Showing total 59 results

1. Hate speech, toxicity detection in online social media: a recent survey of state of the art and opportunities.

Author

Anjum and Katarya, Rahul

Subjects

*HATE speech, *INFORMATION & communication technologies, *FEATURE selection, *DEEP learning, *NATURAL language processing, *AUTOMATIC speech recognition, *SOCIAL media

Abstract

Information and communication technology has evolved dramatically, and now the majority of people are using internet and sharing their opinion more openly, which has led to the creation, collection and circulation of hate speech over multiple platforms. The anonymity and movability given by these social media platforms allow people to hide themselves behind a screen and spread the hate effortlessly. Online hate speech (OHS) recognition can play a vital role in stopping such activities and can thus restore the position of public platforms as the open marketplace of ideas. To study hate speech detection in social media, we surveyed the related available datasets on the web-based platform. We further analyzed approximately 200 research papers indexed in the different journals from 2010 to 2022. The papers were divided into various sections and approaches used in OHS detection, i.e., feature selection, traditional machine learning (ML) and deep learning (DL). Based on the selected 111 papers, we found that 44 articles used traditional ML and 35 used DL-based approaches. We concluded that most authors used SVM, Naive Bayes, Decision Tree in ML and CNN, LSTM in the DL approach. This survey contributes by providing a systematic approach to help researchers identify a new research direction in online hate speech. [ABSTRACT FROM AUTHOR]

Published

2024

2. A review on graph-based approaches for network security monitoring and botnet detection.

Author

Lagraa, Sofiane, Husák, Martin, Seba, Hamida, Vuppala, Satyanarayana, State, Radu, and Ouedraogo, Moussa

Subjects

*BOTNETS, *COMPUTER network security, *INTRUSION detection systems (Computer security), *COMPUTER network traffic, *RESEARCH personnel

Abstract

This survey paper provides a comprehensive overview of recent research and development in network security that uses graphs and graph-based data representation and analytics. The paper focuses on the graph-based representation of network traffic records and the application of graph-based analytics in intrusion detection and botnet detection. The paper aims to answer several questions related to graph-based approaches in network security, including the types of graphs used to represent network security data, the approaches used to analyze such graphs, the metrics used for detection and monitoring, and the reproducibility of existing works. The paper presents a survey of graph models used to represent, store, and visualize network security data, a survey of the algorithms and approaches used to analyze such data, and an enumeration of the most important graph features used for network security analytics for monitoring and botnet detection. The paper also discusses the challenges and limitations of using graph-based approaches in network security and identifies potential future research directions. Overall, this survey paper provides a valuable resource for researchers and practitioners in the field of network security who are interested in using graph-based approaches for analyzing and detecting malicious activities in networks. [ABSTRACT FROM AUTHOR]

Published

2024

3. Attribute inference privacy protection for pre-trained models.

Author

Abedi Khorasgani, Hossein, Mohammed, Noman, and Wang, Yang

Subjects

*DATA privacy, *PRIVACY, *DATA protection laws, *VISUAL fields, *IMAGE processing, *COMPUTER vision, *MACHINE learning

Abstract

With the increasing popularity of machine learning (ML) in image processing, privacy concerns have emerged as a significant issue in deploying and using ML services. However, current privacy protection approaches often require computationally expensive training from scratch or extensive fine-tuning of models, posing significant barriers to the development of privacy-conscious models, particularly for smaller organizations seeking to comply with data privacy laws. In this paper, we address the privacy challenges in computer vision by investigating the effectiveness of two recent fine-tuning methods, Model Reprogramming and Low-Rank Adaptation. We adapt these techniques to provide attribute protection for pre-trained models, minimizing computational overhead and training time. Specifically, we modify the models to produce privacy-preserving latent representations of images that cannot be used to identify unintended attributes. We integrate these methods into an adversarial min–max framework, allowing us to conceal sensitive information from feature outputs without extensive modifications to the pre-trained model, but rather focusing on a small set of new parameters. We demonstrate the effectiveness of our methods by conducting experiments on the CelebA dataset, achieving state-of-the-art performance while significantly reducing computational complexity and cost. Our research provides a valuable contribution to the field of computer vision and privacy, offering practical solutions to enhance the privacy of machine learning services without compromising efficiency. [ABSTRACT FROM AUTHOR]

Published

2024

4. Feature engineering impact on position falsification attacks detection in vehicular ad-hoc network.

Author

Abdelkreem, Eslam, Hussein, Sherif, and Tammam, Ashraf

Subjects

*FALSIFICATION, *MACHINE learning, *AD hoc computer networks, *ENGINEERING, *ROAD safety measures

Abstract

The vehicular ad-hoc network is a technology that enables vehicles to interact with each other and the surrounding infrastructure, aiming to enhance road safety and driver comfort. However, it is susceptible to various security attacks. Among these attacks, the position falsification attack is regarded as one of the most serious, in which the malicious nodes tamper with their transmitted location. Thus, developing effective misbehavior detection schemes capable of detecting such attacks is crucial. Many of these schemes employ machine learning techniques to detect misbehavior based on the features of the exchanged messages. However, the studies that identify the impact of feature engineering on schemes' performance and highlight the most efficient features and algorithms are limited. This paper conducts a comprehensive literature survey to identify the key features and algorithms used in the literature that lead to the best-performing models. Then, a comparative study using the VeReMi dataset, which is publicly available, is performed to assess six models implemented using three different machine learning algorithms and two feature sets: one comprising selected and derived features and the other including all message features. The findings show that two of the suggested models that employ feature engineering perform almost equally to existing studies in identifying two types of position falsification attacks while exhibiting performance improvements in detecting other types. Furthermore, the results of evaluating the proposed models using another simulation exhibit a substantial improvement achieved by employing feature engineering techniques, where the average accuracy of the models is increased by 6.31–47%, depending on the algorithm used. [ABSTRACT FROM AUTHOR]

Published

2024

5. Random forest evaluation using multi-key homomorphic encryption and lookup tables.

Author

Petrean, Diana-Elena and Potolea, Rodica

Subjects

*RANDOM forest algorithms, *DECISION trees, *MACHINE learning, *CLOUD computing, *INTELLECTUAL property, *BLOCK ciphers, *IMAGE encryption

Abstract

In recent years, machine learning (ML) has become increasingly popular in various fields of activity. Cloud platforms have also grown in popularity, as they offer services that are more secure and accessible worldwide. In this context, cloud-based technologies emerged to support ML, giving rise to the machine learning as a service (MLaaS) concept. However, the clients accessing ML services in order to obtain classification results on private data may be reluctant to upload sensitive information to cloud. The model owners may also prefer not to outsource their models in order to prevent model inversion attacks and to protect intellectual property. The privacy-preserving evaluation of ML models is possible through multi-key homomorphic encryption (MKHE), that allows both the client data and the model to be encrypted under different keys. In this paper, we propose an MKHE evaluation method for decision trees and we extend the proposed method for random forests. Each decision tree is evaluated as a single lookup table, and voting is performed at the level of groups of decision trees in the random forest. We provide both theoretical and experimental evaluations for the proposed method. The aim is to minimize the performance degradation introduced by the encrypted model compared to a plaintext model while also obtaining practical classification times. In our experiments with the proposed MKHE random forest evaluation method, we obtained minimal (less than 0.6%) impact on the main ML performance metrics considered for each scenario, while also achieving reasonable classification times (of the order of seconds). [ABSTRACT FROM AUTHOR]

Published

2024

6. A voting gray wolf optimizer-based ensemble learning models for intrusion detection in the Internet of Things.

Author

Saheed, Yakub Kayode and Misra, Sanjay

Subjects

*INTRUSION detection systems (Computer security), *GREY Wolf Optimizer algorithm, *WOLVES, *MACHINE learning, *INTERNET of things, *FEATURE selection

Abstract

The Internet of Things (IoT) has garnered considerable attention from academic and industrial circles as a pivotal technology in recent years. The escalation of security risks is observed to be associated with the growing interest in IoT applications. Intrusion detection systems (IDS) have been devised as viable instruments for identifying and averting malicious actions in this context. Several techniques described in academic papers are thought to be very accurate, but they cannot be used in the real world because the datasets used to build and test the models do not accurately reflect and simulate the IoT network. Existing methods, on the other hand, deal with these issues, but they are not good enough for commercial use because of their lack of precision, low detection rate, receiver operating characteristic (ROC), and false acceptance rate (FAR). The effectiveness of these solutions is predominantly dependent on individual learners and is consequently influenced by the inherent limitations of each learning algorithm. This study introduces a new approach for detecting intrusion attacks in an IoT network, which involves the use of an ensemble learning technique based on gray wolf optimizer (GWO). The novelty of this study lies in the proposed voting gray wolf optimizer (GWO) ensemble model, which incorporates two crucial components: a traffic analyzer and a classification phase engine. The model employs a voting technique to combine the probability averages of the base learners. Secondly, the combination of feature selection and feature extraction techniques is to reduce dimensionality. Thirdly, the utilization of GWO is employed to optimize the parameters of ensemble models. Similarly, the approach employs the most authentic intrusion detection datasets that are accessible and amalgamates multiple learners to generate ensemble learners. The hybridization of information gain (IG) and principal component analysis (PCA) was employed to reduce dimensionality. The study utilized a novel GWO ensemble learning approach that incorporated a decision tree, random forest, K-nearest neighbor, and multilayer perceptron for classification. To evaluate the efficacy of the proposed model, two authentic datasets, namely, BoT-IoT and UNSW-NB15, were scrutinized. The GWO-optimized ensemble model demonstrates superior accuracy when compared to other machine learning-based and deep learning models. Specifically, the model achieves an accuracy rate of 99.98%, a DR of 99.97%, a precision rate of 99.94%, an ROC rate of 99.99%, and an FAR rate of 1.30 on the BoT-IoT dataset. According to the experimental results, the proposed ensemble model optimized by GWO achieved an accuracy of 100%, a DR of 99.9%, a precision of 99.59%, an ROC of 99.40%, and an FAR of 1.5 when tested on the UNSW-NB15 dataset. [ABSTRACT FROM AUTHOR]

Published

2024

7. A computationally efficient dimensionality reduction and attack classification approach for network intrusion detection.

Author

Patel, N. D., Mehtre, B. M., and Wankar, Rajeev

Subjects

*INTRUSION detection systems (Computer security), *COMPUTER network traffic, *MACHINE learning, *FEATURE selection, *SYSTEM administrators, *CLASSIFICATION

Abstract

An intrusion detection system (IDS) is a system that monitors network traffic for malicious activity and generates alerts. In anomaly-based detection, machine learning (ML) algorithms exploit various statistical and probabilistic methods to learn from past or historical experience and detect valuable patterns from large, unstructured, and complex datasets. ML-based network intrusion detection aims to identify malicious behavior and alert a system administrator when an intruder tries to penetrate the network. This paper deals with the study, strategic construction, and implementation of a network intrusion detection model based on ML methods. Among the available IDS datasets, five of the most relevant are chosen for the experimental analysis, which are NSL-KDD-2009, CIC-IDS2017, CIC-IDS2018, IoTID20, and UNSW-NB15 datasets. In order to reduce the computation time in the training sample and achieve computational complexity O (N 2.38 ± δ) , we propose a computationally efficient and feasible algorithmic framework for analyzing the network traffic data. The developed approach mainly consists of two phases, i.e., "Scatter Matrices and Eigenvalue Computation based feature Selection" and "Classification procedure for the reduced dimension data." Experimental evaluation of various test case scenarios for the chosen datasets is carried out in the simulation setting. It is observed that the test results outperform the existing intrusion detection methods for detecting certain attack categories. [ABSTRACT FROM AUTHOR]

Published

2024

8. Enhancing detection of malicious profiles and spam tweets with an automated honeypot framework powered by deep learning.

Author

El Mendili, Fatna, Fattah, Mohammed, Berros, Nisrine, Filaly, Youness, and El Bouzekri El Idrissi, Younès

Subjects

*SPAM email, *DEEP learning, *CONVOLUTIONAL neural networks, *MACHINE learning, *RECOMMENDER systems, *SOCIAL networks

Abstract

Social networks are widely used platforms for sharing various information and content, including text, images, and videos.The main challenge in social networking today is the verification of data credibility and the identification of genuine social media profiles. Cybercriminals take advantage of this by utilizing fake profiles to disseminate false information. However, current research mainly concentrates on spam filtering and analyzing malicious behavior separately, disregarding the interrelated nature of these issues. We propose a more desirable global, hybrid solution that encompasses both malicious profile detection and spam detection to mitigate the spread of spam effectively. This paper offers a deep learning-based method for detecting malicious profiles and spam tweets. For the profiles to interact with them as legitimate profiles, we first provide the detection of fake profiles using an automated honeypot. Next, we detect those who make interactions as malicious profiles, and finally, we collect their shared content to find spam tweets using a convolution neural network algorithm. We suggest using collaborative filtering and content filtering algorithms from recommender systems to define accounts similar to harmful profiles and spam similar to spam material picked up by convolution neural networks. We get a highly compelling and intriguing outcome with higher accuracy (99.23%) and lesser loss than typical learning algorithms. [ABSTRACT FROM AUTHOR]

Published

2024

9. Security bug reports classification using fasttext.

Author

Alqahtani, Sultan S.

Subjects

*TEXT mining, *COMPUTER software developers, *MACHINE learning, *COMPUTER security vulnerabilities, *CLASSIFICATION

Abstract

Software developers and maintainers must address security bug reports (SBRs) before they are publicly disclosed, and their system is left vulnerable to attack. Bug tracking systems may contain securities-related reports which are unlabeled as SBRs, which makes it hard for developers to identify them. Therefore, finding unlabeled SBRs is an essential to help security expert developers identify these security issues fast and accurately. The goal of this paper is to aid software developers to better classify bug reports that identify security vulnerabilities as security bug reports through fasttext classifier. Previous work has applied text analytics and machine learning learners to classify which bug reports are security related. We improve on that work, as shown by our analysis of five open-source projects. We first collected a dataset of 45,940 bug reports from five software repositories (e.g., the work of Peters et al. and Shu et al.). Second, we conducted an experiment throughout the classification of SBRs using machine learning technique; particularly, we built fasttext classifiers. Finally, we investigated the accuracy of our built fasttext classifiers in identifying SBRs. Our experiment results show that our fasttext classifier can achieve an average F1 score of 0.81 when used to identify SBRs. Furthermore, we examined the generalizability of identifying SBRs by applying cross-project validation, and our results showed that the fasttext classifier is able to achieve an average F1 score values of 0.65. Finally, we made our data and results available at Alqahtani (fasttext implementation, 2023. https://github.com/isultane/fasttext%5fclassifications) to help the replication of our work. [ABSTRACT FROM AUTHOR]

Published

2024

10. Exploring the potential of deep learning and machine learning techniques for randomness analysis to enhance security on IoT.

Author

Ince, Kenan

Subjects

*DEEP learning, *MACHINE learning, *INTERNET of things, *PROCESS capability, *BINARY sequences, *EDGE computing

Abstract

The Internet of Things (IoT) is an incredibly growing technology. However, due to hardware inadequacy, IoT security is not improving to the same extent. For this reason, lightweight encryption algorithms have begun to be developed. This paper presents a method for assessing the security of Pseudorandom Number Generator (PRNG) generated binary sequences in a reasonable time using a pre-trained deep learning (DL) model. Due to their long execution times, Randomness Test Standards (RTSs) that include statistical tests that examine whether the sequences generated by PRNGs contain any patterns that cause cryptographic vulnerabilities are not suitable for running on edge devices with low processing capacities such as the IoT. We argue that every random sequence, even generated by a PRNGs that are classified as cryptographically secure, utilized in cryptographic applications should be used after successful results obtained from RTSs in every time. Therefore, an alternative method based on machine learning has been proposed to overcome the processing time problem of these test suites. The most utilized RTSs are NIST 800-22 Rev.1a, GB/T 32915-2016 and AIS 20/31. The 800-22 Rev.1a, which NIST has designated as a standard, has been observed to be the most referenced test standard in the literature. With this implementation, we sought to show that 15 statistical tests of the NIST 800-22 rev.1a environment can be modeled using DL. The application findings indicate that this modeling can serve as an alternative to the existing test environments. The average accuracy recorded throughout 15 tests was 98.64 percent. As a result, the trained model can be implemented even in edge computing devices with limited capability including IoTs. [ABSTRACT FROM AUTHOR]

Published

2024

11. Fairness as a Service (FaaS): verifiable and privacy-preserving fairness auditing of machine learning systems.

Author

Toreini, Ehsan, Mehrnezhad, Maryam, and van Moorsel, Aad

Subjects

*MACHINE learning, *FAIRNESS, *AUDITING, *INSTRUCTIONAL systems, *TRUST, *NETWORK governance

Abstract

Providing trust in machine learning (ML) systems and their fairness is a socio-technical challenge, and while the use of ML continues to rise, there is lack of adequate processes and governance practices to assure their fairness. In this paper, we propose FaaS, a novel privacy-preserving, end-to-end verifiable solution, that audits the algorithmic fairness of ML systems. FaaS offers several features, which are absent from previous designs. The FAAS protocol is model-agnostic and independent of specific fairness metrics and can be utilised as a service by multiple stakeholders. FAAS uses zero knowledge proofs to assure the well-formedness of the cryptograms and provenance in the steps of the protocol. We implement a proof of concept of the FaaS architecture and protocol using off-the-shelf hardware, software, and datasets and run experiments to demonstrate its practical feasibility and to analyse its performance and scalability. Our experiments confirm that our proposed protocol is scalable to large-scale auditing scenarios (e.g. over 1000 participants) and secure against various attack vectors. [ABSTRACT FROM AUTHOR]

Published

2024

12. BAPRP: a machine learning approach to blackhole attacks prevention routing protocol in vehicular Ad Hoc networks.

Author

Luong, Ngoc T. and Hoang, Doan

Subjects

*MACHINE learning, *NETWORK routing protocols, *AD hoc computer networks, *CLASSIFICATION algorithms, *K-nearest neighbor classification, *BLACK holes

Abstract

One of the network performance challenges of Vehicular Ad Hoc Networks (VANET) is the Black Hole attack. This destructive attack severely damages the network performance if succeeded. By replying to a route request with the minimum routing cost and the maximum sequence number (SN) value, the malicious vehicle can fool the source vehicle that it has the "freshest" and best cost-effective route to the destination vehicle. As a result, all data packets intended to a legitimate destination are caught and destroyed by the malicious vehicle. This may also cause a serious risk for autonomous vehicle control system or traffic warning applications. Previous published malicious detection algorithms suffer high error rates when the malicious node uses a "close-to-legitimate" SN value to attack or actively change the information in the route reply packet. This paper proposes a Black Hole Attack Detection Algorithm (BADA) based on a machine learning approach. In VANETs, it is a challenge to differentiate the behavior of malicious vehicles as they try to avoid detection by imitating that of the normal vehicles. The BADA classification algorithm outperforms existing solutions because it relies on the history of each vehicle's route request and response behavior, and it deploys the k-Nearest Neighbors machine learning algorithm to identify malicious vehicles. The paper also proposes a Black hole Attack Detection Routing Protocol which utilizes the proposed BADA solution to realize a more secured and improved AODV-based protocol. Using the NS2 simulation system, the paper evaluates the performance of the proposed protocol and compares it with related solutions on the traffic network model in Ho Chi Minh city, Vietnam under black hole attacks using minimum SN values. Simulation results have shown that the proposed algorithm can correctly detect the malicious node higher than 99.0%, outperforming previously published algorithms. [ABSTRACT FROM AUTHOR]

Published

2023

13. Short- versus long-term performance of detection models for obfuscated MSOffice-embedded malware.

Author

Viţel, Silviu, Lupaşcu, Marilena, Gavriluţ, Dragoş Teodor, and Luchian, Henri

Subjects

*MACHINE learning, *ARTIFICIAL neural networks, *RANDOM forest algorithms, *DECISION trees, *MALWARE

Abstract

This paper analyzes the efficiency of various machine learning models (artificial neural networks, random forest, decision tree, AdaBoost and XGBoost) against the evolution of VBA-based (Visual Basic for Applications) malware over a large period of time (1995–2021). The file set used in our research is comprehensive—approximately 1.9 million files (out of which 944,595 are malicious and the rest are benign)—which allowed to gain insights on the resilience of various machine learning models against the diversity and the evolution of file features that reflect obfuscation techniques in VBA-based malware. In studying detection of VBA-based malware, we focus on characteristics of both the classifiers—proactivity (short-term detection efficiency against future malware), endurance (long-term detection robustness)—and of the detection-wise relevant file features—feature perishability (dynamics of feature relevance). We also describe in some detail—as a prerequisite of the study—various obfuscation techniques used by the malware under investigation during the last decade. [ABSTRACT FROM AUTHOR]

Published

2024

14. Securing MQTT protocol for IoT environment using IDS based on ensemble learning.

Author

Zeghida, Hayette, Boulaiche, Mehdi, and Chikh, Ramdane

Subjects

*INTERNET of things, *MACHINE learning, *STATISTICAL correlation, *DECISION making, *PUBLIC spaces

Abstract

Nowadays, the world of the Internet of Things (IoT) enables machines to communicate, collect data, and even make decisions which improve significantly daily human life. However, the proliferation of IoT devices coupled with their inherent vulnerabilities makes them highly exposed to cyber-attacks such as network disruptions or Denial of Service (DoS) attacks. Traditional detection methods based on a single machine learning (ML) technique may not be fully efficient due to the sophistication level and the variety of attacks. In this paper, we propose an intrusion detection model based on ensemble learning (EL) trained using a recent public dataset containing various MQTT attacks. EL is a powerful machine learning (ML) technique that consists of training several ML models independently on random subsets of the training data and then averages the predictions to produce the final result. Basically, we propose the use of three known ensemble learning methods, namely bagging, boosting, and stacking. EL principles allow increasing prediction performances by integrating the capabilities of numerous distinct models. In order to train and test the proposed model, we also propose generating a binary balanced MQTT dataset rather than using imbalanced one as usually used in previous work. To the best of our knowledge, the work in this paper is the first that applies ensemble learning method on this MQTT dataset. The experiment results have shown that our EL-based network IDS increases both the detection accuracy and F1-score up to 95% where Matthews's correlation coefficient (MCC) exceeds 90%. [ABSTRACT FROM AUTHOR]

Published

2023

15. From zero-shot machine learning to zero-day attack detection.

Author

Sarhan, Mohanad, Layeghy, Siamak, Gallagher, Marcus, and Portmann, Marius

Subjects

*MACHINE learning, *EVALUATION methodology

Abstract

Machine learning (ML) models have proved efficient in classifying data samples into their respective categories. The standard ML evaluation methodology assumes that test data samples are derived from pre-observed classes used in the training phase. However, in applications such as Network Intrusion Detection Systems (NIDSs), obtaining data samples of all attack classes to be observed is challenging. ML-based NIDSs face new attack traffic known as zero-day attacks that are not used in training due to their non-existence at the time. Therefore, this paper proposes a novel zero-shot learning methodology to evaluate the performance of ML-based NIDSs in recognising zero-day attack scenarios. In the attribute learning stage, the learning models map network data features to semantic attributes that distinguish between known attacks and benign behaviour. In the inference stage, the models construct the relationships between known and zero-day attacks to detect them as malicious. A new evaluation metric is defined as Zero-day Detection Rate (Z-DR) to measure the effectiveness of the learning model in detecting unknown attacks. The proposed framework is evaluated using two key ML models and two modern NIDS data sets. The results demonstrate that for certain zero-day attack groups discovered in this paper, ML-based NIDSs are ineffective in detecting them as malicious. Further analysis shows that attacks with a low Z-DR have a significantly distinct feature distribution and a higher Wasserstein Distance range than the other attack classes. [ABSTRACT FROM AUTHOR]

Published

2023

16. DNS exfiltration detection in the presence of adversarial attacks and modified exfiltrator behaviour.

Author

Žiža, Kristijan, Tadić, Predrag, and Vuletić, Pavle

Subjects

*INTERNET domain naming system, *SCIENTIFIC community

Abstract

The Domain Name System (DNS) exfiltration is an activity in which an infected device sends data to the attacker's server by encoding it in DNS request messages. Because of the frequent use of DNS exfiltration for malicious purposes, exfiltration detection gained attention from the research community which proposed several predominantly machine learning-based methods. The majority of previous studies used publicly available DNS exfiltration tools with the default configuration parameters, resulting in datasets created from DNS exfiltration requests that are usually significantly longer, have more DNS name labels, and higher character entropy than average regular DNS requests. This further led to overly optimistic detection rates. In this paper, we have explored some of the strategies an attacker could use to avoid exfiltration detection. First, we have explored the impact of DNS exfiltration tools' parameter variation on the exfiltration detection accuracy. Second, we have modified the DNSExfiltrator tool to produce exfiltration requests which have significantly lower character entropy. This approach proved to be capable of deceiving classifiers based on single DNS request features. Only around 1% of modified DNS requests shorter or equal to 9 bytes, and less than one third of DNS exfiltration requests in the overall population were accurately detected. In addition, we present a methodology and an aggregated feature set (including inter-request timing statistics) which can be used for accurate DNS exfiltration in this kind of adversarial settings. [ABSTRACT FROM AUTHOR]

Published

2023

17. Malware classification approaches utilizing binary and text encoding of permissions.

Author

Zyout, Mo'ath, Shatnawi, Raed, and Najadat, Hassan

Subjects

*MALWARE, *SUPPORT vector machines, *MOBILE apps, *ENCODING, *TEXT processing (Computer science), *CLASSIFICATION

Abstract

With the advancement of smartphone technology, the development of mobile applications is rapidly growing. These apps are designed to help mobile users with a variety of everyday tasks, such as e-commerce and online services. Because these applications are widely used, they are susceptible to malicious user attacks. As a result, new challenges have emerged, such as the inability to differentiate between benign and malicious malware applications. This paper proposes two methods for classifying mobile applications into either benign or malicious: 1D convolution (Conv1d) and long short-term memory (LSTM). The suggested approaches use two encoding techniques, namely binary and text encoding, which were applied to the Android permissions of each application. In addition, the support vector machine and K-nearest-neighbor classifiers are reported as well. The two primary approaches were tested on the well-known CICMalDroid2020 dataset. Conv1d and LSTM with text encoding performed the best in terms of precision and accuracy (98.16%, 97.72%, and 96.63%, 96.69%, respectively). When compared with the Mal-Prem dataset, the Conv1d on binary classification beat the LSTM model. [ABSTRACT FROM AUTHOR]

Published

2023

18. Adversarial attacks against mouse- and keyboard-based biometric authentication: black-box versus domain-specific techniques.

Author

López, Christian, Solano, Jesús, Rivera, Esteban, Tengana, Lizzy, Florez-Lozano, Johana, Castelblanco, Alejandra, and Ochoa, Martín

Subjects

*BIOMETRIC identification, *MACHINE learning, *MICE, *BIOMETRY

Abstract

Adversarial attacks have recently gained popularity due to their simplicity, impact, and applicability to a wide range of machine learning scenarios. However, knowledge of a particular security scenario can be advantageous for adversaries to craft better attacks. In other words, in some scenarios, attackers may come up naturally with ad hoc black-box attack techniques inspired directly by problem space characteristics rather than using generic adversarial techniques. This paper explores an intuitive attack technique based on reusing legitimate user inputs and applying it to mouse-based behavioral biometrics and keyboard-based behavioral biometrics. Moreover, it compares the model's effectiveness against adversarial machine learning attacks, achieving attack success rates up to 87 and 86% for the mouse and keyboard settings, respectively. We show that attacks leveraging domain knowledge have higher transferability when applied to various machine-learning techniques and are more challenging to defend against. We also propose countermeasures against such attacks and discuss their effectiveness. [ABSTRACT FROM AUTHOR]

Published

2023

19. AIHGAT: A novel method of malware detection and homology analysis using assembly instruction heterogeneous graph.

Author

Wang, Runzheng, Gao, Jian, and Huang, Shuhua

Subjects

*COMPUTER network security, *FAMILY research, *MACHINE learning, *MALWARE, *FEATURE extraction

Abstract

At present, the trend of familiarization of malicious code is becoming more and more obvious, and the research on the homology of malware (the classification of malicious code family) is of great significance for maintaining network security. In order to better express the overall characteristics of malicious code and improve the effect of detection and homology analysis, this paper proposes a method for detection and homology analysis of malware based on heterogeneous graphs of assembly instructions (AIHGAT). We take the assembly instructions of malicious families as the research object and analyze the importance and correlation of assembly instructions of different malicious families. The malware detection and homology analysis are carried out in three aspects: feature extraction, feature preprocessing, and model construction. In the feature extraction of malicious code, in order to alleviate the problem that it is difficult to extract static features of malicious samples that contain countermeasures such as packing and obfuscation, we obtain binary files from dynamic memory through sandbox and then, analyze its assembly instruction set. In feature preprocessing, we divide the assembly instructions into N-tuples and construct a heterogeneous graph based on assembly instructions according to the internal correlation of the gene sequence composed of the assembly N-grams features. Finally, in terms of model construction, we analyze the homology determination effect of the traditional graph neural network and construct the Graph Attention Network based on residual connection named ResGAT to analyze the homology of malicious code. The experimental results show that the ResGAT can gather the core characteristics of malicious families and enhance the ability to recognize malicious family variants. Our model has an accuracy rate of 98.83%, which is better than traditional machine learning detection methods, and can effectively determine the homology of malicious code families. [ABSTRACT FROM AUTHOR]

Published

2023

20. cFEM: a cluster based feature extraction method for network intrusion detection.

Author

Mazumder, Md. Mumtahin Habib Ullah, Kadir, Md. Eusha, Sharmin, Sadia, Islam, Md. Shariful, and Alam, Muhammad Mahbub

Subjects

*FEATURE extraction, *INTRUSION detection systems (Computer security), *COMPUTER network traffic, *FEATURE selection, *MACHINE learning, *TRAFFIC flow

Abstract

The recent trend in network intrusion detection leverages key features of machine learning (ML) algorithms to detect network traffic anomalies. Network traffic flows contain high dimensional features which significantly affect data-driven approaches. Therefore, the performance of ML-based approaches mainly depends on the appropriate set of features of network data. Different feature selection and extraction methods are extensively employed to attain the informative and compact set of features. Existing methods often suffer from achieving the expected performance due to the lacking of effectively removing redundant features as well as incorporating features with complementary information. In this paper, we present a cluster-based feature extraction method using Mahalanobis distance (cFEM) that clusters the correlated features and extracts new feature representations based on a distance metric. The extracted features on the transformed dimensions are employed to train different machine learning classifiers. We conducted extensive experiments using three renowned datasets. The results show that cFEM outperforms the state-of-the-art intrusion detection methods in several performance metrics such as detection rate (99.61%) and false alarm rate (0.26%). Further experiments on extracted features show that our extracted features are discriminative, free of redundancy, and able to capture complementary information. [ABSTRACT FROM AUTHOR]

Published

2023

21. A unit-based symbolic execution method for detecting memory corruption vulnerabilities in executable codes.

Author

Baradaran, Sara, Heidari, Mahdi, Kamali, Ali, and Mouzarani, Maryam

Subjects

*COMPUTER security vulnerabilities, *CORRUPTION, *MEMORY, *MACHINE learning

Abstract

Memory corruption is a serious class of software vulnerabilities, which requires careful attention to be detected and removed from applications before getting exploited and harming the system users. Symbolic execution is a well-known method for analyzing programs and detecting various vulnerabilities, e.g., memory corruption. Although this method is sound and complete in theory, it faces some challenges, such as path explosion, when applied to real-world complex programs. In this paper, we present a method for improving the efficiency of symbolic execution and detecting four classes of memory corruption vulnerabilities in executable codes, i.e., heap-based buffer overflow, stack-based buffer overflow, use-after-free, and double-free. We perform symbolic execution only on test units rather than the whole program to lower the chance of path explosion. In our method, test units are considered parts of the program's code, which might contain vulnerable statements and are statically identified based on the specifications of memory corruption vulnerabilities. Then, each test unit is symbolically executed to calculate path and vulnerability constraints for each statement of the unit, which determine the conditions on unit input data for executing that statement or activating vulnerabilities in it, respectively. Solving these constraints gives us input values for the test unit, which execute the desired statements and reveal vulnerabilities in them. Finally, we use machine learning to approximate the correlation between system and unit input data. Thereby, we generate system inputs that enter the program, reach vulnerable instructions in the desired test unit, and reveal vulnerabilities in them. This method is implemented as a plug-in for angr framework and evaluated using a group of benchmark programs. The experiments show its superiority over similar tools in accuracy and performance. [ABSTRACT FROM AUTHOR]

Published

2023

22. Malicious website identification using design attribute learning.

Author

Naim, Or, Cohen, Doron, and Ben-Gal, Irad

Subjects

*WEBSITES, *WEB design, *REPUTATION

Abstract

Malicious websites pose a challenging cybersecurity threat. Traditional tools for detecting malicious websites rely heavily on industry-specific domain knowledge, are maintained by large-scale research operations, and result in a never-ending attacker–defender dynamic. Malicious websites need to balance two opposing requirements to successfully function: escaping malware detection tools while attracting visitors. This fundamental conflict can be leveraged to create a robust and sustainable detection approach based on the extraction, analysis, and learning of design attributes for malicious website identification. In this paper, we propose a next-generation algorithm for extended design attribute learning that learns and analyzes web page structures, content, appearances, and reputation to detect malicious websites. Results from a large-scale experiment that was conducted on more than 35,000 websites suggest that the proposed algorithm effectively detects more than 83% of all malicious websites while maintaining a low false-positive rate of 2%. In addition, the proposed method can incorporate user feedback and flag new suspicious websites and thus can be effective against zero-day attacks. [ABSTRACT FROM AUTHOR]

Published

2023

23. Early web application attack detection using network traffic analysis.

Author

Rajić, Branislav, Stanisavljević, Žarko, and Vuletić, Pavle

Subjects

*WEB-based user interfaces, *SUPERVISED learning, *MACHINE learning, *HTTP (Computer network protocol), *INTERNET traffic, *TRAFFIC monitoring, *COMPUTER networks, *SCANNING systems

Abstract

The number of deployed web applications and the number of web-based attacks in the last decade are constantly increasing. One group of tools that gained the attention of cyber security specialists are Dynamic Application Security Testing (DAST) tools, which is used to assess the security posture of web applications. DAST tools have similar purpose for web applications as network scanners and mappers have for local networks and computers—to scan web applications, enumerate as much as possible information from them and this way potentially reveal existing vulnerabilities. The tools are not only used by security analysts but also by the attackers in the reconnaissance and enumeration phases of the attack. This paper analyses DAST tools' network behaviour patterns, characteristic features that distinguish them from other traffic and methods to detect their operation using classical supervised machine learning methods. Unlike most of the work related to web application security and web application attack detection, which relies on HTTP logs, the research presented here is based on network traffic traces and flow statistics. This allows malicious scanning detection on the network traffic path even in the case of encrypted web traffic. Experimental results show that an accurate and reliable detection of four analysed DAST tools, ZAP, Nikto, Vega and Arachni, is possible. Flow classification of the existing DAST tools has high precision because DAST tools still do not deploy any mechanisms to hide their operation and mimic web application browsing by human users. Additionally, the paper contains an analysis of fast malicious behaviour detection through an analysis of the detection of malicious behaviour, while the flows are still active. The experimental results show that it is possible to detect malicious behaviour with a relatively high accuracy after only 15 packets in a flow. [ABSTRACT FROM AUTHOR]

Published

2023

24. Causal effect analysis-based intrusion detection system for IoT applications.

Author

Bhaskara, Srividya and Rathore, Santosh Singh

Subjects

*CAUSAL inference, *MACHINE learning, *BAYESIAN analysis, *INTERNET of things, *ARTIFICIAL intelligence, *INTRUSION detection systems (Computer security), *PREDICTION models

Abstract

Intrusion detection systems (IDSs) are employed at various levels in the network to either detect or prevent an intrusion that could cause irrecoverable data damage in IoT applications. Nowadays, different machine learning (ML) and artificial intelligence techniques are used to develop prediction models for IDS. However, existing ML-based detection models mostly rely on associative features to determine the relationship between attacks and traffic variables. These features failed to discern correlation from causality, and thus, many times, they generated poor performance on the testing data. The method of drawing causal inferences can be helpful to researchers in focusing on the causes of the intrusion rather than the correlation of the attributes, which provide only limited information. However, the method of drawing causal inferences has few to no implementations in the IDS. This paper explores using a causal analysis method, the Bayesian causal network for the IDS, and attempts to determine the significant attributes that can lead to an accurate prediction model for the IDS. The presented causal inference method is validated via an experimental analysis of the message queuing telemetry transport protocol dataset. The result shows that the Bayesian network implementation of causal inference has achieved an average accuracy, precision, recall, and F1-score of 99.8%, 99.4%, 98.89%, and 99.13%, respectively, for different considered attack scenarios. The analysis of the results shows that the performance of the presented method is equivalent to or better than other machine learning solutions. [ABSTRACT FROM AUTHOR]

Published

2023

25. Phish-Sight: a new approach for phishing detection using dominant colors on web pages and machine learning.

Author

Pandey, Pankaj and Mishra, Nishchol

Subjects

*WEBSITES, *MACHINE learning, *PHISHING, *INTERNET traffic, *UNIFORM Resource Locators, *RANDOM forest algorithms, *PHISHING prevention

Abstract

Phishing is one of the most dangerous threats in which a hacker imitates a person, company or government agency to lure and deceive their victims. Machine learning anti-phishing solutions are gaining popularity nowadays. However, most anti-phishing solutions rely heavily on features extracted from third-party services such as whois services, DNS search, and web traffic. As a result, they are slow and require a lot of computing resources. This paper introduces a machine-learning-based framework: Phish-Sight that detects phishing websites through a visual inspection strategy. Phish-Sight uses dominant color features and highly targeted popular brand names embedded in URLs' web pages with machine learning techniques to detect phishing web pages. Prediction performance of the dominant color features and popular brand names from web pages was investigated using five machine learning algorithms. The Random Forest algorithm surpassed the others, with a 98.43% true positive rate and 99.13% accuracy in detecting phishing frauds. The prediction run time per web page measured at 7.6 s suggests that Phish-Sight has potential for real-time applications. [ABSTRACT FROM AUTHOR]

Published

2023

26. Random resampling algorithms for addressing the imbalanced dataset classes in insider threat detection.

Author

Al-Shehari, Taher and Alsowail, Rakan A.

Subjects

*MACHINE learning, *LEAK detection, *ALGORITHMS, *STATISTICAL sampling, *SAMPLING (Process)

Abstract

Cybersecurity threats can be perpetrated by insiders or outsiders. The threats that could be carried out by insiders are far more serious due to their privileged access, which they may use to cause financial loss and reputation harm for an organization. Thus, insider threats represent a major cybersecurity challenge for private and government organizations. Researchers and cybersecurity practitioners have proposed different approaches for detecting and mitigating insider threats, but they face many challenges (e.g., dataset availability and the highly imbalanced classes of the available dataset). Because the shortcoming of an insider threat dataset, the benchmarking dataset given by The Computer Emergency Response Team (CERT) was used to validate the majority of the insider threat detection approaches. The CERT dataset of insider threat is extremely imbalanced, and hence, once utilized to validate an insider threat detection model, the detection results may be biased and inaccurate. Such imbalance issue of the CERT dataset is ignored by most existing approaches of insider threat detection. As result, effective model is required to detect insider data leakage incidents from an imbalanced dataset more precisely. In this paper an insider data leakage detection model is proposed to leverage various random sampling techniques and well-known machine learning algorithms to deal with the dataset's extremely imbalanced classes. We evaluate the model on CERT r4.2 insider threat dataset utilizing different sampling techniques, and then compare its performance with the baseline and existing work. The empirical results show that by resolving the imbalanced dataset issue, our model enhances the detection performance of insider data leakage events by surpassing existing approaches. [ABSTRACT FROM AUTHOR]

Published

2023

27. Defense against membership inference attack in graph neural networks through graph perturbation.

Author

Wang, Kai, Wu, Jinxia, Zhu, Tianqing, Ren, Wei, and Hong, Ying

Subjects

*REPRESENTATIONS of graphs, *MACHINE learning, *FUZZY graphs, *PRIVACY

Abstract

Graph neural networks have demonstrated remarkable performance in learning node or graph representations for various graph-related tasks. However, learning with graph data or its embedded representations may induce privacy issues when the node representations contain sensitive or private user information. Although many machine learning models or techniques have been proposed for privacy preservation of traditional non-graph structured data, there is limited work to address graph privacy concerns. In this paper, we investigate the privacy problem of embedding representations of nodes, in which an adversary can infer the user's privacy by designing an inference attack algorithm. To address this problem, we develop a defense algorithm against white-box membership inference attacks, based on perturbation injection on the graph. In particular, we employ a graph reconstruction model and inject a certain size of noise into the intermediate output of the model, i.e., the latent representations of the nodes. The experimental results obtained on real-world datasets, along with reasonable usability and privacy metrics, demonstrate that our proposed approach can effectively resist membership inference attacks. Meanwhile, based on our method, the trade-off between usability and privacy brought by defense measures can be observed intuitively, which provides a reference for subsequent research in the field of graph privacy protection. [ABSTRACT FROM AUTHOR]

Published

2023

28. Adversarial security mitigations of mmWave beamforming prediction models using defensive distillation and adversarial retraining.

Author

Kuzlu, Murat, Catak, Ferhat Ozgur, Cali, Umit, Catak, Evren, and Guler, Ozgur

Subjects

*ARTIFICIAL neural networks, *DEEP learning, *ARTIFICIAL intelligence, *MACHINE learning, *BEAMFORMING, *PREDICTION models

Abstract

The design of a security scheme for beamforming prediction is critical for next-generation wireless networks (5G, 6G, and beyond). However, there is no consensus about protecting beamforming prediction using deep learning algorithms in these networks. This paper presents the security vulnerabilities in deep learning for beamforming prediction using deep neural networks in 6G wireless networks, which treats the beamforming prediction as a multi-output regression problem. It is indicated that the initial DNN model is vulnerable to adversarial attacks, such as Fast Gradient Sign Method , Basic Iterative Method , Projected Gradient Descent , and Momentum Iterative Method , because the initial DNN model is sensitive to the perturbations of the adversarial samples of the training data. This study offers two mitigation methods, such as adversarial training and defensive distillation, for adversarial attacks against artificial intelligence-based models used in the millimeter-wave (mmWave) beamforming prediction. Furthermore, the proposed scheme can be used in situations where the data are corrupted due to the adversarial examples in the training data. Experimental results show that the proposed methods defend the DNN models against adversarial attacks in next-generation wireless networks. [ABSTRACT FROM AUTHOR]

Published

2023

29. HTTPScout: A Machine Learning based Countermeasure for HTTP Flood Attacks in SDN.

Author

Mohammadi, Reza, Lal, Chhagan, and Conti, Mauro

Subjects

*DENIAL of service attacks, *HTTP (Computer network protocol), *MACHINE learning, *SOFTWARE-defined networking, *INTERNET servers, *TRAFFIC flow

Abstract

Nowadays, the number of Distributed Denial of Service (DDoS) attacks is growing rapidly. The aim of these type of attacks is to make the prominent and critical services unavailable for legitimate users. HTTP flooding is one of the most common DDoS attacks and because of its implementation in application layer, it is difficult to detect and prevent by the current defense mechanisms. This attack not only makes the web servers unavailable, but consumes the computational resources of the network equipment and congests communication links. Recently, the advent of Software Defined Networking (SDN) paradigm has enabled the network providers to detect and mitigate application layer DDoS attacks such as HTTP flooding. In this paper, we propose a defense mechanism named HTTPScout which leverages the benefits of SDN together with Machine Learning (ML) techniques to detect and mitigate HTTP flooding attack. HTTPScout is implemented as a security module in RYU controller and monitors the behavior of HTTP traffic flows. Upon detecting a malicious flow, it blocks the source of the attack at the edge switch and preserves the network resources from the adversarial effects of the attack. Simulation results confirm that HTTPScout brings a significant improvement of 64% in bandwidth consumption and 80% in the number of forwarding rules compared to normal SDN. [ABSTRACT FROM AUTHOR]

Published

2023

30. Applying NLP techniques to malware detection in a practical environment.

Author

Mimura, Mamoru and Ito, Ryo

Subjects

*NATURAL language processing, *MALWARE, *SUBSPECIES, *COMPUTERS, *MACHINE learning

Abstract

Executable files still remain popular to compromise the endpoint computers. These executable files are often obfuscated to avoid anti-virus programs. To examine all suspicious files from the Internet, dynamic analysis requires too much time. Therefore, a fast filtering method is required. With the recent development of natural language processing (NLP) techniques, printable strings became more effective to detect malware. The combination of the printable strings and NLP techniques can be used as a filtering method. In this paper, we apply NLP techniques to malware detection. This paper reveals that printable strings with NLP techniques are effective for detecting malware in a practical environment. Our dataset consists of more than 500,000 samples obtained from multiple sources. Our experimental results demonstrate that our method is effective to not only subspecies of the existing malware, but also new malware. Our method is effective against packed malware and anti-debugging techniques. [ABSTRACT FROM AUTHOR]

Published

2022

31. A study of machine learning-based models for detection, control, and mitigation of cyberbullying in online social media.

Author

Kumar, Raju and Bhat, Aruna

Subjects

*CYBERBULLYING, *SOCIAL media, *DEEP learning, *ACTIVE medium, *CYBERSPACE, *PREDICTION models

Abstract

Online social media (OSM) is an integral part of human life these days. Significantly, the young generation spends most of their time on social media in an active and passive state. The exponential growth of OSM has created an atmosphere of increased cybercrime. Although OSM provides a platform to connect people with similar thoughts and interests, it also exposes vulnerable users to mischievous elements in cyberspace. Social media connects and generates a massive amount of human activity-related data. However, the misuse of OSM introduces a novel way of expressing aggression and violence that exclusively happens online. In this research paper, we briefly discuss the background of Cyberbullying and the various machine and deep learning-based models incorporated to deal with it effectively. We also highlight the main challenges in designing a cyberbullying prediction model and address them. [ABSTRACT FROM AUTHOR]

Published

2022

32. IoT-oriented high-efficient anti-malware hardware focusing on time series metadata extractable from inside a processor core.

Author

Koike, Kazuki, Kobayashi, Ryotaro, and Katoh, Masahiko

Subjects

*ANTI-malware (Computer software), *TIME series analysis, *METADATA, *MACHINE learning, *MALWARE

Abstract

We aim to improve the efficiency of our previously proposed anti-malware hardware; it is a hardware-implemented malware detection mechanism that uses information inside the processor. We previously evaluated a prototype, but, due to its prototypical nature, there remain limitations, such as only detecting certain behaviors, high power consumption, and a tendency to bloat the training model. In this paper, we propose a circuit and a learning method to achieve high efficiency, low power consumption, and light weight for the model. In considering these three issues, we focus on time-series metadata obtained by transforming the processor information. To improve efficiency, we implement predictive detection to predict the behavior of metadata in the malware detection component. This lets the model detect malware within less than 19% of the number of execution cycles of the conventional method. To reduce power consumption, we implement a sampling circuit that interrupts the input to the detection circuit at regular intervals, reducing the system's uptime by 99% while maintaining judgment accuracy. Finally, for a light weight, we focus on the training process of the metadata generator based on a machine-learning model. By applying sampling learning and feature dimensionality reduction in the training process, a metadata generator approximately 16% smaller than the previous version is created. [ABSTRACT FROM AUTHOR]

Published

2022

33. MAPAS: a practical deep learning-based android malware detection system.

Author

Kim, Jinsung, Ban, Younghoon, Ko, Eunbyeol, Cho, Haehyun, and Yi, Jeong Hyun

Subjects

*DEEP learning, *CONVOLUTIONAL neural networks, *MALWARE, *MACHINE learning

Abstract

A lot of malicious applications appears every day, threatening numerous users. Therefore, a surge of studies have been conducted to protect users from newly emerging malware by using machine learning algorithms. Albeit existing machine or deep learning-based Android malware detection approaches achieve high accuracy by using a combination of multiple features, it is not possible to employ them on our mobile devices due to the high cost for using them. In this paper, we propose MAPAS, a malware detection system, that achieves high accuracy and adaptable usages of computing resources. MAPAS analyzes behaviors of malicious applications based on API call graphs of them by using convolution neural networks (CNN). However, MAPAS does not use a classifier model generated by CNN, it only utilizes CNN for discovering common features of API call graphs of malware. For efficiently detecting malware, MAPAS employs a lightweight classifier that calculates a similarity between API call graphs used for malicious activities and API call graphs of applications that are going to be classified. To demonstrate the effectiveness and efficiency of MAPAS, we implement a prototype and thoroughly evaluate it. And, we compare MAPAS with a state-of-the-art Android malware detection approach, MaMaDroid. Our evaluation results demonstrate that MAPAS can classify applications 145.8% faster and uses memory around ten times lower than MaMaDroid. Also, MAPAS achieves higher accuracy (91.27%) than MaMaDroid (84.99%) for detecting unknown malware. In addition, MAPAS can generally detect any type of malware with high accuracy. [ABSTRACT FROM AUTHOR]

Published

2022

34. Swarm-intelligence for the modern ICT ecosystems.

Author

Hatzivasilis, George, Lakka, Eftychia, Athanatos, Manos, Ioannidis, Sotiris, Kalogiannis, Grigoris, Chatzimpyrros, Manolis, Spanoudakis, George, Papastergiou, Spyros, Karagiannis, Stylianos, Alexopoulos, Andreas, Amelin, Dimitry, and Kiefer, Stephan

Abstract

Digitalization is continuing facilitating our daily lives. The world is interconnected as never before, bringing close people, businesses, or other organizations. However, hackers are also coming close. New business and operational models require the collection and processing of massive amounts of data in real-time, involving utilization of complex information systems, large supply-chains, personal devices, etc. These impose several advantages for adversaries on the one hand (e.g., poorly protected or monitored elements, slow fashion of security updates/upgrades in components that gain little attention, etc.), and many difficulties for defenders on the other hand (e.g., administrate large and complex systems with high dynamicity) in this cyber-security interplay. Impactful attacks on ICT systems, critical infrastructures, and supply networks, as well as cyber-warfare are deriving the necessity for more effective defensives. This paper presents a swarm-intelligence solution for incident handling and response. Cyber Threat Intelligence (CTI) is continuously integrated in the system (i.e., MISP, CVEs, STIX, etc.), and Artificial Intelligence (AI)/Machine Learning (ML) are incorporated in the risk assessment and event evaluation processes. Several incident handling and response sub-procedures are automated, improving effectiveness and decreasing response time. Information concerning identified malicious activity is circulated back to the community (i.e., via the MISP information sharing platform) in an open loop. The proposal is applied in the supply-chain of healthcare organizations in Europe (considering also EU data protection regulations). Nevertheless, it is a generic solution that can be applied in any domain. [ABSTRACT FROM AUTHOR]

Published

2024

35. A systematic review on research utilising artificial intelligence for open source intelligence (OSINT) applications.

Author

Browne, Thomas Oakley, Abedin, Mohammad, and Chowdhury, Mohammad Jabed Morshed

Abstract

This paper presents a systematic review to identify research combining artificial intelligence (AI) algorithms with Open source intelligence (OSINT) applications and practices. Currently, there is a lack of compilation of these approaches in the research domain and similar systematic reviews do not include research that post dates the year 2019. This systematic review attempts to fill this gap by identifying recent research. The review used the preferred reporting items for systematic reviews and meta-analyses and identified 163 research articles focusing on OSINT applications leveraging AI algorithms. This systematic review outlines several research questions concerning meta-analysis of the included research and seeks to identify research limitations and future directions in this area. The review identifies that research gaps exist in the following areas: Incorporation of pre-existing OSINT tools with AI, the creation of AI-based OSINT models that apply to penetration testing, underutilisation of alternate data sources and the incorporation of dissemination functionality. The review additionally identifies future research directions in AI-based OSINT research in the following areas: Multi-lingual support, incorporation of additional data sources, improved model robustness against data poisoning, integration with live applications, real-world use, the addition of alert generation for dissemination purposes and incorporation of algorithms for use in planning. [ABSTRACT FROM AUTHOR]

Published

2024

36. IoTvulCode: AI-enabled vulnerability detection in software products designed for IoT applications.

Author

Bhandari, Guru Prasad, Assres, Gebremariam, Gavric, Nikola, Shalaginov, Andrii, and Grønli, Tor-Morten

Abstract

The proliferation of the Internet of Things (IoT) paradigm has ushered in a new era of connectivity and convenience. Consequently, rapid IoT expansion has introduced unprecedented security challenges , among which source code vulnerabilities present a significant risk. Recently, machine learning (ML) has been increasingly used to detect source code vulnerabilities. However, there has been a lack of attention to IoT-specific frameworks regarding both tools and datasets. This paper addresses potential source code vulnerabilities in some of the most commonly used IoT frameworks. Hence, we introduce IoTvulCode - a novel framework consisting of a dataset-generating tool and ML-enabled methods for detecting source code vulnerabilities and weaknesses as well as the initial release of an IoT vulnerability dataset. Our framework contributes to improving the existing coding practices, leading to a more secure IoT infrastructure. Additionally, IoTvulCode provides a solid basis for the IoT research community to further explore the topic. [ABSTRACT FROM AUTHOR]

Published

2024

37. Defeating traffic analysis via differential privacy: a case study on streaming traffic.

Author

Zhang, Xiaokuan, Hamm, Jihun, Reiter, Michael K., and Zhang, Yinqian

Subjects

*PRIVACY, *MACHINE learning, *CITY traffic, *PHYSIOLOGICAL adaptation

Abstract

In this paper, we explore the adaption of techniques previously used in the domains of adversarial machine learning and differential privacy to mitigate the ML-powered analysis of streaming traffic. Our findings are twofold. First, constructing adversarial samples effectively confounds an adversary with a predetermined classifier but is less effective when the adversary can adapt to the defense by using alternative classifiers or training the classifier with adversarial samples. Second, differential-privacy guarantees are very effective against such statistical-inference-based traffic analysis, while remaining agnostic to the machine learning classifiers used by the adversary. We propose three mechanisms for enforcing differential privacy for encrypted streaming traffic and evaluate their security and utility. Our empirical implementation and evaluation suggest that the proposed statistical privacy approaches are promising solutions in the underlying scenarios [ABSTRACT FROM AUTHOR]

Published

2022

38. Evaluating differentially private decision tree model over model inversion attack.

Author

Park, Cheolhee, Hong, Dowon, and Seo, Changho

Subjects

*DECISION trees, *RIGHT of privacy, *MACHINE learning, *PRIVACY

Abstract

Machine learning techniques have been widely used and shown remarkable performance in various fields. Along with the widespread utilization of machine learning, concerns about privacy violations have been raised. Recently, as privacy invasion attacks on machine learning models have been reported, research on privacy-preserving machine learning has been conducted. In particular, in the field of differential privacy, which is the rigorous notion of privacy, various mechanisms have been proposed to preserve privacy of machine learning models. However, there is a lack of research that analyzes the relationship between the degree of privacy guarantee and substantial privacy breach attacks. In this paper, we analyze the relationship between differentially private models and privacy breach attacks according to the degree of privacy preservation and study how to set appropriate privacy parameters. In particular, we focus on the model inversion attack for decision trees and analyze various differentially private decision tree algorithms over the attack. Our main finding from investigating the trade-off between data privacy and model utility is that well-designed differentially private algorithms can significantly mitigate the substantial privacy invasion attack while preserving model utility. [ABSTRACT FROM AUTHOR]

Published

2022

39. An SSH predictive model using machine learning with web proxy session logs.

Author

Lee, Junwon and Lee, Heejo

Subjects

*MACHINE learning, *PREDICTION models, *SUPERVISED learning, *DEEP learning, *DECISION trees, *RANDOM forest algorithms

Abstract

An adversary can use SSH communication as a route for information leakage or hacking. Many studies have focused on TCP header analysis to detect encrypted communication. However, SSH detection using TCP header analysis is limited when changing TCP port information or modifying components of the SSH protocol. Various machine-learning (ML) techniques have been introduced to enhance network traffic classification by analyzing TCP headers. Most ML-based traffic classification research has analyzed network packet flows. However, because of the complex structures and the various implementations of the TCP protocol, a lot of time and resources are required for the recombination of network packet flows. This paper presents a novel contribution to overcome the problems of network packet analysis that employs web proxy session logs, which do not require the recombination of packets to prepare a dataset for analysis. Moreover, we propose a hybrid predictive model that is useful for web proxy session log analysis. In the modeling process, we collected the web proxy logs from an actual network of ICT companies (more than 10,000 employees, Seoul, South Korea) and used the random forest and decision tree algorithms for the supervised learning. The detection rate (DR) for the training dataset was 99.9%, which is similar to or higher than that of other studies using ML and deep learning. Using the dataset of DARPA99, we proved that the DR and FPR for our proposed model were better than those achieved by Alshammari et al.'s model. We expect that the proposed predictive model can be used to block illegal attempts at SSH communication over HTTP CONNECT by changing the destination port and to detect novel illegal communication protocols. [ABSTRACT FROM AUTHOR]

Published

2022

40. Machine learning approach to vulnerability detection in OAuth 2.0 authentication and authorization flow.

Author

Munonye, Kindson and Péter, Martinek

Subjects

*MACHINE learning, *WEB-based user interfaces, *SUPERVISED learning

Abstract

Technologies for integrating enterprise web applications have improved rapidly over the years. The OAuth framework provides authentication and authorization using the users' profile and credentials in an existing identity provider. This makes it possible for attackers to exploit any vulnerability arising from exchange of data with the provider. Vulnerability in OAuth authorization flow allows an attacker to alter the normal flow sequence of the OAuth protocol. In this paper, a machine learning-based approach was applied in the detection of potential vulnerability in the OAuth authentication and authorization flow by analyzing the relationship between changes in the OAuth parameters and the final output. This research models the OAuth protocol as a supervised learning problem where seven classification models were developed, tuned and evaluated. Exploratory Data Analytics (EDA) techniques were applied in the extraction and analysis of specific OAuth features so that each output class could be evaluated to determine the effect of the identified OAuth features. The models developed in this research were trained, tuned and tested. A performance accuracy above 90% was attained for detection of vulnerabilities in the OAuth authentication and authorization flow. Comparison with known vulnerability resulted in a 54% match. [ABSTRACT FROM AUTHOR]

Published

2022

41. The Agent Web Model: modeling web hacking for reinforcement learning.

Author

Erdődi, László and Zennaro, Fabio Massimo

Subjects

*COMPUTER hacking, *REINFORCEMENT learning, *WEBSITES, *MACHINE learning, *LEARNING problems

Abstract

Website hacking is a frequent attack type used by malicious actors to obtain confidential information, modify the integrity of web pages or make websites unavailable. The tools used by attackers are becoming more and more automated and sophisticated, and malicious machine learning agents seem to be the next development in this line. In order to provide ethical hackers with similar tools, and to understand the impact and the limitations of artificial agents, we present in this paper a model that formalizes web hacking tasks for reinforcement learning agents. Our model, named Agent Web Model, considers web hacking as a capture-the-flag style challenge, and it defines reinforcement learning problems at seven different levels of abstraction. We discuss the complexity of these problems in terms of actions and states an agent has to deal with, and we show that such a model allows to represent most of the relevant web vulnerabilities. Aware that the driver of advances in reinforcement learning is the availability of standardized challenges, we provide an implementation for the first three abstraction layers, in the hope that the community would consider these challenges in order to develop intelligent web hacking agents. [ABSTRACT FROM AUTHOR]

Published

2022

42. A semantic-aware log generation method for network activities.

Author

Yichiet, Aun, Khaw, Yen-Min Jasmina, Gan, Ming-Lee, and Ponnusamy, Vasaki

Subjects

*ARTIFICIAL neural networks, *DECODING algorithms, *SAWLOGS, *MULTIPLE scattering (Physics), *MACHINE learning

Abstract

Context-aware network logging is becoming more prevalent for enterprise networks, data centers, and forensics. Monitoring agents are strategically placed to generate log files from the activity of interests from various network points. In a distributed architecture, these agents are scattered across multiple nodes, and they have limited network visibility. Consequently, the resulting logs become fragmented and less perceptible without a unified network context. Besides, aggregating useful information from a diverse management protocol with various languages, syntax styles, and notations requires complex semantic understanding to synthesize these log files. Currently, general-purpose logs like SNMP's logs only provide parametric values at connection levels but lacks incident-specific information. Meanwhile, proprietary services like AWS CloudTrail identify more contexts at the incident-level, but they only work on selected products and infrastructure. This paper proposed a platform-agnostic log decoding and generation algorithm (SAG) for network logging that is semantic aware using context aggregation. Firstly, a protocol-agnostic controller acts as a master to collect logs from agents running in routers, firewall, IDS/IPS, load balancers, managed switches, and servers. From these logs, three traffic models, namely (1) service-activity model (SaM), (2) general-activity model (GaM), and (3) device-activity model (DaM), are trained using artificial neural network (ANN). The log generator then uses the context-filling technique to resolve and construct log entries using a generic sentence template while inferring from these machine-learning models. A sentence smoothing technique is designed to restructure entities in the logs based on traffic directionality for semantic correctness. The experimental result shows that SAG's logs have 1.8 times more contexts resolved for improved log's perceptibility. [ABSTRACT FROM AUTHOR]

Published

2022

43. DDoS attack detection with feature engineering and machine learning: the framework and performance evaluation.

Author

Aamir, Muhammad and Zaidi, Syed Mustafa Ali

Subjects

*DENIAL of service attacks, *K-nearest neighbor classification, *MACHINE learning, *SUPERVISED learning, *FEATURE selection, *SUPPORT vector machines, *FAULT-tolerant computing

Abstract

This paper applies an organized flow of feature engineering and machine learning to detect distributed denial-of-service (DDoS) attacks. Feature engineering has a focus to obtain the datasets of different dimensions with significant features, using feature selection methods of backward elimination, chi2, and information gain scores. Different supervised machine learning models are applied on the feature-engineered datasets to demonstrate the adaptability of datasets for machine learning under optimal tuning of parameters within given sets of values. The results show that substantial feature reduction is possible to make DDoS detection faster and optimized with minimal performance hit. The paper proposes a strategic-level framework which incorporates the necessary elements of feature engineering and machine learning with a defined flow of experimentation. The models are also validated with cross-validation and evaluated for area-under-curve analyses. It provides comprehensive solutions which can be trusted to avoid the overfitting and collinearity problems of data while detecting DDoS attacks. In the case study of DDoS datasets, K-nearest neighbors algorithm overall exhibits the best performance followed by support vector machine, whereas low-dimensional datasets of discrete feature types perform better under the Random Forest model as compared to high dimensions with numerical features. The accuracy scores of dataset with the lowest number of features remain competitive with other datasets under all machine learning models, leading to a substantially reduced processing overhead. The experiments show that approximately 68% reduction in the feature space is possible with an impact of only about 0.03% on accuracy. [ABSTRACT FROM AUTHOR]

Published

2019

44. Combining behavioral biometrics and session context analytics to enhance risk-based static authentication in web applications.

Author

Solano, Jesus, Camacho, Luis, Correa, Alejandro, Deiro, Claudio, Vargas, Javier, and Ochoa, Martín

Subjects

*BEHAVIORAL assessment, *SCIENTIFIC literature, *BIOMETRIC identification, *MACHINE learning, *BIOMETRY, *MICE

Abstract

The fragility of password-based authentication has been recognized and studied for several decades. It is an increasingly common industry practice to profile users based on their sessions context, such as IP ranges and Browser type in order to build a risk profile on an incoming authentication attempt. On the other hand, behavioral dynamics such as mouse and keyword features have been proposed in the scientific literature order to improve authentication, but have been shown most effective in continuous authentication scenarios. In this paper we propose to combine both fingerprinting and behavioral dynamics (for mouse and keyboard) in order to increase security of login mechanisms. We do this by using machine learning techniques that aim at high accuracy, and only occasionally raise alarms for manual inspection. We evaluate our approach on a dataset containing mouse, keyboard and session context information of 24 users and simulated attacks. We show that while context analysis and behavioural analysis on their own achieve around 0.7 accuracy on this dataset, a combined approach reaches up to 0.9 accuracy using a linear combination of the outcomes of the single models. [ABSTRACT FROM AUTHOR]

Published

2021

45. NSDroid: efficient multi-classification of android malware using neighborhood signature in local function call graphs.

Author

Liu, Pengfei, Wang, Weiping, Luo, Xi, Wang, Haodong, and Liu, Chushu

Subjects

*NEIGHBORHOODS, *WIRELESS Internet, *MALWARE prevention, *MALWARE

Abstract

With the rapid development of mobile Internet, Android applications are used more and more in people's daily life. While bringing convenience and making people's life smarter, Android applications also face much serious security and privacy issues, e.g., information leakage and monetary loss caused by malware. Detection and classification of malware have thus attracted much research attention in recent years. Most current malware detection and classification approaches are based on graph-based similarity analysis (e.g., subgraph isomorphism), which is well known to be time-consuming, especially for large graphs. In this paper, we propose NSDroid, a time-efficient malware multi-classification approach based on neighborhood signature in local function call graphs (FCGs). NSDroid uses a approach based on neighborhood signature to calculate the similarity of different applications' FCGs, which is significantly faster than traditional approaches based on subgraph isomorphism. For each node in the FCGs, NSDroid uses a fixed-length neighborhood signature to capture the caller-callee relationship between different functions and combines neighborhood signatures of all nodes to form a vector that characterizes the function call relationship in the whole application. The generated signature vector is fed into a SVM-based classifier to determine which family the malware belongs to. Experimental results on large-scale benchmarks show that, compared with state-of-the-art solutions, NSDroid reduces average detection latency by nearly 20 × , and meanwhile improves many evaluation index such as recall rate and others. [ABSTRACT FROM AUTHOR]

Published

2021

46. Designing in-VM-assisted lightweight agent-based malware detection framework for securing virtual machines in cloud computing.

Author

Patil, Rajendra, Dudeja, Harsha, and Modi, Chirag

Subjects

*CLOUD computing, *MALWARE prevention, *ANOMALY detection (Computer security), *MALWARE, *METAHEURISTIC algorithms

Abstract

The security of cloud services and underlying resources is a major concern due to vulnerabilities existing in current implementation of the virtualization. Thus, there is a need of detecting system-level attacks like viruses, worms, malware, etc. In this paper, we extend our previous work on vulnerability assessment and patching by integrating in-VM-assisted agent-based malware detection (AMD) framework for securing high-risk virtual machines (VMs) in cloud. The proposed framework has two components, viz. agent at VM and anomaly detection at hypervisor. An agent continuously looks for the new deployment of the executable in-VM and applies the signature-based detection to detect known malware. For detecting unknown attacks, it generates the profile with optimal static features for new executable. The optimal features are derived using an extended binary bat algorithm with two new fitness functions. The profile is transferred to hypervisor where anomaly detection using random forest classifier is applied. It classifies the executable to either normal or malware and generates an alert to VM user. The functionality of the proposed AMD framework is validated over cloud testbed at NIT Goa, as well as with the latest malware datasets. In addition, we analyze the VM security requirements fulfilled by the proposed framework. [ABSTRACT FROM AUTHOR]

Published

2020

47. A study of IoT malware activities using association rule learning for darknet sensor data.

Author

Ozawa, Seiichi, Ban, Tao, Hashimoto, Naoki, Nakazato, Junji, and Shimamura, Jumpei

Subjects

*MALWARE, *INTERNET of things, *SOURCE code, *MALWARE prevention, *CYBERTERRORISM, *DETECTORS, *BIG data

Abstract

Along with the proliferation of Internet of Things (IoT) devices, cyberattacks towards these devices are on the rise. In this paper, we present a study on applying Association Rule Learning to discover the regularities of these attacks from the big stream data collected on a large-scale darknet. By exploring the regularities in IoT-related indicators such as destination ports, type of service, and TCP window sizes, we succeeded in discovering the activities of attacking hosts associated with well-known classes of malware programs. As a case study, we report an interesting observation of the attack campaigns before and after the first source code release of the well-known IoT malware Mirai. The experiments show that the proposed scheme is effective and efficient in early detection and tracking of activities of new malware on the Internet and hence induces a promising approach to automate and accelerate the identification and mitigation of new cyber threats. [ABSTRACT FROM AUTHOR]

Published

2020

48. A prototype implementation and evaluation of the malware detection mechanism for IoT devices using the processor information.

Author

Takase, Hayate, Kobayashi, Ryotaro, Kato, Masahiko, and Ohmura, Ren

Subjects

*HOUSEHOLD appliances, *INTERNET of things, *PROTOTYPES, *COMPUTER security vulnerabilities, *MALWARE prevention

Abstract

Due to the popularization of Internet of Things (IoT) devices, numerous and varied devices have been connected to the Internet. While various devices including home appliances operate via the Internet, attacks targeting many IoT devices are increasing because the vulnerabilities exist in them. Furthermore, there is a problem that introducing a security mechanism as software is difficult because they have few hardware resources. Therefore, a security mechanism which does not consume hardware resources such as CPU and memory is required. We propose a malware detection mechanism using values extracted from the processor. We aim to offload the malware detection mechanism to hardware by using the processor information and aim to suppress the consumption of hardware resources. In this paper, we implemented a prototype of our proposed mechanism using QEMU, which is a virtual machine. We show that our proposed mechanism can classify malware or benign programs by using the processor information as well as detect malware variant belonging to the same family. [ABSTRACT FROM AUTHOR]

Published

2020

49. Improved yoking proof protocols for preserving anonymity.

Author

Ham, HyoungMin, Lee, JongHyup, and Song, JooSeok

Subjects

*CLOUD computing, *RADIO frequency identification systems, *MACHINE learning, *TAGS (Metadata), *BIOMETRIC identification

Abstract

In emerging RFID applications, the yoking proof provides a method not only to ensure the physical proximity of multiple objects but also to verify that a pair of RFID tags has been scanned simultaneously by a reader. Previous studies have focused on generating the yoking proof, but have not been successful in preserving the anonymity of tags. In this paper, we address two attacks on tracking RFID tags and propose a new yoking proof protocol to improve anonymity of the tags. For better practicality, we also present authenticated yoking proof generation against DoS attacks on the system. Our analysis shows that the proposed protocols achieves improved anonymity effectively. Specifically, the protocols require the least number of computational steps and modules in a tag, while preserving its anonymity. [ABSTRACT FROM AUTHOR]

Published

2018

50. Supervised machine learning using encrypted training data.

Author

González-Serrano, Francisco-Javier, Amor-Martín, Adrián, and Casamayón-Antón, Jorge

Subjects

*DATA encryption, *DATA protection, *DATA security, *CLOUD computing, *MACHINE learning

Abstract

Preservation of privacy in data mining and machine learning has emerged as an absolute prerequisite in many practical scenarios, especially when the processing of sensitive data is outsourced to an external third party. Currently, privacy preservation methods are mainly based on randomization and/or perturbation, secure multiparty computations and cryptographic methods. In this paper, we take advantage of the partial homomorphic property of some cryptosystems to train simple machine learning models with encrypted data. Our basic scenario has three parties: multiple Data Owners, which provide encrypted training examples; the Algorithm Owner (or Application), which processes them to adjust the parameters of its models; and a semi-trusted third party, which provides privacy and secure computation services to the Application in some operations not supported by the homomorphic cryptosystem. In particular, we focus on two issues: the use of multiple-key cryptosystems, and the impact of the quantization of real-valued input data required before encryption. In addition, we develop primitives based on the outsourcing of a reduced set of operations that allows to implement general machine learning algorithms using efficient dedicated hardware. As applications, we consider the training of classifiers using privacy-protected data and the tracking of a moving target using encrypted distance measurements. [ABSTRACT FROM AUTHOR]

Published

2018