An Effective Classifier Model for Imbalanced Network Attack Data

Recently,machine learning algorithms have been used in the detection and classification of network attacks.The performance of the algorithms has been evaluated by using benchmark network intrusion datasets such as DARPA98,KDD’99,NSL-KDD,UNSW-NB15,and Caida DDoS.However,these datasets have two major challenges:imbalanced data and highdimensional data.Obtaining high accuracy for all attack types in the dataset allows for high accuracy in imbalanced datasets.On the other hand,having a large number of features increases the runtime load on the algorithms.A novel model is proposed in this paper to overcome these two concerns.The number of features in the model,which has been tested at CICIDS2017,is initially optimized by using genetic algorithms.This optimum feature set has been used to classify network attacks with six well-known classifiers according to high f1-score and g-mean value in minimumtime.Afterwards,amulti-layer perceptron based ensemble learning approach has been applied to improve the models’overall performance.The experimental results showthat the suggested model is acceptable for feature selection as well as classifying network attacks in an imbalanced dataset,with a high f1-score(0.91)and g-mean(0.99)value.Furthermore,it has outperformed base classifier models and voting procedures.

Enhancement of scale-free network attack tolerance

Despite the large size of most communication and transportation systems, there are short paths between nodes in these networks which guarantee the efficient information, data and passenger delivery; furthermore these networks have a surprising tolerance under random errors thanks to their inherent scale-free topology. However, their scale-free topology also makes them fragile under intentional attacks, leaving us a challenge on how to improve the network robustness against intentional attacks without losing their strong tolerance under random errors and high message and passenger delivering capacity. Here We propose two methods （SL method and SH method） to enhance scale-free network＇s tolerance under attack in different conditions.

FEW-NNN: A Fuzzy Entropy Weighted Natural Nearest Neighbor Method for Flow-Based Network Traffic Attack Detection

Attacks such as APT usually hide communication data in massive legitimate network traffic, and mining structurally complex and latent relationships among flow-based network traffic to detect attacks has become the focus of many initiatives. Effectively analyzing massive network security data with high dimensions for suspicious flow diagnosis is a huge challenge. In addition, the uneven distribution of network traffic does not fully reflect the differences of class sample features, resulting in the low accuracy of attack detection. To solve these problems, a novel approach called the fuzzy entropy weighted natural nearest neighbor(FEW-NNN) method is proposed to enhance the accuracy and efficiency of flowbased network traffic attack detection. First, the FEW-NNN method uses the Fisher score and deep graph feature learning algorithm to remove unimportant features and reduce the data dimension. Then, according to the proposed natural nearest neighbor searching algorithm(NNN_Searching), the density of data points, each class center and the smallest enclosing sphere radius are determined correspondingly. Finally, a fuzzy entropy weighted KNN classification method based on affinity is proposed, which mainly includes the following three steps: 1、 the feature weights of samples are calculated based on fuzzy entropy values, 2、 the fuzzy memberships of samples are determined based on affinity among samples, and 3、 K-neighbors are selected according to the class-conditional weighted Euclidean distance, the fuzzy membership value of the testing sample is calculated based on the membership of k-neighbors, and then all testing samples are classified according to the fuzzy membership value of the samples belonging to each class;that is, the attack type is determined. The method has been applied to the problem of attack detection and validated based on the famous KDD99 and CICIDS-2017 datasets. From the experimental results shown in this paper, it is observed that the FEW-NNN method improves the accuracy and efficiency of flow-based network traffic attack detection.

Prediction of network attack profit path based on NAPG model

The network attack profit graph(NAPG)model and the attack profit path predication algorithm are presented herein to cover the shortage of considerations in attacker’s subjective factors based on existing network attack path prediction methods.Firstly,the attack profit is introduced,with the attack profit matrix designed and the attack profit matrix generation algorithm given accordingly.Secondly,a path profit feasibility analysis algorithm is proposed to analyze the network feasibility of realizing profit of attack path.Finally,an opportunity profit path and an optimal profit path are introduced with the selection algorithm and the prediction algorithm designed for accurate prediction of the path.According to the experimental test,the network attack profit path predication algorithm is applicable for accurate prediction of the opportunity profit path and the optimal profit path.

DDoS Attack Detection Scheme Based on Entropy and PSO-BP Neural Network in SDN

SDN (Software Defined Network) has many security problems, and DDoS attack is undoubtedly the most serious harm to SDN architecture network. How to accurately and effectively detect DDoS attacks has always been a difficult point and focus of SDN security research. Based on the characteristics of SDN, a DDoS attack detection method combining generalized entropy and PSOBP neural network is proposed. The traffic is pre-detected by the generalized entropy method deployed on the switch, and the detection result is divided into normal and abnormal. Locate the switch that issued the abnormal alarm. The controller uses the PSO-BP neural network to detect whether a DDoS attack occurs by further extracting the flow features of the abnormal switch. Experiments show that compared with other methods, the detection accurate rate is guaranteed while the CPU load of the controller is reduced, and the detection capability is better.

A Novel Attack Graph Posterior Inference Model Based on Bayesian Network

Network attack graphs are originally used to evaluate what the worst security state is when a concerned net-work is under attack. Combined with intrusion evidence such like IDS alerts, attack graphs can be further used to perform security state posterior inference (i.e. inference based on observation experience). In this area, Bayesian network is an ideal mathematic tool, however it can not be directly applied for the following three reasons: 1) in a network attack graph, there may exist directed cycles which are never permitted in a Bayesian network, 2) there may exist temporal partial ordering relations among intrusion evidence that can-not be easily modeled in a Bayesian network, and 3) just one Bayesian network cannot be used to infer both the current and the future security state of a network. In this work, we improve an approximate Bayesian posterior inference algorithm–the likelihood-weighting algorithm to resolve the above obstacles. We give out all the pseudocodes of the algorithm and use several examples to demonstrate its benefit. Based on this, we further propose a network security assessment and enhancement method along with a small network scenario to exemplify its usage.

Wormhole Attack Behaviour in Monte-Carlo Localization for Mobile Sensor Networks

Localization is the basic requirement for network management in Wireless Sensor Networks as it helps nodes find their absolute position coordinates and in gathering information relevant to their locations. A localization algorithm has to be dynamic, scalable and should not impose high computation or communication overhead. The localization systems are also prone to attacks. We target a localization scheme for mobile sensor networks called Monte-Carlo Localization, which study its behavior under the most dangerous attack on localization called Wormhole Attack, also known as Collusion Attack and propose a modified algorithm that can help the localization system retain its accuracy level even in the presence of attacks. Our algorithm has communication cost almost equal to that of original localization algorithm (in this case MCL) in the absence of attacks.

Performance analysis of mobile ad hoc networks under flooding attacks

Due to their characteristics of dynamic topology, wireless channels and limited resources, mobile ad hoc networks are particularly vulnerable to a denial of service （DoS） attacks launched by intruders. The effects of flooding attacks in network simulation 2 （NS2） and measured performance parameters are investigated, including packet loss ratio, average delay, throughput and average number of hops under different numbers of attack nodes, flooding frequency, network bandwidth and network size. Simulation results show that with the increase of the flooding frequency and the number of attack nodes, network performance sharply drops. But when the frequency of flooding attacks or the number of attack nodes is greater than a certain value, performance degradation tends to a stable value.

Continuous Weight Attack on Complex Network

<Abstract>We introduce a continuous weight attack strategy and numerically investigate the effect of continuous weight attack strategy on the Barabási-Albert (BA) scale-free network and the Erds-Rényi (ER) random network.We use a weight coefficient ω to define the attack intensity.The weight coefficient ω increases continuously from 1 to infinity, where 1 represents no attack and infinity represents complete destructive attack.Our results show that the continuous weight attack on two selected nodes with small ω (ω≈ 3) could achieve the same damage of complete elimination of a single selected node on both BA and ER networks.It is found that the continuous weight attack on a single selected edge with small ω(ω≈2) can reach the same effect of complete elimination of a single edge on BA network,but on ER network the damage of the continuous weight attack on a single edge is close to but always smaller than that of complete elimination of edge even if ω is very large.

Anomaly Detection Based on Data-Mining for Routing Attacks in Wireless Sensor Networks

With the increasing deployment of wireless sensordevices and networks,security becomes a criticalchallenge for sensor networks.In this paper,a schemeusing data mining is proposed for routing anomalydetection in wireless sensor networks.The schemeuses the Apriori algorithm to extract traffic patternsfrom both routing table and network traffic packetsand subsequently the K-means cluster algorithmadaptively generates a detection model.Through thecombination of these two algorithms,routing attackscan be detected effectively and automatically.Themain advantage of the proposed approach is that it isable to detect new attacks that have not previouslybeen seen.Moreover,the proposed detection schemeis based on no priori knowledge and then can beapplied to a wide range of different sensor networksfor a variety of routing attacks.

Network resource allocation attack detection with long range dependence

The approach of traffic abnormality detection of network resource allocation attack did not have reliable signatures to depict abnormality and identify them. However, it is crucial for us to detect attacks accurately. The technique that we adopted is inspired by long range dependence ideas. We use the number of packet arrivals of a flow in fixed-length time intervals as the signal and attempt to extend traffic invariant “self-similarity”. We validate the effectiveness of the approach with simulation and trace analysis.

Attacks and Countermeasures in Social Network Data Publishing

With the increasing prevalence of social networks, more and more social network data are published for many applications, such as social network analysis and data mining. However, this brings privacy problems. For example, adversaries can get sensitive information of some individuals easily with little background knowledge. How to publish social network data for analysis purpose while preserving the privacy of individuals has raised many concerns. Many algorithms have been proposed to address this issue. In this paper, we discuss this privacy problem from two aspects： attack models and countermeasures. We analyse privacy conceres, model the background knowledge that adversary may utilize and review the recently developed attack models. We then survey the state-of-the-art privacy preserving methods in two categories： anonymization methods and differential privacy methods. We also provide research directions in this area.

Recovery from Wormhole Attack in Mobile Ad Hoc Network (MANET)

Wormhole attack is a serious threat against MANET (mobile ad hoc network) and its routing protocols. A new approach—tunnel key node identification (TKNI) was proposed. Based on tunnel-key-node identification and priority-based route discovery, TKNI can rapidly rebuild the communications that have been blocked by wormhole attack. Compared to previous approaches, the proposed approach aims at both static and dynamic topology environment, involves addressing visible and invisible wormhole attack modes, requires no extra hardware, has a low overhead, and can be easily applied to MANET.

Nonlinear Dynamical Behavior in Neuron Model Based on Small World Network with Attack and Repair Strategy

在这篇论文，我们在非线性的动态行为上由于网络的拓扑学结构的变化调查效果，由有基于小世界的攻击和修理策略的 OFC 神经原进化模型的优点。特别地，关于动态行为的各种各样的参数的角色小心地被学习并且分析。另外，雪崩和象 EEG 一样随攻击挥动活动，修理策略也在这个工作详细被探索。

Preventing Dropping Packets Attack in Sensor Networks:A Game Theory Approach

Focusing on dropping packets attacks in sensor networks, we propose a model of dropping packets attack-resistance as a repeated game based on such an assumption that sensor nodes are rational. The model prevents malicious nodes from attacking by establishing punishment mechanism, and impels sensor networks to reach a collaborative Nash equilibrium. Simulation results show that the devised model can effectively resist the dropping packets attacks（DPA） by choosing reasonable configuration parameters.

A Comparison of Link Layer Attacks on Wireless Sensor Networks

Wireless sensor networks (WSNs) have many potential applications [1,2] and unique challenges. They usually consist of hundreds or thousands of small sensor nodes such as MICA2, which operate autonomously;conditions such as cost, invisible deployment and many application domains, lead to small size and resource limited sensors [3]. WSNs are susceptible to many types of link layer attacks [1] and most of traditional network security techniques are unusable on WSNs [3];This is due to wireless and shared nature of communication channel, untrusted transmissions, deployment in open environments, unattended nature and limited resources [1]. Therefore security is a vital requirement for these networks;but we have to design a proper security mechanism that attends to WSN’s constraints and requirements. In this paper, we focus on security of WSNs, divide it (the WSNs security) into four categories and will consider them, include: an overview of WSNs, security in WSNs, the threat model on WSNs, a wide variety of WSNs’ link layer attacks and a comparison of them. This work enables us to identify the purpose and capabilities of the attackers;furthermore, the goal and effects of the link layer attacks on WSNs are introduced. Also, this paper discusses known approaches of security detection and defensive mechanisms against the link layer attacks;this would enable IT security managers to manage the link layer attacks of WSNs more effectively.

Five Basic Types of Insider DoS Attacks of Code Dissemination in Wireless Sensor Networks

Code dissemination is one of the important services of wireless sensor networks (WSNs). Securing the process of code dissemination is essential in some certain WSNs applications, state-of-the-art secure code dissemination protocols for WSNs aim for the efficient source authentication and integrity verification of code image, however, due to the resource constrains of WSNs and the epidemic behavior of the code dissemination system, existing secure code dissemination protocols are vulnerable to Denial of Service (DoS) attacks when sensor nodes can be compromised (insider DoS attacks). In this paper, we identify five different basic types of DoS attacks exploiting the epidemic propagation strategies used by Deluge. They are (1) Higher-version Advertisement attack, (2) False Request attack, (3) Larger-numbered Page attack, (4) Lower-version Adv attack, and (5) Same-version Adv attack. Simulation shows these susceptibilities caused by above insider DoS attacks. Some simple models are also proposed which promote understanding the problem of insider DoS attacks and attempt to quantify the severity of these attacks in the course of code dissemination in WSNs.

Network security equipment evaluation based on attack tree with risk fusion

Network security equipment is crucial to information systems, and a proper evaluation model can ensure the quality of network security equipment. However, there is only a few models of comprehensive models nowadays. An index system for network security equipment was established and a model based on attack tree with risk fusion was proposed to obtain the score of qualitative indices. The proposed model implements attack tree model and controlled interval and memory(CIM) model to solve the problem of quantifying qualitative indices, and thus improves the accuracy of the evaluation.