-
FlowTransformer: A Transformer Framework for Flow-based Network Intrusion Detection Systems
Authors:
Liam Daly Manocchio,
Siamak Layeghy,
Wai Weng Lo,
Gayan K. Kulatilleke,
Mohanad Sarhan,
Marius Portmann
Abstract:
This paper presents the FlowTransformer framework, a novel approach for implementing transformer-based Network Intrusion Detection Systems (NIDSs). FlowTransformer leverages the strengths of transformer models in identifying the long-term behaviour and characteristics of networks, which are often overlooked by most existing NIDSs. By capturing these complex patterns in network traffic, FlowTransfo…
▽ More
This paper presents the FlowTransformer framework, a novel approach for implementing transformer-based Network Intrusion Detection Systems (NIDSs). FlowTransformer leverages the strengths of transformer models in identifying the long-term behaviour and characteristics of networks, which are often overlooked by most existing NIDSs. By capturing these complex patterns in network traffic, FlowTransformer offers a flexible and efficient tool for researchers and practitioners in the cybersecurity community who are seeking to implement NIDSs using transformer-based models. FlowTransformer allows the direct substitution of various transformer components, including the input encoding, transformer, classification head, and the evaluation of these across any flow-based network dataset. To demonstrate the effectiveness and efficiency of the FlowTransformer framework, we utilise it to provide an extensive evaluation of various common transformer architectures, such as GPT 2.0 and BERT, on three commonly used public NIDS benchmark datasets. We provide results for accuracy, model size and speed. A key finding of our evaluation is that the choice of classification head has the most significant impact on the model performance. Surprisingly, Global Average Pooling, which is commonly used in text classification, performs very poorly in the context of NIDS. In addition, we show that model size can be reduced by over 50\%, and inference and training times improved, with no loss of accuracy, by making specific choices of input encoding and classification head instead of other commonly used alternatives.
△ Less
Submitted 28 April, 2023;
originally announced April 2023.
-
NBC-Softmax : Darkweb Author fingerprinting and migration tracking
Authors:
Gayan K. Kulatilleke,
Shekhar S. Chandra,
Marius Portmann
Abstract:
Metric learning aims to learn distances from the data, which enhances the performance of similarity-based algorithms. An author style detection task is a metric learning problem, where learning style features with small intra-class variations and larger inter-class differences is of great importance to achieve better performance. Recently, metric learning based on softmax loss has been used succes…
▽ More
Metric learning aims to learn distances from the data, which enhances the performance of similarity-based algorithms. An author style detection task is a metric learning problem, where learning style features with small intra-class variations and larger inter-class differences is of great importance to achieve better performance. Recently, metric learning based on softmax loss has been used successfully for style detection. While softmax loss can produce separable representations, its discriminative power is relatively poor. In this work, we propose NBC-Softmax, a contrastive loss based clustering technique for softmax loss, which is more intuitive and able to achieve superior performance. Our technique meets the criterion for larger number of samples, thus achieving block contrastiveness, which is proven to outperform pair-wise losses. It uses mini-batch sampling effectively and is scalable. Experiments on 4 darkweb social forums, with NBCSAuthor that uses the proposed NBC-Softmax for author and sybil detection, shows that our negative block contrastive approach constantly outperforms state-of-the-art methods using the same network architecture.
Our code is publicly available at : https://github.com/gayanku/NBC-Softmax
△ Less
Submitted 15 December, 2022;
originally announced December 2022.
-
DOC-NAD: A Hybrid Deep One-class Classifier for Network Anomaly Detection
Authors:
Mohanad Sarhan,
Gayan Kulatilleke,
Wai Weng Lo,
Siamak Layeghy,
Marius Portmann
Abstract:
Machine Learning (ML) approaches have been used to enhance the detection capabilities of Network Intrusion Detection Systems (NIDSs). Recent work has achieved near-perfect performance by following binary- and multi-class network anomaly detection tasks. Such systems depend on the availability of both (benign and malicious) network data classes during the training phase. However, attack data sample…
▽ More
Machine Learning (ML) approaches have been used to enhance the detection capabilities of Network Intrusion Detection Systems (NIDSs). Recent work has achieved near-perfect performance by following binary- and multi-class network anomaly detection tasks. Such systems depend on the availability of both (benign and malicious) network data classes during the training phase. However, attack data samples are often challenging to collect in most organisations due to security controls preventing the penetration of known malicious traffic to their networks. Therefore, this paper proposes a Deep One-Class (DOC) classifier for network intrusion detection by only training on benign network data samples. The novel one-class classification architecture consists of a histogram-based deep feed-forward classifier to extract useful network data features and use efficient outlier detection. The DOC classifier has been extensively evaluated using two benchmark NIDS datasets. The results demonstrate its superiority over current state-of-the-art one-class classifiers in terms of detection and false positive rates.
△ Less
Submitted 14 December, 2022;
originally announced December 2022.
-
DI-NIDS: Domain Invariant Network Intrusion Detection System
Authors:
Siamak Layeghy,
Mahsa Baktashmotlagh,
Marius Portmann
Abstract:
The performance of machine learning based network intrusion detection systems (NIDSs) severely degrades when deployed on a network with significantly different feature distributions from the ones of the training dataset. In various applications, such as computer vision, domain adaptation techniques have been successful in mitigating the gap between the distributions of the training and test data.…
▽ More
The performance of machine learning based network intrusion detection systems (NIDSs) severely degrades when deployed on a network with significantly different feature distributions from the ones of the training dataset. In various applications, such as computer vision, domain adaptation techniques have been successful in mitigating the gap between the distributions of the training and test data. In the case of network intrusion detection however, the state-of-the-art domain adaptation approaches have had limited success. According to recent studies, as well as our own results, the performance of an NIDS considerably deteriorates when the `unseen' test dataset does not follow the training dataset distribution. In some cases, swap** the train and test datasets makes this even more severe. In order to enhance the generalisibility of machine learning based network intrusion detection systems, we propose to extract domain invariant features using adversarial domain adaptation from multiple network domains, and then apply an unsupervised technique for recognising abnormalities, i.e., intrusions. More specifically, we train a domain adversarial neural network on labelled source domains, extract the domain invariant features, and train a One-Class SVM (OSVM) model to detect anomalies. At test time, we feedforward the unlabeled test data to the feature extractor network to project it into a domain invariant space, and then apply OSVM on the extracted features to achieve our final goal of detecting intrusions. Our extensive experiments on the NIDS benchmark datasets of NFv2-CIC-2018 and NFv2-UNSW-NB15 show that our proposed setup demonstrates superior cross-domain performance in comparison to the previous approaches.
△ Less
Submitted 15 October, 2022;
originally announced October 2022.
-
Network Intrusion Detection System in a Light Bulb
Authors:
Liam Daly Manocchio,
Siamak Layeghy,
Marius Portmann
Abstract:
Internet of Things (IoT) devices are progressively being utilised in a variety of edge applications to monitor and control home and industry infrastructure. Due to the limited compute and energy resources, active security protections are usually minimal in many IoT devices. This has created a critical security challenge that has attracted researchers' attention in the field of network security. De…
▽ More
Internet of Things (IoT) devices are progressively being utilised in a variety of edge applications to monitor and control home and industry infrastructure. Due to the limited compute and energy resources, active security protections are usually minimal in many IoT devices. This has created a critical security challenge that has attracted researchers' attention in the field of network security. Despite a large number of proposed Network Intrusion Detection Systems (NIDSs), there is limited research into practical IoT implementations, and to the best of our knowledge, no edge-based NIDS has been demonstrated to operate on common low-power chipsets found in the majority of IoT devices, such as the ESP8266. This research aims to address this gap by pushing the boundaries on low-power Machine Learning (ML) based NIDSs. We propose and develop an efficient and low-power ML-based NIDS, and demonstrate its applicability for IoT edge applications by running it on a typical smart light bulb. We also evaluate our system against other proposed edge-based NIDSs and show that our model has a higher detection performance, and is significantly faster and smaller, and therefore more applicable to a wider range of IoT edge devices.
△ Less
Submitted 6 October, 2022;
originally announced October 2022.
-
Efficient block contrastive learning via parameter-free meta-node approximation
Authors:
Gayan K. Kulatilleke,
Marius Portmann,
Shekhar S. Chandra
Abstract:
Contrastive learning has recently achieved remarkable success in many domains including graphs. However contrastive loss, especially for graphs, requires a large number of negative samples which is unscalable and computationally prohibitive with a quadratic time complexity. Sub-sampling is not optimal and incorrect negative sampling leads to sampling bias. In this work, we propose a meta-node base…
▽ More
Contrastive learning has recently achieved remarkable success in many domains including graphs. However contrastive loss, especially for graphs, requires a large number of negative samples which is unscalable and computationally prohibitive with a quadratic time complexity. Sub-sampling is not optimal and incorrect negative sampling leads to sampling bias. In this work, we propose a meta-node based approximation technique that can (a) proxy all negative combinations (b) in quadratic cluster size time complexity, (c) at graph level, not node level, and (d) exploit graph sparsity. By replacing node-pairs with additive cluster-pairs, we compute the negatives in cluster-time at graph level. The resulting Proxy approximated meta-node Contrastive (PamC) loss, based on simple optimized GPU operations, captures the full set of negatives, yet is efficient with a linear time complexity. By avoiding sampling, we effectively eliminate sample bias. We meet the criterion for larger number of samples, thus achieving block-contrastiveness, which is proven to outperform pair-wise losses. We use learnt soft cluster assignments for the meta-node constriction, and avoid possible heterophily and noise added during edge creation. Theoretically, we show that real world graphs easily satisfy conditions necessary for our approximation. Empirically, we show promising accuracy gains over state-of-the-art graph clustering on 6 benchmarks. Importantly, we gain substantially in efficiency; up to 3x in training time, 1.8x in inference time and over 5x in GPU memory reduction.
△ Less
Submitted 28 September, 2022;
originally announced September 2022.
-
XG-BoT: An Explainable Deep Graph Neural Network for Botnet Detection and Forensics
Authors:
Wai Weng Lo,
Gayan K. Kulatilleke,
Mohanad Sarhan,
Siamak Layeghy,
Marius Portmann
Abstract:
In this paper, we propose XG-BoT, an explainable deep graph neural network model for botnet node detection. The proposed model comprises a botnet detector and an explainer for automatic forensics. The XG-BoT detector can effectively detect malicious botnet nodes in large-scale networks. Specifically, it utilizes a grouped reversible residual connection with a graph isomorphism network to learn exp…
▽ More
In this paper, we propose XG-BoT, an explainable deep graph neural network model for botnet node detection. The proposed model comprises a botnet detector and an explainer for automatic forensics. The XG-BoT detector can effectively detect malicious botnet nodes in large-scale networks. Specifically, it utilizes a grouped reversible residual connection with a graph isomorphism network to learn expressive node representations from botnet communication graphs. The explainer, based on the GNNExplainer and saliency map in XG-BoT, can perform automatic network forensics by highlighting suspicious network flows and related botnet nodes. We evaluated XG-BoT using real-world, large-scale botnet network graph datasets. Overall, XG-BoT outperforms state-of-the-art approaches in terms of key evaluation metrics. Additionally, we demonstrate that the XG-BoT explainers can generate useful explanations for automatic network forensics.
△ Less
Submitted 11 March, 2023; v1 submitted 19 July, 2022;
originally announced July 2022.
-
Anomal-E: A Self-Supervised Network Intrusion Detection System based on Graph Neural Networks
Authors:
Evan Caville,
Wai Weng Lo,
Siamak Layeghy,
Marius Portmann
Abstract:
This paper investigates Graph Neural Networks (GNNs) application for self-supervised network intrusion and anomaly detection. GNNs are a deep learning approach for graph-based data that incorporate graph structures into learning to generalise graph representations and output embeddings. As network flows are naturally graph-based, GNNs are a suitable fit for analysing and learning network behaviour…
▽ More
This paper investigates Graph Neural Networks (GNNs) application for self-supervised network intrusion and anomaly detection. GNNs are a deep learning approach for graph-based data that incorporate graph structures into learning to generalise graph representations and output embeddings. As network flows are naturally graph-based, GNNs are a suitable fit for analysing and learning network behaviour. The majority of current implementations of GNN-based Network Intrusion Detection Systems (NIDSs) rely heavily on labelled network traffic which can not only restrict the amount and structure of input traffic, but also the NIDSs potential to adapt to unseen attacks. To overcome these restrictions, we present Anomal-E, a GNN approach to intrusion and anomaly detection that leverages edge features and graph topological structure in a self-supervised process. This approach is, to the best our knowledge, the first successful and practical approach to network intrusion detection that utilises network flows in a self-supervised, edge leveraging GNN. Experimental results on two modern benchmark NIDS datasets not only clearly display the improvement of using Anomal-E embeddings rather than raw features, but also the potential Anomal-E has for detection on wild network traffic.
△ Less
Submitted 9 February, 2023; v1 submitted 14 July, 2022;
originally announced July 2022.
-
On Generalisability of Machine Learning-based Network Intrusion Detection Systems
Authors:
Siamak Layeghy,
Marius Portmann
Abstract:
Many of the proposed machine learning (ML) based network intrusion detection systems (NIDSs) achieve near perfect detection performance when evaluated on synthetic benchmark datasets. Though, there is no record of if and how these results generalise to other network scenarios, in particular to real-world networks. In this paper, we investigate the generalisability property of ML-based NIDSs by ext…
▽ More
Many of the proposed machine learning (ML) based network intrusion detection systems (NIDSs) achieve near perfect detection performance when evaluated on synthetic benchmark datasets. Though, there is no record of if and how these results generalise to other network scenarios, in particular to real-world networks. In this paper, we investigate the generalisability property of ML-based NIDSs by extensively evaluating seven supervised and unsupervised learning models on four recently published benchmark NIDS datasets. Our investigation indicates that none of the considered models is able to generalise over all studied datasets. Interestingly, our results also indicate that the generalisability has a high degree of asymmetry, i.e., swap** the source and target domains can significantly change the classification performance. Our investigation also indicates that overall, unsupervised learning methods generalise better than supervised learning models in our considered scenarios. Using SHAP values to explain these results indicates that the lack of generalisability is mainly due to the presence of strong correspondence between the values of one or more features and Attack/Benign classes in one dataset-model combination and its absence in other datasets that have different feature distributions.
△ Less
Submitted 9 May, 2022;
originally announced May 2022.
-
SCGC : Self-Supervised Contrastive Graph Clustering
Authors:
Gayan K. Kulatilleke,
Marius Portmann,
Shekhar S. Chandra
Abstract:
Graph clustering discovers groups or communities within networks. Deep learning methods such as autoencoders (AE) extract effective clustering and downstream representations but cannot incorporate rich structural information. While Graph Neural Networks (GNN) have shown great success in encoding graph structure, typical GNNs based on convolution or attention variants suffer from over-smoothing, no…
▽ More
Graph clustering discovers groups or communities within networks. Deep learning methods such as autoencoders (AE) extract effective clustering and downstream representations but cannot incorporate rich structural information. While Graph Neural Networks (GNN) have shown great success in encoding graph structure, typical GNNs based on convolution or attention variants suffer from over-smoothing, noise, heterophily, are computationally expensive and typically require the complete graph being present. Instead, we propose Self-Supervised Contrastive Graph Clustering (SCGC), which imposes graph-structure via contrastive loss signals to learn discriminative node representations and iteratively refined soft cluster labels. We also propose SCGC*, with a more effective, novel, Influence Augmented Contrastive (IAC) loss to fuse richer structural information, and half the original model parameters. SCGC(*) is faster with simple linear units, completely eliminate convolutions and attention of traditional GNNs, yet efficiently incorporates structure. It is impervious to layer depth and robust to over-smoothing, incorrect edges and heterophily. It is scalable by batching, a limitation in many prior GNN models, and trivially parallelizable. We obtain significant improvements over state-of-the-art on a wide range of benchmark graph datasets, including images, sensor data, text, and citation networks efficiently. Specifically, 20% on ARI and 18% on NMI for DBLP; overall 55% reduction in training time and overall, 81% reduction on inference time. Our code is available at : https://github.com/gayanku/SCGC
△ Less
Submitted 26 April, 2022;
originally announced April 2022.
-
HBFL: A Hierarchical Blockchain-based Federated Learning Framework for a Collaborative IoT Intrusion Detection
Authors:
Mohanad Sarhan,
Wai Weng Lo,
Siamak Layeghy,
Marius Portmann
Abstract:
The continuous strengthening of the security posture of IoT ecosystems is vital due to the increasing number of interconnected devices and the volume of sensitive data shared. The utilisation of Machine Learning (ML) capabilities in the defence against IoT cyber attacks has many potential benefits. However, the currently proposed frameworks do not consider data privacy, secure architectures, and/o…
▽ More
The continuous strengthening of the security posture of IoT ecosystems is vital due to the increasing number of interconnected devices and the volume of sensitive data shared. The utilisation of Machine Learning (ML) capabilities in the defence against IoT cyber attacks has many potential benefits. However, the currently proposed frameworks do not consider data privacy, secure architectures, and/or scalable deployments of IoT ecosystems. In this paper, we propose a hierarchical blockchain-based federated learning framework to enable secure and privacy-preserved collaborative IoT intrusion detection. We highlight and demonstrate the importance of sharing cyber threat intelligence among inter-organisational IoT networks to improve the model's detection capabilities. The proposed ML-based intrusion detection framework follows a hierarchical federated learning architecture to ensure the privacy of the learning process and organisational data. The transactions (model updates) and processes will run on a secure immutable ledger, and the conformance of executed tasks will be verified by the smart contract. We have tested our solution and demonstrated its feasibility by implementing it and evaluating the intrusion detection performance using a key IoT data set. The outcome is a securely designed ML-based intrusion detection system capable of detecting a wide range of malicious activities while preserving data privacy.
△ Less
Submitted 8 April, 2022;
originally announced April 2022.
-
Inspection-L: Self-Supervised GNN Node Embeddings for Money Laundering Detection in Bitcoin
Authors:
Wai Weng Lo,
Gayan K. Kulatilleke,
Mohanad Sarhan,
Siamak Layeghy,
Marius Portmann
Abstract:
Criminals have become increasingly experienced in using cryptocurrencies, such as Bitcoin, for money laundering. The use of cryptocurrencies can hide criminal identities and transfer hundreds of millions of dollars of dirty funds through their criminal digital wallets. However, this is considered a paradox because cryptocurrencies are goldmines for open-source intelligence, giving law enforcement…
▽ More
Criminals have become increasingly experienced in using cryptocurrencies, such as Bitcoin, for money laundering. The use of cryptocurrencies can hide criminal identities and transfer hundreds of millions of dollars of dirty funds through their criminal digital wallets. However, this is considered a paradox because cryptocurrencies are goldmines for open-source intelligence, giving law enforcement agencies more power when conducting forensic analyses. This paper proposed Inspection-L, a graph neural network (GNN) framework based on a self-supervised Deep Graph Infomax (DGI) and Graph Isomorphism Network (GIN), with supervised learning algorithms, namely Random Forest (RF), to detect illicit transactions for anti-money laundering (AML). To the best of our knowledge, our proposal is the first to apply self-supervised GNNs to the problem of AML in Bitcoin. The proposed method was evaluated on the Elliptic dataset and shows that our approach outperforms the state-of-the-art in terms of key classification metrics, which demonstrates the potential of self-supervised GNN in the detection of illicit cryptocurrency transactions.
△ Less
Submitted 9 October, 2022; v1 submitted 20 March, 2022;
originally announced March 2022.
-
Graph Neural Network-based Android Malware Classification with Jum** Knowledge
Authors:
Wai Weng Lo,
Siamak Layeghy,
Mohanad Sarhan,
Marcus Gallagher,
Marius Portmann
Abstract:
This paper presents a new Android malware detection method based on Graph Neural Networks (GNNs) with Jum**-Knowledge (JK). Android function call graphs (FCGs) consist of a set of program functions and their inter-procedural calls. Thus, this paper proposes a GNN-based method for Android malware detection by capturing meaningful intra-procedural call path patterns. In addition, a Jum**-Knowled…
▽ More
This paper presents a new Android malware detection method based on Graph Neural Networks (GNNs) with Jum**-Knowledge (JK). Android function call graphs (FCGs) consist of a set of program functions and their inter-procedural calls. Thus, this paper proposes a GNN-based method for Android malware detection by capturing meaningful intra-procedural call path patterns. In addition, a Jum**-Knowledge technique is applied to minimize the effect of the over-smoothing problem, which is common in GNNs. The proposed method has been extensively evaluated using two benchmark datasets. The results demonstrate the superiority of our approach compared to state-of-the-art approaches in terms of key classification metrics, which demonstrates the potential of GNNs in Android malware detection and classification.
△ Less
Submitted 13 June, 2022; v1 submitted 19 January, 2022;
originally announced January 2022.
-
A Cyber Threat Intelligence Sharing Scheme based on Federated Learning for Network Intrusion Detection
Authors:
Mohanad Sarhan,
Siamak Layeghy,
Nour Moustafa,
Marius Portmann
Abstract:
The uses of Machine Learning (ML) in detection of network attacks have been effective when designed and evaluated in a single organisation. However, it has been very challenging to design an ML-based detection system by utilising heterogeneous network data samples originating from several sources. This is mainly due to privacy concerns and the lack of a universal format of datasets. In this paper,…
▽ More
The uses of Machine Learning (ML) in detection of network attacks have been effective when designed and evaluated in a single organisation. However, it has been very challenging to design an ML-based detection system by utilising heterogeneous network data samples originating from several sources. This is mainly due to privacy concerns and the lack of a universal format of datasets. In this paper, we propose a collaborative federated learning scheme to address these issues. The proposed framework allows multiple organisations to join forces in the design, training, and evaluation of a robust ML-based network intrusion detection system. The threat intelligence scheme utilises two critical aspects for its application; the availability of network data traffic in a common format to allow for the extraction of meaningful patterns across data sources. Secondly, the adoption of a federated learning mechanism to avoid the necessity of sharing sensitive users' information between organisations. As a result, each organisation benefits from other organisations cyber threat intelligence while maintaining the privacy of its data internally. The model is trained locally and only the updated weights are shared with the remaining participants in the federated averaging process. The framework has been designed and evaluated in this paper by using two key datasets in a NetFlow format known as NF-UNSW-NB15-v2 and NF-BoT-IoT-v2. Two other common scenarios are considered in the evaluation process; a centralised training method where the local data samples are shared with other organisations and a localised training method where no threat intelligence is shared. The results demonstrate the efficiency and effectiveness of the proposed framework by designing a universal ML model effectively classifying benign and intrusive traffic originating from multiple organisations without the need for local data exchange.
△ Less
Submitted 4 November, 2021;
originally announced November 2021.
-
FDGATII : Fast Dynamic Graph Attention with Initial Residual and Identity Map**
Authors:
Gayan K. Kulatilleke,
Marius Portmann,
Ryan Ko,
Shekhar S. Chandra
Abstract:
While Graph Neural Networks have gained popularity in multiple domains, graph-structured input remains a major challenge due to (a) over-smoothing, (b) noisy neighbours (heterophily), and (c) the suspended animation problem. To address all these problems simultaneously, we propose a novel graph neural network FDGATII, inspired by attention mechanism's ability to focus on selective information supp…
▽ More
While Graph Neural Networks have gained popularity in multiple domains, graph-structured input remains a major challenge due to (a) over-smoothing, (b) noisy neighbours (heterophily), and (c) the suspended animation problem. To address all these problems simultaneously, we propose a novel graph neural network FDGATII, inspired by attention mechanism's ability to focus on selective information supplemented with two feature preserving mechanisms. FDGATII combines Initial Residuals and Identity Map** with the more expressive dynamic self-attention to handle noise prevalent from the neighbourhoods in heterophilic data sets. By using sparse dynamic attention, FDGATII is inherently parallelizable in design, whist efficient in operation; thus theoretically able to scale to arbitrary graphs with ease. Our approach has been extensively evaluated on 7 datasets. We show that FDGATII outperforms GAT and GCN based benchmarks in accuracy and performance on fully supervised tasks, obtaining state-of-the-art results on Chameleon and Cornell datasets with zero domain-specific graph pre-processing, and demonstrate its versatility and fairness.
△ Less
Submitted 25 October, 2021; v1 submitted 21 October, 2021;
originally announced October 2021.
-
Exploring Deep Neural Networks on Edge TPU
Authors:
Seyedehfaezeh Hosseininoorbin,
Siamak Layeghy,
Brano Kusy,
Raja Jurdak,
Marius Portmann
Abstract:
This paper explores the performance of Google's Edge TPU on feed forward neural networks. We consider Edge TPU as a hardware platform and explore different architectures of deep neural network classifiers, which traditionally has been a challenge to run on resource constrained edge devices. Based on the use of a joint-time-frequency data representation, also known as spectrogram, we explore the tr…
▽ More
This paper explores the performance of Google's Edge TPU on feed forward neural networks. We consider Edge TPU as a hardware platform and explore different architectures of deep neural network classifiers, which traditionally has been a challenge to run on resource constrained edge devices. Based on the use of a joint-time-frequency data representation, also known as spectrogram, we explore the trade-off between classification performance and the energy consumed for inference. The energy efficiency of Edge TPU is compared with that of widely-used embedded CPU ARM Cortex-A53. Our results quantify the impact of neural network architectural specifications on the Edge TPU's performance, guiding decisions on the TPU's optimal operating point, where it can provide high classification accuracy with minimal energy consumption. Also, our evaluations highlight the crossover in performance between the Edge TPU and Cortex-A53, depending on the neural network specifications. Based on our analysis, we provide a decision chart to guide decisions on platform selection based on the model parameters and context.
△ Less
Submitted 20 October, 2021; v1 submitted 17 October, 2021;
originally announced October 2021.
-
From Zero-Shot Machine Learning to Zero-Day Attack Detection
Authors:
Mohanad Sarhan,
Siamak Layeghy,
Marcus Gallagher,
Marius Portmann
Abstract:
The standard ML methodology assumes that the test samples are derived from a set of pre-observed classes used in the training phase. Where the model extracts and learns useful patterns to detect new data samples belonging to the same data classes. However, in certain applications such as Network Intrusion Detection Systems, it is challenging to obtain data samples for all attack classes that the m…
▽ More
The standard ML methodology assumes that the test samples are derived from a set of pre-observed classes used in the training phase. Where the model extracts and learns useful patterns to detect new data samples belonging to the same data classes. However, in certain applications such as Network Intrusion Detection Systems, it is challenging to obtain data samples for all attack classes that the model will most likely observe in production. ML-based NIDSs face new attack traffic known as zero-day attacks, that are not used in the training of the learning models due to their non-existence at the time. In this paper, a zero-shot learning methodology has been proposed to evaluate the ML model performance in the detection of zero-day attack scenarios. In the attribute learning stage, the ML models map the network data features to distinguish semantic attributes from known attack (seen) classes. In the inference stage, the models are evaluated in the detection of zero-day attack (unseen) classes by constructing the relationships between known attacks and zero-day attacks. A new metric is defined as Zero-day Detection Rate, which measures the effectiveness of the learning model in the inference stage. The results demonstrate that while the majority of the attack classes do not represent significant risks to organisations adopting an ML-based NIDS in a zero-day attack scenario. However, for certain attack groups identified in this paper, such systems are not effective in applying the learnt attributes of attack behaviour to detect them as malicious. Further Analysis was conducted using the Wasserstein Distance technique to measure how different such attacks are from other attack types used in the training of the ML model. The results demonstrate that sophisticated attacks with a low zero-day detection rate have a significantly distinct feature distribution compared to the other attack classes.
△ Less
Submitted 30 September, 2021;
originally announced September 2021.
-
Feature Analysis for Machine Learning-based IoT Intrusion Detection
Authors:
Mohanad Sarhan,
Siamak Layeghy,
Marius Portmann
Abstract:
Internet of Things (IoT) networks have become an increasingly attractive target of cyberattacks. Powerful Machine Learning (ML) models have recently been adopted to implement network intrusion detection systems to protect IoT networks. For the successful training of such ML models, selecting the right data features is crucial, maximising the detection accuracy and computational efficiency. This pa…
▽ More
Internet of Things (IoT) networks have become an increasingly attractive target of cyberattacks. Powerful Machine Learning (ML) models have recently been adopted to implement network intrusion detection systems to protect IoT networks. For the successful training of such ML models, selecting the right data features is crucial, maximising the detection accuracy and computational efficiency. This paper comprehensively analyses feature sets' importance and predictive power for detecting network attacks. Three feature selection algorithms: chi-square, information gain and correlation, have been utilised to identify and rank data features. The attributes are fed into two ML classifiers: deep feed-forward and random forest, to measure their attack detection performance. The experimental evaluation considered three datasets: UNSW-NB15, CSE-CIC-IDS2018, and ToN-IoT in their proprietary flow format. In addition, the respective variants in NetFlow format were also considered, i.e., NF-UNSW-NB15, NF-CSE-CIC-IDS2018, and NF-ToN-IoT. The experimental evaluation explored the marginal benefit of adding individual features. Our results show that the accuracy initially increases rapidly with adding features but converges quickly to the maximum. This demonstrates a significant potential to reduce the computational and storage cost of intrusion detection systems while maintaining near-optimal detection accuracy. This has particular relevance in IoT systems, with typically limited computational and storage resources.
△ Less
Submitted 23 November, 2022; v1 submitted 28 August, 2021;
originally announced August 2021.
-
Feature Extraction for Machine Learning-based Intrusion Detection in IoT Networks
Authors:
Mohanad Sarhan,
Siamak Layeghy,
Nour Moustafa,
Marcus Gallagher,
Marius Portmann
Abstract:
A large number of network security breaches in IoT networks have demonstrated the unreliability of current Network Intrusion Detection Systems (NIDSs). Consequently, network interruptions and loss of sensitive data have occurred, which led to an active research area for improving NIDS technologies. In an analysis of related works, it was observed that most researchers aim to obtain better classifi…
▽ More
A large number of network security breaches in IoT networks have demonstrated the unreliability of current Network Intrusion Detection Systems (NIDSs). Consequently, network interruptions and loss of sensitive data have occurred, which led to an active research area for improving NIDS technologies. In an analysis of related works, it was observed that most researchers aim to obtain better classification results by using a set of untried combinations of Feature Reduction (FR) and Machine Learning (ML) techniques on NIDS datasets. However, these datasets are different in feature sets, attack types, and network design. Therefore, this paper aims to discover whether these techniques can be generalised across various datasets. Six ML models are utilised: a Deep Feed Forward (DFF), Convolutional Neural Network (CNN), Recurrent Neural Network (RNN), Decision Tree (DT), Logistic Regression (LR), and Naive Bayes (NB). The accuracy of three Feature Extraction (FE) algorithms; Principal Component Analysis (PCA), Auto-encoder (AE), and Linear Discriminant Analysis (LDA), are evaluated using three benchmark datasets: UNSW-NB15, ToN-IoT and CSE-CIC-IDS2018. Although PCA and AE algorithms have been widely used, the determination of their optimal number of extracted dimensions has been overlooked. The results indicate that no clear FE method or ML model can achieve the best scores for all datasets. The optimal number of extracted dimensions has been identified for each dataset, and LDA degrades the performance of the ML models on two datasets. The variance is used to analyse the extracted dimensions of LDA and PCA. Finally, this paper concludes that the choice of datasets significantly alters the performance of the applied techniques. We believe that a universal (benchmark) feature set is needed to facilitate further advancement and progress of research in this field.
△ Less
Submitted 5 December, 2022; v1 submitted 28 August, 2021;
originally announced August 2021.
-
Benchmarking the Benchmark -- Analysis of Synthetic NIDS Datasets
Authors:
Siamak Layeghy,
Marcus Gallagher,
Marius Portmann
Abstract:
Network Intrusion Detection Systems (NIDSs) are an increasingly important tool for the prevention and mitigation of cyber attacks. A number of labelled synthetic datasets generated have been generated and made publicly available by researchers, and they have become the benchmarks via which new ML-based NIDS classifiers are being evaluated. Recently published results show excellent classification p…
▽ More
Network Intrusion Detection Systems (NIDSs) are an increasingly important tool for the prevention and mitigation of cyber attacks. A number of labelled synthetic datasets generated have been generated and made publicly available by researchers, and they have become the benchmarks via which new ML-based NIDS classifiers are being evaluated. Recently published results show excellent classification performance with these datasets, increasingly approaching 100 percent performance across key evaluation metrics such as accuracy, F1 score, etc. Unfortunately, we have not yet seen these excellent academic research results translated into practical NIDS systems with such near-perfect performance. This motivated our research presented in this paper, where we analyse the statistical properties of the benign traffic in three of the more recent and relevant NIDS datasets, (CIC, UNSW, ...). As a comparison, we consider two datasets obtained from real-world production networks, one from a university network and one from a medium size Internet Service Provider (ISP). Our results show that the two real-world datasets are quite similar among themselves in regards to most of the considered statistical features. Equally, the three synthetic datasets are also relatively similar within their group. However, and most importantly, our results show a distinct difference of most of the considered statistical features between the three synthetic datasets and the two real-world datasets. Since ML relies on the basic assumption of training and test datasets being sampled from the same distribution, this raises the question of how well the performance results of ML-classifiers trained on the considered synthetic datasets can translate and generalise to real-world networks. We believe this is an interesting and relevant question which provides motivation for further research in this space.
△ Less
Submitted 18 April, 2021;
originally announced April 2021.
-
Evaluating Standard Feature Sets Towards Increased Generalisability and Explainability of ML-based Network Intrusion Detection
Authors:
Mohanad Sarhan,
Siamak Layeghy,
Marius Portmann
Abstract:
Machine Learning (ML)-based network intrusion detection systems bring many benefits for enhancing the cybersecurity posture of an organisation. Many systems have been designed and developed in the research community, often achieving a close to perfect detection rate when evaluated using synthetic datasets. However, the high number of academic research has not often translated into practical deploy…
▽ More
Machine Learning (ML)-based network intrusion detection systems bring many benefits for enhancing the cybersecurity posture of an organisation. Many systems have been designed and developed in the research community, often achieving a close to perfect detection rate when evaluated using synthetic datasets. However, the high number of academic research has not often translated into practical deployments. There are several causes contributing towards the wide gap between research and production, such as the limited ability of comprehensive evaluation of ML models and lack of understanding of internal ML operations. This paper tightens the gap by evaluating the generalisability of a common feature set to different network environments and attack scenarios. Therefore, two feature sets (NetFlow and CICFlowMeter) have been evaluated in terms of detection accuracy across three key datasets, i.e., CSE-CIC-IDS2018, BoT-IoT, and ToN-IoT. The results show the superiority of the NetFlow feature set in enhancing the ML models detection accuracy of various network attacks. In addition, due to the complexity of the learning models, SHapley Additive exPlanations (SHAP), an explainable AI methodology, has been adopted to explain and interpret the classification decisions of ML models. The Shapley values of two common feature sets have been analysed across multiple datasets to determine the influence contributed by each feature towards the final ML prediction.
△ Less
Submitted 28 August, 2021; v1 submitted 14 April, 2021;
originally announced April 2021.
-
E-GraphSAGE: A Graph Neural Network based Intrusion Detection System for IoT
Authors:
Wai Weng Lo,
Siamak Layeghy,
Mohanad Sarhan,
Marcus Gallagher,
Marius Portmann
Abstract:
This paper presents a new Network Intrusion Detection System (NIDS) based on Graph Neural Networks (GNNs). GNNs are a relatively new sub-field of deep neural networks, which can leverage the inherent structure of graph-based data. Training and evaluation data for NIDSs are typically represented as flow records, which can naturally be represented in a graph format. In this paper, we propose E-Graph…
▽ More
This paper presents a new Network Intrusion Detection System (NIDS) based on Graph Neural Networks (GNNs). GNNs are a relatively new sub-field of deep neural networks, which can leverage the inherent structure of graph-based data. Training and evaluation data for NIDSs are typically represented as flow records, which can naturally be represented in a graph format. In this paper, we propose E-GraphSAGE, a GNN approach that allows capturing both the edge features of a graph as well as the topological information for network intrusion detection in IoT networks. To the best of our knowledge, our proposal is the first successful, practical, and extensively evaluated approach of applying GNNs on the problem of network intrusion detection for IoT using flow-based data. Our extensive experimental evaluation on four recent NIDS benchmark datasets shows that our approach outperforms the state-of-the-art in terms of key classification metrics, which demonstrates the potential of GNNs in network intrusion detection, and provides motivation for further research.
△ Less
Submitted 10 January, 2022; v1 submitted 30 March, 2021;
originally announced March 2021.
-
Exploring Edge TPU for Network Intrusion Detection in IoT
Authors:
Seyedehfaezeh Hosseininoorbin,
Siamak Layeghy,
Mohanad Sarhan,
Raja Jurdak,
Marius Portmann
Abstract:
This paper explores Google's Edge TPU for implementing a practical network intrusion detection system (NIDS) at the edge of IoT, based on a deep learning approach. While there are a significant number of related works that explore machine learning based NIDS for the IoT edge, they generally do not consider the issue of the required computational and energy resources. The focus of this paper is the…
▽ More
This paper explores Google's Edge TPU for implementing a practical network intrusion detection system (NIDS) at the edge of IoT, based on a deep learning approach. While there are a significant number of related works that explore machine learning based NIDS for the IoT edge, they generally do not consider the issue of the required computational and energy resources. The focus of this paper is the exploration of deep learning-based NIDS at the edge of IoT, and in particular the computational and energy efficiency. In particular, the paper studies Google's Edge TPU as a hardware platform, and considers the following three key metrics: computation (inference) time, energy efficiency and the traffic classification performance. Various scaled model sizes of two major deep neural network architectures are used to investigate these three metrics. The performance of the Edge TPU-based implementation is compared with that of an energy efficient embedded CPU (ARM Cortex A53). Our experimental evaluation shows some unexpected results, such as the fact that the CPU significantly outperforms the Edge TPU for small model sizes.
△ Less
Submitted 30 March, 2021;
originally announced March 2021.
-
Towards a Standard Feature Set for Network Intrusion Detection System Datasets
Authors:
Mohanad Sarhan,
Siamak Layeghy,
Marius Portmann
Abstract:
Network Intrusion Detection Systems (NIDSs) are important tools for the protection of computer networks against increasingly frequent and sophisticated cyber attacks. Recently, a lot of research effort has been dedicated to the development of Machine Learning (ML) based NIDSs. As in any ML-based application, the availability of high-quality datasets is critical for the training and evaluation of M…
▽ More
Network Intrusion Detection Systems (NIDSs) are important tools for the protection of computer networks against increasingly frequent and sophisticated cyber attacks. Recently, a lot of research effort has been dedicated to the development of Machine Learning (ML) based NIDSs. As in any ML-based application, the availability of high-quality datasets is critical for the training and evaluation of ML-based NIDS. One of the key problems with the currently available datasets is the lack of a standard feature set. The use of a unique and proprietary set of features for each of the publicly available datasets makes it virtually impossible to compare the performance of ML-based traffic classifiers on different datasets, and hence to evaluate the ability of these systems to generalise across different network scenarios. To address that limitation, this paper proposes and evaluates standard NIDS feature sets based on the NetFlow network meta-data collection protocol and system. We evaluate and compare two NetFlow-based feature set variants, a version with 12 features, and another one with 43 features.
△ Less
Submitted 14 May, 2021; v1 submitted 27 January, 2021;
originally announced January 2021.
-
Network Traffic Control for Multi-homed End-hosts via SDN
Authors:
Anees Al-Najjar,
Furqan Hameed Khan,
Marius Portmann
Abstract:
Software Defined Networking (SDN) is an emerging technology of efficiently controlling and managing computer networks, such as in data centres, Wide Area Networks (WANs), as well as in ubiquitous communication. In this paper, we explore the idea of embedding the SDN components, represented by SDN controller and virtual switch, in end-hosts to improve network performance. In particular, we consider…
▽ More
Software Defined Networking (SDN) is an emerging technology of efficiently controlling and managing computer networks, such as in data centres, Wide Area Networks (WANs), as well as in ubiquitous communication. In this paper, we explore the idea of embedding the SDN components, represented by SDN controller and virtual switch, in end-hosts to improve network performance. In particular, we consider load balancing across multiple network interfaces on end-hosts with different link capacity scenarios. We have explored and implemented different SDN-based load balancing approaches based on OpenFlow software switches, and have demonstrated the feasibility and the potential of this approach. The proposed system has been evaluated with multipath transmission control protocol (MPTCP). Our results demonstrated the potential of applying the SDN concepts on multi-homed devices resulting in an increase in achieved throughput of 55\% compared to the legacy single network approach and 10\% compared to the MPTCP.
△ Less
Submitted 13 December, 2020;
originally announced December 2020.
-
NetFlow Datasets for Machine Learning-based Network Intrusion Detection Systems
Authors:
Mohanad Sarhan,
Siamak Layeghy,
Nour Moustafa,
Marius Portmann
Abstract:
Machine Learning (ML)-based Network Intrusion Detection Systems (NIDSs) have proven to become a reliable intelligence tool to protect networks against cyberattacks. Network data features has a great impact on the performances of ML-based NIDSs. However, evaluating ML models often are not reliable, as each ML-enabled NIDS is trained and validated using different data features that may do not contai…
▽ More
Machine Learning (ML)-based Network Intrusion Detection Systems (NIDSs) have proven to become a reliable intelligence tool to protect networks against cyberattacks. Network data features has a great impact on the performances of ML-based NIDSs. However, evaluating ML models often are not reliable, as each ML-enabled NIDS is trained and validated using different data features that may do not contain security events. Therefore, a common ground feature set from multiple datasets is required to evaluate an ML model's detection accuracy and its ability to generalise across datasets. This paper presents NetFlow features from four benchmark NIDS datasets known as UNSW-NB15, BoT-IoT, ToN-IoT, and CSE-CIC-IDS2018 using their publicly available packet capture files. In a real-world scenario, NetFlow features are relatively easier to extract from network traffic compared to the complex features used in the original datasets, as they are usually extracted from packet headers. The generated Netflow datasets have been labelled for solving binary- and multiclass-based learning challenges. Preliminary results indicate that NetFlow features lead to similar binary-class results and lower multi-class classification results amongst the four datasets compared to their respective original features datasets. The NetFlow datasets are named NF-UNSW-NB15, NF-BoT-IoT, NF-ToN-IoT, NF-CSE-CIC-IDS2018 and NF-UQ-NIDS are published at http://staff.itee.uq.edu.au/marius/NIDS_datasets/ for research purposes.
△ Less
Submitted 18 November, 2020;
originally announced November 2020.
-
Deep Learning-based Cattle Activity Classification Using Joint Time-frequency Data Representation
Authors:
Seyedeh Faezeh Hosseini Noorbin,
Siamak Layeghy,
Brano Kusy,
Raja Jurdak,
Greg Bishop-hurley,
Marius Portmann
Abstract:
Automated cattle activity classification allows herders to continuously monitor the health and well-being of livestock, resulting in increased quality and quantity of beef and dairy products. In this paper, a sequential deep neural network is used to develop a behavioural model and to classify cattle behaviour and activities. The key focus of this paper is the exploration of a joint time-frequency…
▽ More
Automated cattle activity classification allows herders to continuously monitor the health and well-being of livestock, resulting in increased quality and quantity of beef and dairy products. In this paper, a sequential deep neural network is used to develop a behavioural model and to classify cattle behaviour and activities. The key focus of this paper is the exploration of a joint time-frequency domain representation of the sensor data, which is provided as the input to the neural network classifier. Our exploration is based on a real-world data set with over 3 million samples, collected from sensors with a tri-axial accelerometer, magnetometer and gyroscope, attached to collar tags of 10 dairy cows and collected over a one month period. The key results of this paper is that the joint time-frequency data representation, even when used in conjunction with a relatively basic neural network classifier, can outperform the best cattle activity classifiers reported in the literature. With a more systematic exploration of neural network classifier architectures and hyper-parameters, there is potential for even further improvements. Finally, we demonstrate that the time-frequency domain data representation allows us to efficiently trade-off a large reduction of model size and computational complexity for a very minor reduction in classification accuracy. This shows the potential for our classification approach to run on resource-constrained embedded and IoT devices.
△ Less
Submitted 6 November, 2020;
originally announced November 2020.
-
Experimental Evaluation of LoRaWAN in NS-3
Authors:
Furqan Hameed Khan,
Marius Portmann
Abstract:
Long Range Wide Area Networks (LoRaWAN) is an open medium access control (MAC) layer technology devised for the long range connectivity of massive number of low power network devices. This work gives an overview of the key aspects of LoRaWAN technology and presents results that we achieved via extensive evaluation of Class A LoRaWAN devices in different network settings using the state-of-the-art…
▽ More
Long Range Wide Area Networks (LoRaWAN) is an open medium access control (MAC) layer technology devised for the long range connectivity of massive number of low power network devices. This work gives an overview of the key aspects of LoRaWAN technology and presents results that we achieved via extensive evaluation of Class A LoRaWAN devices in different network settings using the state-of-the-art network simulator (NS-3). At first, we focus on a single device and its mobility. We further undertook evaluations in an extended network scenario with a changing number of devices and traffic intensity. In particular, we evaluate the packet delivery ratio (PDR), uplink (UL) throughput, and sub-band utilization for the confirmed and unconfirmed UL transmissions in different environments. Our results give new insights for future efforts to optimize the LoRaWAN performance for different large scale Internet of Things (IoT) applications with low power end devices.
△ Less
Submitted 20 September, 2020;
originally announced September 2020.
-
A Model for Reliable Uplink Transmissions in LoRaWAN
Authors:
Furqan Hameed Khan,
Raja Jurdak,
Marius Portmann
Abstract:
Long range wide area networks (LoRaWAN) technology provides a simple solution to enable low-cost services for low power internet-of-things (IoT) networks in various applications. The current evaluation of LoRaWAN networks relies on simulations or early testing, which are typically time consuming and prevent effective exploration of the design space. This paper proposes an analytical model to calcu…
▽ More
Long range wide area networks (LoRaWAN) technology provides a simple solution to enable low-cost services for low power internet-of-things (IoT) networks in various applications. The current evaluation of LoRaWAN networks relies on simulations or early testing, which are typically time consuming and prevent effective exploration of the design space. This paper proposes an analytical model to calculate the delay and energy consumed for reliable Uplink (UL) data delivery in Class A LoRaWAN. The analytical model is evaluated using a real network test-bed as well as simulation experiments based on the ns-3 LoRaWAN module. The resulting comparison confirms that the model accurately estimates the delay and energy consumed in the considered environment. The value of the model is demonstrated via its application to evaluate the impact of the number of end-devices and the maximum number of data frame retransmissions on delay and energy consumed for the confirmed UL data delivery in LoRaWAN networks. The model can be used to optimize different transmission parameters in future LoRaWAN networks.
△ Less
Submitted 20 September, 2020;
originally announced September 2020.
-
Joint QoS-control and Handover Optimization in Backhaul aware SDN-based LTE Networks
Authors:
Furqan Hameed Khan,
Marius Portmann
Abstract:
Future cellular networks will be dense and require key traffic management technologies for fine-grained network control. The problem gets more complicated in the presence of different network segments with bottleneck links limiting the desired quality of service (QoS) delivery to the last mile user. In this work, we first design a framework for software-defined cellular networks (SDCN) and then pr…
▽ More
Future cellular networks will be dense and require key traffic management technologies for fine-grained network control. The problem gets more complicated in the presence of different network segments with bottleneck links limiting the desired quality of service (QoS) delivery to the last mile user. In this work, we first design a framework for software-defined cellular networks (SDCN) and then propose new mechanisms for management of QoS and non-QoS users traffic considering both access and backhaul networks, jointly. The overall SDN-LTE system and related approaches are developed and tested using network simulator (ns-3) in different network environments. Especially, when the users are non-uniformly distributed, the results shows that compared to other approaches, the proposed load distribution algorithm enables at least 6\% and 23\% increase in the average QoS user downlink (DL) throughput for all network users and 40\%-ile edge users, respectively. Also, the proposed system efficiently achieves desired QoS and handles the network congestion without incurring significant overhead.
△ Less
Submitted 7 June, 2019;
originally announced June 2019.
-
MAC-Layer Rate Control for 802.11 Networks: Lesson Learned and Looking Forward
Authors:
Wei Yin,
Peizhao Hu,
Jadwiga Indulska,
Marius Portmann,
Ying Mao
Abstract:
Rate control at the MAC-layer is one of the fundamental building blocks in many wireless networks. Over the past two decades around thirty mechanisms have been proposed in the literature. Among them, there are mechanisms that make rate selection decisions based on sophisticated measurements of wireless link quality, and others that are based on straight-forward heuristics. Minstrel, for example, i…
▽ More
Rate control at the MAC-layer is one of the fundamental building blocks in many wireless networks. Over the past two decades around thirty mechanisms have been proposed in the literature. Among them, there are mechanisms that make rate selection decisions based on sophisticated measurements of wireless link quality, and others that are based on straight-forward heuristics. Minstrel, for example, is an elegant mechanism that has been adopted by hundreds of millions of computers, yet, not much was known about its performance until recently. The purpose of this paper is to provide a comprehensive survey and analysis of existing solutions from the two fundamental aspects of rate control - metrics and algorithms. We also review how these solutions were evaluated and compared against each other. Based on our detailed studies and observations, we share important insights on future development of rate control mechanisms at the MAC-layer. This discussion also takes into account the recent developments in wireless technologies and emerging applications, such as Internet-of-Things, and shows issues that need to be addressed in the design of new rate control mechanisms suitable for these technologies and applications.
△ Less
Submitted 8 July, 2018;
originally announced July 2018.
-
SCOR: Software-defined Constrained Optimal Routing Platform for SDN
Authors:
Siamak Layeghy,
Farzaneh Pakzad,
Marius Portmann
Abstract:
A Software-defined Constrained Optimal Routing (SCOR) platform is introduced as a Northbound interface in SDN architecture. It is based on constraint programming techniques and is implemented in MiniZinc modelling language. Using constraint programming techniques in this Northbound interface has created an efficient tool for implementing complex Quality of Service routing applications in a few lin…
▽ More
A Software-defined Constrained Optimal Routing (SCOR) platform is introduced as a Northbound interface in SDN architecture. It is based on constraint programming techniques and is implemented in MiniZinc modelling language. Using constraint programming techniques in this Northbound interface has created an efficient tool for implementing complex Quality of Service routing applications in a few lines of code. The code includes only the problem statement and the solution is found by a general solver program. A routing framework is introduced based on SDN's architecture model which uses SCOR as its Northbound interface and an upper layer of applications implemented in SCOR. Performance of a few implemented routing applications are evaluated in different network topologies, network sizes and various number of concurrent flows.
△ Less
Submitted 12 July, 2016;
originally announced July 2016.
-
Sequence Numbers Do Not Guarantee Loop Freedom; AODV Can Yield Routing Loops
Authors:
Rob van Glabbeek,
Peter Höfner,
Wee Lum Tan,
Marius Portmann
Abstract:
In the area of mobile ad-hoc networks and wireless mesh networks, sequence numbers are often used in routing protocols to avoid routing loops. It is commonly stated in protocol specifications that sequence numbers are sufficient to guarantee loop freedom if they are monotonically increased over time. A classical example for the use of sequence numbers is the popular Ad hoc On-Demand Distance Vecto…
▽ More
In the area of mobile ad-hoc networks and wireless mesh networks, sequence numbers are often used in routing protocols to avoid routing loops. It is commonly stated in protocol specifications that sequence numbers are sufficient to guarantee loop freedom if they are monotonically increased over time. A classical example for the use of sequence numbers is the popular Ad hoc On-Demand Distance Vector (AODV) routing protocol. The loop freedom of AODV is not only a common belief, it has been claimed in the abstract of its RFC and at least two proofs have been proposed. AODV-based protocols such as AODVv2 (DYMO) and HWMP also claim loop freedom due to the same use of sequence numbers.
In this paper we show that AODV is not a priori loop free; by this we counter the proposed proofs in the literature. In fact, loop freedom hinges on non-evident assumptions to be made when resolving ambiguities occurring in the RFC. Thus, monotonically increasing sequence numbers, by themselves, do not guarantee loop freedom.
△ Less
Submitted 30 December, 2015;
originally announced December 2015.
-
A Rigorous Analysis of AODV and its Variants
Authors:
Peter Höfner,
Rob van Glabbeek,
Wee Lum Tan,
Marius Portmann,
Annabelle McIver,
Ansgar Fehnker
Abstract:
In this paper we present a rigorous analysis of the Ad hoc On-Demand Distance Vector (AODV) routing protocol using a formal specification in AWN (Algebra for Wireless Networks), a process algebra which has been specifically tailored for the modelling of Mobile Ad Hoc Networks and Wireless Mesh Network protocols. Our formalisation models the exact details of the core functionality of AODV, such as…
▽ More
In this paper we present a rigorous analysis of the Ad hoc On-Demand Distance Vector (AODV) routing protocol using a formal specification in AWN (Algebra for Wireless Networks), a process algebra which has been specifically tailored for the modelling of Mobile Ad Hoc Networks and Wireless Mesh Network protocols. Our formalisation models the exact details of the core functionality of AODV, such as route discovery, route maintenance and error handling. We demonstrate how AWN can be used to reason about critical protocol correctness properties by providing a detailed proof of loop freedom. In contrast to evaluations using simulation or other formal methods such as model checking, our proof is generic and holds for any possible network scenario in terms of network topology, node mobility, traffic pattern, etc. A key contribution of this paper is the demonstration of how the reasoning and proofs can relatively easily be adapted to protocol variants.
△ Less
Submitted 30 December, 2015;
originally announced December 2015.
-
Modelling and Verifying the AODV Routing Protocol
Authors:
Rob van Glabbeek,
Peter Höfner,
Marius Portmann,
Wee Lum Tan
Abstract:
This paper presents a formal specification of the Ad hoc On-Demand Distance Vector (AODV) routing protocol using AWN (Algebra for Wireless Networks), a recent process algebra which has been tailored for the modelling of Mobile Ad Hoc Networks and Wireless Mesh Network protocols. Our formalisation models the exact details of the core functionality of AODV, such as route discovery, route maintenance…
▽ More
This paper presents a formal specification of the Ad hoc On-Demand Distance Vector (AODV) routing protocol using AWN (Algebra for Wireless Networks), a recent process algebra which has been tailored for the modelling of Mobile Ad Hoc Networks and Wireless Mesh Network protocols. Our formalisation models the exact details of the core functionality of AODV, such as route discovery, route maintenance and error handling. We demonstrate how AWN can be used to reason about critical protocol properties by providing detailed proofs of loop freedom and route correctness.
△ Less
Submitted 30 December, 2015;
originally announced December 2015.
-
Automated Analysis of AODV using UPPAAL
Authors:
Ansgar Fehnker,
Rob van Glabbeek,
Peter Höfner,
Annabelle McIver,
Marius Portmann,
Wee Lum Tan
Abstract:
This paper describes an automated, formal and rigorous analysis of the Ad hoc On-Demand Distance Vector (AODV) routing protocol, a popular protocol used in wireless mesh networks.
We give a brief overview of a model of AODV implemented in the UPPAAL model checker. It is derived from a process-algebraic model which reflects precisely the intention of AODV and accurately captures the protocol spec…
▽ More
This paper describes an automated, formal and rigorous analysis of the Ad hoc On-Demand Distance Vector (AODV) routing protocol, a popular protocol used in wireless mesh networks.
We give a brief overview of a model of AODV implemented in the UPPAAL model checker. It is derived from a process-algebraic model which reflects precisely the intention of AODV and accurately captures the protocol specification. Furthermore, we describe experiments carried out to explore AODV's behaviour in all network topologies up to 5 nodes. We were able to automatically locate problematic and undesirable behaviours. This is in particular useful to discover protocol limitations and to develop improved variants. This use of model checking as a diagnostic tool complements other formal-methods-based protocol modelling and verification techniques, such as process algebra.
△ Less
Submitted 22 December, 2015;
originally announced December 2015.
-
A Process Algebra for Wireless Mesh Networks
Authors:
Ansgar Fehnker,
Rob van Glabbeek,
Peter Höfner,
Annabelle McIver,
Marius Portmann,
Wee Lum Tan
Abstract:
We propose a process algebra for wireless mesh networks that combines novel treatments of local broadcast, conditional unicast and data structures. In this framework, we model the Ad-hoc On-Demand Distance Vector (AODV) routing protocol and (dis)prove crucial properties such as loop freedom and packet delivery.
We propose a process algebra for wireless mesh networks that combines novel treatments of local broadcast, conditional unicast and data structures. In this framework, we model the Ad-hoc On-Demand Distance Vector (AODV) routing protocol and (dis)prove crucial properties such as loop freedom and packet delivery.
△ Less
Submitted 22 December, 2015;
originally announced December 2015.
-
Modelling and Analysis of AODV in UPPAAL
Authors:
Ansgar Fehnker,
Rob van Glabbeek,
Peter Höfner,
Annabelle McIver,
Marius Portmann,
Wee Lum Tan
Abstract:
This paper describes work in progress towards an automated formal and rigorous analysis of the Ad hoc On-Demand Distance Vector (AODV) routing protocol, a popular protocol used in ad hoc wireless networks. We give a brief overview of a model of AODV implemented in the UPPAAL model checker, and describe experiments carried out to explore AODV's behaviour in two network topologies. We were able to l…
▽ More
This paper describes work in progress towards an automated formal and rigorous analysis of the Ad hoc On-Demand Distance Vector (AODV) routing protocol, a popular protocol used in ad hoc wireless networks. We give a brief overview of a model of AODV implemented in the UPPAAL model checker, and describe experiments carried out to explore AODV's behaviour in two network topologies. We were able to locate automatically and confirm some known problematic and undesirable behaviours. We believe this use of model checking as a diagnostic tool complements other formal methods based protocol modelling and verification techniques, such as process algebras. Model checking is in particular useful for the discovery of protocol limitations and in the development of improved variations.
△ Less
Submitted 22 December, 2015;
originally announced December 2015.
-
A Process Algebra for Wireless Mesh Networks used for Modelling, Verifying and Analysing AODV
Authors:
Ansgar Fehnker,
Rob van Glabbeek,
Peter Höfner,
Annabelle McIver,
Marius Portmann,
Wee Lum Tan
Abstract:
We propose AWN (Algebra for Wireless Networks), a process algebra tailored to the modelling of Mobile Ad hoc Network (MANET) and Wireless Mesh Network (WMN) protocols. It combines novel treatments of local broadcast, conditional unicast and data structures.
In this framework we present a rigorous analysis of the Ad hoc On-Demand Distance Vector (AODV) protocol, a popular routing protocol designe…
▽ More
We propose AWN (Algebra for Wireless Networks), a process algebra tailored to the modelling of Mobile Ad hoc Network (MANET) and Wireless Mesh Network (WMN) protocols. It combines novel treatments of local broadcast, conditional unicast and data structures.
In this framework we present a rigorous analysis of the Ad hoc On-Demand Distance Vector (AODV) protocol, a popular routing protocol designed for MANETs and WMNs, and one of the four protocols currently standardised by the IETF MANET working group.
We give a complete and unambiguous specification of this protocol, thereby formalising the RFC of AODV, the de facto standard specification, given in English prose. In doing so, we had to make non-evident assumptions to resolve ambiguities occurring in that specification. Our formalisation models the exact details of the core functionality of AODV, such as route maintenance and error handling, and only omits timing aspects.
The process algebra allows us to formalise and (dis)prove crucial properties of mesh network routing protocols such as loop freedom and packet delivery. We are the first to provide a detailed proof of loop freedom of AODV. In contrast to evaluations using simulation or model checking, our proof is generic and holds for any possible network scenario in terms of network topology, node mobility, etc. Due to ambiguities and contradictions the RFC specification allows several interpretations; we show for more than 5000 of them whether they are loop free or not, thereby demonstrating how the reasoning and proofs can relatively easily be adapted to protocol variants.
Using our formal and unambiguous specification, we find shortcomings of AODV that affect performance, e.g. the establishment of non-optimal routes, and some routes not being found at all. We formalise improvements in the same process algebra; carrying over the proofs is again easy.
△ Less
Submitted 30 December, 2013;
originally announced December 2013.
-
Minimizing makespan in flowshop with time lags
Authors:
Julien Fondrevelle,
Ammar Oulamara,
Marie-Claude Portmann
Abstract:
We consider the problem of minimizing the makespan in a flowshop involving maximal and minimal time lags. Time lag constraints generalize the classical precedence constraints between operations. We assume that such constraints are only defined between operations of the same job. We propose a solution method and present several extensions.
We consider the problem of minimizing the makespan in a flowshop involving maximal and minimal time lags. Time lag constraints generalize the classical precedence constraints between operations. We assume that such constraints are only defined between operations of the same job. We propose a solution method and present several extensions.
△ Less
Submitted 6 July, 2005;
originally announced July 2005.