Dynamic Infrastructural Distributed Denial of Service (I-DDoS) attacks constantly change attack vectors to congest core backhaul links and disrupt critical network availability while evading end-system defenses. To effectively counter these highly dynamic attacks, defense mechanisms need to exhibit adaptive decision strategies for real-time mitigation. This paper presents a novel Autonomous DDoS Defense framework that employs model-based reinforcement agents. The framework continuously learns attack strategies, predicts attack actions, and dynamically determines the optimal composition of defense tactics such as filtering, limiting, and rerouting for flow diversion. Our contributions include extending the underlying formulation of the Markov Decision Process (MDP) to address simultaneous DDoS attack and defense behavior, and accounting for environmental uncertainties. We also propose a fine-grained action mitigation approach robust to classification inaccuracies in Intrusion Detection Systems (IDS). Additionally, our reinforcement learning model demonstrates resilience against evasion and deceptive attacks. Evaluation experiments using real-world and simulated DDoS traces demonstrate that our autonomous defense framework ensures the delivery of approximately 96 – 98% of benign traffic despite the diverse range of attack strategies.

As vehicles increasingly embed digital systems, new security vulnerabilities are also being introduced. Computational constraints make it challenging to add security oversight layers on top of core vehicle systems, especially when the security layers rely on additional deep learning models for anomaly detection. To improve security-aware decision-making for autonomous vehicles (AV), this paper proposes a bi-level security framework. The first security level consists of a one-shot resource allocation game that enables a single vehicle to fend off an attacker by optimizing the configuration of its intrusion prevention system based on risk estimation. The second level relies on a reinforcement learning (RL) environment where an agent is responsible for forming and managing a platoon of vehicles on the fly while also dealing with a potential attacker. We solve the first problem using a minimax algorithm to identify optimal strategies for each player. Then, we train RL agents and analyze their performance in forming security-aware platoons. The trained agents demonstrate superior performance compared to our baseline strategies that do not consider security risk.

With the rapid evolution of the Internet and the prevalence of sophisticated adversarial cyber threats, it has become apparent that an equally rapid development of new Situation Awareness techniques is needed. The vast amount of data produced everyday by Intrusion Detection Systems, Firewalls, Honeypots and other systems can quickly become insurmountable to analyze by the domain experts. To enhance the human - machine interaction, new Visual Analytics systems need to be implemented and tested, bridging the gap between the detection of possible malicious activity, identifying it and taking the necessary measures to stop its propagation. The detection of previously unknown, highly sophisticated Advanced Persistent Threats (APT) adds a higher degree of complexity to this task. In this paper, we discuss the principles inherent to Visual Analytics and propose a new technique for the detection of APT attacks through the use of anomaly and behavior-based analysis. Our ultimate goal is to define sophisticated cyber threats by their defining characteristics and combining those to construct a pattern of behavior, which can be presented in visual form to be explored and analyzed. This can be achieved through the use of our Multi-Agent System for Advanced Persistent Threat Detection (MASFAD) framework and the combination of highly-detailed and dynamic visualization techniques. This paper was originally presented at the NATO Science and Technology Organization Symposium (ICMCIS) organized by the Information Systems Technology (IST) Panel, IST-200 RSY - the ICMCIS, held in Skopje, North Macedonia, 16–17 May 2023.

Vehicular Ad Hoc Networks (VANETs) have the capability of swapping every node of every individual while driving and traveling on the roadside. The VANET-connected vehicle can send and receive data such as requests for emergency assistance, current traffic conditions, etc. VANET assistance with a vehicle for communication purposes is desperately needed. The routing method has the characteristics of safe routing to repair the trust-based features on a specific node.When malicious activity is uncovered, intrusion detection systems (IDS) are crucial tools for mitigating the damage. Collaborations between vehicles in a VANET enhance detection precision by spreading information about interactions across their nodes. This makes the machine learning distribution system feasible, scalable, and usable for creating VANET-based cooperative detection techniques. Privacy considerations are a major impediment to collaborative learning due to the data flow between nodes. A malicious node can get private details about other nodes by observing them. This study proposes a cooperative IDS for VANETs that safeguards the data generated by machine learning. In the intrusion detection phase, the selected optimal characteristics is used to detect network intrusion via a hybrid Deep Neural Network and Bidirectional Long Short-Term Memory approach. The Trust-based routing protocol then performs the intrusion prevention process, stopping the hostile node by having it select the most efficient routing path possible.

Anomaly and intrusion detection in industrial cyber-physical systems has attracted a lot of attention in recent years. Deep learning techniques that require huge datasets are actively researched nowadays. The great challenge is that the real data on such systems, especially security-related data, is confidential, and a methodology for dataset generation is required. In this paper, the authors consider this challenge and introduce the methodology of dataset generation for research on the security of industrial water treatment facilities. The authors describe in detail two stages of the proposed methodology: the definition of a technological process and creating a testbed. The paper ends with a conclusion and future work prospects.

The last decade has shown that networked cyberphysical systems (NCPS) are the future of critical infrastructure such as transportation systems and energy production. However, they have introduced an uncharted territory of security vulnerabilities and a wider attack surface, mainly due to network openness and the deeply integrated physical and cyber spaces. On the other hand, relying on manual analysis of intrusion detection alarms might be effective in stopping run-of-the-mill automated probes but remain useless against the growing number of targeted, persistent, and often AI-enabled attacks on large-scale NCPS. Hence, there is a pressing need for new research directions to provide advanced protection. This paper introduces a novel security paradigm for emerging NCPS, namely Autonomous CyberPhysical Defense (ACPD). We lay out the theoretical foundations and describe the methods for building autonomous and stealthy cyber-physical defense agents that are able to dynamically hunt, detect, and respond to intelligent and sophisticated adversaries in real time without human intervention. By leveraging the power of game theory and multi-agent reinforcement learning, these selflearning agents will be able to deploy complex cyber-physical deception scenarios on the fly, generate optimal and adaptive security policies without prior knowledge of potential threats, and defend themselves against adversarial learning. Nonetheless, serious challenges including trustworthiness, scalability, and transfer learning are yet to be addressed for these autonomous agents to become the next-generation tools of cyber-physical defense.

Deploying Connected and Automated Vehicles (CAVs) on top of 5G and Beyond networks (5GB) makes them vulnerable to increasing vectors of security and privacy attacks. In this context, a wide range of advanced machine/deep learningbased solutions have been designed to accurately detect security attacks. Specifically, supervised learning techniques have been widely applied to train attack detection models. However, the main limitation of such solutions is their inability to detect attacks different from those seen during the training phase, or new attacks, also called zero-day attacks. Moreover, training the detection model requires significant data collection and labeling, which increases the communication overhead, and raises privacy concerns. To address the aforementioned limits, we propose in this paper a novel detection mechanism that leverages the ability of the deep auto-encoder method to detect attacks relying only on the benign network traffic pattern. Using federated learning, the proposed intrusion detection system can be trained with large and diverse benign network traffic, while preserving the CAVs’ privacy, and minimizing the communication overhead. The in-depth experiment on a recent network traffic dataset shows that the proposed system achieved a high detection rate while minimizing the false positive rate, and the detection delay.

An intrusion detection system (IDS) is a crucial software or hardware application that employs security mechanisms to identify suspicious activity in a system or network. According to the detection technique, IDS is divided into two, namely signature-based and anomaly-based. Signature-based is said to be incapable of handling zero-day attacks, while anomaly-based is able to handle it. Machine learning techniques play a vital role in the development of IDS. There are differences of opinion regarding the most optimal algorithm for IDS classification in several previous studies, such as Random Forest, J48, and AdaBoost. Therefore, this study aims to evaluate the performance of the three algorithm models, using the NSL-KDD and UNSW-NB15 datasets used in previous studies. Empirical results demonstrate that utilizing AdaBoost+J48 with NSL-KDD achieves an accuracy of 99.86\%, along with precision, recall, and f1-score rates of 99.9\%. These results surpass previous studies using AdaBoost+Random Tree, with an accuracy of 98.45\%. Furthermore, this research explores the effectiveness of anomaly-based systems in dealing with zero-day attacks. Remarkably, the results show that anomaly-based systems perform admirably in such scenarios. For instance, employing Random Forest with the UNSW-NB15 dataset yielded the highest performance, with an accuracy rating of 99.81\%.

The most serious risk to network security can arise from a zero-day attack. Zero-day attacks are challenging to identify as they exhibit unseen behavior. Intrusion detection systems (IDS) have gained considerable attention as an effective tool for detecting such attacks. IDS are deployed in network systems to monitor the network and to detect any potential threats. Recently, a lot of Machine learning (ML) and Deep Learning (DL) techniques have been employed in Intrusion Detection Systems, and it has been found that these techniques can detect zero-day attacks efficiently. This paper provides an overview of the background, importance, and different types of ML and DL techniques adopted for detecting zero-day attacks. Then it conducts a comprehensive review of recent ML and DL techniques for detecting zero-day attacks and discusses the associated issues. Further, we analyze the results and highlight the research challenges and future scope for improving the ML and DL approaches for zero-day attack detection.

An Intrusion detection system (IDS) plays a role in network intrusion detection through network data analysis, and high detection accuracy, precision, and recall are required to detect intrusions. Also, various techniques such as expert systems, data mining, and state transition analysis are used for network data analysis. The paper compares the detection effects of the two IDS methods using data mining. The first technique is a support vector machine (SVM), a machine learning algorithm; the second is a deep neural network (DNN), one of the artificial neural network models. The accuracy, precision, and recall were calculated and compared using NSL-KDD training and validation data, which is widely used in intrusion detection to compare the detection effects of the two techniques. DNN shows slightly higher accuracy than the SVM model. The risk of recognizing an actual intrusion as normal data is much greater than the risk of considering normal data as an intrusion, so DNN proves to be much more effective in intrusion detection than SVM.

Network Intrusion Detection Systems (NIDS) monitor networking environments for suspicious events that could compromise the availability, integrity, or confidentiality of the network’s resources. To ensure NIDSs play their vital roles, it is necessary to identify how they can be attacked by adopting a viewpoint similar to the adversary to identify vulnerabilities and defenses hiatus. Accordingly, effective countermeasures can be designed to thwart any potential attacks. Machine learning (ML) approaches have been adopted widely for network anomaly detection. However, it has been found that ML models are vulnerable to adversarial attacks. In such attacks, subtle perturbations are inserted to the original inputs at inference time in order to evade the classifier detection or at training time to degrade its performance. Yet, modeling adversarial attacks and the associated threats of employing the machine learning approaches for NIDSs was not addressed. One of the growing challenges is to avoid ML-based systems’ diversity and ensure their security and trust. In this paper, we conduct threat modeling for ML-based NIDS using STRIDE and Attack Tree approaches to identify the potential threats on different levels. We model the threats that can be potentially realized by exploiting vulnerabilities in ML algorithms through a simplified structural attack tree. To provide holistic threat modeling, we apply the STRIDE method to systems’ data flow to uncover further technical threats. Our models revealed a noticing of 46 possible threats to consider. These presented models can help to understand the different ways that a ML-based NIDS can be attacked; hence, hardening measures can be developed to prevent these potential attacks from achieving their goals.

The number of Internet of Things (IoT) devices being deployed into networks is growing at a phenomenal pace, which makes IoT networks more vulnerable in the wireless medium. Advanced Persistent Threat (APT) is malicious to most of the network facilities and the available attack data for training the machine learning-based Intrusion Detection System (IDS) is limited when compared to the normal traffic. Therefore, it is quite challenging to enhance the detection performance in order to mitigate the influence of APT. Therefore, Prior Knowledge Input (PKI) models are proposed and tested using the SCVIC-APT2021 dataset. To obtain prior knowledge, the proposed PKI model pre-classifies the original dataset with unsupervised clustering method. Then, the obtained prior knowledge is incorporated into the supervised model to decrease training complexity and assist the supervised model in determining the optimal mapping between the raw data and true labels. The experimental findings indicate that the PKI model outperforms the supervised baseline, with the best macro average F1-score of 81.37\%, which is 10.47\% higher than the baseline.

With the proliferation of Low Earth Orbit (LEO) spacecraft constellations, comes the rise of space-based wireless cognitive communications systems (CCS) and the need to safeguard and protect data against potential hostiles to maintain widespread communications for enabling science, military and commercial services. For example, known adversaries are using advanced persistent threats (APT) or highly progressive intrusion mechanisms to target high priority wireless space communication systems. Specialized threats continue to evolve with the advent of machine learning and artificial intelligence, where computer systems inherently can identify system vulnerabilities expeditiously over naive human threat actors due to increased processing resources and unbiased pattern recognition. This paper presents a disruptive abuse case for an APT-attack on such a CCS and describes a trade-off analysis that was performed to evaluate a variety of machine learning techniques that could aid in the rapid detection and mitigation of an APT-attack. The trade results indicate that with the employment of neural networks, the CCS s resiliency would increase its operational functionality, and therefore, on-demand communication services reliability would increase. Further, modelling, simulation, and analysis (MS\&A) was achieved using the Knowledge Discovery and Data Mining (KDD) Cup 1999 data set as a means to validate a subset of the trade study results against Training Time and Number of Parameters selection criteria. Training and cross-validation learning curves were computed to model the learning performance over time to yield a reasonable conclusion about the application of neural networks.

In this fast growing technology and tight integration of physical devices in conventional networks, the resource management and adaptive scalability is a problematic undertaking particularly when it comes to network security measures. Current work focuses on software defined network (SDN) and network function virtualization (NFV) based security solution to address problems in network and security management. However, deployment, configuration and implementation of SDN/NFVbased security solution remains a real challenge. To overcome this research challenge, this paper presents the implementation of SDN-NFVs based network security solution. The proposed methodology is based on using open network operating system (ONOS) SDN Controller with Zodiac FX Openflow switches and virtual network functions (VNF). VNF comprises of virtual security functions (VSF) which includes firewall, intrusion prevention system (IPS) and intrusion detection system (IDS). One of the main contributions of this research is the implementation of security solution of an enterprise, utilizing SDN-NFV platform and commodity hardware. We demonstrate the successful implementation, configuration and deployment of the proposed NFVbased network security solution for an enterprise.

A smart university is supposed to be a safe university. At this moment we observe multiple cameras in different locations in the Hall University and rooms to detect suspicious behavior such as violation, larceny or persons in a state of alcohol or drug intoxication. Samples of the video footage is monitored 24/7 by operators in control rooms. Currently the recorded videos are visual assessed after a suspicious event has occurred. There is a requirement for realtime surveillance with smart cameras which can detect, track and analyze suspicious behavior over place and time. The expanding number of cameras requires an enormous measure of observing operators. This paper proposes a distributed intelligent surveillance system based on smart cameras. We seek to improve the Quality of Experience QoE operator side or QoEvideo surveillance expressed in function of i- resource availability constraints, ii- false detection of suspicious behavior, iii- define an optimal perimeter for intrusion detection (subset of cameras, network parameters required . . . ).

Provenance 2022 - Traditional Intrusion Detection Systems (IDS) are struggling to keep up with the increase in sophisticated cyberattacks such as Advanced Persistent Threats (APT) over the past years. Provenance-based Intrusion Detection Systems (PIDS) utilize data provenance concepts to enable fine-grained event correlation, and the results show increased detection accuracy and reduced false-alarm rates compared to traditional IDS. Especially, rule-based approaches for the PIDS have demonstrated high detection accuracy, low false alarm, and fast detection time. However, rules are manually created by security experts, which is time-consuming and doesn’t ensure high-quality rule standards. To address this issue, we propose an automated rule generation framework to generate robust rules to describe malicious files automatically. As a result, high-quality rules can be used in PIDS to identify similar attacks and other affected systems promptly.

Object Oriented Security - A growing number of attacks and the introduction of new security standards, e.g. ISO 21434, are increasingly shifting the focus of industry and research to the cybersecurity of vehicles. Being cyber-physical systems, compromised vehicles can pose a safety risk to occupants and the environment. Updates over the air and monitoring of the vehicle fleet over its entire lifespan are therefore established in current and future vehicles. Elementary components of such a strategy are security sensors in the form of firewalls and intrusion detection systems, for example, and an operations center where monitoring and response activities are coordinated. A critical step in defending against, detecting, and remediating attacks is providing knowledge about the vehicle and fleet context. Whether a vehicle is driving on the highway or parked at home, what software version is installed, or what security incidents have occurred affect the legitimacy of data and network traffic. However, current security measures lack an understanding of how to operate in an adjusted manner in different contexts. This work is therefore dedicated to a concept to make security measures for vehicles context-aware. We present our approach, which consists of an object-oriented model of relevant context information within the vehicle and a Knowledge Graph for the fleet. With this approach, various use cases can be addressed, according to the different requirements for the use of context knowledge in the vehicle and operations center.

Neural Network Security - With the continuous development of network technology and the continuous expansion of network scale, the security of the network has suffered more threats, and the attacks faced are becoming more and more extensive. The frequent occurrence of network security incidents has caused huge losses, facing more and more severe situation, it is necessary to adopt various network security technologies to solve the problem. In network security, the most commonly used technology is firewall. The firewall has a certain blocking effect on attacks from outside the network, but it has a weak defense effect on the attacks in the internal network, and it is easy to be bypassed. Intrusion detection technology can detect both internal and external network attacks. Responses are generated before the intrusion behavior occurs, and alarm information is issued for timely and effective processing. In recent years, China s campus security incidents are still happening, seriously threatening the lives of students and disrupting the normal teaching order of schools. At present, there are still many loopholes in campus security operations. Campus security management system has become an important task in campus security construction. On this basis, relevant personnel are required to analyze the existing problems of campus safety and the needs of the safety management system, and find the main technology of a more advanced intelligent safety management system.

Neural Network Security - With the development of computing technology, data security and privacy protection have also become the focus of researchers; along with this comes the issue of network link security and reliability, and these issues have become the focus of discussion when studying network security. Intrusion detection is an effective means to assist in network malicious traffic detection and maintain network stability; to meet the ever-changing demand for network traffic identification, intrusion detection models have undergone a transformation from traditional intrusion detection models to machine learning intrusion detection models to deep intrusion detection models. The efficiency and superiority of deep learning have been proven in fields such as image processing, but there are still some problems in the field of network security intrusion detection: the models are not targeted when processing data, the models have poor generalization ability, etc. The combinatorial neural network proposed in this paper can effectively propose a solution to the problems of existing models, and the CL-IDS model proposed in this paper has a better performance on the KDDCUP99 dataset as demonstrated by relevant experiments.

Neural Network Resiliency - With the proliferation of Low Earth Orbit (LEO) spacecraft constellations, comes the rise of space-based wireless cognitive communications systems (CCS) and the need to safeguard and protect data against potential hostiles to maintain widespread communications for enabling science, military and commercial services. For example, known adversaries are using advanced persistent threats (APT) or highly progressive intrusion mechanisms to target high priority wireless space communication systems. Specialized threats continue to evolve with the advent of machine learning and artificial intelligence, where computer systems inherently can identify system vulnerabilities expeditiously over naive human threat actors due to increased processing resources and unbiased pattern recognition. This paper presents a disruptive abuse case for an APT-attack on such a CCS and describes a trade-off analysis that was performed to evaluate a variety of machine learning techniques that could aid in the rapid detection and mitigation of an APT-attack. The trade results indicate that with the employment of neural networks, the CCS s resiliency would increase its operational functionality, and therefore, on-demand communication services reliability would increase. Further, modelling, simulation, and analysis (MS\&A) was achieved using the Knowledge Discovery and Data Mining (KDD) Cup 1999 data set as a means to validate a subset of the trade study results against Training Time and Number of Parameters selection criteria. Training and cross-validation learning curves were computed to model the learning performance over time to yield a reasonable conclusion about the application of neural networks.

Network Reconnaissance - Web applications are frequent targets of attack due to their widespread use and round the clock availability. Malicious users can exploit vulnerabilities in web applications to steal sensitive information, modify and destroy data as well as deface web applications. The process of exploiting web applications is a multi-step process and the first step in an attack is reconnaissance, in which the attacker tries to gather information about the target web application. In this step, the attacker uses highly efficient automated scanning tools to scan web applications. Following reconnaissance, the attacker proceeds to vulnerability scanning and subsequently attempts to exploit the vulnerabilities discovered to compromise the web application. Detection of reconnaissance scans by malicious users can be combined with other traditional intrusion detection and prevention systems to improve the security of web applications. In this paper, a method for detecting reconnaissance scans through analysis of web server access logs is proposed. The proposed approach uses an LSTM network based deep learning approach for detecting reconnaissance scans. Experiments conducted show that the proposed approach achieves a mean precision, recall and f1-score of 0.99 over three data sets and precision, recall and f1-score of 0.97, 0.96 and 0.96 over the combined dataset.

Network Intrusion Detection - This paper proposes a CNN-BiLS TM intrusion detection model for complex system networks. The model performs data over-sampling on the unbalanced data set, which reduces the gap in the amount of category data. It is based on the integration, cooperation, and selectivity of methods and mechanisms in the intrusion detection system, so as to achieve the idea of optimization. In the intrusion detection system, an intrusion detection system based on a variety of detection methods and technologies is proposed, and an integrated, cooperative, and selective overall structure is established. It will be based on distributed intrusion detection and feature engine analysis of intrusion detection, efficiency an increase of 6.7\%.

Network Intrusion Detection - Aiming at the problems of low detection accuracy, high false detection rate and high missed detection rate of traditional Intelligent Substation (I-S) secondary system network Intrusion Detection (I-D) methods, a semantic enhanced network I-D method for I-S secondary system is proposed. First of all, through the analysis of the secondary system network of I-S and the existing security risks, the information network security protection architecture is built based on network I-D. Then, the overall structure of I-S secondary network I-D is constructed by integrating CNN and BiLSTM. Finally, the semantic analysis of Latent Dirichlet Allocation (LDA) is introduced to enhance the network I-D model, which greatly improves the detection accuracy. The proposed method is compared with the other two methods under the same conditions through simulation experiments. The results show that the detection accuracy of the proposed method is the highest (95.02\%) in the face of 10 different types of attack traffic, and the false detection rate and missed detection rate are the lowest (1.3\% and 3.8\% respectively). The algorithm performance is better than the other three comparison algorithms.

Network Intrusion Detection - With the continuous development of deep learning technology, the phenolic model of intrusion detection based on deep learning has become a research hotspot. Traditional network attack detection mainly relies on static rules to detect network behavior, so it is difficult to dynamically adapt to the continuous development of network attacks. While deep learning technology is more and more used in the field of security, the text is based on deep learning classification network to design intrusion detection classification model. The appropriate data processing technology is used to preprocess the original intrusion data, and the processed data is used to train the network model. Finally, the performance of the model is tested to achieve high classification accuracy.

Network Intrusion Detection - Network intrusion detection technology has been a popular application technology for current network security, but the existing network intrusion detection technology in the application process, there are problems such as low detection efficiency, low detection accuracy and other poor detection performance. To solve the above problems, a new treatment combining artificial intelligence with network intrusion detection is proposed. Artificial intelligence-based network intrusion detection technology refers to the application of artificial intelligence techniques, such as: neural networks, neural algorithms, etc., to network intrusion detection, and the application of these artificial intelligence techniques makes the automatic detection of network intrusion detection models possible.