Search Results (15)

Search Parameters:
Keywords = intrusion evasion

21 pages, 1632 KiB  
Article
Adversarial Hierarchical-Aware Edge Attention Learning Method for Network Intrusion Detection
by Hao Yan, Jianming Li, Lei Du, Binxing Fang, Yan Jia and Zhaoquan Gu
Appl. Sci. 2025, 15(14), 7915; https://doi.org/10.3390/app15147915 - 16 Jul 2025
Viewed by 388
Abstract
The rapid development of information technology has made cyberspace security an increasingly critical issue. Network intrusion detection methods are practical approaches to protecting network systems from cyber attacks. However, cyberspace security threats have topological dependencies and fine-grained attack semantics. Existing graph-based approaches either underestimate edge-level features or fail to balance detection accuracy with adversarial robustness. To handle these problems, we propose a novel graph neural network–based method for network intrusion detection called the adversarial hierarchical-aware edge attention learning method (AH-EAT). It leverages the natural graph structure of computer networks to achieve robust, multi-grained intrusion detection. Specifically, AH-EAT includes three main modules: an edge-based graph attention embedding module, a hierarchical multi-grained detection module, and an adversarial training module. In the first module, we apply graph attention networks to aggregate node and edge features according to their importance. This effectively captures the network’s key topological information. In the second module, we first perform coarse-grained detection to distinguish malicious flows from benign ones, and then perform fine-grained classification to identify specific attack types. In the third module, we use projected gradient descent to generate adversarial perturbations on network flow features during training, enhancing the model’s robustness to evasion attacks. Experimental results on four benchmark intrusion detection datasets show that AH-EAT achieves 90.73% average coarse-grained accuracy and 1.45% ASR on CIC-IDS2018 under adversarial attacks, outperforming state-of-the-art methods in both detection accuracy and robustness. Full article
(This article belongs to the Special Issue Cyberspace Security Technology in Computer Science)

25 pages, 1524 KiB  
Article
Detecting Emerging DGA Malware in Federated Environments via Variational Autoencoder-Based Clustering and Resource-Aware Client Selection
by Ma Viet Duc, Pham Minh Dang, Tran Thu Phuong, Truong Duc Truong, Vu Hai and Nguyen Huu Thanh
Future Internet 2025, 17(7), 299; https://doi.org/10.3390/fi17070299 - 3 Jul 2025
Viewed by 461
Abstract
Domain Generation Algorithms (DGAs) remain a persistent technique used by modern malware to establish stealthy command-and-control (C&C) channels, thereby evading traditional blacklist-based defenses. Detecting such evolving threats is especially challenging in decentralized environments where raw traffic data cannot be aggregated due to privacy or policy constraints. To address this, we present FedSAGE, a security-aware federated intrusion detection framework that combines Variational Autoencoder (VAE)-based latent representation learning with unsupervised clustering and resource-efficient client selection. Each client encodes its local domain traffic into a semantic latent space using a shared, pre-trained VAE trained solely on benign domains. These embeddings are clustered via affinity propagation to group clients with similar data distributions and identify outliers indicative of novel threats without requiring any labeled DGA samples. Within each cluster, FedSAGE selects only the fastest clients for training, balancing computational constraints with threat visibility. Experimental results from the multi-zones DGA dataset show that FedSAGE improves detection accuracy by up to 11.6% and reduces energy consumption by up to 93.8% compared to standard FedAvg under non-IID conditions. Notably, the latent clustering perfectly recovers ground-truth DGA family zones, enabling effective anomaly detection in a fully unsupervised manner while remaining privacy-preserving. These foundations demonstrate that FedSAGE is a practical and lightweight approach for decentralized detection of evasive malware, offering a viable solution for secure and adaptive defense in resource-constrained edge environments. Full article
(This article belongs to the Special Issue Security of Computer System and Network)

25 pages, 4648 KiB  
Article
GAOR: Genetic Algorithm-Based Optimization for Machine Learning Robustness in Communication Networks
by Aderonke Thompson and Jani Suomalainen
Network 2025, 5(1), 6; https://doi.org/10.3390/network5010006 - 17 Feb 2025
Cited by 2 | Viewed by 1739
Abstract
Machine learning (ML) promises advances in automation and threat detection for the future generations of communication networks. However, new threats are introduced, as adversaries target ML systems with malicious data. Adversarial attacks on tree-based ML models involve crafting input perturbations that exploit non-smooth decision boundaries, causing misclassifications. These so-called evasion attacks are imperceptible, as they do not significantly alter the input data distribution and have been shown to degrade the performance of tree-based models across various tasks. Adversarial training and genetic algorithms have been proposed as potential defenses against these attacks. In this paper, we explore the robustness of tree-based models for network intrusion detection systems. This study evaluates an optimization approach inspired by genetic algorithms to generate adversarial samples and studies the impact of adversarial training on the accuracy of attack detection. This paper exposed random forest and extreme gradient boosting classifiers to various adversarial samples generated from communication network-related CIC-IDS2019 and 5G-NIDD datasets. The results indicate that the improvements of robustness to adversarial attacks come with a cost to the accuracy of the network intrusion detection models. These costs can be optimized with intelligent, use case-specific feature engineering. Full article

18 pages, 1313 KiB  
Article
Unmasking the True Identity: Unveiling the Secrets of Virtual Private Networks and Proxies
by Vikas Kumar Jain, Jatin Aggrawal, Ramraj Dangi, Shiv Shankar Prasad Shukla, Anil Kumar Yadav and Gaurav Choudhary
Information 2025, 16(2), 126; https://doi.org/10.3390/info16020126 - 9 Feb 2025
Cited by 1 | Viewed by 2843
Abstract
The growing use of VPNs, proxy servers, and Tor browsers has significantly enhanced online privacy and anonymity. However, these technologies are also exploited by cybercriminals to obscure their identities, posing serious cybersecurity threats. Existing detection methods face challenges in accurately tracing the real IP addresses hidden behind these anonymization tools. This study presents a novel approach to unmasking true identities by leveraging honeypots and Canarytokens to track concealed connections. By embedding deceptive tracking mechanisms within decoy systems, we successfully capture the real IP addresses of users attempting to evade detection. Our methodology was rigorously tested across various network environments and payload types, ensuring effectiveness in real-world scenarios. The findings demonstrate the practicality and scalability of using Canarytokens for IP unmasking, providing a non-intrusive, legally compliant solution to combat online anonymity misuse. This research contributes to strengthening cyber threat intelligence, offering actionable insights for law enforcement, cybersecurity professionals, and digital forensics. Future work will focus on enhancing detection accuracy and addressing the advanced evasion tactics used by sophisticated attackers. Full article

24 pages, 3432 KiB  
Article
RobEns: Robust Ensemble Adversarial Machine Learning Framework for Securing IoT Traffic
by Sarah Alkadi, Saad Al-Ahmadi and Mohamed Maher Ben Ismail
Sensors 2024, 24(8), 2626; https://doi.org/10.3390/s24082626 - 19 Apr 2024
Cited by 3 | Viewed by 2328
Abstract
Recently, Machine Learning (ML)-based solutions have been widely adopted to tackle the wide range of security challenges that have affected the progress of the Internet of Things (IoT) in various domains. Despite the reported promising results, the ML-based Intrusion Detection System (IDS) proved to be vulnerable to adversarial examples, which pose an increasing threat. In fact, attackers employ Adversarial Machine Learning (AML) to cause severe performance degradation and thereby evade detection systems. This promoted the need for reliable defense strategies to handle performance and ensure secure networks. This work introduces RobEns, a robust ensemble framework that aims at: (i) exploiting state-of-the-art ML-based models alongside ensemble models for IDSs in the IoT network; (ii) investigating the impact of evasion AML attacks against the provided models within a black-box scenario; and (iii) evaluating the robustness of the considered models after deploying relevant defense methods. In particular, four typical AML attacks are considered to investigate six ML-based IDSs using three benchmarking datasets. Moreover, multi-class classification scenarios are designed to assess the performance of each attack type. The experiments indicated a drastic drop in detection accuracy for some attempts. To harden the IDS even further, two defense mechanisms were derived from both data-based and model-based methods. Specifically, these methods relied on feature squeezing as well as adversarial training defense strategies. They yielded promising results, enhanced robustness, and maintained standard accuracy in the presence or absence of adversaries. The obtained results proved the efficiency of the proposed framework in robustifying IDS performance within the IoT context. In particular, the accuracy reached 100% for black-box attack scenarios while preserving the accuracy in the absence of attacks as well. Full article
(This article belongs to the Section Internet of Things)

42 pages, 3130 KiB  
Review
A Comprehensive Review of Cyber Security Vulnerabilities, Threats, Attacks, and Solutions
by Ömer Aslan, Semih Serkant Aktuğ, Merve Ozkan-Okay, Abdullah Asim Yilmaz and Erdal Akin
Electronics 2023, 12(6), 1333; https://doi.org/10.3390/electronics12061333 - 11 Mar 2023
Cited by 332 | Viewed by 105046
Abstract
Internet usage has grown exponentially, with individuals and companies performing multiple daily transactions in cyberspace rather than in the real world. The coronavirus (COVID-19) pandemic has accelerated this process. As a result of the widespread usage of the digital environment, traditional crimes have also shifted to the digital space. Emerging technologies such as cloud computing, the Internet of Things (IoT), social media, wireless communication, and cryptocurrencies are raising security concerns in cyberspace. Recently, cyber criminals have started to use cyber attacks as a service to automate attacks and leverage their impact. Attackers exploit vulnerabilities that exist in hardware, software, and communication layers. Various types of cyber attacks include distributed denial of service (DDoS), phishing, man-in-the-middle, password, remote, privilege escalation, and malware. Due to new-generation attacks and evasion techniques, traditional protection systems such as firewalls, intrusion detection systems, antivirus software, access control lists, etc., are no longer effective in detecting these sophisticated attacks. Therefore, there is an urgent need to find innovative and more feasible solutions to prevent cyber attacks. The paper first extensively explains the main reasons for cyber attacks. Then, it reviews the most recent attacks, attack patterns, and detection techniques. Thirdly, the article discusses contemporary technical and nontechnical solutions for recognizing attacks in advance. Using trending technologies such as machine learning, deep learning, cloud platforms, big data, and blockchain can be a promising solution for current and future cyber attacks. These technological solutions may assist in detecting malware, intrusion detection, spam identification, DNS attack classification, fraud detection, recognizing hidden channels, and distinguishing advanced persistent threats. 
However, some promising solutions, especially machine learning and deep learning, are not resistant to evasion techniques, which must be considered when proposing solutions against intelligent cyber attacks. Full article

32 pages, 18936 KiB  
Article
Development of a Machine-Learning Intrusion Detection System and Testing of Its Performance Using a Generative Adversarial Network
by Andrei-Grigore Mari, Daniel Zinca and Virgil Dobrota
Sensors 2023, 23(3), 1315; https://doi.org/10.3390/s23031315 - 24 Jan 2023
Cited by 26 | Viewed by 9746
Abstract
Intrusion detection and prevention are two of the most important issues to solve in network security infrastructure. Intrusion detection systems (IDSs) protect networks by using patterns to detect malicious traffic. As attackers have tried to dissimulate traffic in order to evade the rules applied, several machine learning-based IDSs have been developed. In this study, we focused on one such model involving several algorithms and used the NSL-KDD dataset as a benchmark to train and evaluate its performance. We demonstrate a way to create adversarial instances of network traffic that can be used to evade detection by a machine learning-based IDS. Moreover, this traffic can be used for training in order to improve performance in the case of new attacks. Thus, a generative adversarial network (GAN)—i.e., an architecture based on a deep-learning algorithm capable of creating generative models—was implemented. Furthermore, we tested the IDS performance using the generated adversarial traffic. The results showed that, even in the case of the GAN-generated traffic (which could successfully evade IDS detection), by using the adversarial traffic in the testing process, we could improve the machine learning-based IDS performance. Full article
(This article belongs to the Special Issue Harnessing Machine Learning and AI in Cybersecurity)

35 pages, 9144 KiB  
Article
A Survey on Security Attacks and Intrusion Detection Mechanisms in Named Data Networking
by Abdelhak Hidouri, Nasreddine Hajlaoui, Haifa Touati, Mohamed Hadded and Paul Muhlethaler
Computers 2022, 11(12), 186; https://doi.org/10.3390/computers11120186 - 14 Dec 2022
Cited by 16 | Viewed by 4159
Abstract
Despite the highly secure content sharing and the optimized forwarding mechanism, the content delivery in a Named Data Network (NDN) still suffers from numerous vulnerabilities that can be exploited to reduce the efficiency of such architecture. Malicious attacks in NDN have become more sophisticated and the foremost challenge is to identify unknown and obfuscated malware, as the malware authors use different evasion techniques for information concealing to prevent detection by an Intrusion Detection System (IDS). For the most part, NDN faces immense negative impacts from attacks such as Cache Pollution Attacks (CPA), Cache Privacy Attacks, Cache Poisoning Attacks, and Interest Flooding Attacks (IFA), that target different security components, including availability, integrity, and confidentiality. This poses a critical challenge to the design of IDS in NDN. This paper provides the latest taxonomy, together with a review of the significant research works on IDSs up to the present time, and a classification of the proposed systems according to the taxonomy. It provides a structured and comprehensive overview of the existing IDSs so that a researcher can create an even better mechanism for the previously mentioned attacks. This paper discusses the limits of the techniques applied to design IDSs with recent findings that can be further exploited in order to optimize those detection and mitigation mechanisms. Full article
(This article belongs to the Special Issue Computational Science and Its Applications 2022)

19 pages, 3307 KiB  
Article
Gaseous Mercury Exchange from Water–Air Interface in Differently Impacted Freshwater Environments
by Federico Floreani, Alessandro Acquavita, Nicolò Barago, Katja Klun, Jadran Faganeli and Stefano Covelli
Int. J. Environ. Res. Public Health 2022, 19(13), 8149; https://doi.org/10.3390/ijerph19138149 - 2 Jul 2022
Cited by 5 | Viewed by 2217
Abstract
Gaseous exchanges of mercury (Hg) at the water–air interface in contaminated sites strongly influence its fate in the environment. In this study, diurnal gaseous Hg exchanges were seasonally evaluated by means of a floating flux chamber in two freshwater environments impacted by anthropogenic sources of Hg, specifically historical mining activity (Solkan Reservoir, Slovenia) and the chlor-alkali industry (Torviscosa dockyard, Italy), and in a pristine site, Cavazzo Lake (Italy). The highest fluxes (21.88 ± 11.55 ng m−2 h−1) were observed at Solkan, coupled with high dissolved gaseous mercury (DGM) and dissolved Hg (THgD) concentrations. Conversely, low vertical mixing and saltwater intrusion at Torviscosa limited Hg mobility through the water column, with higher Hg concentrations in the deep layer near the contaminated sediments. Consequently, both DGM and THgD in surface water were generally lower at Torviscosa than at Solkan, resulting in lower fluxes (19.01 ± 12.65 ng m−2 h−1). However, at this site, evasion may also be limited by high atmospheric Hg levels related to dispersion of emissions from the nearby chlor-alkali plant. Surprisingly, comparable fluxes (15.56 ± 12.78 ng m−2 h−1) and Hg levels in water were observed at Cavazzo, suggesting a previously unidentified Hg input (atmospheric depositions or local geology). Overall, at all sites the fluxes were higher in the summer and correlated to incident UV radiation and water temperature due to enhanced photo production and diffusivity of DGM, the concentrations of which roughly followed the same seasonal trend. Full article

23 pages, 1763 KiB  
Article
AppCon: Mitigating Evasion Attacks to ML Cyber Detectors
by Giovanni Apruzzese, Mauro Andreolini, Mirco Marchetti, Vincenzo Giuseppe Colacino and Giacomo Russo
Symmetry 2020, 12(4), 653; https://doi.org/10.3390/sym12040653 - 21 Apr 2020
Cited by 17 | Viewed by 5306
Abstract
Adversarial attacks represent a critical issue that prevents the reliable integration of machine learning methods into cyber defense systems. Past work has shown that even proficient detectors are highly affected just by small perturbations to malicious samples, and that existing countermeasures are immature. We address this problem by presenting AppCon, an original approach to harden intrusion detectors against adversarial evasion attacks. Our proposal leverages the integration of ensemble learning to realistic network environments, by combining layers of detectors devoted to monitor the behavior of the applications employed by the organization. Our proposal is validated through extensive experiments performed in heterogeneous network settings simulating botnet detection scenarios, and consider detectors based on distinct machine- and deep-learning algorithms. The results demonstrate the effectiveness of AppCon in mitigating the dangerous threat of adversarial attacks in over 75% of the considered evasion attempts, while not being affected by the limitations of existing countermeasures, such as performance degradation in non-adversarial settings. For these reasons, our proposal represents a valuable contribution to the development of more secure cyber defense platforms. Full article

14 pages, 380 KiB  
Article
Obfuscation of Malicious Behaviors for Thwarting Masquerade Detection Systems Based on Locality Features
by Jorge Maestre Vidal and Marco Antonio Sotelo Monge
Sensors 2020, 20(7), 2084; https://doi.org/10.3390/s20072084 - 7 Apr 2020
Cited by 17 | Viewed by 3629
Abstract
In recent years, dynamic user verification has become one of the basic pillars for insider threat detection. From these threats, the research presented in this paper focuses on masquerader attacks, a category of insiders characterized by being intentionally conducted by persons outside the organization that somehow were able to impersonate legitimate users. Consequently, it is assumed that masqueraders are unaware of the protected environment within the targeted organization, so it is expected that they move in a more erratic manner than legitimate users along the compromised systems. This feature makes them susceptible to being discovered by dynamic user verification methods based on user profiling and anomaly-based intrusion detection. However, these approaches are susceptible to evasion through the imitation of the normal legitimate usage of the protected system (mimicry), which is being widely exploited by intruders. In order to contribute to their understanding, as well as anticipating their evolution, the conducted research focuses on the study of mimicry from the standpoint of an uncharted terrain: the masquerade detection based on analyzing locality traits. With this purpose, the problem is widely stated, and a pair of novel obfuscation methods are introduced: locality-based mimicry by action pruning and locality-based mimicry by noise generation. Their modus operandi, effectiveness, and impact are evaluated by a collection of well-known classifiers typically implemented for masquerade detection. The simplicity and effectiveness demonstrated suggest that they entail attack vectors that should be taken into consideration for the proper hardening of real organizations. Full article
(This article belongs to the Special Issue Security and Privacy Techniques in IoT Environment)

25 pages, 7166 KiB  
Article
AA-HMM: An Anti-Adversarial Hidden Markov Model for Network-Based Intrusion Detection
by Chongya Song, Alexander Pons and Kang Yen
Appl. Sci. 2018, 8(12), 2421; https://doi.org/10.3390/app8122421 - 28 Nov 2018
Cited by 10 | Viewed by 9736
Abstract
In the field of network intrusion, malware usually evades anomaly detection by disguising malicious behavior as legitimate access. Therefore, detecting these attacks from network traffic has become a challenge in this adversarial setting. In this paper, an enhanced Hidden Markov Model, called the Anti-Adversarial Hidden Markov Model (AA-HMM), is proposed to effectively detect evasion patterns, using the Dynamic Window and Threshold techniques to achieve adaptive, anti-adversarial, and online-learning abilities. In addition, a concept called Pattern Entropy is defined and acts as the foundation of AA-HMM. We evaluate the effectiveness of our approach employing two well-known benchmark data sets, NSL-KDD and CTU-13, in terms of the common performance metrics and the algorithm’s adaptation and anti-adversary abilities.

16 pages, 4852 KiB  
Article
Leveraging Image Representation of Network Traffic Data and Transfer Learning in Botnet Detection
by Shayan Taheri, Milad Salem and Jiann-Shiun Yuan
Big Data Cogn. Comput. 2018, 2(4), 37; https://doi.org/10.3390/bdcc2040037 - 27 Nov 2018
Cited by 35 | Viewed by 7476
Abstract
The advancements in the Internet has enabled connecting more devices into this technology every day. The emergence of the Internet of Things has aggregated this growth. Lack of security in an IoT world makes these devices hot targets for cyber criminals to perform their malicious actions. One of these actions is the Botnet attack, which is one of the main destructive threats that has been evolving since 2003 into different forms. This attack is a serious threat to the security and privacy of information. Its scalability, structure, strength, and strategy are also under successive development, and that it has survived for decades. A bot is defined as a software application that executes a number of automated tasks (simple but structurally repetitive) over the Internet. Several bots make a botnet that infects a number of devices and communicates with their controller called the botmaster to get their instructions. A botnet executes tasks with a rate that would be impossible to be done by a human being. Nowadays, the activities of bots are concealed in between the normal web flows and occupy more than half of all web traffic. The largest use of bots is in web spidering (web crawler), in which an automated script fetches, analyzes, and files information from web servers. They also contribute to other attacks, such as distributed denial of service (DDoS), SPAM, identity theft, phishing, and espionage. A number of botnet detection techniques have been proposed, such as honeynet-based and Intrusion Detection System (IDS)-based. These techniques are not effective anymore due to the constant update of the bots and their evasion mechanisms. Recently, botnet detection techniques based upon machine/deep learning have been proposed that are more capable in comparison to their previously mentioned counterparts. In this work, we propose a deep learning-based engine for botnet detection to be utilized in the IoT and the wearable devices. 
In this system, the normal and botnet network traffic data are transformed into image before being given into a deep convolutional neural network, named DenseNet with and without considering transfer learning. The system is implemented using Python programming language and the CTU-13 Dataset is used for evaluation in one study. According to our simulation results, using transfer learning can improve the accuracy from 33.41% up to 99.98%. In addition, two other classifiers of Support Vector Machine (SVM) and logistic regression have been used. They showed an accuracy of 83.15% and 78.56%, respectively. In another study, we evaluate our system by an in-house live normal dataset and a solely botnet dataset. Similarly, the system performed very well in data classification in these studies. To examine the capability of our system for real-time applications, we measure the system training and testing times. According to our examination, it takes 0.004868 milliseconds to process each packet from the network traffic data during testing. Full article
(This article belongs to the Special Issue Applied Deep Learning: Business and Industrial Applications)

11 pages, 636 KiB  
Article
Botnet Detection Based On Machine Learning Techniques Using DNS Query Data
by Xuan Dau Hoang and Quynh Chi Nguyen
Future Internet 2018, 10(5), 43; https://doi.org/10.3390/fi10050043 - 18 May 2018
Cited by 102 | Viewed by 10846
Abstract
In recent years, botnets have become one of the major threats to information security because they have been constantly evolving in both size and sophistication. A number of botnet detection measures, such as honeynet-based and Intrusion Detection System (IDS)-based, have been proposed. However, IDS-based solutions that use signatures seem to be ineffective because recent botnets are equipped with sophisticated code update and evasion techniques. A number of studies have shown that abnormal botnet detection methods are more effective than signature-based methods because anomaly-based botnet detection methods do not require pre-built botnet signatures and hence they have the capability to detect new or unknown botnets. In this direction, this paper proposes a botnet detection model based on machine learning using Domain Name Service query data and evaluates its effectiveness using popular machine learning techniques. Experimental results show that machine learning algorithms can be used effectively in botnet detection and the random forest algorithm produces the best overall detection accuracy of over 90%. Full article
(This article belongs to the Section Big Data and Augmented Intelligence)

15 pages, 2149 KiB  
Article
Contradiction and Complacency Shape Attitudes towards the Toll of Roads on Wildlife
by Daniel Ramp, Vanessa K. Wilson and David B. Croft
Animals 2016, 6(6), 40; https://doi.org/10.3390/ani6060040 - 17 Jun 2016
Cited by 11 | Viewed by 30587
Abstract
Most people in the world now live in cities. Urbanisation simultaneously isolates people from nature and contributes to biodiversity decline. As cities expand, suburban development and the road infrastructure to support them widens their impact on wildlife. Even so, urban communities, especially those on the peri-urban fringe, endeavour to support biodiversity through wildlife friendly gardens, green spaces and corridors, and conservation estates. On one hand, many who live on city fringes do so because they enjoy proximity to nature, however, the ever increasing intrusion of roads leads to conflict with wildlife. Trauma (usually fatal) to wildlife and (usually emotional and financial) to people ensues. Exposure to this trauma, therefore, should inform attitudes towards wildlife vehicle collisions (WVC) and be linked to willingness to reduce risk of further WVC. While there is good anecdotal evidence for this response, competing priorities and better understanding of the likelihood of human injury or fatalities, as opposed to wildlife fatalities, may confound this trend. In this paper we sought to explore this relationship with a quantitative study of driver behaviour and attitudes to WVC from a cohort of residents and visitors who drive through a peri-urban reserve (Royal National Park) on the outskirts of Sydney, Australia. We distributed a self-reporting questionnaire and received responses from 105 local residents and 51 visitors to small townships accessed by roads through the national park. We sought the respondents’ exposure to WVC, their evasive actions in an impending WVC, their attitudes to wildlife fatalities, their strategies to reduce the risk of WVC, and their willingness to adopt new ameliorative measures. The results were partitioned by driver demographics and residency. Residents were generally well informed about mitigation strategies but exposure led to a decrease in viewing WVC as very serious. 
In addition, despite most respondents stating they routinely drive slower when collision risk is high (at dusk and dawn), our assessment of driving trends via traffic speeds suggested this sentiment was not generally adhered to. Thus we unveil some of the complexities in tackling driver’s willingness to act on reducing risk of WVC, particularly when risk of human trauma is low.
(This article belongs to the Special Issue Wildlife-human interactions in urban landscapes)