The rapid advancement of the Internet of Things (IoT) has heightened the importance of security, with a notable increase in Distributed Denial-of-Service (DDoS) attacks targeting IoT devices. Network security specialists face the challenge of producing systems to identify and offset these attacks. This research manages IoT security through the emerging Software-Defined Networking (SDN) standard by developing a unified framework (RNN-RYU). We thoroughly assess multiple deep learning frameworks, including Convolutional Neural Network (CNN), Long Short-Term Memory (LSTM), Feed-Forward Convolutional Neural Network (FFCNN), and Recurrent Neural Network (RNN), and present the novel usage of Synthetic Minority Over-Sampling Technique (SMOTE) tailored for IoT-SDN contexts to manage class imbalance during training and enhance performance metrics. Our research has significant practical implications as we authenticate the approach using both the self-generated SD_IoT_Smart_City dataset and the publicly available CICIoT23 dataset. The system utilizes only eleven features to identify DDoS attacks efficiently. Results indicate that the RNN can reliably and precisely differentiate between DDoS traffic and benign traffic by easily identifying temporal relationships and sequences in the data.
Advanced persistent threat (APT) can use malware, vulnerabilities, and obfuscation countermeasures to launch cyber attacks against specific targets, spy and steal core information, and penetrate and damage critical infrastructure and target systems. Also, the APT attack has caused a catastrophic impact on global network security. Traditional APT attack detection is achieved by constructing rules or manual reverse analysis using expert experience, with poor intelligence and robustness. However, current research lacks a comprehensive effort to sort out the intelligent methods of APT attack detection. To this end, we summarize and review the research on intelligent detection methods for APT attacks. Firstly, we propose two APT attack intelligent detection frameworks for endpoint samples and malware, and for malware-generated audit logs. Secondly, this paper divides APT attack detection into four critical tasks: malicious attack detection, malicious family detection, malicious behavior identification, and malicious code location. In addition, we further analyze and summarize the strategies and characteristics of existing intelligent methods for each task. Finally, we look forward to the forefront of research and potential directions of APT attack detection, which can promote the development of intelligent defense against APT attacks.
The sinkhole attack is one of the most damaging threats in the Internet of Things (IoT). It deceptively attracts neighboring nodes and initiates malicious activity, often disrupting the network when combined with other attacks. This study proposes a novel approach, named NADSA, to detect and isolate sinkhole attacks. NADSA is based on the RPL protocol and consists of two detection phases. In the first phase, the minimum possible hop count between the sender and receiver is calculated and compared with the sender’s reported hop count. The second phase utilizes the number of DIO messages to identify suspicious nodes and then applies a fuzzification process using RSSI, ETX, and distance measurements to confirm the presence of a malicious node. The proposed method is extensively simulated in highly lossy and sparse network environments with varying numbers of nodes. The results demonstrate that NADSA achieves high efficiency, with PDRs of 68%, 70%, and 73%; E2EDs of 81, 72, and 60 ms; TPRs of 89%, 83%, and 80%; and FPRs of 24%, 28%, and 33%. NADSA outperforms existing methods in challenging network conditions, where traditional approaches typically degrade in effectiveness.
As cyber threats become increasingly sophisticated, Distributed Denial-of-Service (DDoS) attacks continue to pose a serious threat to network infrastructure, often disrupting critical services through overwhelming traffic. Although unsupervised anomaly detection using convolutional autoencoders (CAEs) has gained attention for its ability to model normal network behavior without requiring labeled data, conventional CAEs struggle to effectively distinguish between normal and attack traffic due to over-generalized reconstructions and naive anomaly scoring. To address these limitations, we propose CA-CAE, a novel anomaly detection framework designed to improve DDoS detection through asymmetric joint reconstruction learning and refined anomaly scoring. Our architecture connects two CAEs sequentially with asymmetric filter allocation, which amplifies reconstruction errors for anomalous data while preserving low errors for normal traffic. Additionally, we introduce a scoring mechanism that incorporates exponential decay weighting to emphasize recent anomalies and relative traffic volume adjustment to highlight high-risk instances, enabling more accurate and timely detection. We evaluate CA-CAE on a real-world network traffic dataset collected using Cisco NetFlow, containing over 190,000 normal instances and only 78 anomalous instances—an extremely imbalanced scenario (0.0004% anomalies). We validate the proposed framework through extensive experiments, including statistical tests and comparisons with baseline models. Despite this challenge, our method achieves significant improvement, increasing the F1-score from 0.515 obtained by the baseline CAE to 0.934, and outperforming other models. These results demonstrate the effectiveness, scalability, and practicality of CA-CAE for unsupervised DDoS detection in realistic network environments. By combining lightweight model architecture with a domain-aware scoring strategy, our framework provides a robust solution for early detection of DDoS attacks without relying on labeled attack data.
In this paper, the attack detection problem is investigated for a class of closed-loop systems subjected to unknown-but-bounded noises in the presence of stealthy attacks. The measurement outputs from the sensors are quantized before transmission. A specific type of perfect stealthy attack, which meets certain rather stringent conditions, is taken into account. Such attacks could be injected by adversaries into both the sensor-to-estimator and controller-to-actuator channels, with the aim of disrupting the normal data flow. For the purpose of defending against these perfect stealthy attacks, a novel scheme based on watermarks is developed. This scheme includes the injection of watermarks (applied to data prior to quantization) and the recovery of data (implemented before the data reaches the estimator). The watermark-based scheme is designed to be both time-varying and hidden from adversaries through incorporating a time-varying and bounded watermark signal. Subsequently, a watermark-based attack detection strategy is proposed which thoroughly considers the characteristics of perfect stealthy attacks, thereby ensuring that an alarm is activated upon the occurrence of such attacks. An example is provided to demonstrate the efficacy of the proposed mechanism for detecting attacks.
Face Presentation Attack Detection (fPAD) plays a vital role in securing face recognition systems against various presentation attacks. While supervised learning-based methods demonstrate effectiveness, they are prone to overfitting to known attack types and struggle to generalize to novel attack scenarios. Recent studies have explored formulating fPAD as an anomaly detection problem or one-class classification task, enabling the training of generalized models for unknown attack detection. However, conventional anomaly detection approaches encounter difficulties in precisely delineating the boundary between bonafide samples and unknown attacks. To address this challenge, we propose a novel framework focusing on unknown attack detection using exclusively bonafide facial data during training. The core innovation lies in our pseudo-negative sample synthesis (PNSS) strategy, which facilitates learning of compact decision boundaries between bonafide faces and potential attack variations. Specifically, PNSS generates synthetic negative samples within low-likelihood regions of the bonafide feature space to represent diverse unknown attack patterns. To overcome the inherent imbalance between positive and synthetic negative samples during iterative training, we implement a dual-loss mechanism combining focal loss for classification optimization with pairwise confusion loss as a regularizer. This architecture effectively mitigates model bias towards bonafide samples while maintaining discriminative power. Comprehensive evaluations across three benchmark datasets validate the framework’s superior performance. Notably, our PNSS achieves 8%–18% average classification error rate (ACER) reduction compared with state-of-the-art one-class fPAD methods in cross-dataset evaluations on Idiap Replay-Attack and MSU-MFSD datasets.
The surge in smishing attacks underscores the urgent need for robust, real-time detection systems powered by advanced deep learning models. This paper introduces PhishNet, a novel ensemble learning framework that integrates transformer-based models (RoBERTa) and large language models (LLMs) (GPT-OSS 120B, LLaMA3.3 70B, and Qwen3 32B) to enhance smishing detection performance significantly. To mitigate class imbalance, we apply synthetic data augmentation using T5 and leverage various text preprocessing techniques. Our system employs a dual-layer voting mechanism: weighted majority voting among LLMs and a final ensemble vote to classify messages as ham, spam, or smishing. Experimental results show an average accuracy improvement from 96% to 98.5% compared to the best standalone transformer, and from 93% to 98.5% when compared to LLMs across datasets. Furthermore, we present a real-time, user-friendly application to operationalize our detection model for practical use. PhishNet demonstrates superior scalability, usability, and detection accuracy, filling critical gaps in current smishing detection methodologies.
As the density of wireless networks increases globally, the vulnerability of overlapped dense wireless communications to interference by hidden nodes and denial-of-service (DoS) attacks is becoming more apparent. There exists a gap in research on the detection and response to attacks on Medium Access Control (MAC) mechanisms themselves, which would lead to service outages between nodes. Classifying exploitation and deceptive jamming attacks on control mechanisms is particularly challenging due to their resemblance to normal heavy communication patterns. Accordingly, this paper proposes a machine learning-based selective attack mitigation model that detects DoS attacks on wireless networks by monitoring packet log data. Based on the type of detected attack, it implements effective corresponding mitigation techniques to restore performance to nodes whose availability has been compromised. Experimental results reveal that the accuracy of the proposed model is 14% higher than that of a baseline anomaly detection model. Further, the appropriate mitigation techniques selected by the proposed system based on the attack type improve the average throughput by more than 440% compared to the case without a response.
The rapid progression of the Internet of Things (IoT) technology enables its application across various sectors. However, IoT devices typically acquire inadequate computing power and user interfaces, making them susceptible to security threats. One significant risk to cloud networks is Distributed Denial-of-Service (DoS) attacks, where attackers aim to overcome a target system with excessive data and requests. Among these, low-rate DoS (LR-DoS) attacks present a particular challenge to detection. By sending bursts of attacks at irregular intervals, LR-DoS significantly degrades the targeted system’s Quality of Service (QoS). The low-rate nature of these attacks confuses their detection, as they frequently trigger congestion control mechanisms, leading to significant instability in IoT systems. Therefore, to detect the LR-DoS attack, an innovative deep-learning model has been developed for this research work. The standard dataset is utilized to collect the required data. Further, the deep feature extraction process is executed using the Residual Autoencoder with Sparse Attention (ResAE-SA), which helps derive the significant feature required for detection. Ultimately, the Adaptive Dense Recurrent Neural Network (ADRNN) is implemented to detect LR-DoS effectively. To enhance the detection process, the parameters present in the ADRNN are optimized using the Renovated Random Attribute-based Fennec Fox Optimization (RRA-FFA). The proposed optimization reduces the False Discovery Rate and False Positive Rate, maximizing the Matthews Correlation Coefficient from 23, 70.8, 76.2, 84.28 in Dataset 1 and 70.28, 73.8, 74.1, 82.6 in Dataset 2 on EPC-ADRNN, DPO-ADRNN, GTO-ADRNN, FFA-ADRNN respectively to 95.8 on Dataset 1 and 91.7 on Dataset 2 in proposed model. At batch size 4, the accuracy of the designed RRA-FFA-ADRNN model progressed by 9.2% to GTO-ADRNN, 11.6% to EFC-ADRNN, 10.9% to DPO-ADRNN, and 4% to FFA-ADRNN for Dataset 1. The accuracy of the proposed RRA-FFA-ADRNN is boosted by 12.9%, 9.09%, 11.6%, and 10.9% over FFCNN, SVM, RNN, and DRNN, using Dataset 2, showing a better improvement in accuracy with that of the proposed RRA-FFA-ADRNN model with 95.7% using Dataset 1 and 94.1% with Dataset 2, which is better than the existing baseline models.
The Internet of Things (IoT) is a growing technology that allows the sharing of data with other devices across wireless networks. Specifically, IoT systems are vulnerable to cyberattacks due to its openness. The proposed work intends to implement a new security framework for detecting the most specific and harmful intrusions in IoT networks. In this framework, a Covariance Linear Learning Embedding Selection (CL2ES) methodology is used at first to extract the features highly associated with the IoT intrusions. Then, the Kernel Distributed Bayes Classifier (KDBC) is created to forecast attacks based on the probability distribution value precisely. In addition, a unique Mongolian Gazellas Optimization (MGO) algorithm is used to optimize the weight value for the learning of the classifier. The effectiveness of the proposed CL2ES-KDBC framework has been assessed using several IoT cyber-attack datasets. The obtained results are then compared with current classification methods regarding accuracy (97%), precision (96.5%), and other factors. Computational analysis of the CL2ES-KDBC system on IoT intrusion datasets is performed, which provides valuable insight into its performance, efficiency, and suitability for securing IoT networks.
Since its inception, the Internet has been rapidly evolving. With the advancement of science and technology and the explosive growth of the population, the demand for the Internet has been on the rise. Many applications in education, healthcare, entertainment, science, and more are being increasingly deployed based on the internet. Concurrently, malicious threats on the internet are on the rise as well. Distributed Denial of Service (DDoS) attacks are among the most common and dangerous threats on the internet today. The scale and complexity of DDoS attacks are constantly growing. Intrusion Detection Systems (IDS) have been deployed and have demonstrated their effectiveness in defense against those threats. In addition, the research of Machine Learning (ML) and Deep Learning (DL) in IDS has gained effective results and significant attention. However, one of the challenges when applying ML and DL techniques in intrusion detection is the identification of unknown attacks. These attacks, which are not encountered during the system’s training, can lead to misclassification with significant errors. In this research, we focused on addressing the issue of Unknown Attack Detection, combining two methods: Spatial Location Constraint Prototype Loss (SLCPL) and Fuzzy C-Means (FCM). With the proposed method, we achieved promising results compared to traditional methods. The proposed method demonstrates a very high accuracy of up to 99.8% with a low false positive rate for known attacks on the Intrusion Detection Evaluation Dataset (CICIDS2017) dataset. Particularly, the accuracy is also very high, reaching 99.7%, and the precision goes up to 99.9% for unknown DDoS attacks on the DDoS Evaluation Dataset (CICDDoS2019) dataset. The success of the proposed method is due to the combination of SLCPL, an advanced Open-Set Recognition (OSR) technique, and FCM, a traditional yet highly applicable clustering technique. This has yielded a novel method in the field of unknown attack detection. This further expands the trend of applying DL and ML techniques in the development of intrusion detection systems and cybersecurity. Finally, implementing the proposed method in real-world systems can enhance the security capabilities against increasingly complex threats on computer networks.
Internet of Things (IoT) networks present unique cybersecurity challenges due to their distributed and heterogeneous nature. Our study explores the effectiveness of two types of deep learning models, long-term memory neural networks (LSTMs) and deep neural networks (DNNs), for detecting attacks in IoT networks. We evaluated the performance of six hybrid models combining LSTM or DNN feature extractors with classifiers such as Random Forest, k-Nearest Neighbors and XGBoost. The LSTM-RF and LSTM-XGBoost models showed lower accuracy variability in the face of different types of attack, indicating greater robustness. The LSTM-RF and LSTM-XGBoost models show variability in results, with accuracies between 58% and 99% for attack types, while LSTM-KNN has higher but more variable accuracies, between 72% and 99%. The DNN-RF and DNN-XGBoost models show lower variability in their results, with accuracies between 59% and 99%, while DNN-KNN has higher but more variable accuracies, between 71% and 99%. LSTM-based models are proving to be more effective for detecting attacks in IoT networks, particularly for sophisticated attacks. However, the final choice of model depends on the constraints of the application, taking into account a trade-off between accuracy and complexity.
Aiming at the industry cyber-physical system (ICPS) where Denial-of-Service (DoS) attacks and actuator failure coexist, the integrated security control problem of ICPS under multi-objective constraints was studied. First, from the perspective of the defender, according to the differential impact of the system under DoS attacks of different energies, the DoS attacks energy grading detection standard was formulated, and the ICPS comprehensive security control framework was constructed. Secondly, a security transmission strategy based on event triggering was designed. Under the DoS attack energy classification detection mechanism, for large-energy attacks, the method based on time series analysis was considered to predict and compensate for lost data. Therefore, on the basis of passive and elastic response to small energy attacks, the active defense capability against DoS attacks was increased. Then by introducing the cone-complement linearization algorithm, the calculation methods of the state and fault estimation observer and the integrated safety controller were deduced, the goal of DoS attack active and passive hybrid intrusion tolerance and actuator failure active fault tolerance were realized. Finally, a simulation example of a four-capacity water tank system was given to verify the validity of the obtained conclusions.
With the increasing emphasis on personal information protection, encryption through security protocols has emerged as a critical requirement in data transmission and reception processes. Nevertheless, IoT ecosystems comprise heterogeneous networks where outdated systems coexist with the latest devices, spanning a range of devices from non-encrypted ones to fully encrypted ones. Given the limited visibility into payloads in this context, this study investigates AI-based attack detection methods that leverage encrypted traffic metadata, eliminating the need for decryption and minimizing system performance degradation—especially in light of these heterogeneous devices. Using the UNSW-NB15 and CICIoT-2023 dataset, encrypted and unencrypted traffic were categorized according to security protocol, and AI-based intrusion detection experiments were conducted for each traffic type based on metadata. To mitigate the problem of class imbalance, eight different data sampling techniques were applied. The effectiveness of these sampling techniques was then comparatively analyzed using two ensemble models and three Deep Learning (DL) models from various perspectives. The experimental results confirmed that metadata-based attack detection is feasible using only encrypted traffic. In the UNSW-NB15 dataset, the f1-score of encrypted traffic was approximately 0.98, which is 4.3% higher than that of unencrypted traffic (approximately 0.94). In addition, analysis of the encrypted traffic in the CICIoT-2023 dataset using the same method showed a significantly lower f1-score of roughly 0.43, indicating that the quality of the dataset and the preprocessing approach have a substantial impact on detection performance. Furthermore, when data sampling techniques were applied to encrypted traffic, the recall in the UNSW-NB15 (Encrypted) dataset improved by up to 23.0%, and in the CICIoT-2023 (Encrypted) dataset by 20.26%, showing a similar level of improvement. Notably, in CICIoT-2023, f1-score and Receiver Operation Characteristic-Area Under the Curve (ROC-AUC) increased by 59.0% and 55.94%, respectively. These results suggest that data sampling can have a positive effect even in encrypted environments. However, the extent of the improvement may vary depending on data quality, model architecture, and sampling strategy.
The Smart Grid is an enhancement of the traditional grid system and employs new technologies and sophisticated communication techniques for electrical power transmission and distribution. The Smart Grid’s communication network shares information about status of its several integrated IEDs (Intelligent Electronic Devices). However, the IEDs connected throughout the Smart Grid, open opportunities for attackers to interfere with the communications and utilities resources or take clients’ private data. This development has introduced new cyber-security challenges for the Smart Grid and is a very concerning issue because of emerging cyber-threats and security incidents that have occurred recently all over the world. The purpose of this research is to detect and mitigate Distributed Denial of Service [DDoS] with application to the Electrical Smart Grid System by deploying an optimized Stealthwatch Secure Network analytics tool. In this paper, the DDoS attack in the Smart Grid communication networks was modeled using Stealthwatch tool. The simulated network consisted of Secure Network Analytic tools virtual machines (VMs), electrical Grid network communication topology, attackers and Target VMs. Finally, the experiments and simulations were performed, and the research results showed that Stealthwatch analytic tool is very effective in detecting and mitigating DDoS attacks in the Smart Grid System without causing any blackout or shutdown of any internal systems as compared to other tools such as GNS3, NeSSi2, NISST Framework, OMNeT++, INET Framework, ReaSE, NS2, NS3, M5 Simulator, OPNET, PLC & TIA Portal management Software which do not have the capability to do so. Also, using Stealthwatch tool to create a security baseline for Smart Grid environment, contributes to risk mitigation and sound security hygiene.
With rapid development of blockchain technology, blockchain and its security theory research and practical application have become crucial. At present, a new DDoS attack has arisen, and it is the DDoS attack in blockchain network. The attack is harmful for blockchain technology and many application scenarios. However, the traditional and existing DDoS attack detection and defense means mainly come from the centralized tactics and solution. Aiming at the above problem, the paper proposes the virtual reality parallel anti-DDoS chain design philosophy and distributed anti-D Chain detection framework based on hybrid ensemble learning. Here, AdaBoost and Random Forest are used as our ensemble learning strategy, and some different lightweight classifiers are integrated into the same ensemble learning algorithm, such as CART and ID3. Our detection framework in blockchain scene has much stronger generalization performance, universality and complementarity to identify accurately the onslaught features for DDoS attack in P2P network. Extensive experimental results confirm that our distributed heterogeneous anti-D chain detection method has better performance in six important indicators (such as Precision, Recall, F-Score, True Positive Rate, False Positive Rate, and ROC curve).
Attacks such as APT usually hide communication data in massive legitimate network traffic, and mining structurally complex and latent relationships among flow-based network traffic to detect attacks has become the focus of many initiatives. Effectively analyzing massive network security data with high dimensions for suspicious flow diagnosis is a huge challenge. In addition, the uneven distribution of network traffic does not fully reflect the differences of class sample features, resulting in the low accuracy of attack detection. To solve these problems, a novel approach called the fuzzy entropy weighted natural nearest neighbor (FEW-NNN) method is proposed to enhance the accuracy and efficiency of flow-based network traffic attack detection. First, the FEW-NNN method uses the Fisher score and deep graph feature learning algorithm to remove unimportant features and reduce the data dimension. Then, according to the proposed natural nearest neighbor searching algorithm (NNN_Searching), the density of data points, each class center and the smallest enclosing sphere radius are determined correspondingly. Finally, a fuzzy entropy weighted KNN classification method based on affinity is proposed, which mainly includes the following three steps: (1) the feature weights of samples are calculated based on fuzzy entropy values, (2) the fuzzy memberships of samples are determined based on affinity among samples, and (3) K-neighbors are selected according to the class-conditional weighted Euclidean distance, the fuzzy membership value of the testing sample is calculated based on the membership of k-neighbors, and then all testing samples are classified according to the fuzzy membership value of the samples belonging to each class; that is, the attack type is determined. The method has been applied to the problem of attack detection and validated based on the famous KDD99 and CICIDS-2017 datasets. From the experimental results shown in this paper, it is observed that the FEW-NNN method improves the accuracy and efficiency of flow-based network traffic attack detection.
As wireless sensor networks (WSN) are deployed in fire monitoring, object tracking applications, security emerges as a central requirement. A case that Sybil node illegitimately reports messages to the master node with multiple non-existent identities (ID) will cause harmful effects on decision-making or resource allocation in these applications. In this paper, we present an efficient and lightweight solution for Sybil attack detection based on the time difference of arrival (TDOA) between the source node and beacon nodes. This solution can detect the existence of Sybil attacks, and locate the Sybil nodes. We demonstrate efficiency of the solution through experiments. The experiments show that this solution can detect all Sybil attack cases without missing.
Recently, the Erebus attack has proved to be a security threat to the blockchain network layer, and the existing research has faced challenges in detecting the Erebus attack on the blockchain network layer. The cloud-based active defense and one-sidedness detection strategies are the hindrances in detecting Erebus attacks. This study designs a detection approach by establishing a ReliefF_WMRmR-based two-stage feature selection algorithm and a deep learning-based multimodal classification detection model for Erebus attacks and responding to security threats to the blockchain network layer. The goal is to improve the performance of Erebus attack detection methods, by combining the traffic behavior with the routing status based on multimodal deep feature learning. The traffic behavior and routing status were first defined and used to describe the attack characteristics at diverse stages of s leak monitoring, hidden traffic overlay, and transaction identity forgery. The goal is to clarify how an Erebus attack affects the routing transfer and traffic state on the blockchain network layer. Consequently, detecting objects is expected to become more relevant and sensitive. A two-stage feature selection algorithm was designed based on ReliefF and weighted maximum relevance minimum redundancy (ReliefF_WMRmR) to alleviate the overfitting of the training model caused by redundant information and noise in multiple source features of the routing status and traffic behavior. The ReliefF algorithm was introduced to select strong correlations and highly informative features of the labeled data. According to WMRmR, a feature selection framework was defined to eliminate weakly correlated features, eliminate redundant information, and reduce the detection overhead of the model. A multimodal deep learning model was constructed based on the multilayer perceptron (MLP) to settle the high false alarm rates incurred by multisource data. Using this model, isolated inputs and deep learning were conducted on the selected routing status and traffic behavior. Redundant intermodal information was removed because of the complementarity of the multimodal network, which was followed by feature fusion and output feature representation to boost classification detection precision. The experimental results demonstrate that the proposed method can detect features, such as traffic data, at key link nodes and route messages in a real blockchain network environment. Additionally, the model can detect Erebus attacks effectively. This study provides novelty to the existing Erebus attack detection by increasing the accuracy detection by 1.05%, the recall rate by 2.01%, and the F1-score by 2.43%.
Fog computing paradigm extends computing, communication, storage, and network resources to the network’s edge. As the fog layer is located between cloud and end-users, it can provide more convenience and timely services to end-users. However, in fog computing (FC), attackers can behave as real fog nodes or end-users to provide malicious services in the network. The attacker acts as an impersonator to impersonate other legitimate users. Therefore, in this work, we present a detection technique to secure the FC environment. First, we model a physical layer key generation based on wireless channel characteristics. To generate the secret keys between the legitimate users and avoid impersonators, we then consider a Double Sarsa technique to identify the impersonators at the receiver end. We compare our proposed Double Sarsa technique with the other two methods to validate our work, i.e., Sarsa and Q-learning. The simulation results demonstrate that the method based on Double Sarsa outperforms Sarsa and Q-learning approaches in terms of false alarm rate (FAR), miss detection rate (MDR), and average error rate (AER).
Funding: supported by NSTC 113-2221-E-155-055 and NSTC 113-2222-E-155-007, Taiwan.
Abstract: The rapid advancement of the Internet of Things (IoT) has heightened the importance of security, with a notable increase in Distributed Denial-of-Service (DDoS) attacks targeting IoT devices. Network security specialists face the challenge of producing systems to identify and offset these attacks. This research manages IoT security through the emerging Software-Defined Networking (SDN) standard by developing a unified framework (RNN-RYU). We thoroughly assess multiple deep learning frameworks, including Convolutional Neural Network (CNN), Long Short-Term Memory (LSTM), Feed-Forward Convolutional Neural Network (FFCNN), and Recurrent Neural Network (RNN), and present the novel usage of Synthetic Minority Over-Sampling Technique (SMOTE) tailored for IoT-SDN contexts to manage class imbalance during training and enhance performance metrics. Our research has significant practical implications as we authenticate the approaches using both the self-generated SD_IoT_Smart_City dataset and the publicly available CICIoT23 dataset. The system utilizes only eleven features to identify DDoS attacks efficiently. Results indicate that the RNN can reliably and precisely differentiate between DDoS traffic and benign traffic by easily identifying temporal relationships and sequences in the data.
Funding: supported by the National Natural Science Foundation of China (No. 62562012, No. 62172308, and No. 61972297); the Guizhou Provincial Basic Research Program (Natural Science) under Grant QKHJC-MS[2025]686; the Major Scientific and Technological Special Project of Guizhou Province under Grant [2024]014; the Guizhou Provincial Key Technology R&D Program under Grant PA[2025]004; the Research Project for Recruited Talents at Guizhou University under Grant GDRJH[2024]15; the Student Innovation Funding Project of the School of Cyber Security (i.e., security knowledge graph of Qianxin project).
Abstract: Advanced persistent threat (APT) can use malware, vulnerabilities, and obfuscation countermeasures to launch cyber attacks against specific targets, spy and steal core information, and penetrate and damage critical infrastructure and target systems. Also, the APT attack has caused a catastrophic impact on global network security. Traditional APT attack detection is achieved by constructing rules or manual reverse analysis using expert experience, with poor intelligence and robustness. However, current research lacks a comprehensive effort to sort out the intelligent methods of APT attack detection. To this end, we summarize and review the research on intelligent detection methods for APT attacks. Firstly, we propose two APT attack intelligent detection frameworks for endpoint samples and malware, and for malware-generated audit logs. Secondly, this paper divides APT attack detection into four critical tasks: malicious attack detection, malicious family detection, malicious behavior identification, and malicious code location. In addition, we further analyze and summarize the strategies and characteristics of existing intelligent methods for each task. Finally, we look forward to the forefront of research and potential directions of APT attack detection, which can promote the development of intelligent defense against APT attacks.
Abstract: The sinkhole attack is one of the most damaging threats in the Internet of Things (IoT). It deceptively attracts neighboring nodes and initiates malicious activity, often disrupting the network when combined with other attacks. This study proposes a novel approach, named NADSA, to detect and isolate sinkhole attacks. NADSA is based on the RPL protocol and consists of two detection phases. In the first phase, the minimum possible hop count between the sender and receiver is calculated and compared with the sender’s reported hop count. The second phase utilizes the number of DIO messages to identify suspicious nodes and then applies a fuzzification process using RSSI, ETX, and distance measurements to confirm the presence of a malicious node. The proposed method is extensively simulated in highly lossy and sparse network environments with varying numbers of nodes. The results demonstrate that NADSA achieves high efficiency, with PDRs of 68%, 70%, and 73%; E2EDs of 81, 72, and 60 ms; TPRs of 89%, 83%, and 80%; and FPRs of 24%, 28%, and 33%. NADSA outperforms existing methods in challenging network conditions, where traditional approaches typically degrade in effectiveness.
Funding: supported by Korea National University of Transportation Industry-Academy Cooperation Foundation in 2024.
Abstract: As cyber threats become increasingly sophisticated, Distributed Denial-of-Service (DDoS) attacks continue to pose a serious threat to network infrastructure, often disrupting critical services through overwhelming traffic. Although unsupervised anomaly detection using convolutional autoencoders (CAEs) has gained attention for its ability to model normal network behavior without requiring labeled data, conventional CAEs struggle to effectively distinguish between normal and attack traffic due to over-generalized reconstructions and naive anomaly scoring. To address these limitations, we propose CA-CAE, a novel anomaly detection framework designed to improve DDoS detection through asymmetric joint reconstruction learning and refined anomaly scoring. Our architecture connects two CAEs sequentially with asymmetric filter allocation, which amplifies reconstruction errors for anomalous data while preserving low errors for normal traffic. Additionally, we introduce a scoring mechanism that incorporates exponential decay weighting to emphasize recent anomalies and relative traffic volume adjustment to highlight high-risk instances, enabling more accurate and timely detection. We evaluate CA-CAE on a real-world network traffic dataset collected using Cisco NetFlow, containing over 190,000 normal instances and only 78 anomalous instances—an extremely imbalanced scenario (0.0004% anomalies). We validate the proposed framework through extensive experiments, including statistical tests and comparisons with baseline models. Despite this challenge, our method achieves significant improvement, increasing the F1-score from 0.515 obtained by the baseline CAE to 0.934, and outperforming other models. These results demonstrate the effectiveness, scalability, and practicality of CA-CAE for unsupervised DDoS detection in realistic network environments. By combining lightweight model architecture with a domain-aware scoring strategy, our framework provides a robust solution for early detection of DDoS attacks without relying on labeled attack data.
Funding: supported in part by the National Natural Science Foundation of China (61933007, 62273087, 62273088, U21A2019); the Shanghai Pujiang Program of China (22PJ1400400); the Hainan Province Science and Technology Special Fund of China (ZDYF2022SHFZ105); the Royal Society of U.K.; the Alexander von Humboldt Foundation of Germany.
Abstract: In this paper, the attack detection problem is investigated for a class of closed-loop systems subjected to unknown-but-bounded noises in the presence of stealthy attacks. The measurement outputs from the sensors are quantized before transmission. A specific type of perfect stealthy attack, which meets certain rather stringent conditions, is taken into account. Such attacks could be injected by adversaries into both the sensor-to-estimator and controller-to-actuator channels, with the aim of disrupting the normal data flow. For the purpose of defending against these perfect stealthy attacks, a novel scheme based on watermarks is developed. This scheme includes the injection of watermarks (applied to data prior to quantization) and the recovery of data (implemented before the data reaches the estimator). The watermark-based scheme is designed to be both time-varying and hidden from adversaries through incorporating a time-varying and bounded watermark signal. Subsequently, a watermark-based attack detection strategy is proposed which thoroughly considers the characteristics of perfect stealthy attacks, thereby ensuring that an alarm is activated upon the occurrence of such attacks. An example is provided to demonstrate the efficacy of the proposed mechanism for detecting attacks.
Funding: supported in part by the National Natural Science Foundation of China under Grants 61972267 and 61772070; in part by the Natural Science Foundation of Hebei Province under Grant F2024210005.
Abstract: Face Presentation Attack Detection (fPAD) plays a vital role in securing face recognition systems against various presentation attacks. While supervised learning-based methods demonstrate effectiveness, they are prone to overfitting to known attack types and struggle to generalize to novel attack scenarios. Recent studies have explored formulating fPAD as an anomaly detection problem or one-class classification task, enabling the training of generalized models for unknown attack detection. However, conventional anomaly detection approaches encounter difficulties in precisely delineating the boundary between bonafide samples and unknown attacks. To address this challenge, we propose a novel framework focusing on unknown attack detection using exclusively bonafide facial data during training. The core innovation lies in our pseudo-negative sample synthesis (PNSS) strategy, which facilitates learning of compact decision boundaries between bonafide faces and potential attack variations. Specifically, PNSS generates synthetic negative samples within low-likelihood regions of the bonafide feature space to represent diverse unknown attack patterns. To overcome the inherent imbalance between positive and synthetic negative samples during iterative training, we implement a dual-loss mechanism combining focal loss for classification optimization with pairwise confusion loss as a regularizer. This architecture effectively mitigates model bias towards bonafide samples while maintaining discriminative power. Comprehensive evaluations across three benchmark datasets validate the framework’s superior performance. Notably, our PNSS achieves 8%–18% average classification error rate (ACER) reduction compared with state-of-the-art one-class fPAD methods in cross-dataset evaluations on Idiap Replay-Attack and MSU-MFSD datasets.
Funding: funded by the Deanship of Scientific Research (DSR) at King Abdulaziz University, Jeddah, under Grant No. (GPIP: 1074-612-2024).
Abstract: The surge in smishing attacks underscores the urgent need for robust, real-time detection systems powered by advanced deep learning models. This paper introduces PhishNet, a novel ensemble learning framework that integrates transformer-based models (RoBERTa) and large language models (LLMs) (GPT-OSS 120B, LLaMA 3.3 70B, and Qwen3 32B) to enhance smishing detection performance significantly. To mitigate class imbalance, we apply synthetic data augmentation using T5 and leverage various text preprocessing techniques. Our system employs a dual-layer voting mechanism: weighted majority voting among LLMs and a final ensemble vote to classify messages as ham, spam, or smishing. Experimental results show an average accuracy improvement from 96% to 98.5% compared to the best standalone transformer, and from 93% to 98.5% when compared to LLMs across datasets. Furthermore, we present a real-time, user-friendly application to operationalize our detection model for practical use. PhishNet demonstrates superior scalability, usability, and detection accuracy, filling critical gaps in current smishing detection methodologies.
Funding: supported by the Ministry of Trade, Industry and Energy (MOTIE) under Training Industrial Security Specialist for High-Tech Industry (RS-2024-00415520) supervised by the Korea Institute for Advancement of Technology (KIAT), and the Ministry of Science and ICT (MSIT) under the ICT Challenge and Advanced Network of HRD (ICAN) Program (No. IITP-2022-RS-2022-00156310) supervised by the Institute of Information & Communication Technology Planning & Evaluation (IITP).
Abstract: As the density of wireless networks increases globally, the vulnerability of overlapped dense wireless communications to interference by hidden nodes and denial-of-service (DoS) attacks is becoming more apparent. There exists a gap in research on the detection and response to attacks on Medium Access Control (MAC) mechanisms themselves, which would lead to service outages between nodes. Classifying exploitation and deceptive jamming attacks on control mechanisms is particularly challenging due to their resemblance to normal heavy communication patterns. Accordingly, this paper proposes a machine learning-based selective attack mitigation model that detects DoS attacks on wireless networks by monitoring packet log data. Based on the type of detected attack, it implements effective corresponding mitigation techniques to restore performance to nodes whose availability has been compromised. Experimental results reveal that the accuracy of the proposed model is 14% higher than that of a baseline anomaly detection model. Further, the appropriate mitigation techniques selected by the proposed system based on the attack type improve the average throughput by more than 440% compared to the case without a response.
Funding: funded by the Ministry of Higher Education Malaysia, Fundamental Research Grant Scheme (FRGS), FRGS/1/2024/ICT07/UPNM/02/1.
Abstract: The rapid progression of the Internet of Things (IoT) technology enables its application across various sectors. However, IoT devices typically acquire inadequate computing power and user interfaces, making them susceptible to security threats. One significant risk to cloud networks is Distributed Denial-of-Service (DoS) attacks, where attackers aim to overcome a target system with excessive data and requests. Among these, low-rate DoS (LR-DoS) attacks present a particular challenge to detection. By sending bursts of attacks at irregular intervals, LR-DoS significantly degrades the targeted system’s Quality of Service (QoS). The low-rate nature of these attacks confuses their detection, as they frequently trigger congestion control mechanisms, leading to significant instability in IoT systems. Therefore, to detect the LR-DoS attack, an innovative deep-learning model has been developed for this research work. The standard dataset is utilized to collect the required data. Further, the deep feature extraction process is executed using the Residual Autoencoder with Sparse Attention (ResAE-SA), which helps derive the significant feature required for detection. Ultimately, the Adaptive Dense Recurrent Neural Network (ADRNN) is implemented to detect LR-DoS effectively. To enhance the detection process, the parameters present in the ADRNN are optimized using the Renovated Random Attribute-based Fennec Fox Optimization (RRA-FFA). The proposed optimization reduces the False Discovery Rate and False Positive Rate, maximizing the Matthews Correlation Coefficient from 23, 70.8, 76.2, 84.28 in Dataset 1 and 70.28, 73.8, 74.1, 82.6 in Dataset 2 on EPC-ADRNN, DPO-ADRNN, GTO-ADRNN, FFA-ADRNN respectively to 95.8 on Dataset 1 and 91.7 on Dataset 2 in proposed model. At batch size 4, the accuracy of the designed RRA-FFA-ADRNN model progressed by 9.2% to GTO-ADRNN, 11.6% to EFC-ADRNN, 10.9% to DPO-ADRNN, and 4% to FFA-ADRNN for Dataset 1. The accuracy of the proposed RRA-FFA-ADRNN is boosted by 12.9%, 9.09%, 11.6%, and 10.9% over FFCNN, SVM, RNN, and DRNN, using Dataset 2, showing a better improvement in accuracy with that of the proposed RRA-FFA-ADRNN model with 95.7% using Dataset 1 and 94.1% with Dataset 2, which is better than the existing baseline models.
Abstract: The Internet of Things (IoT) is a growing technology that allows the sharing of data with other devices across wireless networks. Specifically, IoT systems are vulnerable to cyberattacks due to its openness. The proposed work intends to implement a new security framework for detecting the most specific and harmful intrusions in IoT networks. In this framework, a Covariance Linear Learning Embedding Selection (CL2ES) methodology is used at first to extract the features highly associated with the IoT intrusions. Then, the Kernel Distributed Bayes Classifier (KDBC) is created to forecast attacks based on the probability distribution value precisely. In addition, a unique Mongolian Gazellas Optimization (MGO) algorithm is used to optimize the weight value for the learning of the classifier. The effectiveness of the proposed CL2ES-KDBC framework has been assessed using several IoT cyber-attack datasets. The obtained results are then compared with current classification methods regarding accuracy (97%), precision (96.5%), and other factors. Computational analysis of the CL2ES-KDBC system on IoT intrusion datasets is performed, which provides valuable insight into its performance, efficiency, and suitability for securing IoT networks.
Funding: This research was partly supported by the National Science and Technology Council, Taiwan with Grant Numbers 112-2221-E-992-045, 112-2221-E-992-057-MY3 and 112-2622-8-992-009-TD1.
Abstract: Since its inception, the Internet has been rapidly evolving. With the advancement of science and technology and the explosive growth of the population, the demand for the Internet has been on the rise. Many applications in education, healthcare, entertainment, science, and more are being increasingly deployed based on the internet. Concurrently, malicious threats on the internet are on the rise as well. Distributed Denial of Service (DDoS) attacks are among the most common and dangerous threats on the internet today. The scale and complexity of DDoS attacks are constantly growing. Intrusion Detection Systems (IDS) have been deployed and have demonstrated their effectiveness in defense against those threats. In addition, the research of Machine Learning (ML) and Deep Learning (DL) in IDS has gained effective results and significant attention. However, one of the challenges when applying ML and DL techniques in intrusion detection is the identification of unknown attacks. These attacks, which are not encountered during the system’s training, can lead to misclassification with significant errors. In this research, we focused on addressing the issue of Unknown Attack Detection, combining two methods: Spatial Location Constraint Prototype Loss (SLCPL) and Fuzzy C-Means (FCM). With the proposed method, we achieved promising results compared to traditional methods. The proposed method demonstrates a very high accuracy of up to 99.8% with a low false positive rate for known attacks on the Intrusion Detection Evaluation Dataset (CICIDS2017) dataset. Particularly, the accuracy is also very high, reaching 99.7%, and the precision goes up to 99.9% for unknown DDoS attacks on the DDoS Evaluation Dataset (CICDDoS2019) dataset. The success of the proposed method is due to the combination of SLCPL, an advanced Open-Set Recognition (OSR) technique, and FCM, a traditional yet highly applicable clustering technique. This has yielded a novel method in the field of unknown attack detection. This further expands the trend of applying DL and ML techniques in the development of intrusion detection systems and cybersecurity. Finally, implementing the proposed method in real-world systems can enhance the security capabilities against increasingly complex threats on computer networks.
Abstract: Internet of Things (IoT) networks present unique cybersecurity challenges due to their distributed and heterogeneous nature. Our study explores the effectiveness of two types of deep learning models, long-term memory neural networks (LSTMs) and deep neural networks (DNNs), for detecting attacks in IoT networks. We evaluated the performance of six hybrid models combining LSTM or DNN feature extractors with classifiers such as Random Forest, k-Nearest Neighbors and XGBoost. The LSTM-RF and LSTM-XGBoost models showed lower accuracy variability in the face of different types of attack, indicating greater robustness. The LSTM-RF and LSTM-XGBoost models show variability in results, with accuracies between 58% and 99% for attack types, while LSTM-KNN has higher but more variable accuracies, between 72% and 99%. The DNN-RF and DNN-XGBoost models show lower variability in their results, with accuracies between 59% and 99%, while DNN-KNN has higher but more variable accuracies, between 71% and 99%. LSTM-based models are proving to be more effective for detecting attacks in IoT networks, particularly for sophisticated attacks. However, the final choice of model depends on the constraints of the application, taking into account a trade-off between accuracy and complexity.
Funding: supported by Gansu Higher Education Innovation Fund Project (No. 2023B-439).
Abstract: Aiming at the industry cyber-physical system (ICPS) where Denial-of-Service (DoS) attacks and actuator failure coexist, the integrated security control problem of ICPS under multi-objective constraints was studied. First, from the perspective of the defender, according to the differential impact of the system under DoS attacks of different energies, the DoS attacks energy grading detection standard was formulated, and the ICPS comprehensive security control framework was constructed. Secondly, a security transmission strategy based on event triggering was designed. Under the DoS attack energy classification detection mechanism, for large-energy attacks, the method based on time series analysis was considered to predict and compensate for lost data. Therefore, on the basis of passive and elastic response to small energy attacks, the active defense capability against DoS attacks was increased. Then by introducing the cone-complement linearization algorithm, the calculation methods of the state and fault estimation observer and the integrated safety controller were deduced, the goal of DoS attack active and passive hybrid intrusion tolerance and actuator failure active fault tolerance were realized. Finally, a simulation example of a four-capacity water tank system was given to verify the validity of the obtained conclusions.
Funding: supported by the Institute of Information & Communications Technology Planning & Evaluation (IITP) grant funded by the Korea government (MSIT) (No. RS-2023-00235509, Development of security monitoring technology based network behavior against encrypted cyber threats in ICT convergence environment).
Abstract: With the increasing emphasis on personal information protection, encryption through security protocols has emerged as a critical requirement in data transmission and reception processes. Nevertheless, IoT ecosystems comprise heterogeneous networks where outdated systems coexist with the latest devices, spanning a range of devices from non-encrypted ones to fully encrypted ones. Given the limited visibility into payloads in this context, this study investigates AI-based attack detection methods that leverage encrypted traffic metadata, eliminating the need for decryption and minimizing system performance degradation—especially in light of these heterogeneous devices. Using the UNSW-NB15 and CICIoT-2023 dataset, encrypted and unencrypted traffic were categorized according to security protocol, and AI-based intrusion detection experiments were conducted for each traffic type based on metadata. To mitigate the problem of class imbalance, eight different data sampling techniques were applied. The effectiveness of these sampling techniques was then comparatively analyzed using two ensemble models and three Deep Learning (DL) models from various perspectives. The experimental results confirmed that metadata-based attack detection is feasible using only encrypted traffic. In the UNSW-NB15 dataset, the f1-score of encrypted traffic was approximately 0.98, which is 4.3% higher than that of unencrypted traffic (approximately 0.94). In addition, analysis of the encrypted traffic in the CICIoT-2023 dataset using the same method showed a significantly lower f1-score of roughly 0.43, indicating that the quality of the dataset and the preprocessing approach have a substantial impact on detection performance. Furthermore, when data sampling techniques were applied to encrypted traffic, the recall in the UNSW-NB15 (Encrypted) dataset improved by up to 23.0%, and in the CICIoT-2023 (Encrypted) dataset by 20.26%, showing a similar level of improvement. Notably, in CICIoT-2023, f1-score and Receiver Operation Characteristic-Area Under the Curve (ROC-AUC) increased by 59.0% and 55.94%, respectively. These results suggest that data sampling can have a positive effect even in encrypted environments. However, the extent of the improvement may vary depending on data quality, model architecture, and sampling strategy.
Abstract: The Smart Grid is an enhancement of the traditional grid system and employs new technologies and sophisticated communication techniques for electrical power transmission and distribution. The Smart Grid’s communication network shares information about status of its several integrated IEDs (Intelligent Electronic Devices). However, the IEDs connected throughout the Smart Grid, open opportunities for attackers to interfere with the communications and utilities resources or take clients’ private data. This development has introduced new cyber-security challenges for the Smart Grid and is a very concerning issue because of emerging cyber-threats and security incidents that have occurred recently all over the world. The purpose of this research is to detect and mitigate Distributed Denial of Service [DDoS] with application to the Electrical Smart Grid System by deploying an optimized Stealthwatch Secure Network analytics tool. In this paper, the DDoS attack in the Smart Grid communication networks was modeled using Stealthwatch tool. The simulated network consisted of Secure Network Analytic tools virtual machines (VMs), electrical Grid network communication topology, attackers and Target VMs. Finally, the experiments and simulations were performed, and the research results showed that Stealthwatch analytic tool is very effective in detecting and mitigating DDoS attacks in the Smart Grid System without causing any blackout or shutdown of any internal systems as compared to other tools such as GNS3, NeSSi2, NISST Framework, OMNeT++, INET Framework, ReaSE, NS2, NS3, M5 Simulator, OPNET, PLC & TIA Portal management Software which do not have the capability to do so. Also, using Stealthwatch tool to create a security baseline for Smart Grid environment, contributes to risk mitigation and sound security hygiene.
Funding: performed in the Project “Cloud Interaction Technology and Service Platform for Mine Internet of things” supported by National Key Research and Development Program of China (2017YFC0804406); partly supported by the Project “Massive DDoS Attack Traffic Detection Technology Research based on Big Data and Cloud Environment” supported by Scientific Research Foundation of Shandong University of Science and Technology for Recruited Talents (0104060511314).
Abstract: With rapid development of blockchain technology, blockchain and its security theory research and practical application have become crucial. At present, a new DDoS attack has arisen, and it is the DDoS attack in blockchain network. The attack is harmful for blockchain technology and many application scenarios. However, the traditional and existing DDoS attack detection and defense means mainly come from the centralized tactics and solution. Aiming at the above problem, the paper proposes the virtual reality parallel anti-DDoS chain design philosophy and distributed anti-D Chain detection framework based on hybrid ensemble learning. Here, AdaBoost and Random Forest are used as our ensemble learning strategy, and some different lightweight classifiers are integrated into the same ensemble learning algorithm, such as CART and ID3. Our detection framework in blockchain scene has much stronger generalization performance, universality and complementarity to identify accurately the onslaught features for DDoS attack in P2P network. Extensive experimental results confirm that our distributed heterogeneous anti-D chain detection method has better performance in six important indicators (such as Precision, Recall, F-Score, True Positive Rate, False Positive Rate, and ROC curve).
Funding: the Natural Science Foundation of China (No. 61802404, 61602470); the Strategic Priority Research Program (C) of the Chinese Academy of Sciences (No. XDC02040100); the Fundamental Research Funds for the Central Universities of the China University of Labor Relations (No. 20ZYJS017, 20XYJS003); the Key Research Program of the Beijing Municipal Science & Technology Commission (No. D181100000618003); partially the Key Laboratory of Network Assessment Technology, the Chinese Academy of Sciences; the Beijing Key Laboratory of Network Security and Protection Technology.
Abstract: Attacks such as APT usually hide communication data in massive legitimate network traffic, and mining structurally complex and latent relationships among flow-based network traffic to detect attacks has become the focus of many initiatives. Effectively analyzing massive network security data with high dimensions for suspicious flow diagnosis is a huge challenge. In addition, the uneven distribution of network traffic does not fully reflect the differences of class sample features, resulting in the low accuracy of attack detection. To solve these problems, a novel approach called the fuzzy entropy weighted natural nearest neighbor (FEW-NNN) method is proposed to enhance the accuracy and efficiency of flow-based network traffic attack detection. First, the FEW-NNN method uses the Fisher score and deep graph feature learning algorithm to remove unimportant features and reduce the data dimension. Then, according to the proposed natural nearest neighbor searching algorithm (NNN_Searching), the density of data points, each class center and the smallest enclosing sphere radius are determined correspondingly. Finally, a fuzzy entropy weighted KNN classification method based on affinity is proposed, which mainly includes the following three steps: 1) the feature weights of samples are calculated based on fuzzy entropy values, 2) the fuzzy memberships of samples are determined based on affinity among samples, and 3) K-neighbors are selected according to the class-conditional weighted Euclidean distance, the fuzzy membership value of the testing sample is calculated based on the membership of k-neighbors, and then all testing samples are classified according to the fuzzy membership value of the samples belonging to each class; that is, the attack type is determined. The method has been applied to the problem of attack detection and validated based on the famous KDD99 and CICIDS-2017 datasets. From the experimental results shown in this paper, it is observed that the FEW-NNN method improves the accuracy and efficiency of flow-based network traffic attack detection.
Funding: the Specialized Research Foundation for the Doctoral Program of Higher Education (Grant No. 20050248043).
Abstract: As wireless sensor networks (WSN) are deployed in fire monitoring and object tracking applications, security emerges as a central requirement. A Sybil node that illegitimately reports messages to the master node under multiple non-existent identities (IDs) will harm decision-making or resource allocation in these applications. In this paper, we present an efficient and lightweight solution for Sybil attack detection based on the time difference of arrival (TDOA) between the source node and beacon nodes. This solution can detect the existence of Sybil attacks and locate the Sybil nodes. We demonstrate the efficiency of the solution through experiments. The experiments show that this solution can detect all Sybil attack cases without missing any.
Funding: funded by the Open Fund Project of Information Assurance Technology Key Laboratory (No. KJ-15-109) and Zhengzhou Science and Technology Talents (131PLKRC644).
Abstract: Recently, the Erebus attack has proved to be a security threat to the blockchain network layer, and existing research has faced challenges in detecting the Erebus attack on the blockchain network layer. The cloud-based active defense and one-sidedness detection strategies are the hindrances in detecting Erebus attacks. This study designs a detection approach by establishing a ReliefF_WMRmR-based two-stage feature selection algorithm and a deep learning-based multimodal classification detection model for Erebus attacks and responding to security threats to the blockchain network layer. The goal is to improve the performance of Erebus attack detection methods by combining the traffic behavior with the routing status based on multimodal deep feature learning. The traffic behavior and routing status were first defined and used to describe the attack characteristics at diverse stages of s leak monitoring, hidden traffic overlay, and transaction identity forgery. The goal is to clarify how an Erebus attack affects the routing transfer and traffic state on the blockchain network layer. Consequently, detecting objects is expected to become more relevant and sensitive. A two-stage feature selection algorithm was designed based on ReliefF and weighted maximum relevance minimum redundancy (ReliefF_WMRmR) to alleviate the overfitting of the training model caused by redundant information and noise in multiple source features of the routing status and traffic behavior. The ReliefF algorithm was introduced to select strongly correlated and highly informative features of the labeled data. According to WMRmR, a feature selection framework was defined to eliminate weakly correlated features, eliminate redundant information, and reduce the detection overhead of the model. A multimodal deep learning model was constructed based on the multilayer perceptron (MLP) to settle the high false alarm rates incurred by multisource data. Using this model, isolated inputs and deep learning were conducted on the selected routing status and traffic behavior. Redundant intermodal information was removed because of the complementarity of the multimodal network, which was followed by feature fusion and output feature representation to boost classification detection precision. The experimental results demonstrate that the proposed method can detect features, such as traffic data, at key link nodes and route messages in a real blockchain network environment. Additionally, the model can detect Erebus attacks effectively. This study provides novelty to existing Erebus attack detection by increasing the detection accuracy by 1.05%, the recall rate by 2.01%, and the F1-score by 2.43%.
Funding: supported by the Natural Science Foundation of China (61801008); the China National Key R&D Program (No. 2018YFB0803600); the Scientific Research Common Program of Beijing Municipal Commission of Education (No. KM201910005025); the Chinese Postdoctoral Science Foundation (No. 2020M670074).
Abstract: The fog computing paradigm extends computing, communication, storage, and network resources to the network's edge. As the fog layer is located between the cloud and end-users, it can provide more convenient and timely services to end-users. However, in fog computing (FC), attackers can behave as real fog nodes or end-users to provide malicious services in the network. The attacker acts as an impersonator to impersonate other legitimate users. Therefore, in this work, we present a detection technique to secure the FC environment. First, we model a physical layer key generation based on wireless channel characteristics. To generate the secret keys between the legitimate users and avoid impersonators, we then consider a Double Sarsa technique to identify the impersonators at the receiver end. To validate our work, we compare our proposed Double Sarsa technique with two other methods, i.e., Sarsa and Q-learning. The simulation results demonstrate that the method based on Double Sarsa outperforms the Sarsa and Q-learning approaches in terms of false alarm rate (FAR), miss detection rate (MDR), and average error rate (AER).