Unknown Cyber Attacks Research Articles

Nelder-Mead Optimized Weighted Voting Ensemble Learning for Network Intrusion Detection

The rise in internet usage and data transfer rates has led to numerous anomalies. Hence, anomaly-based intrusion detection systems (IDS) are essential in cybersecurity because of their ability to identify unknown cyber-attacks, especially zero-day attacks that signature-based IDS cannot detect. This study proposes an ensemble classification for intrusion detection using a weighted soft voting system with KNN, XGBoost, and Random Forest base models. The base model weights are optimized using the Nelder-Mead simplex method to improve the overall ensemble performance. We propose a robust intrusion detection framework that uses soft-voting classifier-level weights optimized using the Nelder-Mead algorithm and feature selection. We evaluated the system's performance using the KDD99 and UNSW-NB15 datasets, which demonstrated that the proposed approach exceeded other existing methods in respect of accuracy and provided comparable results with fewer features. The proposed system and its hyperparameter optimization technique were compared with other cyber threat detection and mitigation systems to determine their relative effectiveness and efficiency.

An Analysis of the Domain Names Linked to the Important World Events using a Longitudinal Measurement Approach

Since the lack of sufficient security mechanisms, domain system (DNS) has become the main operational infrastructure for cyber intruders to launch cyber-attacks. Therefore, how to discover and block the potential malicious domains and its corresponding IP addresses fast and accurately has become a hot research area as it is one of the most important method in preventing unknown cyber-attacks. In this paper, we proposed an approach to detect malicious domains by analyzing massive mobile web traffic data. We used multiple features to classify, including the textual features and the traffic statistics features of domains and presented three typical classifiers to compare the classifying effect of each. Spark framework is leveraged to speed up the calculation of a large-scale DNS traffic. The efficiency of our system makes us believe the approach can help a lot in the field of network security. The new features are harder to be tampered with and can help determine whether a domain is malicious from a more comprehensive perspective. We evaluate MalPortrait on the passive DNS traffic collected from real-world large ISP networks.

Resilient Output Containment Over Heterogeneous Wide-Area Networks: Mitigating Intermittent Communication and Unknown Cyber-Attacks

Resilient Output Containment Over Heterogeneous Wide-Area Networks: Mitigating Intermittent Communication and Unknown Cyber-Attacks

Enhancing Security Frameworks with Artificial Intelligence in Cybersecurity

Cybersecurity, in the digital era we live in today, has become a major concern that demands innovation. Data Science and Artificial Intelligence (AI) have played a central role in changing the way we understand and address cyber threats. This research will review the important role of innovation in this technology in improving an organization's ability to detect, prevent, and respond to cyber attacks. Identifying patterns and gaining insights from security events in cyber data, while developing appropriate data-based models, is a key element in realizing automated and intelligent security systems. This research reviews needs in the cyber security domain that can be addressed through Artificial Intelligence (AI) techniques. In this study, we employed quantitative methods to assess the impact of artificial intelligence on enhancing cybersecurity by distributing questionnaires to 85 respondents, which included companies operating in the banking and IT sectors. In addition, this research will explore how data-based intelligent decision-making systems are able to protect systems from known and unknown cyber attacks. This research will conclude by considering the future potential of Artificial Intelligence and cybersecurity.

An artificial immunity based intrusion detection system for unknown cyberattacks

The evolving unknown cyberattacks have rapidly expanded the cyber threat landscape. Identifying unknown cyberattacks, therefore, remains a challenging issue, compounded by the widespread implementation of emerging technologies, such as 5G, digital twin, etc. However, most existing intrusion detection systems (IDSs) are effective in detecting only known cyberattacks. In this paper, inspired by artificial immunity (AIm), we propose a hierarchical differential evolution based IDS, coined HiDE-IDS, to identify unknown cyberattacks. Specifically, we first map the multidimensional normal and abnormal network samples to self antigens and nonself antigens, respectively, in a multidimensional geometrical space. Second, a hierarchical differential evolution algorithm for self antigens is designed, to create newly-evolved antigens possibly used for generating cyberattack detectors. Third, a novel filtering mechanism is developed to eliminate invalid new antigens falling into the coverage of either known self or nonself antigens. Last, the remaining new antigens are employed to generate new detectors and further identify known and unknown cyberattacks. Extensive experiments demonstrate that the training efficiency of the proposed HiDE-IDS is significantly improved than recent IDSs. More importantly, while showing a favorable false positive rate of normal data, the HiDE-IDS achieves outperformed effectiveness in recognizing unknown cyberattacks (as well as known cyberattacks) compared to the state-of-the-art studies.

A self-adaptation-based approach to resilience improvement of complex internets of utility systems

Resilience improvement of complex internets of utility systems is still an open issue for the current research. Proposed solutions fail to implement an integrated approach to detection, mitigation, and reaction which is able to face both well-known and new, previously unknown cyber-attacks (in particular distributed ones, which constitute one of the most serious and still unresolved threat scenarios affecting networked systems). In this work, we present the conceptual architecture of a novel multi-layer distributed Intrusion Detection and Reaction System based on the Autonomic Communication paradigm. The architecture relies on a self-organizing cooperative overlay network of complementary components that are dynamically and autonomously adapted to face distributed cyberattacks against Industrial Control Systems. The proposed architecture aims at being a guideline for experts and practitioners to address the well-known problem of distributed nature of new types of cyber-attacks, by implementing mechanisms to orchestrate available resources for effective detection and remediation dynamically. A distributed flow monitoring system provides input data to cooperative intrusion detection agents, which allow correlating information from heterogeneous feeds to improve the identification of attacks originating from both the inside and the outside of the monitored network and to support customizable remediation mechanisms.

A Novel Detection Approach of Unknown Cyber-Attacks for Intra-Vehicle Networks Using Recurrence Plots and Neural Networks

Proliferation of connected services in modern vehicles could make them vulnerable to a wide range of cyber-attacks through intra-vehicle networks that connect various vehicle systems. Designers usually equip vehicles with predesigned counter-measures, but these may not be effective against novel cyber-attacks. Intrusion Detection Systems (IDSs) serve as an additional layer of defence when conventional measures that are implemented by the designers fail. Several intrusion detection techniques, such as rule-based IDS, have been proposed in the literature but these techniques have limited capability in detecting novel cyber-attacks. This paper proposes a new Machine Learning (ML)-based IDS for detecting novel cyber-attacks in intra-vehicle networks, specifically in Controller Area Networks (CANs). The proposed IDS generates high-level representations of CAN messages transmitted on the bus exploiting their temporal properties as well as the intra and inter message dependencies through the use of Recurrence Plot (RP), which are then fed into a bespoke Neural Network, designed and trained to detect novel intrusions. Evaluations of the performance of the proposed IDS in comparison with that of the state-of-the-art existing IDS schemes namely Decision Tree (DT), Random Forest (RF) and other well-known approaches demonstrate the superiority of the proposed IDS in this paper.

Anomaly and Cyber Attack Detection Technique Based on the Integration of Fractal Analysis and Machine Learning Methods

In modern data transmission networks, in order to constantly monitor network traffic and detect abnormal activity in it, as well as identify and classify cyber attacks, it is necessary to take into account a large number of factors and parameters, including possible network routes, data delay times, packet losses and new traffic properties that differ from normal. All this is an incentive to search for new methods and techniques for detecting cyber attacks and protecting data networks from them. The article discusses a technique for detecting anomalies and cyberattacks, designed for use in modern data networks, which is based on the integration of fractal analysis and machine learning methods. The technique is focused on real-time or near-real-time execution and includes several steps: (1) detecting anomalies in network traffic, (2) identifying cyber attacks in anomalies, and (3) classifying cyber attacks. The first stage is implemented using fractal analysis methods (evaluating the self-similarity of network traffic), the second and third stages are implemented using machine learning methods that use cells of recurrent neural networks with a long short-term memory. The issues of software implementation of the proposed technique are considered, including the formation of a data set containing network packets circulating in the data transmission network. The results of an experimental evaluation of the proposed technique, obtained using the generated data set, are presented. The results of the experiments showed a rather high efficiency of the proposed technique and the solutions developed for it, which allow early detection of both known and unknown cyber attacks.

Adaptive NN Finite-Time Resilient Control for Nonlinear Time-Delay Systems With Unknown False Data Injection and Actuator Faults.

This article considers neural network (NN)-based adaptive finite-time resilient control problem for a class of nonlinear time-delay systems with unknown fault data injection attacks and actuator faults. In the procedure of recursive design, a coordinate transformation and a modified fractional-order command-filtered (FOCF) backstepping technique are incorporated to handle the unknown false data injection attacks and overcome the issue of "explosion of complexity" caused by repeatedly taking derivatives for virtual control laws. The theoretical analysis proves that the developed resilient controller can guarantee the finite-time stability of the closed-loop system (CLS) and the stabilization errors converge to an adjustable neighborhood of zero. The foremost contributions of this work include: 1) by means of a modified FOCF technique, the adaptive resilient control problem of more general nonlinear time-delay systems with unknown cyberattacks and actuator faults is first considered; 2) different from most of the existing results, the commonly used assumptions on the sign of attack weight and prior knowledge of actuator faults are fully removed in this article. Finally, two simulation examples are given to demonstrate the effectiveness of the developed control scheme.

Secure Control for Cyber-Physical Systems Under Malicious Attacks

This article investigates the secure control problem for cyber-physical systems when the malicious data are injected into the cyber realm, which directly connects to the actuators. Based on moving target defense (MTD) and reinforcement learning, we propose a novel proactive and reactive defense control scheme. First, the system <inline-formula xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink"><tex-math notation="LaTeX">$(A,B)$</tex-math></inline-formula> is modeled as a switching system consisting of several controllable pairs <inline-formula xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink"><tex-math notation="LaTeX">$(A,\mathcal {B}_{l})$</tex-math></inline-formula> to facilitate the construction of the MTD control scheme. The controllable pairs <inline-formula xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink"><tex-math notation="LaTeX">$(A,\mathcal {B}_{l})$</tex-math></inline-formula> can be altered to update system dynamics under certain unpredictable switching probabilities for each subsystem, which can prevent the adversaries from effective attacks. Second, both attack detection and isolation schemes are designed to accurately locate and exclude the compromised actuators from a switching sequence. Third, a reinforcement learning algorithm based on the zero-sum game theory is proposed to design the defense control scheme when there exist no controllable subsystems to switch. To demonstrate the effectiveness of the defense control scheme, a three-tank system under unknown cyber attacks is illustrated.

A Novel Two-Stage Deep Learning Structure for Network Flow Anomaly Detection

Unknown cyber-attacks have appeared constantly. Several anomaly detection techniques based on semi-supervised learning have been proposed to detect these unknown cyber-attacks. Among them, the Denoising Auto-Encoder (DAE) scheme performs better than others in accuracy but is not good enough in precision. This paper proposes a novel two-stage deep learning structure for network flow anomaly detection by combining the models of Gate Recurrent Unit (GRU) and DAE. By using supervised anomaly detection with a selection mechanism to assist semi-supervised anomaly detection, the precision and accuracy of the anomaly detection system are improved. In the proposed structure, we first use the GRU model to analyze the network flow and then take the outcome from the Softmax function as a confidence score. When the score is more than or equal to the predefined confidence threshold, the GRU model outputs the flow as a positive result, no matter the flow is classified as normal or abnormal. When the score is less than the confidence threshold, GRU model outputs the flow as a negative result and passes the flow to DAE model for flow classification. DAE then determines a reconstruction error threshold by learning the pattern of normal flows. Accordingly, the flow is normal or abnormal depending on whether it is under or over the reconstruction error threshold. A comparative experiment is performed using NSL-KDD dataset as benchmark. The results revealed that the precision using the proposed scheme is 0.83% better than DAE. The accuracy using the proposed approach is 90.21%, which is better than Random Forest, Naïve Bayes, One-Dimensional Convolutional Neural Network, two-stage Auto-Encoder, etc. In addition, the proposed approach is also applied to the environment of software defined network (SDN). By adopting our approach in SDN environment, the precision and F-measure are significantly improved.

Using AI to detect and classify malicious domain names

On the Internet and other IP networks, the Domain Name System (DNS) is used to identify machines. Resource entries in the DNS link domain names to various sorts of data. Commonly, it is used to transform domain names to IP addresses so that computers may locate services and devices utilizing the underlying network protocols. Due to a lack of security safeguards, cybercriminals use the Domain Name System (DNS) to launch attacks. So how to quickly locate and block possibilities? Finding rogue websites and their IP addresses has become a prominent research topic. Preventing unknown cyber-attacks is critical. This article advocated analysing enormous amounts of mobile web traffic to find dangerous domains. To classify, we used text and domain traffic statistics. Then we gave three typical classifiers to compare their impacts. The Spark framework is used to calculate huge amounts of DNS traffic. Our system's efficiency persuades us. It can be very useful in network security. The new features are tough to use and assist in identifying rogue domains. We tested MalPortrait using real-world big ISP networks' passive DNS traffic.

Certificate-Based Signature Scheme for Industrial Internet of Things Using Hyperelliptic Curve Cryptography

The Industrial Internet of Things (IIoT) is a technology that uses the Internet of Things (IoT) infrastructure to sense, process, and communicate real-time events in the industrial system to cut down on unnecessary operating costs and to speed up industrial automation of internal and external working processes. Since the IIoT system inherits the same cyber-physical vulnerabilities that the IoT system already encounters, it requires additional work to address security concerns owing to its heterogeneous nature. As a result, an efficient security mechanism is essential to protect against various and unknown cyber-attacks. In this article, we propose a certificate-based signature scheme based on hyperelliptic curve cryptography (HECC), with the aim of improving security while reducing computational and communication costs in the IIoT environment. The proposed scheme outperforms existing schemes in terms of both computational and communication costs, as well as offering better security.

Data Discretization and Decision Boundary Data Point Analysis for Unknown Attack Detection

Researchers have continuously sought effective ways to immediately detect unknown (zero-day) cyberattacks. Most current methods rely on pattern-recognition to identify known threats when they appear; however, some newer capabilities use machine-learning (ML) anomaly detection tools that involve training a model based on normal network data, so the outliers can be identified and scrutinized in case they represent a new attack. Various deep-learning methods have been attempted for the latter, but training for unknown features and new events is problematic with machine learning (ML), owing to the need to train for the unknown, which actually increases the risk of false positives. Moreover, attacks developed using adversarial learning techniques can quickly outsmart such algorithms by hiding the attack in the normal distribution. To overcome these problems, this study applies data discretization and decision-boundary point analyses to scrutinize patterns near the thresholds of uncertainty. A novel discretization method is used to effectively train our model for the fuzzy c-means feature analysis of data points at the decision boundary, through which adversarial features are detected and classified based upon their entropy. Through this, it was possible to identify incorrectly detected attack data distributed near the model’s decision boundary. The National Security Laboratory’s Knowledge Discovery Dataset, which is commonly used to evaluate ML intrusion detection systems, is used to evaluate the proposed method. The results show that our model successfully identifies attacks at the decision boundary as desired and that its performance can be improved through classification. In addition, when classification was performed, it was confirmed that the accuracy performance of DoS attacks was improved by 5 to 7%, Probe by 7 to 10%, R2L by 4 to 7%, and U2R by 1 to 9%, compared to the existing model.

Necessity of data science for enhanced Cybersecurity

In a computing context, cybersecurity is undergoing massive shifts in technology and its operations in recent days, and data science is driving the change. Extracting security incident patterns or insights from cybersecurity data and building corresponding data-driven model, is the key to make a security system automated and intelligent. To understand and analyze the actual phenomena with data, various scientific methods, machine learning techniques, processes, and systems are used, which is commonly known as data science. In this paper, I have briefly described the data science its evolution its applications in cloud security and how cybersecurity data science came in existence what kind of advantages are given by Cybersecurity Data Science (CSDS) and its steps like, where the data is being gathered from relevant cybersecurity sources, and the analytics complement the latest data-driven patterns for providing more effective security solutions. The concept of cybersecurity data science allows making the computing process more actionable and intelligent as compared to traditional ones in the domain of cybersecurity. After that I have described the various upcoming challenges that can emerge after the frequent applications of CSDS, how machine learning and deep learning are applicable in it and types of algorithms that can be applicable in it. So, the overall paper is not only focuses on the origins of Data Science but it also describes its modern uses for the relevant cybersecurity field and data driven intelligent decision making system can protect our system from known and unknown cyber attacks.

A Multiagent and Machine Learning based Hybrid NIDS for Known and Unknown Cyber-attacks

The objective of this paper is to propose a hybrid Network Intrusion Detection System (NIDS) for the detection of cyber-attacks that may target modern computer networks. Indeed, in the era of technological evolution that the world is currently experiencing, hackers are constantly inventing new attack mechanisms that can bypass traditional security systems. Thus, NIDS are now an essential security brick to be deployed in corporate networks to detect known and zero-day attacks. In this research work, we propose a hybrid NIDS model based on the use of both a signature-based NIDS and an anomaly detection NIDS. The proposed system is based on agent technology, SNORT signature-based NIDS, machine learning techniques and the CICIDS2017 dataset is used for training and evaluation purposes. Thus, the CICIDS2017 dataset has undergone several pre-processing actions, namely, dataset cleaning, and dataset balancing as well as reducing the number of attributes (from 79 to 33 attributes). In addition, a set of machine learning algorithms are used, such as decision tree, random forest, Naive Bayes and multilayer perceptron, and are evaluated using some metrics, such as recall, precision, F-measure and accuracy. The detection methods used give very satisfactory results in terms of modeling benign network traffic and the accuracy reaches 99.9% for some algorithms.

Stability Oriented Design of Cyber Attack Resilient Controllers for Cooperative DC Microgrids

Due to the importance of reliability and security in dc microgrids, it is essential to provide maximum resilience against cyberattacks. However, insufficient global information in the microgrid makes it difficult to accurately identify the location of these attacks. To address these issues, this article develops a novel resilient distributed control mechanism, which ensures average voltage regulation and proportional load sharing in dc microgrids under unknown cyberattacks. The proposed resilient control design does not require any information regarding the nature or location of the attacks. By virtue of a graph theoretical approach and a Lyapunov-based framework, the proposed resilient distributed control strategy is designed in a way such that the system stability is always guaranteed following a comprehensive design mechanism. Finally, the robustness of the proposed resilient distributed control approach is demonstrated via simulations and validated by experimental results.

Towards a Multi-Agent based Network Intrusion Detection System for a Fleet of Drones

The objective of this research work is to propose a new model of intrusion detection system for a fleet of UAVs deployed with an ad hoc communication architecture. The security of a drone fleet is rarely addressed by the scientific community, and most research has focused on routing protocols and battery autonomy, while ignoring the security aspect. The multi-agent paradigm is considered the most adequate and appropriate solution to model an effective intrusion detection system capable of detecting intrusions targeting a drone fleet. Multi-agent systems can perfectly address the security problem of a drone fleet, given the mobility, autonomy, cooperation and distribution characteristics present in the network linking the different nodes of the fleet. The proposed model consists of a set of cooperative, autonomous, communicating, learning and intelligent agents that collaborate with each other to carry out intrusion and suspicious activity detection missions that can target the network of a fleet of drones. Our system is autonomous and can detect known and unknown cyber attacks in real time without the need for human experts, who generally design the signatures of known attacks for conventional intrusion detection systems.

The software for the formation of parameters etalons for cyber-attacks detection systems

The overwhelming majority of intrusion detection systems become an integral part of the protection of any network security, they are used to monitor suspicious activity in the system and detect an attack by an unauthorized party. Ac-tivating of cyberattacks initiates the creation of special technical solutions that can remain effective when new or modified types of cyber threats appear with unidentified or unclearly defined properties. The majority of such systems are aimed to detect suspicious activity or interfering in the network to take adequate measures to prevent cyber at-tacks. Current systems for detecting intrusions are those that are aimed to identify abnormal states, but they have a number of disadvantages. More effective in this regard are expert approaches based on the use of knowledge and experience of specialists in the relevant subject field. The construction of technical solutions and the creation of special tools (for example, software for detection systems that allow detection of previously unknown cyber attacks by controlling the current state of unclear parameters in a poorly formalized environment, based on expert approaches, is a promising area of research. Based on the well-known cyberattack detection system which is based on the methodology for detecting anomalies generated by cyber attacks and the set of appropriate methods and models, software provided by the basic algorithm and a number of developed procedures (grid construction, initialization of values based on a set of databases and modules; graphic forming of parameters, search of common points in ac-cordance with the basic rules and graphic interpretation of the result) allows to automate the process of forming parameters etalons for modern attack detection systems and display the results of detecting abnormal states at a given time interval.

Norwegian "Digital Border Defense" and Competence for the Unforeseen: A Grounded Theory Approach.

Strategic Competence Leadership (SCL) is a tool meant to ensure that the Norwegian Armed Forces Cyber Defence (NAFCD) has the necessary expertise to cope with current and future unforeseen events. This is necessary in order to develop a better digital border defense against digital threats from different state or non-state actors. Unforeseen cyber incidents include for instance “zero-days” attacks and similar severe threats. The goal of the SCL in the NAFCD is the development of a reliable “Cyber Resilience.” In the present study, we examine how the concept of SCL is understood and carried out on the different leadership and managerial levels in the NAFCD. Our research problem was how well prepared the NAFCD is for SCL and competence development for future competence needs, especially in relation to unforeseen events? Semi-structured interviews and document analyses of governance documents were used in the present study. The Strategic Didactic Model for the Unforeseen was used to construct nine research questions that were then given to the participants. The nine questions were sorted under three categories: organizational structures, competence development and needs, and plans, handling and communication. Fourteen leaders at different levels in the NAFCD participated in the study. Our main finding was that high-level (n = 4) and low-level (n = 10) participants differed in their views on SCL. As for unforeseen events, both levels shared the opinion that the NAFCD can cope with a low level of didactical degrees of the unforeseen (the degree to which the management has the competence to facilitate for adequate exercises for the different hierarchical levels in the organization, i.e., sudden unknown cyber-attacks). However, no common understanding of the term SCL was found among the participants. Interaction was interpreted to be very important to the participants, and they used professional networks to a high degree. In addition, unofficial lines of communication were very frequently used in relation to human resource exchange and development. By creating a common understanding within the NAFCD regarding the concept of SCL, it will be possible to improve the Norwegian digital border defense against unforeseen events.