Search Results (95)

This study introduces an enhanced Intrusion Detection System (IDS) framework for Denial-of-Service (DoS) attacks, utilizing network traffic inter-arrival time (IAT) analysis. By examining the timing between packets and other statistical features, we detected patterns of malicious activity, allowing early and effective DoS threat mitigation. We generate real DoS traffic, including normal, Internet Control Message Protocol (ICMP), Smurf attack, and Transmission Control Protocol (TCP) classes, and develop nine predictive algorithms, combining traditional machine learning and advanced deep learning techniques with optimization methods, including the synthetic minority sampling technique (SMOTE) and grid search (GS). Our findings reveal that while traditional machine learning achieved moderate accuracy, it struggled with imbalanced datasets. In contrast, Deep Neural Network (DNN) models showed significant improvements with optimization, with DNN combined with GS (DNN-GS) reaching 89% accuracy. However, we also used Recurrent Neural Networks (RNNs) combined with SMOTE and GS (RNN-SMOTE-GS), which emerged as the best-performing with a precision of 97%, demonstrating the effectiveness of combining SMOTE and GS and highlighting the critical role of advanced optimization techniques in enhancing the detection capabilities of IDS models for the accurate classification of various types of network traffic and attacks. Full article

This article aims to evaluate the runtime effectiveness of various one-class classification (OCC) techniques for anomaly detection in an industrial scenario reproduced in a laboratory setting. To address the limitations posed by restricted access to proprietary data, the study explores OCC methods that learn solely from legitimate network traffic, without requiring labeled malicious samples. After analyzing major publicly available datasets, such as KDD Cup 1999 and TON-IoT, as well as the most widely used OCC techniques, a lightweight and modular intrusion detection system (IDS) was developed in Python. The system was tested in real time on an experimental platform based on Raspberry Pi, within a simulated client–server environment using the NFSv4 protocol over TCP/UDP. Several OCC models were compared, including One-Class SVM, Autoencoder, VAE, and Isolation Forest. The results showed strong performance in terms of detection accuracy and low latency, with the best outcomes achieved using the UNSW-NB15 dataset. The article concludes with a discussion of additional strategies to enhance the runtime analysis of these algorithms, offering insights into potential future applications and improvement directions. Full article

In next-generation Low-Earth-Orbit (LEO) satellite networks, securing inter-satellite communication links (ISLs) through strong authentication is essential due to the network’s dynamic and distributed structure. Traditional authentication systems often struggle in these environments, leading to the adoption of Zero-Trust Security (ZTS) models. However, current ZTS protocols typically introduce high computational overhead, especially as the number of satellite nodes grows, which can impact both security and network performance. To overcome these challenges, a new bio-inspired ZTS framework called Manta Ray Foraging Cost-Optimized Zero-Trust Security (MRFCO-ZTS) has been introduced. This approach uses data-driven learning methods to enhance security across satellite communications. It continuously evaluates access requests by applying a cost function that accounts for risk level, likelihood of attack, and computational delay. The Manta Ray Foraging Optimization (MRFO) algorithm is used to minimize this cost, enabling effective classification of nodes as either trusted or malicious based on historical authentication records and real-time behavior. MRFCO-ZTS improves the accuracy of attacker detection while maintaining secure data exchange between authenticated satellites. Its effectiveness has been tested through numerical simulations under different satellite traffic conditions, with performance measured in terms of security accuracy, latency, and operational efficiency. Full article

Explainable artificial intelligence (XAI) is essential for fostering trust, transparency, and accountability in machine learning systems, particularly when applied in high-stakes domains. This paper introduces a novel XAI system designed for classification tasks on tabular data, which offers a balance between performance and interpretability. The proposed method, GlassBoost, first trains an XGBoost model on a given dataset and then computes gain scores, quantifying the average improvement in the model’s loss function contributed by each feature during tree splits. Based on these scores, a subset of significant features is selected. A shallow decision tree is then trained using the top d features with the highest gain scores, where d is significantly smaller than the total number of original features. This model compression yields a transparent, IF–THEN rule-based decision process that remains faithful to the original high-performing model. To evaluate the system, we apply it to an anomaly detection task in the context of intrusion detection systems (IDSs), using a dataset containing traffic features from both malicious and normal activities. Results show that our method achieves high accuracy, precision, and recall while providing a clear and interpretable explanation of its decision-making. We further validate its explainability using SHAP, a well-established approach in the field of XAI. Comparative analysis demonstrates that GlassBoost outperforms SHAP in terms of precision, recall, and accuracy, with more balanced performance across the three metrics. Likewise, our review of literature findings indicate that Glassboost outperforms many other XAI models while retaining computational efficiency. In one of our configurations, GlassBoost achieved accuracy of 0.9868, recall of 0.9792, and precision of 0.9843 using only eight features within a tree structure of a maximum depth of four. Full article

As digital infrastructure continues to expand, networks, web services, and Internet of Things (IoT) devices become increasingly vulnerable to distributed denial of service (DDoS) attacks. Remarkably, IoT devices have become attracted to DDoS attacks due to their common deployment and limited applied security measures. Therefore, attackers take advantage of the growing number of unsecured IoT devices to reflect massive traffic that overwhelms networks and disrupts necessary services, making protection of IoT devices against DDoS attacks a major concern for organizations and administrators. In this paper, the effectiveness of supervised machine learning (ML) classification and deep learning (DL) algorithms in detecting DDoS attacks on IoT networks was investigated by conducting an extensive analysis of network traffic dataset (legitimate and malicious). The performance of the models and data quality improved when emphasizing the impact of feature selection and data pre-processing approaches. Five machine learning models were evaluated by utilizing the Edge-IIoTset dataset: Random Forest (RF), Support Vector Machine (SVM), Long Short-Term Memory (LSTM), and K-Nearest Neighbors (KNN) with multiple K values, and Convolutional Neural Network (CNN). Findings revealed that the RF model outperformed other models by delivering optimal detection speed and remarkable performance across all evaluation metrics, while KNN (K = 7) emerged as the most efficient model in terms of training time. Full article

With the advancement of network communication technology and Internet of Everything (IoE) technology, which connects all edge devices to the internet, the network traffic generated in various platform environments is rapidly increasing. The increase in network traffic makes it more difficult for the detection system to analyze and detect malicious network traffic generated by malware or intruders. Additionally, processing high-dimensional network traffic data requires substantial computational resources, limiting real-time detection capabilities in practical deployments. Artificial intelligence (AI) algorithms have been widely used to detect malicious traffic, but most previous work focused on improving accuracy with various AI algorithms. Many existing methods, in pursuit of high accuracy, directly utilize the extensive raw features inherent in network traffic. This often leads to increased computational overhead and heightened complexity in detection models, potentially degrading overall system performance and efficiency. Furthermore, high-dimensional data often suffers from the curse of dimensionality, where the sparsity of data in high-dimensional space leads to overfitting, poor generalization, and increased computational complexity. This paper focused on feature engineering instead of AI algorithm selections, presenting an approach that uniquely balances detection accuracy with computational efficiency through strategic dimensionality reduction. For feature engineering, two jobs were performed: feature representations and feature analysis and selection. With effective feature engineering, we can reduce system resource consumption in the training period while maintaining high detection accuracy. We implemented a malicious network traffic detection framework based on Convolutional Neural Network (CNN) with our feature engineering techniques. Unlike previous approaches that use one-hot encoding, which increases dimensionality, our method employs label encoding and information gain to preserve critical information while reducing feature dimensions. The performance of the implemented framework was evaluated using the NSL-KDD dataset, which is the most widely used for intrusion detection system (IDS) performance evaluation. As a result of the evaluation, our framework maintained high classification accuracy while improving model training speed by approximately 17.47% and testing speed by approximately 19.44%. This demonstrates our approach’s ability to achieve a balanced performance, enhancing computational efficiency without sacrificing detection accuracy—a critical challenge in intrusion detection systems. With the reduced features, we achieved classification results of a precision of 0.9875, a recall of 0.9930, an F1-score of 0.9902, and an accuracy of 99.06%, with a false positive rate of 0.65%. Full article

The landscape of 5G communication introduces heightened risks from malicious attacks, posing significant threats to network security and availability. The unique characteristics of 5G networks, while enabling advanced communication, present challenges in distinguishing between legitimate and malicious traffic, making it more difficult to detect anonymous traffic. Current methodologies for intrusion detection within 5G communication exhibit limitations in accuracy, efficiency, and adaptability to evolving network conditions. In this study, we explore the application of an adaptive optimized machine learning-based framework to improve intrusion detection system (IDS) performance in wireless network access scenarios. The framework used involves developing a lightweight model based on a convolutional neural network with 11 layers, referred to as CSO-2D-CNN, which demonstrates fast learning rates and excellent generalization capabilities. Additionally, an optimized attention-based XGBoost classifier is utilized to improve model performance by combining the benefits of parallel gradient boosting and attention mechanisms. By focusing on the most relevant features, this attention mechanism makes the model suitable for complex and high-dimensional traffic patterns typical of 5G communication. As in previous approaches, it eliminates the need to manually select features such as entropy, payload size, and opcode sequences. Furthermore, the metaheuristic Cat Swarm Optimization (CSO) algorithm is employed to fine-tune the hyperparameters of both the CSO-2D-CNN and the attention-based XGBoost classifier. Extensive experiments conducted on a recent dataset of network traffic demonstrate that the system can adapt to both binary and multiclass classification tasks for high-dimensional and imbalanced data. The results show a low false-positive rate and a high level of accuracy, with a maximum of 99.97% for multilabel attack detection and 99.99% for binary task classification, validating the effectiveness of the proposed framework in the 5G wireless context. Full article

The digital transformation of manufacturing through OT, IoT, and AI integration has created extensive networked sensor ecosystems, introducing critical cybersecurity vulnerabilities at IT-OT interfaces. This might particularly challenge the detection component of the NIST cybersecurity framework. To address this concern, the authors designed a diverse machine learning-based intrusion detection system framework for industrial control systems (DICS). DICS implements a sophisticated dual-module architecture. The screening analysis module initially categorizes network traffic as either unidentifiable or recognized packets, while the classification analysis module subsequently determines specific attack types for identifiable traffic. When unrecognized zero-day attack traffic accumulates in a buffer and reaches a predetermined threshold, the agile training module incorporates these patterns into the system, which enables continuous adaptation. During experimental validation, the authors rigorously assess dataset industrial relevance and strategically divide the datasets into four distinct groups to accurately simulate diverse network traffic patterns characteristic of real industrial environments. Moreover, the authors highlight the system’s alignment with IEC 62443 requirements for industrial control system security. In conclusion, the comprehensive analysis demonstrates that DICS delivers superior detection capabilities for malicious network traffic in industrial settings. Full article

DNS over HTTPS (DoH) is an advanced version of the traditional DNS protocol that prevents eavesdropping and man-in-the-middle attacks by encrypting queries and responses. However, it introduces new challenges such as encrypted traffic communication, masking malicious activity, tunneling attacks, and complicating intrusion detection system (IDS) packet inspection. In contrast, unencrypted packets in the traditional Non-DoH version remain vulnerable to eavesdropping, privacy breaches, and spoofing. To address these challenges, an optimized dual-path feature selection approach is designed to select the most efficient packet features for binary class (DoH-Normal, DoH-Malicious) and multiclass (Non-DoH, DoH-Normal, DoH-Malicious) classification. Ant Colony Optimization (ACO) is integrated with machine learning algorithms such as XGBoost, K-Nearest Neighbors (KNN), Random Forest (RF), and Convolutional Neural Networks (CNNs) using CIRA-CIC-DoHBrw-2020 as the benchmark dataset. Experimental results show that the proposed model selects the most effective features for both scenarios, achieving the highest detection and outperforming previous studies in IDS. The highest accuracy obtained for binary and multiclass classifications was 0.9999 and 0.9955, respectively. The optimized feature set contributed significantly to reducing computational costs and processing time across all utilized classifiers. The results provide a robust, fast, and accurate solution to challenges associated with encrypted DNS packets. Full article

The identification and classification of network traffic are crucial for maintaining network security, optimizing network management, and ensuring reliable service quality. These functions help prevent malicious activities, such as network attacks and illegal intrusions, while supporting the efficient allocation of network resources and enhancing user experience. However, the widespread use of traffic encryption technology, while improving data transmission security, also obscures the content of traffic, making it challenging to accurately classify and identify encrypted traffic. This limitation hampers both network security maintenance and further improvements in service quality. Therefore, there is an urgent need to develop an efficient and accurate encryption traffic identification method. This study addresses three key challenges: First, existing methods fail to explore the potential relationship between flow load features and sequence features during feature extraction. Second, there is a need for approaches that can adapt to the diverse characteristics of different protocols, ensuring the accuracy and robustness of encrypted traffic identification. Third, traditional deep learning models need large amounts of labeled data, which are expensive to acquire. To overcome these challenges, we propose an encrypted traffic recognition method based on a CLSTM model (a combination of 2-conv CNN and BiLSTM) and Mean Teacher collaborative learning. This approach detects and integrates traffic load features with sequence features to improve the accuracy and robustness of encrypted traffic identification while reducing the model’s reliance on labeled data through the consistency constraint of unlabeled data using Mean Teacher. Experimental results demonstrate that the CLSTM-MT collaborative learning method outperforms traditional methods in encrypted traffic identification and classification, achieving superior performance even with limited labeled data, thus addressing the high cost of data labeling. Full article

Vehicle-to-Vehicle (V2V) communications technology offers enhanced road safety, traffic efficiency, and connectivity. In V2V, vehicles cooperate by broadcasting safety messages to quickly detect and avoid dangerous situations on time or to avoid and reduce congestion. However, vehicles might misbehave, creating false information and sharing it with neighboring vehicles, such as, for example, failing to report an observed accident or falsely reporting one when none exists. If other vehicles detect such misbehavior, they can report it. However, false accusations also constitute misbehavior. In disconnected areas with limited infrastructure, the potential for misbehavior increases due to the scarcity of Roadside Units (RSUs) necessary for verifying the truthfulness of communications. In such a situation, identifying malicious behavior using a standard misbehaving management system is ineffective in areas with limited connectivity. This paper presents a novel mechanism, Distributed Reputation for Accurate Misbehavior Reporting (DRAMBR), offering a fully integrated reputation solution that utilizes reputation to enhance the accuracy of the reporting system by identifying misbehavior in rural networks. The system operates in two phases: offline, using the Local Misbehavior Detection Mechanism (LMDM), where vehicles detect misbehavior and store reports locally, and online, where these reports are sent to a central reputation server. DRAMBR aggregates the reports and integrates DBSCAN for clustering spatial and temporal misbehavior reports, Isolation Forest for anomaly detection, and Gaussian Mixture Models for probabilistic classification of reports. Additionally, Random Forest and XGBoost models are combined to improve decision accuracy. DRAMBR distinguishes between honest mistakes, intentional deception, and malicious reporting. Using an existing mechanism, the updated reputation is available even in an offline environment. Through simulations, we evaluate our proposed reputation system’s performance, demonstrating its effectiveness in achieving a reporting accuracy of approximately 98%. The findings highlight the potential of reputation-based strategies to minimize misbehavior and improve the reliability and security of V2V communications, particularly in rural areas with limited infrastructure, ultimately contributing to safer and more reliable transportation systems. Full article

The wide application of software-defined network (SDN) architecture, combined with its centralized control characteristics, have exacerbated the potential risk of network attacks, and the traditional anomaly traffic detection methods are facing the challenges of high false alarm rate and insufficient generalization ability due to the reliance on manual rule design and the difficulty in capturing dynamic temporal features. In response to these challenges, we propose a Temporal Convolutional Network (TCN)-based anomalous traffic detection method for SDN. Taking the packet length sequence as the core feature, the long-term temporal dependency in the traffic data is effectively captured by causal convolution and dilation convolution operations of the TCN model, combined with the residual connection mechanism to optimize the gradient propagation and improve the stability of the model training. The experiments validate the model performance based on the public InSDN dataset, and the results show that the method achieves high accuracy in the binary classification task of normal and malicious traffic and improves its detection accuracy by about 5% compared with traditional statistical methods and mainstream deep learning models. Full article

The rapid proliferation of IoT devices necessitates robust security measures to protect against malicious traffic. Anomaly detection, primarily through traffic classification supported by artificial intelligence and machine learning techniques, has emerged as a practical approach to enhancing IoT network security. Effective traffic classification requires efficient feature selection, which is critical for resource-constrained IoT devices with limited computational power, memory, and energy. This study proposes Statistical Moments Difference Thresholding, a feature selection method leveraging statistical central moments to identify significant features distinguishing between legitimate and malicious traffic. The aim is to reduce feature dimensionality while maintaining high detection accuracy. Validated on the MQTTset dataset through binary and multiclass classification using seven ML algorithms, the results highlight its ability to enhance computational efficiency without compromising performance, showcasing its potential in real-world IoT security applications. Full article

The rapid growth of IoT devices has increased security attack behaviors, posing a challenge to IoT security. Some Federated-Learning-based detection methods have been widely used to detect malicious attacks in the IoT by analyzing network traffic; because of the nature of Federated Learning, these methods can protect user privacy and reduce bandwidth consumption. However, existing malicious traffic detection models are often complex, requiring significant computational resources for training. In addition, high-dimensional input features often contain redundant information, which further increases computational overhead. To mitigate this, many model lightweighting techniques are utilized, and many non-end-to-end dimensionality reduction methods are employed; however, these lightweighting methods still struggle to meet the computational demands, and these feature downscaling methods tend to compromise the model’s generalizability and accuracy. In addition, existing methods are unable to dynamically select long-term dependencies when extracting traffic time-series features, limiting the performance of the model when dealing with long time series. To address the above challenges, this paper proposes a lightweight malicious traffic detection model, named the lightweight gated bidirectional temporal convolutional network (LG-BiTCN), based on Federated Learning. First, we use global average pooling (GAP) and a pointwise convolutional layer as a classification module, significantly reducing the model’s parameter count. We also propose an end-to-end adaptive PCA dimension adjustment algorithm for automatic dimensionality reduction to reduce computational complexity and enhance model generalizability. Second, we incorporate gated convolution into the LG-BiTCN architecture, allowing for the dynamic selection of long-term dependencies, enhancing detection accuracy while maintaining computational efficiency. We evaluated the LG-BiTCN’s effectiveness by comparing it with three advanced baseline models on three generic datasets. The results show that the LG-BiTCN achieves over 99.6% accuracy while maintaining the lowest computational complexity. Additionally, in a Federated Learning setup, it requires just two communication rounds to reach 96.75% accuracy. Full article

The accurate and efficient classification of network traffic, including malicious traffic, is essential for effective network management, cybersecurity, and resource optimization. However, traffic classification methods in modern, complex, and dynamic networks face significant challenges, particularly at the network edge, where resources are limited and issues such as privacy concerns and concept drift arise. Condensation techniques offer a solution by reducing the data size, simplifying complex models, and transferring knowledge from traffic data. This paper explores data and knowledge condensation methods—such as coreset selection, data compression, knowledge distillation, and dataset distillation—within the context of traffic classification tasks. It clarifies the relationship between these techniques and network traffic classification, introducing each method and its typical applications. This paper also outlines potential scenarios for applying each condensation technique, highlighting the associated challenges and open research issues. To the best of our knowledge, this is the first comprehensive summary of condensation techniques specifically tailored for network traffic classification tasks. Full article