-
Measuring Technological Convergence in Encryption Technologies with Proximity Indices: A Text Mining and Bibliometric Analysis using OpenAlex
Authors:
Alessandro Tavazzi,
Dimitri Percia David,
Julian Jang-Jaccard,
Alain Mermoud
Abstract:
Identifying technological convergence among emerging technologies in cybersecurity is crucial for advancing science and fostering innovation. Unlike previous studies focusing on the binary relationship between a paper and the concept it attributes to technology, our approach utilizes attribution scores to enhance the relationships between research papers, combining keywords, citation rates, and co…
▽ More
Identifying technological convergence among emerging technologies in cybersecurity is crucial for advancing science and fostering innovation. Unlike previous studies focusing on the binary relationship between a paper and the concept it attributes to technology, our approach utilizes attribution scores to enhance the relationships between research papers, combining keywords, citation rates, and collaboration status with specific technological concepts. The proposed method integrates text mining and bibliometric analyses to formulate and predict technological proximity indices for encryption technologies using the "OpenAlex" catalog. Our case study findings highlight a significant convergence between blockchain and public-key cryptography, evidenced by the increasing proximity indices. These results offer valuable strategic insights for those contemplating investments in these domains.
△ Less
Submitted 3 March, 2024;
originally announced March 2024.
-
Classification and Explanation of Distributed Denial-of-Service (DDoS) Attack Detection using Machine Learning and Shapley Additive Explanation (SHAP) Methods
Authors:
Yuanyuan Wei,
Julian Jang-Jaccard,
Amardeep Singh,
Fariza Sabrina,
Seyit Camtepe
Abstract:
DDoS attacks involve overwhelming a target system with a large number of requests or traffic from multiple sources, disrupting the normal traffic of a targeted server, service, or network. Distinguishing between legitimate traffic and malicious traffic is a challenging task. It is possible to classify legitimate traffic and malicious traffic and analysis the network traffic by using machine learni…
▽ More
DDoS attacks involve overwhelming a target system with a large number of requests or traffic from multiple sources, disrupting the normal traffic of a targeted server, service, or network. Distinguishing between legitimate traffic and malicious traffic is a challenging task. It is possible to classify legitimate traffic and malicious traffic and analysis the network traffic by using machine learning and deep learning techniques. However, an inter-model explanation implemented to classify a traffic flow whether is benign or malicious is an important investigation of the inner working theory of the model to increase the trustworthiness of the model. Explainable Artificial Intelligence (XAI) can explain the decision-making of the machine learning models that can be classified and identify DDoS traffic. In this context, we proposed a framework that can not only classify legitimate traffic and malicious traffic of DDoS attacks but also use SHAP to explain the decision-making of the classifier model. To address this concern, we first adopt feature selection techniques to select the top 20 important features based on feature importance techniques (e.g., XGB-based SHAP feature importance). Following that, the Multi-layer Perceptron Network (MLP) part of our proposed model uses the optimized features of the DDoS attack dataset as inputs to classify legitimate and malicious traffic. We perform extensive experiments with all features and selected features. The evaluation results show that the model performance with selected features achieves above 99\% accuracy. Finally, to provide interpretability, XAI can be adopted to explain the model performance between the prediction results and features based on global and local explanations by SHAP, which can better explain the results achieved by our proposed framework.
△ Less
Submitted 27 June, 2023;
originally announced June 2023.
-
Reconstruction-based LSTM-Autoencoder for Anomaly-based DDoS Attack Detection over Multivariate Time-Series Data
Authors:
Yuanyuan Wei,
Julian Jang-Jaccard,
Fariza Sabrina,
Wen Xu,
Seyit Camtepe,
Aeryn Dunmore
Abstract:
A Distributed Denial-of-service (DDoS) attack is a malicious attempt to disrupt the regular traffic of a targeted server, service, or network by sending a flood of traffic to overwhelm the target or its surrounding infrastructure. As technology improves, new attacks have been developed by hackers. Traditional statistical and shallow machine learning techniques can detect superficial anomalies base…
▽ More
A Distributed Denial-of-service (DDoS) attack is a malicious attempt to disrupt the regular traffic of a targeted server, service, or network by sending a flood of traffic to overwhelm the target or its surrounding infrastructure. As technology improves, new attacks have been developed by hackers. Traditional statistical and shallow machine learning techniques can detect superficial anomalies based on shallow data and feature selection, however, these approaches cannot detect unseen DDoS attacks. In this context, we propose a reconstruction-based anomaly detection model named LSTM-Autoencoder (LSTM-AE) which combines two deep learning-based models for detecting DDoS attack anomalies. The proposed structure of long short-term memory (LSTM) networks provides units that work with each other to learn the long short-term correlation of data within a time series sequence. Autoencoders are used to identify the optimal threshold based on the reconstruction error rates evaluated on each sample across all time-series sequences. As such, a combination model LSTM-AE can not only learn delicate sub-pattern differences in attacks and benign traffic flows, but also minimize reconstructed benign traffic to obtain a lower range reconstruction error, with attacks presenting a larger reconstruction error. In this research, we trained and evaluated our proposed LSTM-AE model on reflection-based DDoS attacks (DNS, LDAP, and SNMP). The results of our experiments demonstrate that our method performs better than other state-of-the-art methods, especially for LDAP attacks, with an accuracy of over 99.
△ Less
Submitted 20 April, 2023;
originally announced May 2023.
-
Generative Adversarial Networks for Malware Detection: a Survey
Authors:
Aeryn Dunmore,
Julian Jang-Jaccard,
Fariza Sabrina,
** Kwak
Abstract:
Since their proposal in the 2014 paper by Ian Goodfellow, there has been an explosion of research into the area of Generative Adversarial Networks. While they have been utilised in many fields, the realm of malware research is a problem space in which GANs have taken root. From balancing datasets to creating unseen examples in rare classes, GAN models offer extensive opportunities for application.…
▽ More
Since their proposal in the 2014 paper by Ian Goodfellow, there has been an explosion of research into the area of Generative Adversarial Networks. While they have been utilised in many fields, the realm of malware research is a problem space in which GANs have taken root. From balancing datasets to creating unseen examples in rare classes, GAN models offer extensive opportunities for application. This paper surveys the current research and literature for the use of Generative Adversarial Networks in the malware problem space. This is done with the hope that the reader may be able to gain an overall understanding as to what the Generative Adversarial model provides for this field, and for what areas within malware research it is best utilised. It covers the current related surveys, the different categories of GAN, and gives the outcomes of recent research into optimising GANs for different topics, as well as future directions for exploration.
△ Less
Submitted 24 February, 2023; v1 submitted 16 February, 2023;
originally announced February 2023.
-
Improving Multilayer-Perceptron(MLP)-based Network Anomaly Detection with Birch Clustering on CICIDS-2017 Dataset
Authors:
Yuhua Yin,
Julian Jang-Jaccard,
Fariza Sabrina,
** Kwak
Abstract:
Machine learning algorithms have been widely used in intrusion detection systems, including Multi-layer Perceptron (MLP). In this study, we proposed a two-stage model that combines the Birch clustering algorithm and MLP classifier to improve the performance of network anomaly multi-classification. In our proposed method, we first apply Birch or Kmeans as an unsupervised clustering algorithm to the…
▽ More
Machine learning algorithms have been widely used in intrusion detection systems, including Multi-layer Perceptron (MLP). In this study, we proposed a two-stage model that combines the Birch clustering algorithm and MLP classifier to improve the performance of network anomaly multi-classification. In our proposed method, we first apply Birch or Kmeans as an unsupervised clustering algorithm to the CICIDS-2017 dataset to pre-group the data. The generated pseudo-label is then added as an additional feature to the training of the MLP-based classifier. The experimental results show that using Birch and K-Means clustering for data pre-grou** can improve intrusion detection system performance. Our method can achieve 99.73% accuracy in multi-classification using Birch clustering, which is better than similar researches using a stand-alone MLP model.
△ Less
Submitted 30 October, 2022; v1 submitted 20 August, 2022;
originally announced August 2022.
-
Malware Triage Approach using a Task Memory based on Meta-Transfer Learning Framework
Authors:
**ting Zhu,
Julian Jang-Jaccard,
Ian Welch,
Harith Al-Sahaf,
Seyit Camtepe
Abstract:
To enhance the efficiency of incident response triage operations, it is not cost-effective to defend all systems equally in a complex cyber environment. Instead, prioritizing the defense of critical functionality and the most vulnerable systems is desirable. Threat intelligence is crucial for guiding Security Operations Center (SOC) analysts' focus toward specific system activity and provides the…
▽ More
To enhance the efficiency of incident response triage operations, it is not cost-effective to defend all systems equally in a complex cyber environment. Instead, prioritizing the defense of critical functionality and the most vulnerable systems is desirable. Threat intelligence is crucial for guiding Security Operations Center (SOC) analysts' focus toward specific system activity and provides the primary contextual foundation for interpreting security alerts. This paper explores novel approaches for improving incident response triage operations, including dealing with attacks and zero-day malware. This solution for rapid prioritization of different malware have been raised to formulate fast response plans to minimize socioeconomic damage from the massive growth of malware attacks in recent years, it can also be extended to other incident response. We propose a malware triage approach that can rapidly classify and prioritize different malware classes to address this concern. We utilize a pre-trained ResNet18 network based on Siamese Neural Network (SNN) to reduce the biases in weights and parameters. Furthermore, our approach incorporates external task memory to retain the task information of previously encountered examples. This helps to transfer experience to new samples and reduces computational costs, without requiring backpropagation on external memory. Evaluation results indicate that the classification aspect of our proposed method surpasses other similar classification techniques in terms of performance. This new triage strategy based on task memory with meta-learning evaluates the level of similarity matching across malware classes to identify any risky and unknown malware (e.g., zero-day attacks) so that a defense of those that support critical functionality can be conducted.
△ Less
Submitted 25 March, 2023; v1 submitted 20 July, 2022;
originally announced July 2022.
-
LSTM-Autoencoder based Anomaly Detection for Indoor Air Quality Time Series Data
Authors:
Yuanyuan Wei,
Julian Jang-Jaccard,
Wen Xu,
Fariza Sabrina,
Seyit Camtepe,
Mikael Boulic
Abstract:
Anomaly detection for indoor air quality (IAQ) data has become an important area of research as the quality of air is closely related to human health and well-being. However, traditional statistics and shallow machine learning-based approaches in anomaly detection in the IAQ area could not detect anomalies involving the observation of correlations across several data points (i.e., often referred t…
▽ More
Anomaly detection for indoor air quality (IAQ) data has become an important area of research as the quality of air is closely related to human health and well-being. However, traditional statistics and shallow machine learning-based approaches in anomaly detection in the IAQ area could not detect anomalies involving the observation of correlations across several data points (i.e., often referred to as long-term dependences). We propose a hybrid deep learning model that combines LSTM with Autoencoder for anomaly detection tasks in IAQ to address this issue. In our approach, the LSTM network is comprised of multiple LSTM cells that work with each other to learn the long-term dependences of the data in a time-series sequence. Autoencoder identifies the optimal threshold based on the reconstruction loss rates evaluated on every data across all time-series sequences. Our experimental results, based on the Dunedin CO2 time-series dataset obtained through a real-world deployment of the schools in New Zealand, demonstrate a very high and robust accuracy rate (99.50%) that outperforms other similar models.
△ Less
Submitted 13 April, 2022;
originally announced April 2022.
-
Autoencoder-based Unsupervised Intrusion Detection using Multi-Scale Convolutional Recurrent Networks
Authors:
Amardeep Singh,
Julian Jang-Jaccard
Abstract:
The massive growth of network traffic data leads to a large volume of datasets. Labeling these datasets for identifying intrusion attacks is very laborious and error-prone. Furthermore, network traffic data have complex time-varying non-linear relationships. The existing state-of-the-art intrusion detection solutions use a combination of various supervised approaches along with fused features subs…
▽ More
The massive growth of network traffic data leads to a large volume of datasets. Labeling these datasets for identifying intrusion attacks is very laborious and error-prone. Furthermore, network traffic data have complex time-varying non-linear relationships. The existing state-of-the-art intrusion detection solutions use a combination of various supervised approaches along with fused features subsets based on correlations in traffic data. These solutions often require high computational cost, manual support in fine-tuning intrusion detection models, and labeling of data that limit real-time processing of network traffic. Unsupervised solutions do reduce computational complexities and manual support for labeling data but current unsupervised solutions do not consider spatio-temporal correlations in traffic data. To address this, we propose a unified Autoencoder based on combining multi-scale convolutional neural network and long short-term memory (MSCNN-LSTM-AE) for anomaly detection in network traffic. The model first employs Multiscale Convolutional Neural Network Autoencoder (MSCNN-AE) to analyze the spatial features of the dataset, and then latent space features learned from MSCNN-AE employs Long Short-Term Memory (LSTM) based Autoencoder Network to process the temporal features. Our model further employs two Isolation Forest algorithms as error correction mechanisms to detect false positives and false negatives to improve detection accuracy. %Additionally, covariance matrices forms a Riemannian manifold that is naturally embedded with distance metrices that facilitates descriminative patterns for detecting malicious network traffic. We evaluated our model NSL-KDD, UNSW-NB15, and CICDDoS2019 dataset and showed our proposed method significantly outperforms the conventional unsupervised methods and other existing studies on the dataset.
△ Less
Submitted 7 April, 2022;
originally announced April 2022.
-
IGRF-RFE: A Hybrid Feature Selection Method for MLP-based Network Intrusion Detection on UNSW-NB15 Dataset
Authors:
Yuhua Yin,
Julian Jang-Jaccard,
Wen Xu,
Amardeep Singh,
**ting Zhu,
Fariza Sabrina,
** Kwak
Abstract:
The effectiveness of machine learning models is significantly affected by the size of the dataset and the quality of features as redundant and irrelevant features can radically degrade the performance. This paper proposes IGRF-RFE: a hybrid feature selection method tasked for multi-class network anomalies using a Multilayer perceptron (MLP) network. IGRF-RFE can be considered as a feature reductio…
▽ More
The effectiveness of machine learning models is significantly affected by the size of the dataset and the quality of features as redundant and irrelevant features can radically degrade the performance. This paper proposes IGRF-RFE: a hybrid feature selection method tasked for multi-class network anomalies using a Multilayer perceptron (MLP) network. IGRF-RFE can be considered as a feature reduction technique based on both the filter feature selection method and the wrapper feature selection method. In our proposed method, we use the filter feature selection method, which is the combination of Information Gain and Random Forest Importance, to reduce the feature subset search space. Then, we apply recursive feature elimination(RFE) as a wrapper feature selection method to further eliminate redundant features recursively on the reduced feature subsets. Our experimental results obtained based on the UNSW-NB15 dataset confirm that our proposed method can improve the accuracy of anomaly detection while reducing the feature dimension. The results show that the feature dimension is reduced from 42 to 23 while the multi-classification accuracy of MLP is improved from 82.25% to 84.24%.
△ Less
Submitted 5 February, 2023; v1 submitted 30 March, 2022;
originally announced March 2022.
-
Training a Bidirectional GAN-based One-Class Classifier for Network Intrusion Detection
Authors:
Wen Xu,
Julian Jang-Jaccard,
Tong Liu,
Fariza Sabrina
Abstract:
The network intrusion detection task is challenging because of the imbalanced and unlabeled nature of the dataset it operates on. Existing generative adversarial networks (GANs), are primarily used for creating synthetic samples from reals. They also have been proved successful in anomaly detection tasks. In our proposed method, we construct the trained encoder-discriminator as a one-class classif…
▽ More
The network intrusion detection task is challenging because of the imbalanced and unlabeled nature of the dataset it operates on. Existing generative adversarial networks (GANs), are primarily used for creating synthetic samples from reals. They also have been proved successful in anomaly detection tasks. In our proposed method, we construct the trained encoder-discriminator as a one-class classifier based on Bidirectional GAN (Bi-GAN) for detecting anomalous traffic from normal traffic other than calculating expensive and complex anomaly scores or thresholds. Our experimental result illustrates that our proposed method is highly effective to be used in network intrusion detection tasks and outperforms other similar generative methods on the NSL-KDD dataset.
△ Less
Submitted 8 March, 2022; v1 submitted 2 February, 2022;
originally announced February 2022.
-
A Game-Theoretic Approach for AI-based Botnet Attack Defence
Authors:
Hooman Alavizadeh,
Julian Jang-Jaccard,
Tansu Alpcan,
Seyit A. Camtepe
Abstract:
The new generation of botnets leverages Artificial Intelligent (AI) techniques to conceal the identity of botmasters and the attack intention to avoid detection. Unfortunately, there has not been an existing assessment tool capable of evaluating the effectiveness of existing defense strategies against this kind of AI-based botnet attack. In this paper, we propose a sequential game theory model tha…
▽ More
The new generation of botnets leverages Artificial Intelligent (AI) techniques to conceal the identity of botmasters and the attack intention to avoid detection. Unfortunately, there has not been an existing assessment tool capable of evaluating the effectiveness of existing defense strategies against this kind of AI-based botnet attack. In this paper, we propose a sequential game theory model that is capable to analyse the details of the potential strategies botnet attackers and defenders could use to reach Nash Equilibrium (NE). The utility function is computed under the assumption when the attacker launches the maximum number of DDoS attacks with the minimum attack cost while the defender utilises the maximum number of defense strategies with the minimum defense cost. We conduct a numerical analysis based on a various number of defense strategies involved on different (simulated) cloud-band sizes in relation to different attack success rate values. Our experimental results confirm that the success of defense highly depends on the number of defense strategies used according to careful evaluation of attack rates.
△ Less
Submitted 3 December, 2021;
originally announced December 2021.
-
A Few-Shot Meta-Learning based Siamese Neural Network using Entropy Features for Ransomware Classification
Authors:
**ting Zhu,
Julian Jang-Jaccard,
Amardeep Singh,
Ian Welch,
Harith AI-Sahaf,
Seyit Camtepe
Abstract:
Ransomware defense solutions that can quickly detect and classify different ransomware classes to formulate rapid response plans have been in high demand in recent years. Though the applicability of adopting deep learning techniques to provide automation and self-learning provision has been proven in many application domains, the lack of data available for ransomware (and other malware)samples has…
▽ More
Ransomware defense solutions that can quickly detect and classify different ransomware classes to formulate rapid response plans have been in high demand in recent years. Though the applicability of adopting deep learning techniques to provide automation and self-learning provision has been proven in many application domains, the lack of data available for ransomware (and other malware)samples has been raised as a barrier to develo** effective deep learning-based solutions. To address this concern, we propose a few-shot meta-learning based Siamese Neural Network that not only detects ransomware attacks but is able to classify them into different classes. Our proposed model utilizes the entropy feature directly extracted from ransomware binary files to retain more fine-grained features associated with different ransomware signatures. These entropy features are used further to train and optimize our model using a pre-trained network (e.g. VGG-16) in a meta-learning fashion. This approach generates more accurate weight factors, compared to feature images are used, to avoid the bias typically associated with a model trained with a limited number of training samples. Our experimental results show that our proposed model is highly effective in providing a weighted F1-score exceeding the rate>86% compared
△ Less
Submitted 10 April, 2022; v1 submitted 1 December, 2021;
originally announced December 2021.
-
Deep Q-Learning based Reinforcement Learning Approach for Network Intrusion Detection
Authors:
Hooman Alavizadeh,
Julian Jang-Jaccard,
Hootan Alavizadeh
Abstract:
The rise of the new generation of cyber threats demands more sophisticated and intelligent cyber defense solutions equipped with autonomous agents capable of learning to make decisions without the knowledge of human experts. Several reinforcement learning methods (e.g., Markov) for automated network intrusion tasks have been proposed in recent years. In this paper, we introduce a new generation of…
▽ More
The rise of the new generation of cyber threats demands more sophisticated and intelligent cyber defense solutions equipped with autonomous agents capable of learning to make decisions without the knowledge of human experts. Several reinforcement learning methods (e.g., Markov) for automated network intrusion tasks have been proposed in recent years. In this paper, we introduce a new generation of network intrusion detection methods that combines a Q-learning-based reinforcement learning with a deep-feed forward neural network method for network intrusion detection. Our proposed Deep Q-Learning (DQL) model provides an ongoing auto-learning capability for a network environment that can detect different types of network intrusions using an automated trial-error approach and continuously enhance its detection capabilities. We provide the details of fine-tuning different hyperparameters involved in the DQL model for more effective self-learning. According to our extensive experimental results based on the NSL-KDD dataset, we confirm that the lower discount factor which is set as 0.001 under 250 episodes of training yields the best performance results. Our experimental results also show that our proposed DQL is highly effective in detecting different intrusion classes and outperforms other similar machine learning approaches.
△ Less
Submitted 27 November, 2021;
originally announced November 2021.
-
Intrusion Detection using Spatial-Temporal features based on Riemannian Manifold
Authors:
Amardeep Singh,
Julian Jang-Jaccard
Abstract:
Network traffic data is a combination of different data bytes packets under different network protocols. These traffic packets have complex time-varying non-linear relationships. Existing state-of-the-art methods rise up to this challenge by fusing features into multiple subsets based on correlations and using hybrid classification techniques that extract spatial and temporal characteristics. This…
▽ More
Network traffic data is a combination of different data bytes packets under different network protocols. These traffic packets have complex time-varying non-linear relationships. Existing state-of-the-art methods rise up to this challenge by fusing features into multiple subsets based on correlations and using hybrid classification techniques that extract spatial and temporal characteristics. This often requires high computational cost and manual support that limit them for real-time processing of network traffic. To address this, we propose a new novel feature extraction method based on covariance matrices that extract spatial-temporal characteristics of network traffic data for detecting malicious network traffic behavior. The covariance matrices in our proposed method not just naturally encode the mutual relationships between different network traffic values but also have well-defined geometry that falls in the Riemannian manifold. Riemannian manifold is embedded with distance metrics that facilitate extracting discriminative features for detecting malicious network traffic. We evaluated our model on NSL-KDD and UNSW-NB15 datasets and showed our proposed method significantly outperforms the conventional method and other existing studies on the dataset.
△ Less
Submitted 31 October, 2021;
originally announced November 2021.
-
A Survey on Threat Situation Awareness Systems: Framework, Techniques, and Insights
Authors:
Hooman Alavizadeh,
Julian Jang-Jaccard,
Simon Yusuf Enoch,
Harith Al-Sahaf,
Ian Welch,
Seyit A. Camtepe,
Dong Seong Kim
Abstract:
Cyberspace is full of uncertainty in terms of advanced and sophisticated cyber threats which are equipped with novel approaches to learn the system and propagate themselves, such as AI-powered threats. To debilitate these types of threats, a modern and intelligent Cyber Situation Awareness (SA) system need to be developed which has the ability of monitoring and capturing various types of threats,…
▽ More
Cyberspace is full of uncertainty in terms of advanced and sophisticated cyber threats which are equipped with novel approaches to learn the system and propagate themselves, such as AI-powered threats. To debilitate these types of threats, a modern and intelligent Cyber Situation Awareness (SA) system need to be developed which has the ability of monitoring and capturing various types of threats, analyzing and devising a plan to avoid further attacks. This paper provides a comprehensive study on the current state-of-the-art in the cyber SA to discuss the following aspects of SA: key design principles, framework, classifications, data collection, and analysis of the techniques, and evaluation methods. Lastly, we highlight misconceptions, insights and limitations of this study and suggest some future work directions to address the limitations.
△ Less
Submitted 29 October, 2021;
originally announced October 2021.
-
Task-Aware Meta Learning-based Siamese Neural Network for Classifying Obfuscated Malware
Authors:
**ting Zhu,
Julian Jang-Jaccard,
Amardeep Singh,
Paul A. Watters,
Seyit Camtepe
Abstract:
Malware authors apply different techniques of control flow obfuscation, in order to create new malware variants to avoid detection. Existing Siamese neural network (SNN)-based malware detection methods fail to correctly classify different malware families when such obfuscated malware samples are present in the training dataset, resulting in high false-positive rates. To address this issue, we prop…
▽ More
Malware authors apply different techniques of control flow obfuscation, in order to create new malware variants to avoid detection. Existing Siamese neural network (SNN)-based malware detection methods fail to correctly classify different malware families when such obfuscated malware samples are present in the training dataset, resulting in high false-positive rates. To address this issue, we propose a novel task-aware few-shot-learning-based Siamese Neural Network that is resilient against the presence of malware variants affected by such control flow obfuscation techniques. Using the average entropy features of each malware family as inputs, in addition to the image features, our model generates the parameters for the feature layers, to more accurately adjust the feature embedding for different malware families, each of which has obfuscated malware variants. In addition, our proposed method can classify malware classes, even if there are only one or a few training samples available. Our model utilizes few-shot learning with the extracted features of a pre-trained network (e.g., VGG-16), to avoid the bias typically associated with a model trained with a limited number of training samples. Our proposed approach is highly effective in recognizing unique malware signatures, thus correctly classifying malware samples that belong to the same malware family, even in the presence of obfuscated malware variants. Our experimental results, validated by N-way on N-shot learning, show that our model is highly effective in classification accuracy, exceeding a rate \textgreater 91\%, compared to other similar methods.
△ Less
Submitted 14 June, 2023; v1 submitted 26 October, 2021;
originally announced October 2021.
-
A Markov Game Model for AI-based Cyber Security Attack Mitigation
Authors:
Hooman Alavizadeh,
Julian Jang-Jaccard,
Tansu Alpcan,
Seyit A. Camtepe
Abstract:
The new generation of cyber threats leverages advanced AI-aided methods, which make them capable to launch multi-stage, dynamic, and effective attacks. Current cyber-defense systems encounter various challenges to defend against such new and emerging threats. Modeling AI-aided threats through game theory models can help the defender to select optimal strategies against the attacks and make wise de…
▽ More
The new generation of cyber threats leverages advanced AI-aided methods, which make them capable to launch multi-stage, dynamic, and effective attacks. Current cyber-defense systems encounter various challenges to defend against such new and emerging threats. Modeling AI-aided threats through game theory models can help the defender to select optimal strategies against the attacks and make wise decisions to mitigate the attack's impact. This paper first explores the current state-of-the-art in the new generation of threats in which AI techniques such as deep neural network is used for the attacker and discusses further challenges. We propose a Markovian dynamic game that can evaluate the efficiency of defensive methods against the AI-aided attacker under a cloud-based system in which the attacker utilizes an AI technique to launch an advanced attack by finding the shortest attack path. We use the CVSS metrics to quantify the values of this zero-sum game model for decision-making.
△ Less
Submitted 20 July, 2021;
originally announced July 2021.
-
Evaluating the Security and Economic Effects of Moving Target Defense Techniques on the Cloud
Authors:
Hooman Alavizadeh,
Samin Aref,
Dong Seong Kim,
Julian Jang-Jaccard
Abstract:
Moving Target Defense (MTD) is a proactive security mechanism which changes the attack surface aiming to confuse attackers. Cloud computing leverages MTD techniques to enhance cloud security posture against cyber threats. While many MTD techniques have been applied to cloud computing, there has not been a joint evaluation of the effectiveness of MTD techniques with respect to security and economic…
▽ More
Moving Target Defense (MTD) is a proactive security mechanism which changes the attack surface aiming to confuse attackers. Cloud computing leverages MTD techniques to enhance cloud security posture against cyber threats. While many MTD techniques have been applied to cloud computing, there has not been a joint evaluation of the effectiveness of MTD techniques with respect to security and economic metrics. In this paper, we first introduce mathematical definitions for the combination of three MTD techniques: \emph{Shuffle}, \emph{Diversity}, and \emph{Redundancy}. Then, we utilize four security metrics including system risk, attack cost, return on attack, and reliability to assess the effectiveness of the combined MTD techniques applied to large-scale cloud models. Secondly, we focus on a specific context based on a cloud model for E-health applications to evaluate the effectiveness of the MTD techniques using security and economic metrics. We introduce (1) a strategy to effectively deploy Shuffle MTD technique using a virtual machine placement technique and (2) two strategies to deploy Diversity MTD technique through operating system diversification. As deploying Diversity incurs cost, we formulate the \emph{Optimal Diversity Assignment Problem (O-DAP)} and solve it as a binary linear programming model to obtain the assignment which maximizes the expected net benefit.
△ Less
Submitted 19 June, 2021; v1 submitted 4 September, 2020;
originally announced September 2020.
-
Cyber Situation Awareness Monitoring and Proactive Response for Enterprises on the Cloud
Authors:
Hootan Alavizadeh,
Hooman Alavizadeh,
Julian Jang-Jaccard
Abstract:
The cloud model allows many enterprises able to outsource computing resources at an affordable price without having to commit the expense upfront. Although the cloud providers are responsible for the security of the cloud, there are still many security concerns due to inherently complex model the cloud providers operate on (e.g.,multi-tenancy). In addition, the enterprises whose services have migr…
▽ More
The cloud model allows many enterprises able to outsource computing resources at an affordable price without having to commit the expense upfront. Although the cloud providers are responsible for the security of the cloud, there are still many security concerns due to inherently complex model the cloud providers operate on (e.g.,multi-tenancy). In addition, the enterprises whose services have migrated into the cloud have a preference for their own cybersecurity situation awareness capability on top of the security mechanisms provided by the cloud providers. In this way, the enterprises can monitor the performance of the security offerings of the cloud and have a choice to decide and select potential response strategies more appropriate to the enterprise in the presence of the attack where the defense provided by the cloud doesn't work for them. However, some response strategies, such as Moving Target Defense (MTD) techniques shown to be effective to secure cloud, cannot be deployed by the enterprise themselves. In this paper, we propose a framework that enables better collaboration between enterprises and cloud providers. Our proposed framework, which offers more in-depth security analysis based on the set of most advanced security metrics, allows the security experts of the enterprise to obtain better situational awareness in the cloud. With better and more effective situation awareness of cloud security, our framework can support better decision making and further allows to deploy more appropriate threat responses to protect the outsourced resources. We also propose a secure protocol which can facilitate more secure communication between the enterprises and cloud provider. Using our proposed secure protocol, which is based on authentication and key exchange mechanism, the enterprises can send a secure request to the cloud provider to perform a selected defensive strategy.
△ Less
Submitted 3 September, 2020;
originally announced September 2020.
-
MSD-Kmeans: A Novel Algorithm for Efficient Detection of Global and Local Outliers
Authors:
Yuanyuan Wei,
Julian Jang-Jaccard,
Fariza Sabrina,
Timothy McIntosh
Abstract:
Outlier detection is a technique in data mining that aims to detect unusual or unexpected records in the dataset. Existing outlier detection algorithms have different pros and cons and exhibit different sensitivity to noisy data such as extreme values. In this paper, we propose a novel cluster-based outlier detection algorithm named MSD-Kmeans that combines the statistical method of Mean and Stand…
▽ More
Outlier detection is a technique in data mining that aims to detect unusual or unexpected records in the dataset. Existing outlier detection algorithms have different pros and cons and exhibit different sensitivity to noisy data such as extreme values. In this paper, we propose a novel cluster-based outlier detection algorithm named MSD-Kmeans that combines the statistical method of Mean and Standard Deviation (MSD) and the machine learning clustering algorithm K-means to detect outliers more accurately with the better control of extreme values. There are two phases in this combination method of MSD-Kmeans: (1) applying MSD algorithm to eliminate as many noisy data to minimize the interference on clusters, and (2) applying K-means algorithm to obtain local optimal clusters. We evaluate our algorithm and demonstrate its effectiveness in the context of detecting possible overcharging of taxi fares, as greedy dishonest drivers may attempt to charge high fares by detouring. We compare the performance indicators of MSD-Kmeans with those of other outlier detection algorithms, such as MSD, K-means, Z-score, MIQR and LOF, and prove that the proposed MSD-Kmeans algorithm achieves the highest measure of precision, accuracy, and F-measure. We conclude that MSD-Kmeans can be used for effective and efficient outlier detection on data of varying quality on IoT devices.
△ Less
Submitted 15 October, 2019;
originally announced October 2019.
-
An Automated Security Analysis Framework and Implementation for Cloud
Authors:
Hootan Alavizadeh,
Hooman Alavizadeh,
Dong Seong Kim,
Julian Jang-Jaccard,
Masood Niazi Torshiz
Abstract:
Cloud service providers offer their customers with on-demand and cost-effective services, scalable computing, and network infrastructures. Enterprises migrate their services to the cloud to utilize the benefit of cloud computing such as eliminating the capital expense of their computing need. There are security vulnerabilities and threats in the cloud. Many researches have been proposed to analyze…
▽ More
Cloud service providers offer their customers with on-demand and cost-effective services, scalable computing, and network infrastructures. Enterprises migrate their services to the cloud to utilize the benefit of cloud computing such as eliminating the capital expense of their computing need. There are security vulnerabilities and threats in the cloud. Many researches have been proposed to analyze the cloud security using Graphical Security Models (GSMs) and security metrics. In addition, it has been widely researched in finding appropriate defensive strategies for the security of the cloud. Moving Target Defense (MTD) techniques can utilize the cloud elasticity features to change the attack surface and confuse attackers. Most of the previous work incorporating MTDs into the GSMs are theoretical and the performance was evaluated based on the simulation. In this paper, we realized the previous framework and designed, implemented and tested a cloud security assessment tool in a real cloud platform named UniteCloud. Our security solution can (1) monitor cloud computing in real-time, (2) automate the security modeling and analysis and visualize the GSMs using a Graphical User Interface via a web application, and (3) deploy three MTD techniques including Diversity, Redundancy, and Shuffle on the real cloud infrastructure. We analyzed the automation process using the APIs and showed the practicality and feasibility of automation of deploying all the three MTD techniques on the UniteCloud.
△ Less
Submitted 3 April, 2019;
originally announced April 2019.