1
|
Tides of Blockchain in IoT Cybersecurity. SENSORS (BASEL, SWITZERLAND) 2024; 24:3111. [PMID: 38793962 PMCID: PMC11124985 DOI: 10.3390/s24103111] [Citation(s) in RCA: 0] [Impact Index Per Article: 0] [Reference Citation Analysis] [Abstract] [Key Words] [Track Full Text] [Subscribe] [Scholar Register] [Received: 03/27/2024] [Revised: 05/03/2024] [Accepted: 05/13/2024] [Indexed: 05/26/2024]
Abstract
This paper surveys the implementation of blockchain technology in cybersecurity in Internet of Things (IoT) networks, presenting a comprehensive framework that integrates blockchain technology with intrusion detection systems (IDS) to enhance IDS performance. This paper reviews articles from various domains, including AI, blockchain, IDS, IoT, and Industrial IoT (IIoT), to identify emerging trends and challenges in this field. An analysis of various approaches incorporating AI and blockchain demonstrates the potentiality of integrating AI and blockchain to transform IDS. This paper's structure establishes the foundation for further investigation and provides a blueprint for the development of IDS that is accessible, scalable, transparent, immutable, and decentralized. A demonstration from case studies integrating AI and blockchain shows the viability of combining the duo to enhance performance. Despite the challenges posed by resource constraints and privacy concerns, it is notable that blockchain is the key to securing IoT networks and that continued innovation in this area is necessary. Further research into lightweight cryptography, efficient consensus mechanisms, and privacy-preserving techniques is needed to realize all of the potential of blockchain-powered cybersecurity in IoT.
Collapse
|
2
|
RobEns: Robust Ensemble Adversarial Machine Learning Framework for Securing IoT Traffic. SENSORS (BASEL, SWITZERLAND) 2024; 24:2626. [PMID: 38676241 PMCID: PMC11053586 DOI: 10.3390/s24082626] [Citation(s) in RCA: 0] [Impact Index Per Article: 0] [Reference Citation Analysis] [Abstract] [Key Words] [Grants] [Track Full Text] [Subscribe] [Scholar Register] [Received: 03/01/2024] [Revised: 03/29/2024] [Accepted: 04/10/2024] [Indexed: 04/28/2024]
Abstract
Recently, Machine Learning (ML)-based solutions have been widely adopted to tackle the wide range of security challenges that have affected the progress of the Internet of Things (IoT) in various domains. Despite the reported promising results, the ML-based Intrusion Detection System (IDS) proved to be vulnerable to adversarial examples, which pose an increasing threat. In fact, attackers employ Adversarial Machine Learning (AML) to cause severe performance degradation and thereby evade detection systems. This promoted the need for reliable defense strategies to handle performance and ensure secure networks. This work introduces RobEns, a robust ensemble framework that aims at: (i) exploiting state-of-the-art ML-based models alongside ensemble models for IDSs in the IoT network; (ii) investigating the impact of evasion AML attacks against the provided models within a black-box scenario; and (iii) evaluating the robustness of the considered models after deploying relevant defense methods. In particular, four typical AML attacks are considered to investigate six ML-based IDSs using three benchmarking datasets. Moreover, multi-class classification scenarios are designed to assess the performance of each attack type. The experiments indicated a drastic drop in detection accuracy for some attempts. To harden the IDS even further, two defense mechanisms were derived from both data-based and model-based methods. Specifically, these methods relied on feature squeezing as well as adversarial training defense strategies. They yielded promising results, enhanced robustness, and maintained standard accuracy in the presence or absence of adversaries. The obtained results proved the efficiency of the proposed framework in robustifying IDS performance within the IoT context. In particular, the accuracy reached 100% for black-box attack scenarios while preserving the accuracy in the absence of attacks as well.
Collapse
|
3
|
STNet: A Time-Frequency Analysis-Based Intrusion Detection Network for Distributed Optical Fiber Acoustic Sensing Systems. SENSORS (BASEL, SWITZERLAND) 2024; 24:1570. [PMID: 38475105 DOI: 10.3390/s24051570] [Citation(s) in RCA: 0] [Impact Index Per Article: 0] [Reference Citation Analysis] [Abstract] [Key Words] [Grants] [Track Full Text] [Subscribe] [Scholar Register] [Received: 12/23/2023] [Revised: 02/19/2024] [Accepted: 02/26/2024] [Indexed: 03/14/2024]
Abstract
Distributed optical fiber acoustic sensing (DAS) is promising for long-distance intrusion-anomaly detection tasks. However, realistic settings suffer from high-intensity interference noise, compromising the detection performance of DAS systems. To address this issue, we propose STNet, an intrusion detection network based on the Stockwell transform (S-transform), for DAS systems, considering the advantages of the S-transform in terms of noise resistance and ability to detect disturbances. Specifically, the signal detected by a DAS system is divided into space-time data matrices using a sliding window. Subsequently, the S-transform extracts the time-frequency features channel by channel. The extracted features are combined into a multi-channel time-frequency feature matrix and presented to STNet. Finally, a non-maximum suppression algorithm (NMS), suitable for locating intrusions, is used for the post-processing of the detection results. To evaluate the effectiveness of the proposed method, experiments were conducted using a realistic high-speed railway environment with high-intensity noise. The experimental results validated the satisfactory performance of the proposed method. Thus, the proposed method offers an effective solution for achieving high intrusion detection rates and low false alarm rates in complex environments.
Collapse
|
4
|
Detection of Malicious Threats Exploiting Clock-Gating Hardware Using Machine Learning. SENSORS (BASEL, SWITZERLAND) 2024; 24:983. [PMID: 38339700 PMCID: PMC10856995 DOI: 10.3390/s24030983] [Citation(s) in RCA: 0] [Impact Index Per Article: 0] [Reference Citation Analysis] [Abstract] [Key Words] [Grants] [Track Full Text] [Subscribe] [Scholar Register] [Received: 12/04/2023] [Revised: 01/19/2024] [Accepted: 01/29/2024] [Indexed: 02/12/2024]
Abstract
Embedded system technologies are increasingly being incorporated into manufacturing, smart grid, industrial control systems, and transportation systems. However, the vast majority of today's embedded platforms lack the support of built-in security features which makes such systems highly vulnerable to a wide range of cyber-attacks. Specifically, they are vulnerable to malware injection code that targets the power distribution system of an ARM Cortex-M-based microcontroller chipset (ARM, Cambridge, UK). Through hardware exploitation of the clock-gating distribution system, an attacker is capable of disabling/activating various subsystems on the chip, compromising the reliability of the system during normal operation. This paper proposes the development of an Intrusion Detection System (IDS) capable of detecting clock-gating malware deployed on ARM Cortex-M-based embedded systems. To enhance the robustness and effectiveness of our approach, we fully implemented, tested, and compared six IDSs, each employing different methodologies. These include IDSs based on K-Nearest Classifier, Random Forest, Logistic Regression, Decision Tree, Naive Bayes, and Stochastic Gradient Descent. Each of these IDSs was designed to identify and categorize various variants of clock-gating malware deployed on the system. We have analyzed the performance of these IDSs in terms of detection accuracy against various types of clock-gating malware injection code. Power consumption data collected from the chipset during normal operation and malware code injection attacks were used for models' training and validation. Our simulation results showed that the proposed IDSs, particularly those based on K-Nearest Classifier and Logistic Regression, were capable of achieving high detection rates, with some reaching a detection rate of 0.99. These results underscore the effectiveness of our IDSs in protecting ARM Cortex-M-based embedded systems against clock-gating malware.
Collapse
|
5
|
Development and Validation of a Cyber-Physical System Leveraging EFDPN for Enhanced WSN-IoT Network Security. SENSORS (BASEL, SWITZERLAND) 2023; 23:9294. [PMID: 38005679 PMCID: PMC10675451 DOI: 10.3390/s23229294] [Citation(s) in RCA: 0] [Impact Index Per Article: 0] [Reference Citation Analysis] [Abstract] [Key Words] [Grants] [Track Full Text] [Subscribe] [Scholar Register] [Received: 09/21/2023] [Revised: 11/14/2023] [Accepted: 11/15/2023] [Indexed: 11/26/2023]
Abstract
In the current digital era, Wireless Sensor Networks (WSNs) and the Internet of Things (IoT) are evolving, transforming human experiences by creating an interconnected environment. However, ensuring the security of WSN-IoT networks remains a significant hurdle, as existing security models are plagued with issues like prolonged training durations and complex classification processes. In this study, a robust cyber-physical system based on the Emphatic Farmland Fertility Integrated Deep Perceptron Network (EFDPN) is proposed to enhance the security of WSN-IoT. This initiative introduces the Farmland Fertility Feature Selection (F3S) technique to alleviate the computational complexity of identifying and classifying attacks. Additionally, this research leverages the Deep Perceptron Network (DPN) classification algorithm for accurate intrusion classification, achieving impressive performance metrics. In the classification phase, the Tunicate Swarm Optimization (TSO) model is employed to improve the sigmoid transformation function, thereby enhancing prediction accuracy. This study demonstrates the development of an EFDPN-based system designed to safeguard WSN-IoT networks. It showcases how the DPN classification technique, in conjunction with the TSO model, significantly improves classification performance. In this research, we employed well-known cyber-attack datasets to validate its effectiveness, revealing its superiority over traditional intrusion detection methods, particularly in achieving higher F1-score values. The incorporation of the F3S algorithm plays a pivotal role in this framework by eliminating irrelevant features, leading to enhanced prediction accuracy for the classifier, marking a substantial stride in fortifying WSN-IoT network security. This research presents a promising approach to enhancing the security and resilience of interconnected cyber-physical systems in the evolving landscape of WSN-IoT networks.
Collapse
|
6
|
Hybrid Deep Learning Techniques for Securing Bioluminescent Interfaces in Internet of Bio Nano Things. SENSORS (BASEL, SWITZERLAND) 2023; 23:8972. [PMID: 37960671 PMCID: PMC10648166 DOI: 10.3390/s23218972] [Citation(s) in RCA: 0] [Impact Index Per Article: 0] [Reference Citation Analysis] [Abstract] [Key Words] [MESH Headings] [Track Full Text] [Subscribe] [Scholar Register] [Received: 09/26/2023] [Revised: 10/27/2023] [Accepted: 11/02/2023] [Indexed: 11/15/2023]
Abstract
The Internet of bio-nano things (IoBNT) is an emerging paradigm employing nanoscale (~1-100 nm) biological transceivers to collect in vivo signaling information from the human body and communicate it to healthcare providers over the Internet. Bio-nano-things (BNT) offer external actuation of in-body molecular communication (MC) for targeted drug delivery to otherwise inaccessible parts of the human tissue. BNTs are inter-connected using chemical diffusion channels, forming an in vivo bio-nano network, connected to an external ex vivo environment such as the Internet using bio-cyber interfaces. Bio-luminescent bio-cyber interfacing (BBI) has proven to be promising in realizing IoBNT systems due to their non-obtrusive and low-cost implementation. BBI security, however, is a key concern during practical implementation since Internet connectivity exposes the interfaces to external threat vectors, and accurate classification of anomalous BBI traffic patterns is required to offer mitigation. However, parameter complexity and underlying intricate correlations among BBI traffic characteristics limit the use of existing machine-learning (ML) based anomaly detection methods typically requiring hand-crafted feature designing. To this end, the present work investigates the employment of deep learning (DL) algorithms allowing dynamic and scalable feature engineering to discriminate between normal and anomalous BBI traffic. During extensive validation using singular and multi-dimensional models on the generated dataset, our hybrid convolutional and recurrent ensemble (CNN + LSTM) reported an accuracy of approximately ~93.51% over other deep and shallow structures. Furthermore, employing a hybrid DL network allowed automated extraction of normal as well as temporal features in BBI data, eliminating manual selection and crafting of input features for accurate prediction. Finally, we recommend deployment primitives of the extracted optimal classifier in conventional intrusion detection systems as well as evolving non-Von Neumann architectures for real-time anomaly detection.
Collapse
|
7
|
CTSF: An Intrusion Detection Framework for Industrial Internet Based on Enhanced Feature Extraction and Decision Optimization Approach. SENSORS (BASEL, SWITZERLAND) 2023; 23:8793. [PMID: 37960495 PMCID: PMC10647644 DOI: 10.3390/s23218793] [Citation(s) in RCA: 0] [Impact Index Per Article: 0] [Reference Citation Analysis] [Abstract] [Key Words] [Grants] [Track Full Text] [Subscribe] [Scholar Register] [Received: 09/27/2023] [Revised: 10/20/2023] [Accepted: 10/27/2023] [Indexed: 11/15/2023]
Abstract
The traditional Transformer model primarily employs a self-attention mechanism to capture global feature relationships, potentially overlooking local relationships within sequences and thus affecting the modeling capability of local features. For Support Vector Machine (SVM), it often requires the joint use of feature selection algorithms or model optimization methods to achieve maximum classification accuracy. Addressing the issues in both models, this paper introduces a novel network framework, CTSF, specifically designed for Industrial Internet intrusion detection. CTSF effectively addresses the limitations of traditional Transformers in extracting local features while compensating for the weaknesses of SVM. The framework comprises a pre-training component and a decision-making component. The pre-training section consists of both CNN and an enhanced Transformer, designed to capture both local and global features from input data while reducing data feature dimensions. The improved Transformer simultaneously decreases certain training parameters within CTSF, making it more suitable for the Industrial Internet environment. The classification section is composed of SVM, which receives initial classification data from the pre-training phase and determines the optimal decision boundary. The proposed framework is evaluated on an imbalanced subset of the X-IIOTID dataset, which represent Industrial Internet data. Experimental results demonstrate that with SVM using both "linear" and "rbf" kernel functions, CTSF achieves an overall accuracy of 0.98875 and effectively discriminates minor classes, showcasing the superiority of this framework.
Collapse
|
8
|
Vehicular Network Intrusion Detection Using a Cascaded Deep Learning Approach with Multi-Variant Metaheuristic. SENSORS (BASEL, SWITZERLAND) 2023; 23:8772. [PMID: 37960470 PMCID: PMC10650029 DOI: 10.3390/s23218772] [Citation(s) in RCA: 0] [Impact Index Per Article: 0] [Reference Citation Analysis] [Abstract] [Key Words] [Track Full Text] [Subscribe] [Scholar Register] [Received: 09/12/2023] [Revised: 10/16/2023] [Accepted: 10/23/2023] [Indexed: 11/15/2023]
Abstract
Vehicle malfunctions have a direct impact on both human and road safety, making vehicle network security an important and critical challenge. Vehicular ad hoc networks (VANETs) have grown to be indispensable in recent years for enabling intelligent transport systems, guaranteeing traffic safety, and averting collisions. However, because of numerous types of assaults, such as Distributed Denial of Service (DDoS) and Denial of Service (DoS), VANETs have significant difficulties. A powerful Network Intrusion Detection System (NIDS) powered by Artificial Intelligence (AI) is required to overcome these security issues. This research presents an innovative method for creating an AI-based NIDS that uses Deep Learning methods. The suggested model specifically incorporates the Self Attention-Based Bidirectional Long Short-Term Memory (SA-BiLSTM) for classification and the Cascaded Convolution Neural Network (CCNN) for learning high-level features. The Multi-variant Gradient-Based Optimization algorithm (MV-GBO) is applied to improve CCNN and SA-BiLSTM further to enhance the model's performance. Additionally, information gained using MV-GBO-based feature extraction is employed to enhance feature learning. The effectiveness of the proposed model is evaluated on reliable datasets such as KDD-CUP99, ToN-IoT, and VeReMi, which are utilized on the MATLAB platform. The proposed model achieved 99% accuracy on all the datasets.
Collapse
|
9
|
A Lightweight Unsupervised Intrusion Detection Model Based on Variational Auto-Encoder. SENSORS (BASEL, SWITZERLAND) 2023; 23:8407. [PMID: 37896500 PMCID: PMC10611103 DOI: 10.3390/s23208407] [Citation(s) in RCA: 1] [Impact Index Per Article: 1.0] [Reference Citation Analysis] [Abstract] [Key Words] [Track Full Text] [Subscribe] [Scholar Register] [Received: 08/27/2023] [Revised: 10/09/2023] [Accepted: 10/10/2023] [Indexed: 10/29/2023]
Abstract
With the gradual integration of internet technology and the industrial control field, industrial control systems (ICSs) have begun to access public networks on a large scale. Attackers use these public network interfaces to launch frequent invasions of industrial control systems, thus resulting in equipment failure and downtime, production data leakage, and other serious harm. To ensure security, ICSs urgently need a mature intrusion detection mechanism. Most of the existing research on intrusion detection in ICSs focuses on improving the accuracy of intrusion detection, thereby ignoring the problem of limited equipment resources in industrial control environments, which makes it difficult to apply excellent intrusion detection algorithms in practice. In this study, we first use the spectral residual (SR) algorithm to process the data; we then propose the improved lightweight variational autoencoder (LVA) with autoregression to reconstruct the data, and we finally perform anomaly determination based on the permutation entropy (PE) algorithm. We construct a lightweight unsupervised intrusion detection model named LVA-SP. The model as a whole adopts a lightweight design with a simpler network structure and fewer parameters, which achieves a balance between the detection accuracy and the system resource overhead. Experimental results on the ICSs dataset show that our proposed LVA-SP model achieved an F1-score of 84.81% and has advantages in terms of time and memory overhead.
Collapse
|
10
|
Data-Driven Network Analysis for Anomaly Traffic Detection. SENSORS (BASEL, SWITZERLAND) 2023; 23:8174. [PMID: 37837004 PMCID: PMC10574999 DOI: 10.3390/s23198174] [Citation(s) in RCA: 0] [Impact Index Per Article: 0] [Reference Citation Analysis] [Abstract] [Key Words] [Grants] [Track Full Text] [Subscribe] [Scholar Register] [Received: 07/28/2023] [Revised: 09/06/2023] [Accepted: 09/15/2023] [Indexed: 10/15/2023]
Abstract
Cybersecurity is a critical issue in today's internet world. Classical security systems, such as firewalls based on signature detection, cannot detect today's sophisticated zero-day attacks. Machine learning (ML) based solutions are more attractive for their capabilities of detecting anomaly traffic from benign traffic, but to develop an ML-based anomaly detection system, we need meaningful or realistic network datasets to train the detection engine. There are many public network datasets for ML applications. Still, they have limitations, such as the data creation process and the lack of diverse attack scenarios or background traffic. To create a good detection engine, we need a realistic dataset with various attack scenarios and various types of background traffic, such as HTTPs, streaming, and SMTP traffic. In this work, we have developed realistic network data or datasets considering various attack scenarios and diverse background/benign traffic. Furthermore, considering the importance of distributed denial of service (DDoS) attacks, we have compared the performance of detecting anomaly traffic of some classical supervised and our prior developed unsupervised ML algorithms based on the convolutional neural network (CNN) and pseudo auto-encoder (AE) architecture based on the created datasets. The results show that the performance of the CNN-Pseudo-AE is comparable to that of many classical supervised algorithms. Hence, the CNN-Pseudo-AE algorithm is promising in actual implementation.
Collapse
|
11
|
Secure and Privacy-Preserving Intrusion Detection and Prevention in the Internet of Unmanned Aerial Vehicles. SENSORS (BASEL, SWITZERLAND) 2023; 23:8077. [PMID: 37836907 PMCID: PMC10575224 DOI: 10.3390/s23198077] [Citation(s) in RCA: 0] [Impact Index Per Article: 0] [Reference Citation Analysis] [Abstract] [Key Words] [Grants] [Track Full Text] [Subscribe] [Scholar Register] [Received: 08/25/2023] [Revised: 09/15/2023] [Accepted: 09/24/2023] [Indexed: 10/15/2023]
Abstract
In smart cities, unmanned aerial vehicles (UAVS) play a vital role in surveillance, monitoring, and data collection. However, the widespread integration of UAVs brings forth a pressing concern: security and privacy vulnerabilities. This study introduces the SP-IoUAV (Secure and Privacy Preserving Intrusion Detection and Prevention for UAVS) model, tailored specifically for the Internet of UAVs ecosystem. The challenge lies in safeguarding UAV operations and ensuring data confidentiality. Our model employs cutting-edge techniques, including federated learning, differential privacy, and secure multi-party computation. These fortify data confidentiality and enhance intrusion detection accuracy. Central to our approach is the integration of deep neural networks (DNNs) like the convolutional neural network-long short-term memory (CNN-LSTM) network, enabling real-time anomaly detection and precise threat identification. This empowers UAVs to make immediate decisions in dynamic environments. To proactively counteract security breaches, we have implemented a real-time decision mechanism triggering alerts and initiating automatic blacklisting. Furthermore, multi-factor authentication (MFA) strengthens access security for the intrusion detection system (IDS) database. The SP-IoUAV model not only establishes a comprehensive machine framework for safeguarding UAV operations but also advocates for secure and privacy-preserving machine learning in UAVS. Our model's effectiveness is validated using the CIC-IDS2017 dataset, and the comparative analysis showcases its superiority over previous approaches like FCL-SBL, RF-RSCV, and RBFNNs, boasting exceptional levels of accuracy (99.98%), precision (99.93%), recall (99.92%), and F-Score (99.92%).
Collapse
|
12
|
A Novel Efficient Dynamic Throttling Strategy for Blockchain-Based Intrusion Detection Systems in 6G-Enabled VSNs. SENSORS (BASEL, SWITZERLAND) 2023; 23:8006. [PMID: 37766062 PMCID: PMC10537506 DOI: 10.3390/s23188006] [Citation(s) in RCA: 0] [Impact Index Per Article: 0] [Reference Citation Analysis] [Abstract] [Key Words] [Track Full Text] [Subscribe] [Scholar Register] [Received: 07/21/2023] [Revised: 09/12/2023] [Accepted: 09/18/2023] [Indexed: 09/29/2023]
Abstract
Vehicular Social Networks (VSNs) have emerged as a new social interaction paradigm, where vehicles can form social networks on the roads to improve the convenience/safety of passengers. VSNs are part of Vehicle to Everything (V2X) services, which is one of the industrial verticals in the coming sixth generation (6G) networks. The lower latency, higher connection density, and near-100% coverage envisaged in 6G will enable more efficient implementation of VSNs applications. The purpose of this study is to address the problem of lateral movements of attackers who could compromise one device in a VSN, given the large number of connected devices and services in VSNs and attack other devices and vehicles. This challenge is addressed via our proposed Blockchain-based Collaborative Distributed Intrusion Detection (BCDID) system with a novel Dynamic Throttling Strategy (DTS) to detect and prevent attackers' lateral movements in VSNs. Our experiments showed how the proposed DTS improve the effectiveness of the BCDID system in terms of detection capabilities and handling queries three times faster than the default strategy with 350k queries tested. We concluded that our DTS strategy can increase transaction processing capacity in the BCDID system and improve its performance while maintaining the integrity of data on-chain.
Collapse
|
13
|
Detecting Cyber Attacks In-Vehicle Diagnostics Using an Intelligent Multistage Framework. SENSORS (BASEL, SWITZERLAND) 2023; 23:7941. [PMID: 37765997 PMCID: PMC10535859 DOI: 10.3390/s23187941] [Citation(s) in RCA: 0] [Impact Index Per Article: 0] [Reference Citation Analysis] [Abstract] [Key Words] [Track Full Text] [Subscribe] [Scholar Register] [Received: 08/06/2023] [Revised: 09/05/2023] [Accepted: 09/07/2023] [Indexed: 09/29/2023]
Abstract
The advanced technology of vehicles makes them vulnerable to external exploitation. The current trend of research is to impose security measures to protect vehicles from different aspects. One of the main problems that counter Intrusion Detection Systems (IDSs) is the necessity to have a low false acceptance rate (FA) with high detection accuracy without major changes in the vehicle network infrastructure. Furthermore, the location of IDSs can be controversial due to the limitations and concerns of Electronic Control Units (ECUs). Thus, we propose a novel framework of multistage to detect abnormality in vehicle diagnostic data based on specifications of diagnostics and stacking ensemble for various machine learning models. The proposed framework is verified against the KIA SOUL and Seat Leon 2018 datasets. Our IDS is evaluated against point anomaly attacks and period anomaly attacks that have not been used in its training. The results show the superiority of the framework and its robustness with high accuracy of 99.21%, a low false acceptance rate of 0.003%, and a good detection rate (DR) of 99.63% for Seat Leon 2018, and an accuracy of 99.22%, a low false acceptance rate of 0.005%, and good detection rate of 98.59% for KIA SOUL.
Collapse
|
14
|
SGAN-IDS: Self-Attention-Based Generative Adversarial Network against Intrusion Detection Systems. SENSORS (BASEL, SWITZERLAND) 2023; 23:7796. [PMID: 37765852 PMCID: PMC10538047 DOI: 10.3390/s23187796] [Citation(s) in RCA: 0] [Impact Index Per Article: 0] [Reference Citation Analysis] [Abstract] [Key Words] [Grants] [Track Full Text] [Subscribe] [Scholar Register] [Received: 07/30/2023] [Revised: 08/30/2023] [Accepted: 09/05/2023] [Indexed: 09/29/2023]
Abstract
In cybersecurity, a network intrusion detection system (NIDS) is a critical component in networks. It monitors network traffic and flags suspicious activities. To effectively detect malicious traffic, several detection techniques, including machine learning-based NIDSs (ML-NIDSs), have been proposed and implemented. However, in much of the existing ML-NIDS research, the experimental settings do not accurately reflect real-world scenarios where new attacks are constantly emerging. Thus, the robustness of intrusion detection systems against zero-day and adversarial attacks is a crucial area that requires further investigation. In this paper, we introduce and develop a framework named SGAN-IDS. This framework constructs adversarial attack flows designed to evade detection by five BlackBox ML-based IDSs. SGAN-IDS employs generative adversarial networks and self-attention mechanisms to generate synthetic adversarial attack flows that are resilient to detection. Our evaluation results demonstrate that SGAN-IDS has successfully constructed adversarial flows for various attack types, reducing the detection rate of all five IDSs by an average of 15.93%. These findings underscore the robustness and broad applicability of the proposed model.
Collapse
|
15
|
Ensemble Model Based on Hybrid Deep Learning for Intrusion Detection in Smart Grid Networks. SENSORS (BASEL, SWITZERLAND) 2023; 23:7464. [PMID: 37687919 PMCID: PMC10490611 DOI: 10.3390/s23177464] [Citation(s) in RCA: 0] [Impact Index Per Article: 0] [Reference Citation Analysis] [Abstract] [Key Words] [Grants] [Track Full Text] [Subscribe] [Scholar Register] [Received: 07/26/2023] [Revised: 08/19/2023] [Accepted: 08/22/2023] [Indexed: 09/10/2023]
Abstract
The Smart Grid aims to enhance the electric grid's reliability, safety, and efficiency by utilizing digital information and control technologies. Real-time analysis and state estimation methods are crucial for ensuring proper control implementation. However, the reliance of Smart Grid systems on communication networks makes them vulnerable to cyberattacks, posing a significant risk to grid reliability. To mitigate such threats, efficient intrusion detection and prevention systems are essential. This paper proposes a hybrid deep-learning approach to detect distributed denial-of-service attacks on the Smart Grid's communication infrastructure. Our method combines the convolutional neural network and recurrent gated unit algorithms. Two datasets were employed: The Intrusion Detection System dataset from the Canadian Institute for Cybersecurity and a custom dataset generated using the Omnet++ simulator. We also developed a real-time monitoring Kafka-based dashboard to facilitate attack surveillance and resilience. Experimental and simulation results demonstrate that our proposed approach achieves a high accuracy rate of 99.86%.
Collapse
|
16
|
Multi-Criteria Feature Selection Based Intrusion Detection for Internet of Things Big Data. SENSORS (BASEL, SWITZERLAND) 2023; 23:7434. [PMID: 37687889 PMCID: PMC10490686 DOI: 10.3390/s23177434] [Citation(s) in RCA: 0] [Impact Index Per Article: 0] [Reference Citation Analysis] [Abstract] [Key Words] [Grants] [Track Full Text] [Subscribe] [Scholar Register] [Received: 08/03/2023] [Revised: 08/21/2023] [Accepted: 08/24/2023] [Indexed: 09/10/2023]
Abstract
The rapid growth of the Internet of Things (IoT) and big data has raised security concerns. Protecting IoT big data from attacks is crucial. Detecting real-time network attacks efficiently is challenging, especially in the resource-limited IoT setting. To enhance IoT security, intrusion detection systems using traffic features have emerged. However, these face difficulties due to varied traffic feature formats, hindering fast and accurate detection model training. To tackle accuracy issues caused by irrelevant features, a new model, LVW-MECO (LVW enhanced with multiple evaluation criteria), is introduced. It uses the LVW (Las Vegas Wrapper) algorithm with multiple evaluation criteria to identify pertinent features from IoT network data, boosting intrusion detection precision. Experimental results confirm its efficacy in addressing IoT security problems. LVW-MECO enhances intrusion detection performance and safeguards IoT data integrity, promoting a more secure IoT environment.
Collapse
|
17
|
A Systematic Review of Data-Driven Attack Detection Trends in IoT. SENSORS (BASEL, SWITZERLAND) 2023; 23:7191. [PMID: 37631728 PMCID: PMC10457981 DOI: 10.3390/s23167191] [Citation(s) in RCA: 0] [Impact Index Per Article: 0] [Reference Citation Analysis] [Abstract] [Key Words] [Track Full Text] [Subscribe] [Scholar Register] [Received: 06/30/2023] [Revised: 08/08/2023] [Accepted: 08/09/2023] [Indexed: 08/27/2023]
Abstract
The Internet of Things is perhaps a concept that the world cannot be imagined without today, having become intertwined in our everyday lives in the domestic, corporate and industrial spheres. However, irrespective of the convenience, ease and connectivity provided by the Internet of Things, the security issues and attacks faced by this technological framework are equally alarming and undeniable. In order to address these various security issues, researchers race against evolving technology, trends and attacker expertise. Though much work has been carried out on network security to date, it is still seen to be lagging in the field of Internet of Things networks. This study surveys the latest trends used in security measures for threat detection, primarily focusing on the machine learning and deep learning techniques applied to Internet of Things datasets. It aims to provide an overview of the IoT datasets available today, trends in machine learning and deep learning usage, and the efficiencies of these algorithms on a variety of relevant datasets. The results of this comprehensive survey can serve as a guide and resource for identifying the various datasets, experiments carried out and future research directions in this field.
Collapse
|
18
|
Traffic Management in IoT Backbone Networks Using GNN and MAB with SDN Orchestration. SENSORS (BASEL, SWITZERLAND) 2023; 23:7091. [PMID: 37631627 PMCID: PMC10458845 DOI: 10.3390/s23167091] [Citation(s) in RCA: 0] [Impact Index Per Article: 0] [Reference Citation Analysis] [Abstract] [Key Words] [Grants] [Track Full Text] [Subscribe] [Scholar Register] [Received: 06/13/2023] [Revised: 08/05/2023] [Accepted: 08/08/2023] [Indexed: 08/27/2023]
Abstract
Traffic management is a critical task in software-defined IoT networks (SDN-IoTs) to efficiently manage network resources and ensure Quality of Service (QoS) for end-users. However, traditional traffic management approaches based on queuing theory or static policies may not be effective due to the dynamic and unpredictable nature of network traffic. In this paper, we propose a novel approach that leverages Graph Neural Networks (GNNs) and multi-arm bandit algorithms to dynamically optimize traffic management policies based on real-time network traffic patterns. Specifically, our approach uses a GNN model to learn and predict network traffic patterns and a multi-arm bandit algorithm to optimize traffic management policies based on these predictions. We evaluate the proposed approach on three different datasets, including a simulated corporate network (KDD Cup 1999), a collection of network traffic traces (CAIDA), and a simulated network environment with both normal and malicious traffic (NSL-KDD). The results demonstrate that our approach outperforms other state-of-the-art traffic management methods, achieving higher throughput, lower packet loss, and lower delay, while effectively detecting anomalous traffic patterns. The proposed approach offers a promising solution to traffic management in SDNs, enabling efficient resource management and QoS assurance.
Collapse
|
19
|
HealthLock: Blockchain-Based Privacy Preservation Using Homomorphic Encryption in Internet of Things Healthcare Applications. SENSORS (BASEL, SWITZERLAND) 2023; 23:6762. [PMID: 37571545 PMCID: PMC10422473 DOI: 10.3390/s23156762] [Citation(s) in RCA: 6] [Impact Index Per Article: 6.0] [Reference Citation Analysis] [Abstract] [Key Words] [MESH Headings] [Grants] [Track Full Text] [Subscribe] [Scholar Register] [Received: 06/06/2023] [Revised: 06/28/2023] [Accepted: 06/29/2023] [Indexed: 08/13/2023]
Abstract
The swift advancement of the Internet of Things (IoT), coupled with the growing application of healthcare software in this area, has given rise to significant worries about the protection and confidentiality of critical health data. To address these challenges, blockchain technology has emerged as a promising solution, providing decentralized and immutable data storage and transparent transaction records. However, traditional blockchain systems still face limitations in terms of preserving data privacy. This paper proposes a novel approach to enhancing privacy preservation in IoT-based healthcare applications using homomorphic encryption techniques combined with blockchain technology. Homomorphic encryption facilitates the performance of calculations on encrypted data without requiring decryption, thus safeguarding the data's privacy throughout the computational process. The encrypted data can be processed and analyzed by authorized parties without revealing the actual contents, thereby protecting patient privacy. Furthermore, our approach incorporates smart contracts within the blockchain network to enforce access control and to define data-sharing policies. These smart contracts provide fine-grained permission settings, which ensure that only authorized entities can access and utilize the encrypted data. These settings protect the data from being viewed by unauthorized parties. In addition, our system generates an audit record of all data transactions, which improves both accountability and transparency. We have provided a comparative evaluation with the standard models, taking into account factors such as communication expense, transaction volume, and security. The findings of our experiments suggest that our strategy protects the confidentiality of the data while at the same time enabling effective data processing and analysis. In conclusion, the combination of homomorphic encryption and blockchain technology presents a solution that is both resilient and protective of users' privacy for healthcare applications integrated with IoT. This strategy offers a safe and open setting for the management and exchange of sensitive patient medical data, while simultaneously preserving the confidentiality of the patients involved.
Collapse
|
20
|
Channel Prediction-Based Security Authentication for Artificial Intelligence of Things. SENSORS (BASEL, SWITZERLAND) 2023; 23:6711. [PMID: 37571494 PMCID: PMC10422243 DOI: 10.3390/s23156711] [Citation(s) in RCA: 0] [Impact Index Per Article: 0] [Reference Citation Analysis] [Abstract] [Key Words] [Grants] [Track Full Text] [Subscribe] [Scholar Register] [Received: 06/29/2023] [Revised: 07/15/2023] [Accepted: 07/24/2023] [Indexed: 08/13/2023]
Abstract
The emerging physical-layer unclonable attribute-aided authentication (PLUA) schemes are capable of outperforming traditional isolated approaches, with the advantage of having reliable fingerprints. However, conventional PLUA methods face new challenges in artificial intelligence of things (AIoT) applications owing to their limited flexibility. These challenges arise from the distributed nature of AIoT devices and the involved information, as well as the requirement for short end-to-end latency. To address these challenges, we propose a security authentication scheme that utilizes intelligent prediction mechanisms to detect spoofing attack. Our approach is based on a dynamic authentication method using long short term memory (LSTM), where the edge computing node observes and predicts the time-varying channel information of access devices to detect clone nodes. Additionally, we introduce a Savitzky-Golay filter-assisted high order cumulant feature extraction model (SGF-HOCM) for preprocessing channel information. By utilizing future channel attributes instead of relying solely on previous channel information, our proposed approach enables authentication decisions. We have conducted extensive experiments in actual industrial environments to validate our prediction-based security strategy, which has achieved an accuracy of 97%.
Collapse
|
21
|
A Deep Learning Approach to Intrusion Detection and Segmentation in Pellet Fuels Using Microscopic Images. SENSORS (BASEL, SWITZERLAND) 2023; 23:6488. [PMID: 37514782 PMCID: PMC10383668 DOI: 10.3390/s23146488] [Citation(s) in RCA: 0] [Impact Index Per Article: 0] [Reference Citation Analysis] [Abstract] [Key Words] [Grants] [Track Full Text] [Subscribe] [Scholar Register] [Received: 05/31/2023] [Revised: 06/28/2023] [Accepted: 07/10/2023] [Indexed: 07/30/2023]
Abstract
Pellet fuels are nowadays commonly used as a heat source for food preparation. Unfortunately, they may contain intrusions which might be harmful for humans and the environment. The intrusions can be identified precisely using immersed microscopy analysis. The aim of this study is to investigate the possibility of autonomous identification of selected classes of intrusions using relatively simple deep learning models. The semantic segmentation was chosen as a method for impurity identification in the microscopic image. Three architectures of deep networks based on UNet architecture were examined. The networks contained the same depth as UNet but with a successively limited number of filters. The input image influence on the segmentation results was also examined. The efficiency of the network was assessed using the intersection over union index. The results showed an easily observable impact of the filter used on segmentation efficiency. The influence of the input image resolution is not so clear, and even the lowest (256 × 256 pixels) resolution used gave satisfactory results. The biggest (but still smaller than originally proposed UNet) network yielded segmentation quality good enough for practical applications. The simpler one was also applicable, although the quality of the segmentation decreased considerably. The simplest network gave poor results and is not suitable in applications. The two proposed networks can be used as a support for domain experts in practical applications.
Collapse
|
22
|
SELID: Selective Event Labeling for Intrusion Detection Datasets. SENSORS (BASEL, SWITZERLAND) 2023; 23:6105. [PMID: 37447954 DOI: 10.3390/s23136105] [Citation(s) in RCA: 0] [Impact Index Per Article: 0] [Reference Citation Analysis] [Abstract] [Key Words] [Grants] [Track Full Text] [Subscribe] [Scholar Register] [Received: 06/07/2023] [Revised: 06/26/2023] [Accepted: 06/29/2023] [Indexed: 07/15/2023]
Abstract
A large volume of security events, generally collected by distributed monitoring sensors, overwhelms human analysts at security operations centers and raises an alert fatigue problem. Machine learning is expected to mitigate this problem by automatically distinguishing between true alerts, or attacks, and falsely reported ones. Machine learning models should first be trained on datasets having correct labels, but the labeling process itself requires considerable human resources. In this paper, we present a new selective sampling scheme for efficient data labeling via unsupervised clustering. The new scheme transforms the byte sequence of an event into a fixed-size vector through content-defined chunking and feature hashing. Then, a clustering algorithm is applied to the vectors, and only a few samples from each cluster are selected for manual labeling. The experimental results demonstrate that the new scheme can select only 2% of the data for labeling without degrading the F1-score of the machine learning model. Two datasets, a private dataset from a real security operations center and a public dataset from the Internet for experimental reproducibility, are used.
Collapse
|
23
|
Plant and Salamander Inspired Network Attack Detection and Data Recovery Model. SENSORS (BASEL, SWITZERLAND) 2023; 23:5562. [PMID: 37420729 DOI: 10.3390/s23125562] [Citation(s) in RCA: 0] [Impact Index Per Article: 0] [Reference Citation Analysis] [Abstract] [Key Words] [Track Full Text] [Subscribe] [Scholar Register] [Received: 03/15/2023] [Revised: 04/24/2023] [Accepted: 06/01/2023] [Indexed: 07/09/2023]
Abstract
The number of users of the Internet has been continuously rising, with an estimated 5.1 billion users in 2023, which comprises around 64.7% of the total world population. This indicates the rise of more connected devices to the network. On average, 30,000 websites are hacked daily, and nearly 64% of companies worldwide experience at least one type of cyberattack. As per IDC's 2022 Ransomware study, two-thirds of global organizations were hit by a ransomware attack that year. This creates the desire for a more robust and evolutionary attack detection and recovery model. One aspect of the study is the bio-inspiration models. This is because of the natural ability of living organisms to withstand various odd circumstances and overcome them with an optimization strategy. In contrast to the limitations of machine learning models with the need for quality datasets and computational availability, bio-inspired models can perform in low computational environments, and their performances are designed to evolve naturally with time. This study concentrates on exploring the evolutionary defence mechanism in plants and understanding how plants react to any known external attacks and how the response mechanism changes to unknown attacks. This study also explores how regenerative models, such as salamander limb regeneration, could build a network recovery system where services could be automatically activated after a network attack, and data could be recovered automatically by the network after a ransomware-like attack. The performance of the proposed model is compared to open-source IDS Snort and data recovery systems such as Burp and Casandra.
Collapse
|
24
|
An Evidence Theoretic Approach for Traffic Signal Intrusion Detection. SENSORS (BASEL, SWITZERLAND) 2023; 23:4646. [PMID: 37430560 DOI: 10.3390/s23104646] [Citation(s) in RCA: 0] [Impact Index Per Article: 0] [Reference Citation Analysis] [Abstract] [Key Words] [Track Full Text] [Subscribe] [Scholar Register] [Received: 02/28/2023] [Revised: 04/26/2023] [Accepted: 05/08/2023] [Indexed: 07/12/2023]
Abstract
The increasing attacks on traffic signals worldwide indicate the importance of intrusion detection. The existing traffic signal Intrusion Detection Systems (IDSs) that rely on inputs from connected vehicles and image analysis techniques can only detect intrusions created by spoofed vehicles. However, these approaches fail to detect intrusion from attacks on in-road sensors, traffic controllers, and signals. In this paper, we proposed an IDS based on detecting anomalies associated with flow rate, phase time, and vehicle speed, which is a significant extension of our previous work using additional traffic parameters and statistical tools. We theoretically modelled our system using the Dempster-Shafer decision theory, considering the instantaneous observations of traffic parameters and their relevant historical normal traffic data. We also used Shannon's entropy to determine the uncertainty associated with the observations. To validate our work, we developed a simulation model based on the traffic simulator called SUMO using many real scenarios and the data recorded by the Victorian Transportation Authority, Australia. The scenarios for abnormal traffic conditions were generated considering attacks such as jamming, Sybil, and false data injection attacks. The results show that the overall detection accuracy of our proposed system is 79.3% with fewer false alarms.
Collapse
|
25
|
Intrusion Detection Method for Internet of Vehicles Based on Parallel Analysis of Spatio-Temporal Features. SENSORS (BASEL, SWITZERLAND) 2023; 23:s23094399. [PMID: 37177603 PMCID: PMC10181641 DOI: 10.3390/s23094399] [Citation(s) in RCA: 0] [Impact Index Per Article: 0] [Reference Citation Analysis] [Abstract] [Key Words] [Grants] [Track Full Text] [Subscribe] [Scholar Register] [Received: 04/06/2023] [Revised: 04/26/2023] [Accepted: 04/26/2023] [Indexed: 05/15/2023]
Abstract
The problems with network security that the Internet of Vehicles (IoV) faces are becoming more noticeable as it continues to evolve. Deep learning-based intrusion detection techniques can assist the IoV in preventing network threats. However, previous methods usually employ a single deep learning model to extract temporal or spatial features, or extract spatial features first and then temporal features in a serial manner. These methods usually have the problem of insufficient extraction of spatio-temporal features of the IoV, which affects the performance of intrusion detection and leads to a high false-positive rate. To solve the above problems, this paper proposes an intrusion detection method for IoV based on parallel analysis of spatio-temporal features (PA-STF). First, we built an optimal subset of features based on feature correlations of IoV traffic. Then, we used the temporal convolutional network (TCN) and long short-term memory (LSTM) to extract spatio-temporal features in the IoV traffic in a parallel manner. Finally, we fused the spatio-temporal features extracted in parallel based on the self-attention mechanism and used a multilayer perceptron to detect attacks in the Internet of Vehicles. The experimental results show that the PA-STF method reduces the false-positive rate by 1.95% and 1.57% on the NSL-KDD and UNSW-NB15 datasets, respectively, with the accuracy and F1 score also being superior.
Collapse
|
26
|
A Lightweight Intelligent Network Intrusion Detection System Using One-Class Autoencoder and Ensemble Learning for IoT. SENSORS (BASEL, SWITZERLAND) 2023; 23:4141. [PMID: 37112482 PMCID: PMC10144792 DOI: 10.3390/s23084141] [Citation(s) in RCA: 0] [Impact Index Per Article: 0] [Reference Citation Analysis] [Abstract] [Key Words] [Track Full Text] [Figures] [Subscribe] [Scholar Register] [Received: 03/09/2023] [Revised: 04/12/2023] [Accepted: 04/18/2023] [Indexed: 06/19/2023]
Abstract
Network intrusion detection technology is key to cybersecurity regarding the Internet of Things (IoT). The traditional intrusion detection system targeting Binary or Multi-Classification can detect known attacks, but it is difficult to resist unknown attacks (such as zero-day attacks). Unknown attacks require security experts to confirm and retrain the model, but new models do not keep up to date. This paper proposes a Lightweight Intelligent NIDS using a One-Class Bidirectional GRU Autoencoder and Ensemble Learning. It can not only accurately identify normal and abnormal data, but also identify unknown attacks as the type most similar to known attacks. First, a One-Class Classification model based on a Bidirectional GRU Autoencoder is introduced. This model is trained with normal data, and has high prediction accuracy in the case of abnormal data and unknown attack data. Second, a multi-classification recognition method based on ensemble learning is proposed. It uses Soft Voting to evaluate the results of various base classifiers, and identify unknown attacks (novelty data) as the type most similar to known attacks, so that exception classification becomes more accurate. Experiments are conducted on WSN-DS, UNSW-NB15, and KDD CUP99 datasets, and the recognition rates of the proposed models in the three datasets are raised to 97.91%, 98.92%, and 98.23% respectively. The results verify the feasibility, efficiency, and portability of the algorithm proposed in the paper.
Collapse
|
27
|
Enhanced Intrusion Detection with Data Stream Classification and Concept Drift Guided by the Incremental Learning Genetic Programming Combiner. SENSORS (BASEL, SWITZERLAND) 2023; 23:3736. [PMID: 37050795 PMCID: PMC10098915 DOI: 10.3390/s23073736] [Citation(s) in RCA: 0] [Impact Index Per Article: 0] [Reference Citation Analysis] [Abstract] [Key Words] [Track Full Text] [Figures] [Subscribe] [Scholar Register] [Received: 02/11/2023] [Revised: 03/27/2023] [Accepted: 03/31/2023] [Indexed: 06/19/2023]
Abstract
Concept drift (CD) in data streaming scenarios such as networking intrusion detection systems (IDS) refers to the change in the statistical distribution of the data over time. There are five principal variants related to CD: incremental, gradual, recurrent, sudden, and blip. Genetic programming combiner (GPC) classification is an effective core candidate for data stream classification for IDS. However, its basic structure relies on the usage of traditional static machine learning models that receive onetime training, limiting its ability to handle CD. To address this issue, we propose an extended variant of the GPC using three main components. First, we replace existing classifiers with alternatives: online sequential extreme learning machine (OSELM), feature adaptive OSELM (FA-OSELM), and knowledge preservation OSELM (KP-OSELM). Second, we add two new components to the GPC, specifically, a data balancing and a classifier update. Third, the coordination between the sub-models produces three novel variants of the GPC: GPC-KOS for KA-OSELM; GPC-FOS for FA-OSELM; and GPC-OS for OSELM. This article presents the first data stream-based classification framework that provides novel strategies for handling CD variants. The experimental results demonstrate that both GPC-KOS and GPC-FOS outperform the traditional GPC and other state-of-the-art methods, and the transfer learning and memory features contribute to the effective handling of most types of CD. Moreover, the application of our incremental variants on real-world datasets (KDD Cup '99, CICIDS-2017, CSE-CIC-IDS-2018, and ISCX '12) demonstrate improved performance (GPC-FOS in connection with CSE-CIC-IDS-2018 and CICIDS-2017; GPC-KOS in connection with ISCX2012 and KDD Cup '99), with maximum accuracy rates of 100% and 98% by GPC-KOS and GPC-FOS, respectively. Additionally, our GPC variants do not show superior performance in handling blip drift.
Collapse
|
28
|
Intrusion Detection in Vehicle Controller Area Network (CAN) Bus Using Machine Learning: A Comparative Performance Study. SENSORS (BASEL, SWITZERLAND) 2023; 23:3610. [PMID: 37050674 PMCID: PMC10099193 DOI: 10.3390/s23073610] [Citation(s) in RCA: 2] [Impact Index Per Article: 2.0] [Reference Citation Analysis] [Abstract] [Key Words] [Track Full Text] [Figures] [Subscribe] [Scholar Register] [Received: 01/30/2023] [Revised: 03/14/2023] [Accepted: 03/29/2023] [Indexed: 06/19/2023]
Abstract
Electronic Control Units (ECUs) have been increasingly used in modern vehicles to control the operations of the vehicle, improve driving comfort, and safety. For the operation of the vehicle, these ECUs communicate using a Controller Area Network (CAN) protocol that has many security vulnerabilities. According to the report of Upstream 2022, more than 900 automotive cybersecurity incidents were reported in 2021 only. In addition to developing a more secure CAN protocol, intrusion detection can provide a path to mitigate cyberattacks on the vehicle. This paper proposes a machine learning-based intrusion detection system (IDS) using a Support Vector Machine (SVM), Decision Tree (DT), and K-Nearest Neighbor (KNN) and investigates the effectiveness of the IDS using multiple real-world datasets. The novelty of our developed IDS is that it has been trained and tested on multiple vehicular datasets (Kia Soul and a Chevrolet Spark) to detect and classify intrusion. Our IDS has achieved accuracy up to 99.9% with a high true positive and a low false negative rate. Finally, the comparison of our performance evaluation outcomes demonstrates that the proposed IDS outperforms the existing works in terms of its liability and efficiency to detect cyber-attacks with a minimal error rate.
Collapse
|
29
|
Intrusion Detection System CAN-Bus In-Vehicle Networks Based on the Statistical Characteristics of Attacks. SENSORS (BASEL, SWITZERLAND) 2023; 23:3554. [PMID: 37050613 PMCID: PMC10098590 DOI: 10.3390/s23073554] [Citation(s) in RCA: 0] [Impact Index Per Article: 0] [Reference Citation Analysis] [Abstract] [Key Words] [Track Full Text] [Figures] [Subscribe] [Scholar Register] [Received: 01/27/2023] [Revised: 03/15/2023] [Accepted: 03/23/2023] [Indexed: 06/19/2023]
Abstract
For in-vehicle network communication, the controller area network (CAN) broadcasts to all connected nodes without address validation. Therefore, it is highly vulnerable to all sorts of attack scenarios. This research proposes a novel intrusion detection system (IDS) for CAN to identify in-vehicle network anomalies. The statistical characteristics of attacks provide valuable information about the inherent intrusion patterns and behaviors. We employed two real-world attack scenarios from publicly available datasets to record a real-time response against intrusions with increased precision for in-vehicle network environments. Our proposed IDS can exploit malicious patterns by calculating thresholds and using the statistical properties of attacks, making attack detection more efficient. The optimized threshold value is calculated using brute-force optimization for various window sizes to minimize the total error. The reference values of normality require a few legitimate data frames for effective intrusion detection. The experimental findings validate that our suggested method can efficiently detect fuzzy, merge, and denial-of-service (DoS) attacks with low false-positive rates. It is also demonstrated that the total error decreases with an increasing attack rate for varying window sizes. The results indicate that our proposed IDS minimizes the misclassification rate and is hence better suited for in-vehicle networks.
Collapse
|
30
|
Kohonen neural network and symbiotic-organism search algorithm for intrusion detection of network viruses. Front Comput Neurosci 2023; 17:1079483. [PMID: 36908758 PMCID: PMC9992525 DOI: 10.3389/fncom.2023.1079483] [Citation(s) in RCA: 0] [Impact Index Per Article: 0] [Reference Citation Analysis] [Abstract] [Key Words] [Grants] [Track Full Text] [Journal Information] [Subscribe] [Scholar Register] [Received: 10/25/2022] [Accepted: 02/06/2023] [Indexed: 02/25/2023] Open
Abstract
Introduction The development of the Internet has made life much more convenient, but forms of network intrusion have become increasingly diversified and the threats to network security are becoming much more serious. Therefore, research into intrusion detection has become very important for network security. Methods In this paper, a clustering algorithm based on the symbiotic-organism search (SOS) algorithm and a Kohonen neural network is proposed. Results The clustering accuracy of the Kohonen neural network is improved by using the SOS algorithm to optimize the weights in the Kohonen neural network. Discussion Our approach was verified with the KDDCUP99 network intrusion data. The experimental results show that SOS-Kohonen can effectively detect intrusion. The detection rate was higher, and the false alarm rate was lower.
Collapse
|
31
|
Investigating Generalized Performance of Data-Constrained Supervised Machine Learning Models on Novel, Related Samples in Intrusion Detection. SENSORS (BASEL, SWITZERLAND) 2023; 23:1846. [PMID: 36850444 PMCID: PMC9960990 DOI: 10.3390/s23041846] [Citation(s) in RCA: 0] [Impact Index Per Article: 0] [Reference Citation Analysis] [Abstract] [Key Words] [Track Full Text] [Figures] [Subscribe] [Scholar Register] [Received: 12/17/2022] [Revised: 02/02/2023] [Accepted: 02/03/2023] [Indexed: 06/18/2023]
Abstract
Recently proposed methods in intrusion detection are iterating on machine learning methods as a potential solution. These novel methods are validated on one or more datasets from a sparse collection of academic intrusion detection datasets. Their recognition as improvements to the state-of-the-art is largely dependent on whether they can demonstrate a reliable increase in classification metrics compared to similar works validated on the same datasets. Whether these increases are meaningful outside of the training/testing datasets is rarely asked and never investigated. This work aims to demonstrate that strong general performance does not typically follow from strong classification on the current intrusion detection datasets. Binary classification models from a range of algorithmic families are trained on the attack classes of CSE-CIC-IDS2018, a state-of-the-art intrusion detection dataset. After establishing baselines for each class at various points of data access, the same trained models are tasked with classifying samples from the corresponding attack classes in CIC-IDS2017, CIC-DoS2017 and CIC-DDoS2019. Contrary to what the baseline results would suggest, the models have rarely learned a generally applicable representation of their attack class. Stability and predictability of generalized model performance are central issues for all methods on all attack classes. Focusing only on the three best-in-class models in terms of interdataset generalization, reveals that for network-centric attack classes (brute force, denial of service and distributed denial of service), general representations can be learned with flat losses in classification performance (precision and recall) below 5%. Other attack classes vary in generalized performance from stark losses in recall (-35%) with intact precision (98+%) for botnets to total degradation of precision and moderate recall loss for Web attack and infiltration models. The core conclusion of this article is a warning to researchers in the field. Expecting results of proposed methods on the test sets of state-of-the-art intrusion detection datasets to translate to generalized performance is likely a serious overestimation. Four proposals to reduce this overestimation are set out as future work directions.
Collapse
|
32
|
SCSLnO-SqueezeNet: Sine Cosine-Sea Lion Optimization enabled SqueezeNet for intrusion detection in IoT. NETWORK (BRISTOL, ENGLAND) 2023; 34:343-373. [PMID: 37807939 DOI: 10.1080/0954898x.2023.2261531] [Citation(s) in RCA: 0] [Impact Index Per Article: 0] [Reference Citation Analysis] [Abstract] [Key Words] [MESH Headings] [Track Full Text] [Subscribe] [Scholar Register] [Received: 05/23/2022] [Accepted: 07/27/2023] [Indexed: 10/10/2023]
Abstract
Security and privacy are regarded as the greatest priority in any real-world smart ecosystem built on the Internet of Things (IoT) paradigm. In this study, a SqueezeNet model for IoT threat detection is built using Sine Cosine Sea Lion Optimization (SCSLnO). The Base Station (BS) carries out intrusion detection. The Hausdorff distance is used to determine which features are important. Using the SqueezeNet model, attack detection is carried out, and the network classifier is trained using SCSLnO, which is developed by combining the Sine Cosine Algorithm (SCA) with Sea Lion Optimization (SLnO). BoT-IoT and NSL-KDD datasets are used for the analysis. In comparison to existing approaches, PSO-KNN/SVM, Voting Ensemble Classifier, Deep NN, and Deep learning, the accuracy value produced by devised method for the BoT-IoT dataset is 10.75%, 8.45%, 6.36%, and 3.51% higher when the training percentage is 90.
Collapse
|
33
|
A Diffusion Model Based on Network Intrusion Detection Method for Industrial Cyber-Physical Systems. SENSORS (BASEL, SWITZERLAND) 2023; 23:1141. [PMID: 36772180 PMCID: PMC9920089 DOI: 10.3390/s23031141] [Citation(s) in RCA: 0] [Impact Index Per Article: 0] [Reference Citation Analysis] [Abstract] [Key Words] [Track Full Text] [Figures] [Subscribe] [Scholar Register] [Received: 12/01/2022] [Revised: 01/08/2023] [Accepted: 01/12/2023] [Indexed: 06/18/2023]
Abstract
Industrial Cyber-Physical Systems (ICPS) connect intelligent manufacturing equipment equipped with sensors, wireless and RFID communication technologies through data interaction, which makes the interior of the factory, even between factories, become a whole. However, intelligent factories will suffer information leakage and equipment damage when being attacked by ICPS intrusion. Therefore, the network security of ICPS cannot be ignored, and researchers have conducted in-depth research on network intrusion detection for ICPS. Though machine learning and deep learning methods are often used for network intrusion detection, the problem of data imbalance can cause the model to pay attention to the misclassification cost of the prevalent class, but ignore that of the rare class, which seriously affects the classification performance of network intrusion detection models. Considering the powerful generative power of the diffusion model, we propose an ICPS Intrusion Detection system based on the Diffusion model (IDD). Firstly, data corresponding to the rare class is generated by the diffusion model, which makes the training dataset of different classes balanced. Then, the improved BiLSTM classification network is trained on the balanced training set. Extensive experiments are conducted to show that the IDD method outperforms the existing baseline method on several available datasets.
Collapse
|
34
|
An Imbalanced Generative Adversarial Network-Based Approach for Network Intrusion Detection in an Imbalanced Dataset. SENSORS (BASEL, SWITZERLAND) 2023; 23:550. [PMID: 36617148 PMCID: PMC9824750 DOI: 10.3390/s23010550] [Citation(s) in RCA: 0] [Impact Index Per Article: 0] [Reference Citation Analysis] [Abstract] [Key Words] [MESH Headings] [Track Full Text] [Figures] [Subscribe] [Scholar Register] [Received: 11/29/2022] [Revised: 12/19/2022] [Accepted: 12/24/2022] [Indexed: 06/17/2023]
Abstract
In modern networks, a Network Intrusion Detection System (NIDS) is a critical security device for detecting unauthorized activity. The categorization effectiveness for minority classes is limited by the imbalanced class issues connected with the dataset. We propose an Imbalanced Generative Adversarial Network (IGAN) to address the problem of class imbalance by increasing the detection rate of minority classes while maintaining efficiency. To limit the effect of the minimum or maximum value on the overall features, the original data was normalized and one-hot encoded using data preprocessing. To address the issue of the low detection rate of minority attacks caused by the imbalance in the training data, we enrich the minority samples with IGAN. The ensemble of Lenet 5 and Long Short Term Memory (LSTM) is used to classify occurrences that are considered abnormal into various attack categories. The investigational findings demonstrate that the proposed approach outperforms the other deep learning approaches, achieving the best accuracy, precision, recall, TPR, FPR, and F1-score. The findings indicate that IGAN oversampling can enhance the detection rate of minority samples, hence improving overall accuracy. According to the data, the recommended technique valued performance measures far more than alternative approaches. The proposed method is found to achieve above 98% accuracy and classifies various attacks significantly well as compared to other classifiers.
Collapse
|
35
|
Evaluating Word Embedding Feature Extraction Techniques for Host-Based Intrusion Detection Systems. DISCOVER DATA 2023; 1:2. [PMID: 37035459 PMCID: PMC10077957 DOI: 10.1007/s44248-023-00002-y] [Citation(s) in RCA: 0] [Impact Index Per Article: 0] [Reference Citation Analysis] [Abstract] [Key Words] [Grants] [Track Full Text] [Subscribe] [Scholar Register] [Received: 12/20/2022] [Accepted: 02/22/2023] [Indexed: 04/07/2023]
Abstract
Research into Intrusion and Anomaly Detectors at the Host level typically pays much attention to extracting attributes from system call traces. These include window-based, Hidden Markov Models, and sequence-model-based attributes. Recently, several works have been focusing on sequence-model-based feature extractors, specifically Word2Vec and GloVe, to extract embeddings from the system call traces due to their ability to capture semantic relationships among system calls. However, due to the nature of the data, these extractors introduce inconsistencies in the extracted features, causing the Machine Learning models built on them to yield inaccurate and potentially misleading results. In this paper, we first highlight the research challenges posed by these extractors. Then, we conduct experiments with new feature sets assessing their suitability to address the detected issues. Our experiments show that Word2Vec is prone to introducing more duplicated samples than GloVe. Regarding the solutions proposed, we found that concatenating the embedding vectors generated by Word2Vec and GloVe yields the overall best balanced accuracy. In addition to resolving the challenge of data leakage, this approach enables an improvement in performance relative to other alternatives.
Collapse
|
36
|
Customised Intrusion Detection for an Industrial IoT Heterogeneous Network Based on Machine Learning Algorithms Called FTL-CID. SENSORS (BASEL, SWITZERLAND) 2022; 23:s23010321. [PMID: 36616920 PMCID: PMC9824493 DOI: 10.3390/s23010321] [Citation(s) in RCA: 2] [Impact Index Per Article: 1.0] [Reference Citation Analysis] [Abstract] [Key Words] [MESH Headings] [Track Full Text] [Subscribe] [Scholar Register] [Received: 10/30/2022] [Revised: 12/22/2022] [Accepted: 12/22/2022] [Indexed: 05/14/2023]
Abstract
Technological breakthroughs in the Internet of Things (IoT) easily promote smart lives for humans by connecting everything through the Internet. The de facto standardised IoT routing strategy is the routing protocol for low-power and lossy networks (RPL), which is applied in various heterogeneous IoT applications. Hence, the increase in reliance on the IoT requires focus on the security of the RPL protocol. The top defence layer is an intrusion detection system (IDS), and the heterogeneous characteristics of the IoT and variety of novel intrusions make the design of the RPL IDS significantly complex. Most existing IDS solutions are unified models and cannot detect novel RPL intrusions. Therefore, the RPL requires a customised global attack knowledge-based IDS model to identify both existing and novel intrusions in order to enhance its security. Federated transfer learning (FTL) is a trending topic that paves the way to designing a customised RPL-IoT IDS security model in a heterogeneous IoT environment. In this paper, we propose a federated-transfer-learning-assisted customised distributed IDS (FT-CID) model to detect RPL intrusion in a heterogeneous IoT. The design process of FT-CID includes three steps: dataset collection, FTL-assisted edge IDS learning, and intrusion detection. Initially, the central server initialises the FT-CID with a predefined learning model and observes the unique features of different RPL-IoTs to construct a local model. The experimental model generates an RPL-IIoT dataset with normal and abnormal traffic through simulation on the Contiki-NG OS. Secondly, the edge IDSs are trained using the local parameters and the globally shared parameters generated by the central server through federation and aggregation of different local parameters of various edges. Hence, transfer learning is exploited to update the server's and edges' local and global parameters based on relational knowledge. It also builds and customised IDS model with partial retraining through local learning based on globally shared server knowledge. Finally, the customised IDS in the FT-CID model enforces the detection of intrusions in heterogeneous IoT networks. Moreover, the FT-CID model accomplishes high RPL security by implicitly utilising the local and global parameters of different IoTs with the assistance of FTL. The FT-CID detects RPL intrusions with an accuracy of 85.52% in tests on a heterogeneous IoT network.
Collapse
|
37
|
Evaluation of Machine Learning Techniques for Traffic Flow-Based Intrusion Detection. SENSORS (BASEL, SWITZERLAND) 2022; 22:9326. [PMID: 36502028 PMCID: PMC9740321 DOI: 10.3390/s22239326] [Citation(s) in RCA: 0] [Impact Index Per Article: 0] [Reference Citation Analysis] [Abstract] [Key Words] [MESH Headings] [Track Full Text] [Figures] [Subscribe] [Scholar Register] [Received: 11/04/2022] [Revised: 11/24/2022] [Accepted: 11/28/2022] [Indexed: 06/17/2023]
Abstract
Cybersecurity is one of the great challenges of today's world. Rapid technological development has allowed society to prosper and improve the quality of life and the world is more dependent on new technologies. Managing security risks quickly and effectively, preventing, identifying, or mitigating them is a great challenge. The appearance of new attacks, and with more frequency, requires a constant update of threat detection methods. Traditional signature-based techniques are effective for known attacks, but they are not able to detect a new attack. For this reason, intrusion detection systems (IDS) that apply machine learning (ML) techniques represent an alternative that is gaining importance today. In this work, we have analyzed different machine learning techniques to determine which ones permit to obtain the best traffic classification results based on classification performance measurements and execution times, which is decisive for further real-time deployments. The CICIDS2017 dataset was selected in this work since it contains bidirectional traffic flows (derived from traffic captures) that include benign traffic and different types of up-to-date attacks. Each traffic flow is characterized by a set of connection-related attributes that can be used to model the traffic and distinguish between attacks and normal flows. The CICIDS2017 also contains the raw network traffic captures collected during the dataset creation in a packet-based format, thus permitting to extract the traffic flows from them. Various classification techniques have been evaluated using the Weka software: naive Bayes, logistic, multilayer perceptron, sequential minimal optimization, k-nearest neighbors, adaptive boosting, OneR, J48, PART, and random forest. As a general result, methods based on decision trees (PART, J48, and random forest) have turned out to be the most efficient with F1 values above 0.999 (average obtained in the complete dataset). Moreover, multiclass classification (distinguishing between different types of attack) and binary classification (distinguishing only between normal traffic and attack) have been compared, and the effect of reducing the number of attributes using the correlation-based feature selection (CFS) technique has been evaluated. By reducing the complexity in binary classification, better results can be obtained, and by selecting a reduced set of the most relevant attributes, less time is required (above 30% of decrease in the time required to test the model) at the cost of a small performance loss. The tree-based techniques with CFS attribute selection (six attributes selected) reached F1 values above 0.990 in the complete dataset. Finally, a conventional tool like Zeek has been used to process the raw traffic captures to identify the traffic flows and to obtain a reduced set of attributes from these flows. The classification results obtained using tree-based techniques (with 14 Zeek-based attributes) were also very high, with F1 above 0.997 (average obtained in the complete dataset) and low execution times (allowing several hundred thousand flows/s to be processed). These classification results obtained on the CICIDS2017 dataset allow us to affirm that the tree-based machine learning techniques may be appropriate in the flow-based intrusion detection problem and that algorithms, such as PART or J48, may offer a faster alternative solution to the RF technique.
Collapse
|
38
|
FLDID: Federated Learning Enabled Deep Intrusion Detection in Smart Manufacturing Industries. SENSORS (BASEL, SWITZERLAND) 2022; 22:8974. [PMID: 36433569 PMCID: PMC9694635 DOI: 10.3390/s22228974] [Citation(s) in RCA: 0] [Impact Index Per Article: 0] [Reference Citation Analysis] [Abstract] [Key Words] [MESH Headings] [Grants] [Track Full Text] [Figures] [Subscribe] [Scholar Register] [Received: 10/14/2022] [Revised: 11/14/2022] [Accepted: 11/17/2022] [Indexed: 06/16/2023]
Abstract
The rapid development in manufacturing industries due to the introduction of IIoT devices has led to the emergence of Industry 4.0 which results in an industry with intelligence, increased efficiency and reduction in the cost of manufacturing. However, the introduction of IIoT devices opens up the door for a variety of cyber threats in smart industries. The detection of cyber threats against such extensive, complex, and heterogeneous smart manufacturing industries is very challenging due to the lack of sufficient attack traces. Therefore, in this work, a Federated Learning enabled Deep Intrusion Detection framework is proposed to detect cyber threats in smart manufacturing industries. The proposed FLDID framework allows multiple smart manufacturing industries to build a collaborative model to detect threats and overcome the limited attack example problem with individual industries. Moreover, to ensure the privacy of model gradients, Paillier-based encryption is used in communication between edge devices (representative of smart industries) and the server. The deep learning-based hybrid model, which consists of a Convolutional Neural Network, Long Short Term Memory, and Multi-Layer Perceptron is used in the intrusion detection model. An exhaustive set of experiments on the publically available dataset proves the effectiveness of the proposed framework for detecting cyber threats in smart industries over the state-of-the-art approaches.
Collapse
|
39
|
Intrusion Detection in IoT Using Deep Learning. SENSORS (BASEL, SWITZERLAND) 2022; 22:8417. [PMID: 36366115 PMCID: PMC9658941 DOI: 10.3390/s22218417] [Citation(s) in RCA: 3] [Impact Index Per Article: 1.5] [Reference Citation Analysis] [Abstract] [Key Words] [MESH Headings] [Track Full Text] [Figures] [Subscribe] [Scholar Register] [Received: 08/18/2022] [Revised: 10/23/2022] [Accepted: 10/26/2022] [Indexed: 06/16/2023]
Abstract
Cybersecurity has been widely used in various applications, such as intelligent industrial systems, homes, personal devices, and cars, and has led to innovative developments that continue to face challenges in solving problems related to security methods for IoT devices. Effective security methods, such as deep learning for intrusion detection, have been introduced. Recent research has focused on improving deep learning algorithms for improved security in IoT. This research explores intrusion detection methods implemented using deep learning, compares the performance of different deep learning methods, and identifies the best method for implementing intrusion detection in IoT. This research is conducted using deep learning models based on convolutional neural networks (CNNs), long short-term memory (LSTM), and gated recurrent units (GRUs). A standard dataset for intrusion detection in IoT is considered to evaluate the proposed model. Finally, the empirical results are analyzed and compared with the existing approaches for intrusion detection in IoT. The proposed method seemed to have the highest accuracy compared to the existing methods.
Collapse
|
40
|
A Hybrid Intrusion Detection Model Using EGA-PSO and Improved Random Forest Method. SENSORS (BASEL, SWITZERLAND) 2022; 22:s22165986. [PMID: 36015744 PMCID: PMC9414798 DOI: 10.3390/s22165986] [Citation(s) in RCA: 18] [Impact Index Per Article: 9.0] [Reference Citation Analysis] [Abstract] [Key Words] [MESH Headings] [Track Full Text] [Subscribe] [Scholar Register] [Received: 07/01/2022] [Revised: 07/19/2022] [Accepted: 07/31/2022] [Indexed: 06/12/2023]
Abstract
Due to the rapid growth in IT technology, digital data have increased availability, creating novel security threats that need immediate attention. An intrusion detection system (IDS) is the most promising solution for preventing malicious intrusions and tracing suspicious network behavioral patterns. Machine learning (ML) methods are widely used in IDS. Due to a limited training dataset, an ML-based IDS generates a higher false detection ratio and encounters data imbalance issues. To deal with the data-imbalance issue, this research develops an efficient hybrid network-based IDS model (HNIDS), which is utilized using the enhanced genetic algorithm and particle swarm optimization(EGA-PSO) and improved random forest (IRF) methods. In the initial phase, the proposed HNIDS utilizes hybrid EGA-PSO methods to enhance the minor data samples and thus produce a balanced data set to learn the sample attributes of small samples more accurately. In the proposed HNIDS, a PSO method improves the vector. GA is enhanced by adding a multi-objective function, which selects the best features and achieves improved fitness outcomes to explore the essential features and helps minimize dimensions, enhance the true positive rate (TPR), and lower the false positive rate (FPR). In the next phase, an IRF eliminates the less significant attributes, incorporates a list of decision trees across each iterative process, supervises the classifier's performance, and prevents overfitting issues. The performance of the proposed method and existing ML methods are tested using the benchmark datasets NSL-KDD. The experimental findings demonstrated that the proposed HNIDS method achieves an accuracy of 98.979% on BCC and 88.149% on MCC for the NSL-KDD dataset, which is far better than the other ML methods i.e., SVM, RF, LR, NB, LDA, and CART.
Collapse
|
41
|
Towards an Explainable Universal Feature Set for IoT Intrusion Detection. SENSORS (BASEL, SWITZERLAND) 2022; 22:s22155690. [PMID: 35957249 PMCID: PMC9371123 DOI: 10.3390/s22155690] [Citation(s) in RCA: 3] [Impact Index Per Article: 1.5] [Reference Citation Analysis] [Abstract] [Key Words] [MESH Headings] [Track Full Text] [Subscribe] [Scholar Register] [Received: 07/10/2022] [Revised: 07/21/2022] [Accepted: 07/22/2022] [Indexed: 06/12/2023]
Abstract
As IoT devices' adoption grows rapidly, security plays an important role in our daily lives. As part of the effort to counter these security threats in recent years, many IoT intrusion detection datasets were presented, such as TON_IoT, BoT-IoT, and Aposemat IoT-23. These datasets were used to build many machine learning-based IoT intrusion detection models. In this research, we present an explainable and efficient method for selecting the most effective universal features from IoT intrusion detection datasets that can help in producing highly-accurate and efficient machine learning-based intrusion detection systems. The proposed method was applied to TON_IoT, Aposemat IoT-23, and IoT-ID datasets and resulted in the selection of six universal network-flow features. The proposed method was tested and produced a high accuracy of 99.62% with a prediction time reduced by up to 70%. To provide better insight into the operation of the classifier, a Shapley additive explanation was used to explain the selected features and to prove the alignment of the explanation with current attack techniques.
Collapse
|
42
|
Abstract
An intrusion detection system (IDS) is designed to detect and analyze network traffic for suspicious activity. Several methods have been introduced in the literature for IDSs; however, due to a large amount of data, these models have failed to achieve high accuracy. A statistical approach is proposed in this research due to the unsatisfactory results of traditional intrusion detection methods. The features are extracted and selected using a multilayer convolutional neural network, and a softmax classifier is employed to classify the network intrusions. To perform further analysis, a multilayer deep neural network is also applied to classify network intrusions. Furthermore, the experiments are performed using two commonly used benchmark intrusion detection datasets: NSL-KDD and KDDCUP'99. The performance of the proposed model is evaluated using four performance metrics: accuracy, recall, F1-score, and precision. The experimental results show that the proposed approach achieved better accuracy (99%) compared with other IDSs.
Collapse
|
43
|
DOC-IDS: A Deep Learning-Based Method for Feature Extraction and Anomaly Detection in Network Traffic. SENSORS (BASEL, SWITZERLAND) 2022; 22:4405. [PMID: 35746191 PMCID: PMC9227447 DOI: 10.3390/s22124405] [Citation(s) in RCA: 0] [Impact Index Per Article: 0] [Reference Citation Analysis] [Abstract] [Key Words] [MESH Headings] [Track Full Text] [Figures] [Subscribe] [Scholar Register] [Received: 05/16/2022] [Revised: 06/04/2022] [Accepted: 06/07/2022] [Indexed: 06/15/2023]
Abstract
With the growing diversity of cyberattacks in recent years, anomaly-based intrusion detection systems that can detect unknown attacks have attracted significant attention. Furthermore, a wide range of studies on anomaly detection using machine learning and deep learning methods have been conducted. However, many machine learning and deep learning-based methods require significant effort to design the detection feature values, extract the feature values from network packets, and acquire the labeled data used for model training. To solve the aforementioned problems, this paper proposes a new model called DOC-IDS, which is an intrusion detection system based on Perera's deep one-class classification. The DOC-IDS, which comprises a pair of one-dimensional convolutional neural networks and an autoencoder, uses three different loss functions for training. Although, in general, only regular traffic from the computer network subject to detection is used for anomaly detection training, the DOC-IDS also uses multi-class labeled traffic from open datasets for feature extraction. Therefore, by streamlining the classification task on multi-class labeled traffic, we can obtain a feature representation with highly enhanced data discrimination abilities. Simultaneously, we perform variance minimization in the feature space, even on regular traffic, to further improve the model's ability to discriminate between normal and abnormal traffic. The DOC-IDS is a single deep learning model that can automatically perform feature extraction and anomaly detection. This paper also reports experiments for evaluating the anomaly detection performance of the DOC-IDS. The results suggest that the DOC-IDS offers higher anomaly detection performance while reducing the load resulting from the design and extraction of feature values.
Collapse
|
44
|
A New Intrusion Detection System for the Internet of Things via Deep Convolutional Neural Network and Feature Engineering. SENSORS 2022; 22:s22103607. [PMID: 35632016 PMCID: PMC9146064 DOI: 10.3390/s22103607] [Citation(s) in RCA: 5] [Impact Index Per Article: 2.5] [Reference Citation Analysis] [Abstract] [Key Words] [Track Full Text] [Download PDF] [Figures] [Subscribe] [Scholar Register] [Received: 04/07/2022] [Revised: 05/05/2022] [Accepted: 05/06/2022] [Indexed: 02/01/2023]
Abstract
The Internet of Things (IoT) is a widely used technology in automated network systems across the world. The impact of the IoT on different industries has occurred in recent years. Many IoT nodes collect, store, and process personal data, which is an ideal target for attackers. Several researchers have worked on this problem and have presented many intrusion detection systems (IDSs). The existing system has difficulties in improving performance and identifying subcategories of cyberattacks. This paper proposes a deep-convolutional-neural-network (DCNN)-based IDS. A DCNN consists of two convolutional layers and three fully connected dense layers. The proposed model aims to improve performance and reduce computational power. Experiments were conducted utilizing the IoTID20 dataset. The performance analysis of the proposed model was carried out with several metrics, such as accuracy, precision, recall, and F1-score. A number of optimization techniques were applied to the proposed model in which Adam, AdaMax, and Nadam performance was optimum. In addition, the proposed model was compared with various advanced deep learning (DL) and traditional machine learning (ML) techniques. All experimental analysis indicates that the accuracy of the proposed approach is high and more robust than existing DL-based algorithms.
Collapse
|
45
|
Artificial Intelligence-Driven Intrusion Detection in Software-Defined Wireless Sensor Networks: Towards Secure IoT-Enabled Healthcare Systems. INTERNATIONAL JOURNAL OF ENVIRONMENTAL RESEARCH AND PUBLIC HEALTH 2022; 19:ijerph19095367. [PMID: 35564763 PMCID: PMC9103430 DOI: 10.3390/ijerph19095367] [Citation(s) in RCA: 0] [Impact Index Per Article: 0] [Reference Citation Analysis] [Abstract] [Key Words] [MESH Headings] [Track Full Text] [Download PDF] [Figures] [Subscribe] [Scholar Register] [Received: 12/22/2021] [Revised: 04/05/2022] [Accepted: 04/22/2022] [Indexed: 01/15/2023]
Abstract
Wireless Sensor Networks (WSNs) are increasingly deployed in Internet of Things (IoT) systems for applications such as smart transportation, telemedicine, smart health monitoring and fall detection systems for the elderly people. Given that huge amount of data, vital and critical information can be exchanged between the different parts of a WSN, good management and protection schemes are needed to ensure an efficient and secure operation of the WSN. To ensure an efficient management of WSNs, the Software-Defined Wireless Sensor Network (SDWSN) paradigm has been recently introduced in the literature. In the same vein, Intrusion Detection Systems, have been used in the literature to safeguard the security of SDWSN-based IoTs. In this paper, three popular Artificial Intelligence techniques (Decision Tree, Naïve Bayes, and Deep Artificial Neural Network) are trained to be deployed as anomaly detectors in IDSs. It is shown that an IDS using the Decision Tree-based anomaly detector yields the best performances metrics both in the binary classification and in the multinomial classification. Additionally, it was found that an IDS using the Naïve Bayes-based anomaly detector was only adapted for binary classification of intrusions in low memory capacity SDWSN-based IoT (e.g., wearable fitness tracker). Moreover, new state-of-the-art accuracy (binary classification) and F-scores (multinomial classification) were achieved by introducing an end-to-end feature engineering scheme aimed at obtaining 118 features from the 41 features of the Network Security Laboratory-Knowledge Discovery in Databases (NSL-KDD) dataset. The state-of-the-art accuracy was pushed to 0.999777 using the Decision Tree-based anomaly detector. Finally, it was found that the Deep Artificial Neural Network should be expected to become the next default anomaly detector in the light of its current performance metrics and the increasing abundance of training data.
Collapse
|
46
|
Cyber-Attack Prediction Based on Network Intrusion Detection Systems for Alert Correlation Techniques: A Survey. SENSORS 2022; 22:s22041494. [PMID: 35214394 PMCID: PMC8879519 DOI: 10.3390/s22041494] [Citation(s) in RCA: 3] [Impact Index Per Article: 1.5] [Reference Citation Analysis] [Abstract] [Key Words] [Track Full Text] [Download PDF] [Figures] [Subscribe] [Scholar Register] [Received: 12/22/2021] [Revised: 01/20/2022] [Accepted: 01/29/2022] [Indexed: 02/04/2023]
Abstract
Network Intrusion Detection Systems (NIDS) are designed to safeguard the security needs of enterprise networks against cyber-attacks. However, NIDS networks suffer from several limitations, such as generating a high volume of low-quality alerts. Moreover, 99% of the alerts produced by NIDSs are false positives. As well, the prediction of future actions of an attacker is one of the most important goals here. The study has reviewed the state-of-the-art cyber-attack prediction based on NIDS Intrusion Alert, its models, and limitations. The taxonomy of intrusion alert correlation (AC) is introduced, which includes similarity-based, statistical-based, knowledge-based, and hybrid-based approaches. Moreover, the classification of alert correlation components was also introduced. Alert Correlation Datasets and future research directions are highlighted. The AC receives raw alerts to identify the association between different alerts, linking each alert to its related contextual information and predicting a forthcoming alert/attack. It provides a timely, concise, and high-level view of the network security situation. This review can serve as a benchmark for researchers and industries for Network Intrusion Detection Systems' future progress and development.
Collapse
|
47
|
Attacks to Automatous Vehicles: A Deep Learning Algorithm for Cybersecurity. SENSORS 2022; 22:s22010360. [PMID: 35009899 PMCID: PMC8749531 DOI: 10.3390/s22010360] [Citation(s) in RCA: 18] [Impact Index Per Article: 9.0] [Reference Citation Analysis] [Abstract] [Key Words] [Track Full Text] [Download PDF] [Figures] [Subscribe] [Scholar Register] [Received: 12/06/2021] [Revised: 12/30/2021] [Accepted: 12/30/2021] [Indexed: 02/04/2023]
Abstract
Rapid technological development has changed drastically the automotive industry. Network communication has improved, helping the vehicles transition from completely machine- to software-controlled technologies. The autonomous vehicle network is controlled by the controller area network (CAN) bus protocol. Nevertheless, the autonomous vehicle network still has issues and weaknesses concerning cybersecurity due to the complexity of data and traffic behaviors that benefit the unauthorized intrusion to a CAN bus and several types of attacks. Therefore, developing systems to rapidly detect message attacks in CAN is one of the biggest challenges. This study presents a high-performance system with an artificial intelligence approach that protects the vehicle network from cyber threats. The system secures the autonomous vehicle from intrusions by using deep learning approaches. The proposed security system was verified by using a real automatic vehicle network dataset, including spoofing, flood, replaying attacks, and benign packets. Preprocessing was applied to convert the categorical data into numerical. This dataset was processed by using the convolution neural network (CNN) and a hybrid network combining CNN and long short-term memory (CNN-LSTM) models to identify attack messages. The results revealed that the model achieved high performance, as evaluated by the metrics of precision, recall, F1 score, and accuracy. The proposed system achieved high accuracy (97.30%). Along with the empirical demonstration, the proposed system enhanced the detection and classification accuracy compared with the existing systems and was proven to have superior performance for real-time CAN bus security.
Collapse
|
48
|
Towards Model Generalization for Intrusion Detection: Unsupervised Machine Learning Techniques. JOURNAL OF NETWORK AND SYSTEMS MANAGEMENT 2022. [PMCID: PMC8520582 DOI: 10.1007/s10922-021-09615-7] [Citation(s) in RCA: 2] [Impact Index Per Article: 1.0] [Reference Citation Analysis] [Abstract] [Key Words] [Track Full Text] [Subscribe] [Scholar Register] [Indexed: 05/14/2023]
Abstract
Through the ongoing digitization of the world, the number of connected devices is continuously growing without any foreseen decline in the near future. In particular, these devices increasingly include critical systems such as power grids and medical institutions, possibly causing tremendous consequences in the case of a successful cybersecurity attack. A network intrusion detection system (NIDS) is one of the main components to detect ongoing attacks by differentiating normal from malicious traffic. Anomaly-based NIDS, more specifically unsupervised methods previously proved promising for their ability to detect known as well as zero-day attacks without the need for a labeled dataset. Despite decades of development by researchers, anomaly-based NIDS are only rarely employed in real-world applications, most possibly due to the lack of generalization power of the proposed models. This article first evaluates four unsupervised machine learning methods on two recent datasets and then defines their generalization strength using a novel inter-dataset evaluation strategy estimating their adaptability. Results show that all models can present high classification scores on an individual dataset but fail to directly transfer those to a second unseen but related dataset. Specifically, the accuracy dropped on average 25.63% in an inter-dataset setting compared to the conventional evaluation approach. This generalization challenge can be observed and tackled in future research with the help of the proposed evaluation strategy in this paper.
Collapse
|
49
|
Attack-Aware IoT Network Traffic Routing Leveraging Ensemble Learning. SENSORS 2021; 22:s22010241. [PMID: 35009784 PMCID: PMC8749547 DOI: 10.3390/s22010241] [Citation(s) in RCA: 11] [Impact Index Per Article: 3.7] [Reference Citation Analysis] [Abstract] [Key Words] [MESH Headings] [Track Full Text] [Download PDF] [Figures] [Subscribe] [Scholar Register] [Received: 12/05/2021] [Revised: 12/26/2021] [Accepted: 12/28/2021] [Indexed: 11/21/2022]
Abstract
Network Intrusion Detection Systems (NIDSs) are indispensable defensive tools against various cyberattacks. Lightweight, multipurpose, and anomaly-based detection NIDSs employ several methods to build profiles for normal and malicious behaviors. In this paper, we design, implement, and evaluate the performance of machine-learning-based NIDS in IoT networks. Specifically, we study six supervised learning methods that belong to three different classes: (1) ensemble methods, (2) neural network methods, and (3) kernel methods. To evaluate the developed NIDSs, we use the distilled-Kitsune-2018 and NSL-KDD datasets, both consisting of a contemporary real-world IoT network traffic subjected to different network attacks. Standard performance evaluation metrics from the machine-learning literature are used to evaluate the identification accuracy, error rates, and inference speed. Our empirical analysis indicates that ensemble methods provide better accuracy and lower error rates compared with neural network and kernel methods. On the other hand, neural network methods provide the highest inference speed which proves their suitability for high-bandwidth networks. We also provide a comparison with state-of-the-art solutions and show that our best results are better than any prior art by 1~20%.
Collapse
|
50
|
Deep Stacking Network for Intrusion Detection. SENSORS (BASEL, SWITZERLAND) 2021; 22:25. [PMID: 35009568 PMCID: PMC8747112 DOI: 10.3390/s22010025] [Citation(s) in RCA: 1] [Impact Index Per Article: 0.3] [Reference Citation Analysis] [Abstract] [Key Words] [MESH Headings] [Track Full Text] [Figures] [Subscribe] [Scholar Register] [Received: 11/15/2021] [Revised: 11/29/2021] [Accepted: 12/07/2021] [Indexed: 06/14/2023]
Abstract
Preventing network intrusion is the essential requirement of network security. In recent years, people have conducted a lot of research on network intrusion detection systems. However, with the increasing number of advanced threat attacks, traditional intrusion detection mechanisms have defects and it is still indispensable to design a powerful intrusion detection system. This paper researches the NSL-KDD data set and analyzes the latest developments and existing problems in the field of intrusion detection technology. For unbalanced distribution and feature redundancy of the data set used for training, some training samples are under-sampling and feature selection processing. To improve the detection effect, a Deep Stacking Network model is proposed, which combines the classification results of multiple basic classifiers to improve the classification accuracy. In the experiment, we screened and compared the performance of various mainstream classifiers and found that the four models of the decision tree, k-nearest neighbors, deep neural network and random forests have outstanding detection performance and meet the needs of different classification effects. Among them, the classification accuracy of the decision tree reaches 86.1%. The classification effect of the Deeping Stacking Network, a fusion model composed of four classifiers, has been further improved and the accuracy reaches 86.8%. Compared with the intrusion detection system of other research papers, the proposed model effectively improves the detection performance and has made significant improvements in network intrusion detection.
Collapse
|