Nearest cluster-based intrusion detection through convolutional neural networks

The recent boom in deep learning has revealed that the application of deep neural networks is a valuable way to address network intrusion detection problems. This paper presents a novel deep learning methodology that uses convolutional neural networks (CNNs) to equip a computer network with an effective means to analyse traffic on the network for signs of malicious activity. The basic idea is to represent network flows as 2D images and use this imagery representation of the flows to train a 2D CNN architecture. The novelty consists in deriving an imagery representation of the network flows through performing a combination of the nearest neighbour search and the clustering process. The advantage is that the proposed data mapping method allows us to build imagery data that express potential data patterns arising at neighbouring flows. The proposed methodology leads to better predictive accuracy when compared to competitive intrusion detection architectures on three benchmark datasets

A two-step network intrusion detection system for multi-class classification

A network intrusion detection system aims to discover any unauthorised access to computer networks by analysing the network traffic for signs of malicious activity. In this paper, we present a two-step system for network intrusion detection. The first step comprises a Triplet network that processes the flow-based characteristics of the historical network traffic data to learn an embedding space, where distances between samples labelled with opposite classes are greater than distances between samples labelled with the same class. We take adavantage of this embedding space to separate the normal samples from the malicious ones. The second step uses a multi-class eXtreme Gradient Boosting classifier to recognize the attack family of the detected malicious flows. The experiments prove the effectiveness of the proposed system as it leads to higher accuracy when compared to several, recent competitors

Autoencoder-based deep metric learning for network intrusion detection

Nowadays intrusion detection systems are a mandatory weapon in the war against the ever-increasing amount of network cyber attacks. In this study we illustrate a new intrusion detection method that analyses the flow-based characteristics of the network traffic data. It learns an intrusion detection model by leveraging a deep metric learning methodology that originally combines autoencoders and Triplet networks. In the training stage, two separate autoencoders are trained on historical normal network flows and attacks, respectively. Then a Triplet network is trained to learn the embedding of the feature vector representation of network flows. This embedding moves each flow close to its reconstruction, restored with the autoencoder associated with the same class as the flow, and away from its reconstruction, restored with the autoencoder of the opposite class. The predictive stage assigns each new flow to the class associated with the autoencoder that restores the closest reconstruction of the flow in the embedding space. In this way, the predictive stage takes advantage of the embedding learned in the training stage, achieving a good prediction performance in the detection of new signs of malicious activities in the network traffic. In fact, the proposed methodology leads to better predictive accuracy when compared to competitive intrusion detection architectures on benchmark datasets

Clustering-Aided Multi-View Classification: A Case Study on Android Malware Detection

Recognizing malware before its installation plays a crucial role in keeping an android device safe. In this paper we describe a supervised method that is able to analyse multiple information (e.g. permissions, api calls and network addresses) that can be retrieved through a broad static analysis of android applications. In particular, we propose a novel multi-view machine learning approach to malware detection, which couples knowledge extracted via both clustering and classification. In an assessment, we evaluate the effectiveness of the proposed method using benchmark Android applications and established machine learning metrics

SILVIA: An eXplainable Framework to Map Bark Beetle Infestation in Sentinel-2 Images

Recent long spells of high temperatures and drought-hit summers have fostered the conditions for an unprecedented outbreak of bark beetles in Europe. This phenomenon has ruined vast swathes of European conifer forests creating a need among forest managers to find effective methods to gather information about the mapping of bark beetle infestation hotspots. Sentinel-2 data have been recently established as an alternative to field surveys for certain inventory tasks. Hence, this study explores the achievements of machine learning to perform the inventory mapping of bark beetle infestation hotspots in Sentinel-2 images. In particular, we investigate the accuracy performance of a spectral classifier that is learned for the study task by leveraging spectral vegetation indices and performing self-training. We use a dataset of Sentinel-2 images acquired in nonoverlapping forest scenes from the North-east of France acquired in October 2018. The selected scenes host bark beetle infestation hotspots of different sizes, which originate from the mass reproduction of the bark beetle in the 2018 infestation. We perform a learning stage by accounting for the ground-truth bark beetle infestation masks of a subset of images in the study imagery dataset (training imagery set). The goal is to produce a prediction of the bark beetle infestation masks for the remaining images in the study imagery dataset (working imagery set). Moreover, we use an explainable artificial intelligence technique to study the relevance of spectral information and explain the effect of both self-training and spectral vegetation indices on the mapping decisions

Siamese Networks with Transfer Learning for Change Detection in Sentinel-2 Images

The Earth’s surface is constantly changing due to various anthropogenic and natural causes. Leveraging machine learning to monitor land cover changes over time may provide valuable information on the transformation of the Earth’s environment. This study focuses on the discovery of land cover changes in bi-temporal, Sentinel-2 images. In particular, we rely on a Siamese network trained with labelled, imagery data of the same Earth’s scene acquired with Sentinel-2 at different times. Subsequently, we adopt a transfer learning strategy to adapt the Siamese network to Sentinel-2 data acquired in any new unlabeled scene. To deal with the lack of change labels in the new scene, transfer learning is performed with change pseudo-labels estimated in the new scene in unsupervised manner. We assess the effectiveness of the proposed change detection method in two couples of images acquired with Sentinel-2, at different times, in the urban areas of Cupertino and Las Vegas

GLORIA: A Graph Convolutional Network-Based Approach for Review Spam Detection

Spam reviews contain untruthful content created with malevolent intent, to affect the overall reputation of a product, service or company. This content is commonly made by malicious users or automated programs (i.e., bots) that mimic human behaviour. With the recent boom of online review systems, performing accurate review spam detection has become of primary importance for a review platform, to mitigate the effect of malicious users responsible for untruthful content. In this work, we propose a review spam classification approach, named GLORIA, that adopts a graph representation of review data and trains a graph convolutional neural network for edge classification as a review spam detection model. In particular, GLORIA represents both users (i.e., authors of reviews) and products (i.e., reviewed items) as nodes of a heterogeneous graph, while it represents reviews as graph edges that connect each author of a review to the reviewed item. Features of users, products and reviews are associated with nodes and edges, respectively. Experiments performed on publicly available review datasets prove the effectiveness of the proposed approach compared with some state-of-the-art approaches

GAN augmentation to deal with imbalance in imaging-based intrusion detection

Nowadays attacks on computer networks continue to advance at a rate outpacing cyber defenders’ ability to write new attack signatures. This paper illustrates a deep learning methodology for the binary classification of the network traffic. The basic idea is to represent network flows as 2D images and use this imagery representation of the network traffic to train a Generative Adversarial Network (GAN) and a Convolutional Neural Network (CNN). The GAN is trained to produce new images of unforeseen network attacks by augmenting the training data used to learn a CNN-based intrusion detection model. The advantage is that the 2D data mapping technique used builds images of the network flows, which allow us to take advantage of deep learning architectures with convolution layers. In addition, the GAN-based data augmentation allows us to deal with the possible imbalance of malicious traffic that is commonly rarer than the normal traffic in the network traffic. Specifically, it is used to simulate unforeseen attacks to train a robust intrusion detection model. The proposed methodology leads to better predictive accuracy when compared to competitive intrusion detection architectures on four benchmark datasets

An XAI-based adversarial training approach for cyber-threat detection

adversarial samples. In addition, eXplainable Artificial Intelligence (XAI) has been recently investigated to improve the interpretability and explainability of black-box artificial systems such as deep neural models. In this study, we propose a methodology that combines adversarial training and XAI, in order to increase the accuracy of deep neural models trained for cyber-threat detection. In particular, we use the FGSM technique to generate the adversarial samples for the adversarial training stage, and SHAP to produce the local explanations of decisions made during the adversarial training stage. These local explanations are, subsequently, used to produce a new feature set that describes the effect of the original cyber-data characteristics on the classifications of the examples processed during the adversarial training stage. Leveraging this XAI-based information, we apply a transfer learning strategy, namely fine-tuning, to improve the accuracy performance of the deep neural model. Experiments conducted on two benchmark cybersecurity datasets prove the effectiveness of the proposed methodology in the multi-class classification of cyber-data

Improving Cyber-Threat Detection by Moving the Boundary Around the Normal Samples

Recent research trends definitely recognise deep learning as an important approach in cybersecurity. Deep learning allows us to learn accurate threat detection models in various scenarios. However, it often suffers from training data over-fitting. In this paper, we propose a supervised machine learning method for cyber-threat detection, which modifies the training set to reduce data over-fitting when training a deep neural network. This is done by re-positioning the decision boundary that separates the normal training samples and the threats. Particularly, it re-assigns the normal training samples that are close to the boundary to the opposite class and trains a competitive deep neural network from the modified training set. In this way, it learns a classification model that can detect unseen threats, which behave similarly to normal samples. The experiments, performed by considering three benchmark datasets, prove the effectiveness of the proposed method. They provide encouraging results, also compared to several prominent competitors