IoT Botnet Detection Using Salp Swarm and Ant Lion Hybrid Optimization Model

Ruba Abu Khurma; Iman Almomani; Ibrahim Aljarah

doi:10.3390/sym13081377

IoT Botnet Detection Using Salp Swarm and Ant Lion Hybrid Optimization Model

Symmetry ◽

10.3390/sym13081377 ◽

2021 ◽

Vol 13 (8) ◽

pp. 1377

Author(s):

Ruba Abu Khurma ◽

Iman Almomani ◽

Ibrahim Aljarah

Keyword(s):

Energy Savings ◽

Dimensional Space ◽

False Positive Rate ◽

Denial Of Service ◽

Traffic Monitoring ◽

True Positive ◽

Space Problem ◽

Iot Applications ◽

Positive Rate ◽

Ant Lion

In the last decade, the devices and appliances utilizing the Internet of things (IoT) have expanded tremendously, which has led to revolutionary developments in the network industry. Smart homes and cities, wearable devices, traffic monitoring, health systems, and energy savings are typical IoT applications. The diversity in IoT standards, protocols, and computational resources makes them vulnerable to security attackers. Botnets are challenging security threats in IoT devices that cause severe Distributed Denial of Service (DDoS) attacks. Intrusion detection systems (IDS) are necessary for safeguarding Internet-connected frameworks and enhancing insufficient traditional security countermeasures, including authentication and encryption techniques. This paper proposes a wrapper feature selection model (SSA–ALO) by hybridizing the salp swarm algorithm (SSA) and ant lion optimization (ALO). The new model can be integrated with IDS components to handle the high-dimensional space problem and detect IoT attacks with superior efficiency. The experiments were performed using the N-BaIoT benchmark dataset, which was downloaded from the UCI repository. This dataset consists of nine datasets that represent real IoT traffic. The experimental results reveal the outperformance of SSA–ALO compared to existing related approaches using the following evaluation measures: TPR (true positive rate), FPR (false positive rate), G-mean, processing time, and convergence curves. Therefore, the proposed SSA–ALO model can serve IoT applications by detecting intrusions with high true positive rates that reach 99.9% and with a minimal delay even in imbalanced intrusion families.

Download Full-text

PRATD: A Phased Remote Access Trojan Detection Method with Double-Sided Features

Electronics ◽

10.3390/electronics9111894 ◽

2020 ◽

Vol 9 (11) ◽

pp. 1894

Author(s):

Chun Guo ◽

Zihua Song ◽

Yuan Ping ◽

Guowei Shen ◽

Yuhei Cui ◽

...

Keyword(s):

False Positive ◽

Detection Method ◽

False Positive Rate ◽

True Positive Rate ◽

Remote Access ◽

Detection Methods ◽

Security Threats ◽

True Positive ◽

Trojan Detection ◽

Positive Rate

Remote Access Trojan (RAT) is one of the most terrible security threats that organizations face today. At present, two major RAT detection methods are host-based and network-based detection methods. To complement one another’s strengths, this article proposes a phased RATs detection method by combining double-side features (PRATD). In PRATD, both host-side and network-side features are combined to build detection models, which is conducive to distinguishing the RATs from benign programs because that the RATs not only generate traffic on the network but also leave traces on the host at run time. Besides, PRATD trains two different detection models for the two runtime states of RATs for improving the True Positive Rate (TPR). The experiments on the network and host records collected from five kinds of benign programs and 20 famous RATs show that PRATD can effectively detect RATs, it can achieve a TPR as high as 93.609% with a False Positive Rate (FPR) as low as 0.407% for the known RATs, a TPR 81.928% and FPR 0.185% for the unknown RATs, which suggests it is a competitive candidate for RAT detection.

Download Full-text

A HMM-R Approach to Detect L-DDoS Attack Adaptively on SDN Controller

Future Internet ◽

10.3390/fi10090083 ◽

2018 ◽

Vol 10 (9) ◽

pp. 83 ◽

Cited By ~ 3

Author(s):

Wentao Wang ◽

Xuan Ke ◽

Lingxia Wang

Keyword(s):

Data Center ◽

False Positive ◽

Data Flow ◽

Denial Of Service ◽

True Positive ◽

Ddos Attacks ◽

Data Center Network ◽

Data Packets ◽

Positive Rate ◽

Sdn Controller

A data center network is vulnerable to suffer from concealed low-rate distributed denial of service (L-DDoS) attacks because its data flow has the characteristics of data flow delay, diversity, and synchronization. Several studies have proposed addressing the detection of L-DDoS attacks, most of them are only detect L-DDoS attacks at a fixed rate. These methods cause low true positive and high false positive in detecting multi-rate L-DDoS attacks. Software defined network (SDN) is a new network architecture that can centrally control the network. We use an SDN controller to collect and analyze data packets entering the data center network and calculate the Renyi entropies base on IP of data packets, and then combine them with the hidden Markov model to get a probability model HMM-R to detect L-DDoS attacks at different rates. Compared with the four common attack detection algorithms (KNN, SVM, SOM, BP), HMM-R is superior to them in terms of the true positive rate, the false positive rate, and the adaptivity.

Download Full-text

Considerations on the region of interest in the ROC space

Statistical Methods in Medical Research ◽

10.1177/09622802211060515 ◽

2021 ◽

pp. 096228022110605

Author(s):

Luigi Lavazza ◽

Sandro Morasca

Keyword(s):

Receiver Operating Characteristic ◽

Operating Characteristic ◽

False Positive Rate ◽

Area Under The Curve ◽

Region Of Interest ◽

True Positive Rate ◽

True Positive ◽

Receiver Operating Characteristic Curves ◽

Positive Rate ◽

Receiver Operating

Receiver Operating Characteristic curves have been widely used to represent the performance of diagnostic tests. The corresponding area under the curve, widely used to evaluate their performance quantitatively, has been criticized in several respects. Several proposals have been introduced to improve area under the curve by taking into account only specific regions of the Receiver Operating Characteristic space, that is, the plane to which Receiver Operating Characteristic curves belong. For instance, a region of interest can be delimited by setting specific thresholds for the true positive rate or the false positive rate. Different ways of setting the borders of the region of interest may result in completely different, even opposing, evaluations. In this paper, we present a method to define a region of interest in a rigorous and objective way, and compute a partial area under the curve that can be used to evaluate the performance of diagnostic tests. The method was originally conceived in the Software Engineering domain to evaluate the performance of methods that estimate the defectiveness of software modules. We compare this method with previous proposals. Our method allows the definition of regions of interest by setting acceptability thresholds on any kind of performance metric, and not just false positive rate and true positive rate: for instance, the region of interest can be determined by imposing that [Formula: see text] (also known as the Matthews Correlation Coefficient) is above a given threshold. We also show how to delimit the region of interest corresponding to acceptable costs, whenever the individual cost of false positives and false negatives is known. Finally, we demonstrate the effectiveness of the method by applying it to the Wisconsin Breast Cancer Data. We provide Python and R packages supporting the presented method.

Download Full-text

The performance of delta check methods.

Clinical Chemistry ◽

10.1093/clinchem/25.12.2034 ◽

1979 ◽

Vol 25 (12) ◽

pp. 2034-2037 ◽

Cited By ~ 21

Author(s):

L B Sheiner ◽

L A Wheeler ◽

J K Moore

Keyword(s):

False Positive ◽

False Positive Rate ◽

True Positive Rate ◽

True Positive ◽

Discriminant Functions ◽

Linear Discriminant ◽

Operating Rate ◽

Positive Rate ◽

The Relationship

Abstract The percentage of mislabeled specimens detected (true-positive rate) and the percentage of correctly labeled specimens misidentified (false-positive rate) were computed for three previously proposed delta check methods and two linear discriminant functions. The true-positive rate was computed from a set of pairs of specimens, each having one member replaced by a member from another pair chosen at random. The relationship between true-positive and false-positive rates was similar among the delta check methods tested, indicating equal performance for all of them over the range of false-positive rate of interest. At a practical false-positive operating rate of about 5%, delta check methods detect only about 50% of mislabeled specimens; even if the actual mislabeling rate is moderate (e.g., 1%), only abot 10% of specimens flagged a by a delta check will actually have been mislabeled.

Download Full-text

Detection of DoS Attacks Using ARFIMA Modeling of GOOSE Communication in IEC 61850 Substations

Energies ◽

10.3390/en13195176 ◽

2020 ◽

Vol 13 (19) ◽

pp. 5176

Author(s):

Ghada Elbez ◽

Hubert B. Keller ◽

Atul Bohara ◽

Klara Nahrstedt ◽

Veit Hagenmeyer

Keyword(s):

False Positive ◽

False Positive Rate ◽

Denial Of Service ◽

Statistical Hypothesis ◽

Physical Security ◽

Dos Attacks ◽

Iec 61850 ◽

Detection Delay ◽

Positive Rate ◽

Arfima Model

Integration of Information and Communication Technology (ICT) in modern smart grids (SGs) offers many advantages including the use of renewables and an effective way to protect, control and monitor the energy transmission and distribution. To reach an optimal operation of future energy systems, availability, integrity and confidentiality of data should be guaranteed. Research on the cyber-physical security of electrical substations based on IEC 61850 is still at an early stage. In the present work, we first model the network traffic data in electrical substations, then, we present a statistical Anomaly Detection (AD) method to detect Denial of Service (DoS) attacks against the Generic Object Oriented Substation Event (GOOSE) network communication. According to interpretations on the self-similarity and the Long-Range Dependency (LRD) of the data, an Auto-Regressive Fractionally Integrated Moving Average (ARFIMA) model was shown to describe well the GOOSE communication in the substation process network. Based on this ARFIMA-model and in view of cyber-physical security, an effective model-based AD method is developed and analyzed. Two variants of the statistical AD considering statistical hypothesis testing based on the Generalized Likelihood Ratio Test (GLRT) and the cumulative sum (CUSUM) are presented to detect flooding attacks that might affect the availability of the data. Our work presents a novel AD method, with two different variants, tailored to the specific features of the GOOSE traffic in IEC 61850 substations. The statistical AD is capable of detecting anomalies at unknown change times under the realistic assumption of unknown model parameters. The performance of both variants of the AD method is validated and assessed using data collected from a simulation case study. We perform several Monte-Carlo simulations under different noise variances. The detection delay is provided for each detector and it represents the number of discrete time samples after which an anomaly is detected. In fact, our statistical AD method with both variants (CUSUM and GLRT) has around half the false positive rate and a smaller detection delay when compared with two of the closest works found in the literature. Our AD approach based on the GLRT detector has the smallest false positive rate among all considered approaches. Whereas, our AD approach based on the CUSUM test has the lowest false negative rate thus the best detection rate. Depending on the requirements as well as the costs of false alarms or missed anomalies, both variants of our statistical detection method can be used and are further analyzed using composite detection metrics.

Download Full-text

Physical Tampering Detection Using Single COTS Wi-Fi Endpoint

Sensors ◽

10.3390/s21165665 ◽

2021 ◽

Vol 21 (16) ◽

pp. 5665

Author(s):

Poh Yuen Chan ◽

Alexander I-Chi Lai ◽

Pei-Yuan Wu ◽

Ruey-Beei Wu

Keyword(s):

False Positive Rate ◽

True Positive Rate ◽

Relative Orientation ◽

True Positive ◽

Channel State ◽

Detection Mechanism ◽

Tampering Detection ◽

State Information ◽

Positive Rate ◽

Commercial Off The Shelf

This paper proposes a practical physical tampering detection mechanism using inexpensive commercial off-the-shelf (COTS) Wi-Fi endpoint devices with a deep neural network (DNN) on channel state information (CSI) in the Wi-Fi signals. Attributed to the DNN that identifies physical tampering events due to the multi-subcarrier characteristics in CSI, our methodology takes effect using only one COTS Wi-Fi endpoint with a single embedded antenna to detect changes in the relative orientation between the Wi-Fi infrastructure and the endpoint, in contrast to previous sophisticated, proprietary approaches. Preliminary results show that our detectors manage to achieve a 95.89% true positive rate (TPR) with no worse than a 4.12% false positive rate (FPR) in detecting physical tampering events.

Download Full-text

DDoS Detection and Prevention Based on Joint Entropy and Conditional Entropy

Key Engineering Materials ◽

10.4028/www.scientific.net/kem.474-476.2129 ◽

2011 ◽

Vol 474-476 ◽

pp. 2129-2133

Author(s):

Yong Hao Gu ◽

Wei Ming Wu

Keyword(s):

False Positive ◽

False Positive Rate ◽

Denial Of Service ◽

Conditional Entropy ◽

High Sensitivity ◽

Joint Entropy ◽

Positive Rate ◽

Single Attribute ◽

Ddos Detection ◽

The Stability

Distributed Denial of Service (DDoS) imposes a very serious threat to the stability of the Internet. Compared with many detection approaches, detecting DDoS attacks based on entropy has advantages such as simplicity, high sensitivity and low false positive rate. But the method with single attribute entropy has high false positive rate when detecting attribute forged attacks. This paper presents a detecting method based on joint entropy and a filtering way based on conditional entropy. The efficiency of this scheme is validated with simulation on the research lab network.

Download Full-text

Actor Critic Deep Reinforcement Learning for Neural Malware Control

Proceedings of the AAAI Conference on Artificial Intelligence ◽

10.1609/aaai.v34i01.5449 ◽

2020 ◽

Vol 34 (01) ◽

pp. 1005-1012

Author(s):

Yu Wang ◽

Jack Stokes ◽

Mady Marinescu

Keyword(s):

Operating System ◽

Reinforcement Learning ◽

False Positive ◽

Partial Information ◽

False Positive Rate ◽

True Positive Rate ◽

True Positive ◽

New Model ◽

Positive Rate ◽

Execution Speed

In addition to using signatures, antimalware products also detect malicious attacks by evaluating unknown files in an emulated environment, i.e. sandbox, prior to execution on a computer's native operating system. During emulation, a file cannot be scanned indefinitely, and antimalware engines often set the number of instructions to be executed based on a set of heuristics. These heuristics only make the decision of when to halt emulation using partial information leading to the execution of the file for either too many or too few instructions. Also this method is vulnerable if the attackers learn this set of heuristics. Recent research uses a deep reinforcement learning (DRL) model employing a Deep Q-Network (DQN) to learn when to halt the emulation of a file. In this paper, we propose a new DRL-based system which instead employs a modified actor critic (AC) framework for the emulation halting task. This AC model dynamically predicts the best time to halt the file's execution based on a sequence of system API calls. Compared to the earlier models, the new model is capable of handling adversarial attacks by simulating their behaviors using the critic model. The new AC model demonstrates much better performance than both the DQN model and antimalware engine's heuristics. In terms of execution speed (evaluated by the halting decision), the new model halts the execution of unknown files by up to 2.5% earlier than the DQN model and 93.6% earlier than the heuristics. For the task of detecting malicious files, the proposed AC model increases the true positive rate by 9.9% from 69.5% to 76.4% at a false positive rate of 1% compared to the DQN model, and by 83.4% from 41.2% to 76.4% at a false positive rate of 1% compared to a recently proposed LSTM model.

Download Full-text

Accurately Identifying New QoS Violation Driven by High-Distributed Low-Rate Denial of Service Attacks Based on Multiple Observed Features

Journal of Sensors ◽

10.1155/2015/465402 ◽

2015 ◽

Vol 2015 ◽

pp. 1-11 ◽

Cited By ~ 1

Author(s):

Jian Kang ◽

Mei Yang ◽

Junyao Zhang

Keyword(s):

Network Traffic ◽

False Positive Rate ◽

Denial Of Service ◽

Threshold Value ◽

Detection Accuracy ◽

Packet Header ◽

Positive Rate ◽

Spectrum Density ◽

Microscopic Feature ◽

Low Rate

We propose using multiple observed features of network traffic to identify new high-distributed low-rate quality of services (QoS) violation so that detection accuracy may be further improved. For the multiple observed features, we chooseF featurein TCP packet header as a microscopic feature and,P featureandD featureof network traffic as macroscopic features. Based on these features, we establishmultistream fused hidden Markov model(MF-HMM) to detect stealthy low-rate denial of service (LDoS) attacks hidden in legitimate network background traffic. In addition, the threshold value is dynamically adjusted by using Kaufman algorithm. Our experiments show that the additive effect of combining multiple features effectively reduces the false-positive rate. The average detection rate of MF-HMM results in a significant 23.39% and 44.64% improvement over typical power spectrum density (PSD) algorithm and nonparametric cumulative sum (CUSUM) algorithm.

Download Full-text

Identification of Influential Variants in Significant Aggregate Rare Variant Tests

Human Heredity ◽

10.1159/000513290 ◽

2021 ◽

pp. 1-13

Author(s):

Rachel Z. Blumhagen ◽

David A. Schwartz ◽

Carl D. Langefeld ◽

Tasha E. Fingerlin

Keyword(s):

Outlier Detection ◽

Rare Variant ◽

False Positive ◽

Rare Variants ◽

False Positive Rate ◽

Experimental Studies ◽

Detection Methods ◽

True Positive ◽

Adaptive Combination ◽

Positive Rate

Introduction: Studies that examine the role of rare variants in both simple and complex disease are increasingly common. Though the usual approach of testing rare variants in aggregate sets is more powerful than testing individual variants, it is of interest to identify the variants that are plausible drivers of the association. We present a novel method for prioritization of rare variants after a significant aggregate test by quantifying the influence of the variant on the aggregate test of association. Methods: In addition to providing a measure used to rank variants, we use outlier detection methods to present the computationally efficient Rare Variant Influential Filtering Tool (RIFT) to identify a subset of variants that influence the disease association. We evaluated several outlier detection methods that vary based on the underlying variance measure: interquartile range (Tukey fences), median absolute deviation, and SD. We performed 1,000 simulations for 50 regions of size 3 kb and compared the true and false positive rates. We compared RIFT using the Inner Tukey to 2 existing methods: adaptive combination of p values (ADA) and a Bayesian hierarchical model (BeviMed). Finally, we applied this method to data from our targeted resequencing study in idiopathic pulmonary fibrosis (IPF). Results: All outlier detection methods observed higher sensitivity to detect uncommon variants (0.001 < minor allele frequency, MAF > 0.03) compared to very rare variants (MAF <0.001). For uncommon variants, RIFT had a lower median false positive rate compared to the ADA. ADA and RIFT had significantly higher true positive rates than that observed for BeviMed. When applied to 2 regions found previously associated with IPF including 100 rare variants, we identified 6 polymorphisms with the greatest evidence for influencing the association with IPF. Discussion: In summary, RIFT has a high true positive rate while maintaining a low false positive rate for identifying polymorphisms influencing rare variant association tests. This work provides an approach to obtain greater resolution of the rare variant signals within significant aggregate sets; this information can provide an objective measure to prioritize variants for follow-up experimental studies and insight into the biological pathways involved.

Download Full-text