Deployment Of Intrusion Detection Systems Research Articles

Detection and mitigation of DDoS attacks in SDN based intrusion detection system

Software defined networks (SDN) have completely revolutionized the management and operation of networks. This novel technology entails a distinctive approach to management. Amidst the advancements, a notable security concern arises in the form of distributed denial of service (DDoS) attacks. To counteract this attack, the deployment of intrusion detection systems (IDS) assumes paramount importance. IDS plays a critical role in monitoring network traffic, promptly detecting irregularities that may signify a potential denial of service (DoS) assault. This study delves into a comprehensive exploration of a DDoS attack on an SDN network using the OpenDaylight controller and the Mininet emulator. Furthermore, the assessment extends to evaluating the DDoS attack's repercussions and the effectiveness of IDS in mitigating such risks. Various performance metrics, including throughput according to delay time, are monitored to gauge network performance under duress. The difference in throughput curves when comparing scenarios with and without IDS highlights the significant impact of intrusion detection. When the IDS was absent, there was a noticeable increase in oscillations, indicating greater network susceptibility. On the other hand, the presence of an IDS created a more regulated environment, reducing variances and promoting a more stable network.

A Practical Approach to Intrusion Detection in IoV Networks Using LCCDE Ensemble Framework

Abstract: With the rapid development of the Internet of Things (IoT) and the Internet of Vehicles (IoV) technologies, modern vehicles are increasingly adopting network-controlled functionalities, exposing them to a variety of cyber threats. To address these security challenges, this paper implements and evaluates a novel ensemble Intrusion Detection System (IDS) framework, named Leader Class and Confidence Decision Ensemble (LCCDE). The LCCDE framework integrates three advanced Machine Learning (ML) algorithms—XGBoost, LightGBM, and CatBoost—to detect various types of cyber-attacks on both intra-vehicle and external vehicular networks.This study demonstrates the effectiveness of the LCCDE framework using two public IoV security datasets: the Car-Hacking dataset and the CICIDS2017 dataset. By identifying the best-performing ML model for each class of attacks and leveraging prediction confidence values, LCCDE achieves high detection accuracy and robustness against diverse attack types. The experimental results show that the proposed framework outperforms traditional IDS approaches in terms of detection accuracy, computational efficiency, and adaptability to different types of cyber-attacks. This paper provides practical insights into the implementation and deployment of IDS in IoV systems, highlighting the potential of ensemble learning methods to enhance vehicular network security.

Mitigating Adversarial Reconnaissance in IoT Anomaly Detection Systems: A Moving Target Defense Approach based on Reinforcement Learning

The machine learning (ML) community has extensively studied adversarial threats on learning-based systems, emphasizing the need to address the potential compromise of anomaly-based intrusion detection systems (IDS) through adversarial attacks. On the other hand, investigating the use of moving target defense (MTD) mechanisms in Internet of Things (IoT) networks is ongoing research, with unfathomable potential to equip IoT devices and networks with the ability to fend off cyber attacks despite their computational deficiencies. In this paper, we propose a game-theoretic model of MTD to render the configuration and deployment of anomaly-based IDS more dynamic through diversification of feature training in order to minimize successful reconnaissance on ML-based IDS. We then solve the MTD problem using a reinforcement learning method to generate the optimal shifting policy within the network without a prior network transition model. The state-of-the-art ToN-IoT dataset is investigated for feasibility to implement the feature-based MTD approach. The overall performance of the proposed MTD-based IDS is compared to a conventional IDS by analyzing the accuracy curve for varying attacker success rates. Our approach has proven effective in increasing the resilience of the IDS against adversarial learning.

Crossover Boosted Grey Wolf Optimizer‐based framework for leader election and resource allocation in Intrusion Detection Systems for MANETs

AbstractMobile Ad hoc Networks (MANETs) is a self‐organizing networks without having a fixed infrastructure for making them susceptible to security threats. Intrusion Detection Systems (IDS) promotes security in MANETs by identifying malicious activities. Leader election is a fundamental aspect of IDS deployment, impacting resource allocation and system efficiency. This article presents a novel approach, the Crossover Boosted Grey Wolf Optimizer (CBGWO), for leader election and resource allocation in MANET‐based IDS. The proposed CBGWO algorithm integrates the Grey Wolf Optimizer (GWO) with innovative crossover operators that have an ability to enhance the capabilities of exploration and exploitation in the optimization process. The leader election problem is solved through applying multi‐objective optimization by considering energy consumption, reputation, and communication overhead. Objective functions are defined to maximize energy efficiency while maintaining a balanced distribution of leadership roles. Extensive simulations are conducted, varying network densities and the percentage of selfish nodes. Results demonstrate the effectiveness of the CBGWO‐based model in balancing energy consumption, prolonging network lifespan, and enhancing intrusion detection by comparing different state‐of‐the‐art models such as PCA‐FELM, CTAA‐MPSO, FLS‐RE, LEACH, DCAIDS, WOA‐GA, and VOELA. The proposed model achieved an energy consumption of 4.31 J, network lifetime of 560.482 ms, and average intrusion detection latency of 0.12 s, respectively. The proposed model outperforms than existing random and connectivity‐based leader election methods that is evaluated by taking main consideration of energy efficiency and network survivability. This research contributes to the field by introducing a robust algorithm for leader election in MANET‐based IDS, addressing challenges posed by network dynamics and resource constraints. The CBGWO‐based approach showcases its potential to achieve effective leader election and efficient resource allocation, thereby enhancing the security and sustainability of MANETs.

Implementation and Evaluation of Intrusion Detection Systems using Machine Learning Classifiers on Network Traffic Data

Strong Intrusion Detection Systems (IDS) are now essential given how much more crucial services and communication are being reliant on digital networks. Through the use of machine learning classifiers on network traffic data, this research shows the deployment and thorough evaluation of IDS. The first step of the study is to gather and preprocess a wide dataset of network traffic, which includes both legitimate and criminal operations. A high-dimensional feature set is produced when important information is extracted from the raw data using feature engineering techniques. In order to simulate the patterns of network traffic, a variety of machine learning methods are used, such as Decision Trees, Random Forests, Support Vector Machines, and Neural Networks. The models are also put to the test in a variety of situations, such as those with changing levels of network traffic, different kinds of attacks, and false-positive rates. Results show that machine learning-based IDS is more accurate than conventional rule-based systems at identifying and categorising network intrusions. Assessments are made of the models' ability to scale up and change to accommodate new threats. A thorough examination of IDS utilising machine learning classifiers on actual network traffic data is provided in this research, which, in turn, advances network security. The results highlight the value of machine learning in improving the precision and sturdiness of intrusion detection systems and protecting crucial network infrastructures from new cyber threats.

SCADA intrusion detection scheme exploiting the fusion of modified decision tree and Chi-square feature selection

The industrial internet of things (IIoT) and supervisory control and data acquisition (SCADA) have experienced ubiquitous growth recently. This growth comes with the challenge of an increased number of unusual attacks constituting threats. The existence and effect of intruders and their innovative attack techniques are rising. Although the existing intrusion detection systems (IDS) safeguard the networks, they have been computationally expensive. In real-time domains, available methods lag, necessitating additional research into effective feature extraction schemes with time exigency. An IDS with a fused feature selection (FS) approach for detecting and classifying attacks in a real-time SCADA network is imperative. It is to enable the resolution of computationally complex vulnerability detection schemes. The proposed technique is in three (3) phases: (a) data preparation which involves data cleansing and normalization, and (b) a fused feature selection approach built to obtain an optimal subset of features using Chi-square. (c) deployment of the modified decision tree (MDT) for anomaly detection and classification. Lastly, the reliability of the proposed model was validated, demonstrating suitability in precisely detecting abnormalities while minimizing computational time. This improvement enables adaptability for the IDS deployment scheme in a real-time situation, which could be in the control center. The validation results reveal that when the proposed chi-square-based (fused) feature extraction is employed, it performs optimally to other FS techniques and ML classifiers, compared across four (4) publicly available datasets. Cohen’s kappa coefficient (CKC) further validates the proposed model’s reliability. Further demonstrating the experimental results with recourse to false positive rates (FPR), the Mathews correlation coefficient (MCC) was employed. It also shows the resilience of the proposed model performance on an imbalanced dataset validating its suitability in real scenarios.

GaDQN-IDS: A Novel Self-Adaptive IDS for VANETs Based on Bayesian Game Theory and Deep Reinforcement Learning

Due to the nature of high mobility and dynamic network topology, Intrusion Detection Systems (IDSs) in Vehicular Ad-hoc Networks (VANETs) face lots of challenges, especially in balancing the accuracy and efficiency of detection. Current researches about the deployment of IDSs in VANETs mainly focus on a tradeoff between the effectiveness and efficiency, but few efforts have been done about the adaptability of the tradeoff in the changeable networks. Thus, we address two crucial problems: 1) how to perceive the environmental change in the perspective of an IDS? 2) how to make the IDS adaptive in different scenarios? In this paper, a Bayesian Game theory and Deep Q-learning Network-based IDS is proposed for VANETs, called GaDQN-IDS. The interactions between an IDS and attackers are formulated as a dynamic intrusion detection game, in which the IDS decides either to just adjust the tradeoff between the accuracy and efficiency or to be retrained completely when its detection capacity has declined. The Nash Equilibria (NE) of the game is derived to reveal how the optimal decision of the IDS depends on the detection performance and road conditions. Moreover, a Deep Q-learning Network (DQN)-Adjustment is proposed to realize the self-adaptation of the IDS in the dynamic game, while an Error Priority Learning (EPL) is further designed for IDS retraining in changing VANETs. Simulation results show that the GaDQN-IDS has better performance than other existing IDSs with higher detection rate as well as lower detection time and overhead.

Blueprint for Security: Designing Secure Cloud Architectures

The research paper delves into the imperative of robust security frameworks within cloud computing environments, addressing the prevalent challenges and vulnerabilities that accompany the cloud's expansive utilization across industries. This study underscores the necessity of foundational security principles, such as least privilege, role-based access control, and comprehensive data encryption, aiming to fortify cloud infrastructures against escalating cyber threats. The paper provides a thorough analysis of contemporary security practices, including network segmentation, the deployment of intrusion detection systems, and rigorous compliance protocols, to ensure resilient and secure cloud operations. Additionally, it evaluates cutting-edge tools and technologies, like automated security solutions and AI-driven threat detection systems, which are pivotal in enhancing security postures and mitigating risks in dynamic cloud ecosystems. Through a series of case studies, the paper highlights successful implementations and extracts critical lessons from historical security breaches, offering actionable insights and strategies to design inherently secure cloud architectures. This study not only synthesizes complex security requirements into actionable architecture blueprints but also anticipates future challenges and technological advancements, making it a vital resource for professionals and organizations aiming to leverage cloud computing securely and efficiently.

Intrusion Detection Systems in Internet of Things and Mobile Ad-Hoc Networks

Internet of Things (IoT) devices work mainly in wireless mediums; requiring different Intrusion Detection System (IDS) kind of solutions to leverage 802.11 header information for intrusion detection. Wireless-specific traffic features with high information gain are primarily found in data link layers rather than application layers in wired networks. This survey investigates some of the complexities and challenges in deploying wireless IDS in terms of data collection methods, IDS techniques, IDS placement strategies, and traffic data analysis techniques. This paper’s main finding highlights the lack of available network traces for training modern machine-learning models against IoT specific intrusions. Specifically, the Knowledge Discovery in Databases (KDD) Cup dataset is reviewed to highlight the design challenges of wireless intrusion detection based on current data attributes and proposed several guidelines to future-proof following traffic capture methods in the wireless network (WN). The paper starts with a review of various intrusion detection techniques, data collection methods and placement methods. The main goal of this paper is to study the design challenges of deploying intrusion detection system in a wireless environment. Intrusion detection system deployment in a wireless environment is not as straightforward as in the wired network environment due to the architectural complexities. So this paper reviews the traditional wired intrusion detection deployment methods and discusses how these techniques could be adopted into the wireless environment and also highlights the design challenges in the wireless environment. The main wireless environments to look into would be Wireless Sensor Networks (WSN), Mobile Ad Hoc Networks (MANET) and IoT as this are the future trends and a lot of attacks have been targeted into these networks. So it is very crucial to design an IDS specifically to target on the wireless networks.

An Efficient Hybrid IDS Deployment Architecture for Multi-Hop Clustered Wireless Sensor Networks

Deploying Intrusion Detection Systems (IDSs) is an essential way to enhance the security of Multi-hop Clustered Wireless Sensor Networks (MCWSNs). The conventional IDS deployment architectural designs show limitations in ensuring the security of MCWSNs due to the limited monitoring range of the nodes. This paper proposes an efficient IDS deployment architecture for MCWSNs. The architecture is a hybrid design, in which the cluster heads and the sink collaboratively act as IDS agents to monitor the entire network and perform intrusion detection. Based on the new architecture, this paper proposes a resource allocation model to optimally allocate resources among the IDS agents so that the network’s security metric can be maximized. A comprehensive analytical framework is proposed to analyze the optimality of the model’s solution, and an efficient computational approach is developed to obtain the optimal resource allocation strategy. Extensive numerical simulation and comparison studies are conducted to validate the proposed method.

DIGFuPAS: Deceive IDS with GAN and function-preserving on adversarial samples in SDN-enabled networks

Showing a great potential in various domains, machine learning techniques are more and more used in the task of malicious network traffic detection to significantly enhance the ability of intrusion detection system (IDS). When associating with Software-Defined Networks (SDN), the deployment of IDSs can leverage the centralized control plane in SDN to support for large-scale network monitoring. However, machine learning-based IDSs themselves can be attacked and tricked by adversarial examples with additional perturbation from the original ones. It is vital to provide supplementary unknown traffic to evaluate and improve the resilience of IDS against variants of cyberattacks. Thus, this work explores the method of generating adversarial attack samples by Generative Adversarial Model (GAN) to deceive IDS. We propose DIGFuPAS, a framework can create attack samples which can bypass machine learning-based IDSs in SDN with the black-box manner. In this framework, instead of Vanilla GAN, we use Wassertein GAN (WGAN) to improve the ability of GAN convergence training. In addition, the strategy of preserving functional features of attack traffic is applied to maintain the operational aspect of adversarial attacks. Through our implementation and experiments on NSL-KDD and CICIDS2018 dataset, the decreased detection rate of black-box IDSs on adversarial attacks demonstrates that our proposed framework can make IDSs in SDN-enabled networks misclassify on GAN-based synthetic attacks. Also, we utilize DIGFuPAS as a tool for evaluating and improving the robustness of IDS by repetitively retraining classifiers from crafted network traffic flow.

A novel workload scheduling framework for intrusion detection system in NFV scenario

Compared with traditional Intrusion Detection System (IDS) solutions, deploying IDS in Network Function Virtualization (NFV) environment can have better scalability and flexibility. Existing research works in this area do not consider many IDS features to design IDS-specific workload scheduling approaches. Thus, there is space further to promote the performance of IDS deployment in the NFV scenario. In this paper, we find some critical IDS features by analyzing packet processing procedures, software implementation, and rulesets of typical IDS. Combining these features with the flexibility of NFV, we propose a novel workload scheduling framework for IDS deployment in the NFV scenario. Our framework contains two parts: 1) a novel protocol & destination port based traffic migration strategy which can promote the detection performance and reduce the memory usage compared with the traditional 5-tuple hash based strategy; 2) an auto-configuration algorithm to find a better-than-default configuration for each Virtual Network Function (VNF) instance. We evaluate our framework with real network traffic and benchmark traffic datasets for IDS. Experimental results show that our framework can always have better detection performance and lower memory usage than the 5-tuple hash based migration strategy and the default configuration.

Benchmark Tests for the Model-Checking-Based IDS Algorithms

A fundamental concern for the security community is to identify the comprehensive comparable performance of various intrusion detection algorithms which are based on the Model Checking (MC) techniques. To address this open issue, we conduct the benchmark tests for the model-checking-based intrusion detection systems algorithms. At first, linear temporal logic, interval temporal logic and real-time attack signature logic are employed respectively to establish formula models for twenty-four types of attacks selected from KDDCUP, i.e., the annual data mining and knowledge discovery competition organized by association for computing machinery. And then, a standard intrusion set, called intrusion set for intrusion detection based on model checking, which is a behavior version of a subset of KDDCUP, is constructed. On the basis of it, detection abilities and efficiency of the intrusion detection algorithms based on model checking the three logics mentioned above are compared exhaustively. The experimental results illustrate the efficiency and abilities of these three algorithms. It is beneficial for selecting the suitable MC-based algorithms in actual deployment of intrusion detection systems.

Alert Correlation for Cyber-Manufacturing Intrusion Detection

Abstract With the deployment of intrusion detection systems (IDS) in Cyber-Manufacturing System (CMS), both cyber alerts and physical alerts need to be managed effectively. In this research, an alert correlation method based on temporal and attribute-based similarity analyses is presented. Intrusion detection message exchange format (IDMEF) is introduced, along with a new physical intrusion detection alert (PIDA) format for reporting and correlating physical alerts with cyber alters. A five-step alert correlation process has been developed for cyber-physical alert correlations in CMS. To test the alert correlation method, an experiment has been carried out on a CMS security testbed. SQL injection and Nmap scanning tool are used for cyber-attacks and interferences; CNC milling and heat treatment processes are adopted as physical attack targets. The results show that the alert correlation method can reduce the false alerts significantly.

Multistage Signaling Game-Based Optimal Detection Strategies for Suppressing Malware Diffusion in Fog-Cloud-Based IoT Networks

We consider the Internet of Things (IoT) with malware diffusion and seek optimal malware detection strategies for preserving the privacy of smart objects in IoT networks and suppressing malware diffusion. To this end, we propose a malware detection infrastructure realized by an intrusion detection system (IDS) with cloud and fog computing to overcome the IDS deployment problem in smart objects due to their limited resources and heterogeneous subnetworks. We then employ a signaling game to disclose interactions between smart objects and the corresponding fog node because of malware uncertainty in smart objects. To minimize privacy leakage of smart objects, we also develop optimal strategies that maximize malware detection probability by theoretically computing the perfect Bayesian equilibrium of the game. Moreover, we analyze the factors influencing the optimal probability of a malicious smart object diffusing malware, and factors influencing the performance of a fog node in determining an infected smart object. Finally, we present a framework to demonstrate a potential and practical application of suppressing malware diffusion in IoT networks.

An Improved Malicious Behaviour Detection Via k-Means and Decision Tree

Data Mining algorithm which is applied as an anomaly detection system has been considered as one of the essential techniques in malicious behaviour detection. Unfortunately, such detection system is known for its inclination in detecting a cyber-malicious activity more accurately (i.e. maximizing malicious and non-malicious behaviours detection) and has become a persistent limitation in the deployment of intrusion detection systems. Consequently, these constraints will affect a number of important performance factors such as the accuracy, detection rate and false alarms. In this research, KMDT proposed as an anomaly detection model that utilized k-means clustering and decision tree classifier to maximize the detection of malicious behaviours by scrutinizing packet headers. The k-means clustering employed for labelling and plots the whole behaviours into identical cluster, which characterized the behaviours into suspicious or non-suspicious composition. Subsequently, these dissimilar clustered behaviours are reordered within two classes of types such as malicious and non-malicious via decision tree classifier. KMDT is a profitable finding which improved the anomaly detection performance in identifying suspicious and non-suspicious behaviours as well as characterizes it into malicious and non-malicious behaviours more accurately. These criteria have been validated by the result from the experiments throughout banking system environment dataset 2016. KMDT have detected more malicious behaviours accurately as contrast to discrete and diversely combined methods.

Game-theoretic strategies for IDS deployment in peer-to-peer networks

This work studies the problem of optimal positioning of Intrusion Detection Systems (IDSs) in a Peer-to-Peer (P2P) environment involving a number of peers and super-peers. This scenario applies to network architectures like that of Gnutella, Skype or Tor, which involve a huge number of leaf-peers and a selected number of super-peers who have higher responsibilities in the network. A malicious entity may become part of the P2P network by joining from any part of the network. It can attack a super-peer and thus disrupt the functioning of the P2P network. Peers may try to secure the network by running IDSs at certain strategically-chosen locations in the network. But a deterministic schedule of running and positioning the IDSs can be observed and thwarted by an adversary. In this paper, we explore the problem of strategically positioning IDSs in a P2P network with a randomized, game-theoretic approach. Our approach distributes the responsibility of running the IDSs between the peers in a randomized fashion and minimizes the probability of a successful attack.

Internal Security on an IDS Based on Agents

An Intrusion Detection System (IDS) can monitor different events that may occur in a determined network or host, and which affect any network security service (confidentiality, integrity, availability). Because of this, an IDS must be flexible and it must detect and trace each alert without affecting the systems performance. On the other hand, agents ina Multi- Agent system have inherent security problems due to their mobility; that's why we propose some techniques in order to provide internal security for the agents belonging to the system. The deployed IDS works with a multiagent platform and each component inside the infrastructure is verified using security techniques in order to provide integrity. Likewise, the agents can specialize in order to carry out specific jobs, for example monitoring TCP, UDP traffic, etc. The IDS can work without interfering in the system's performance. In this article we present a hierarchical IDS deployment with internal security on a multiagent system, using a platform named BESA with its processes, functions and results.

Prevention of selective black hole attacks on mobile ad hoc networks through intrusion detection systems

A black hole attack on a MANET refers to an attack by a malicious node, which forcibly acquires the route from a source to a destination by the falsification of sequence number and hop count of the routing message. A selective black hole is a node that can optionally and alternately perform a black hole attack or perform as a normal node. In this paper, several IDS (intrusion detection system) nodes are deployed in MANETs in order to detect and prevent selective black hole attacks. The IDS nodes must be set in sniff mode in order to perform the so-called ABM (Anti-Blackhole Mechanism) function, which is mainly used to estimate a suspicious value of a node according to the abnormal difference between the routing messages transmitted from the node. When a suspicious value exceeds a threshold, an IDS nearby will broadcast a block message, informing all nodes on the network, asking them to cooperatively isolate the malicious node. This study employs ns2 to validate the effect of the proposed IDS deployment, as IDS nodes can rapidly block a malicious node, without false positives, if a proper threshold is set.

A Game Theoretical Framework on Intrusion Detection in Heterogeneous Networks

Due to the dynamic, distributed, and heterogeneous nature of today's networks, intrusion detection systems (IDSs) have become a necessary addition to the security infrastructure and are widely deployed as a complementary line of defense to classical security approaches. In this paper, we address the intrusion detection problem in heterogeneous networks consisting of nodes with different noncorrelated security assets. In our study, two crucial questions are: What are the expected behaviors of rational attackers? What is the optimal strategy of the defenders (IDSs)? We answer the questions by formulating the network intrusion detection as a noncooperative game and performing an in-depth analysis on the Nash equilibrium and the engineering implications behind. Based on our game theoretical analysis, we derive the expected behaviors of rational attackers, the minimum monitor resource requirement, and the optimal strategy of the defenders. We then provide guidelines for IDS design and deployment. We also show how our game theoretical framework can be applied to configure the intrusion detection strategies in realistic scenarios via a case study. Finally, we evaluate the proposed game theoretical framework via simulations. The simulation results show both the correctness of the analytical results and the effectiveness of the proposed guidelines.