123 research outputs found
SCOR: Software-defined Constrained Optimal Routing Platform for SDN
A Software-defined Constrained Optimal Routing (SCOR) platform is introduced
as a Northbound interface in SDN architecture. It is based on constraint
programming techniques and is implemented in MiniZinc modelling language. Using
constraint programming techniques in this Northbound interface has created an
efficient tool for implementing complex Quality of Service routing applications
in a few lines of code. The code includes only the problem statement and the
solution is found by a general solver program. A routing framework is
introduced based on SDN's architecture model which uses SCOR as its Northbound
interface and an upper layer of applications implemented in SCOR. Performance
of a few implemented routing applications is evaluated in different network
topologies, network sizes and various numbers of concurrent flows.
Comment: 19 pages, 11 figures, 11 algorithms, 3 tables
Tag anti-collision algorithms in RFID systems - a new trend
RFID is a wireless communication technology that provides automatic identification or tracking and data collection from any tagged object. Due to the shared communication channel between the reader and the tags during the identification process in RFID systems, many tags may communicate with the reader at the same time, which causes collisions. The problem of tag collision has to be addressed to achieve a fast multiple-tag identification process. There are two main approaches to the tag collision problem: ALOHA-based algorithms and tree-based algorithms. Although these methods reduce collisions and solve the problem to some extent, they are not fast and efficient enough in real applications. A new trend has emerged recently which takes advantage of both the ALOHA-based and the tree-based approaches. This paper describes the process and performance of the tag anti-collision algorithms of the tree-ALOHA trend.
Benchmarking the Benchmark -- Analysis of Synthetic NIDS Datasets
Network Intrusion Detection Systems (NIDSs) are an increasingly important
tool for the prevention and mitigation of cyber attacks. A number of labelled
synthetic datasets have been generated and made publicly available by
researchers, and they have become the benchmarks via which new ML-based NIDS
classifiers are evaluated. Recently published results show excellent
classification performance with these datasets, increasingly approaching 100
percent across key evaluation metrics such as accuracy, F1 score,
etc. Unfortunately, we have not yet seen these excellent academic research
results translated into practical NIDS systems with such near-perfect
performance. This motivated our research presented in this paper, where we
analyse the statistical properties of the benign traffic in three of the more
recent and relevant NIDS datasets (CIC, UNSW, ...). As a comparison, we
consider two datasets obtained from real-world production networks, one from a
university network and one from a medium size Internet Service Provider (ISP).
Our results show that the two real-world datasets are quite similar to one
another with regard to most of the considered statistical features. Equally,
the three synthetic datasets are also relatively similar within their group.
However, and most importantly, our results show a distinct difference of most
of the considered statistical features between the three synthetic datasets and
the two real-world datasets. Since ML relies on the basic assumption of
training and test datasets being sampled from the same distribution, this
raises the question of how well the performance results of ML-classifiers
trained on the considered synthetic datasets can translate and generalise to
real-world networks. We believe this is an interesting and relevant question
which provides motivation for further research in this space.
Comment: 25 pages, 13 figures
Network Intrusion Detection System in a Light Bulb
Internet of Things (IoT) devices are progressively being utilised in a
variety of edge applications to monitor and control home and industry
infrastructure. Due to the limited compute and energy resources, active
security protections are usually minimal in many IoT devices. This has created
a critical security challenge that has attracted researchers' attention in the
field of network security. Despite a large number of proposed Network Intrusion
Detection Systems (NIDSs), there is limited research into practical IoT
implementations, and to the best of our knowledge, no edge-based NIDS has been
demonstrated to operate on common low-power chipsets found in the majority of
IoT devices, such as the ESP8266. This research aims to address this gap by
pushing the boundaries on low-power Machine Learning (ML) based NIDSs. We
propose and develop an efficient and low-power ML-based NIDS, and demonstrate
its applicability for IoT edge applications by running it on a typical smart
light bulb. We also evaluate our system against other proposed edge-based NIDSs
and show that our model has a higher detection performance, and is
significantly faster and smaller, and therefore more applicable to a wider
range of IoT edge devices.
Towards a Standard Feature Set of NIDS Datasets
Network Intrusion Detection System (NIDS) datasets are essential tools used
by researchers for the training and evaluation of Machine Learning (ML)-based
NIDS models. There are currently five datasets, known as NF-UNSW-NB15,
NF-BoT-IoT, NF-ToN-IoT, NF-CSE-CIC-IDS2018 and NF-UQ-NIDS, which share
a common feature set. However, their performance in classifying network
traffic, mainly using the multi-classification method, is often unreliable.
Therefore, this paper proposes a standard NetFlow feature set, to be used in
future NIDS datasets due to the tremendous benefits of having a common feature
set. NetFlow has been widely utilised in the networking industry for its
practical scaling properties. The evaluation is done by extracting and labeling
the proposed features from four well-known datasets. The newly generated
datasets are known as NF-UNSW-NB15-v2, NF-BoT-IoT-v2, NF-ToN-IoT-v2,
NF-CSE-CIC-IDS2018-v2 and NF-UQ-NIDS-v2. Their performances have been compared
to their respective original datasets using an Extra Trees classifier, showing
a great improvement in the attack detection accuracy. They have been made
publicly available to use for research purposes.
Comment: 13 pages, 4 figures, 13 tables. arXiv admin note: substantial text
overlap with arXiv:2011.0914
From Zero-Shot Machine Learning to Zero-Day Attack Detection
The standard ML methodology assumes that the test samples are derived from a
set of pre-observed classes used in the training phase, where the model
extracts and learns useful patterns to detect new data samples belonging to the
same data classes. However, in certain applications such as Network Intrusion
Detection Systems, it is challenging to obtain data samples for all attack
classes that the model will most likely observe in production. ML-based NIDSs
face new attack traffic known as zero-day attacks, that are not used in the
training of the learning models due to their non-existence at the time. In this
paper, a zero-shot learning methodology has been proposed to evaluate the ML
model performance in the detection of zero-day attack scenarios. In the
attribute learning stage, the ML models map the network data features to
distinguish semantic attributes from known attack (seen) classes. In the
inference stage, the models are evaluated in the detection of zero-day attack
(unseen) classes by constructing the relationships between known attacks and
zero-day attacks. A new metric is defined as Zero-day Detection Rate, which
measures the effectiveness of the learning model in the inference stage. The
results demonstrate that the majority of the attack classes do not
represent significant risks to organisations adopting an ML-based NIDS in a
zero-day attack scenario. However, for certain attack groups identified in this
paper, such systems are not effective in applying the learnt attributes of
attack behaviour to detect them as malicious. Further analysis was conducted
using the Wasserstein Distance technique to measure how different such attacks
are from other attack types used in the training of the ML model. The results
demonstrate that sophisticated attacks with a low zero-day detection rate have
a significantly distinct feature distribution compared to the other attack
classes.
A Cyber Threat Intelligence Sharing Scheme based on Federated Learning for Network Intrusion Detection
The use of Machine Learning (ML) in the detection of network attacks has been
effective when designed and evaluated in a single organisation. However, it has
been very challenging to design an ML-based detection system by utilising
heterogeneous network data samples originating from several sources. This is
mainly due to privacy concerns and the lack of a universal format of datasets.
In this paper, we propose a collaborative federated learning scheme to address
these issues. The proposed framework allows multiple organisations to join
forces in the design, training, and evaluation of a robust ML-based network
intrusion detection system. The threat intelligence scheme relies on two
critical aspects for its application: first, the availability of network
traffic data in a common format to allow for the extraction of meaningful
patterns across data sources; and second, the adoption of a federated learning
mechanism to avoid the necessity of sharing sensitive users' information between
organisations. As a result, each organisation benefits from other organisations'
cyber threat
intelligence while maintaining the privacy of its data internally. The model is
trained locally and only the updated weights are shared with the remaining
participants in the federated averaging process. The framework has been
designed and evaluated in this paper by using two key datasets in a NetFlow
format known as NF-UNSW-NB15-v2 and NF-BoT-IoT-v2. Two other common scenarios
are considered in the evaluation process: a centralised training method where
the local data samples are shared with other organisations and a localised
training method where no threat intelligence is shared. The results demonstrate
the efficiency and effectiveness of the proposed framework by designing a
universal ML model effectively classifying benign and intrusive traffic
originating from multiple organisations without the need for local data
exchange.