Guosheng ZHAO Yang WANG Jian WANG
Internet of Things (IoT) devices are widely used in various fields. However, their limited computing resources make them extremely vulnerable and difficult to be effectively protected. Traditional intrusion detection systems (IDS) focus on high accuracy and low false alarm rate (FAR), making them often have too high spatiotemporal complexity to be deployed in IoT devices. In response to the above problems, this paper proposes an intrusion detection model of IoT based on the light gradient boosting machine (LightGBM). Firstly, the one-dimensional convolutional neural network (CNN) is used to extract features from network traffic to reduce the feature dimensions. Then, the LightGBM is used for classification to detect the type of network traffic belongs. The LightGBM is more lightweight on the basis of inheriting the advantages of the gradient boosting tree. The LightGBM has a faster decision tree construction process. Experiments on the TON-IoT and BoT-IoT datasets show that the proposed model has stronger performance and more lightweight than the comparison models. The proposed model can shorten the prediction time by 90.66% and is better than the comparison models in accuracy and other performance metrics. The proposed model has strong detection capability for denial of service (DoS) and distributed denial of service (DDoS) attacks. Experimental results on the testbed built with IoT devices such as Raspberry Pi show that the proposed model can perform effective and real-time intrusion detection on IoT devices.
Takeshi SENOO Akira JINGUJI Ryosuke KURAMOCHI Hiroki NAKAHARA
Multilayer perceptron (MLP) is a basic neural network model that is used in practical industrial applications, such as network intrusion detection (NID) systems. It is also used as a building block in newer models, such as gMLP. Currently, there is a demand for fast training in NID and other areas. However, in training with numerous GPUs, the problems of power consumption and long training times arise. Many of the latest deep neural network (DNN) models and MLPs are trained using a backpropagation algorithm which transmits an error gradient from the output layer to the input layer such that in the sequential computation, the next input cannot be processed until the weights of all layers are updated from the last layer. This is known as backward locking. In this study, a weight parameter update mechanism is proposed with time delays that can accommodate the weight update delay to allow simultaneous forward and backward computation. To this end, a one-dimensional systolic array structure was designed on a Xilinx U50 Alveo FPGA card in which each layer of the MLP is assigned to a processing element (PE). The time-delay backpropagation algorithm executes all layers in parallel, and transfers data between layers in a pipeline. Compared to the Intel Core i9 CPU and NVIDIA RTX 3090 GPU, it is 3 times faster than the CPU and 2.5 times faster than the GPU. The processing speed per power consumption is 11.5 times better than that of the CPU and 21.4 times better than that of the GPU. From these results, it is concluded that a training accelerator on an FPGA can achieve high speed and energy efficiency.
Jaewoong HEO Hyunghoon KIM Hyo Jin JO
With the development of in-vehicle network technologies, Automotive Ethernet is being applied to modern vehicles. Scalable service-Oriented MiddlewarE over IP (SOME/IP) is an automotive middleware solution that is used for communications of the infotainment domain as well as that of other domains in the vehicle. However, since SOME/IP lacks security, it is vulnerable to a variety of network-based attacks. In this paper, we introduce a new type of intrusion detection system (IDS) leveraging on SOME/IP packet's header information and packet reception time to deal with SOME/IP related network attacks.
Fei ZHANG Peining ZHEN Dishan JING Xiaotang TANG Hai-Bao CHEN Jie YAN
Intrusion is one of major security issues of internet with the rapid growth in smart and Internet of Thing (IoT) devices, and it becomes important to detect attacks and set out alarm in IoT systems. In this paper, the support vector machine (SVM) and principal component analysis (PCA) based method is used to detect attacks in smart IoT systems. SVM with nonlinear scheme is used for intrusion classification and PCA is adopted for feature selection on the training and testing datasets. Experiments on the NSL-KDD dataset show that the test accuracy of the proposed method can reach 82.2% with 16 features selected from PCA for binary-classification which is almost the same as the result obtained with all the 41 features; and the test accuracy can achieve 78.3% with 29 features selected from PCA for multi-classification while 79.6% without feature selection. The Denial of Service (DoS) attack detection accuracy of the proposed method can achieve 8.8% improvement compared with existing artificial neural network based method.
Wenjuan LI Yu WANG Weizhi MENG Jin LI Chunhua SU
To safeguard critical services and assets in a distributed environment, collaborative intrusion detection systems (CIDSs) are usually adopted to share necessary data and information among various nodes, and enhance the detection capability. For simplifying the network management, software defined networking (SDN) is an emerging platform that decouples the controller plane from the data plane. Intuitively, SDN can help lighten the management complexity in CIDSs, and a CIDS can protect the security of SDN. In practical implementation, trust management is an important approach to help identify insider attacks (or malicious nodes) in CIDSs, but the challenge is how to ensure the data integrity when evaluating the reputation of a node. Motivated by the recent development of blockchain technology, in this work, we design BlockCSDN — a framework of blockchain-based collaborative intrusion detection in SDN, and take the challenge-based CIDS as a study. The experimental results under both external and internal attacks indicate that using blockchain technology can benefit the robustness and security of CIDSs and SDN.
Lijun GAO Zhenyi BIAN Maode MA
DoS (Denial of Service) attacks are becoming one of the most serious security threats to global networks. We analyze the existing DoS detection methods and defense mechanisms in depth. In recent years, K-Means and improved variants have been widely examined for security intrusion detection, but the detection accuracy to data is not satisfactory. In this paper we propose a multi-dimensional space feature vector expansion K-Means model to detect threats in the network environment. The model uses a genetic algorithm to optimize the weight of K-Means multi-dimensional space feature vector, which greatly improves the detection rate against 6 typical Dos attacks. Furthermore, in order to verify the correctness of the model, this paper conducts a simulation on the NSL-KDD data set. The results show that the algorithm of multi-dimensional space feature vectors expansion K-Means improves the recognition accuracy to 96.88%. Furthermore, 41 kinds of feature vectors in NSL-KDD are analyzed in detail according to a large number of experimental training. The feature vector of the probability positive return of security attack detection is accurately extracted, and a comparison chart is formed to support subsequent research. A theoretical analysis and experimental results show that the multi-dimensional space feature vector expansion K-Means algorithm has a good application in the detection of DDos attacks.
Cheng-Chung KUO Ding-Kai TSENG Chun-Wei TSAI Chu-Sing YANG
The development of an efficient detection mechanism to determine malicious network traffic has been a critical research topic in the field of network security in recent years. This study implemented an intrusion-detection system (IDS) based on a machine learning algorithm to periodically convert and analyze real network traffic in the campus environment in almost real time. The focuses of this study are on determining how to improve the detection rate of an IDS and how to detect more non-well-known port attacks apart from the traditional rule-based system. Four new features are used to increase the discriminant accuracy. In addition, an algorithm for balancing the data set was used to construct the training data set, which can also enable the learning model to more accurately reflect situations in real environment.
Deep learning is gaining more and more lots of attractions and better performance in implementing the Intrusion Detection System (IDS), especially for feature learning. This paper presents the state-of-the-art advances and challenges in IDS using deep learning models, which have been achieved the big performance enhancements in the field of computer vision, natural language processing, and image/audio processing than the traditional methods. After providing a systematic and methodical description of the latest developments in deep learning from the points of the deployed architectures and techniques, we suggest the pros-and-cons of all the deep learning-based IDS, and discuss the importance of deep learning models as feature learning approach. For this, the author has suggested the concept of the Deep-Feature Extraction and Selection (D-FES). By combining the stacked feature extraction and the weighted feature selection for D-FES, our experiment was verified to get the best performance of detection rate, 99.918% and false alarm rate, 0.012% to detect the impersonation attacks in Wi-Fi network which can be achieved better than the previous publications. Summary and further challenges are suggested as a concluding remark.
Sornxayya PHETLASY Satoshi OHZAHATA Celimuge WU Toshihito KATO
Intrusion detection system (IDS) is a device or software to monitor a network system for malicious activity. In terms of detection results, there could be two types of false, namely, the false positive (FP) which incorrectly detects normal traffic as abnormal, and the false negative (FN) which incorrectly judges malicious traffic as normal. To protect the network system, we expect that FN should be minimized as low as possible. However, since there is a trade-off between FP and FN when IDS detects malicious traffic, it is difficult to reduce the both metrics simultaneously. In this paper, we propose a sequential classifiers combination method to reduce the effect of the trade-off. The single classifier suffers a high FN rate in general, therefore additional classifiers are sequentially combined in order to detect more positives (reduce more FN). Since each classifier can reduce FN and does not generate much FP in our approach, we can achieve a reduction of FN at the final output. In evaluations, we use NSL-KDD dataset, which is an updated version of KDD Cup'99 dataset. WEKA is utilized as a classification tool in experiment, and the results show that the proposed approach can reduce FN while improving the sensitivity and accuracy.
Seon-Ho SHIN HyunBong KIM MyungKeun YOON
Regular expression matching is essential in network and big-data applications; however, it still has a serious performance bottleneck. The state-of-the-art schemes use a multi-pattern exact string-matching algorithm as a filtering module placed before a heavy regular expression engine. We design a new approximate string-matching filter using multiple q-grams; this filter not only achieves better space compactness, but it also has higher throughput than the existing filters.
Bayu Adhi TAMA Kyung-Hyune RHEE
Anomaly detection is one approach in intrusion detection systems (IDSs) which aims at capturing any deviation from the profiles of normal network activities. However, it suffers from high false alarm rate since it has impediment to distinguish the boundaries between normal and attack profiles. In this paper, we propose an effective anomaly detection approach by hybridizing three techniques, i.e. particle swarm optimization (PSO), ant colony optimization (ACO), and genetic algorithm (GA) for feature selection and ensemble of four tree-based classifiers, i.e. random forest (RF), naive bayes tree (NBT), logistic model trees (LMT), and reduces error pruning tree (REPT) for classification. Proposed approach is implemented on NSL-KDD dataset and from the experimental result, it significantly outperforms the existing methods in terms of accuracy and false alarm rate.
DDoS remains a major threat to Software Defined Networks. To keep SDN secure, effective detection techniques for DDoS are indispensable. Most of the newly proposed schemes for detecting such attacks on SDN make the SDN controller act as the IDS or the central server of a collaborative IDS. The controller consequently becomes a target of the attacks and a heavy loaded point of collecting traffic. A collaborative intrusion detection system is proposed in this paper without the need for the controller to play a central role. It is deployed as a modified artificial neural network distributed over the entire substrate of SDN. It disperses its computation power over the network that requires every participating switch to perform like a neuron. The system is robust without individual targets and has a global view on a large-scale distributed attack without aggregating traffic over the network. Emulation results demonstrate its effectiveness.
Min SHAO Min S. KIM Victor C. VALGENTI Jungkeun PARK
Network Intrusion Detection Systems (NIDS) are deployed to protect computer networks from malicious attacks. Proper evaluation of NIDS requires more scrutiny than the evaluation for general network appliances. This evaluation is commonly performed by sending pre-generated traffic through the NIDS. Unfortunately, this technique is often limited in diversity resulting in evaluations incapable of examining the complex data structures employed by NIDS. More sophisticated methods that generate workload directly from NIDS rules consume excessive resources and are incapable of running in real-time. This work proposes a novel approach to real-time workload generation for NIDS evaluation to improve evaluation diversity while maintaining much higher throughput. This work proposes a generative grammar which represents an optimized version of a context-free grammar derived from the set of strings matching to the given NIDS rule database. The grammar is memory-efficient and computationally light when generating workload. Experiments demonstrate that grammar-generated workloads exert an order of magnitude more effort on the target NIDS. Even better, this improved diversity comes at much smaller cost in memory and speeds four times faster than current approaches.
Aslhan AKYOL Mehmet HACIBEYOĞLU Bekir KARLIK
With the increase of network components connected to the Internet, the need to ensure secure connectivity is becoming increasingly vital. Intrusion Detection Systems (IDSs) are one of the common security components that identify security violations. This paper proposes a novel multilevel hybrid classifier that uses different feature sets on each classifier. It presents the Discernibility Function based Feature Selection method and two classifiers involving multilayer perceptron (MLP) and decision tree (C4.5). Experiments are conducted on the KDD'99 Cup and ISCX datasets, and the proposal demonstrates better performance than individual classifiers and other proposed hybrid classifiers. The proposed method provides significant improvement in the detection rates of attack classes and Cost Per Example (CPE) which was the primary evaluation method in the KDD'99 Cup competition.
This letter presents a method to adaptively counter false data injection attacks (FDIAs) in wireless sensor networks, in which a fuzzy rule-based system detects FDIAs and chooses the most appropriate countermeasures. The method does not require en-route verification processes and manual parameter settings. The effectiveness of the method is shown with simulation results.
Mitsuaki AKIYAMA Takeshi YAGI Youki KADOBAYASHI Takeo HARIU Suguru YAMAGUCHI
We investigated client honeypots for detecting and circumstantially analyzing drive-by download attacks. A client honeypot requires both improved inspection performance and in-depth analysis for inspecting and discovering malicious websites. However, OS overhead in recent client honeypot operation cannot be ignored when improving honeypot multiplication performance. We propose a client honeypot system that is a combination of multi-OS and multi-process honeypot approaches, and we implemented this system to evaluate its performance. The process sandbox mechanism, a security measure for our multi-process approach, provides a virtually isolated environment for each web browser. It prevents system alteration from a compromised browser process by I/O redirection of file/registry access. To solve the inconsistency problem of file/registry view by I/O redirection, our process sandbox mechanism enables the web browser and corresponding plug-ins to share a virtual system view. Therefore, it enables multiple processes to be run simultaneously without interference behavior of processes on a single OS. In a field trial, we confirmed that the use of our multi-process approach was three or more times faster than that of a single process, and our multi-OS approach linearly improved system performance according to the number of honeypot instances. In addition, our long-term investigation indicated that 72.3% of exploitations target browser-helper processes. If a honeypot restricts all process creation events, it cannot identify an exploitation targeting a browser-helper process. In contrast, our process sandbox mechanism permits the creation of browser-helper processes, so it can identify these types of exploitations without resulting in false negatives. Thus, our proposed system with these multiplication approaches improves performance efficiency and enables in-depth analysis on high interaction systems.
Recently, a malicious user attacks a web browser through a malicious page that exploits the vulnerability of the browser and that executes malicious code. To prevent this attack, some methods have been devised such as DEP (Data Execution Prevention) that prevents data in stack frame or heap region from being executed. However, to evade these defense techniques, return-oriented programming (ROP) is introduced. ROP executes arbitrary code indirectly using gadget, which is group of instructions including ret instruction in a module that doesn't apply ASLR (Address Space Layout Randomization). In this paper, we propose a static approach to detect ROP payload in a network irrespective of the environment of the system under attack. Most studies have tried to detect ROP attacks using dynamic analysis, because ROP has various addresses of gadgets according to loaded modules. These methods have a limitation that must consider the environment of system to operate ROP, such as the version of OS and modules including gadgets. To overcome this limitation, our method detects ROP payload using static analysis without preliminary knowledge about the environment. We extract five characteristics of ROP and then propose a novel algorithm, STROP, to detect ROP in payload without execution. Our idea is as follows: STROP makes stack frame using input payload statically. It extracts addresses suspected as indicating gadgets and makes groups using the addresses. And then, STROP determine whether the payload includes ROP based on static characteristics. We implement a prototype using snort (network-based intrusion system) and evaluate it. Experiments show that our technique can detect ROP payload with a low number of false alarms. False positive (FP) is 1.3% for 2,239 benign files and 0.05-0.51% for 1GB packet dump file. Among 68 ROP payloads, STROP detects 51 payloads. This research can be applied to existing systems that collect malicious codes, such as Honeypot.
Xiaoyun LIU Gongjun YAN Danda B. RAWAT Shugang DENG
The past decade has witnessed a growing interest in vehicular networking. Initially motivated by traffic safety, vehicles equipped with computing, communication and sensing capabilities will be organized into ubiquitous and pervasive networks with a significant Internet presence while on the move. Large amount of data can be generated, collected, and processed on the vehicular networks. Big data on vehicular networks include useful and sensitive information which could be exploited by malicious intruders. But intrusion detection in vehicular networks is challenging because of its unique features of vehicular networks: short range wireless communication, large amount of nodes, and high mobility of nodes. Traditional methods are hard to detect intrusion in such sophisticated environment, especially when the attack pattern is unknown, therefore, it can result unacceptable false negative error rates. As a novel attempt, the main goal of this research is to apply data mining methodology to recognize known attacks and uncover unknown attacks in vehicular networks. We are the first to attempt to adapt data mining method for intrusion detection in vehicular networks. The main contributions include: 1) specially design a decentralized vehicle networks that provide scalable communication and data availability about network status; 2) applying two data mining models to show feasibility of automated intrusion detection system in vehicular networks; 3) find the detection patterns of unknown intrusions.
Detecting spreaders, or scan sources, helps intrusion detection systems (IDS) identify potential attackers. The existing work can only detect aggressive spreaders that scan a large number of distinct destinations in a short period of time. However, stealthy spreaders may perform scanning deliberately at a low rate. We observe that these spreaders can easily evade the detection because current IDS's have serious limitations. Being lightweight, the proposed scheme can detect scan sources in high speed networking while residing in SRAM. By theoretical analysis and experiments on real Internet traffic traces, we demonstrate that the proposed scheme detects stealthy spreaders successfully.
Jingyu HUA Mingchu LI Yizhi REN Kouichi SAKURAI
Those host-based intrusion detection models like VPStatic first construct a model of acceptable behaviors for each monitored program via static analysis, and then perform intrusion detection by comparing them with programs' runtime behaviors. These models usually share the highly desirable feature that they do not produce false alarms but face the conflicts between accuracy and efficiency. For instance, the high accuracy of the VPStatic model is at the cost of high space complexity. In this paper, we use a statically-constructed state transition table (STT), which records expected transitions among system calls as well as their stack states (return address lists), as a behavior model to perform context-sensitive intrusion detection. According to our analysis, our STT model improves the space efficiency of the VPStatic model without decreasing its high precision and time efficiency. Experiments show that for three test programs, memory uses of our STT models are all much less than half of the VPStatic models'. Thereby, we alleviate the conflicts between the accuracy and the efficiency.