658 articles found
Robust Malicious Executable Detection Using Host-Based Machine Learning Classifier
1
Authors: Khaled Soliman Mohamed Sobh Ayman M. Bahaa-Eldin. Computers, Materials & Continua (SCIE, EI), 2024, No. 4, pp. 1419-1439, 21 pages
The continuous development of cyberattacks is threatening digital transformation endeavors worldwide and leads to wide losses for various organizations. These dangers have proven that signature-based approaches are insufficient to prevent emerging and polymorphic attacks. Therefore, this paper is proposing a Robust Malicious Executable Detection (RMED) using Host-based Machine Learning Classifier to discover malicious Portable Executable (PE) files in hosts using Windows operating systems through collecting PE headers and applying machine learning mechanisms to detect unknown infected files. The authors have collected a novel reliable dataset containing 116,031 benign files and 179,071 malware samples from diverse sources to ensure the efficiency of RMED approach. The most effective PE headers that can highly differentiate between benign and malware files were selected to train the model on 15 PE features to speed up the classification process and achieve real-time detection for malicious executables. The evaluation results showed that RMED succeeded in shrinking the classification time to 91 milliseconds for each file while reaching an accuracy of 98.42% with a false positive rate equal to 1.58. In conclusion, this paper contributes to the field of cybersecurity by presenting a comprehensive framework that leverages Artificial Intelligence (AI) methods to proactively detect and prevent cyber-attacks.
Keywords: Portable executable MALWARE intrusion detection CYBERSECURITY zero-day threats Host Intrusion detection System (HIDS) machine learning anomaly-based Intrusion detection System (AIDS) deep learning
Event-Based Anomaly Detection for Non-Public Industrial Communication Protocols in SDN-Based Control Systems (Cited by: 4)
2
Authors: Ming Wan Jiangyuan Yao Yuan Jing Xi Jin. Computers, Materials & Continua (SCIE, EI), 2018, No. 6, pp. 447-463, 17 pages
As the main communication mediums in industrial control networks, industrial communication protocols are always vulnerable to extreme exploitations, and it is very difficult to take protective measures due to their serious privacy. Based on the SDN (Software Defined Network) technology, this paper proposes a novel event-based anomaly detection approach to identify misbehaviors using non-public industrial communication protocols, and this approach can be installed in SDN switches as a security software appliance in SDN-based control systems. Furthermore, aiming at the unknown protocol specification and message format, this approach first restructures the industrial communication sessions and merges the payloads from industrial communication packets. After that, the feature selection and event sequence extraction can be carried out by using the N-gram model and K-means algorithm. Based on the obtained event sequences, this approach finally trains an event-based HMM (Hidden Markov Model) to identify aberrant industrial communication behaviors. Experimental results clearly show that the proposed approach has obvious advantages of classification accuracy and detection efficiency.
Keywords: Event sequence anomaly detection non-public industrial communication protocols SDN
Advanced Persistent Threat Detection and Mitigation Using Machine Learning Model
3
Authors: U. Sakthivelu C. N. S. Vinoth Kumar. Intelligent Automation & Soft Computing (SCIE), 2023, No. 6, pp. 3691-3707, 17 pages
The detection of cyber threats has recently been a crucial research domain as the internet and data drive people's livelihood. Several cyber-attacks lead to the compromise of data security. The proposed system offers complete data protection from Advanced Persistent Threat (APT) attacks with attack detection and defence mechanisms. The modified lateral movement detection algorithm detects the APT attacks, while the defence is achieved by the Dynamic Deception system that makes use of the belief update algorithm. Before termination, every cyber-attack undergoes multiple stages, with the most prominent stage being Lateral Movement (LM). The LM uses a Remote Desktop protocol (RDP) technique to authenticate the unauthorised host leaving footprints on the network and host logs. An anomaly-based approach leveraging the RDP event logs on Windows is used for detecting the evidence of LM. After extracting various feature sets from the logs, the RDP sessions are classified using machine-learning techniques with high recall and precision. It is found that the AdaBoost classifier offers better accuracy, precision, F1 score and recall recording 99.9%, 99.9%, 0.99 and 0.98%. Further, a dynamic deception process is used as a defence mechanism to mitigate APT attacks. A hybrid encryption communication, dynamic (Internet Protocol) IP address generation, timing selection and policy allocation are established based on mathematical models. A belief update algorithm controls the defender's action. The performance of the proposed system is compared with the state-of-the-art models.
Keywords: Advanced persistent threats lateral movement detection dynamic deception remote desktop protocol Internet protocol attack detection
Intelligent Intrusion Detection for Industrial Internet of Things Using Clustering Techniques
4
Authors: Noura Alenezi Ahamed Aljuhani. Computer Systems Science & Engineering (SCIE, EI), 2023, No. 9, pp. 2899-2915, 17 pages
The rapid growth of the Internet of Things (IoT) in the industrial sector has given rise to a new term: the Industrial Internet of Things (IIoT). The IIoT is a collection of devices, apps, and services that connect physical and virtual worlds to create smart, cost-effective, and scalable systems. Although the IIoT has been implemented and incorporated into a wide range of industrial control systems, maintaining its security and privacy remains a significant concern. In the IIoT contexts, an intrusion detection system (IDS) can be an effective security solution for ensuring data confidentiality, integrity, and availability. In this paper, we propose an intelligent intrusion detection technique that uses principal components analysis (PCA) as a feature engineering method to choose the most significant features, minimize data dimensionality, and enhance detection performance. In the classification phase, we use clustering algorithms such as K-medoids and K-means to determine whether a given flow of IIoT traffic is normal or attack for binary classification and identify the group of cyberattacks according to its specific type for multi-class classification. To validate the effectiveness and robustness of our proposed model, we validate the detection method on a new driven IIoT dataset called X-IIoTID. The performance results showed our proposed detection model obtained a higher accuracy rate of 99.79% and reduced error rate of 0.21% when compared to existing techniques.
Keywords: Anomaly detection anomaly-based IDS industrial internet of things (IIoT) internet of things
Anomaly Detection for Industrial Internet of Things Cyberattacks
5
Authors: Rehab Alanazi Ahamed Aljuhani. Computer Systems Science & Engineering (SCIE, EI), 2023, No. 3, pp. 2361-2378, 18 pages
The evolution of the Internet of Things (IoT) has empowered modern industries with the capability to implement large-scale IoT ecosystems, such as the Industrial Internet of Things (IIoT). The IIoT is vulnerable to a diverse range of cyberattacks that can be exploited by intruders and cause substantial reputational and financial harm to organizations. To preserve the confidentiality, integrity, and availability of IIoT networks, an anomaly-based intrusion detection system (IDS) can be used to provide secure, reliable, and efficient IIoT ecosystems. In this paper, we propose an anomaly-based IDS for IIoT networks as an effective security solution to efficiently and effectively overcome several IIoT cyberattacks. The proposed anomaly-based IDS is divided into three phases: pre-processing, feature selection, and classification. In the pre-processing phase, data cleaning and normalization are performed. In the feature selection phase, the candidates' feature vectors are computed using two feature reduction techniques, minimum redundancy maximum relevance and neighborhood components analysis. For the final step, the modeling phase, the following classifiers are used to perform the classification: support vector machine, decision tree, k-nearest neighbors, and linear discriminant analysis. The proposed work uses a new data-driven IIoT data set called X-IIoTID. The experimental evaluation demonstrates our proposed model achieved a high accuracy rate of 99.58%, a sensitivity rate of 99.59%, a specificity rate of 99.58%, and a low false positive rate of 0.4%.
Keywords: Anomaly detection anomaly-based IDS Industrial Internet of Things (IIoT) IOT industrial control systems (ICSs) X-IIoTID
Research on Remote Fault Detection System of Ceramic Kiln Based on 5G and IoT Technologies
6
Authors: LI Tao ZHAO Zengyi YU Zhongzhan. International Journal of Plant Engineering and Management, 2023, No. 2, pp. 99-112, 14 pages
In order to overcome the defects of the existing technology that the detection of ceramic electric kiln faults takes a long time and costs a lot, an electric kiln control and fault detection device was designed. The working process of the device includes detection module, control module, start-stop module and switch module. The detection module detects the resistance circuit and sends a fault signal to the control module. The control module generates stop signal and fault information according to the fault signal, and starts the electric kiln when the fault signal is not received within the preset time. The start-stop module can monitor the internal temperature of the electric kiln and control the closing status of the switch module. The switch module is used to control the connection status of AC power and each resistance circuit in the kiln. Based on the 5G DTU or 5G module, the control module could send the information to mobile terminal under the ultra-reliable and low-latency communication (uRLLC) technical characteristics of 5G communication.
Keywords: ceramic electric kiln remote fault detection modbus protocol 5G communication
MAC Frame Resolution and PHY Protocol Type Detection of IEEE 802.11
7
Authors: Ling Li Shi Peng June Li Kai Yuan Zhihao Wang Yinbin Liu Ping Chen Xianbing Wang. International Journal of Communications, Network and System Sciences, 2017, No. 5, pp. 43-53, 11 pages
Frame resolution and physical layer (PHY) protocol type detection are the basis of research and development of intrusion prevention systems for IEEE 802.11 wireless network. Aiming at the problems which cannot be solved by the specifications export, this paper proposed a MAC frame analytical method and a PHY protocol type detection algorithm based on parsing the IEEE 802.11 packets captured by the library Libpcap. The packet structure and the length of the frame preamble (18 or 26 bytes) are presented. Then the methods of transforming byte-order and resolving sub-fields are given. A detection algorithm of PHY protocol type is proposed based on the experiments and examples are given to verify these methods. This work can be a reference for the R&D related to link layer frame analysis.
Keywords: IEEE 802.11 MAC FRAME RESOLUTION PHY protocols detection
Distributed intrusion detection for mobile ad hoc networks (Cited by: 7)
8
Authors: Yi Ping Jiang Xinghao Wu Yue Liu Ning. Journal of Systems Engineering and Electronics (SCIE, EI, CSCD), 2008, No. 4, pp. 851-859, 9 pages
Mobile ad hoc networking (MANET) has become an exciting and important technology in recent years, because of the rapid proliferation of wireless devices. Mobile ad hoc networks are highly vulnerable to attacks due to the open medium, dynamically changing network topology, cooperative algorithms, and lack of centralized monitoring and management point. The traditional way of protecting networks with firewalls and encryption software is no longer sufficient and effective for those features. A distributed intrusion detection approach based on timed automata is given. A cluster-based detection scheme is presented, where periodically a node is elected as the monitor node for a cluster. These monitor nodes can not only make local intrusion detection decisions, but also cooperatively take part in global intrusion detection. And then the timed automata is constructed by the way of manually abstracting the correct behaviours of the node according to the routing protocol of dynamic source routing (DSR). The monitor nodes can verify the behaviour of every node by timed automata, and validly detect real-time attacks without signatures of intrusion or trained data. Compared with the architecture where each node is its own IDS agent, the approach is much more efficient while maintaining the same level of effectiveness. Finally, the intrusion detection method is evaluated through simulation experiments.
Keywords: mobile ad hoc networks routing protocol SECURITY intrusion detection timed automata
Anomaly Detection for Internet of Things Cyberattacks (Cited by: 1)
9
Authors: Manal Alanazi Ahamed Aljuhani. Computers, Materials & Continua (SCIE, EI), 2022, No. 7, pp. 261-279, 19 pages
The Internet of Things (IoT) has been deployed in diverse critical sectors with the aim of improving quality of service and facilitating human lives. The IoT revolution has redefined digital services in different domains by improving efficiency, productivity, and cost-effectiveness. Many service providers have adapted IoT systems or plan to integrate them as integral parts of their systems' operation; however, IoT security issues remain a significant challenge. To minimize the risk of cyberattacks on IoT networks, anomaly detection based on machine learning can be an effective security solution to overcome a wide range of IoT cyberattacks. Although various detection techniques have been proposed in the literature, existing detection methods address limited cyberattacks and utilize outdated datasets for evaluations. In this paper, we propose an intelligent, effective, and lightweight detection approach to detect several IoT attacks. Our proposed model includes a collaborative feature selection method that selects the best distinctive features and eliminates unnecessary features to build an effective and efficient detection model. In the detection phase, we also proposed an ensemble of learning techniques to improve classification for predicting several different types of IoT attacks. The experimental results show that our proposed method can effectively and efficiently predict several IoT attacks with a higher accuracy rate of 99.984%, a precision rate of 99.982%, a recall rate of 99.984%, and an F1-score of 99.983%.
Keywords: Anomaly detection anomaly-based IDS CYBERSECURITY feature selection Internet of Things (IoT) intrusion detection
Distributed and Cooperative Anomaly Detection Scheme for Mobile Ad Hoc Networks (Cited by: 1)
10
Authors: Hisham Mustafa Yan Xiong Khalid Elaalim. Journal of Computer and Communications, 2014, No. 3, pp. 1-10, 10 pages
Due to their unique characteristics, such as the dynamic changing topology, the absence of central management, the cooperative routing mechanisms, and the resources constraints, Mobile ad hoc networks (MANETs) are relatively vulnerable to both active and passive attacks. In MANET, routing attacks try to disrupt the functions of routing protocol by intentionally or unintentionally dropping packets or propagating faked routing messages. However, due to their computation requirements, the prevention mechanisms are not powerful enough to secure MANET. In this paper, we propose a distributed and cooperative scheme using statistical methods to detect routing attacks in MANETs. Our scheme uses both direct and indirect observations to characterize the behaviors of both neighboring and remote nodes. Simple threshold and Grubb's Test are utilized to propose our new detection methods. The scheme includes innovative methods to compute our proposed measures, Maximum Accusation Number (MAN) and Accusation Number (AN), which are used to make decision about node's behavior. Experimental results show that our scheme performs well in detecting anomalous events in routing functions.
Keywords: MANET ROUTING protocol ROUTING ATTACKS ANOMALY detection TRUST and AVAILABILITY Statistical Test
An Useful Communication Mechanism for Distributed Agents-Based Intrusion Detection System
11
Authors: DU Ye. Wuhan University Journal of Natural Sciences (CAS), 2006, No. 6, pp. 1801-1804, 4 pages
The communication mechanism plays an important role in an intrusion detection system, while it has not been paid enough attention. Based on analyzing the actual facts and expatiating upon the requirements a communication mechanism needs to meet, a message driven communication mechanism is proposed in this paper. The protocol presented here is divided into three layers: entity level, host level, and network level. The communication processes are also designed in detail. Experiments illustrate that cooperative entities can detect distributed sophisticated attacks accurately. Furthermore, this mechanism has the advantages like high reliability, low time delay and expenses.
Keywords: COMMUNICATION intrusion detection system COOPERATION MODEL protocol
Collision Detection and the Design of Fair and Stable MAC Scheme for Wireless Ad Hoc Networks
12
Authors: Yongkang Xiao Rong Xiao Bo Sun. Communications and Network, 2013, No. 3, pp. 355-360, 6 pages
Fairness and stability guarantee among TCP flows is very stubborn in wireless ad hoc networks. There is not a MAC protocol that can fulfill this acquirement until now. In this paper, we firstly reveal the in-depth causes of the severe TCP unfairness and instability problems in IEEE 802.11-based multihop networks. Then we utilize the collision detection mechanism of the IEEE 802.11 protocol which is often ignored by most of the people to design a novel collision detection mechanism-based MAC (CDMB-MAC) scheme to solve the short-term and long-term fairness and stability issues while providing a good aggregate throughput in many topologies.
Keywords: Ad HOC Networks IEEE 802.11 MAC protocol TCP FAIR STABLE COLLISION detection Mechanism
Anomaly Detection Framework in Fog-to-Things Communication for Industrial Internet of Things
13
Authors: Tahani Alatawi Ahamed Aljuhani. Computers, Materials & Continua (SCIE, EI), 2022, No. 10, pp. 1067-1086, 20 pages
The rapid development of the Internet of Things (IoT) in the industrial domain has led to the new term the Industrial Internet of Things (IIoT). The IIoT includes several devices, applications, and services that connect the physical and virtual space in order to provide smart, cost-effective, and scalable systems. Although the IIoT has been deployed and integrated into a wide range of industrial control systems, preserving security and privacy of such a technology remains a big challenge. An anomaly-based Intrusion Detection System (IDS) can be an effective security solution for maintaining the confidentiality, integrity, and availability of data transmitted in IIoT environments. In this paper, we propose an intelligent anomaly-based IDS framework in the context of fog-to-things communications to decentralize the cloud-based security solution into a distributed architecture (fog nodes) near the edge of the data source. The anomaly detection system utilizes minimum redundancy maximum relevance and principal component analysis as the featured engineering methods to select the most important features, reduce the data dimensionality, and improve detection performance. In the classification stage, anomaly-based ensemble learning techniques such as bagging, LPBoost, RUSBoost, and Adaboost models are implemented to determine whether a given flow of traffic is normal or malicious. To validate the effectiveness and robustness of our proposed model, we evaluate our anomaly detection approach on a new driven IIoT dataset called XIIoTID, which includes new IIoT protocols, various cyberattack scenarios, and different attack protocols. The experimental results demonstrated that our proposed anomaly detection method achieved a higher accuracy rate of 99.91% and a reduced false alarm rate of 0.1% compared to other recently proposed techniques.
Keywords: Anomaly detection anomaly-based IDS fog computing Internet of Things (IoT) Industrial Internet of Things (IIoT) IDS Industrial Control Systems (ICSs)
A Novel Low-Complexity Low-Latency Power Efficient Collision Detection Algorithm for Wireless Sensor Networks
14
Authors: Fawaz Alassery Walid K. M. Ahmed Mohsen Sarraf Victor Lawrence. Wireless Sensor Network, 2015, No. 6, pp. 43-75, 33 pages
Collision detection mechanisms in Wireless Sensor Networks (WSNs) have largely been revolving around direct demodulation and decoding of received packets and deciding on a collision based on some form of a frame error detection mechanism, such as a CRC check. The obvious drawback of full detection of a received packet is the need to expend a significant amount of energy and processing complexity in order to fully decode a packet, only to discover the packet is illegible due to a collision. In this paper, we propose a suite of novel, yet simple and power-efficient algorithms to detect a collision without the need for full-decoding of the received packet. Our novel algorithms aim at detecting collision through fast examination of the signal statistics of a short snippet of the received packet via a relatively small number of computations over a small number of received IQ samples. Hence, the proposed algorithms operate directly at the output of the receiver's analog-to-digital converter and eliminate the need to pass the signal through the entire. In addition, we present a complexity and power-saving comparison between our novel algorithms and conventional full-decoding (for select coding schemes) to demonstrate the significant power and complexity saving advantage of our algorithms.
Keywords: WIRELESS SENSOR Networks WIRELESS SENSOR protocols COLLISION detection ALGORITHMS Power-Efficient Techniques Low COMPLEXITY ALGORITHMS
CAND-IDS: A Novel Context Aware Intrusion Detection System in Cooperative Wireless Sensor Networks by Nodal Node Deployment
15
Authors: Rathinam Gopal Velusamy Parthasarathy. Circuits and Systems, 2016, No. 11, pp. 3504-3521, 19 pages
Cooperative wireless sensor networks have drastically grown due to node co-operative in unaltered environment. Various real time applications are developed and deployed under cooperative network, which controls and coordinates the flow to and from the nodes to the base station. Though nodes are interlinked to give expected state behavior, it is vital to monitor the malicious activities in the network. There is a high end probability to compromise the node behavior that leads to catastrophes. To overcome this issue a Novel Context Aware-IDS approach named Context Aware Nodal Deployment-IDS (CAND-IDS) is framed. During data transmission based on node properties and behavior CAND-IDS detects and eliminates the malicious nodes in the explored path. Also during network deployment and enhancement, node has to follow Context Aware Cooperative Routing Protocol (CCRP), to ensure the reliability of the network. CAND-IDS are programmed and simulated using Network Simulator software and the performance is verified and evaluated. The simulation result shows significant improvements in the throughput, energy consumption and delay made when compared with the existing system.
Keywords: Cooperative Network Intrusion detection System Context Aware Routing protocol Network Simulator
Security Design Scheme for the IEC104 Protocol Based on HSA Technology
16
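Authors: 郭丽红 曹烨 单锦涛 胡婷婷 纪宇菲. 《南京工程学院学报(自然科学版)》, 2024, No. 1, pp. 52-58, 7 pages
Taking the IEC104 protocol, which is widely used in the electric power industry, as the research object, this paper analyzes the protocol's message structure and identifies its security risks and vulnerabilities. It proposes adding a security information control field and encrypting the core data to form a secure communication protocol, APDUSec. Without changing the original transmission mode, the RSA encryption algorithm and the HMAC authentication algorithm are adopted to ensure the confidentiality, integrity and non-repudiation of the protocol. To address communication link failures in power communication systems, HSA technology is used to solve the loop detection and slice security problems. Simulation test results show that APDUSec can, to a certain extent, effectively meet the needs of information confidentiality and identity authentication, and that HSA technology has certain advantages in loop detection, transmission efficiency and other respects. The results provide a reference for research on the security and reliability of IEC104 protocol operation.
Keywords: IEC104; protocol data unit; security protocol; security detection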
A Reliable Routing Protocol for UAV Ad Hoc Networks Based on Hollow Node Detection
17
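Authors: 姚玉坤 刘长安 张斐翔 谢雨珈. 《电讯技术》 (PKU Core), 2024, No. 7, pp. 1025-1032, 8 pages
To address the short Link Live Time (LLT) between nodes and the large number of routing holes encountered by nodes in highly dynamic UAV ad hoc networks, a reliable UAV ad hoc network routing protocol based on hollow node detection, GPSR-HND (Greedy Perimeter Stateless Routing Based on Hollow Node Detection), is proposed. In the GPSR-HND protocol, a forwarding node checks the state of its neighbor nodes through a hollow node detection mechanism and adds valid neighbor nodes to the candidate neighbor node set. A multi-metric next-hop node selection mechanism based on the Analytic Hierarchy Process (AHP) then selects the neighbor node with the largest weight from the candidate neighbor node set to forward data greedily. If the candidate neighbor node set is empty, the hollow node with the largest weight is selected from the hollow neighbor node set to start an improved perimeter forwarding mechanism, which searches for a node from which the greedy forwarding mode can be resumed. Compared with the GPSR-NS protocol and the GPSR protocol, the GPSR-HND protocol shows better performance, including improvements in average end-to-end delay and packet loss rate and an increase in throughput.
Keywords: UAV ad hoc network; hollow node detection; routing protocol; perimeter forwarding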
A Survey of Formal Analysis Methods for Security Protocols
18
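Authors: 缪祥华 黄明巍 张世奇 张世杰 王欣源. 《化工自动化及仪表》 (CAS), 2024, No. 3, pp. 367-378, 12 pages
The basic concepts and classification of security protocols are introduced, and then formal analysis methods for security protocols are described in detail, including methods based on modal logic, methods based on model checking, methods based on theorem proving, and methods based on provable security theory. Among these, methods based on model checking are currently the most widely used, so some commonly used tools based on model checking are introduced in detail. Finally, the current research hotspots and future development directions of formal analysis methods for security protocols are summarized.
Keywords: security protocol; formal analysis; modal logic; model checking; theorem proving; provable security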
DoH Traffic Detection Based on Information Entropy and Server Identification (Cited by: 1)
19
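Authors: 徐魁 海洋 李晓辉 陶军. 《计算机技术与发展》, 2024, No. 4, pp. 132-138, 7 pages
The DNS over HTTPS (DoH) protocol is a recent improvement to the Domain Name System (DNS). However, users can use third-party DoH services to evade the existing monitoring of an internal network, so anomalous traffic detection methods are no longer suitable for detecting DoH traffic. To address this problem, a DTESI algorithm is proposed. First, based on information entropy, DoH traffic is filtered out of all network traffic as anomalous traffic. Then, exploiting the property that a DoH server always responds in the same way when establishing a TLS connection with the same client, fingerprinting is used to examine the TLS negotiation between the client and the DoH server and determine the identity of the DoH server. Finally, a Top-K sampling algorithm selects the top K active hosts in the network within a given period for focused traffic detection, so that the algorithm can be applied to the networks of medium and large organizations. Experimental results show that, for the anomalous traffic discovered, the DTESI algorithm identifies the DoH service provider with an accuracy of over 94%. On this basis, the detection time of the algorithm and its detection coverage of all DoH traffic in the network are compared under different values of K, and the results show that a reasonable choice of K can improve the overall effectiveness of the algorithm.
Keywords: DNS over HTTPS; network traffic detection; information entropy; fingerprinting; TLS protocol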
Anomaly Detection for Industrial Control Networks Using an Optimized Random Forest Model
20
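Authors: 宗学军 王润鹏 何戡 连莲. 《沈阳工业大学学报》 (CAS, PKU Core), 2024, No. 2, pp. 197-205, 9 pages
To address the low efficiency and accuracy of existing anomaly detection for the Modbus TCP protocol, a random forest anomaly detection model optimized by a hybrid whale algorithm is proposed. The model combines Cauchy mutation with an adaptive dynamic inertia weight: the Cauchy mutation operator is used to increase population diversity and keep the algorithm from falling into local optima, and the adaptive dynamic inertia weight factor is introduced to improve the global search capability of the population and speed up the convergence of the algorithm. Simulation results show that the model has higher accuracy and stronger adaptability than other classification algorithms, demonstrating that the model has high detection accuracy in practical applications.
Keywords: industrial control network; anomaly detection; industrial protocol; whale algorithm; random forest; chaotic map; Cauchy mutation; adaptive weight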