The Controller area network (CAN) is the most extensively used in-vehicle network. It is set to enable communication between a number of electronic control units (ECU) that are widely found in most modern vehicles. CAN is the de facto in-vehicle network standard due to its error avoidance techniques and similar features, but it is vulnerable to various attacks. In this research, we propose a CAN bus intrusion detection system (IDS) based on convolutional neural networks (CNN). U-CAN is a segmentation model that is trained by monitoring CAN traffic data that are preprocessed using hamming distance and saliency detection algorithm. The model is trained and tested using publicly available datasets of raw and reverse-engineered CAN frames. With an F\_1 Score of 0.997, U-CAN can detect DoS, Fuzzy, spoofing gear, and spoofing RPM attacks of the publicly available raw CAN frames. The model trained on reverse-engineered CAN signals that contain plateau attacks also results in a true positive rate and false-positive rate of 0.971 and 0.998, respectively.
Authored by Araya Desta, Shuji Ohira, Ismail Arai, Kazutoshi Fujikawa
As the IPv6 protocol has been rapidly developed and applied, the security of IPv6 networks has become the focus of academic and industrial attention. Despite the fact that the IPv6 protocol is designed with security in mind, due to insufficient defense measures of current firewalls and intrusion detection systems for IPv6 networks, the construction of covert channels using fields not defined or reserved in IPv6 protocols may compromise the information systems. By discussing the possibility of constructing storage covert channels within IPv6 protocol fields, 10 types of IPv6 covert channels are constructed with undefined and reserved fields, including the flow label field, the traffic class field of IPv6 header, the reserved fields of IPv6 extension headers and the code field of ICMPv6 header. An IPv6 covert channel detection method based on field matching (CC-Guard) is proposed, and a typical IPv6 network environment is built for testing. In comparison with existing detection tools, the experimental results show that the CC-Guard not only can detect more covert channels consisting of IPv6 extension headers and ICMPv6 headers, but also achieves real-time detection with a lower detection overhead.
Authored by Jichang Wang, Liancheng Zhang, Zehua Li, Yi Guo, Lanxin Cheng, Wenwen Du
The modern networking world is being exposed to many risks more frequently every day. Most of systems strongly rely on remaining anonymous throughout the whole endpoint exploitation process. Covert channels represent risk since they ex-ploit legitimate communications and network protocols to evade typical filtering. This firewall avoidance sees covert channels frequently used for malicious communication of intruders with systems they compromised, and thus a real threat to network security. While there are commercial tools to safeguard computer networks, novel applications such as automotive connectivity and V2X present new challenges. This paper focuses on the analysis of the recent ways of using covert channels and detecting them, but also on the state-of-the-art possibilities of protection against them. We investigate observing the timing covert channels behavior simulated via injected ICMP traffic into standard network communications. Most importantly, we concentrate on enhancing firewall with detection and prevention of such attack built-in features. The main contribution of the paper is design for detection timing covert channel threats utilizing detection methods based on statistical analysis. These detection methods are combined and implemented in one program as a simple host-based intrusion detection system (HIDS). As a result, the proposed design can analyze and detect timing covert channels, with the addition of taking preventive measures to block any future attempts to breach the security of an end device.
Authored by Adrián Ondov, Pavol Helebrandt
Security of Internet of Things (IoT) is one of the most prevalent crucial challenges ever since. The diversified devices and their specification along with resource constrained protocols made it more complex to address over all security need of IoT. Denial of Service attacks, being the most powerful and frequent attacks on IoT have been considered so forth. However, the attack happens on multiple layers and thus a single detection technique for each layer is not sufficient and effective to combat these attacks. Current study focuses on cross layer intrusion detection system (IDS) for detection of multiple Denial of Service (DoS) attacks. Presently, two attacks at Transmission Control Protocol (TCP) and Routing Protocol are considered for Low power and Lossy Networks (RPL) and a neural network-based IDS approach has been proposed for the detection of such attacks. The attacks are simulated on NetSim and detection and the performance shows up to 80% detection probabilities.
Authored by Ayushi Kharkwal, Saumya Mishra, Aditi Paul
DDoS attacks produce a lot of traffic on the network. DDoS attacks may be fought in a novel method thanks to the rise of Software Defined Networking (SDN). DDoS detection and data gathering may lead to larger system load utilization among SDN as well as systems, much expense of SDN, slow reaction period to DDoS if they are conducted at regular intervals. Using the Identification Retrieval algorithm, we offer a new DDoS detection framework for detecting resource scarcity type DDoS attacks. In designed to check low-density DDoS attacks, we employ a combination of network traffic characteristics. The KSVD technique is used to generate a dictionary of network traffic parameters. In addition to providing legitimate and attack traffic models for dictionary construction, the suggested technique may be used to network traffic as well. Matching Pursuit and Wavelet-based DDoS detection algorithms are also implemented and compared using two separate data sets. Despite the difficulties in identifying LR-DoS attacks, the results of the study show that our technique has a detection accuracy of 89%. DDoS attacks are explained for each type of DDoS, and how SDN weaknesses may be exploited. We conclude that machine learning-based DDoS detection mechanisms and cutoff point DDoS detection techniques are the two most prevalent methods used to identify DDoS attacks in SDN. More significantly, the generational process, benefits, and limitations of each DDoS detection system are explained. This is the case in our testing environment, where the intrusion detection system (IDS) is able to block all previously identified threats
Authored by E. Fenil, Mohan Kumar
Intrusion detection systems (IDS) are most efficient way of defending against network-based attacks aimed at system devices, especially wireless devices. These systems are used in almost all large-scale IT infrastructures components, and they effected with different types of network attacks such as DDoS attack. Distributed Denial of-Services (DDoS) attacks the protocols and systems that are intended to provide services (to the public) are inherently vulnerable to attacks like DDoS, which were launched against a number of important Internet sites where security precautions were in place.
Authored by Noor Hashim, Sattar Sadkhan
The Internet has evolved to the point that gigabytes and even terabytes of data are generated and processed on a daily basis. Such a stream of data is characterised by high volume, velocity and variety and is referred to as Big Data. Traditional data processing tools can no longer be used to process big data, because they were not designed to handle such a massive amount of data. This problem concerns also cyber security, where tools like intrusion detection systems employ classification algorithms to analyse the network traffic. Achieving a high accuracy attack detection becomes harder when the amount of data increases and the algorithms must be efficient enough to keep up with the throughput of a huge data stream. Due to the challenges posed by a big data environment, some monitoring systems have already shifted from deep packet inspection to flow-level inspection. The goal of this paper is to evaluate the applicability of an existing intrusion detection technique that performs deep packet inspection in a big data setting. We have conducted several experiments with Apache Spark to assess the performance of the technique when classifying anomalous packets, showing that it benefits from the use of Spark.
Authored by Fabrizio Angiulli, Angelo Furfaro, Domenico Saccá, Ludovica Sacco
The growing number of cybersecurity incidents and the always increasing complexity of cybersecurity attacks is forcing the industry and the research community to develop robust and effective methods to detect and respond to network attacks. Many tools are either built upon a large number of rules and signatures which only large third-party vendors can afford to create and maintain, or are based on complex artificial intelligence engines which, in most cases, still require personalization and fine-tuning using costly service contracts offered by the vendors.This paper introduces an open-source network traffic monitoring system based on the concept of cyberscore, a numerical value that represents how a network activity is considered relevant for spotting cybersecurity-related events. We describe how this technique has been applied in real-life networks and present the result of this evaluation.
Authored by Luca Deri, Alfredo Cardigliano
Current intrusion detection techniques cannot keep up with the increasing amount and complexity of cyber attacks. In fact, most of the traffic is encrypted and does not allow to apply deep packet inspection approaches. In recent years, Machine Learning techniques have been proposed for post-mortem detection of network attacks, and many datasets have been shared by research groups and organizations for training and validation. Differently from the vast related literature, in this paper we propose an early classification approach conducted on CSE-CIC-IDS2018 dataset, which contains both benign and malicious traffic, for the detection of malicious attacks before they could damage an organization. To this aim, we investigated a different set of features, and the sensitivity of performance of five classification algorithms to the number of observed packets. Results show that ML approaches relying on ten packets provide satisfactory results.
Authored by Idio Guarino, Giampaolo Bovenzi, Davide Di Monda, Giuseppe Aceto, Domenico Ciuonzo, Antonio Pescapè
Intrusion Detection Systems (IDSs) are crucial security mechanisms widely deployed for critical network protection. However, conventional IDSs become incompetent due to the rapid growth in network size and the sophistication of large scale attacks. To mitigate this problem, Collaborative IDSs (CIDSs) have been proposed in literature. In CIDSs, a number of IDSs exchange their intrusion alerts and other relevant data so as to achieve better intrusion detection performance. Nevertheless, the required information exchange may result in privacy leakage, especially when these IDSs belong to different self-interested organizations. In order to obtain a quantitative understanding of the fundamental tradeoff between the intrusion detection accuracy and the organizations' privacy, a repeated two-layer single-leader multi-follower game is proposed in this work. Based on our game-theoretic analysis, we are able to derive the expected behaviors of both the attacker and the IDSs and obtain the utility-privacy tradeoff curve. In addition, the existence of Nash equilibrium (NE) is proved and an asynchronous dynamic update algorithm is proposed to compute the optimal collaboration strategies of IDSs. Finally, simulation results are shown to validate the analysis.
Authored by Richeng Jin, Xiaofan He, Huaiyu Dai