Unknown DDoS Attack Detection with Fuzzy C-Means Clustering and Spatial Location Constraint Prototype Loss

Since its inception,the Internet has been rapidly evolving.With the advancement of science and technology and the explosive growth of the population,the demand for the Internet has been on the rise.Many applications in education,healthcare,entertainment,science,and more are being increasingly deployed based on the internet.Concurrently,malicious threats on the internet are on the rise as well.Distributed Denial of Service(DDoS)attacks are among the most common and dangerous threats on the internet today.The scale and complexity of DDoS attacks are constantly growing.Intrusion Detection Systems(IDS)have been deployed and have demonstrated their effectiveness in defense against those threats.In addition,the research of Machine Learning(ML)and Deep Learning(DL)in IDS has gained effective results and significant attention.However,one of the challenges when applying ML and DL techniques in intrusion detection is the identification of unknown attacks.These attacks,which are not encountered during the system’s training,can lead to misclassification with significant errors.In this research,we focused on addressing the issue of Unknown Attack Detection,combining two methods:Spatial Location Constraint Prototype Loss(SLCPL)and Fuzzy C-Means(FCM).With the proposed method,we achieved promising results compared to traditional methods.The proposed method demonstrates a very high accuracy of up to 99.8%with a low false positive rate for known attacks on the Intrusion Detection Evaluation Dataset(CICIDS2017)dataset.Particularly,the accuracy is also very high,reaching 99.7%,and the precision goes up to 99.9%for unknown DDoS attacks on the DDoS Evaluation Dataset(CICDDoS2019)dataset.The success of the proposed method is due to the combination of SLCPL,an advanced Open-Set Recognition(OSR)technique,and FCM,a traditional yet highly applicable clustering technique.This has yielded a novel method in the field of unknown attack detection.This further expands the trend of applying DL and ML techniques in the development of intrusion detection systems and cybersecurity.Finally,implementing the proposed method in real-world systems can enhance the security capabilities against increasingly complex threats on computer networks.

An Erebus Attack Detection Method Oriented to Blockchain Network Layer

Recently,the Erebus attack has proved to be a security threat to the blockchain network layer,and the existing research has faced challenges in detecting the Erebus attack on the blockchain network layer.The cloud-based active defense and one-sidedness detection strategies are the hindrances in detecting Erebus attacks.This study designs a detection approach by establishing a ReliefF_WMRmR-based two-stage feature selection algorithm and a deep learning-based multimodal classification detection model for Erebus attacks and responding to security threats to the blockchain network layer.The goal is to improve the performance of Erebus attack detection methods,by combining the traffic behavior with the routing status based on multimodal deep feature learning.The traffic behavior and routing status were first defined and used to describe the attack characteristics at diverse stages of s leak monitoring,hidden traffic overlay,and transaction identity forgery.The goal is to clarify how an Erebus attack affects the routing transfer and traffic state on the blockchain network layer.Consequently,detecting objects is expected to become more relevant and sensitive.A two-stage feature selection algorithm was designed based on ReliefF and weighted maximum relevance minimum redundancy(ReliefF_WMRmR)to alleviate the overfitting of the training model caused by redundant information and noise in multiple source features of the routing status and traffic behavior.The ReliefF algorithm was introduced to select strong correlations and highly informative features of the labeled data.According to WMRmR,a feature selection framework was defined to eliminate weakly correlated features,eliminate redundant information,and reduce the detection overhead of the model.A multimodal deep learning model was constructed based on the multilayer perceptron(MLP)to settle the high false alarm rates incurred by multisource data.Using this model,isolated inputs and deep learning were conducted on the selected routing status and traffic behavior.Redundant intermodal information was removed because of the complementarity of the multimodal network,which was followed by feature fusion and output feature representation to boost classification detection precision.The experimental results demonstrate that the proposed method can detect features,such as traffic data,at key link nodes and route messages in a real blockchain network environment.Additionally,the model can detect Erebus attacks effectively.This study provides novelty to the existing Erebus attack detection by increasing the accuracy detection by 1.05%,the recall rate by 2.01%,and the F1-score by 2.43%.

FEW-NNN: A Fuzzy Entropy Weighted Natural Nearest Neighbor Method for Flow-Based Network Traffic Attack Detection

Attacks such as APT usually hide communication data in massive legitimate network traffic, and mining structurally complex and latent relationships among flow-based network traffic to detect attacks has become the focus of many initiatives. Effectively analyzing massive network security data with high dimensions for suspicious flow diagnosis is a huge challenge. In addition, the uneven distribution of network traffic does not fully reflect the differences of class sample features, resulting in the low accuracy of attack detection. To solve these problems, a novel approach called the fuzzy entropy weighted natural nearest neighbor(FEW-NNN) method is proposed to enhance the accuracy and efficiency of flowbased network traffic attack detection. First, the FEW-NNN method uses the Fisher score and deep graph feature learning algorithm to remove unimportant features and reduce the data dimension. Then, according to the proposed natural nearest neighbor searching algorithm(NNN_Searching), the density of data points, each class center and the smallest enclosing sphere radius are determined correspondingly. Finally, a fuzzy entropy weighted KNN classification method based on affinity is proposed, which mainly includes the following three steps: 1、 the feature weights of samples are calculated based on fuzzy entropy values, 2、 the fuzzy memberships of samples are determined based on affinity among samples, and 3、 K-neighbors are selected according to the class-conditional weighted Euclidean distance, the fuzzy membership value of the testing sample is calculated based on the membership of k-neighbors, and then all testing samples are classified according to the fuzzy membership value of the samples belonging to each class;that is, the attack type is determined. The method has been applied to the problem of attack detection and validated based on the famous KDD99 and CICIDS-2017 datasets. From the experimental results shown in this paper, it is observed that the FEW-NNN method improves the accuracy and efficiency of flow-based network traffic attack detection.

Anti-D Chain:A Lightweight DDoS Attack Detection Scheme Based on Heterogeneous Ensemble Learning in Blockchain

With rapid development of blockchain technology,blockchain and its security theory research and practical application have become crucial.At present,a new DDoS attack has arisen,and it is the DDoS attack in blockchain network.The attack is harmful for blockchain technology and many application scenarios.However,the traditional and existing DDoS attack detection and defense means mainly come from the centralized tactics and solution.Aiming at the above problem,the paper proposes the virtual reality parallel anti-DDoS chain design philosophy and distributed anti-D Chain detection framework based on hybrid ensemble learning.Here,Ada Boost and Random Forest are used as our ensemble learning strategy,and some different lightweight classifiers are integrated into the same ensemble learning algorithm,such as CART and ID3.Our detection framework in blockchain scene has much stronger generalization performance,universality and complementarity to identify accurately the onslaught features for DDoS attack in P2P network.Extensive experimental results confirm that our distributed heterogeneous anti-D chain detection method has better performance in six important indicators(such as Precision,Recall,F-Score,True Positive Rate,False Positive Rate,and ROC curve).

TDOA-based Sybil attack detection scheme for wireless sensor networks

As wireless sensor networks （WSN） are deployed in fire monitoring, object tracking applications, security emerges as a central requirement. A case that Sybil node illegitimately reports messages to the master node with multiple non-existent identities （ID） will cause harmful effects on decision-making or resource allocation in these applications. In this paper, we present an efficient and lightweight solution for Sybil attack detection based on the time difference of arrival （TDOA） between the source node and beacon nodes. This solution can detect the existence of Sybil attacks, and locate the Sybil nodes. We demonstrate efficiency of the solution through experiments. The experiments show that this solution can detect all Sybil attack cases without missing.

An Efficient Impersonation Attack Detection Method in Fog Computing

Fog computing paradigm extends computing,communication,storage,and network resources to the network’s edge.As the fog layer is located between cloud and end-users,it can provide more convenience and timely services to end-users.However,in fog computing(FC),attackers can behave as real fog nodes or end-users to provide malicious services in the network.The attacker acts as an impersonator to impersonate other legitimate users.Therefore,in this work,we present a detection technique to secure the FC environment.First,we model a physical layer key generation based on wireless channel characteristics.To generate the secret keys between the legitimate users and avoid impersonators,we then consider a Double Sarsa technique to identify the impersonators at the receiver end.We compare our proposed Double Sarsa technique with the other two methods to validate our work,i.e.,Sarsa and Q-learning.The simulation results demonstrate that the method based on Double Sarsa outperforms Sarsa and Q-learning approaches in terms of false alarm rate(FAR),miss detection rate(MDR),and average error rate(AER).

DDoS Attack Detection via Multi-Scale Convolutional Neural Network

Distributed Denial-of-Service(DDoS)has caused great damage to the network in the big data environment.Existing methods are characterized by low computational efficiency,high false alarm rate and high false alarm rate.In this paper,we propose a DDoS attack detection method based on network flow grayscale matrix feature via multi-scale convolutional neural network(CNN).According to the different characteristics of the attack flow and the normal flow in the IP protocol,the seven-tuple is defined to describe the network flow characteristics and converted into a grayscale feature by binary.Based on the network flow grayscale matrix feature(GMF),the convolution kernel of different spatial scales is used to improve the accuracy of feature segmentation,global features and local features of the network flow are extracted.A DDoS attack classifier based on multi-scale convolution neural network is constructed.Experiments show that compared with correlation methods,this method can improve the robustness of the classifier,reduce the false alarm rate and the missing alarm rate.

A Novel Shilling Attack Detection Model Based on Particle Filter and Gravitation

With the rapid development of e-commerce, the security issues of collaborative filtering recommender systems have been widely investigated. Malicious users can benefit from injecting a great quantities of fake profiles into recommender systems to manipulate recommendation results. As one of the most important attack methods in recommender systems, the shilling attack has been paid considerable attention, especially to its model and the way to detect it. Among them, the loose version of Group Shilling Attack Generation Algorithm (GSAGenl) has outstanding performance. It can be immune to some PCC (Pearson Correlation Coefficient)-based detectors due to the nature of anti-Pearson correlation. In order to overcome the vulnerabilities caused by GSAGenl, a gravitation-based detection model (GBDM) is presented, integrated with a sophisticated gravitational detector and a decider. And meanwhile two new basic attributes and a particle filter algorithm are used for tracking prediction. And then, whether an attack occurs can be judged according to the law of universal gravitation in decision-making. The detection performances of GBDM, HHT-SVM, UnRAP, AP-UnRAP Semi-SAD,SVM-TIA and PCA-P are compared and evaluated. And simulation results show the effectiveness and availability of GBDM.

RP-NBSR: A Novel Network Attack Detection Model Based on Machine Learning

The rapid progress of the Internet has exposed networks to an increasednumber of threats. Intrusion detection technology can effectively protect networksecurity against malicious attacks. In this paper, we propose a ReliefF-P-NaiveBayes and softmax regression (RP-NBSR) model based on machine learningfor network attack detection to improve the false detection rate and F1 score ofunknown intrusion behavior. In the proposed model, the Pearson correlation coef-ficient is introduced to compensate for deficiencies in correlation analysis betweenfeatures by the ReliefF feature selection algorithm, and a ReliefF-Pearson correlation coefficient (ReliefF-P) algorithm is proposed. Then, the Relief-P algorithm isused to preprocess the UNSW-NB15 dataset to remove irrelevant features andobtain a new feature subset. Finally, naïve Bayes and softmax regression (NBSR)classifier is constructed by cascading the naïve Bayes classifier and softmaxregression classifier, and an attack detection model based on RP-NBSR is established. The experimental results on the UNSW-NB15 dataset show that the attackdetection model based on RP-NBSR has a lower false detection rate and higherF1 score than other detection models.

Intelligent DoS Attack Detection with Congestion Control Technique for VANETs

VehicularAd hoc Network(VANET)has become an integral part of Intelligent Transportation Systems(ITS)in today’s life.VANET is a network that can be heavily scaled up with a number of vehicles and road side units that keep fluctuating in real world.VANET is susceptible to security issues,particularly DoS attacks,owing to maximum unpredictability in location.So,effective identification and the classification of attacks have become the major requirements for secure data transmission in VANET.At the same time,congestion control is also one of the key research problems in VANET which aims at minimizing the time expended on roads and calculating travel time as well as waiting time at intersections,for a traveler.With this motivation,the current research paper presents an intelligent DoS attack detection with Congestion Control(IDoS-CC)technique for VANET.The presented IDoSCC technique involves two-stage processes namely,Teaching and Learning Based Optimization(TLBO)-based Congestion Control(TLBO-CC)and Gated Recurrent Unit(GRU)-based DoS detection(GRU-DoSD).The goal of IDoS-CC technique is to reduce the level of congestion and detect the attacks that exist in the network.TLBO algorithm is also involved in IDoS-CC technique for optimization of the routes taken by vehicles via traffic signals and to minimize the congestion on a particular route instantaneously so as to assure minimal fuel utilization.TLBO is applied to avoid congestion on roadways.Besides,GRU-DoSD model is employed as a classification model to effectively discriminate the compromised and genuine vehicles in the network.The outcomes from a series of simulation analyses highlight the supremacy of the proposed IDoS-CC technique as it reduced the congestion and successfully identified the DoS attacks in network.

A Novel DDoS Attack Detection Method Using Optimized Generalized Multiple Kernel Learning

Distributed Denial of Service(DDoS)attack has become one of the most destructive network attacks which can pose a mortal threat to Internet security.Existing detection methods cannot effectively detect early attacks.In this paper,we propose a detection method of DDoS attacks based on generalized multiple kernel learning(GMKL)combining with the constructed parameter R.The super-fusion feature value(SFV)and comprehensive degree of feature(CDF)are defined to describe the characteristic of attack flow and normal flow.A method for calculating R based on SFV and CDF is proposed to select the combination of kernel function and regularization paradigm.A DDoS attack detection classifier is generated by using the trained GMKL model with R parameter.The experimental results show that kernel function and regularization parameter selection method based on R parameter reduce the randomness of parameter selection and the error of model detection,and the proposed method can effectively detect DDoS attacks in complex environments with higher detection rate and lower error rate.

Dynamic load-altering attack detection based on adaptive fading Kalman filter in power systems

This paper presents an effective and feasible method for detecting dynamic load-altering attacks(D-LAAs)in a smart grid.First,a smart grid discrete system model is established in view of D-LAAs.Second,an adaptive fading Kalman filter(AFKF)is designed for estimating the state of the smart grid.The AFKF can completely filter out the Gaussian noise of the power system,and obtain a more accurate state change curve(including consideration of the attack).A Euclidean distance ratio detection algorithm based on the AFKF is proposed for detecting D-LAAs.Amplifying imperceptible D-LAAs through the new Euclidean distance ratio improves the D-LAA detection sensitivity,especially for very weak D-LAA attacks.Finally,the feasibility and effectiveness of the Euclidean distance ratio detection algorithm are verified based on simulations.

Data Mining Based Cyber-Attack Detection

Detecting cyber-attacks undoubtedly has become a big data problem. This paper presents a tutorial on data mining based cyber-attack detection. First,a data driven defence framework is presented in terms of cyber security situational awareness. Then, the process of data mining based cyber-attack detection is discussed. Next,a multi-loop learning architecture is presented for data mining based cyber-attack detection. Finally,common data mining techniques for cyber-attack detection are discussed.

DDoS Attack Detection Scheme Based on Entropy and PSO-BP Neural Network in SDN

SDN (Software Defined Network) has many security problems, and DDoS attack is undoubtedly the most serious harm to SDN architecture network. How to accurately and effectively detect DDoS attacks has always been a difficult point and focus of SDN security research. Based on the characteristics of SDN, a DDoS attack detection method combining generalized entropy and PSOBP neural network is proposed. The traffic is pre-detected by the generalized entropy method deployed on the switch, and the detection result is divided into normal and abnormal. Locate the switch that issued the abnormal alarm. The controller uses the PSO-BP neural network to detect whether a DDoS attack occurs by further extracting the flow features of the abnormal switch. Experiments show that compared with other methods, the detection accurate rate is guaranteed while the CPU load of the controller is reduced, and the detection capability is better.

An Optimal Hybrid Learning Approach for Attack Detection in Linear Networked Control Systems

A novel learning-based attack detection and estimation scheme is proposed for linear networked control systems(NCS),wherein the attacks on the communication network in the feedback loop are expected to increase network induced delays and packet losses,thus changing the physical system dynamics.First,the network traffic flow is modeled as a linear system with uncertain state matrix and an optimal Q-learning based control scheme over finite-horizon is utilized to stabilize the flow.Next,an adaptive observer is proposed to generate the detection residual,which is subsequently used to determine the onset of an attack when it exceeds a predefined threshold,followed by an estimation scheme for the signal injected by the attacker.A stochastic linear system after incorporating network-induced random delays and packet losses is considered as the uncertain physical system dynamics.The attack detection scheme at the physical system uses the magnitude of the state vector to detect attacks both on the sensor and the actuator.The maximum tolerable delay that the physical system can tolerate due to networked induced delays and packet losses is also derived.Simulations have been performed to demonstrate the effectiveness of the proposed schemes.

Two-Tier GCT Based Approach for Attack Detection

The frequent attacks on network infrastructure, using various forms of denial of service attacks, have led to an increased need for developing new techniques for analyzing network traffic. If efficient analysis tools were available, it could become possible to detect the attacks and to take action to weaken those attacks appropriately before they have had time to propagate across the network. In this paper, we propose an SNMP MIB oriented approach for detecting attacks, which is based on two-tier GCT by analyzing causal relationship between attacking variable at the attacker and abnormal variable at the target. According to the abnormal behavior at the target, GCT is executed initially to determine preliminary attacking variable, which has whole causality with abnormal variable in network behavior. Depending on behavior feature extracted from abnormal behavior, we can recognize attacking variable by using GCT again, which has local causality with abnormal variable in local behavior. Proactive detecting rules can be constructed with the causality between attacking variable and abnormal variable, which can be used to give alarms in network management system. The results of experiment showed that the approach with two-tier GCT was proved to detect attacks early, with which attack propagation could be slowed through early detection.

CL2ES-KDBC:A Novel Covariance Embedded Selection Based on Kernel Distributed Bayes Classifier for Detection of Cyber-Attacks in IoT Systems

The Internet of Things(IoT)is a growing technology that allows the sharing of data with other devices across wireless networks.Specifically,IoT systems are vulnerable to cyberattacks due to its opennes The proposed work intends to implement a new security framework for detecting the most specific and harmful intrusions in IoT networks.In this framework,a Covariance Linear Learning Embedding Selection(CL2ES)methodology is used at first to extract the features highly associated with the IoT intrusions.Then,the Kernel Distributed Bayes Classifier(KDBC)is created to forecast attacks based on the probability distribution value precisely.In addition,a unique Mongolian Gazellas Optimization(MGO)algorithm is used to optimize the weight value for the learning of the classifier.The effectiveness of the proposed CL2ES-KDBC framework has been assessed using several IoT cyber-attack datasets,The obtained results are then compared with current classification methods regarding accuracy(97%),precision(96.5%),and other factors.Computational analysis of the CL2ES-KDBC system on IoT intrusion datasets is performed,which provides valuable insight into its performance,efficiency,and suitability for securing IoT networks.

Optimal monitoring and attack detection of networks modeled by Bayesian attack graphs

Early attack detection is essential to ensure the security of complex networks,especially those in critical infrastructures.This is particularly crucial in networks with multi-stage attacks,where multiple nodes are connected to external sources,through which attacks could enter and quickly spread to other network elements.Bayesian attack graphs(BAGs)are powerful models for security risk assessment and mitigation in complex networks,which provide the probabilistic model of attackers’behavior and attack progression in the network.Most attack detection techniques developed for BAGs rely on the assumption that network compromises will be detected through routine monitoring,which is unrealistic given the ever-growing complexity of threats.This paper derives the optimal minimum mean square error(MMSE)attack detection and monitoring policy for the most general form of BAGs.By exploiting the structure of BAGs and their partial and imperfect monitoring capacity,the proposed detection policy achieves the MMSE optimality possible only for linear-Gaussian state space models using Kalman filtering.An adaptive resource monitoring policy is also introduced for monitoring nodes if the expected predictive error exceeds a user-defined value.Exact and efficient matrix-form computations of the proposed policies are provided,and their high performance is demonstrated in terms of the accuracy of attack detection and the most efficient use of available resources using synthetic Bayesian attack graphs with different topologies.

A Review on Cybersecurity Analysis,Attack Detection,and Attack Defense Methods in Cyber-physical Power Systems

Potential malicious cyber-attacks to power systems which are connected to a wide range of stakeholders from the top to tail will impose significant societal risks and challenges.The timely detection and defense are of crucial importance for safe and reliable operation of cyber-physical power systems(CPPSs).This paper presents a comprehensive review of some of the latest attack detection and defense strategies.Firstly,the vulnerabilities brought by some new information and communication technologies(ICTs)are analyzed,and their impacts on the security of CPPSs are discussed.Various malicious cyber-attacks on cyber and physical layers are then analyzed within CPPSs framework,and their features and negative impacts are discussed.Secondly,two current mainstream attack detection methods including state estimation based and machine learning based methods are analyzed,and their benefits and drawbacks are discussed.Moreover,two current mainstream attack defense methods including active defense and passive defense methods are comprehensively discussed.Finally,the trends and challenges in attack detection and defense strategies in CPPSs are provided.

A New Hybrid Approach Using GWO and MFO Algorithms to Detect Network Attack

This paper addresses the urgent need to detect network security attacks,which have increased significantly in recent years,with high accuracy and avoid the adverse effects of these attacks.The intrusion detection system should respond seamlessly to attack patterns and approaches.The use of metaheuristic algorithms in attack detection can produce near-optimal solutions with low computational costs.To achieve better performance of these algorithms and further improve the results,hybridization of algorithms can be used,which leads to more successful results.Nowadays,many studies are conducted on this topic.In this study,a new hybrid approach using Gray Wolf Optimizer(GWO)and Moth-Flame Optimization(MFO)algorithms was developed and applied to widely used data sets such as NSL-KDD,UNSW-NB15,and CIC IDS 2017,as well as various benchmark functions.The ease of hybridization of the GWO algorithm,its simplicity,its ability to perform global optimal search,and the success of the MFO algorithm in obtaining the best solution suggested that an effective solution would be obtained by combining these two algorithms.For these reasons,the developed hybrid algorithm aims to achieve better results by using the good aspects of both the GWO algorithm and the MFO algorithm.In reviewing the results,it was found that a high level of success was achieved in the benchmark functions.It achieved better results in 12 of the 13 benchmark functions compared.In addition,the success rates obtained according to the evaluation criteria in the different data sets are also remarkable.Comparing the 97.4%,98.3%,and 99.2% classification accuracy results obtained in the NSL-KDD,UNSW-NB15,and CIC IDS 2017 data sets with the studies in the literature,they seem to be quite successful.