Using response action with Intelligent Intrusion detection and prevention System against web application malware
Findings: Evaluation of the new system showed improved detection efficiency and a lower false alarm rate, which demonstrates the value of a direct response action in an intrusion detection system
Machine learning based botnet identification traffic
The continued growth of the Internet has been accompanied by increasingly sophisticated toolkits and methods for conducting computer attacks and intrusions that are easy to use and publicly available for download, such as the Zeus botnet toolkit. Botnets are responsible for many cyber-attacks, such as spam, distributed denial-of-service (DDoS), identity theft, and phishing. Most existing botnet toolkits release updates with new features, development and support, which complicates the detection and prevention of bots. Current botnet detection approaches are mostly ineffective because botnets change their Command and Control (C&C) server structures between centralized (e.g., IRC, HTTP) and distributed (e.g., P2P) designs and adopt encryption to deter inspection. In this paper, based on real-world data sets, we present our preliminary research on predicting new bots before they launch their attacks. We propose a rich set of network traffic features, using the Classification of Network Information Flow Analysis (CONIFA) framework, that capture regularities in C&C communication channels and malicious traffic. We present a case study applying the approach to a popular botnet toolkit, Zeus. The experimental evaluation suggests that bots can be detected effectively, from their traffic behaviour and before they launch their attacks, during the C&C communication generated by a newly updated Zeus toolkit, using a classifier trained with machine learning on an earlier version. We also show that the C&C structures of different botnet toolkit versions are similar and that the network characteristics of botnet C&C traffic differ from those of legitimate network traffic. Such methods could reduce the many resources needed to identify C&C communication channels and malicious traffic
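The abstract above describes training a traffic classifier on one toolkit version and applying it to a later one, but gives no feature definitions. The following added example (written for this page, not code from the paper or the CONIFA framework) shows the idea with features that do not depend on the exact beacon period or payload size, so a model trained on "version 1" check-ins still separates a "version 2" with a different period and size from user-driven traffic. All flows are constructed inline with a seeded generator; the feature set, the nearest-centroid classifier and the version parameters are assumptions for illustration.

```python
"""Period-independent C&C beacon features and a cross-version classifier.

Added example: all traffic below is constructed, not captured. The features
(coefficient of variation of inter-arrival time and of payload size, plus
normalised mean size) and the classifier are illustrative assumptions.
"""
import random
import statistics


def gen_beacon_flow(rng, n, period, jitter, size, size_jitter):
    """One bot C&C flow: check-ins at a near-constant interval and size."""
    t, pkts = 0.0, []
    for _ in range(n):
        t += period + rng.uniform(-jitter, jitter)
        pkts.append((t, size + rng.randint(-size_jitter, size_jitter)))
    return pkts


def gen_user_flow(rng, n):
    """One human-driven flow: bursty timing, widely varying sizes."""
    t, pkts = 0.0, []
    for _ in range(n):
        t += rng.expovariate(1 / 20.0)
        pkts.append((t, rng.randint(60, 1500)))
    return pkts


def flow_features(pkts):
    """Regularity features that stay similar when the beacon period changes."""
    ts = [t for t, _ in pkts]
    sizes = [s for _, s in pkts]
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    gap_cv = statistics.pstdev(gaps) / statistics.mean(gaps)
    size_cv = statistics.pstdev(sizes) / statistics.mean(sizes)
    return [gap_cv, size_cv, statistics.mean(sizes) / 1500.0]


class NearestCentroid:
    """Minimal classifier: z-score each feature, predict the closer centroid."""

    def fit(self, rows, labels):
        dims = len(rows[0])
        self.mu = [statistics.mean(r[d] for r in rows) for d in range(dims)]
        self.sd = [statistics.pstdev(r[d] for r in rows) or 1.0 for d in range(dims)]
        z = [self._z(r) for r in rows]
        self.centroids = {}
        for lab in set(labels):
            members = [v for v, l in zip(z, labels) if l == lab]
            self.centroids[lab] = [statistics.mean(m[d] for m in members) for d in range(dims)]
        return self

    def _z(self, r):
        return [(x - m) / s for x, m, s in zip(r, self.mu, self.sd)]

    def predict(self, r):
        z = self._z(r)
        return min(self.centroids,
                   key=lambda lab: sum((a - b) ** 2 for a, b in zip(z, self.centroids[lab])))


def run_experiment(seed=1):
    """Train on "version 1" beacons (60 s, ~300 B) vs legitimate flows,
    then test on a "version 2" (120 s, ~420 B) never seen in training."""
    rng = random.Random(seed)
    train = [(flow_features(gen_beacon_flow(rng, 30, 60, 2, 300, 10)), "bot") for _ in range(40)]
    train += [(flow_features(gen_user_flow(rng, 30)), "benign") for _ in range(40)]
    clf = NearestCentroid().fit([f for f, _ in train], [l for _, l in train])
    v2 = [gen_beacon_flow(rng, 30, 120, 5, 420, 20) for _ in range(20)]
    benign = [gen_user_flow(rng, 30) for _ in range(20)]
    detected = sum(clf.predict(flow_features(f)) == "bot" for f in v2) / len(v2)
    false_alarms = sum(clf.predict(flow_features(f)) == "bot" for f in benign) / len(benign)
    return {"v2_detection_rate": detected, "false_alarm_rate": false_alarms}


if __name__ == "__main__":
    print(run_experiment())
```

The point of the feature choice is that a coefficient of variation is scale-free: a bot that doubles its check-in interval and changes its message format still produces near-zero variation in timing and size, whereas human-driven traffic does not. A real deployment would add direction, destination and TLS metadata, and would validate across more than one toolkit family.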
CroLSSim: Cross‐language software similarity detector using hybrid approach of LSA‐based AST‐MDrep features and CNN‐LSTM model
Software similarity across different programming languages is a rapidly evolving field because of its numerous applications in software development, software cloning, software plagiarism, and software forensics. Currently, software researchers and developers search cross-language open-source repositories for similar applications for a variety of reasons, such as reusing code, analyzing different implementations, and looking for a better application. This is a challenging task because each programming language has its own syntax and semantic structure. In this paper, a novel tool called Cross-Language Software Similarity (CroLSSim) is designed to detect similar software applications written in different programming languages. First, Abstract Syntax Tree (AST) features are collected from the programs; these high-quality features capture an abstract view of each program. Methods Description (MDrep) is then combined with the AST to examine the relationships among method calls. Second, the Term Frequency-Inverse Document Frequency approach is used to compute local and global weights for the AST-MDrep features. Third, a Latent Semantic Analysis-based feature extraction and selection method is proposed to extract semantic anchors in a reduced-dimensional space. Fourth, a Convolutional Neural Network (CNN)-based feature extraction method is proposed to mine deep features. Finally, a hybrid CNN-Long Short-Term Memory deep learning model is designed to detect semantically similar software applications from these latent variables. The data set contains approximately 9.5K Java, 8.8K C#, and 7.4K C++ software applications obtained from GitHub. The proposed approach outperforms the state-of-the-art methods
PIGNUS: a deep learning model for IDS in industrial internet-of-things
The heterogeneous nature of the Industrial Internet of Things (IIoT) has a considerable impact on the development of an effective Intrusion Detection System (IDS). The proliferation of connected devices results in many kinds of input from industrial sensors, and an IDS faces challenges in analyzing the traffic features and identifying anomalous behavior. Because no comprehensive feature mapping method is available, present IDS solutions are unable to identify zero-day attacks.
In this paper, we introduce the first comprehensive IDS framework that combines an efficient feature-mapping technique with a cascading model to address these problems. We call our proposed solution deeP learnInG model intrusioN detection in indUStrial internet-of-things (PIGNUS). PIGNUS integrates Auto Encoders (AE) to select optimal features and a Cascade Forward Back Propagation Neural Network (CFBPNN) for classification and attack detection. The cascading model uses interconnected links from the initial layer to the output layer, determines the normal and abnormal behavior patterns, and produces the final classification. We execute a set of experiments on five popular IIoT datasets: gas pipeline, water storage tank, NSL-KDD, UNSW-NB15, and X-IIoTID. We compare PIGNUS to state-of-the-art models in terms of accuracy, False Positive Ratio (FPR), precision, and recall. The results show that PIGNUS achieves higher accuracy on average than the existing models, together with a lower FPR and better recall and precision. Overall, PIGNUS proves to be an efficient IDS solution for IIoT
M-RL: A mobility and impersonation-aware IDS for DDoS UDP flooding attacks in IoT-Fog networks
The Internet of Things (IoT) has recently received a lot of attention from the information and communication technology community. It has turned out to be a crucial development for harnessing the power of wireless media in the real world. The nature of IoT-Fog networks requires defense techniques that are lightweight and mobility-aware. The edge resources in such a distributed environment are exposed to various security threats, of which DDoS UDP flooding attacks are the most frequent: they can disable fog gateways and defeat traditional data filtering techniques. This paper introduces M-RL, a lightweight, mobility-aware intrusion detection system that detects DDoS UDP flooding attacks while taking into account adversarial IoT devices that engage in IP spoofing. To this end, the paper analyzes the malicious behaviors that evade Rate Limiting (RL) and Received Signal Strength (RSS)-based approaches, combines the advantages of the two, and addresses their weaknesses. Testing in different contexts shows that these behaviors can reduce the accuracy of the RL, RSS, and RSS-RL methods to 70%, 48.9%, and 64.3%, respectively. The outcomes demonstrate the proposed approach's resistance to software-based source address forgery, impersonation, and signal modification. It offers more than 99% accuracy and supports node mobility, whereas the best accuracy achieved by the previous methods in this setting is 77%
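The abstract names two baseline defenses, per-source rate limiting and RSS-based grouping, and says that spoofing and signal modification evade them. The added example below (not the paper's M-RL, and not its evaluation code) makes both evasions concrete on a constructed packet stream: a single flooding radio that rotates spoofed source addresses stays under every per-IP limit, is caught when packets are counted per RSS bucket instead, and escapes again when it also varies its transmit power. The window size, limits, bucket width and RSS values are assumptions chosen for illustration.

```python
"""Two flood-detection baselines and the evasions the abstract describes.

Added example with constructed traffic: each packet is (time_s, src_ip, rss_dbm).
Limits, bucket width and the RSS layout are illustrative assumptions.
"""
import random
from collections import Counter

WINDOW_S = 1.0        # detection window
PER_IP_LIMIT = 50     # packets per window per source address (rate limiting)
PER_RSS_LIMIT = 50    # packets per window per RSS bucket (RSS-based)
RSS_BUCKET_DB = 3     # bucket width in dBm


def rss_bucket(rss):
    return int(rss // RSS_BUCKET_DB)


def detect_rate_limit(packets):
    """Baseline 1: flag source IPs that exceed PER_IP_LIMIT in any window."""
    counts = Counter((int(t // WINDOW_S), ip) for t, ip, _ in packets)
    return {ip for (_, ip), c in counts.items() if c > PER_IP_LIMIT}


def detect_rss(packets):
    """Baseline 2: count per RSS bucket, which a spoofed address cannot change."""
    counts = Counter((int(t // WINDOW_S), rss_bucket(r)) for t, _, r in packets)
    return {b for (_, b), c in counts.items() if c > PER_RSS_LIMIT}


def scenario(modify_signal, seed=7, seconds=3):
    """Five legitimate nodes at 10 pps with stable RSS, plus one attacker at
    400 pps rotating 100 spoofed addresses (4 pps each).  With modify_signal
    the attacker also varies its transmit power so its RSS is spread out."""
    rng = random.Random(seed)
    pkts = []
    for s in range(seconds):
        for node in range(5):                      # legitimate traffic
            base = -58 + 6 * node                  # centred inside a bucket
            for i in range(10):
                pkts.append((s + i / 10, f"192.168.1.{node + 1}", base + rng.uniform(-0.5, 0.5)))
        for i in range(400):                       # flood from one radio
            ip = f"10.0.{i % 100 // 256}.{i % 100 % 256}"
            rss = rng.uniform(-100, -40) if modify_signal else -71 + rng.uniform(-0.5, 0.5)
            pkts.append((s + i / 400, ip, rss))
    return pkts


def evaluate():
    spoof_only = scenario(modify_signal=False)
    spoof_and_power = scenario(modify_signal=True)
    return {
        "ratelimit_spoof_only": detect_rate_limit(spoof_only),
        "rss_spoof_only": detect_rss(spoof_only),
        "ratelimit_spoof_and_power": detect_rate_limit(spoof_and_power),
        "rss_spoof_and_power": detect_rss(spoof_and_power),
    }


if __name__ == "__main__":
    for k, v in evaluate().items():
        print(k, "flagged:", sorted(v) if v else "nothing")
```

Read the four results together: rate limiting sees 100 well-behaved addresses and flags nothing in either case; RSS grouping catches the flood when the radio's signal is stable (one bucket receives all 400 packets per second) but not when the attacker spreads its RSS across twenty buckets, each of which stays under the limit. That is the gap a combined, mobility-aware detector has to close without penalising a legitimate node whose RSS changes because it moves.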
Augmented Reality-Based English Language Learning: Importance And State Of The Art
Augmented reality (AR) is increasingly used in education. However, little is known about the actual importance of AR for learning English skills. Weakness in English among English as a Foreign Language (EFL) students is widespread across educational institutions. Accordingly, this paper explores the importance of AR for learning English skills from the perspective of English language teachers and educators. Mixed qualitative methods were used. First, 12 interviews were conducted with English teachers on the topic under investigation. Second, a systematic literature review (SLR) was performed that documents the advantages, limitations and approaches of AR for learning English. This study differs from others in using two methods and in examining the importance of AR for improving English language skills in general. The study concludes that AR improves language skills and academic achievement. It also reduces students' anxiety levels, improves students' creativity, and increases students' collaboration and engagement. Moreover, students have positive attitudes towards using AR to learn English. The findings have important implications for the integration and development of AR for learning
Variance Ranking Attributes Selection Techniques for Binary Classification Problem in Imbalance Data
Data are being generated and used to support all aspects of healthcare provision, from policy formation to the delivery of primary care services. In particular, with the change of emphasis from curative to preventive medicine, the importance of data-based research such as data mining and machine learning has brought the issue of class distribution in datasets to the fore. In typical predictive modeling, the inability to handle class imbalance in a real-life dataset is an important shortcoming of existing machine learning algorithms. Most algorithms assume balanced classes in their design and therefore perform poorly at predicting the minority target class. Ironically, the minority target class is usually the focus of the prediction. Misclassifying the minority class has serious consequences in detecting chronic diseases and in detecting fraud and intrusions, where positive cases are erroneously predicted as negative. This paper presents a new attribute selection technique called variance ranking for handling class imbalance in a dataset. The results were compared to two well-known attribute selection techniques, Pearson correlation and information gain. The paper uses a novel similarity measure, ranked order similarity (ROS), to evaluate variance ranking attribute selection against Pearson correlation and information gain. Further validation was carried out with three binary classifiers: logistic regression, support vector machine, and decision tree. The proposed variance ranking and ranked order similarity techniques showed better results than the benchmarks, and ROS provided an effective means of grading and measuring similarity where other similarity measures were inadequate or not applicable
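The abstract compares three attribute-ranking criteria on imbalanced data and then compares the rankings themselves, but the page does not define the paper's variance ranking or its ROS measure. The added example below (written for this page, not the paper's method) runs the same workflow on a constructed dataset with a 10% positive class: it ranks attributes by plain variance after min-max scaling, by absolute Pearson correlation with the label, and by information gain of a median split, and then compares two rankings with Spearman's rank correlation as a stand-in for ROS. The dataset, the variance criterion and the use of Spearman are all assumptions.

```python
"""Attribute ranking on an imbalanced binary dataset, three criteria compared.

Added example. The variance criterion (variance after min-max scaling), the
median-split information gain and Spearman as the rank-similarity measure are
illustrative assumptions; the constructed data has a 10% positive class.
"""
import math
import random
import statistics
from collections import Counter


def minmax(col):
    lo, hi = min(col), max(col)
    return [0.0 if hi == lo else (v - lo) / (hi - lo) for v in col]


def variance_rank(columns):
    """Rank attributes by variance of the scaled column (label not used)."""
    scores = {n: statistics.pvariance(minmax(c)) for n, c in columns.items()}
    return sorted(columns, key=lambda n: -scores[n]), scores


def pearson(x, y):
    mx, my = statistics.mean(x), statistics.mean(y)
    sx = math.sqrt(sum((a - mx) ** 2 for a in x))
    sy = math.sqrt(sum((b - my) ** 2 for b in y))
    if sx == 0 or sy == 0:
        return 0.0
    return sum((a - mx) * (b - my) for a, b in zip(x, y)) / (sx * sy)


def pearson_rank(columns, y):
    scores = {n: abs(pearson(c, y)) for n, c in columns.items()}
    return sorted(columns, key=lambda n: -scores[n]), scores


def entropy(labels):
    n = len(labels)
    return -sum(c / n * math.log2(c / n) for c in Counter(labels).values())


def info_gain(col, y):
    """Information gain of splitting a numeric attribute at its median."""
    thr = statistics.median(col)
    left = [l for v, l in zip(col, y) if v <= thr]
    right = [l for v, l in zip(col, y) if v > thr]
    if not left or not right:
        return 0.0
    n = len(y)
    return entropy(y) - (len(left) / n * entropy(left) + len(right) / n * entropy(right))


def info_gain_rank(columns, y):
    scores = {n: info_gain(c, y) for n, c in columns.items()}
    return sorted(columns, key=lambda n: -scores[n]), scores


def rank_similarity(order_a, order_b):
    """Spearman rank correlation between two orderings of the same attributes
    (a stand-in for the paper's ROS, which is not defined on this page)."""
    pos_b = {name: i for i, name in enumerate(order_b)}
    n = len(order_a)
    d2 = sum((i - pos_b[name]) ** 2 for i, name in enumerate(order_a))
    return 1 - 6 * d2 / (n * (n * n - 1))


def make_dataset(n=200, positive_rate=0.10, seed=3):
    """Constructed data: one strongly informative attribute, one weak, one
    pure noise and one constant, with a minority positive class."""
    rng = random.Random(seed)
    y = [1 if i < int(n * positive_rate) else 0 for i in range(n)]
    cols = {
        "informative": [rng.gauss(6 if l else 0, 1) for l in y],
        "weak": [rng.gauss(1 if l else 0, 1) for l in y],
        "noise": [rng.uniform(0, 1) for _ in y],
        "constant": [1.0 for _ in y],
    }
    return cols, y


def run():
    cols, y = make_dataset()
    v_order, _ = variance_rank(cols)
    p_order, _ = pearson_rank(cols, y)
    g_order, _ = info_gain_rank(cols, y)
    return {
        "variance": v_order, "pearson": p_order, "info_gain": g_order,
        "variance_vs_pearson": rank_similarity(v_order, p_order),
        "pearson_vs_info_gain": rank_similarity(p_order, g_order),
    }


if __name__ == "__main__":
    for k, v in run().items():
        print(k, v)
```

The supervised criteria (Pearson, information gain) put the informative attribute first because they use the label; plain variance does not see the label at all, so a noisy attribute with a wide spread can outrank it. Whatever form of variance ranking the paper uses must therefore differ from this naive one, and the rank-similarity score is what quantifies how far two such selections disagree.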
Digital Forensics Classification Based on a Hybrid Neural Network and the Salp Swarm Algorithm
In recent times, cybercrime has increased significantly, making Digital Forensics (DF) an urgent need. The main objective of DF is to preserve evidence in its original state while identifying, collecting, analyzing, and evaluating digital data to reconstruct past actions. Evidence of cybercrime can be found in a computer's file system. This paper investigates the viability of the Multilayer Perceptron (MLP) for DF. The proposed method analyzes a computer's file system to determine whether it has been tampered with by a specific program. A dataset describes a set of features of file system activity over a given period; these data are used to train the MLP and build a classification model. Identifying the optimal set of MLP parameters (weights and biases) is a challenging part of training MLPs, and traditional training algorithms suffer from stagnation in local minima and slow convergence. This paper proposes the Salp Swarm Algorithm (SSA) as a trainer for the MLP that finds an optimized set of MLP parameters. SSA has proved applicable in different domains and has obtained promising optimization results, which motivated its use here to train an MLP for DF, a purpose for which it had not been used before. The results are validated by comparison with other meta-heuristic algorithms. SSAMLP-DF performs best, achieving the highest accuracy, the lowest error rate, and the best convergence
A pseudo feedback-based annotated TF-IDF technique for dynamic crypto-ransomware pre-encryption boundary delineation and features extraction
The cryptography employed against user files makes the effect of crypto-ransomware attacks irreversible even after detection and removal. Detecting such attacks early, i.e. during the pre-encryption phase before encryption takes place, is therefore necessary. Existing crypto-ransomware early detection solutions use a fixed time-based threshold to determine the boundary of the pre-encryption phase. A fixed time threshold, however, implies that all samples start encrypting at the same time. That assumption does not hold for all samples, since the time at which the main sabotage starts varies among crypto-ransomware families because of the obfuscation techniques the malware employs to change its attack strategy and evade detection, which produces different attack behaviors. Additionally, the lack of sufficient data in the early phases of the attack limits the ability of the feature extraction techniques in early detection models to perceive the characteristics of the attack, which in turn decreases detection accuracy. This paper therefore proposes a Dynamic Pre-encryption Boundary Delineation and Feature Extraction (DPBD-FE) scheme that determines the boundary of the pre-encryption phase so that features can be extracted and selected from it more accurately. Unlike the fixed thresholding of existing work, DPBD-FE tracks the pre-encryption phase of each instance individually, based on the first occurrence of any cryptography-related API. An annotated Term Frequency-Inverse Document Frequency (aTF-IDF) technique is then used to extract features from the runtime data generated during the pre-encryption phase of crypto-ransomware attacks; aTF-IDF addresses the scarcity of attack patterns in the early phases of the attack lifecycle.
The experimental evaluation shows that DPBD-FE determined the pre-encryption boundaries and extracted the features of this phase more accurately than related works
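The per-sample boundary rule in the abstract (cut the trace at the first cryptography-related API call) and the contrast with a fixed-length window can be shown directly on API call traces. The added example below is illustrative code for this page, not the paper's DPBD-FE implementation: the three traces are constructed, the set of Windows CryptoAPI/CNG names used as boundary markers is an assumption, and the feature step is a standard TF-IDF over API names rather than the paper's annotated variant, which the page does not define.

```python
"""Per-sample pre-encryption boundary vs a fixed window, then TF-IDF features.

Added example. Traces are constructed; CRYPTO_APIS is an assumed marker set
(Windows CryptoAPI/CNG names); the TF-IDF is the standard smoothed form, not
the paper's annotated aTF-IDF.
"""
import math
from collections import Counter

CRYPTO_APIS = {"CryptAcquireContextW", "CryptGenKey", "CryptImportKey",
               "CryptEncrypt", "BCryptEncrypt", "BCryptGenerateSymmetricKey"}

# Constructed API traces: a sample that starts encrypting almost at once, one
# that stalls and fingerprints the host first, and a benign backup tool.
TRACES = {
    "fast_sample": ["GetSystemInfo", "FindFirstFileW", "FindNextFileW",
                    "CryptAcquireContextW", "CryptGenKey", "CreateFileW",
                    "ReadFile", "CryptEncrypt", "WriteFile", "DeleteFileW"],
    "slow_sample": ["Sleep", "IsDebuggerPresent", "GetTickCount", "Sleep",
                    "GetSystemInfo", "RegOpenKeyExW", "RegQueryValueExW",
                    "FindFirstFileW", "FindNextFileW", "FindNextFileW",
                    "CryptAcquireContextW", "CryptGenKey", "CreateFileW",
                    "ReadFile", "CryptEncrypt", "WriteFile"],
    "benign_backup": ["GetSystemInfo", "FindFirstFileW", "FindNextFileW",
                      "CreateFileW", "ReadFile", "WriteFile", "CloseHandle",
                      "FindNextFileW", "CreateFileW", "ReadFile", "WriteFile"],
}


def pre_encryption_window(trace, crypto_apis=CRYPTO_APIS):
    """Dynamic boundary: everything before the first crypto-related call.
    A trace with no such call is treated as entirely pre-encryption."""
    for i, api in enumerate(trace):
        if api in crypto_apis:
            return trace[:i]
    return list(trace)


def fixed_window(trace, n):
    """Fixed threshold used by earlier work: the first n calls, regardless
    of when (or whether) encryption starts."""
    return trace[:n]


def tfidf(docs):
    """Smoothed TF-IDF over API names; docs maps sample name -> call list."""
    n = len(docs)
    df = Counter(api for calls in docs.values() for api in set(calls))
    weights = {}
    for name, calls in docs.items():
        tf = Counter(calls)
        total = len(calls) or 1
        weights[name] = {api: (c / total) * (math.log((1 + n) / (1 + df[api])) + 1)
                         for api, c in tf.items()}
    return weights


def boundaries(traces=TRACES):
    """Length of the pre-encryption window per sample, both ways."""
    return {name: {"dynamic": len(pre_encryption_window(t)),
                   "fixed_8": len(fixed_window(t, 8)),
                   "fixed_8_leaks_encryption": any(a in CRYPTO_APIS for a in fixed_window(t, 8))}
            for name, t in traces.items()}


def pre_encryption_features(traces=TRACES):
    return tfidf({name: pre_encryption_window(t) for name, t in traces.items()})


if __name__ == "__main__":
    for name, b in boundaries().items():
        print(name, b)
    for name, w in pre_encryption_features().items():
        top = sorted(w.items(), key=lambda kv: -kv[1])[:3]
        print(name, "top terms:", top)
```

With an 8-call fixed window the fast sample's window already contains CryptAcquireContextW, CryptGenKey and CryptEncrypt, so the "pre-encryption" features describe behaviour that a detector would only see once files are already at risk, while the slow sample's window is cut off before its crypto setup with anti-analysis calls still dominating. The dynamic boundary gives each sample exactly its own pre-encryption prefix, which is what the feature weighting then has to work with.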
