Special Issue "Machine Learning for Cyber-Security"

A special issue of Information (ISSN 2078-2489). This special issue belongs to the section "Artificial Intelligence".

Deadline for manuscript submissions: closed (15 November 2019).

Special Issue Editor

Dr. Xavier Bellekens
Website SciProfiles
Guest Editor
Department of Electronic and Electrical Engineering, University of Strathclyde, Glasgow, G1 1XW, Scotland, UK
Interests: Cyber Security; Computer Networks; Internet of Things; Intrusion Detection Systems, Critical Infrastructures
Special Issues and Collections in MDPI journals

Special Issue Information

Dear Colleagues,

Over the past decade, the rise of new technologies, such as the Internet of Things and associated interfaces, have dramatically increased the attack surface of consumers and critical infrastructure networks. New threats are being discovered on a daily basis making it harder for current solutions to cope with the large amount of data to analyse. Numerous machine learning algorithms have found their ways in the field of cyber-security in order to identify new and unknown malware, improve intrusion detection systems, enhance spam detection, or prevent software exploit to execute.

While these applications of machine learning algorithms have been proven beneficial for the cyber-security industry, they have also highlighted a number of shortcomings, such as the lack of datasets, the inability to learn from small datasets, the cost of the architecture, to name a few. On the other hand, new and emerging algorithms, such as Deep Learning, One-shot Learning, Continuous Learning and Generative Adversarial Networks, have been successfully applied to solve natural language processing, translation tasks, image classification and even deep face recognition. It is therefore crucial to apply these new methods to cyber-security and measure the success of these less-traditional algorithms when applied to cyber-security.

This Special Issue on machine learning for cyber-security is aimed at industrial and academic researcher applying non-traditional methods to solve cyber-security problems. The key areas of this Special Issue include, but are not limited to:

Generative Adversarial Models; One-shot Learning; Continuous Learning; Challenges of Machine Learning for Cyber Security; Strength and Shortcomings of Machine Learning for Cyber-Security; Graph Representation Learning; Scalable Machine Learning for Cyber Security; Neural Graph Learning; Machine Learning Threat Intelligence; Ethics of Machine Learning for Cyber Security Applications

Dr. Xavier Bellekens
Guest Editor

Manuscript Submission Information

Manuscripts should be submitted online at www.mdpi.com by registering and logging in to this website. Once you are registered, click here to go to the submission form. Manuscripts can be submitted until the deadline. All papers will be peer-reviewed. Accepted papers will be published continuously in the journal (as soon as accepted) and will be listed together on the special issue website. Research articles, review articles as well as short communications are invited. For planned papers, a title and short abstract (about 100 words) can be sent to the Editorial Office for announcement on this website.

Submitted manuscripts should not have been published previously, nor be under consideration for publication elsewhere (except conference proceedings papers). All manuscripts are thoroughly refereed through a single-blind peer-review process. A guide for authors and other relevant information for submission of manuscripts is available on the Instructions for Authors page. Information is an international peer-reviewed open access monthly journal published by MDPI.

Please visit the Instructions for Authors page before submitting a manuscript. The Article Processing Charge (APC) for publication in this open access journal is 1000 CHF (Swiss Francs). Submitted papers should be well formatted and use good English. Authors may use MDPI's English editing service prior to publication or during author revisions.

Keywords

  • machine learning
  • cyber-security
  • intrusion detection systems
  • malware

Published Papers (11 papers)

Order results
Result details
Select all
Export citation of selected articles as:

Research

Jump to: Review

Open AccessArticle
Using a Long Short-Term Memory Recurrent Neural Network (LSTM-RNN) to Classify Network Attacks
Information 2020, 11(5), 243; https://doi.org/10.3390/info11050243 - 01 May 2020
Abstract
An intrusion detection system (IDS) identifies whether the network traffic behavior is normal or abnormal or identifies the attack types. Recently, deep learning has emerged as a successful approach in IDSs, having a high accuracy rate with its distinctive learning mechanism. In [...] Read more.
An intrusion detection system (IDS) identifies whether the network traffic behavior is normal or abnormal or identifies the attack types. Recently, deep learning has emerged as a successful approach in IDSs, having a high accuracy rate with its distinctive learning mechanism. In this research, we developed a new method for intrusion detection to classify the NSL-KDD dataset by combining a genetic algorithm (GA) for optimal feature selection and long short-term memory (LSTM) with a recurrent neural network (RNN). We found that using LSTM-RNN classifiers with the optimal feature set improves intrusion detection. The performance of the IDS was analyzed by calculating the accuracy, recall, precision, f-score, and confusion matrix. The NSL-KDD dataset was used to analyze the performances of the classifiers. An LSTM-RNN was used to classify the NSL-KDD datasets into binary (normal and abnormal) and multi-class (Normal, DoS, Probing, U2R, and R2L) sets. The results indicate that applying the GA increases the classification accuracy of LSTM-RNN in both binary and multi-class classification. The results of the LSTM-RNN classifier were also compared with the results using a support vector machine (SVM) and random forest (RF). For multi-class classification, the classification accuracy of LSTM-RNN with the GA model is much higher than SVM and RF. For binary classification, the classification accuracy of LSTM-RNN is similar to that of RF and higher than that of SVM. Full article
(This article belongs to the Special Issue Machine Learning for Cyber-Security)
Show Figures

Figure 1

Open AccessArticle
Unsupervised Anomaly Detection for Network Data Streams in Industrial Control Systems
Information 2020, 11(2), 105; https://doi.org/10.3390/info11020105 - 15 Feb 2020
Abstract
The development and integration of information technology and industrial control networks have expanded the magnitude of new data; detecting anomalies or discovering other valid information from them is of vital importance to the stable operation of industrial control systems. This paper proposes an [...] Read more.
The development and integration of information technology and industrial control networks have expanded the magnitude of new data; detecting anomalies or discovering other valid information from them is of vital importance to the stable operation of industrial control systems. This paper proposes an incremental unsupervised anomaly detection method that can quickly analyze and process large-scale real-time data. Our evaluation on the Secure Water Treatment dataset shows that the method is converging to its offline counterpart for infinitely growing data streams. Full article
(This article belongs to the Special Issue Machine Learning for Cyber-Security)
Show Figures

Figure 1

Open AccessArticle
MANNWARE: A Malware Classification Approach with a Few Samples Using a Memory Augmented Neural Network
Information 2020, 11(1), 51; https://doi.org/10.3390/info11010051 - 17 Jan 2020
Abstract
The ability to stop malware as soon as they start spreading will always play an important role in defending computer systems. It must be a huge benefit for organizations as well as society if intelligent defense systems could themselves detect and prevent new [...] Read more.
The ability to stop malware as soon as they start spreading will always play an important role in defending computer systems. It must be a huge benefit for organizations as well as society if intelligent defense systems could themselves detect and prevent new types of malware as soon as they reveal only a tiny amount of samples. An approach introduced in this paper takes advantage of One-shot/Few-shot learning algorithms to solve the malware classification problems using a Memory Augmented Neural Network in combination with the Natural Language Processing techniques such as word2vec, n-gram. We embed the malware’s API calls, which are very valuable sources of information for identifying malware’s behaviors, in the different feature spaces, and then feed them to the one-shot/few-shot learning models. Evaluating the model on the two datasets (FFRI 2017 and APIMDS) shows that the models with different parameters could yield high accuracy on malware classification with only a few samples. For example, on the APIMDS dataset, it was able to guess 78.85% correctly after seeing only nine malware samples and 89.59% after fine-tuning with a few other samples. The results confirmed very good accuracies compared to the other traditional methods, and point to a new area of malware research. Full article
(This article belongs to the Special Issue Machine Learning for Cyber-Security)
Show Figures

Figure 1

Open AccessArticle
Identifying WeChat Message Types without Using Traditional Traffic
Information 2020, 11(1), 18; https://doi.org/10.3390/info11010018 - 26 Dec 2019
Abstract
Attackers can eavesdrop and exploit user privacy by classifying traffic into different types of in-app service usage to identify user actions. WeChat is the largest social messaging platform, which is a popular application in China. When WeChat is shut down, it is unable [...] Read more.
Attackers can eavesdrop and exploit user privacy by classifying traffic into different types of in-app service usage to identify user actions. WeChat is the largest social messaging platform, which is a popular application in China. When WeChat is shut down, it is unable to generate traffic; that is, traditional traffic. However, the traffic still can be generated by system. How to identify the message types within WeChat with traffic generated by a system instead of traditional traffic becomes a new challenge. To deal with this challenge, we designed a system to identify and analyze the traffic of the Apple Push Notification service (APNs) to identify the message types of WeChat. In detail, we designed a system to identify and analyze the traffic of the APNs. First, the system clusters the traffic based on the session and divides it into multiple bursts. Then, it extracts the features of each burst and sends these features to the learning-based classifier to extract APNs’s traffic from the background traffic. Finally, it uses a hash-based lookup table method to analyze message types from APNs traffic. Extensive evaluation results show that we can accurately identify the six message types of APN and WeChat. In addition, we propose two coping strategies for the method proposed in this article. Full article
(This article belongs to the Special Issue Machine Learning for Cyber-Security)
Show Figures

Figure 1

Open AccessArticle
Reinforcement Learning for Efficient Network Penetration Testing
Information 2020, 11(1), 6; https://doi.org/10.3390/info11010006 - 20 Dec 2019
Abstract
Penetration testing (also known as pentesting or PT) is a common practice for actively assessing the defenses of a computer network by planning and executing all possible attacks to discover and exploit existing vulnerabilities. Current penetration testing methods are increasingly becoming non-standard, composite [...] Read more.
Penetration testing (also known as pentesting or PT) is a common practice for actively assessing the defenses of a computer network by planning and executing all possible attacks to discover and exploit existing vulnerabilities. Current penetration testing methods are increasingly becoming non-standard, composite and resource-consuming despite the use of evolving tools. In this paper, we propose and evaluate an AI-based pentesting system which makes use of machine learning techniques, namely reinforcement learning (RL) to learn and reproduce average and complex pentesting activities. The proposed system is named Intelligent Automated Penetration Testing System (IAPTS) consisting of a module that integrates with industrial PT frameworks to enable them to capture information, learn from experience, and reproduce tests in future similar testing cases. IAPTS aims to save human resources while producing much-enhanced results in terms of time consumption, reliability and frequency of testing. IAPTS takes the approach of modeling PT environments and tasks as a partially observed Markov decision process (POMDP) problem which is solved by POMDP-solver. Although the scope of this paper is limited to network infrastructures PT planning and not the entire practice, the obtained results support the hypothesis that RL can enhance PT beyond the capabilities of any human PT expert in terms of time consumed, covered attacking vectors, accuracy and reliability of the outputs. In addition, this work tackles the complex problem of expertise capturing and re-use by allowing the IAPTS learning module to store and re-use PT policies in the same way that a human PT expert would learn but in a more efficient way. Full article
(This article belongs to the Special Issue Machine Learning for Cyber-Security)
Show Figures

Figure 1

Open AccessArticle
AndroShield: Automated Android Applications Vulnerability Detection, a Hybrid Static and Dynamic Analysis Approach
Information 2019, 10(10), 326; https://doi.org/10.3390/info10100326 - 22 Oct 2019
Cited by 2
Abstract
The security of mobile applications has become a major research field which is associated with a lot of challenges. The high rate of developing mobile applications has resulted in less secure applications. This is due to what is called the “rush to release” [...] Read more.
The security of mobile applications has become a major research field which is associated with a lot of challenges. The high rate of developing mobile applications has resulted in less secure applications. This is due to what is called the “rush to release” as defined by Ponemon Institute. Security testing—which is considered one of the main phases of the development life cycle—is either not performed or given minimal time; hence, there is a need for security testing automation. One of the techniques used is Automated Vulnerability Detection. Vulnerability detection is one of the security tests that aims at pinpointing potential security leaks. Fixing those leaks results in protecting smart-phones and tablet mobile device users against attacks. This paper focuses on building a hybrid approach of static and dynamic analysis for detecting the vulnerabilities of Android applications. This approach is capsuled in a usable platform (web application) to make it easy to use for both public users and professional developers. Static analysis, on one hand, performs code analysis. It does not require running the application to detect vulnerabilities. Dynamic analysis, on the other hand, detects the vulnerabilities that are dependent on the run-time behaviour of the application and cannot be detected using static analysis. The model is evaluated against different applications with different security vulnerabilities. Compared with other detection platforms, our model detects information leaks as well as insecure network requests alongside other commonly detected flaws that harm users’ privacy. The code is available through a GitHub repository for public contribution. Full article
(This article belongs to the Special Issue Machine Learning for Cyber-Security)
Show Figures

Figure 1

Open AccessArticle
An Intelligent Spam Detection Model Based on Artificial Immune System
Information 2019, 10(6), 209; https://doi.org/10.3390/info10060209 - 12 Jun 2019
Cited by 4
Abstract
Spam emails, also known as non-self, are unsolicited commercial or malicious emails, sent to affect either a single individual or a corporation or a group of people. Besides advertising, these may contain links to phishing or malware hosting websites set up to steal [...] Read more.
Spam emails, also known as non-self, are unsolicited commercial or malicious emails, sent to affect either a single individual or a corporation or a group of people. Besides advertising, these may contain links to phishing or malware hosting websites set up to steal confidential information. In this paper, a study of the effectiveness of using a Negative Selection Algorithm (NSA) for anomaly detection applied to spam filtering is presented. NSA has a high performance and a low false detection rate. The designed framework intelligently works through three detection phases to finally determine an email’s legitimacy based on the knowledge gathered in the training phase. The system operates by elimination through Negative Selection similar to the functionality of T-cells’ in biological systems. It has been observed that with the inclusion of more datasets, the performance continues to improve, resulting in a 6% increase of True Positive and True Negative detection rate while achieving an actual detection rate of spam and ham of 98.5%. The model has been further compared against similar studies, and the result shows that the proposed system results in an increase of 2 to 15% in the correct detection rate of spam and ham. Full article
(This article belongs to the Special Issue Machine Learning for Cyber-Security)
Show Figures

Figure 1

Open AccessArticle
Improving Intrusion Detection Model Prediction by Threshold Adaptation
Information 2019, 10(5), 159; https://doi.org/10.3390/info10050159 - 30 Apr 2019
Cited by 2
Abstract
Network traffic exhibits a high level of variability over short periods of time. This variability impacts negatively on the accuracy of anomaly-based network intrusion detection systems (IDS) that are built using predictive models in a batch learning setup. This work investigates how adapting [...] Read more.
Network traffic exhibits a high level of variability over short periods of time. This variability impacts negatively on the accuracy of anomaly-based network intrusion detection systems (IDS) that are built using predictive models in a batch learning setup. This work investigates how adapting the discriminating threshold of model predictions, specifically to the evaluated traffic, improves the detection rates of these intrusion detection models. Specifically, this research studied the adaptability features of three well known machine learning algorithms: C5.0, Random Forest and Support Vector Machine. Each algorithm’s ability to adapt their prediction thresholds was assessed and analysed under different scenarios that simulated real world settings using the prospective sampling approach. Multiple IDS datasets were used for the analysis, including a newly generated dataset (STA2018). This research demonstrated empirically the importance of threshold adaptation in improving the accuracy of detection models when training and evaluation traffic have different statistical properties. Tests were undertaken to analyse the effects of feature selection and data balancing on model accuracy when different significant features in traffic were used. The effects of threshold adaptation on improving accuracy were statistically analysed. Of the three compared algorithms, Random Forest was the most adaptable and had the highest detection rates. Full article
(This article belongs to the Special Issue Machine Learning for Cyber-Security)
Show Figures

Figure 1

Open AccessArticle
DGA CapsNet: 1D Application of Capsule Networks to DGA Detection
Information 2019, 10(5), 157; https://doi.org/10.3390/info10050157 - 27 Apr 2019
Cited by 3
Abstract
Domain generation algorithms (DGAs) represent a class of malware used to generate large numbers of new domain names to achieve command-and-control (C2) communication between the malware program and its C2 server to avoid detection by cybersecurity measures. Deep learning has proven successful in [...] Read more.
Domain generation algorithms (DGAs) represent a class of malware used to generate large numbers of new domain names to achieve command-and-control (C2) communication between the malware program and its C2 server to avoid detection by cybersecurity measures. Deep learning has proven successful in serving as a mechanism to implement real-time DGA detection, specifically through the use of recurrent neural networks (RNNs) and convolutional neural networks (CNNs). This paper compares several state-of-the-art deep-learning implementations of DGA detection found in the literature with two novel models: a deeper CNN model and a one-dimensional (1D) Capsule Networks (CapsNet) model. The comparison shows that the 1D CapsNet model performs as well as the best-performing model from the literature. Full article
(This article belongs to the Special Issue Machine Learning for Cyber-Security)
Show Figures

Figure 1

Open AccessArticle
Anomaly-Based Method for Detecting Multiple Classes of Network Attacks
Information 2019, 10(3), 84; https://doi.org/10.3390/info10030084 - 26 Feb 2019
Cited by 3
Abstract
The article discusses the problem of detecting network attacks on a web server. The attention is focused on two common types of attacks: “denial of service” and “code injection”. A review and an analysis of various attack detection techniques are conducted. A new [...] Read more.
The article discusses the problem of detecting network attacks on a web server. The attention is focused on two common types of attacks: “denial of service” and “code injection”. A review and an analysis of various attack detection techniques are conducted. A new lightweight approach to detect attacks as anomalies is proposed. It is based on recognition of the dynamic response of the web server during requests processing. An autoencoder is implemented for dynamic response anomaly recognition. A case study with the MyBB web server is described. Several flood attacks and SQL injection attack are modeled and successfully detected by the proposed method. The efficiency of the detection algorithm is evaluated, and the advantages and disadvantages of the proposed approach are analyzed. Full article
(This article belongs to the Special Issue Machine Learning for Cyber-Security)
Show Figures

Figure 1

Review

Jump to: Research

Open AccessReview
A Survey of Deep Learning Methods for Cyber Security
Information 2019, 10(4), 122; https://doi.org/10.3390/info10040122 - 02 Apr 2019
Cited by 24
Abstract
This survey paper describes a literature review of deep learning (DL) methods for cyber security applications. A short tutorial-style description of each DL method is provided, including deep autoencoders, restricted Boltzmann machines, recurrent neural networks, generative adversarial networks, and several others. Then we [...] Read more.
This survey paper describes a literature review of deep learning (DL) methods for cyber security applications. A short tutorial-style description of each DL method is provided, including deep autoencoders, restricted Boltzmann machines, recurrent neural networks, generative adversarial networks, and several others. Then we discuss how each of the DL methods is used for security applications. We cover a broad array of attack types including malware, spam, insider threats, network intrusions, false data injection, and malicious domain names used by botnets. Full article
(This article belongs to the Special Issue Machine Learning for Cyber-Security)
Show Figures

Figure 1

Back to TopTop