Automatic Dataset Labelling and Feature Selection for Intrusion Detection Systems

The file attached to this record is the author's final peer reviewed version. The Publisher's final version can be found by following the DOI link.Correctly labelled datasets are commonly required. Three particular scenarios are highlighted, which showcase this need. When using supervised Intrusion Detection Systems (IDSs), these systems need labelled datasets to be trained. Also, the real nature of the analysed datasets must be known when evaluating the efficiency of the IDSs when detecting intrusions. Another scenario is the use of feature selection that works only if the processed datasets are labelled. In normal conditions, collecting labelled datasets from real networks is impossible. Currently, datasets are mainly labelled by implementing off-line forensic analysis, which is impractical because it does not allow real-time implementation. We have developed a novel approach to automatically generate labelled network traffic datasets using an unsupervised anomaly based IDS. The resulting labelled datasets are subsets of the original unlabelled datasets. The labelled dataset is then processed using a Genetic Algorithm (GA) based approach, which performs the task of feature selection. The GA has been implemented to automatically provide the set of metrics that generate the most appropriate intrusion detection results

Using metrics from multiple layers to detect attacks in wireless networks

The IEEE 802.11 networks are vulnerable to numerous wireless-specific attacks. Attackers can implement MAC address spoofing techniques to launch these attacks, while masquerading themselves behind a false MAC address. The implementation of Intrusion Detection Systems has become fundamental in the development of security infrastructures for wireless networks. This thesis proposes the designing a novel security system that makes use of metrics from multiple layers of observation to produce a collective decision on whether an attack is taking place. The Dempster-Shafer Theory of Evidence is the data fusion technique used to combine the evidences from the different layers. A novel, unsupervised and self- adaptive Basic Probability Assignment (BPA) approach able to automatically adapt its beliefs assignment to the current characteristics of the wireless network is proposed. This BPA approach is composed of three different and independent statistical techniques, which are capable to identify the presence of attacks in real time. Despite the lightweight processing requirements, the proposed security system produces outstanding detection results, generating high intrusion detection accuracy and very low number of false alarms. A thorough description of the generated results, for all the considered datasets is presented in this thesis. The effectiveness of the proposed system is evaluated using different types of injection attacks. Regarding one of these attacks, to the best of the author knowledge, the security system presented in this thesis is the first one able to efficiently identify the Airpwn attack

Adding Contextual Information to Intrusion Detection Systems Using Fuzzy Cognitive Maps

The file attached to this record is the author's final peer reviewed version. The Publisher's final version can be found by following the DOI link.In the last few years there has been considerable increase in the efficiency of Intrusion Detection Systems (IDSs). However, networks are still the victim of attacks. As the complexity of these attacks keeps increasing, new and more robust detection mechanisms need to be developed. The next generation of IDSs should be designed incorporating reasoning engines supported by contextual information about the network, cognitive information and situational awareness to improve their detection results. In this paper, we propose the use of a Fuzzy Cognitive Map (FCM) in conjunction with an IDS to incorporate contextual information into the detection process. We have evaluated the use of FCMs to adjust the Basic Probability Assignment (BPA) values defined prior to the data fusion process, which is crucial for the IDS that we have developed. The experimental results that we present verify that FCMs can improve the efficiency of our IDS by reducing the number of false alarms, while not affecting the number of correct detections

A look into the information your smartphone leaks

The file attached to this record is the author's final peer reviewed version. The Publisher's final version can be found by following the DOI link.Some smartphone applications (apps) pose a risk to users’ personal information. Events of apps leaking information stored in smartphones illustrate the danger that they present. In this paper, we investigate the amount of personal information leaked during the installation and use of apps when accessing the Internet. We have opted for the implementation of a Man-in-the-Middle proxy to intercept the network traffic generated by 20 popular free apps installed on different smartphones of distinctive vendors. This work describes the technical considerations and requirements for the deployment of the monitoring WiFi network employed during the conducted experiments. The presented results show that numerous mobile and personal unique identifiers, along with personal information are leaked by several of the evaluated apps, commonly during the installation process

Using the Pattern-of-Life in Networks to Improve the Effectiveness of Intrusion Detection Systems

The file attached to this record is the author's final peer reviewed version. The Publisher's final version can be found by following the DOI link.As the complexity of cyber-attacks keeps increasing, new and more robust detection mechanisms need to be developed. The next generation of Intrusion Detection Systems (IDSs) should be able to adapt their detection characteristics based not only on the measureable network traffic, but also on the available high- level information related to the protected network to improve their detection results. We make use of the Pattern-of-Life (PoL) of a network as the main source of high-level information, which is correlated with the time of the day and the usage of the network resources. We propose the use of a Fuzzy Cognitive Map (FCM) to incorporate the PoL into the detection process. The main aim of this work is to evidence the improved the detection performance of an IDS using an FCM to leverage on network related contextual information. The results that we present verify that the proposed method improves the effectiveness of our IDS by reducing the total number of false alarms; providing an improvement of 9.68% when all the considered metrics are combined and a peak improvement of up to 35.64%, depending on particular metric combination

Support Vector Machine for Network Intrusion and Cyber-Attack Detection

The file attached to this record is the author's final peer reviewed version. The Publisher's final version can be found by following the DOI link.Cyber-security threats are a growing concern in networked environments. The development of Intrusion Detection Systems (IDSs) is fundamental in order to provide extra level of security. We have developed an unsupervised anomaly-based IDS that uses statistical techniques to conduct the detection process. Despite providing many advantages, anomaly-based IDSs tend to generate a high number of false alarms. Machine Learning (ML) techniques have gained wide interest in tasks of intrusion detection. In this work, Support Vector Machine (SVM) is deemed as an ML technique that could complement the performance of our IDS, providing a second line of detection to reduce the number of false alarms, or as an alternative detection technique. We assess the performance of our IDS against one-class and two-class SVMs, using linear and non-linear forms. The results that we present show that linear two-class SVM generates highly accurate results, and the accuracy of the linear one-class SVM is very comparable, and it does not need training datasets associated with malicious data. Similarly, the results evidence that our IDS could benefit from the use of ML techniques to increase its accuracy when analysing datasets comprising of non-homogeneous features

Misbehaviour metrics in WiMAX networks under attack

Much effort has been taken to make WiMAX a secure technology. Due to its broadcast nature, WiMAX is more susceptible to security threats than a wired network. In this paper, we give a general overview of the security architecture and possible attacks that a WiMAX network may face. For each type of attack the misbehaviour metrics that may vary under these attacks are listed. This work can be used to select an appropriate threshold for detecting attack and can be applied to future research on IDS

A Data Fusion Technique to Detect Wireless Network Virtual Jamming Attacks

The file attached to this record is the author's final peer reviewed version. The Publisher's final version can be found by following the DOI link.Wireless communications are potentially exposed to jamming due to the openness of the medium and, in particular, to virtual jamming, which allows more energy-efficient attacks. In this paper we tackle the problem of virtual jamming attacks on IEEE 802.11 networks and present a data fusion solution for the detection of a type of virtual jamming attack (namely, NAV attacks), based on the real-time monitoring of a set of metrics. The detection performance is evaluated in a number of real scenarios

Intrusion Detection System for Platooning Connected Autonomous Vehicles

The deployment of Connected Autonomous Vehicles (CAVs) in Vehicular Ad Hoc Networks (VANETs) requires secure wireless communication in order to ensure reliable connectivity and safety. However, this wireless communication is vulnerable to a variety of cyber atacks such as spoofing or jamming attacks. In this paper, we describe an Intrusion Detection System (IDS) based on Machine Learning (ML) techniques designed to detect both spoofing and jamming attacks in a CAV environment. The IDS would reduce the risk of traffic disruption and accident caused as a result of cyber-attacks. The detection engine of the presented IDS is based on the ML algorithms Random Forest (RF), k-Nearest Neighbour (k-NN) and One-Class Support Vector Machine (OCSVM), as well as data fusion techniques in a cross-layer approach. To the best of the authors’ knowledge, the proposed IDS is the first in literature that uses a cross-layer approach to detect both spoofing and jamming attacks against the communication of connected vehicles platooning. The evaluation results of the implemented IDS present a high accuracy of over 90% using training datasets containing both known and unknown attacks

Multi-Stage Attack Detection Using Contextual Information

The appearance of new forms of cyber-threats, such as Multi-Stage Attacks (MSAs), creates new challenges to which Intrusion Detection Systems (IDSs) need to adapt. An MSA is launched in multiple sequential stages, which may not be malicious when implemented individually, making the detection of MSAs extremely challenging for most current IDSs. In this paper, we present a novel IDS that exploits contextual information in the form of Pattern-of-Life (PoL), and information related to expert judgment on the network behaviour. This IDS focuses on detecting an MSA, in real-time, without previous training process. The main goal of the MSA is to create a Point of Entry (PoE) to a target machine, which could be used as part of an Advanced Persistent Threat (APT) like attack. Our results verify that the use of contextual information improves the efficiency of our IDS by enhancing the detection rate of MSAs in real-time by 58%