DML-IDS: Distributed Multi-Layer Intrusion Detection System for Securing Healthcare Infrastructure
In recent years, the number of cyberattacks targeting healthcare resources has rapidly increased. Conventional IDSs rely heavily on predefined rules and attack signatures. However, modern zero-day attacks with unpredictable behavior and multi-vector attack patterns can still breach healthcare networks. When a new type of cyberattack targets a specific server, an existing IDS may fail to detect it because it depends on static, predefined rules. To address these issues, we propose DML-IDS: Distributed Multi-Layer Intrusion Detection System, designed to operate across multiple nodes in a network to collaboratively detect suspicious activities. The proposed approach employs a multi-layer ensemble strategy to improve detection accuracy while reducing computational overhead on a single machine. All incoming network packets are first analyzed by the Distributed Threat Analysis Module (DTAM), which runs a Random Forest-based model as the base classifier to distinguish between benign and malicious traffic. Based on the nature and severity of the threat, malicious packets are flagged as highAlert (HA) in the Threat Prioritization Layer (TPL) and then forwarded to the respective Confirmatory Ensemble Model (CEM) for further, attack-specific analysis. These CEM models are designed to scale efficiently and detect zero-day as well as multi-vector attacks. The proposed model was trained on the CICIDS-2017 dataset. DTAM achieved an accuracy of 98.5%, while the CEM models for DDoS, Patator, and Web Attack achieved 99.01%, 98.87%, and 98.91% accuracy, respectively. Furthermore, the computational overhead of the DML-IDS architecture was evaluated and compared with an existing ensemble learning-based IDS.
- Research Article
- 10.24108/1217.0001344
- Jan 4, 2018
- Mechanical Engineering and Computer Science
In connection with the rapidly growing information capacity of computer networks, the information security of local networks connected to global networks becomes a critical challenge. One aspect of information security is to control and filter network traffic by intercepting incoming and outgoing network packets. This is accomplished by firewalls. The Linux kernel 2.4.x included the Netfilter firewall and the iptables utility, which allow us to analyse only packet headers and their association with specific network connections. In addition, the practice of rewriting Linux kernel code complicates the maintenance of software targeting this firewall. The article proposes a network packet interception method based directly on the structures and functions of the kernel, so it has no restrictions associated with the inherent Netfilter/iptables functionality. To provide interception, the method uses the kernel's struct net_device structure, which describes a network device, the struct net_device_ops structure, which lists the operations possible on the network device, and two functions, ndo_start_xmit and rx_handler, used to process outgoing and incoming packets, respectively. These functions are rewritten in order to include new functionality in the kernel to meet users’ requests. The use of the kernel's structures and functions provides the desired stability, versatility, and adaptability of the developed software to users’ requests, such as content analysis of data transmitted in packets and their encryption and decryption. The proposed method can be used to create next-generation firewalls implementing deep packet inspection technology, as well as a complement to existing firewalls.
- Research Article
- 10.1109/access.2020.3028690
- Jan 1, 2020
- IEEE Access
Cloud computing has very attractive features such as elastic, on-demand and fully managed computer system resources and services. However, due to its distributed and dynamic nature as well as vulnerabilities in virtualization implementation, the cloud environment is prone to various cyber-attacks and security issues related to the cloud model. Some of them are the inability to access data coming to and from the cloud service, theft and misuse of hosted data, no control over sensitive data access, and advanced threats like malware injection attacks, wrapping attacks, virtual machine escape, distributed denial of service (DDoS) attacks, etc. DDoS is one of the most notorious attacks. Despite a number of available potential solutions for the detection of DDoS attacks, the increasing frequency and potency of recent attacks and the constantly evolving attack vectors necessitate the development of improved detection approaches. This article proposes a novel architecture that combines a well-posed stacked sparse AutoEncoder (AE) for feature learning with a Deep Neural Network (DNN) for classification of network traffic into benign traffic and DDoS attack traffic. AE and DNN are optimized for detection of DDoS attacks by tuning the parameters using appropriately designed techniques. The improvements suggested in this article lead to low reconstruction error, prevent exploding and vanishing gradients, and lead to a smaller network which avoids overfitting. A comparative analysis of the proposed approach with ten state-of-the-art approaches using the performance metrics detection accuracy, precision, recall and F1-Score has been conducted. Experiments have been performed on the CICIDS2017 and NSL-KDD standard datasets for validation. The proposed approach outperforms existing approaches on the NSL-KDD dataset and yields competitive results on the CICIDS2017 dataset.
- Research Article
- 10.3390/jcp2030032
- Aug 15, 2022
- Journal of Cybersecurity and Privacy
Optimizing the monitoring of network traffic features to detect abnormal traffic is critical. We propose a two-stage monitoring and classification (MOCA) system requiring fewer features to detect and classify malicious network attacks. The first stage monitors abnormal traffic, and the anomalous traffic is forwarded for processing in the second stage. A small subset of features trains both classifiers. We demonstrate MOCA’s effectiveness in identifying attacks in the CICIDS2017 dataset with an accuracy of 99.84% and in the CICDDOS2019 dataset with an accuracy of 93%, which significantly outperforms previous methods. We also found that MOCA can use a pre-trained classifier with one feature to distinguish DDoS and Botnet attacks from normal traffic in four different datasets. Our measurements show that MOCA can distinguish DDoS attacks from normal traffic in the CICDDOS2019 dataset with an accuracy of 96% and DDoS attacks in non-IoT and IoT traffic with an accuracy of 99.94%. The results emphasize the importance of using connection features to discriminate new DDoS and Bot attacks from benign traffic, especially with insufficient training samples.
- Research Article
- 10.15514/ispras-2016-28(1)-6
- Jan 1, 2016
- Proceedings of the Institute for System Programming of the RAS
In this article we consider the problem of maximizing the capacity of the network stack in the interaction of the hardware and software core to ensure the stability of the physical server. Algorithms and program code are proposed to optimize the CPU load capacity by core parallelization. The paper also considers statistics on the increased power of distributed attacks affecting network infrastructure. It proved the impact of any application with access to the external global network on the production physical server, presented in the form of physical resources. With the help of the developed and implemented algorithm (in the «BASH» language), the load is distributed across the physical server cores, further reducing the load on the processing power of the CPU. Flowcharts, as well as the final test results of each stage of development, are showcased and discussed. The network optimization mode «AF_PACKET» was implemented, which made it possible to accept external network packets without any locks, which in turn increases the efficiency of achieving the set goals (upon request from the server to the client). This gives the physical server software the possibility of taking up to ten million incoming network packets, which allows stable processing of information for smooth operation under «SYN-flood» DDoS attacks that overload the server with multimillion-packet floods. A similar number of incoming network packets can fill the external network channel, with a consequent increase in the load on the network TCP/IP stack that covers the remote control area of the physical server as soon as possible, and also adversely affects the performance of the working environment.
- Conference Article
- 10.1117/12.2641266
- Aug 4, 2022
In the current big data environment, aiming at the problems that traditional machine learning methods need manual intervention and are time-consuming when detecting DDoS attacks, a DDoS attack detection method based on a double-stacked long short-term memory network is presented. The preprocessed data stream is sorted by a recursive feature elimination algorithm, and the features with the most DDoS attack characteristics are selected as high-quality features, forming the double-stacked long short-term memory network data input format. The Center Loss is introduced into the Softmax Loss to reduce the intraclass distance and further improve the classification accuracy. Finally, the information containing DDoS attack characteristics can be quickly extracted from the complex characteristics of traffic. The CIC-IDS2017 dataset is used to train the model. Experimental research shows that the proposed model has an accuracy rate of 99.48% compared with other neural network models, and the detection effect is better than the compared algorithms, which can effectively achieve DDoS attack detection.
- Conference Article
- 10.1109/chinacom.2007.4498433
- Aug 1, 2007
A novel packet marking scheme is proposed to defend against network or bandwidth DDoS attacks, especially where malicious packets do not target the victim directly. A recent study shows that packet-level symmetry exists in legitimate Internet traffic while malicious flooding traffic often exhibits packet asymmetry. Our scheme utilizes the packet asymmetry to differentiate malicious and legitimate traffic. When a packet to a destination host is transmitted from a router, a packet asymmetry score, the ratio of transmitted to received packets of the destination host over the last interval, is calculated and recorded into the packet's header additively. Malicious packets should carry higher scores because of the absence of reverse packets. When packets with packet asymmetry scores arrive at a downstream router, where some packets are dropped because of congestion, the router should drop packets with higher scores preferentially. Simulation results show the scheme is effective to defend against DDoS attacks targeting network resources.
- Research Article
- 10.18517/ijaseit.11.4.14608
- Aug 30, 2021
- International Journal on Advanced Science, Engineering and Information Technology
A firewall system is a security system to ensure traffic control for incoming and outgoing packets passing through communication networks by applying specific decisions to improve cyber-defense and decide against malicious packets. The filtration process matches the traffic packets against predefined rules to preclude cyber threats from getting into the network. Accordingly, the firewall system proceeds to either “allow,” “deny,” or “drop/reset” the incoming packet. This paper proposes an intelligent classification model that can be employed in firewall systems to produce the proper action for every communicated packet by analyzing packet attributes using two machine learning methods, namely, a shallow neural network (SNN) and an optimizable decision tree (ODT). Specifically, the proposed models have been used to train on and classify the Internet Firewall-2019 dataset into three classes: “allow,” “deny,” and “drop/reset.” The experimental results exhibited our classification model's superiority, scoring an overall accuracy of 99.8% and 98.5% for ODT and SNN respectively. Besides, the suggested system was evaluated using many evaluation metrics, including confusion matrix parameters (TP, TN, FP, FN), true positive rate (TPR), false-negative rate (FNR), positive predictive value (PPV), false discovery rate (FDR), and the receiver operating characteristic (ROC) curves for the developed three-class classifier. Ultimately, the proposed system outpaced many existing up-to-date firewall classification systems in the same area of study.
- Research Article
- 10.1016/j.comcom.2024.04.025
- Apr 25, 2024
- Computer Communications
PETRAK: A solution against DDoS attacks in vehicular networks
- Conference Article
- 10.1109/icimia.2017.7975595
- Feb 1, 2017
The extraordinary emergence and attainment of the Internet has changed the way traditional essential services such as transportation, banking, education and defense are operated. Now they are being increasingly replaced by cheaper and effective Internet-based applications. Hence, the availability of the Internet is very vital for the socio-economic growth of society. However, the underlying vulnerabilities of the Internet architecture provide the chance for a lot of attacks on its infrastructure and services. As the DDoS threat grows in sophistication and severity, all businesses and organizations that depend upon the Internet are at risk. In this paper we present a co-operative cross-layer mechanism for mitigation of DDoS attacks, as all the mechanisms to mitigate DDoS attacks are applied at a single layer or multi-layer. To enhance the overall security against DDoS attacks, a cross-layer approach will be the constructive solution. The combination of a Device-Driver Packet Filter (Cuckoo Filter) and a Remote Firewall will be the solution for this as a cross-layer approach. Device-driver-level packet filtering is designed to kill harmful network traffic before it consumes resources at the server side. To defend access links from DDoS attacks by sinking destructive network traffic before it gets into the link, the remote firewall is intended with cross-layer control. The achievement of the proposed mechanism is checked through extensive simulation in Java, which shows that (67, 3429) malicious packets are dropped for the respective datasets.
- Research Article
- 10.1093/comjnl/45.6.595
- Jun 1, 2002
- The Computer Journal
The control and management of Web-based service quality require the extension of the Internet infrastructure with monitoring functions to ascertain dynamically the state of networked resources. We describe the design and implementation of the Monitoring Application Programming Interface (MAPI), a Java-based tool for the on-line monitoring of Internet heterogeneous resources, which provides monitoring indicators at different levels of abstraction. At the application level, it instruments the Java Virtual Machine (JVM) to notify several different types of events triggered during the execution of Java applications, e.g. object allocation and method calls. At the kernel level, MAPI inspects system-specific information generally hidden by the JVM, e.g. CPU usage and incoming network packets, by integrating with Simple Network Management Protocol agents and platform-dependent monitoring modules. MAPI is the core part of a portable tool for distributed monitoring, control and management in the Internet environment. The tool is implemented in terms of mobile agents that move close to the monitored resources to enforce distributed management policies autonomously, with a significant reduction in both reaction time and traffic overhead.
- Research Article
- 10.15514/ispras-2014-26(2)-5
- Jan 1, 2014
- Proceedings of the Institute for System Programming of RAS
This paper presents a method of improving software fault injection by using deterministic replay. Fault injection and fuzzing are testing methods used for checking code coverage quality, improving error handling, and robustness testing. Fuzzing can hardly be applied to stateful communication protocols because the program state could change when restarting an application. The main idea of our method is to inject faults while replaying the program deterministically. Deterministic replay requires recording the program execution for later replaying. The recorded log includes user input, incoming network packets, USB input, and hardware timers. During replay we read these events from the log and put them back into the simulator instead of reading inputs or receiving packets from the network. After injecting the fault in replay mode, the program execution is different. This means that we should stop the replaying and start normal program execution from that program state. During the execution we simulate all hardware timers to make this mode switching imperceptible to the program. With the help of deterministic replay we can accelerate system initialization, eliminate the effect of non-deterministic data sources, and simplify environment setup, because the whole program execution before injecting the fault is recorded. On the basis of the method, a network fuzzer was built. The fuzzer modifies a selected network packet saved during session recording and sends it back into the simulator. This phase is repeated from the same program state until a bug in the program is found.
- Conference Article
- 10.1109/rteict.2017.8256833
- May 1, 2017
Nowadays the Internet plays a vital role in the growth of the economy of any nation. DDoS attacks are one of the major threats hurting this growth, as they affect the systems and networks which use the Internet for their business work. In DDoS attacks, the victim's bandwidth is flooded with an excessive amount of malicious or fake traffic, due to which the victim is unable to serve legitimate users. There have been many different techniques proposed by researchers which can detect DDoS attacks efficiently. But they have many limitations, and one of the important limitations of these techniques is their inability to differentiate a flash crowd from DDoS attacks. A flash crowd is a scenario in which plenty of legitimate users try to access a common server or system, so filtering of this kind of traffic may lead to business loss or credibility loss for the victim. In this context, we propose a new detection method, Entropy-score, which uses a hierarchical structure to analyse the incoming packets. In the proposed approach, first an entropy-based method is used for characterizing the incoming packets, and then a packet-score-based method is used for filtering the malicious packets. We implement this proposed method using the OMNET++ simulation tool, and the experimental results show that the Entropy-score method not only differentiates DDoS attack traffic from a flash crowd but can also differentiate the attack traffic from the normal traffic.
- Conference Article
- 10.1109/nof.2017.8251228
- Nov 1, 2017
Cyber attacks (e.g., DDoS) on computers connected to the Internet occur every day. A DDoS attack in 2016 that used the “Mirai botnet” generated over 600 Gbit/s of traffic, which was twice that of the previous year. In view of this situation, we can no longer adequately protect our computers using current end-point security solutions and must therefore introduce a new method of protection that uses distributed nodes, e.g., routers. We propose an Autonomous and Distributed Internet Security (AIS) infrastructure that provides two key functions: first, filtering source-address-spoofing packets (proactive filter), and second, filtering malicious packets that are observed at the end point (reactive filter) at the points closest to the malicious packets' origins. We also propose three types of Multi-Layer Binding Routers (MLBRs) to realize these functions. We implemented the MLBRs and constructed experimental systems to simulate DDoS attacks. Results showed that all malicious packets could be filtered by using the AIS infrastructure.
- Research Article
- 10.1109/tetc.2018.2879714
- Apr 1, 2021
- IEEE Transactions on Emerging Topics in Computing
In this modern era, Software Defined Networking (SDN), Network Function Virtualization (NFV), and cloud computing are participating in the emergence of the Fifth Generation (5G) network. This paper presents a robust security scheme to provide fortification against major threats along with user privacy in 5G networks; two additional entities are introduced. For mobile users, initial authentication is provided at access points by an inventive Highly Secured Authentication and Handover Mechanism (HS-AOHM) scheme which minimizes handover latency without loss of user privacy. Then the authorized user packets arrive at the dispatcher, in which a novel Tree Based Switch Assignment (TBSA) algorithm is incorporated. TBSA mitigates the flow table overloading attack by assigning packets to underloaded switches. In the controller, DDoS attacks are detected with the assistance of entropy analysis. Then the suspicious packets are redirected to a scrubbing Virtual Network Function (sVNF) in the cloud. In the sVNF, suspicious packets are classified into normal packets and malicious packets by using a Hybrid Fuzzy with Artificial Neural Network (HF-ANN) classifier based on packet features. Normal packets are allowed to access applications whereas malicious packets are dropped at the sVNF. Extensive simulation shows security improvement in the 5G network in terms of handover latency, holding time, switch failure rate, detection accuracy, and delay.
- Research Article
- 10.13052/jcsm2245-1439.1034
- May 27, 2021
- Journal of Cyber Security and Mobility
The increase in the deployment of IoT networks has improved the productivity of humans and organisations. However, IoT networks are increasingly becoming platforms for launching DDoS attacks due to the inherently weaker security and resource-constrained nature of IoT devices. This paper focusses on detecting DDoS attacks in IoT networks by classifying incoming network packets on the transport layer as either “Suspicious” or “Benign” using unsupervised machine learning algorithms. In this work, two deep learning algorithms and two clustering algorithms were independently trained for mitigating DDoS attacks. Emphasis was laid on exploitation-based DDoS attacks, which include Transmission Control Protocol SYN-Flood attacks and UDP-Lag attacks. The Mirai, BASHLITE and CICDDOS2019 datasets were used in training the algorithms during the experimentation phase. The accuracy score and normalized mutual information score are used to quantify the classification performance of the four algorithms. Our results show that the autoencoder performed best overall, with the highest accuracy across all the datasets.