Malicious Packets Research Articles

Enhanced Anomaly-Based Detection of the Distributed Denial of Service Attack using Modular Memetic Behavioral Analysis

The Internet’s popularity has proven to be an effective mode for data dissemination, and also advance the proliferation of adversaries whose exploits network for personal gain via unauthorized access that compromises a user device. Adversaries have achieved such feats via socially-engineered, subterfuge schemes – some of which deny users of network resources. These distributed denial of service (DDoS) attacks are carefully crafted to impact a large magnitude with the capability to wreak havoc at high levels of network infrastructures. This study posits a deep learning approach to distinguish between benign exchange of data and malicious attacks from data traffic. With benchmark ensemble such as XGBoost, Random Forest and Decision Tree – the results shows our proposed ensemble yields F1 of 0.9945, and outperforms XGBoost, RF and DT (with F1 of 0.9925, 0.9881 and 0.9805 respectively); And with an Accuracy of 0.9984 to outperform XGBoost, RF and DT (with 0.9981, 0.9964 and 0.9815 respectively). The proposed ensemble incorrectly classified only 283-instances with 13,418 correctly classified test instances with a 99.84% accuracy. Result shows our use of the deep learning memetic model effectively differentiate between genuine and malicious packets via anomaly-based detection. Keywords: Memetic Algorithm, Random Forest, XGBoost, feature selection, imbalanced dataset Aims Research Journal Reference Format: Sulu, G.A., Akazue, M.I., Edje, A.E., (2024): Enhancing computer network intrusion detection using the network behaviour analysis technique: a pilot study. Advances in Multidisciplinary and Scientific Research Journal Vol. 10. No. 2. Pp 125-142 www.isteams.net/aimsjournal. dx.doi.org/10.22624/AIMS/V10N2P11

Analysis of neural network detectors for network attacks

While network attacks play a critical role in many advanced persistent threat (APT) campaigns, an arms race exists between the network defenders and the adversary: to make APT campaigns stealthy, the adversary is strongly motivated to evade the detection system. However, new studies have shown that neural network is likely a game-changer in the arms race: neural network could be applied to achieve accurate, signature-free, and low-false-alarm-rate detection. In this work, we investigate whether the adversary could fight back during the next phase of the arms race. In particular, noticing that none of the existing adversarial example generation methods could generate malicious packets (and sessions) that can simultaneously compromise the target machine and evade the neural network detection model, we propose a novel attack method to achieve this goal. We have designed and implemented the new attack. We have also used Address Resolution Protocol (ARP) Poisoning and Domain Name System (DNS) Cache Poisoning as the case study to demonstrate the effectiveness of the proposed attack.

Cross-layer detection and defence mechanism against DDoS and DRDoS attacks in software-defined networks using P4 switches

This paper presents a comprehensive system for detecting and defending against distributed denial-of-service (DDoS) and distributed reflective denial-of-service (DRDoS) flood attacks in software-defined networking (SDN) environments using Programming Protocol-Independent Packet Processors (P4). The proposed system introduces a hybrid intrusion statistical threshold algorithm (HISTA) that analyzes intrusion data statistics to identify potential malicious attacks. Upon detection, the system utilises P4 programmability to implement a custom defence mechanism on the P4 switch. A novel Uruk protocol header collaborates with HISTA for enhanced cross-layer attack detection and categorisation. The HISTA-Uruk mechanism selectively discards malicious packets while ensuring uninterrupted communication for legitimate packets, effectively preventing DDoS/DRDoS attacks. Extensive experiments validate the system’s ability to efficiently detect and thwart various DDoS, DRDoS, and internal attacks, demonstrating its effectiveness in identifying threats and restoring impacted network connections across diverse attack scenarios.

PETRAK: A solution against DDoS attacks in vehicular networks

In recent years, the frequently reported incidents of Distributed Denial of Service assaults on vehicular networks in various countries have made researchers find new protective solutions. DDoS attacks can propagate through the charging points for electric vehicles in a charging station and affect the production of critical infrastructures such as electric grids. Existing solutions are efficient in attack detection; however, current systems do not offer multi-level protection, and zero-day vulnerabilities are prone to escape from the detection systems.In this paper, we address the problems mentioned above and introduce the first Machine Learning (ML)–based DDoS protective solution to combine prevention and detection mechanisms in vehicular networks. To be more specific, our proposed model is the first to consider the adaptive traffic threshold to generate the alarm for a suspicious amount of traffic flow in an Intrusion Detection Prevention System (IDPS). We call our proposed approach Protecting vEhicular neTworks against distRibuted deniAl of service attacKs (PETRAK). PETRAK uses four functions: prevention, alarm, training, and detection. The alarming system uses the flow parameters and activates the detection module to detect malicious packets. The prevention system works in two modes: immediate and future. PETRAK uses logistic regression to identify incoming packets and signatures of malicious packets to prevent future attacks. We also show that our proposed model is implacable towards advanced post-quantum cryptography-based traffic and also able to analyse side-channel attacks. We run a comprehensive set of experiments to test PETRAK on our synthesized dataset, KDDCUP’99 dataset, CIC-MalMem-2022, and the ToN-IoT dataset. We observe that PETRAK shows an accuracy of 99%. The results claim the efficiency of PETRAK in detecting and preventing DDoS attacks in vehicular networks.

A secure framework for effective workload resource management

An efficient and dynamic role-based access-control (RBAC) model is presented in this work which utilizes access-control for internet of things (IoT) nodes while minimizing storage and computational overhead. Also, for the identification of the malicious packets at the gateway server, a machine learning method has been presented. In addition, a framework for data management techniques in the IoT environment is designed to ensure efficient and secure storage, management, and processing of IoT data. The results have been evaluated by using the Montage and Cybershake workload in terms of energy consumption, processing time, detection accuracy and misclassification rate. The results show that the proposed secure framework for effective workload resource management (SFE-WRM) attains better performance in comparison to the reliable and energy‐efficient route selection (REERS) and FTA-WRM method. Also, by using the security method, the proposed method provides better security to the IoT nodes during the data aggregation and processing of the workload. The ultimate aim of this work is to provide a solution for the development of a secure and efficient IoT environment that can address critical security challenges and enable the widespread adoption of IoT devices and services.

Malicious Packet Detection Technology Using Reinforcement Learning

In the present day, the advancement of 5G and Internet of Things (IoT) technology has resulted in the interconnectedness of everyday objects through networks. However, attempts to exploit networked computers for malicious purposes continue to rise while the attacks utilizing malicious codes to compromise user information's confidentiality and integrity are becoming increasingly sophisticated and intelligent. To counter these evolving threats, researches have been conducted on a method to identify malicious network packets using a combination of security control systems and Artificial Intelligence (AI) technology, especially supervised learning. Unfortunately, the current cybersecurity control systems suffer from inefficiencies in terms of both manpower and cost. Moreover, the surge in remote work has created challenges in responding swiftly to security incidents. Furthermore, the existing AI technology based on supervised learning has limitations, particularly in detecting new variants of malicious code, and its accuracy in identifying malicious code depends heavily on the quantity and quality of available data. In light of these challenges, this study, reinforcement learning is employed to overcome the limitations of the original supervised learning-based malicious packet detection system, such as high dependency on training data and the failure to detect variant malicious packets. This research proposes a malicious packet detection technology capable of addressing new malicious packets or variant types effectively.

Dynamic Quantized Consensus Under DoS Attacks: Towards a Tight Zooming-Out Factor

This paper deals with dynamic quantized consensus of dynamical agents in a general form under packet losses induced by Denial-of-Service (DoS) attacks. The communication channel has limited bandwidth and hence the transmitted signals over the network are subject to quantization. To deal with agent's output, an observer is implemented at each node. The state of the observer is quantized by a finite-level quantizer and then transmitted over the network. To solve the problem of quantizer overflow under malicious packet losses, a zooming-in and out dynamic quantization mechanism is designed. By the new quantized controller proposed in the paper, the zooming-out factor is lower bounded by the spectral radius of the agent's dynamic matrix. A sufficient condition of quantization range is provided under which the finite-level quantizer is free of overflow. A sufficient condition of tolerable DoS attacks for achieving consensus is also provided. At last, we study scalar dynamical agents as a special case and further tighten the zooming-out factor to a value smaller than the agent's dynamic parameter. Under such a zooming-out factor, it is possible to recover the level of tolerable DoS attacks to that of unquantized consensus, and the quantizer is free of overflow.

Leveraging Metaheuristics for Feature Selection With Machine Learning Classification for Malicious Packet Detection in Computer Networks

Leveraging Metaheuristics for Feature Selection With Machine Learning Classification for Malicious Packet Detection in Computer Networks

CYBERSECURITY: RESEARCH ON METHODS FOR DETECTING DDOS ATTACKS

This article describes the problem of DDoS attacks, analyzing their nature and consequences. The paper covers common DDoS attack types, such as SYN flood, ICMP flood, UDP flood. Existing methods for detecting attacks from literature are reviewed, including machine learning approaches, including artificial neural networks, support vector machines and decision trees. The paper introduces a decision tree-based machine learning model for the detection of DDoS attacks. The model is trained and tested on a publicly available dataset. The dataset consists of 1,04,345 rows of data, where every row includes 23 features, such as source IP, destination IP, port number, number of bytes transferred from the switch port, etc. A similar set of characteristics can be obtained on a real network hardware using simple calculations, which makes it possible to approximate the model evaluation to real operating conditions. SYN flood, ICMP flood and UDP flood attack types are present in the data, as well as legitimate traffic. To avoid overfitting, only some columns were used, and columns such as IP addresses were discarded. The field “label” in each row of the dataset contains either 0 or 1 where 0 corresponds to legitimate traffic and 1 to malicious one. The problem of DDoS attack detection is therefore formally reduced to the task of binary classification of each row from the dataset. The constructed model achieves an average classification accuracy of 0.94 with a standard deviation at the level of 0.06 in detecting the above mentioned types of attacks. To objectively assess the effectiveness of the model and avoid distortion of the results, stratified 5-fold cross-validation was used. The developed model can be applied in the real world network hardware to filter malicious packets or as a tool for warning the administrator about an attack. This research advances cybersecurity by enhancing DDoS attack detection.

Hybrid defense mechanism against malicious packet dropping attack for MANET using game theory

Hybrid defense mechanism against malicious packet dropping attack for MANET using game theory

Comparative Analysis for Detecting Malicious packets in LAN Network using Bagging and Boosting Techniques

The security is the important one in sharing the data through the network. The intrusion detection system helps to classify the data as the normal or anomaly by using the machine learning algorithms. There is the large pool of machine learning algorithms which helps to find the anomaly. The algorithms have to find the connection that is normal or abnormal. The attacks are classified into four categories. Using the machine learning algorithm, the prediction is done to classify the packet as the normal or anomaly. The dataset used in this paper is communication of the LAN network which is happened in the very sensitive environments like military and Airforce. Various models are used to predict the anomaly but the bagging performs well in predicting the anomaly. There are various features associated in the dataset which helps to classify the network connection. The algorithms like adaboost was done with 10 iteration and the time for execution is 1.55 seconds and the accuracy are 94 %, bagging the time taken to execute the algorithm is 2.27 seconds, accuracy is 99%. Among these two algorithms the bagging performs well in predicting the abnormal data. Totally 42 attributes have been taken for the training and the testing purposes.

SlimBox: Lightweight Packet Inspection over Encrypted Traffic

Due to the explosive increase of enterprise network traffic, middleboxes that inspect packets through customized rules have been widely outsourced for cost-saving. Despite promising, redirecting enterprise traffic to remote middleboxes raises privacy concerns about the exposure of corporate secrets. To address this, existing solutions mainly apply searchable encryption (SE) to encrypt traffic and rules, enabling middlebox to perform pattern matching over ciphertexts without learning any sensitive information. However, SE is designed for searching pre-chosen keywords, and may cause extensive costs when applied directly to inspecting traffic in which the keywords cannot be determined in advance. The inefficiency of existing SE-based approaches motivates us to investigate a privacy-preserving and lightweight middlebox. To this end, this paper designs <inline-formula xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink"><tex-math>${\sf SlimBox}$</tex-math></inline-formula> , which rapidly screens out potentially malicious packets in constant time while incurring only moderate communication overhead. Our main idea is to fragment a traffic/rule string into sub-patterns to achieve conjunctive sub-pattern matching over ciphertexts, while incorporating the position information into the secure matching process to avoid false positives. Experiment results on real datasets show that <inline-formula xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink"><tex-math>${\sf SlimBox}$</tex-math></inline-formula> can achieve a good tradeoff between matching latency and communication cost compared to prior work.

Lightweight blockchain-assisted intrusion detection system in energy efficient MANETs

This paper focuses on achieving high-level security in Mobile Adhoc Networks (MANET) by incorporating Blockchain technology-based Intrusion Detection systems (IDS). The existing works on MANET security focus on either security prevention or detection. Thus, the security level attained by the prior works is unable to cope with the increasing attacks. To resolve this main issue, this research paper introduces Lightweight Blockchain assisted Intrusion Detection System (LB-IDS) which jointly prevents and detects the attacks held on mobile networks. Initially, the network nodes are authenticated by a lightweight Blockchain-based Multi-Factor Authentication (LBMFA) scheme. This procedure prevents the malicious nodes entry to the network. Then, data packets are transmitted through the optimal route which is selected by Multi-Objective Strawberry Optimization (MOSO) algorithm. The collected data packets are fed into IDS which classifies the data into normal and malicious packets. For IDS, we proposed Deep Q-Learning (DQL) algorithm which takes actions by learning the environment. As the mitigation step, the Blockchain is updated with the trust value according to the data packet classification. For such continuous monitoring, K-Mode Clustering (KMC) algorithm is proposed. On the whole, the proposed work improves the network security in MANET through Prevention, Detection, and Mitigation. The results of the presented work attains better security level, packet delivery ratio (PDR), energy efficiency, delay, and detection accuracy.

Bit scanner: Anomaly detection for in-vehicle CAN bus using binary sequence whitelisting

Due to the vulnerability of in-vehicle networks, particularly the Controller Area Network (CAN), malicious remote intrusion into vehicles has been a prominent public concern in recent years. The majority of existing technologies disregard the importance of the frame payload, making it difficult to detect tampered frames. In this paper, we propose Bit Scanner, a whitelist-based anomaly detection method that employs fine-grained checking for frame payload. Bit Scanner has no dependency on the CAN periodicity or CAN protocol. Its detection capabilities are evaluated using genuine CAN traffic collected from an autonomous bus. The results show that the proposed method has a malicious frames detection rate improvement of about 20% under replay attack scenarios, and a malicious packets detection rate improvement of at least 20% under tampering attack situations compared to the state-of-art methods.

A novel and distributed three phase consensus based secured data sharing in internet of things environment

The most essential part of any internet of things (IoT) model is the wireless sensor networks (WSN); latest technologies are combined with the applications of WSN results in fast, efficient, flexible as well as economical models. These networks are highly prone to attacks considering their characteristic nature, which includes self-organization, a topology that is dynamic, large-scale and constrained on the resources. Various models have been proposed for the detection of attacks in these wireless sensor networks. This research work proposes three-phase consensus based secured data sharing (TCSDS) in IoT environment. TCSDS adopts the consensus-based protocol for designing the security model in this research. Furthermore, TCSDS comprises three distinctive phases, each phase consisting of novel algorithm. First phase includes the setting up threshold value for sensor nodes. Second phase includes the efficient data packet transmission and third phase includes the efficient and secure routing, which tends to discard the unsecured nodes. TCSDS is evaluated considering the different parameter like energy consumption, malicious packet detection and throughput. Further comparison with the existing model is carried out based on the classified and misclassified packet; through the comparative analysis, it is observed that the TCSDS approach simply outperforms the existing model.

Defending SDN against packet injection attacks using deep learning

The (logically) centralized architecture of software-defined networks makes them an easy target for packet injection attacks. In these attacks, the attacker injects malicious packets into the SDN network to affect the services and performance of the SDN controller and overflows the capacity of the SDN switches. Such attacks have been shown to ultimately stop the network functioning in real-time, leading to network breakdowns. There have been significant works on detecting and defending against similar DoS attacks in non-SDN networks, but detection and protection techniques for SDN against packet injection attacks are still in their infancy. Furthermore, many of the proposed solutions have been shown to be easily bypassed by simple modifications to the attacking packets or by altering the attacking profile. In this paper, we develop novel Graph Convolutional Neural Network models and algorithms for grouping network nodes/users into security classes by learning from network data. We start with two simple classes — nodes that engage in suspicious packet injection attacks and nodes that are not. From these classes, we then partition the network into separate segments with different security policies using distributed Ryu controllers in an SDN network. We show in experiments on an emulated SDN that our detection solution outperforms alternative approaches with above 99% detection accuracy for various types (both old and new) of injection attacks. More importantly, our mitigation solution maintains continuous functions of non-compromised nodes while isolating compromised/suspicious nodes in real-time. All code and data are publicly available for the reproducibility of our results.

The facilities of detection by using a tool of Wireshark

Wireshark is easy for using as a packet inspection tool, in additional the feature of packets colorizing is easy for a various type of traffic. This paper exemplifies how Wireshark is used in networks as a tool. To clarify the effectiveness of malicious packet identification in any network, an experiment was conducted. Using the Wireshark program, testing was carried out in real time through experimentation and analysis. Inferences were drawn that clearly show Wireshark's capabilities as a tool in a powerful system for discovering the breach. The functionality of Wireshark is to analyze the network protocol and its open-source features for enabling the addition of likely tasks in the detecting devices were emphasized. Wireshark's skills for handling and interpreting packet data have been highlighted and the access control list (ACL) filtering has been the main application of Wireshark.

FSCB-IDS: Feature Selection and Minority Class Balancing for Attacks Detection in VANETs

Vehicular ad hoc networks (VANETs) are used for vehicle to vehicle (V2V) and vehicle to infrastructure (V2I) communications. They are a special type of mobile ad hoc networks (MANETs) that can share useful information to improve road traffic and safety. In VANETs, vehicles are interconnected through a wireless medium, making the network susceptible to various attacks, such as Denial of Service (DoS), Distributed Denial of Service (DDoS), or even black hole attacks that exploit the wireless medium to disrupt the network. These attacks degrade the network performance of VANETs and prevent legitimate users from accessing resources. VANETs face unique challenges due to the fast mobility of vehicles and dynamic changes in network topology. The high-speed movement of vehicles results in frequent alterations in the network structure, posing difficulties in establishing and maintaining stable communication. Moreover, the dynamic nature of VANETs, with vehicles joining and leaving the network regularly, adds complexity to implementing effective security measures. These inherent constraints necessitate the development of robust and efficient solutions tailored to VANETs, ensuring secure and reliable communication in dynamic and rapidly evolving environments. Therefore, securing communication in VANETs is a crucial requirement. Traditional security countermeasures are not pertinent to autonomous vehicles. However, many machine learning (ML) technologies are being utilized to classify malicious packet information and a variety of solutions have been suggested to improve security in VANETs. In this paper, we propose an enhanced intrusion detection framework for VANETs that leverages mutual information to select the most relevant features for building an effective model and synthetic minority oversampling (SMOTE) to deal with the class imbalance problem. Random Forest (RF) is applied as our classifier, and the proposed method is compared with different ML techniques such as logistic regression (LR), K-Nearest Neighbor (KNN), decision tree (DT), and Support Vector Machine (SVM). The model is tested on three datasets, namely ToN-IoT, NSL-KDD, and CICIDS2017, addressing challenges such as missing values, unbalanced data, and categorical values. Our model demonstrated great performance in comparison to other models. It achieved high accuracy, precision, recall, and f1 score, with a 100% accuracy rate on the ToN-IoT dataset and 99.9% on both NSL-KDD and CICIDS2017 datasets. Furthermore, the ROC curve analysis demonstrated our model’s exceptional performance, achieving a 100% AUC score.

An Efficient and Reliable Blockchain-based Trust Management Model for Electricity Trading Terminal

&lt;p&gt;A safe and reliable terminal environment is crucial to ensure the security of the electricity trading system. The existing terminal security system based on identity authentication and access control has internal threats that are difficult to solve. For example, multiple internal malicious nodes cause broadcast message tampering attacks and malicious packet loss, resulting in message dissemination failure. Existing blockchain-based trust management systems are good for addressing insider threats, but suffer from low efficiency. In order to solve the internal threat problem of the electric electricity trading system, from the perspective of trust evaluation and trust management of the terminal environment, an efficient and reliable blockchain-based electric trading terminal (ERBTM) trust management model is proposed. First of all, we collect a variety of trust factors to evaluate the credibility of the terminal, which solves the problem of accuracy in the process of trust assessment; secondly, we improve the speed of storing trust values on the chain and ensure the robustness of the system by improving the consensus algorithm; Finally, we designed the structure of the block that stores the trust value to ensure that the trust value is not tampered with. The experimental results show that, compared with similar methods, the ERBTM model can effectively deal with the endogenous security threats of terminals in the electricity trading environment, and has significant advantages in terms of efficiency and reliability. &lt;/p&gt; &lt;p&gt;&amp;nbsp;&lt;/p&gt;

A security-friendly privacy-preserving solution for federated learning

Federated learning is a privacy-aware collaborative machine learning method where the clients collaborate on constructing a global model by performing local model training using their training data and sending the local model updates to the server. Although it enhances privacy by letting the clients collaborate without sharing their training data, it is still prone to sophisticated privacy attacks because of possible information leakage from the local model updates sent to the server. To prevent such attacks, generally secure aggregation protocols are proposed so that the server will not be able to access the individual local model updates but the aggregated result. However, such secure aggregation approaches may not allow the execution of security mechanisms against some security attacks to model training, such as poisoning and backdoor attacks, because the server cannot access the individual local model updates and; therefore, cannot analyze them to detect anomalies resulting from these attacks. Thus, solutions that satisfy privacy and security at the same time or new privacy-preserving solutions that allow the server to execute some analysis on the local model updates without violating privacy are needed for federated learning. In this paper, we introduce a novel security-friendly privacy solution for federated learning based on multi-hop communication to hide clients’ identities. Our solution ensures that the forwardee clients in the path between the source client and the server cannot execute malicious activities by altering model updates and contributing to the global model construction with more than one local model update in one FL round. We then propose two different approaches to make the solution also robust against possible malicious packet drop behaviors by the forwardee clients.