In recent years, web-based platforms and business applications
have been rising in popularity deeming themselves indispensable
as they constitute the main backbone of business processes and in-
formation sharing. However, the unprecedented increased number
of cyber-attacks have been threatening their day-to-day opera-
tions. In particular, the Standard Query Language Injection Attack
(SQLIA) remains one of the most prevalent cyber attacks targeting
web-based applications. As a consequence, the SQLIA detection
techniques need to be constantly revamped and stay up-to-date in
order to achieve the full potential of mitigating such threats. In this
paper, we propose an artificial intelligence model based on super-
vised machine learning techniques to detect SQLIA. As part of the
proposed model, we introduce an input string validation technique
as a primary anomaly identifier using pattern matching for SQL
Query data with anomalies-injections. To evaluate our approach we
injected one type of SQLIA that is tautology attacks and measured
the performance of our model. We used three main classifiers in
our model and our findings indicate a model prediction accuracy of
98.3605% for Support Vector Machine (SVM), 96.296% for K-Nearest
Neighbors (KNN), and 97.530% for Random Forest. The approach
proposed in this paper has the potential of being used to integrate
an automated SQL Injection detection mechanism with Intrusion
Detection Systems (IDS) and Intrusion Protection Systems (IPS).
more »
« less
Detecting CAN Bus Intrusion by Applying Machine Learning Method to Graph Based Features
Modern vehicle is considered as a system vulnerable to attacks because it is connected to the outside world via a wireless interface. Although, connectivity provides more convenience and features to the passengers, however, it also becomes a pathway for the attackers targeting in-vehicle networks. Research in vehicle security is getting attention as in-vehicle attacks can impact human life safety as modern vehicle is connected to the outside world. Controller area network (CAN) is used as a legacy protocol for in-vehicle communication, However, CAN suffers from vulnerabilities due to lack of authentication, as the information about sender is missing in CAN message. In this paper, a new CAN intrusion detection system (IDS) is proposed, the CAN messages are converted to temporal graphs and CAN intrusion is detected using machine learning algorithms. Seven graph-based properties are extracted and used as features for detecting intrusions utilizing two machine learning algorithms which are support vector machine (SVM) & k-nearest neighbors (KNN). The performance of the IDS was evaluated over three CAN bus attacks are denial of service (DoS), fuzzy & spoofing attacks on real vehicular CAN bus dataset. The experimental results showed that using graph-based features, an accuracy of 97.92% & 97.99% was achieved using SVM & KNN algorithms respectively, which is better than using traditional machine learning CAN bus features.
more »
« less
- Award ID(s):
- 2035770
- NSF-PAR ID:
- 10312634
- Date Published:
- Journal Name:
- Proceedings of SAI Intelligent Systems Conference
- Format(s):
- Medium: X
- Sponsoring Org:
- National Science Foundation
More Like this
-
-
Machine learning-based security detection models have become prevalent in modern malware and intrusion detection systems. However, previous studies show that such models are susceptible to adversarial evasion attacks. In this type of attack, inputs (i.e., adversarial examples) are specially crafted by intelligent malicious adversaries, with the aim of being misclassified by existing state-of-the-art models (e.g., deep neural networks). Once the attackers can fool a classifier to think that a malicious input is actually benign, they can render a machine learning-based malware or intrusion detection system ineffective. Objective To help security practitioners and researchers build a more robust model against non-adaptive, white-box and non-targeted adversarial evasion attacks through the idea of ensemble model. Method We propose an approach called Omni, the main idea of which is to explore methods that create an ensemble of “unexpected models”; i.e., models whose control hyperparameters have a large distance to the hyperparameters of an adversary’s target model, with which we then make an optimized weighted ensemble prediction. Results In studies with five types of adversarial evasion attacks (FGSM, BIM, JSMA, DeepFool and Carlini-Wagner) on five security datasets (NSL-KDD, CIC-IDS-2017, CSE-CIC-IDS2018, CICAndMal2017 and the Contagio PDF dataset), we show Omni is a promising approach as a defense strategy against adversarial attacks when compared with other baseline treatments Conclusions When employing ensemble defense against adversarial evasion attacks, we suggest to create ensemble with unexpected models that are distant from the attacker’s expected model (i.e., target model) through methods such as hyperparameter optimization.more » « less
-
With the proliferation of IoT devices, securing the IoT-based network is of paramount importance. IoT-based networks consist of diversely purposed IoT devices. This diversity of IoT devices necessitates diverse dataset analysis to ensure effective implementation of Machine Learning (ML)-based cybersecurity. However, much-demanded real-world IoT data is still in short supply for active ML-based IoT data analysis. This paper presents an in-depth analysis of the real-time IoT-23 dataset [9]. Exhaustive analysis of all 20 scenarios of the IoT-23 dataset reveals the consistency between feature selection methods and detection algorithms. The proposed ML-based intrusion detection system (ML-IDS) achieves significant improvement in detection accuracy, which in some scenarios reaches 100%. Our analysis also demonstrates that the required number of features for a high detection rate of greater than 99% remains small, i.e., 2 or 3, enabling ML-IDS implementation even with resource-constrained IoT processors.more » « less
-
Investigating the nature of system intrusions in large distributed systems remains a notoriously difficult challenge. While monitoring tools (e.g., Firewalls, IDS) provide preliminary alerts through easy-to-use administrative interfaces, attack reconstruction still requires that administrators sift through gigabytes of system audit logs stored locally on hundreds of machines. At present, two fundamental obstacles prevent synergy between system-layer auditing and modern cluster monitoring tools: 1) the sheer volume of audit data generated in a data center is prohibitively costly to transmit to a central node, and 2) system- layer auditing poses a “needle-in-a-haystack” problem, such that hundreds of employee hours may be required to diagnose a single intrusion. This paper presents Winnower, a scalable system for audit-based cluster monitoring that addresses these challenges. Our key insight is that, for tasks that are replicated across nodes in a distributed application, a model can be defined over audit logs to succinctly summarize the behavior of many nodes, thus eliminating the need to transmit redundant audit records to a central monitoring node. Specifically, Winnower parses audit records into provenance graphs that describe the actions of individual nodes, then performs grammatical inference over individual graphs using a novel adaptation of Deterministic Finite Automata (DFA) Learning to produce a behavioral model of many nodes at once. This provenance model can be efficiently transmitted to a central node and used to identify anomalous events in the cluster. We have implemented Winnower for Docker Swarm container clusters and evaluate our system against real-world applications and attacks. We show that Winnower dramatically reduces storage and network overhead associated with aggregating system audit logs, by as much as 98%, without sacrificing the important information needed for attack investigation. Winnower thus represents a significant step forward for security monitoring in distributed systems.more » « less
-
Despite the increased accuracy of intrusion detection systems (IDS) in identifying cyberattacks in computer networks and devices connected to the internet, distributed or coordinated attacks can still go undetected or not detected on time. The single vantage point limits the ability of these IDSs to detect such attacks. Due to this reason, there is a need for attack characteristics’ exchange among different IDS nodes. Researchers proposed a cooperative intrusion detection system to share these attack characteristics effectively. This approach was useful; however, the security of the shared data cannot be guaranteed. More specifically, maintaining the integrity and consistency of shared data becomes a significant concern. In this paper, we propose a blockchain-based solution that ensures the integrity and consistency of attack characteristics shared in a cooperative intrusion detection system. The proposed architecture achieves this by detecting and preventing fake features injection and compromised IDS nodes. It also facilitates scalable attack features exchange among IDS nodes, ensures heterogeneous IDS nodes participation, and it is robust to public IDS nodes joining and leaving the network. We evaluate the security analysis and latency. The result shows that the proposed approach detects and prevents compromised IDS nodes, malicious features injection, manipulation, or deletion, and it is also scalable with low latency.more » « less
- Free Publicly Accessible Full Text
-
Accepted Manuscript1.0
- Conference Paper:
- https://doi.org/10.1007/978-3-030-82199-9_49
