Control Services Research Articles

Anomaly Intrusion Detection System for smart lighting

Smart lighting systems (SLS) are essential to smart cities, offering enhanced energy efficiency and public safety. However, they are susceptible to security threats, potentially leading to safety risks and service disruptions, making the protection of this infrastructure critical.This paper presents an anomaly-based Intrusion Detection System (IDS) designed for a real-world operational SLS. As commercial deployments vary in components, protocols, and functionalities, IDSs must be tailored to the characteristics of each deployment to perform effectively. Our anomaly IDS has been specifically defined based on the properties of available data and the types of attacks we aim to detect, providing explainability and exhibiting low complexity. The proposed system identifies anomalies in seven features of network traffic and telemetry data received at the central control (O&M) server. For the latter, we designed three customized anomaly detectors to identify abnormal data points, persistent deviations in power consumption of street lamps, and abnormal power value based on the time of day. Validation with real-world data and simulated attacks demonstrates the effectiveness of our approach. Network attacks (e.g., DoS, scanning) were detected by at least one of the seven flow-related anomaly detectors, while simulated data poisoning attacks and operational technology (OT) issues were detected with nearly 90% accuracy. The datasets used in this work are publicly available and may serve as a reference for the design of future IDS. While our detectors were designed specifically for our dataset, the variables examined and vulnerabilities addressed are common in most commercial SLSs.

Botnets Unveiled: A Comprehensive Survey on Evolving Threats and Defense Strategies

ABSTRACTBotnets have emerged as a significant internet security threat, comprising networks of compromised computers under the control of command and control (C&C) servers. These malevolent entities enable a range of malicious activities, from denial of service (DoS) attacks to spam distribution and phishing. Each bot operates as a malicious binary code on vulnerable hosts, granting remote control to attackers who can harness the combined processing power of these compromised hosts for synchronized, highly destructive attacks while maintaining anonymity. This survey explores botnets and their evolution, covering aspects such as their life cycles, C&C models, botnet communication protocols, detection methods, the unique environments botnets operate in, and strategies to evade detection tools. It analyzes research challenges and future directions related to botnets, with a particular focus on evasion and detection techniques, including methods like encryption and the use of covert channels for detection and the reinforcement of botnets. By reviewing existing research, the survey provides a comprehensive overview of botnets, from their origins to their evolving tactics, and evaluates how botnets evade detection and how to counteract their activities. Its primary goal is to inform the research community about the changing landscape of botnets and the challenges in combating these threats, offering guidance on addressing security concerns effectively through the highlighting of evasion and detection methods. The survey concludes by presenting future research directions, including using encryption and covert channels for detection and strategies to strengthen botnets. This aims to guide researchers in developing more robust security measures to combat botnets effectively.

Blockchain Security:"Botnets and Bitcoin Mining” - A Study on the Impacts and Countermeasures

Introduction: Botnets have become a significant threat to cybersecurity, as they can be used for a wide range of malicious activities, including Distributed Denial-of-Service (DDoS) attacks, spamming, and cryptocurrency mining. Bitcoin Mining, in particular, has become a lucrative target for cybercriminals, as it requires massive computing power and can generate significant profits. Method: In this paper, the author presents a study on a botnet that uses an HTA file to gain initial access and execute code on a victim's device, followed by the installation of mining software to infect the device and bitcoins. Result: The author analyzes the botnet's behaviour, including its evasion techniques and Bitcoin Mining activities, and discusses the implications of current findings for cybersecurity and Bitcoin Mining. Conclusion: Future research should also investigate the use of different command and control servers and other advanced attack frameworks in botnet operations and examine the potential connections between botnets and other cybercrime activities, such as ransomware and espionage.

An end-to-end framework for private DGA detection as a service.

Domain Generation Algorithms (DGAs) are used by malware to generate pseudorandom domain names to establish communication between infected bots and command and control servers. While DGAs can be detected by machine learning (ML) models with great accuracy, offering DGA detection as a service raises privacy concerns when requiring network administrators to disclose their DNS traffic to the service provider. The main scientific contribution of this paper is to propose the first end-to-end framework for privacy-preserving classification as a service of domain names into DGA (malicious) or non-DGA (benign) domains. Our framework achieves these goals by carefully designed protocols that combine two privacy-enhancing technologies (PETs), namely secure multi-party computation (MPC) and differential privacy (DP). Through MPC, our framework enables an enterprise network administrator to outsource the problem of classifying a DNS (Domain Name System) domain as DGA or non-DGA to an external organization without revealing any information about the domain name. Moreover, the service provider's ML model used for DGA detection is never revealed to the network administrator. Furthermore, by using DP, we also ensure that the classification result cannot be used to learn information about individual entries of the training data. Finally, we leverage post-training float16 quantization of deep learning models in MPC to achieve efficient, secure DGA detection. We demonstrate that by using quantization achieves a significant speed-up, resulting in a 23% to 42% reduction in inference runtime without reducing accuracy using a three party secure computation protocol tolerating one corruption. Previous solutions are not end-to-end private, do not provide differential privacy guarantees for the model's outputs, and assume that model embeddings are publicly known. Our best protocol in terms of accuracy runs in about 0.22s.

Role-Based Access Control (RBAC) Enabled Secure and Efficient Data Processing Framework for IoT Networks

Internet of Things (IoT) has the potential to significantly impact various domains e.g. health, transportation, automation, and emergency response to both man-made and natural disasters, particularly in scenarios where human decision is challenging. In this research a Role-Based Access Control (RBAC) Enabled Secure and Efficient Data Processing Framework for IoT Networks has been proposed. This framework ensures robust security and optimized data handling through granular access control mechanisms based on predefined roles. By leveraging RBAC, it mitigates unauthorized access risks, thereby safeguarding sensitive IoT data during transmission and storage. Our approach emphasizes efficiency by streamlining data processing workflows, reducing latency, and optimizing resource utilization. The framework is designed to scale with IoT network expansions and adapt to evolving security needs, promising enhanced reliability and trustworthiness in data operations for contemporary IoT environments. According to this research work current security effectiveness is 99 percent.Home area network (HAN) can be used for smart connectivity of different home appliances using IoT and automatic start and stop feature may be possible.Access control server (ACS) is used to control access and provide permission for different operations.

Class Incremental Deep Learning: A Computational Scheme to Avoid Catastrophic Forgetting in Domain Generation Algorithm Multiclass Classification

Domain Generation Algorithms (DGAs) are algorithms present in most malware used by botnets and advanced persistent threats. These algorithms dynamically generate domain names to maintain and obfuscate communication between the infected device and the attacker’s command and control server. Since DGAs are used by many threats, it is extremely important to classify a given DGA according to the threat it is related to. In addition, as new threats emerge daily, classifier models tend to become obsolete over time. Deep neural networks tend to lose their classification ability when retrained with a dataset that is significantly different from the initial one, a phenomenon known as catastrophic forgetting. This work presents a computational scheme composed of a deep learning model based on CNN and natural language processing and an incremental learning technique for class increment through transfer learning to classify 60 DGA families and include a new family to the classifier model, training the model incrementally using some examples from known families, avoiding catastrophic forgetting and maintaining metric levels. The proposed methodology achieved an average precision of 86.75%, an average recall of 83.06%, and an average F1 score of 83.78% with the full dataset, and suffered minimal losses when applying the class increment.

On DGA Detection and Classification Using P4 Programmable Switches

Domain Generation Algorithms (DGAs) are highly effective strategies employed by malware to establish connections with Command and Control (C2) servers. Mitigating DGAs in high-speed networks can be challenging, as it often requires resource-intensive tasks such as extracting high-dimensional features from domain names or collecting extensive network heuristics. In this paper, we propose an innovative framework leveraging the flexibility, per-packet granularity, and Terabits per second (Tbps) processing capabilities of P4 programmable data plane switches for the rapid and accurate detection and classification of DGA families. Specifically, we use P4 switches to extract a combination of unique network heuristics and domain name features through shallow and Deep Packet Inspection (DPI) with minimal impact on throughput. We employ a two-fold approach, comprising a line-rate compact Machine Learning (ML) classifier in the data plane for DGA detection and a more comprehensive classifier in the control plane for DGA detection and classification. To validate our approach, we collected malware samples totaling hundreds of Gigabytes (GBs), representing over 50 DGA families, and utilized campus traffic from normal benign users. Our results demonstrate that our proposed approach can swiftly and accurately detect DGAs with an accuracy of 97% and 99% in the data plane and the control plane, respectively. Furthermore, we present promising findings and preliminary results for detecting DGAs in encrypted Domain Name System (DNS) traffic. Our framework enables the immediate halting of malicious communications, empowering network operators to implement effective mitigation, incident management, and provisioning strategies.

Data Science in Cybersecurity to Detect Malware-Based Domain Generation Algorithm: Improvement, Challenges, and Prospects

Nowadays, the malware communicates with command and control servers using domains generated algorithmically. Domain generation algorithms ( DGAs) are continually evolving, which degrades the accuracy of the existing methods calls for the continuous tracking of how DGAs develop and their detection methods and calls for a good evaluation of the stage to open horizons for new detection methods. Data science plays a key role in cybersecurity by providing methods for detecting and analyzing network traffic data, including DGAs, and helping to improve the overall security of computer systems and networks. It can also be used to analyze large datasets of domain names and to develop and optimize solutions for DGA detection, by applying techniques such as machine learning, deep learning, and genetic algorithms, which have shown their effectiveness in detecting new and unknown DGAs. This paper reviews the role of data science in cybersecurity systems to detect DGAs. Hence, it also brings together publicly available domain name datasets and data science techniques utilized in recent DGA detection systems to highlight current issues and potential directions. This article additionally explains issues related to DGA detection. This will assist researchers in improving the current DGA detection algorithms as well as creating new powerful models.

Enhancing Botnet Detection in Network Security Using Profile Hidden Markov Models

A botnet is a network of compromised computer systems, or bots, remotely controlled by an attacker through bot controllers. This covert network poses a threat through large-scale cyber attacks, including phishing, distributed denial of service (DDoS), data theft, and server crashes. Botnets often camouflage their activity by utilizing common internet protocols, such as HTTP and IRC, making their detection challenging. This paper addresses this threat by proposing a method to identify botnets based on distinctive communication patterns between command and control servers and bots. Recognizable traits in botnet behavior, such as coordinated attacks, heartbeat signals, and periodic command distribution, are analyzed. Probabilistic models, specifically Hidden Markov Models (HMMs) and Profile Hidden Markov Models (PHMMs), are employed to learn and identify these activity patterns in network traffic data. This work utilizes publicly available datasets containing a combination of botnet, normal, and background traffic to train and test these models. The comparative analysis reveals that both HMMs and PHMMs are effective in detecting botnets, with PHMMs exhibiting superior accuracy in botnet detection compared to HMMs.

Algorithmically Generated Domain Names Detection Using Gated Recurrent Unit Deep Learning

The modern malware increasingly employs domain generation algorithms (DGAs) to evade traditional DNS query detection methods, such as blacklisting or reverse engineering of suspicious domain names. These algorithms generate vast numbers of random domain names to establish communication with Command and Control (C&C) servers, posing significant challenges for detection. Previous research has predominantly relied on classical machine learning algorithms, necessitating manual feature extraction and classification, which is both time-consuming and labour-intensive this paper, we propose a deep learning-based architecture for detecting DGA-generated domain names. Our model utilizes recurrent networks with gated recurrent units (GRUs) for domain name detection. By converting domain names into vectors and employing GRUs, the model autonomously learns features, eliminating the need for manual intervention in feature extraction. Compared to traditional methods, our approach reduces time costs associated with feature extraction. The experimental result demonstrates the effectiveness of our proposed GRU achieving 98% accuracy, 94% recall rate, 93% precision, and an Area Under the Curve (AUC) of 99.6%. The GRUarchitecture outperforms LSTM models in terms of recall rate and accuracy while requiring less computational resources, indicating significant performance enhancement.

BERT - Based Detection and Classification of Algorithmically Generated Domains in Malware Communication

Malware threats. Particularly ransomware, often employ Algorithmically Generated Domains (AGD) for communication with Command & Control (C&C) servers. This paper introduces a novel approach for AGD detection using the Bidirectional Encoder Representations from Transformer (BERT) model, eliminating the need for intricate feature selection or hyperparameter tuning. The proposed method effectively addresses the challenge posed by sophisticated domain generation techniques, including dictionary-based and random character approaches. Experimental results demonstrate the superior performance of the BERT model in both AGD detection and classification tasks, achieving a precision, recall, and accuracy score of 0.99. The approach proves effective against diverse domain generation algorithms, enhancing the current state-of-the-art methods for securing networks against evolving malware threats.

Energy optimized artificial hummingbird algorithm for routing in IoT‐based software‐defined WSN

SummaryThe Internet of Things (IoT) has become widely used in applications such as smart homes, industrial automation, and transportation due to its affordable hardware and fast internet connectivity. However, the increase in IoT‐enabled gadgets, particularly those running on batteries or connected to other sources, is putting strain on the world's energy requirements. Therefore, this study focuses on a green routing solution for battery‐powered IoT‐enabled Software‐defined Wireless Sensor Networks (IoT‐SDWSN). Finding green solutions for IoT‐based networks to address this energy challenge has become crucial. This study focuses on developing a green routing solution for battery‐powered IoT‐SDWSN. Energy efficiency in IoT‐SDWSN is attained by the process of clustering nodes. The network is partitioned into small clusters, and a Control Node (CN) is set up by a Control Server (CS) to transmit the data packets sent by sensor nodes. Choosing a CN in these networks is a critical concern due to the substantial energy consumption involved in delivering data to the CS. This research focuses on the problem of energy‐efficient cluster routing in IoT‐based SD‐WSN. It introduces the Energy‐optimized Artificial Hummingbird Algorithm (EOAHA) as a green routing technique. EOAHA aims to extend the lifespan of IoT‐based SD‐WSNs by intelligently selecting (based on a new fitness function) CNs to distribute the network load and increase its overall longevity. To evaluate the performance of EOAHA, a comparative analysis is conducted against other state‐of‐the‐art algorithms. The results demonstrate that EOAHA outperforms these algorithms by a minimum of 13.5% in terms of network longevity.

Unmanned Surface Vehicle for Automatic Water Quality Monitoring

This paper presents an affordable, yet efficient approach to Unmanned Surface Vehicle (USV) design for automated water quality monitoring. Mechanically, the USV employs a catamaran design with robust hardware components, including aluminium structural frames, PVC inflatable tubes, and waterproof enclosures for housing electronics and batteries. The water quality monitoring function is achieved through a multi-parameter sonde controlled by an onboard processing unit, enabling fully automated environmental data collection. With the capability of both GPS-guided and telemetry operation, the USV is suitable to perform various missions/tasks of vast environmental surveillance application on both static water and river setting while maintaining communication with ground control station and server via wireless RF/4G/LTE/GPRS/Wi-Fi networks.

Enhancing road safety in internet of vehicles using deep learning approach for real-time accident prediction and prevention

The paper proposes an Internet of Vehicles (IoV)-based Accident Prediction and Prevention System that leverages the Internet of Things (IoT) to tackle the road safety challenges arising from the increased rate and volume of traffic due to population growth. In order to enhance road safety and efficiency, the IoV devices enable real-time data transmission and analysis. The proposed multi-tier framework tracks vehicle and roadside unit (RSU) data, encompassing road traffic conditions and vehicle data. The framework integrates vehicles, road traffic, weather conditions, and external factors. On a cloud-based control server, the proposed Spatio-Temporal Conv-Long Short-Term Memory Autoencoder (STCLA) framework deals with and analyzes the resulting data. This research addresses road safety on the Internet of Vehicles via DL. It proposes a novel framework for real-time accident prevention and prediction, demonstrating its effectiveness and potential impact. In a year-long research in Hubei Province, China, data from two road segments demonstrated a substantial boost in predictive accuracy, achieving an Area Under the Receiver Operating Characteristic Curve (AUROC) score of 0.94.

Container-based Virtualization for Real-time Industrial Systems—A Systematic Review

Industrial Automation and Control systems have matured into a stable infrastructure model that has been kept fundamentally unchanged, using discrete embedded systems (such as Programmable Logic Controllers) to implement the first line of sensorization, actuation, and process control and stations and servers providing monitoring, supervision, logging/database and data-sharing capabilities, among others. More recently, with the emergence of the Industry 4.0 paradigm and the need for more flexibility, there has been a steady trend towards virtualizing some of the automation station/server components, first by using virtual machines and, more recently, by using container technology. This trend is pushing for better support for real-time requirements on enabling virtualization technologies such as virtual machines and containers. This article provides a systematic review on the use of container virtualization in real-time environments such as cyber-physical systems, assessing how existing and emerging technologies can fulfill the associated requirements. Starting by reviewing fundamental concepts related to container technology and real-time requirements, it goes on to present the methodology and results of a systematic study of 37 selected papers covering aspects related to the enforcement of real-time constrains within container hosts and the expected task latency on such environments, as well as an overview of container platforms and orchestration mechanisms for RT systems.

About the applicability of Apache2 web server memory forensics

With the increasing use of the Internet for criminal activities, web servers have become more and more important during forensic investigations. In many cases, web servers are used to host leaked data, as a management interface for Command and Control servers, or as a platform for illicit content. As a result, extracting information from web servers has become a critical aspect of digital forensics. By default, a lot of information can already be extracted by performing traditional storage forensics including the analysis of logs. However this approach quickly reaches its limits as soon as anti-forensic techniques such as the deletion of configuration files or the deactivation of logging capabilities are implemented. This paper evaluates the feasibility of memory forensics as a complement to traditional storage forensics for cases involving web servers. For this purpose, we present a methodology for extracting forensically relevant artefacts from the memory of Apache web servers, which are among the most commonly used on the Internet. Through various experiments, we evaluate the applicability of our approach in different scenarios. In the process, we also take a closer look at the overall existence of digital traces, which cannot easily be found by following a structured approach. Our findings demonstrate that certain Apache web server structures contain important information that can be retrieved from memory even after the originating event has passed. Additionally, traces such as IP addresses were still found in memory even after complete structures were already overwritten by further interaction. These results highlight the benefits and the potential of memory analysis for web servers in digital investigations.

Performance evaluation of RYU controller under distributed denial of service attacks

<span>Distributed denial of service (DDoS) attacks have been identified as one of the greatest threats to software-defined networking (SDN) because they are highly effective, hard to detect, and easy to use, and they take advantage of vulnerabilities in which the new architecture still exists. This paper describes one technique for denying the RYU controller's services, which can cause the controller's resources to be depleted if a significant number of packets from various zombie hosts are sent to the controller using spoofed source internet protocol (IP) addresses. In order to demonstrate the impact of the attack, we measure various metrics related to RYU controllers such as its central processing unit (CPU) usage and network throughput. In this work, Mininet was used to simulate the data plane and measure metrics such as random access memory (RAM) usage, CPU load, and link latency.</span>

CI_GRU: An efficient DGA botnet classification model based on an attention recurrence plot

Malware is often embedded with domain generation algorithms (DGAs) to prevent firewall interception and domain black-and-white list comparison detection while hiding command and control (C&C) servers to tighten the control of botnets. DGA domains are diverse and difficult to obtain, resulting in highly unbalanced datasets. Domain names generated by different DGA families do not differ much at the sequence data level and it is difficult to extract their features. The above characteristics lead to poor accuracy, poor generalization ability, and bloatedness of DGA domain name classification models based on deep learning. To solve the above problems, the visual representation of sequence data and the DGA domain classification model are presented in this paper. First, the DGA domain name is mapped to the attention recurrence plot (Att_RP) proposed in this paper, which can enrich the data phase space features and differentiate the key phase space features. After that, Att_RP is sent to a DGA domain name classification model (CI_GRU) proposed in this paper for data dimension transformation processing, followed by classification. Experiments show that the classification accuracy, F1_score, and recall of the model for a variety of DGA families in the wild are higher than 99%, and can also accurately classify four types of crafted DGA families. Compared with similar models, the model has high classification accuracy, low time consumption, low generalization error, and high efficiency, and the size of the model is less than one-tenth of similar models.

Detection of Algorithmically Generated Domain Names using Ensemble Machine Learning Technique

Prior to now, cyber attackers use malwares with hard-coded domain names stored in the malware binaries that communicate with a command and control (C&C) servers to launch cyber-attacks on their victim computers. Malware attacks such as botnets and ransomwares are some of the most prevalent forms of these attacks. As soon as a system is infected with a malware (either a botnet or a ransomware), one of the most essential components is to establish a secured communication with the botmaster (i.e., the malware author), through a C&C server. However, with a simple reverse engineering technique, cyber security experts could detect and block these domain names, hence, denying them the ability to communicate with the C&C servers and from receiving further instructions from the botmaster. This led to cyber criminals developing the Domain Generation Algorithm (DGA) technique, which algorithmically generate thousands or more candidate’s domain names for communication with the C&C server, thereby obfuscating the domain names of these malwares and making it difficult for cyber security experts to detect or block these domain names. This paper therefore proposes an ensemble machine learning technique for the detection and classification of algorithmically generated domain names (AGDNs) leveraging the combined strength of 4 different machine learning algorithms: Naïve Bayes, SVM, Random Forest and CART. The models were trained twice, first with 4 features and thereafter with 10 features. In order to effectively utilise the result of the predictions, we used a voting-based ensemble approach, where the final classification is decided by the majority vote of the algorithms. Result of the research shows that the Naïve Bayes model performed better than all the other models with an accuracy of 97.54% when trained with 10 features and 95.99% when trained with 4 features. Keywords: WSN, DDoS, Intrusion Detection System, Random Forest, Machine Learning. Proceedings Citation Format Abdullahi, S.M., Mohammed, A., Ibrahim, R.Y. & Shamsuddeen, A. (2023): Detection of Algorithmically Generated Domain Names using Ensemble Machine Learning Technique. Proceedings of the Cyber Secure Nigeria Conference. Nigerian Army Resource Centre (NARC) Abuja, Nigeria. 11-12th July, 2023. Pp 27-34. https://cybersecurenigeria.org/conference-proceedings/volume-2-2023/ dx.doi.org/10.22624/AIMS/CSEAN-SMART2023P2.

Behaviour based botnet detection with traffic analysis and flow intervals at the host level

A botnet is one of the most dangerous forms of security issues. It infects unsecured computers and transmit malicious commands. By using botnet, the attacker can launch a variety of attacks, such as distributed denial of service (DDoS), data theft, and phishing. The botnet may contain a lot of infected hosts and its size is usually large. In this paper, we addressed the problem of botnet detection based on network’s flows records and activities in the host. We proposed a host-based approach that detects a host, that has been compromised by observing the flow of in-out bound traffic. To prove the existence of command and control communication, we examine host network flow. Once the bot process has been identified in the host being monitored, this knowledge allows blocking any in/out traffic with the bot’s server. In addition to providing information about the compromised machine’s IP address and how it communicates with servers, the log file is generated, which can provide data about the command and control (C&C) servers. Most existing work on detecting botnet is based on flow-based traffic analysis by mining their communication patterns. Our work distinguishes itself from other methods of bot detection from its ability to use real-time host-related data for detection.