434 results on '"Network traffic analysis"'
Search Results
2. Classify Me Correctly if You Can: Evaluating Adversarial Machine Learning Threats in NIDS
- Author
Rusch, Neea, Akbarfam, Asma Jodeiri, Maleki, Hoda, Agrawal, Gagan, Dorai, Gokila, Akan, Ozgur, Editorial Board Member, Bellavista, Paolo, Editorial Board Member, Cao, Jiannong, Editorial Board Member, Coulson, Geoffrey, Editorial Board Member, Dressler, Falko, Editorial Board Member, Ferrari, Domenico, Editorial Board Member, Gerla, Mario, Editorial Board Member, Kobayashi, Hisashi, Editorial Board Member, Palazzo, Sergio, Editorial Board Member, Sahni, Sartaj, Editorial Board Member, Shen, Xuemin, Editorial Board Member, Stan, Mircea, Editorial Board Member, Jia, Xiaohua, Editorial Board Member, Zomaya, Albert Y., Editorial Board Member, Duan, Haixin, editor, Debbabi, Mourad, editor, de Carné de Carnavalet, Xavier, editor, Luo, Xiapu, editor, Du, Xiaojiang, editor, and Au, Man Ho Allen, editor
- Published
- 2025
3. Developing information technology for evaluating and enhancing application-layer DDoS attack detection methods
- Author
Arkadii Kravchuk and Mykola Onai
- Subjects
ddos, ddos attack detection, network traffic analysis, information security, al-ddos, http, cryptography, software system, kubernetes, istio, Computer engineering. Computer hardware, TK7885-7895, Electronic computers. Computer science, QA75.5-76.95
- Abstract
The subject matter of this article is the methods to detect distributed denial-of-service (DDoS) attacks at the Hypertext Transfer Protocol (HTTP) level with the purpose of justifying the requirements for creating software capable of identifying malicious web server clients. The goal of this article is to develop an information technology to evaluate the efficiency of DDoS attack detection methods, which will quantify their operating time, memory consumption, and approximate classification accuracy. In addition, this paper proposes hypotheses and a potential approach to improve existing application-layer DDoS attack detection methods with the intention of increasing their accuracy and identification speed. The tasks of this study are as follows: to analyse modern methods for detecting application-layer DDoS attacks; to investigate their features and shortcomings; to develop a software system to assess DDoS attack detection methods; to programmatically implement these methods and experimentally measure their performance indicators, specifically: classification accuracy, operating time, and memory usage; to compare the efficiency of the investigated methods; to formulate hypotheses and propose an approach to improve existing methods and/or develop new methods based on the results obtained. The methods employed are abstraction, analysis, systematic approach, and empirical research. In particular, the datasets generated by DDoS utilities were processed using the synthetic minority oversampling technique (SMOTE) to balance them. Furthermore, the studied DDoS attack detection methods were implemented, including fitting the required parameters and training artificial neural network models for evaluation. The following results were obtained. The average classification accuracy, operating time, and random-access memory (RAM) consumption during Internet traffic classification were determined for six DDoS attack detection methods under the same conditions. 
This study has demonstrated that the development of a novel method to detect DDoS attacks at the HTTP level with enhanced accuracy and classification speed is strongly required. The experimental results demonstrate that the time series-based method exhibited the shortest operating time (1.33 ms for 5000 vectors), whereas the deep neural network-based method exhibited the highest average classification accuracy (ranging from 99.07% to 99.97%) and the lowest memory consumption (39.09 KB for 5000 vectors). Conclusions. In this study, a software system was developed to assess the average accuracy of DDoS attack classification methods and measure the computational resources utilized. The scientific novelty of the obtained results lies in the formulation of two hypotheses and a potential approach to the creation of a novel method for detecting DDoS attacks at the HTTP level, which will have both high classification accuracy and a short operating time to surpass previously studied analogues in these respects. The first hypothesis is based on the additional usage of HTTP request attributes during Internet traffic classification. The second hypothesis is to analyse a graph of user transitions between website pages. The article also superficially describes a potential approach that involves the implementation of the described hypotheses as well as the proposed software architecture of an application-layer DDoS attack detection system for the Kubernetes platform and the Istio framework, which addresses the issue of collecting web request parameter values for websites that use the cryptographically secured HTTPS protocol.
- Published
- 2024
4. A scalable data acquisition system for the efficient processing of DNS network traffic.
- Author
Ochab, Marcin, Mrukowicz, Marcin, Sarzyński, Jaromir, and Rzasa, Wojciech
- Subjects
COMPUTER network traffic, DATABASES, BIG data, DATA acquisition systems, COMPUTER network protocols
- Abstract
The article covers the architecture developed to efficiently collect large-volume DNS traffic. The resulting collected dataset can be utilised in a multitude of scenarios, including anomaly detection, machine learning, and network monitoring. The system enables the automatic enrichment of this data with information from external reputation databases and additional data, such as location and AS number. Data is anonymised on the fly using a proposed solution based on iptables. The pre-processed data is sent via the Kafka broker to a dedicated Clickhouse database, which allows for efficient analysis of this type of large data sets. The important aspect of the proposed DNS network acquisition system is that it is focused on active DNS measurement, which remains a relatively uncommon practice. It is essential that the detailed description of the proposed architecture is readily reproducible. The learning dataset obtained at the final stage allows for convenient querying and filtering using SQL. Furthermore, it is easily adaptable to work with a multitude of machine learning environments. The proposed modular system could be easily extended to other purposes, such as DNS traffic monitoring or generally collecting other network protocol data. [ABSTRACT FROM AUTHOR]
- Published
- 2024
5. DEVELOPING INFORMATION TECHNOLOGY FOR EVALUATING AND ENHANCING APPLICATION-LAYER DDOS ATTACK DETECTION METHODS.
- Author
KRAVCHUK, Arkadii and ONAI, Mykola
- Subjects
HTTP (Computer network protocol), DENIAL of service attacks, CYBERTERRORISM, ARTIFICIAL neural networks, CRYPTOGRAPHY
- Abstract
The subject matter of this article is the methods to detect distributed denial-of-service (DDoS) attacks at the Hypertext Transfer Protocol (HTTP) level with the purpose of justifying the requirements for creating software capable of identifying malicious web server clients. The goal of this article is to develop an information technology to evaluate the efficiency of DDoS attack detection methods, which will quantify their operating time, memory consumption, and approximate classification accuracy. In addition, this paper proposes hypotheses and a potential approach to improve existing application-layer DDoS attack detection methods with the intention of increasing their accuracy and identification speed. The tasks of this study are as follows: to analyse modern methods for detecting application-layer DDoS attacks; to investigate their features and shortcomings; to develop a software system to assess DDoS attack detection methods; to programmatically implement these methods and experimentally measure their performance indicators, specifically: classification accuracy, operating time, and memory usage; to compare the efficiency of the investigated methods; to formulate hypotheses and propose an approach to improve existing methods and/or develop new methods based on the results obtained. The methods employed are abstraction, analysis, systematic approach, and empirical research. In particular, the datasets generated by DDoS utilities were processed using the synthetic minority oversampling technique (SMOTE) to balance them. Furthermore, the studied DDoS attack detection methods were implemented, including fitting the required parameters and training artificial neural network models for evaluation. The following results were obtained. The average classification accuracy, operating time, and random-access memory (RAM) consumption during Internet traffic classification were determined for six DDoS attack detection methods under the same conditions.
This study has demonstrated that the development of a novel method to detect DDoS attacks at the HTTP level with enhanced accuracy and classification speed is strongly required. The experimental results demonstrate that the time series-based method exhibited the shortest operating time (1.33 ms for 5000 vectors), whereas the deep neural network-based method exhibited the highest average classification accuracy (ranging from 99.07% to 99.97%) and the lowest memory consumption (39.09 KB for 5000 vectors). Conclusions. In this study, a software system was developed to assess the average accuracy of DDoS attack classification methods and measure the computational resources utilized. The scientific novelty of the obtained results lies in the formulation of two hypotheses and a potential approach to the creation of a novel method for detecting DDoS attacks at the HTTP level, which will have both high classification accuracy and a short operating time to surpass previously studied analogues in these respects. The first hypothesis is based on the additional usage of HTTP request attributes during Internet traffic classification. The second hypothesis is to analyse a graph of user transitions between website pages. The article also superficially describes a potential approach that involves the implementation of the described hypotheses as well as the proposed software architecture of an application-layer DDoS attack detection system for the Kubernetes platform and the Istio framework, which addresses the issue of collecting web request parameter values for websites that use the cryptographically secured HTTPS protocol. [ABSTRACT FROM AUTHOR]
- Published
- 2024
6. Third-Party Data Leaks on Municipal Websites
- Author
Rauti, Sampsa, Carlsson, Robin, Puhtila, Panu, Leppänen, Ville, Kacprzyk, Janusz, Series Editor, Gomide, Fernando, Advisory Editor, Kaynak, Okyay, Advisory Editor, Liu, Derong, Advisory Editor, Pedrycz, Witold, Advisory Editor, Polycarpou, Marios M., Advisory Editor, Rudas, Imre J., Advisory Editor, Wang, Jun, Advisory Editor, Yang, Xin-She, editor, Sherratt, Simon, editor, Dey, Nilanjan, editor, and Joshi, Amit, editor
- Published
- 2024
7. A Deep Detection Method of Abnormal State of Industrial Control System Based on Hierarchical Clustering Analysis
- Author
Zhang, Zheyu, Zhang, Xiaofei, Wang, Rui, Cao, Yu, Jia, Mengdi, Sun, Jun, Filipe, Joaquim, Editorial Board Member, Ghosh, Ashish, Editorial Board Member, Zhou, Lizhu, Editorial Board Member, Gu, Zhaoquan, editor, Zhou, Wanlei, editor, Zhang, Jiawei, editor, Xu, Guandong, editor, and Jia, Yan, editor
- Published
- 2024
8. AI Enhanced Cyber Security Methods for Anomaly Detection
- Author
Shaik, Abdul Subhahan, Shaik, Amjan, Tsihrintzis, George A., Series Editor, Virvou, Maria, Series Editor, Jain, Lakhmi C., Series Editor, Dehuri, Satchidananda, editor, Cho, Sung-Bae, editor, Padhy, Venkat Prasad, editor, Shanmugam, Poonkuntrun, editor, and Ghosh, Ashish, editor
- Published
- 2024
9. Identify Users on Dating Applications: A Forensic Perspective
- Author
Stenzel, Paul, Le-Khac, Nhien-An, Akan, Ozgur, Editorial Board Member, Bellavista, Paolo, Editorial Board Member, Cao, Jiannong, Editorial Board Member, Coulson, Geoffrey, Editorial Board Member, Dressler, Falko, Editorial Board Member, Ferrari, Domenico, Editorial Board Member, Gerla, Mario, Editorial Board Member, Kobayashi, Hisashi, Editorial Board Member, Palazzo, Sergio, Editorial Board Member, Sahni, Sartaj, Editorial Board Member, Shen, Xuemin, Editorial Board Member, Stan, Mircea, Editorial Board Member, Jia, Xiaohua, Editorial Board Member, Zomaya, Albert Y., Editorial Board Member, Goel, Sanjay, editor, and Nunes de Souza, Paulo Roberto, editor
- Published
- 2024
10. A Critical Server Security Protection Strategy Based on Traffic Log Analysis
- Author
Zhu, Haiyong, Wang, Chengyu, Hou, Bingnan, Tang, Yonghao, Cai, Zhiping, Filipe, Joaquim, Editorial Board Member, Ghosh, Ashish, Editorial Board Member, Prates, Raquel Oliveira, Editorial Board Member, Zhou, Lizhu, Editorial Board Member, Jin, Hai, editor, Pan, Yi, editor, and Lu, Jianfeng, editor
- Published
- 2024
11. Using Multivariate Heuristic Analysis for Detecting Attacks in Website Log Files: A Formulaic Approach
- Author
Smith, Peter, Robson, John, Dalton, Nick, Kacprzyk, Janusz, Series Editor, Gomide, Fernando, Advisory Editor, Kaynak, Okyay, Advisory Editor, Liu, Derong, Advisory Editor, Pedrycz, Witold, Advisory Editor, Polycarpou, Marios M., Advisory Editor, Rudas, Imre J., Advisory Editor, Wang, Jun, Advisory Editor, Daimi, Kevin, editor, and Al Sadoon, Abeer, editor
- Published
- 2024
12. Real-Time Symbolic Reasoning Framework for Cryptojacking Detection Based on Netflow-Plus Analysis
- Author
Yang, Zhen, Li, Jing, Cui, Fei, Liu, Jia Qi, Cheng, Yu, Tang, Xi Nan, Gui, Shuai, Goos, Gerhard, Founding Editor, Hartmanis, Juris, Founding Editor, Bertino, Elisa, Editorial Board Member, Gao, Wen, Editorial Board Member, Steffen, Bernhard, Editorial Board Member, Yung, Moti, Editorial Board Member, and Ge, Chunpeng, editor
- Published
- 2024
13. Several Online Pharmacies Leak Sensitive Health Data to Third Parties
- Author
Carlsson, Robin, Rauti, Sampsa, Mickelsson, Sini, Mäkilä, Tuomas, Heino, Timi, Pirjatanniemi, Elina, Leppänen, Ville, Kacprzyk, Janusz, Series Editor, Gomide, Fernando, Advisory Editor, Kaynak, Okyay, Advisory Editor, Liu, Derong, Advisory Editor, Pedrycz, Witold, Advisory Editor, Polycarpou, Marios M., Advisory Editor, Rudas, Imre J., Advisory Editor, Wang, Jun, Advisory Editor, Rocha, Alvaro, editor, Adeli, Hojjat, editor, Dzemyda, Gintautas, editor, Moreira, Fernando, editor, and Colla, Valentina, editor
- Published
- 2024
14. Adversarial Example Attacks and Defenses in DNS Data Exfiltration
- Author
Savić, Izabela, Yan, Haonan, Lin, Xiaodong, Gillis, Daniel, Filipe, Joaquim, Editorial Board Member, Ghosh, Ashish, Editorial Board Member, Prates, Raquel Oliveira, Editorial Board Member, Zhou, Lizhu, Editorial Board Member, Shao, Jun, editor, Katsikas, Sokratis K., editor, and Meng, Weizhi, editor
- Published
- 2024
15. Network Device Identification Scheme Based on Network Traffic Analysis
- Author
Wang, Miaomiao, Rui, Junyan, Niu, Huibo, Chang, Yuan, Xu, Siwen, Howlett, Robert J., Series Editor, Jain, Lakhmi C., Series Editor, Qiu, Xuesong, editor, Xiao, Yang, editor, Wu, Zhiqiang, editor, Zhang, Yudong, editor, Tian, Yuan, editor, and Liu, Bo, editor
- Published
- 2024
16. IoT device identification based on network traffic
- Author
Gu, Dinglin, Zhang, Jian, Tang, Zhangguo, Li, Qizhen, Zhu, Min, Yan, Hao, and Li, Huanzhou
- Published
- 2024
17. QUIC website fingerprinting based on automated machine learning
- Author
Joonseo Ha and Heejun Roh
- Subjects
Website fingerprinting, Network traffic analysis, Network security, Automated machine learning, Information technology, T58.5-58.64
- Abstract
Recently, QUIC for secure and faster connections has been standardized, but it is unclear whether QUIC can cope with website fingerprinting (WF), a technique to infer visited websites from network traffic, since most existing efforts targeted TCP-induced traffic. To this end, we propose a novel QUIC WF technique based on Automated Machine Learning (AutoML). In our approach, we revisit traffic features that appeared in the literature, but rely on an AutoML framework to achieve best practice without manual intervention. Through experiments, we show that our technique outperforms state-of-the-art WF techniques with an F1-score of 99.79% and a 20-precision of 92.60%.
- Published
- 2024
18. ITC-Net-blend-60: a comprehensive dataset for robust network traffic classification in diverse environments
- Author
Marziyeh Bayat, Javad Garshasbi, Mozhgan Mehdizadeh, Neda Nozari, Abolghasem Rezaei Khesal, Maryam Dokhaei, and Mehdi Teimouri
- Subjects
Network traffic analysis, Traffic classification, Application identification, Mobile-app fingerprinting, Encrypted traffic, Android applications, Medicine, Biology (General), QH301-705.5, Science (General), Q1-390
- Abstract
Objectives: Recognition of mobile applications within encrypted network traffic holds considerable effects across multiple domains, encompassing network administration, security, and digital marketing. The creation of network traffic classifiers capable of adjusting to dynamic and unforeseeable real-world settings presents a tremendous challenge. Presently available datasets exclusively encompass traffic data obtained from a singular network environment, thereby restricting their utility in evaluating the robustness and compatibility of a given model. Data description: This dataset was gathered from 60 popular Android applications in five different network scenarios, with the intention of overcoming the limitations of previous datasets. The scenarios were the same in the applications set but differed in terms of Internet service provider (ISP), geographic location, device, application version, and individual users. The traffic was generated through real human interactions on physical devices for 3–15 min. The method used to capture the traffic did not require root privileges on mobile phones and filtered out any background traffic. In total, the collected dataset comprises over 48 million packets, 450K bidirectional flows, and 36 GB of data.
- Published
- 2024
19. Peer-to-peer botnets: exploring behavioural characteristics and machine/deep learning-based detection
- Author
Arkan Hammoodi Hasan Kabla, Achmad Husni Thamrin, Mohammed Anbar, Selvakumar Manickam, and Shankar Karuppayah
- Subjects
P2P botnets, Network traffic analysis, Intrusion detection system, Anomaly detection, Machine learning, Deep learning, Computer engineering. Computer hardware, TK7885-7895, Electronic computers. Computer science, QA75.5-76.95
- Abstract
The orientation of emerging technologies on the Internet is moving toward decentralisation. Botnets have always been one of the biggest threats to Internet security, and botmasters have adopted the robust concept of decentralisation to develop and improve peer-to-peer botnet tactics. This makes the botnets cleverer and more artful, although bots under the same botnet have symmetrical behaviour, which is what makes them detectable. However, the literature indicates that the last decade has lacked research that explores new behavioural characteristics that could be used to identify peer-to-peer botnets. For the abovementioned reasons, in this study, we propose two new methods to detect peer-to-peer botnets: first, we explored a new set of behavioural characteristics based on network traffic flow analyses that allow network administrators to more easily recognise a botnet’s presence, and second, we developed a new anomaly detection approach by adopting machine-learning and deep-learning techniques that have not yet been leveraged to detect peer-to-peer botnets using only the five-tuple static indicators as selected features. The experimental analyses revealed new and important behavioural characteristics that can be used to identify peer-to-peer botnets, whereas the experimental results for the detection approach showed a high detection accuracy of 99.99% with no false alarms.
- Published
- 2024
20. ITC-Net-blend-60: a comprehensive dataset for robust network traffic classification in diverse environments.
- Author
Bayat, Marziyeh, Garshasbi, Javad, Mehdizadeh, Mozhgan, Nozari, Neda, Rezaei Khesal, Abolghasem, Dokhaei, Maryam, and Teimouri, Mehdi
- Subjects
COMPUTER network traffic, INTERNET service providers, MOBILE apps, SOCIAL interaction, CLASSIFICATION
- Abstract
Objectives: Recognition of mobile applications within encrypted network traffic holds considerable effects across multiple domains, encompassing network administration, security, and digital marketing. The creation of network traffic classifiers capable of adjusting to dynamic and unforeseeable real-world settings presents a tremendous challenge. Presently available datasets exclusively encompass traffic data obtained from a singular network environment, thereby restricting their utility in evaluating the robustness and compatibility of a given model. Data description: This dataset was gathered from 60 popular Android applications in five different network scenarios, with the intention of overcoming the limitations of previous datasets. The scenarios were the same in the applications set but differed in terms of Internet service provider (ISP), geographic location, device, application version, and individual users. The traffic was generated through real human interactions on physical devices for 3–15 min. The method used to capture the traffic did not require root privileges on mobile phones and filtered out any background traffic. In total, the collected dataset comprises over 48 million packets, 450K bidirectional flows, and 36 GB of data. [ABSTRACT FROM AUTHOR]
- Published
- 2024
21. Peer-to-peer botnets: exploring behavioural characteristics and machine/deep learning-based detection.
- Author
Kabla, Arkan Hammoodi Hasan, Thamrin, Achmad Husni, Anbar, Mohammed, Manickam, Selvakumar, and Karuppayah, Shankar
- Subjects
BOTNETS, COMPUTER network traffic, TECHNOLOGICAL innovations, INTERNET security, ANOMALY detection (Computer security), TRAFFIC flow
- Abstract
The orientation of emerging technologies on the Internet is moving toward decentralisation. Botnets have always been one of the biggest threats to Internet security, and botmasters have adopted the robust concept of decentralisation to develop and improve peer-to-peer botnet tactics. This makes the botnets cleverer and more artful, although bots under the same botnet have symmetrical behaviour, which is what makes them detectable. However, the literature indicates that the last decade has lacked research that explores new behavioural characteristics that could be used to identify peer-to-peer botnets. For the abovementioned reasons, in this study, we propose two new methods to detect peer-to-peer botnets: first, we explored a new set of behavioural characteristics based on network traffic flow analyses that allow network administrators to more easily recognise a botnet's presence, and second, we developed a new anomaly detection approach by adopting machine-learning and deep-learning techniques that have not yet been leveraged to detect peer-to-peer botnets using only the five-tuple static indicators as selected features. The experimental analyses revealed new and important behavioural characteristics that can be used to identify peer-to-peer botnets, whereas the experimental results for the detection approach showed a high detection accuracy of 99.99% with no false alarms. [ABSTRACT FROM AUTHOR]
- Published
- 2024
22. A novel graph convolutional networks model for an intelligent network traffic analysis and classification
- Author
Olabanjo, Olusola, Wusu, Ashiribo, Aigbokhan, Edwin, Olabanjo, Olufemi, Afisi, Oseni, and Akinnuwesi, Boluwaji
- Published
- 2024
23. Enhancing network intrusion detection systems with combined network and host traffic features using deep learning: deep learning and IoT perspective
- Author
Alars, Estabraq Saleem Abduljabbar and Kurnaz, Sefer
- Published
- 2024
24. BotDefender: A Collaborative Defense Framework Against Botnet Attacks using Network Traffic Analysis and Machine Learning.
- Author
Prasad, Arvind and Chandra, Shalini
- Subjects
BOTNETS, COMPUTER network traffic, MACHINE learning, FEATURE selection, STACKING machines, TRAFFIC flow
- Abstract
Botnets, an army of remotely controlled compromised devices called bots, routinely cause severe damage to infrastructures and organizations. Since the attacker uses millions of diverse internet-enabled devices and always has extra resources to increase the attack intensity, traditional counterattack measures fail to handle the enormous volumes of network traffic generated from a bot army. Consequently, there is a demand for a robust botnet defense system that can handle the massive volume of network traffic and detect botnet attacks with high accuracy. In this work, we propose BotDefender, a collaborative framework that protects against botnet attacks. BotDefender combines a proposed network traffic analyzer and machine learning technique to prevent botnet attacks. The proposed network traffic analyzer performs an in-depth traffic analysis to detect bots and filter out all the traffic from the identified bots. It significantly reduces network traffic by filtering out a huge amount of traffic from the bots and transfers significantly reduced amounts of traffic to the machine learning model for further analysis. The machine learning model is powered by a novel feature selection technique, an extended dataset construction technique inspired by human learning patterns and a stacking ensemble-based machine learning model, to detect bots. Our experiments exhibit a consistent performance of the proposed machine learning model. Finally, to evaluate the performance of BotDefender, we design and develop a live botnet attack strategy. During the live experiment, BotDefender filters out 99.8% of the botnet traffic and achieves an overall accuracy of 100%. [ABSTRACT FROM AUTHOR]
- Published
- 2024
25. XAITrafficIntell: Interpretable Cyber Threat Intelligence for Darknet Traffic Analysis
- Author
Arikkat, Dincy R., Vinod, P., Rafidha Rehiman, K. A., Rasheed, Rabeeba Abdul, and Conti, Mauro
- Published
- 2024
26. Automated Network Incident Identification through Genetic Algorithm-Driven Feature Selection.
- Author
Aksoy, Ahmet, Valle, Luis, and Kar, Gorkem
- Subjects
BOTNETS, INTERNET servers, FEATURE selection, INTERNET domain naming system, DENIAL of service attacks, PATTERN recognition systems, COMPUTER network traffic
- Abstract
The cybersecurity landscape presents daunting challenges, particularly in the face of Denial of Service (DoS) attacks such as DoS Http Unbearable Load King (HULK) attacks and DoS GoldenEye attacks. These malicious tactics are designed to disrupt critical services by overwhelming web servers with malicious requests. In contrast to DoS attacks, there exists nefarious Operating System (OS) scanning, which exploits vulnerabilities in target systems. To provide further context, it is essential to clarify that NMAP, a widely utilized tool for identifying host OSes and vulnerabilities, is not inherently malicious but a dual-use tool with legitimate applications, such as asset inventory services in company networks. Additionally, Domain Name System (DNS) botnets can be incredibly damaging as they harness numerous compromised devices to inundate a target with malicious DNS traffic. This can disrupt online services, leading to downtime, financial losses, and reputational damage. Furthermore, DNS botnets can be used for other malicious activities like data exfiltration, spreading malware, or launching other cyberattacks, making them a versatile tool for cybercriminals. As attackers continually adapt and modify specific attributes to evade detection, our paper introduces an automated detection method that requires no expert input. This innovative approach identifies the distinct characteristics of DNS botnet attacks, DoS HULK attacks, DoS GoldenEye attacks, and OS-Scanning, explicitly using the NMAP tool, even when attackers alter their tactics. By harnessing a representative dataset, our proposed method ensures robust detection of such attacks against varying attack parameters or behavioral shifts. This heightened resilience significantly raises the bar for attackers attempting to conceal their malicious activities. 
Significantly, our approach delivered outstanding outcomes, with a mid 95% accuracy in categorizing NMAP OS scanning and DNS botnet attacks, and 100% for DoS HULK attacks and DoS GoldenEye attacks, proficiently discerning between malevolent and harmless network packets. Our code and the dataset are made publicly available. [ABSTRACT FROM AUTHOR]
- Published
- 2024
27. Application of an Artificial Intelligence Method for the Analysis of Malicious Network Traffic at the Data Link Layer (ARP Attacks)
- Author
Палагін, В. В., Палагіна, О. А., Івченко, О. В., Панаско, О. М., and Пташкін, Р. Л.
- Subjects
COMPUTER network traffic, ARTIFICIAL intelligence, COMMUNICATION infrastructure, TECHNOLOGICAL innovations, INFRASTRUCTURE (Economics)
- Abstract
The widespread distribution of software-defined networks (Software-Defined Networking - SDN) and IoT networks has provided flexibility and efficiency in network management. However, it has also posed new challenges in protecting network infrastructure. Address Resolution Protocol (ARP) spoofing attacks, which violate network integrity and data confidentiality, remain one of the significant threats. This manuscript presents a new approach to detecting ARP spoofing in networks, addressing the limitations of existing methodologies. The analysis of ARP protocols, their purposes, and basic methods of protection against attacks was carried out. Typical threats to computer networks at the physical and data link layers of the OSI model are presented, along with an analysis of the features of detecting such threats using artificial intelligence (AI) methods. The application of machine learning (ML) methods for traffic analysis based on real-time data from the Wireshark platform is proposed. The new method uses AI to classify and detect malicious network traffic generated by ARP protocol attacks. The developed model and method demonstrate exceptional robustness, achieving 100% ARP spoofing detection accuracy, which is critical for maintaining network responsiveness. The analysis results can be used to make informed decisions about the choice of protection methods for networks with different purposes and information protection requirements. Using AI to monitor and analyze network traffic can significantly increase the effectiveness and speed of threat detection. Due to its ability to adapt to new types of attacks and detect more complex anomaly patterns, the proposed approach provides a higher level of network infrastructure security. This research demonstrates the potential of innovative technologies in the fight against cyber threats and contributes to the development of reliable protection methods for modern networks. [ABSTRACT FROM AUTHOR]
- Published
- 2024
- Full Text
- View/download PDF
28. Autonomous machine learning for early bot detection in the internet of things
- Author
-
Alex Medeiros Araujo, Anderson Bergamini de Neira, and Michele Nogueira
- Subjects
Network security, Bot early detection, Autonomous machine learning, Network traffic analysis, Information technology, T58.5-58.64 - Abstract
The high costs incurred due to attacks and the increasing number of different devices in the Internet of Things (IoT) highlight the necessity of the early detection of botnets (i.e., a network of infected devices) to gain an advantage against attacks. However, early botnet detection is challenging because of continuous malware mutations, the adoption of sophisticated obfuscation techniques, and the massive volume of data. The literature addresses botnet detection by modeling the behavior of malware spread, the classification of malicious traffic, and the analysis of traffic anomalies. This article details ANTE, a system for ANTicipating botnEt signals based on machine learning algorithms. The system adapts itself to different scenarios and detects different types of botnets. It autonomously selects the most appropriate Machine Learning (ML) pipeline for each botnet and improves the classification before an attack effectively begins. The system evaluation follows trace-driven experiments and compares ANTE results to other relevant results from the literature over four representative datasets: ISOT HTTP Botnet, CTU-13, CICDDoS2019, and BoT-IoT. Results show an average detection accuracy of 99.06% and an average bot detection precision of 100%.
- Published
- 2023
- Full Text
- View/download PDF
29. Measuring Latency-Accuracy Trade-Offs in Convolutional Neural Networks
- Author
-
Tse, André, Oliveira, Lino, Vinagre, João, Goos, Gerhard, Founding Editor, Hartmanis, Juris, Founding Editor, Bertino, Elisa, Editorial Board Member, Gao, Wen, Editorial Board Member, Steffen, Bernhard, Editorial Board Member, Yung, Moti, Editorial Board Member, Moniz, Nuno, editor, Vale, Zita, editor, Cascalho, José, editor, Silva, Catarina, editor, and Sebastião, Raquel, editor
- Published
- 2023
- Full Text
- View/download PDF
30. Autoencoder-Based Botnet Detection for Enhanced IoT Security
- Author
-
Mahajan, Radhika, Kumar, Manoj, Filipe, Joaquim, Editorial Board Member, Ghosh, Ashish, Editorial Board Member, Prates, Raquel Oliveira, Editorial Board Member, Zhou, Lizhu, Editorial Board Member, Whig, Pawan, editor, Silva, Nuno, editor, Elngar, Ahmed A., editor, Aneja, Nagender, editor, and Sharma, Pavika, editor
- Published
- 2023
- Full Text
- View/download PDF
31. An integrated optimization model of network behavior victimization identification based on association rule feature extraction
- Author
-
Shengli ZHOU, Linqi RUAN, Rui XU, Xikang ZHANG, Quanzhe ZHAO, and Yuanbo LIAN
- Subjects
The National Social Science Foundation of China, Zhejiang Natural Science Foundation and Public Welfare Research Program, Ministry of Public Security Science and Technology Plan Project, network traffic analysis, Telecommunication, TK5101-6720, Technology - Abstract
The identification of the risk of network behavior victimization is of great significance for the prevention of and warning about telecom network fraud. To address the insufficient mining of network behavior features and the difficulty of determining the relationships among them, an integrated optimization model for network behavior victimization identification based on association rule feature extraction was proposed. The interactive traffic data packets generated when users accessed websites were captured by the model, and the implicit and explicit behavior features in the network traffic were extracted. Then, the association rules between features were mined, and the feature sequences were reconstructed using the FP-Growth algorithm. Finally, an analysis model of telecom network fraud victimization based on network traffic analysis was established, combined with a stochastic forest algorithm tuned by particle swarm optimization. The experiments show that, compared with general binary classification models, the proposed model has better precision and recall rates and can effectively improve the accuracy of network fraud victimization identification.
- Published
- 2023
- Full Text
- View/download PDF
32. A New Pattern Matching Algorithm Proposed for Deep Packet Inspection
- Author
-
Merve Çelebi and Uraz Yavanoğlu
- Subjects
deep packet inspection, pattern matching, network security, network traffic analysis, Technology, Engineering (General). Civil engineering (General), TA1-2040, Science, Science (General), Q1-390 - Abstract
Deep Packet Inspection (DPI) is a technology that provides full visibility of network traffic by performing detailed analysis of both the packet header and the packet payload. With DPI, well-known malware signatures and the attack pattern, defined as the combination of the attack sequence, the path followed by the attacker and the techniques used, can be detected. Accordingly, DPI is of critical importance because it can be used in applications such as network security or government surveillance. In this study, a block-based pattern matching algorithm is proposed that aims to speed up the DPI process by increasing the number of bytes scanned at once. Pattern matching tests were carried out on Aho-Corasick (AC), Rabin-Karp (RK), Wu-Manber (WM) and the algorithm proposed in this study, using datasets containing different numbers of patterns, and the performance of these algorithms was compared. Compared to the AC, WM and RK algorithms, the algorithm proposed in this study showed higher performance.
- Published
- 2023
- Full Text
- View/download PDF
33. Network traffic reduction with spatially flexible optical networks using machine learning techniques.
- Author
-
Wang, Aiqiang
- Subjects
COMPUTER network traffic, MACHINE learning, INTERIOR-point methods, REINFORCEMENT learning, SERVER farms (Computer network management), TRAFFIC estimation - Abstract
Traffic forecasting and the utilisation of historical data are essential for intelligent and efficient resource management, particularly in optical data centre networks (ODCNs) that serve a wide range of applications. In this research, we investigate the challenge of traffic aggregation in ODCNs by making use of exact or predictable knowledge of application-certain data and demands, such as waiting time, bandwidth, traffic history, and latency. Since ODCNs process a wide range of flows (including long/elephant and short/mice), we employ machine learning (ML) to foresee time-varying traffic and connection blockage. In order to improve energy use and resource distribution in spatially mobile optical networks, this research proposes a novel method of network traffic analysis based on machine learning. Here, we leverage network monitoring to inform resource allocation decisions, with the goal of decreasing traffic levels using short-term space multiplexing multitier reinforcement learning. Then, the energy is optimised by using dynamic gradient descent division multiplexing. Various metrics, including accuracy, NSE (normalised square error), validation loss, mean average error, and probability of bandwidth blockage, are used in the experiment. Finally, using the primal–dual interior-point approach, we investigate how much weight each slice should have depending on the predicted results, which include the traffic of each slice and the distribution of user load. [ABSTRACT FROM AUTHOR]
- Published
- 2023
- Full Text
- View/download PDF
34. Methods and High-performance Tools for Collecting, Analysis and Visualization of Data Exchange with a Focus on Research and Education Telecommunications Networks.
- Author
-
Abramov, A. G., Porkhachev, V. A., and Yastrebov, Yu. V.
- Abstract
The paper focuses on the established methods, key functions and software instruments for collecting, analysing and visualizing network traffic statistics. The source of information is NetFlow telemetry data collected from network equipment. In addition to being used by network engineers and technicians, including for the purposes of network monitoring, incident handling, and identification of network congestion and of the main bandwidth consumers, with details on the autonomous systems or IP addresses of sources and recipients, protocols, services and applications, NetFlow data is of interest in the context of monitoring and analysing network interaction between users, service providers and consumers. The paper provides a detailed description of the up-to-date, high-performance software solution for working with network telemetry data that was developed and implemented on the basis of the new-generation National Research Computer Network of Russia; specific examples of its capabilities for advanced analytics and descriptive real-time data visualization are given, taking into account the special needs of telecommunications networks in the field of research and education. [ABSTRACT FROM AUTHOR]
- Published
- 2023
- Full Text
- View/download PDF
35. MisplaceX: A System for IT Device Detection and Monitoring System in Office Environments.
- Author
-
Gunathilaka, S. B. M. B. S. A., Herath, H. M. C. S. B., Arachchi, K. T. Jasin, Jathurshan, S., Abeywardhana, Lakmini, and Gunasinghe, Amali
- Subjects
DATA libraries, IMAGE processing, TECHNOLOGICAL innovations, MACHINE learning, ARTIFICIAL intelligence - Abstract
In the realm of securing critical office environments, particularly data centers and server rooms, this research endeavors to establish a comprehensive framework for real-time monitoring, anomaly detection, and misplaced device localization. The proposed system integrates multiple modules that collaboratively ensure the integrity of device arrangement and address potential security breaches. Central to this architecture is an image processing module that employs advanced computer vision techniques, as spearheaded by the first team member. This module autonomously extracts and identifies devices within video footage, subsequently assessing their spatial distribution against a predefined arrangement. The second module, led by the second team member, focuses on network traffic analysis to uncover suspicious activities within the workstation. By meticulously scrutinizing network interactions and patterns, this module aims to detect any unauthorized access attempts or malevolent actions, such as unauthorized password attempts. Complementing the digital aspects, the third team member pioneers the hardware-based solution for misplaced devices. Leveraging technologies like WIFI and GPS, this module provides indoor and outdoor tracking capabilities to swiftly pinpoint devices that have been unintentionally displaced from their designated locations. Acting as the cohesive nexus of this multifaceted system, the fourth team member orchestrates data flow between the image processing, network analysis, and device tracking modules. This member not only ensures seamless communication but also establishes a robust database infrastructure to chronicle and manage every finding. Additionally, a user-friendly interface is developed, granting administrators full control and insight into each module's outputs and system status.
By amalgamating these diverse modules, the research aims to furnish office environments with a holistic safeguarding mechanism that addresses both physical arrangement integrity and cybersecurity concerns in a real-time SOC environment and predicts future attacks using a machine learning approach. This comprehensive approach transcends conventional security paradigms, forging a new frontier in the protection of critical spaces where data integrity and operational continuity are paramount. [ABSTRACT FROM AUTHOR]
- Published
- 2023
- Full Text
- View/download PDF
36. Deep Neural Decision Forest (DNDF): A Novel Approach for Enhancing Intrusion Detection Systems in Network Traffic Analysis.
- Author
-
Alrayes, Fatma S., Zakariah, Mohammed, Driss, Maha, and Boulila, Wadii
- Subjects
COMPUTER network traffic, ARTIFICIAL neural networks, COMPUTER network security, NETWORK performance, INTRUSION detection systems (Computer security) - Abstract
Intrusion detection systems, also known as IDSs, are widely regarded as one of the most essential components of an organization's network security. This is because IDSs serve as the organization's first line of defense against several cyberattacks and are accountable for accurately detecting any possible network intrusions. Several implementations of IDSs accomplish the detection of potential threats through flow-based network traffic analysis. Traditional IDSs frequently struggle to provide accurate real-time intrusion detection while keeping up with the changing threat landscape. Innovative methods that improve IDSs' performance in network traffic analysis are urgently needed to overcome these drawbacks. In this study, we introduced a model called a deep neural decision forest (DNDF), which enhances classification trees with the power of deep networks to learn data representations. We essentially utilized the CICIDS 2017 dataset for network traffic analysis and extended our experiments to evaluate the DNDF model's performance on two additional datasets: CICIDS 2018 and a custom network traffic dataset. Our findings showed that DNDF, a combination of deep neural networks and decision forests, outperformed reference approaches with a remarkable precision of 99.96% on the CICIDS 2017 dataset while creating latent representations in deep layers. This success can be attributed to improved feature representation, model optimization, and resilience to noisy and unbalanced input data, emphasizing DNDF's capabilities in intrusion detection and network security solutions. [ABSTRACT FROM AUTHOR]
- Published
- 2023
- Full Text
- View/download PDF
37. Anomaly detection in network traffic using entropy-based methods: application to various types of cyberattacks.
- Author
-
Bashurov, Vadim and Safonov, Paul
- Subjects
COMPUTER network traffic, ANOMALY detection (Computer security), INTRUSION detection systems (Computer security), CYBERTERRORISM, UNCERTAINTY (Information theory), COMPUTER network security, SCALABILITY - Abstract
This paper proposes an entropy-based approach for detecting anomalies in network traffic. With the exponential growth of data and increasingly sophisticated cyberattacks, traditional methods struggle to identify evolving attack patterns. To address this, we leverage Shannon and Rényi entropies to analyze network traffic datasets. We focus on the entire network traffic. Using a publicly available dataset with labeled traffic samples, we calculate the entropy of different traffic features to assess their effectiveness in anomaly detection and attack identification. The scalability and sensitivity of this approach make it suitable for analyzing diverse and high-volume network data, capturing changes in traffic distributions, and detecting anomalies missed by traditional metrics. The method is easily implementable and interpretable, requiring minimal training data. Our findings show promising results for nine different types of cyberattacks, offering practical insights for robust anomaly detection systems in network security. [ABSTRACT FROM AUTHOR]
- Published
- 2023
- Full Text
- View/download PDF
38. Network-based advanced malware detection using multi-classifier machine learning
- Author
-
Almashhadani, Ahmad, Sezer, Sakir, and O'Kane, Philip
- Subjects
005.8, Network security, network traffic analysis, intrusion detection, machine learning, malware analysis, ransomware, domain generation algorithm (DGA) - Abstract
Over the past decade, cyber threats have significantly evolved in persistence and sophistication. Malware has been the primary choice of weapon to carry out various cyberattacks. Host-based malware detection, as the primary line of defence, has become the "Achilles heel". In particular, security-aware targeted attacks, comprising reconnaissance and delivery phases, are increasingly capable of identifying deployed security tools and disabling them without being detected. Hence, the deployment of advanced, network-based Intrusion Detection Systems (IDSs) has become an inevitable line of defence assisting host-based malware detection. Ransomware is a kind of advanced malware that has spread rapidly in recent years, causing massive financial losses for a broad range of victims, such as healthcare facilities, companies, and individuals. Modern host-based detection methods require the host to be infected first to be able to identify anomalies and detect the malware. By the time of infection, it may be too late, as some of the system's assets would already have been encrypted or exfiltrated by the malware. Conversely, the network-based approach can be an effective detection method, as most families of ransomware attempt to contact command and control (C&C) servers before their harmful payloads are executed. Also, some recent ransomware families have evolved and combined the propagation properties of computer worms to be able to spread across networks. A network-based ransomware detection approach, which complements well-established host-based ransomware detection methods, can be one of the essential means for detecting ransomware attacks effectively. It can overcome the limitations of current ransomware defences while enabling early detection and timely deployment of countermeasures. The state of the art presents little research work that focuses on network-based approaches for ransomware detection.
This thesis investigates the use of machine learning techniques for detecting crypto-ransomware network activities. A thorough dynamic analysis of crypto-ransomware network traffic is carried out using a dedicated malware testbed. A set of 18 network-based features is extracted from several network protocols of Locky, one of the well-established ransomware families. A new classification scheme is introduced to classify the features into four types. A multi-feature and multi-classifier intrusion detection system is proposed and implemented for detecting the communications between ransomware and its C&C server. This new approach employs two independent classifiers working in parallel on two levels: packet and flow. The experimental evaluation of the presented detection system demonstrates that the system offers high detection accuracy for each level: 97.92% and 97.08% respectively. Second, machine learning techniques are used to detect covert C&C channels established using a Domain Generation Algorithm (DGA). DGA is one of the main techniques deployed by ransomware and botnets to connect with attackers by generating many pseudorandom domain names. A malicious domain name detection system, called MaldomDetector, is introduced. The prototyped MaldomDetector can detect DGA-based communications before the malware is able to establish a successful connection with the C&C server, based only on the characters used in the domain name. MaldomDetector deploys a deterministic algorithm and easy-to-compute features extracted from the domain name characters. It is not based on any probabilistic language model, i.e., it is a language-independent system, and it does not utilise any data from an external site or wait for a DNS response packet; hence, it significantly reduces the time and computation required to classify domain names. The evaluation results demonstrate that MaldomDetector provides a high accuracy of 98% in detecting different types of DGA-based domains.
MaldomDetector can be employed as an early warning system to raise early alarms about potential malicious DNS communications. Finally, a multi-feature and multi-classifier network-based system (MFMCNS) is presented for detecting ransomware propagation activities. A comprehensive analysis of ransomware traffic is performed, and two sets of features are extracted based on two independent flow levels: session-based and time-based. Also, two individual classifiers are built employing the two different feature sets. The experimental results demonstrate a high detection accuracy for the session-based and time-based classifiers, 99.88% and 99.66% respectively, validating the effectiveness of the extracted features. MFMCNS employs these classifiers in parallel on different levels, where the classifiers' decisions are combined using a fusion rule. Experimental results validate that the overall MFMCNS detection accuracy and reliability have been enhanced.
- Published
- 2021
39. User profiling based on network application traffic monitoring
- Author
-
Shaman, Faisal
- Subjects
005.8, User profiling, Network traffic analysis - Abstract
There is increasing interest in identifying users and behaviour profiling from network traffic metadata for traffic engineering and security monitoring. However, user identification and behaviour profiling in real-time network management remains a challenge, as the activities and underlying interactions of network applications are constantly changing. User behaviour is also changing and adapting in parallel, due to changes in the online interaction environment. A major challenge is how to detect user activity among generic network traffic in terms of identifying the user and his/her changing behaviour over time. Another issue is that relying only on computer network information (Internet Protocol [IP] addresses) directly to identify individuals who generate such traffic is not reliable due to user mobility and IP mobility (resulting from the widespread use of the Dynamic Host Configuration Protocol [DHCP]) within a network. In this context, this project aims to identify and extract a set of features that may be adequate for use in identifying users based on their network application activity and timing resolution to describe user behaviour. The project also provides a procedure for traffic capturing and analysis to extract the required profiling parameters; the procedure includes capturing flow traffic and then performing statistical analysis to extract the required features. This will help network administrators and internet service providers to create user behaviour traffic profiles in order to make informed decisions about policing and traffic management and investigate various network security perspectives. The thesis explores the feasibility of user identification and behaviour profiling in order to be able to identify users independently of their IP address. 
In order to maintain privacy and overcome the issues associated with encryption (which exists on an increasing volume of network traffic), the proposed approach utilises data derived from generic flow network traffic (NetFlow information). A number of methods and techniques have been proposed in prior research for user identification and behaviour profiling from network traffic information, such as port-based monitoring and profiling, deep packet inspection (DPI) and statistical methods. The statistical methods proposed in this thesis are based on extracting relevant features from network traffic metadata, an approach the research community uses to overcome the limitations of port-based and DPI techniques. This research proposes a set of novel statistical timing features extracted by considering application-level flow sessions identified through Domain Name System (DNS) filtering criteria and timing resolution bins: one-hour time bins (0-23) and quarter-hour time bins (0-95). The novel time bin features are utilised to identify users by representing their 24-hour daily activities through an automated analysis of the application-level network traffic. The raw network traffic is analysed by a feature extraction process that represents each user's daily usage through a combination of timing features, including the flow session, timing and DNS filtering for the top 11 applications. In addition, media access control (MAC) to IP source mapping (in a truth table) is utilised to ensure that profiling is allocated to the correct host, even if the IP addresses change. The feature extraction process developed for this thesis focuses more on the user than on machine-to-machine traffic, and the research has sought to use this information to determine whether a behavioural profile could be developed to enable the identification of users.
Network traffic was collected and processed using the aforementioned feature extraction process for 23 users for a period of 60 days (8 May-8 July 2018). The traffic was captured from the Centre for Cyber Security, Communications and Network Research (CSCAN) at the University of Plymouth. The results of identifying and profiling users from extracted timing features behaviour show that the system is capable of identifying users with an average true positive identification rate (TPIR) based on hourly time bin features for the whole population of ~86% and ~91% for individual users. Furthermore, the results show that the system has the ability to identify users based on quarter-hour time bin features, with an average TPIR of ~94% for the whole population and ~96% for the individual user.
- Published
- 2020
40. An Analysis of Temporal Features in Multivariate Time Series to Forecast Network Events.
- Author
-
Ji, Soo-Yeon, Jeong, Bong Keun, and Jeong, Dong H.
- Subjects
COMPUTER network traffic, TIME series analysis, TIME management, FORECASTING - Abstract
Analyzing network traffic over time is crucial for understanding the changes in network activity. To properly examine network traffic patterns over time, multiple network events in each timestamp need to be converted to time series data. In this study, we propose a new approach to transform network traffic data into time series formats by extracting temporal features to analyze normal/attack patterns. The normal patterns indicate network traffic occurred without any intrusion-related activities, whereas the attack patterns denote potential threats that deviate from the normal patterns. To evaluate the features, long short-term memory (LSTM) is applied to forecast multi-step network normal and attack events. Visual analysis is also performed to enhance the understanding of key features in the network. We compared the performance differences using time scales of 60 and 120 s. Upon evaluation, we found that the temporal features extracted with the 60 s time scale exhibited better performance in forecasting future network events. [ABSTRACT FROM AUTHOR]
- Published
- 2023
- Full Text
- View/download PDF
41. An integrated optimization model for network behavior victimization identification based on association rule feature extraction.
- Author
-
周胜利, 阮琳琦, 徐睿, 张熙康, 赵泉喆, and 连远博
- Abstract
Copyright of Telecommunications Science is the property of Beijing Xintong Media Co., Ltd. and its content may not be copied or emailed to multiple sites or posted to a listserv without the copyright holder's express written permission. However, users may print, download, or email articles for individual use. This abstract may be abridged. No warranty is given about the accuracy of the copy. Users should refer to the original published version of the material for the full abstract. (Copyright applies to all Abstracts.)
- Published
- 2023
- Full Text
- View/download PDF
42. Traffic Management in IoT Backbone Networks Using GNN and MAB with SDN Orchestration.
- Author
-
Guo, Yanmin, Wang, Yu, Khan, Faheem, Al-Atawi, Abdullah A., Abdulwahid, Abdulwahid Al, Lee, Youngmoon, and Marapelli, Bhaskar
- Subjects
TRAFFIC patterns, SOFTWARE-defined networking, QUEUING theory, SPINE, INTERNET of things - Abstract
Traffic management is a critical task in software-defined IoT networks (SDN-IoTs) to efficiently manage network resources and ensure Quality of Service (QoS) for end-users. However, traditional traffic management approaches based on queuing theory or static policies may not be effective due to the dynamic and unpredictable nature of network traffic. In this paper, we propose a novel approach that leverages Graph Neural Networks (GNNs) and multi-arm bandit algorithms to dynamically optimize traffic management policies based on real-time network traffic patterns. Specifically, our approach uses a GNN model to learn and predict network traffic patterns and a multi-arm bandit algorithm to optimize traffic management policies based on these predictions. We evaluate the proposed approach on three different datasets, including a simulated corporate network (KDD Cup 1999), a collection of network traffic traces (CAIDA), and a simulated network environment with both normal and malicious traffic (NSL-KDD). The results demonstrate that our approach outperforms other state-of-the-art traffic management methods, achieving higher throughput, lower packet loss, and lower delay, while effectively detecting anomalous traffic patterns. The proposed approach offers a promising solution to traffic management in SDNs, enabling efficient resource management and QoS assurance. [ABSTRACT FROM AUTHOR]
- Published
- 2023
- Full Text
- View/download PDF
43. A New Pattern Matching Algorithm Proposed for Deep Packet Inspection.
- Author
-
ÇELEBİ, Merve and YAVANOĞLU, Uraz
- Abstract
Copyright of Duzce University Journal of Science & Technology is the property of Duzce University Journal of Science & Technology and its content may not be copied or emailed to multiple sites or posted to a listserv without the copyright holder's express written permission. However, users may print, download, or email articles for individual use. This abstract may be abridged. No warranty is given about the accuracy of the copy. Users should refer to the original published version of the material for the full abstract. (Copyright applies to all Abstracts.)
- Published
- 2023
- Full Text
- View/download PDF
44. Toward Early and Accurate Network Intrusion Detection Using Graph Embedding.
- Author
-
Hu, Xiaoyan, Gao, Wenjie, Cheng, Guang, Li, Ruidong, Zhou, Yuyang, and Wu, Hua
- Abstract
Early and accurate detection of network intrusions is crucial to ensure network security and stability. Existing network intrusion detection methods mainly use conventional machine learning or deep learning technology to classify intrusions based on the statistical features of network flows. The feature extraction relies on expert experience and cannot be performed until the end of network flows, which delays intrusion detection. The existing graph-based intrusion detection methods require global network traffic to construct communication graphs, which is complex and time-consuming. Besides, the existing deep learning-based and graph-based intrusion detection methods resort to massive training samples. This paper proposes Graph2vec+RF, an early and accurate network intrusion detection method based on graph embedding technology. We construct a flow graph from the initial several interactive packets for each bidirectional network flow instead, adopt graph embedding technology, graph2vec, to learn the vector representation of the flow graph and classify the graph vectors with Random Forest (RF). Graph2vec+RF automatically extracts flow graph features using subgraph structures and relies on only a small number of the initial interactive packets per bidirectional network flow without requiring massive training samples to achieve early and accurate network intrusion detection. Our experimental results on the CICIDS2017 and CICIDS2018 datasets show that our proposed Graph2vec+RF outperforms the state-of-the-art methods in terms of accuracy, recall, precision, and F1-score. [ABSTRACT FROM AUTHOR]
- Published
- 2023
- Full Text
- View/download PDF
45. Consolidating Packet-Level Features for Effective Network Intrusion Detection: A Novel Session-Level Approach
- Author
- Kohei Miyamoto, Masazumi Iida, Chansu Han, Tao Ban, Takeshi Takahashi, and Jun'ichi Takeuchi
- Subjects
- Network security, network intrusion detection, network traffic analysis, machine learning, Electrical engineering. Electronics. Nuclear engineering, TK1-9971
- Abstract
Network Intrusion Detection Systems (NIDSs) are crucial tools for ensuring cyber security. Recently, machine learning-based NIDSs have gained popularity due to their ability to adapt to various anomalies. To enable machine learning techniques, packet-level features have been proposed for packet-level classification, but this approach may generate an excessive number of security alerts and reduce performance due to irrelevant packets. To address these limitations, this paper proposes a session-level classification approach that consolidates packet-level classification outputs to identify anomalous sessions. The effectiveness of the proposed approach is demonstrated by a prototype system. Experiments on a publicly available benchmark dataset demonstrate the high performance of the proposed approach, achieving an F1-measure exceeding 98%. They also show that even when only a few packets from the head part of each session were used to obtain session-level predictions, a high F1-measure could still be achieved. This result implies that the proposed approach is also efficient in terms of the number of packets to be processed. These results highlight the promising potential of the proposed approach for adaptive network intrusion detection.
- Published
- 2023
46. Faulty use of the CIC-IDS 2017 dataset in information security research
- Author
- Dube, Rohit
- Published
- 2024
47. Network Anomaly Detection Based on Sparse Representation and Incoherent Dictionary Learning
- Author
- Kierul, Tomasz, Andrysiak, Tomasz, Kierul, Michał, Kacprzyk, Janusz, Series Editor, Gomide, Fernando, Advisory Editor, Kaynak, Okyay, Advisory Editor, Liu, Derong, Advisory Editor, Pedrycz, Witold, Advisory Editor, Polycarpou, Marios M., Advisory Editor, Rudas, Imre J., Advisory Editor, Wang, Jun, Advisory Editor, Zamojski, Wojciech, editor, Mazurkiewicz, Jacek, editor, Sugier, Jarosław, editor, and Walkowiak, Tomasz, editor
- Published
- 2022
48. Where Does Your Data Go? Comparing Network Traffic and Privacy Policies of Public Sector Mobile Applications
- Author
- Carlsson, Robin, Heino, Timi, Koivunen, Lauri, Rauti, Sampsa, Leppänen, Ville, Kacprzyk, Janusz, Series Editor, Gomide, Fernando, Advisory Editor, Kaynak, Okyay, Advisory Editor, Liu, Derong, Advisory Editor, Pedrycz, Witold, Advisory Editor, Polycarpou, Marios M., Advisory Editor, Rudas, Imre J., Advisory Editor, Wang, Jun, Advisory Editor, Rocha, Alvaro, editor, Adeli, Hojjat, editor, Dzemyda, Gintautas, editor, and Moreira, Fernando, editor
- Published
- 2022
49. Android Botnet Detection Based on Network Analysis Using Machine Learning Algorithm
- Author
- Kamal, Muhammad Farrid Affiq Hairul, Hamid, Isredza Rahmi A., Abdullah, Noryusliza, Abdullah, Zubaile, Ahmad, Masitah, Shah, Wahidah Md, Kacprzyk, Janusz, Series Editor, Gomide, Fernando, Advisory Editor, Kaynak, Okyay, Advisory Editor, Liu, Derong, Advisory Editor, Pedrycz, Witold, Advisory Editor, Polycarpou, Marios M., Advisory Editor, Rudas, Imre J., Advisory Editor, Wang, Jun, Advisory Editor, Ghazali, Rozaida, editor, Mohd Nawi, Nazri, editor, Deris, Mustafa Mat, editor, Abawajy, Jemal H., editor, and Arbaiy, Nureize, editor
- Published
- 2022
50. Handshake Comparison Between TLS V 1.2 and TLS V 1.3 Protocol
- Author
- Singh, Abhay Pratap, Singh, Mahendra, Kacprzyk, Janusz, Series Editor, Agrawal, Rajeev, editor, He, Jing, editor, Shubhakar Pilli, Emmanuel, editor, and Kumar, Sanjeev, editor
- Published
- 2022
Discovery Service for Jio Institute Digital Library