Utilising Deep Learning techniques for effective zero-day attack detection
Machine Learning (ML) and Deep Learning (DL) have been used for building Intrusion Detection Systems (IDS). The increase in both the number and sheer variety of new cyber-attacks poses a tremendous challenge for IDS solutions that rely on a database of historical attack signatures. Therefore, the industrial pull for robust IDS capable of flagging zero-day attacks is growing. Current outlier-based zero-day detection research suffers from high false-negative rates, thus limiting its practical use and performance. This paper proposes an autoencoder implementation to detect zero-day attacks. The aim is to build an IDS model with high recall while keeping the miss rate (false negatives) to an acceptable minimum. Two well-known IDS datasets are used for evaluation: CICIDS2017 and NSL-KDD. To demonstrate the efficacy of our model, we compare its results against a One-Class Support Vector Machine (SVM). The manuscript highlights the performance of a One-Class SVM when zero-day attacks are distinctive from normal behaviour. The proposed model benefits greatly from the autoencoder's encoding-decoding capabilities. The results show that autoencoders are well suited to detecting complex zero-day attacks. The results demonstrate a zero-day detection accuracy of [89% - 99%] for the NSL-KDD dataset and [75% - 98%] for the CICIDS2017 dataset. Finally, the paper outlines the observed trade-off between recall and fallout.
From Zero-Shot Machine Learning to Zero-Day Attack Detection
The standard ML methodology assumes that the test samples are derived from a set of pre-observed classes used in the training phase, in which the model extracts and learns useful patterns to detect new data samples belonging to the same data classes. However, in certain applications such as Network Intrusion Detection Systems, it is challenging to obtain data samples for all attack classes that the model will most likely observe in production. ML-based NIDSs face new attack traffic known as zero-day attacks, which is not used in the training of the learning models because it did not exist at the time. In this paper, a zero-shot learning methodology is proposed to evaluate ML model performance in the detection of zero-day attack scenarios. In the attribute learning stage, the ML models map the network data features to distinguishing semantic attributes of known attack (seen) classes. In the inference stage, the models are evaluated on the detection of zero-day attack (unseen) classes by constructing the relationships between known attacks and zero-day attacks. A new metric, the Zero-day Detection Rate, is defined to measure the effectiveness of the learning model in the inference stage. The results demonstrate that the majority of the attack classes do not represent significant risks to organisations adopting an ML-based NIDS in a zero-day attack scenario. However, for certain attack groups identified in this paper, such systems are not effective in applying the learnt attributes of attack behaviour to detect them as malicious. Further analysis was conducted using the Wasserstein Distance technique to measure how different such attacks are from the other attack types used in the training of the ML model. The results demonstrate that sophisticated attacks with a low zero-day detection rate have a significantly distinct feature distribution compared to the other attack classes.
Efficient Inductive Transfer Learning based Framework for Zero-Day Attack Detection
An Intrusion Detection System (IDS) is a security component that tracks and evaluates network connections or system operations to detect potential security breaches, unauthorized usage, and malicious activity within computer networks. Machine learning (ML) and deep learning (DL) algorithms provide better IDS based on labelled datasets. However, due to a lack of labelled data, their effectiveness in detecting zero-day attacks is limited. Anomaly detection methods frequently produce high False Positive Rates (FPR). Transfer learning (TL) is a powerful technique in various domains, including intrusion detection systems (IDS). It also creates advanced classifiers using knowledge extracted from the related source domain(s) with little or no labelled data. This paper introduces a zero-day attack detection (ZDAD) model that combines transfer learning with classification of attacks and non-attacks in the given dataset. Using the UNSW-NB15 dataset, the authors created a Transfer Learning-based prototype in this study. The goal was to unify the feature space for distinguishing unlabelled Generic samples representing zero-day attacks from regular instances using labelled DoS samples. The ZDAD performed admirably, achieving 99.24% accuracy and a low False Positive Rate (FPR) of 0.02%. This performance outperforms current state-of-the-art methods.
Signature Verification in the Collaboration of Distributed Network Intrusion Detection Systems with a Honeypot
An Intrusion Detection System (IDS) is a system widely used by network administrators to proactively detect intrusion attempts, based on signatures or anomalies, by issuing alerts as the result of its detection. However, in practice an IDS sometimes issues wrong alerts (true negative) or cannot detect intrusions that are Zero-Day attacks, which makes it difficult for administrators to analyse the attack and decide on the appropriate next action. To solve this problem, collaboration is needed between IDSs and with other network security technologies, with the aim of making intrusion detection better. In this research, a form of collaboration between IDS and a network security technology, namely a Honeypot, is proposed. In addition, a mechanism for correcting signatures produced by Honeypot analysis is proposed, so that the signatures can be used directly by the IDS without errors. Testing on fifteen attack scenarios shows that the proposed collaboration concept and signature correction mechanism are able to reduce true negative alerts and zero-day attacks by 85%, because of the fifteen attack scenarios only two were not successfully detected by the IDS and Honeypot.
Zero-day Attacks: Deployment and Evolution
In cybersecurity and computer science, the term "zero-day" is commonly related to troubles, threats, and hazards due to a lack of knowledge, experience, or misunderstanding. A zero-day attack is generally considered a new vulnerability with no defense; thus, the possible attack will have a high-risk probability and a critical impact. Unfortunately, only a few surveys on the topic are available that would help understand these threats, which are not enough to construct new solutions to detect, prevent, and mitigate them. In this paper, a review of the zero-day attack is conducted, covering how to understand its real impact and a few different solutions accessible nowadays. This study introduces a useful reference that provides researchers with the knowledge to understand the current problem concerning zero-day attacks; hence they could develop solutions for facing them.
Evolution and Detection of Polymorphic and Metamorphic Malware: A Survey
Malware is a big threat to the digital world and is evolving with high complexity. It can penetrate networks, steal confidential information from computers, bring down servers and cripple infrastructures. To combat the threats and attacks from malware, anti-malware has been developed. Existing anti-malware is mostly based on the assumption that the malware structure does not change appreciably. But recent advances in second-generation malware can create variants and hence pose a challenge to anti-malware developers. To combat the threats and attacks from second-generation malware with a low false alarm rate, we present our survey on malware and its detection techniques.
Comment: 5 pages
A framework for mitigating zero-day attacks in IoT
The Internet of Things (IoT) aims at providing connectivity between every computing entity. However, this facilitation is also leading to more cyber threats, which may exploit the presence of a vulnerability for a period of time. One such vulnerability is the zero-day threat, which may lead to zero-day attacks that are detrimental to an enterprise as well as to network security. In this article, a study is presented on the zero-day threats for IoT networks, and a context graph-based framework is presented to provide a strategy for mitigating these attacks. The proposed approach uses a distributed diagnosis system for classifying the context at the central service provider as well as at the local user site. Once a potential zero-day attack is identified, a critical data sharing protocol is used to transmit alert messages and re-establish the trust between the network entities and the IoT devices. The results show that the distributed approach is capable of mitigating the zero-day threats efficiently, with 33% and 21% improvements in terms of cost of operation and communication overheads, respectively, in comparison with the centralized diagnosis system.
Comment: 6 pages, 6 figures, Conference on Information Security and Cryptography (CISC-S'17)
Autoencoder-Based Representation Learning to Predict Anomalies in Computer Networks
With the recent advances in Internet-of-Things (IoT) devices, cloud-based services, and diversity in network data, there has been a growing need for sophisticated anomaly detection algorithms within the network intrusion detection system (NIDS) that can tackle advanced network threats. Advances in Deep and Machine Learning (ML) have been garnering considerable interest among researchers since they have the capacity to provide a solution to advanced threats such as the zero-day attack. An Intrusion Detection System (IDS) is the first line of defense against network-based attacks compared to other traditional technologies, such as firewall systems. This report adds to the existing approaches by proposing a novel strategy to incorporate both supervised and unsupervised learning into Intrusion Detection Systems (IDS). Specifically, the study utilizes a deep Autoencoder (DAE) as a dimensionality reduction tool and a Support Vector Machine (SVM) as a classifier to perform anomaly-based classification. The study diverges from other similar studies by performing a thorough analysis of deep autoencoders as a valid non-linear dimensionality reduction tool, comparing them against Principal Component Analysis (PCA) and tuning hyperparameters that optimize for the 'F-1 Micro' score and 'Balanced Accuracy', since we are dealing with a dataset with imbalanced classes. The study employs robust analysis tools such as Precision-Recall Curves, Average-Precision score, Train-Test Times, t-SNE, Grid Search, and L1/L2 regularization. Our model is trained and tested on the publicly available datasets KDDTrain+ and KDDTest+.
Applicability of clustering to cyber intrusion detection
Maintaining cyber security is a complex task, utilizing many levels of network information along with an array of technology. Current practices for combating cyber attacks typically use Intrusion Detection Systems (IDSs) to passively detect and block multi-stage attacks. Because of the speed and force with which a new type of cyber attack can occur, automated detection and response is becoming an apparent necessity. Anomaly-based detection systems, such as statistical-based or clustering algorithms, attempt to address this by analyzing the relative differences in network and host activity. Signature-based IDSs are typically more accurate for known attacks, but require time and resources for an analyst to update the signature database. This work hypothesizes that the latency from zero-day attack to signature creation can be shortened via anomaly-based algorithms. In particular, the summarizing ability of clustering is leveraged and examined for its applicability to signature creation. This work first investigates a modified density-based clustering algorithm as an IDS, with its strengths and weaknesses identified. Being able to separate malicious from normal activity, the modified algorithm is then applied in a supervised way to signature creation. Lessons learned from the supervised signature creation are then leveraged for the development of unsupervised real-time signature classification. Automating signature creation and classification via clustering turns out to be satisfactory but with limitations: density supports for new signatures via clustering can be diluted and lead to misclassification.