skip to main content
US FlagAn official website of the United States government
dot gov icon
Official websites use .gov
A .gov website belongs to an official government organization in the United States.
https lock icon
Secure .gov websites use HTTPS
A lock ( lock ) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

Explore Research Products in the PAR
It may take a few hours for recently added research products to appear in PAR search results.


Title: Detection of Zero-Day Attacks in a Software-Defined LEO Constellation Network Using Enhanced Network Metric Predictions
SATCOM is crucial for tactical networks, particularly submarines with sporadic communi- cation requirements. Emerging SATCOM technologies, such as low-earth-orbit (LEO) satellite networks, provide lower latency, greater data reliability, and higher throughput than long-distance geostationary (GEO) satellites. Software-defined networking (SDN) has been introduced to SATCOM networks due to its ability to enhance management while strengthening network control and security. In our previous work, we proposed a SD-LEO constellation for naval submarine communication networks, as well as an extreme gradient boosting (XGBoost) machine-learning (ML) approach for classifying denial-of-service attacks against the constellation. Nevertheless, zero-day attacks have the potential to cause major damage to the SATCOM network, particularly the controller architecture, due to the scarcity of data for training and testing ML models due to their novelty. This study tackles this challenge by employing a predictive queuing analysis of the SD-SATCOM controller design to rapidly generate ML training data for zero- day attack detection. In addition, we redesign our singular controller architecture to a decentralized controller architecture to eliminate singular points of failure. To our knowledge, no prior research has investigated using queuing analysis to predict SD-SATCOM controller architecture network performance for ML training to prevent zero-day attacks. Our queuing analysis accelerates the training of ML models and enhances data adaptability, enabling network operators to defend against zero-day attacks without precollected data. We utilized the CatBoost algorithm to train a multi-output regression model to predict network performance statistics. Our method successfully identified and classified normal, non-attack samples and zero-day cyberattacks with over 94% accuracy, precision, recall, and f1-scores.  more » « less
Award ID(s):
1738420
PAR ID:
10565872
Author(s) / Creator(s):
; ;
Publisher / Repository:
IEEE
Date Published:
Journal Name:
IEEE Open Journal of the Communications Society
Volume:
5
ISSN:
2644-125X
Page Range / eLocation ID:
6611 to 6634
Format(s):
Medium: X
Sponsoring Org:
National Science Foundation
More Like this
  1. ; (, Government Microcircuit Applications and Critical Technology Conference (GOMAC Tech))
    Satellite communication (SATCOM) is a critical infrastructure for tactical networks--especially for the intermittent communication of submarines. To ensure data reliability, recent SATCOM research has begun to embrace several advances, such as low earth orbit (LEO) satellite networks to reduce latency and increase throughput compared to long-distance geostationary (GEO) satellites, and software-defined networking (SDN) to increase network control and security. This paper proposes an SD-LEO constellation for submarines in communication networks. An SD-LEO architecture is proposed, to Denial-of-Service (DoS) attack detection and classification using the extreme gradient boosting (XGBoost) algorithm. Numerical results demonstrate greater than ninety-eight percent in accuracy, precision, recall, and F1-scores. 
    more » « less
  2. ; ; ; ; (, 18th IEEE International Conference On Trust, Security And Privacy In Computing And Communications (TrustCom))
    null (Ed.)
    Controllers of security-critical cyber-physical systems, like the power grid, are a very important class of computer systems. Attacks against the control code of a power-grid system, especially zero-day attacks, can be catastrophic. Earlier detection of the anomalies can prevent further damage. However, detecting zero-day attacks is extremely challenging because they have no known code and have unknown behavior. Furthermore, if data collected from the controller is transferred to a server through networks for analysis and detection of anomalous behavior, this creates a very large attack surface and also delays detection. In order to address this problem, we propose Reconstruction Error Distribution (RED) of Hardware Performance Counters (HPCs), and a data-driven defense system based on it. Specifically, we first train a temporal deep learning model, using only normal HPC readings from legitimate processes that run daily in these power-grid systems, to model the normal behavior of the power-grid controller. Then, we run this model using real-time data from commonly available HPCs. We use the proposed RED to enhance the temporal deep learning detection of anomalous behavior, by estimating distribution deviations from the normal behavior with an effective statistical test. Experimental results on a real power-grid controller show that we can detect anomalous behavior with high accuracy (>99.9%), nearly zero false positives and short (<360ms) latency. 
    more » « less
  3. (, IEEE Conference on Network Function Virtualization and Software Defined Networks (NFV-SDN))
    For the past decade, botnets have dominated network attacks in spite of significant research advances in defending against them. The distributed attack sources, the network size, and the diverse botnet attack techniques challenge the effectiveness of a single-point centralized security solution. This paper proposes a distributed security system against largescale disruptive botnet attacks by using SDN/NFV and machinelearning. In our system, a set of distributed network functions detect network attacks for each protocol and to collect real-time traffic information, which also gets relayed to the SDN controller for more sophisticated analyses. The SDN controller then analyzes the real-time traffic with the only forwarded information using machine learning and updates the flow rule or take routing/bandwidth-control measures, which get executed on the nodes implementing the security network functions. Our evaluations show the proposed system to be an efficient and effective defense method against botnet attacks. The evaluation results demonstrated that the proposed system detects large-scale distributed network attacks from botnets at the SDN controller while the network functions locally detect known attacks across different networking protocols. 
    more » « less
  4. ; ; (, IEEE Conference on Network Function Virtualization and Software Defined Networks (NFV-SDN))
    For the past decade, botnets have dominated network attacks in spite of significant research advances in defending against them. The distributed attack sources, the network size, and the diverse botnet attack techniques challenge the effectiveness of a single-point centralized security solution. This paper proposes a distributed security system against large-scale disruptive botnet attacks by using SDN/NFV and machine-learning. In our system, a set of distributed network functions detect network attacks for each protocol and to collect real-time traffic information, which also gets relayed to the SDN controller for more sophisticated analyses. The SDN controller then analyzes the real-time traffic with the only forwarded information using machine learning and updates the flow rule or take routing/bandwidth-control measures, which get executed on the nodes implementing the security network functions. Our evaluations show the proposed system to be an efficient and effective defense method against botnet attacks. The evaluation results demonstrated that the proposed system detects large-scale distributed network attacks from botnets at the SDN controller while the network functions locally detect known attacks across different networking protocols. 
    more » « less
  5. ; ; (, 2024 IEEE/RSJ International Conference on Intelligent Robots and Systems (IROS))
    Zero-day vulnerabilities pose a significant challenge to robot cyber-physical systems (CPS). Attackers can exploit software vulnerabilities in widely-used robotics software, such as the Robot Operating System (ROS), to manipulate robot behavior, compromising both safety and operational effectiveness. The hidden nature of these vulnerabilities requires strong defense mechanisms to guarantee the safety and dependability of robotic systems. In this paper, we introduce ROBOCOP, a cyber-physical attack detection framework designed to protect robots from zero-day threats. ROBOCOP leverages static software features in the pre-execution analysis along with runtime state monitoring to identify attack patterns and deviations that signal attacks, thus ensuring the robot’s operational integrity. We evaluated ROBOCOP on the F1-tenth autonomous car platform. It achieves a 93% detection accuracy against a variety of zero-day attacks targeting sensors, actuators, and controller logic. Importantly, in on-robot deployments, it identifies attacks in less than 7 seconds with a 12% computational overhead. 
    more » « less
  • Citation Formats
  • MLA
  • APA
  • Chicago
  • BibTeX
  • Save / Share this Record
  • Send to Email