Intrusion/Malware Detection and Prevention in Networks—2nd Edition

A special issue of Journal of Cybersecurity and Privacy (ISSN 2624-800X). This special issue belongs to the section "Security Engineering & Applications".

Deadline for manuscript submissions: closed (10 March 2026) | Viewed by 20082

Special Issue Editors


Guest Editor
School of Engineering, Liberty University, Lynchburg, VA 24515, USA
Interests: intrusion detection systems; machine learning; cyber security; IoT security and privacy; Internet measurement

Guest Editor
School of Information Technology, Illinois State University, Normal, IL 61790, USA
Interests: network security; artificial intelligence; adaptive learning

Special Issue Information

Dear Colleagues,

This Special Issue is focused on the detection of intrusion and malware attacks in communication networks, including future Internet architectures, 5G and beyond wireless networks, enterprises, data centers, edge and cloud networks, software-defined networking (SDN), optical networks, the Internet and IoT-scale networks. We welcome the submission of papers on the following topics:

  • Distributed denial-of-service (DDoS) attack and defense;
  • Explainable prevention strategies;
  • Profiling normal or abnormal system behaviors;
  • Metrics for evaluating the effectiveness of intrusion detection techniques;
  • Access control;
  • Biometrics;
  • Jamming attack and defense;
  • Trojan attack and defense;
  • Viruses and malware;
  • Covert channel detection;
  • Malware and unwanted software.

Prof. Dr. Feng Wang
Prof. Dr. Yongning Tang
Guest Editors

Manuscript Submission Information

Manuscripts should be submitted online at www.mdpi.com by registering and logging in to this website. Once you are registered, click here to go to the submission form. Manuscripts can be submitted until the deadline. All submissions that pass pre-check are peer-reviewed. Accepted papers will be published continuously in the journal (as soon as accepted) and will be listed together on the special issue website. Research articles, review articles as well as short communications are invited. For planned papers, a title and short abstract (about 250 words) can be sent to the Editorial Office for assessment.

Submitted manuscripts should not have been published previously, nor be under consideration for publication elsewhere (except conference proceedings papers). All manuscripts are thoroughly refereed through a single-blind peer-review process. A guide for authors and other relevant information for submission of manuscripts is available on the Instructions for Authors page. Journal of Cybersecurity and Privacy is an international peer-reviewed open access semimonthly journal published by MDPI.

Please visit the Instructions for Authors page before submitting a manuscript. The Article Processing Charge (APC) for publication in this open access journal is 1200 CHF (Swiss Francs). Submitted papers should be well formatted and use good English. Authors may use MDPI's English editing service prior to publication or during author revisions.

Keywords

  • distributed denial-of-service (DDoS) attack and defense
  • explainable prevention strategies
  • profiling normal or abnormal system behaviors
  • metrics for evaluating the effectiveness of intrusion detection techniques
  • access control
  • biometrics
  • jamming attack and defense
  • trojan attack and defense
  • viruses and malware
  • covert channel detection
  • malware and unwanted software

Benefits of Publishing in a Special Issue

  • Ease of navigation: Grouping papers by topic helps scholars navigate broad scope journals more efficiently.
  • Greater discoverability: Special Issues support the reach and impact of scientific research. Articles in Special Issues are more discoverable and cited more frequently.
  • Expansion of research network: Special Issues facilitate connections among authors, fostering scientific collaborations.
  • External promotion: Articles in Special Issues are often promoted through the journal's social media, increasing their visibility.
  • Reprint: MDPI Books provides the opportunity to republish successful Special Issues in book format, both online and in print.

Further information on MDPI's Special Issue policies can be found here.

Published Papers (12 papers)

Research

25 pages, 2957 KB  
Article
Automating the Detection of Evasive Windows Malware: An Evaluated YARA Rule Library for Anti-VM and Anti-Sandbox Techniques
by Sebastien Kanj, Gorka Vila and Josep Pegueroles
J. Cybersecur. Priv. 2026, 6(2), 69; https://doi.org/10.3390/jcp6020069 - 8 Apr 2026
Viewed by 505
Abstract
Anti-analysis techniques, also known as evasive techniques, enable Windows malware to detect and evade dynamic inspection environments, undermining the effectiveness of virtual-machine and sandbox-based inspection. Despite extensive prior research, no unified classification has been paired with a large-scale empirical evaluation of static detection capabilities for these behaviors. This paper addresses this gap by presenting a comprehensive classification and detection framework. We consolidate 94 anti-analysis techniques from academic, community, and threat-intelligence sources into nine mechanistic categories and derive corresponding YARA rules for static identification. In total, 82 YARA signatures were authored or refined and evaluated on 459,508 malware and 92,508 goodware samples. After iterative refinement using precision thresholds, 42 rules achieved high accuracy (≥75%), 16 showed moderate precision (50–75%), and 24 were discarded due to unreliability. The results indicate strong static detectability for firmware- and BIOS-based checks, but limited precision for timing-based evasions, which frequently overlap with benign behavior. Although YARA provides broad coverage of observable artifacts, its static nature limits detection under obfuscation or runtime mutation; our measurements therefore represent conservative estimates of technique prevalence. All validated rules are released in an open-source repository to support reproducibility, improve incident-response workflows, and strengthen prevention and mitigation against real-world threats. Future work will explore hybrid validation, container-evasion extensions, and forensic attribution based on signature co-occurrence patterns.

41 pages, 4416 KB  
Article
A Novel Approach to Sybil Attack Detection in VANETs Using Verifiable Delay Functions and Hierarchical Fog-Cloud Architecture
by Habiba Hadri, Mourad Ouadou and Khalid Minaoui
J. Cybersecur. Priv. 2026, 6(2), 59; https://doi.org/10.3390/jcp6020059 - 1 Apr 2026
Viewed by 471
Abstract
Vehicular Ad Hoc Networks (VANETs) have become the foundation for the implementation of intelligent transportation systems and new vistas for road safety and traffic efficiency. However, these networks are still susceptible to Sybil attacks, a form of attack that requires malicious entities to create a series of fake identities in order to have an out-of-proportion influence. The present paper puts forth a new Sybil attack detection framework that combines Verifiable Delay Functions (VDFs) in synergistic cooperation with a hierarchical fog-cloud computing structure. Our method does not rely on any additional properties of VDFs but uses them to prove uniqueness computationally, deploying purposefully placed fog nodes for effective localized detection. We mathematically formulate a multi-layered detection algorithm that processes interactions between vehicles on two fog (and cloud) layers to produce suspicion scores using spatiotemporal consistency and VDF challenge-response patterns. Security analysis proves the system’s ability to resist a range of Sybil attack variants with performance evaluation outperforming at detection above 97.8% and false positives below 2.3%. The incorporation of machine learning techniques also extends detection capabilities, and our hybrid VDF-ML method proves better adaptation to the changing attack patterns. Details of implementation and detailed simulations in various traffic situations prove the feasibility and efficiency of our proposed solution to set a new level playing ground for secure VANET communications.

26 pages, 676 KB  
Article
Comparing the Use of EMBA for IoT Firmware Security Analysis on Cloud Services and Standalone Servers
by Kenan Sansal Nuray, Oren Upton and Nicole Lang Beebe
J. Cybersecur. Priv. 2026, 6(1), 39; https://doi.org/10.3390/jcp6010039 - 22 Feb 2026
Viewed by 1314
Abstract
This paper presents an experimental comparison of the EMBA firmware security analysis framework deployed in cloud-based and standalone environments. Unlike prior studies that primarily focus on EMBA’s analytical capabilities, this work examines how deployment choices influence performance and execution time during IoT firmware analysis. Using identical EMBA configurations and analysis modules, firmware images of varying sizes were analyzed on a standalone personal computer and a Microsoft Azure cloud-based virtual machine. Execution time, detected vulnerabilities, and resource utilization were systematically recorded to evaluate the impact of the deployment environment. The results indicate that scan duration is affected by both firmware size and execution context. For example, using EMBA v1.5.0, a 25.5 MB firmware image required approximately 14 h on a standalone system and over 25 h in the cloud. In contrast, a 30.2 MB image was completed in approximately 18 h locally and 17 h in the cloud. Despite these differences in execution time, the type and number of identified vulnerabilities were largely consistent across both environments, suggesting comparable analytical coverage. Overall, this deployment-focused evaluation provides empirical insight into performance-related trade-offs relevant to practitioners selecting local or cloud-based environments for firmware security analysis.

19 pages, 1190 KB  
Article
Investigating Security Vulnerabilities in 5G Control and User Planes: Attack Patterns and Protection Strategies
by Samuel T. Aiello, Bhaskar P. Rimal, Frederick T. Sheldon and Yong Wang
J. Cybersecur. Priv. 2026, 6(1), 37; https://doi.org/10.3390/jcp6010037 - 17 Feb 2026
Viewed by 1377
Abstract
The rollout of 5G Standalone networks introduces unprecedented flexibility and performance through service-based architecture (SBA), virtualization, open APIs, and network slicing, while simultaneously expanding the attack surface across control, user, and cross-plane interfaces. This article provides a systematic, vulnerability-prioritized, selective characterization of the current state of weaknesses specific to the 5G control and user planes and transparent risk scoring. Using a PRISMA-aligned methodology, vulnerabilities are mapped explicitly to 3GPP network functions and interfaces (e.g., AMF, SMF, UPF; N2, N4, SBA APIs) and categorized by operational evidence level ranging from theoretical analysis to documented live-network exploitation. A normalized criticality scoring model integrates likelihood, impact, exploitability, and CVSS-derived severity. The analysis shows that control-plane signaling floods, PFCP misuse, and container escapes stand out as the most pressing risks. It also exposes how little attention has been given to securing the user plane and strengthening slice isolation. The paper wraps up with clear, evidence-based hardening priorities for each plane, along with research areas that matter for today’s 5G networks and the shift toward 6G.

16 pages, 299 KB  
Article
Security Challenges in 5G Network Slicing: A Risk-Based Analysis and Conceptual Framework
by José Dias, Silvestre Malta and Ricardo Santos
J. Cybersecur. Priv. 2026, 6(1), 35; https://doi.org/10.3390/jcp6010035 - 12 Feb 2026
Viewed by 1205
Abstract
Network slicing is a core enabler of multi-tenant 5th Generation (5G) architectures, allowing heterogeneous services to coexist over shared infrastructure. However, ensuring effective isolation between slices remains a critical security challenge, as failures may enable cross-slice interference, data leakage, or cascading service disruption. This article analyses security vulnerabilities affecting 5G network slicing from a risk-oriented perspective, with particular emphasis on isolation weaknesses across orchestration, virtualization, network, and interface layers. Due to the technical immaturity and instability of current open-source slicing platforms, experimental validation of security mechanisms proved infeasible. These limitations are therefore treated as empirical evidence informing a structured vulnerability taxonomy and a qualitative risk assessment grounded in confidentiality, integrity, and availability. Building on this analysis, the article proposes a conceptual security framework that integrates defence-in-depth, zero-trust principles, continuous monitoring, and adaptive response mechanisms to enforce isolation dynamically. Aligned with established standards and regulatory references, the framework provides a coherent theoretical foundation for future experimental validation and the secure design of resilient 5G network slicing architectures.

36 pages, 5962 KB  
Article
Evaluation of Anomaly-Based Network Intrusion Detection Systems with Unclean Training Data for Low-Rate Attack Detection
by Angela Oryza Prabowo, Deka Julian Arrizki, Baskoro Adi Pratomo, Ahmad Ibnu Fajar, Krisna Badru Wijaya, Hudan Studiawan, Ary Mazharuddin Shiddiqi and Siti Hajar Othman
J. Cybersecur. Priv. 2026, 6(1), 14; https://doi.org/10.3390/jcp6010014 - 6 Jan 2026
Viewed by 1655
Abstract
Anomaly-based network intrusion detection systems (NIDSs) complement signature-based detection methods to identify unknown (zero-day) attacks. The integration of machine and deep learning enhanced the efficiency of such NIDSs. However, since anomaly-based NIDSs heavily depend on the quality of the training data, the presence of malicious traffic in the training set can significantly degrade the model’s performance. Purging the training data of such traffic is often impractical. This study investigates performance degradation caused by increasing amounts of malicious traffic in the training data. We introduced varying portions of malicious traffic into the training sets of machine and deep learning models to determine which approach is most resilient to unclean training data. Our experiments revealed that Autoencoders, using a byte frequency feature set, achieved the highest F2 score (0.8989), with only a minor decrease of 0.0009 when trained on the most contaminated dataset. This performance drop was the smallest compared to other algorithms tested, including an Isolation Forest, a Local Outlier Factor, a One-Class Support Vector Machine, and Long Short-Term Memory.

22 pages, 2261 KB  
Article
Statistical and Multivariate Analysis of the IoT-23 Dataset: A Comprehensive Approach to Network Traffic Pattern Discovery
by Humera Ghani, Shahram Salekzamankhani and Bal Virdee
J. Cybersecur. Priv. 2025, 5(4), 112; https://doi.org/10.3390/jcp5040112 - 16 Dec 2025
Viewed by 1442
Abstract
The rapid expansion of Internet of Things (IoT) technologies has introduced significant challenges in understanding the complexity and structure of network traffic data, which is essential for developing effective cybersecurity solutions. This research presents a comprehensive statistical and multivariate analysis of the IoT-23 dataset to identify meaningful network traffic patterns and assess the effectiveness of various analytical methods for IoT security research. The study applies descriptive statistics, inferential analysis, and multivariate techniques, including Principal Component Analysis (PCA), DBSCAN clustering, and factor analysis (FA), to the publicly available IoT-23 dataset. Descriptive analysis reveals clear evidence of non-normal distributions: for example, the features src_bytes, dst_bytes, and src_pkts have skewness values of −4.21, −3.87, and −2.98, and kurtosis values of 38.45, 29.67, and 18.23, respectively. These values indicate highly skewed, heavy-tailed distributions with frequent outliers. Correlation analysis revealed a strong positive correlation (0.97) between orig_bytes and resp_bytes, and a strong negative correlation (−0.76) between duration and resp_bytes, while inferential statistics indicate that linear regression provides optimal modeling of data relationships. Key findings show that PCA is highly effective, capturing 99% of the dataset’s variance and enabling significant dimensionality reduction. DBSCAN clustering identifies six distinct clusters, highlighting diverse network traffic behaviors within IoT environments. In contrast, FA explains only 11.63% of the variance, indicating limited suitability for this dataset. These results establish important benchmarks for future IoT cybersecurity research and demonstrate the superior effectiveness of PCA and DBSCAN for analyzing complex IoT network traffic data. The findings offer practical guidance for researchers in selecting appropriate statistical methods for IoT dataset analysis, ultimately supporting the development of more robust cybersecurity solutions.

40 pages, 5207 KB  
Article
Integrated Analysis of Malicious Software: Insights from Static and Dynamic Perspectives
by Maria-Mădălina Andronache, Alexandru Vulpe and Corneliu Burileanu
J. Cybersecur. Priv. 2025, 5(4), 98; https://doi.org/10.3390/jcp5040098 - 10 Nov 2025
Cited by 1 | Viewed by 2650
Abstract
Malware remains one of the most persistent and evolving threats to cybersecurity, necessitating robust analysis techniques to understand and mitigate its impact. This study presents a comprehensive analysis of selected malware samples using both static and dynamic analysis techniques. In the static phase, file structure, embedded strings, and code signatures were examined, while in the dynamic analysis phase, the malware was executed in a virtual sandbox environment to observe process creation, network communication, and file system changes. By combining these two approaches, various types of malware files could be characterized and have their key elements revealed. This improved the understanding of the code capabilities and evasive behaviors of malicious files. The goal of these analyses was to create a database of malware profiling tools and tools that can be utilized to identify and analyze malware. The results demonstrate that integrating static and dynamic methodologies improves the accuracy of malware profiling and supports more effective threat detection and incident response strategies.

23 pages, 1019 KB  
Article
Simulating Collaboration in Small Modular Nuclear Reactor Cybersecurity with Agent-Based Models
by Michael B. Zamperini and Diana J. Schwerha
J. Cybersecur. Priv. 2025, 5(4), 83; https://doi.org/10.3390/jcp5040083 - 3 Oct 2025
Viewed by 1858
Abstract
This study proposes methods of computer simulation to study and optimize the cybersecurity of Small Modular Nuclear Reactors (SMRs). SMRs hold the potential to help build a clean and sustainable power grid but will struggle to gain widespread adoption without public confidence in their security. SMRs are emerging technologies and potentially carry higher cyber threats due to remote operations, large numbers of cyber-physical systems, and cyber connections with other industrial concerns. A method of agent-based computer simulations to model the effects, or payoff, of collaboration between cyber defenders, power plants, and cybersecurity vendors is proposed to strengthen SMR cybersecurity as these new power generators enter into the market. The agent-based model presented in this research is intended to illustrate the potential of using simulation to model a payoff function for collaborative efforts between stakeholders. Employing simulation to heighten cybersecurity will help to safely leverage the potential of SMRs in a modern and low-emission energy grid.

27 pages, 1175 KB  
Article
Microarchitectural Malware Detection via Translation Lookaside Buffer (TLB) Events
by Cristian Agredo, Daniel F. Koranek, Christine M. Schubert Kabban, Jose A. Gutierrez del Arroyo and Scott R. Graham
J. Cybersecur. Priv. 2025, 5(3), 75; https://doi.org/10.3390/jcp5030075 - 17 Sep 2025
Viewed by 1486
Abstract
Prior work has shown that Translation Lookaside Buffer (TLB) data contains valuable behavioral information. Many existing methodologies rely on timing features or focus solely on workload classification. In this study, we propose a novel approach to malware classification using only TLB-related Hardware Performance Counters (HPCs), explicitly excluding any dependence on timing features such as task execution duration or memory access timing. Our methodology evaluates whether TLB data alone, without any timing information, can effectively distinguish between malicious and benign programs. We test this across three classification scenarios: (1) a binary classification problem involving distinguishing malicious from benign tasks, (2) a 4-way classification problem designed to improve separability, and (3) a 10-way classification problem with classes of individual benign and malware tasks. Our results demonstrate that even without execution time or memory access timing, TLB events achieve up to 81% accuracy for the binary, and 72% accuracy for the 4-class grouping, and 61% accuracy for the 10-class grouping. These findings demonstrate that time-independent TLB patterns can serve as robust behavioral signatures. This work expands the understanding of microarchitectural side effects by demonstrating that TLB-only features, independent of timing-based techniques, can be effectively used for real-world malware detection.

11 pages, 610 KB  
Article
Structured Heatmap Learning for Multi-Family Malware Classification: A Deep and Explainable Approach Using CAPEv2
by Oussama El Rhayati, Hatim Essadeq, Omar El Beqqali, Hamid Tairi, Mohamed Lamrini and Jamal Riffi
J. Cybersecur. Priv. 2025, 5(3), 72; https://doi.org/10.3390/jcp5030072 - 10 Sep 2025
Viewed by 1772
Abstract
Accurate malware family classification from dynamic sandbox reports continues to be a fundamental cybersecurity challenge. Most prior works depend on random splits that tend to overestimate accuracy, whereas deployment requires robustness under temporal drift as well as changing behaviors. We present a leakage-aware pipeline that transforms CAPEv2 sandbox JSON reports into structured visual heatmaps and evaluate models under stratified and chronological splits. The pipeline rigorously flattens behavioral keys, builds normalized representations, and benchmarks Random Forest, MLP, CNN64, HybridNet, and a modern ResNeXt-50 backbone. On the Avast–CTU CAPEv2 dataset containing ten malware families, Random Forest achieves nearly state-of-the-art accuracy (97.2% accuracy, 0.993 AUC) with high efficiency on CPUs, making it attractive for triage. ResNeXt-50 achieves the best overall performance (98.4% accuracy, 0.998 AUC) and provides visual interpretability via Grad-CAM, enabling analysts to verify predictions. We further quantify efficiency trade-offs (inference throughput and GPU memory) and report ablation studies on vocabulary size and keyset choices. These results affirm that though ensemble methods are still robust, heatmap-based CNNs provide better accuracy, interpretability, and robustness against drift.

19 pages, 1079 KB  
Article
An Approach for Anomaly Detection in Network Communications Using k-Path Analysis
by Mamadou Kasse, Rodolphe Charrier, Alexandre Berred, Cyrille Bertelle and Christophe Delpierre
J. Cybersecur. Priv. 2024, 4(3), 449-467; https://doi.org/10.3390/jcp4030022 - 19 Jul 2024
Cited by 4 | Viewed by 2423
Abstract
In this paper, we present an innovative approach inspired by the Path-scan model to detect paths with k adjacent edges (k-path) exhibiting unusual behavior (synonymous with anomaly) within network communications. This work is motivated by the challenge of identifying malicious activities carried out in vulnerable k-path in a small to medium-sized computer network. Each observed edge (time series of the number of events or the number of packets exchanged between two computers in the network) is modeled using the three-state observed Markov model, as opposed to the Path-scan model which uses a two-state model (active state and inactive state), to establish baselines of behavior in order to detect anomalies. This model captures the typical behavior of network communications, as well as patterns of suspicious activity, such as those associated with brute force attacks. We take a perspective by analyzing each vulnerable k-path, enabling the accurate detection of anomalies on the k-path. Using this approach, our method aims to enhance the detection of suspicious activities in computer networks, thus providing a more robust and accurate solution to ensure the security of computer systems.
