the importance of network traffic segmentation and specialized models in AI-based IDS for IoT.
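The two abstracts above both turn on evaluation discipline: fitting on benign data only, choosing the alert threshold on a held-out split at a stated false-positive budget, reporting Precision/Recall/F1 rather than accuracy, and re-testing the same model on a second dataset to measure generalization. The following Python script is an added example that demonstrates that discipline end to end; it is not code from either paper, and it uses no real dataset. The flow records, the three features, both synthetic "datasets" and the attack profile are constructed assumptions, and the per-feature z-score detector is a deliberately simple stand-in for the learned models the papers evaluate.

```python
"""Flow-based anomaly detector with a reproducible evaluation harness.

Added example, not code from the papers above. Flow records, features and
both synthetic datasets are constructed here so the script runs offline.
"""
import random
from statistics import mean, pstdev

FEATURES = ("bytes", "packets", "duration")  # assumed per-flow features


def make_flows(rng, n, label, centre, spread):
    """Constructed flow records: one dict per flow, Gaussian per feature."""
    return [
        {**{f: rng.gauss(centre[f], spread[f]) for f in FEATURES}, "label": label}
        for _ in range(n)
    ]


class ZScoreDetector:
    """Fit a per-feature baseline on benign flows only, score a flow by its
    largest absolute z-score, and set the alert threshold from a benign
    validation split at a fixed false-positive budget."""

    def fit(self, benign_train, benign_val, fp_budget=0.01):
        self.mu = {f: mean(x[f] for x in benign_train) for f in FEATURES}
        self.sigma = {f: pstdev(x[f] for x in benign_train) or 1e-9 for f in FEATURES}
        scores = sorted(self.score(x) for x in benign_val)
        idx = min(len(scores) - 1, int((1 - fp_budget) * len(scores)))
        self.threshold = scores[idx]  # e.g. 0.99 quantile of benign scores
        return self

    def score(self, flow):
        return max(abs((flow[f] - self.mu[f]) / self.sigma[f]) for f in FEATURES)

    def predict(self, flow):
        return 1 if self.score(flow) > self.threshold else 0


def evaluate(detector, flows):
    """Precision/Recall/F1 next to accuracy: accuracy stays high whenever
    attacks are a small minority, so it hides a poor precision."""
    tp = fp = fn = tn = 0
    for x in flows:
        y, p = x["label"], detector.predict(x)
        if y == 1 and p == 1:
            tp += 1
        elif y == 0 and p == 1:
            fp += 1
        elif y == 1 and p == 0:
            fn += 1
        else:
            tn += 1
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    f1 = 2 * precision * recall / (precision + recall) if precision + recall else 0.0
    accuracy = (tp + tn) / len(flows)
    return {"precision": precision, "recall": recall, "f1": f1,
            "accuracy": accuracy, "tp": tp, "fp": fp, "fn": fn, "tn": tn}


# Constructed dataset A: benign baseline the detector is trained on.
BENIGN_A = ({"bytes": 300, "packets": 5, "duration": 1.0},
            {"bytes": 50, "packets": 1, "duration": 0.2})
# Constructed dataset B: same attacks, but benign flows are larger and
# longer-lived (a different site), to test cross-dataset generalization.
BENIGN_B = ({"bytes": 600, "packets": 8, "duration": 2.0},
            {"bytes": 100, "packets": 2, "duration": 0.4})
# Constructed flood-like attack profile shared by both test sets.
ATTACK = ({"bytes": 3000, "packets": 50, "duration": 0.2},
          {"bytes": 300, "packets": 5, "duration": 0.05})


def run_experiment(seed=7):
    rng = random.Random(seed)
    train = make_flows(rng, 2000, 0, *BENIGN_A)
    val = make_flows(rng, 500, 0, *BENIGN_A)
    det = ZScoreDetector().fit(train, val, fp_budget=0.01)
    # In-distribution test: 1000 benign flows from A plus 20 attacks (2%).
    test_a = make_flows(rng, 1000, 0, *BENIGN_A) + make_flows(rng, 20, 1, *ATTACK)
    # Cross-dataset test: identical attacks, benign traffic from B.
    test_b = make_flows(rng, 1000, 0, *BENIGN_B) + make_flows(rng, 20, 1, *ATTACK)
    return {"in_distribution": evaluate(det, test_a),
            "cross_dataset": evaluate(det, test_b)}


if __name__ == "__main__":
    for name, m in run_experiment().items():
        print(f"{name:16s} P={m['precision']:.2f} R={m['recall']:.2f} "
              f"F1={m['f1']:.2f} acc={m['accuracy']:.3f} (FP={m['fp']})")
```

In-distribution, recall is 1.0 and accuracy is around 0.99, yet precision is well below 1 because even a 1% false-positive rate on 1000 benign flows produces about as many false alerts as there are attacks; only Precision/Recall/F1 make that visible. On dataset B the unchanged detector flags nearly every benign flow, so precision and F1 collapse: this is the generalization failure the IoT-Flow evaluation guards against by testing on a different dataset, and the kind of step the first paper argues must be reported for any fair comparison.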

    UNCOVERING EVIDENCE OF ATTACKER BEHAVIOR ON THE NETWORK

    This research presents and investigates a broad assessment of intrusion detection strategies and their role in contemporary cybersecurity. Intrusion Detection Systems are analysed as vital components in safeguarding digital infrastructure, using techniques such as signature-based, anomaly-based and heuristic-based detection. While signature-based methods prove robust against known threats, the review highlights the crucial role of anomaly-based and heuristic-based approaches in countering novel and sophisticated attacks. Different types of attacks, their characteristics and their behaviours are explored in this paper. The integration of machine learning and artificial intelligence (AI) in recognising anomalous activity emerges as a transformative force, enabling adaptive responses to evolving cyber threats. The research critically analyses the challenges faced by existing detection strategies, including scalability concerns, high false-positive rates, and the obstacles that encryption poses to traffic analysis. The results and analysis section validates the effectiveness of the proposed models, including ensemble learning methods and novel techniques such as an approach based on blockchain and anomaly-based detection (SABA). A Convolutional Neural Network (CNN) model for intrusion detection in IoT environments and a hybrid approach combining ranking-based filter methods with NSGA-II show notable accuracies. The review's implications for network security are significant, leading to recommendations for a TTP-driven approach, integration of behavioural anomalies, continuous security awareness training, regular red team exercises, adaptive incident response plans, and periodic security audits.
    Overall, the research contributes a nuanced understanding of attacker behaviours and practical strategies for cybersecurity resilience, and sets the stage for future investigation into dynamic threat landscapes and the human element in cybersecurity.

    Cybersecurity of Industrial Cyber-Physical Systems: A Review

    Industrial cyber-physical systems (ICPSs) manage critical infrastructures by controlling processes based on the "physics" data gathered by edge sensor networks. Recent innovations in ubiquitous computing and communication technologies have prompted the rapid integration of highly interconnected systems into ICPSs. Hence, the "security by obscurity" once provided by air-gapping no longer holds. As the interconnectivity in ICPSs increases, so does the attack surface. Industrial vulnerability assessment reports have shown that a variety of new vulnerabilities have arisen from this transition, the most common of which relate to weak boundary protection. Although there are existing surveys in this context, very little is said about these reports. This paper bridges that gap by defining and reviewing ICPSs from a cybersecurity perspective. In particular, a multi-dimensional adaptive attack taxonomy is presented and used to evaluate real-life ICPS cyber incidents. We also identify the general shortcomings and highlight the points that leave a gap in the existing literature while defining future research directions. Comment: 32 pages, 10 figures.

    TRIDEnT: Building Decentralized Incentives for Collaborative Security

    Sophisticated mass attacks, especially when exploiting zero-day vulnerabilities, have the potential to cause destructive damage to organizations and critical infrastructure. To detect and contain such attacks in time, collaboration among defenders is critical. By correlating real-time detection information (alerts) from multiple sources (collaborative intrusion detection), defenders can detect attacks and take the appropriate defensive measures in time. However, although the technical tools to facilitate collaboration exist, real-world adoption of such collaborative security mechanisms is still underwhelming. This is largely due to a lack of trust and of participation incentives for companies and organizations. This paper proposes TRIDEnT, a novel collaborative platform that aims to enable and incentivize parties to exchange network alert data, thus increasing their overall detection capabilities. TRIDEnT allows parties that may be in a competitive relationship to selectively advertise, sell and acquire security alerts in the form of (near) real-time peer-to-peer streams. To validate the basic principles behind TRIDEnT, we present an intuitive game-theoretic model of alert sharing, which is of independent interest, and show that collaboration is bound to take place infinitely often. Furthermore, to demonstrate the feasibility of our approach, we instantiate our design in a decentralized manner using Ethereum smart contracts and provide a fully functional prototype. Comment: 28 pages.

    SecureFlow: Knowledge and data-driven ensemble for intrusion detection and dynamic rule configuration in software-defined IoT environment

    The number of heterogeneous devices deployed in Internet of Things (IoT) environments for efficient communication is growing massively. IoT devices are resource-limited, and there are no defined security protocols for communication on IoT-based platforms. Several solutions have been framed to secure communication in the IoT ecosystem. However, the existing schemes are not reliable enough to handle the cyber threats and unwarranted incidents (such as intrusions, anomalies and attacks) coming from IoT endpoints, owing to the unstructured patterns of IoT data and dynamic network conditions. Moreover, heavy cryptographic primitives have deployment challenges of their own due to the resource constraints of the IoT ecosystem. The dynamic nature of IoT traffic requires flexible and varied rules to handle threats in different deployment scenarios. Therefore, a programmable interface enabled through Software-defined Networking (SDN) can handle heterogeneous threats and incidents in the IoT cyber world. Thus, in this paper, we design a novel framework, SecureFlow, an intrusion detection and dynamic rule configuration system based on a knowledge-based and data-driven ensemble. The proposed framework is robust and fault tolerant owing to its dual-layer Intrusion Detection System (IDS) and rule configuration modules, each of which can operate without the other. SecureFlow is validated through several experiments performed in Mininet emulations. The results show that the proposed framework is effective and promising.

    Anomaly-based network intrusion detection: Techniques, systems and challenges.

    Keywords: Threat; Intrusion detection; Anomaly detection; IDS systems and platforms; Assessment
    Abstract: The Internet and computer networks are exposed to an increasing number of security threats. With new types of attacks appearing continually, developing flexible and adaptive security-oriented approaches is a severe challenge. In this context, anomaly-based network intrusion detection techniques are a valuable technology to protect target systems and networks against malicious activities. However, despite the variety of such methods described in the literature in recent years, security tools incorporating anomaly detection functionalities are just starting to appear, and several important problems remain to be solved. This paper begins with a review of the most well-known anomaly-based intrusion detection techniques. Then, available platforms, systems under development and research projects in the area are presented. Finally, we outline the main challenges to be dealt with for the wide-scale deployment of anomaly-based intrusion detectors, with special emphasis on assessment issues. © 2008 Elsevier Ltd. All rights reserved.
    Introduction: Intrusion Detection Systems (IDS) are security tools that, like other measures such as antivirus software, firewalls and access control schemes, are intended to strengthen the security of information and communication systems. Although, as shown i

    Obfuscation of Malicious Behaviors for Thwarting Masquerade Detection Systems Based on Locality Features

    In recent years, dynamic user verification has become one of the basic pillars of insider threat detection. Among these threats, the research presented in this paper focuses on masquerader attacks, a category of insider threat in which persons outside the organization have somehow managed to impersonate legitimate users. Consequently, masqueraders are assumed to be unfamiliar with the protected environment of the targeted organization, so they are expected to move across the compromised systems more erratically than legitimate users do. This trait makes them susceptible to discovery by dynamic user verification methods based on user profiling and anomaly-based intrusion detection. However, these approaches can be evaded by imitating the normal, legitimate usage of the protected system (mimicry), a technique now widely exploited by intruders. In order to contribute to the understanding of such evasions, as well as to anticipate their evolution, this research studies mimicry from the standpoint of an uncharted area: masquerade detection based on the analysis of locality traits. With this purpose, the problem is stated in full, and a pair of novel obfuscation methods are introduced: locality-based mimicry by action pruning and locality-based mimicry by noise generation. Their modus operandi, effectiveness and impact are evaluated against a collection of well-known classifiers typically used for masquerade detection. The simplicity and effectiveness demonstrated suggest that they constitute attack vectors that should be taken into consideration when hardening real organizations.