Saudi Cultural Missions Theses & Dissertations
Permanent URI for this community: https://drepo.sdl.edu.sa/handle/20.500.14154/10
Enhance Deep Learning for Cybersecurity Challenges in Software-Defined Networks
University of Warwick, 2024-09
Alsaadi, Sami; Leeson, Mark and Lakshminarayana, Subhash

Traditional network devices, such as a router or switch, incorporate the control plane and the data plane. IT operators independently set traffic policies on each device. Nonetheless, this architectural setup raises operational expenses and complicates the dynamic adaptation and maintenance of secure network configurations. Software-defined Networking (SDN) represents a revolutionary approach to network management, offering enhanced flexibility. SDN promotes rapid innovation in networking by centralizing control and making it programmable. However, security concerns pose significant barriers to the broader adoption of SDN, as this new architecture potentially opens novel attack vectors previously non-existent or more challenging to exploit. Machine Learning (ML) strategies for SDN security rely heavily on feature engineering, requiring expert knowledge and causing delays. Therefore, enhancing intrusion detection is essential for protecting SDN architectures against diverse threats. The thesis develops techniques for detecting malicious activities in SDN using Deep Learning (DL). It starts by evaluating CNNs on an SDN dataset, leading to a new CNN-based detection approach that employs a novel regularization method to reduce kernel weights and address overfitting, improving effectiveness against unrecognized attacks. Additionally, a semi-supervised learning method using an LSTM autoencoder combined with One-Class SVM is introduced, specifically designed to detect DDoS attacks.
This approach enhances the detection capabilities within SDN environments, showcasing the potential of DL in advancing network security.

The Detection of Advanced Persistent Threats in Software Defined Networks using Machine Learning
2023-08-06
Alqahtani, Abdullah Hamad; Clark, John A.

A Software-Defined Network (SDN) is a new type of network architecture that separates the control and network planes. The centralised controller can programmatically manage the underlying network devices. Although SDN provides many advantages, it raises new security challenges. A stealth attack is a particularly dangerous kind of attack adopted by adversaries who aim to avoid detection, typically by incurring lower levels of traffic during their activities than would arouse suspicion. Advanced Persistent Threats (APTs) are sophisticated attacks that implement stealth behaviour during their campaigns. They present major challenges to the security of systems. Little research has been carried out on detecting APTs in the context of SDNs. This is the focus of this thesis. Initially, an enhancement of scanning capabilities in SDN is introduced and an open source scanner tool is adapted to operate more stealthily (allowing extended periods of time between operations it carries out). It has been made publicly and freely available to researchers. In this thesis, it is used to generate datasets (using Mininet) to train and evaluate detection models. Existing datasets do not adequately represent the presence of APTs, or do not do so in the context of SDNs. Thus, generating our own datasets was essential for the work in this thesis. However, we still make use of existing datasets in our evaluations, e.g. to show our approaches may still work effectively against non-APT threats.
Of particular interest in this thesis is the use of stealth techniques as part of ‘flow rule reconstruction’ attacks, where attackers seek to infer aspects of packet handling policies that apply at targeted nodes. Inferring such information facilitates further attacks. The most common Machine Learning (ML) techniques for signature-based detection (such as Decision Tree, K-Nearest Neighbour, Random Forest, XGBoost and Support Vector Machine) and for anomaly-based detection (such as Local Outlier Factor, Isolation Forest and One-class SVM) are evaluated. Consequently, XGBoost is proposed as a signature-based model to detect known stealth attacks in SDN and is shown to be highly effective. Subsequently, a hybrid detection model is constructed by combining XGBoost (as a signature-based detection module) and a One-class SVM (as an anomaly-based detection module), leveraging the complementary aspects of these techniques to allow known and unknown attacks to be detected. This is the first demonstration of the effectiveness of a hybrid approach for APT detection in SDNs. As systems evolve, the effectiveness of an ML-based classifier degrades because the distribution of the data it needs to handle increasingly deviates from that over which it was trained. This is known as concept drift. One cause of such drift is attackers changing their behaviour. A hybrid system (signature-based detection using an Adaptive Random Forest and anomaly-based detection using an Adaptive One-Class SVM) is presented that uses concept drift detection to instigate appropriate run-time model retraining. The approach can detect known and unknown attacks and adapt itself incrementally when concept drift happens. This is the first time concept drift has been considered in the context of intrusion detection for SDNs. The validity of our IDS schemes is assessed using various datasets with different attacks and network sizes.
ML-pipeline techniques commonly ignored in the IDS literature are employed as part of the work: hyperparameter tuning to generalise the model, resampling of imbalanced datasets to prevent bias in predictions, and feature reduction to focus modelling on smaller numbers of highly informative features. Our proposed models are compared with available benchmark results in the field and also with competing approaches as part of our comprehensive empirical evaluation. Performance metrics such as Accuracy, Recall, Precision, and F1-score are used in the evaluation. These steps collectively ensure that our schemes are robust, accurate, and capable of generalising to new attack scenarios. Overall, we show how machine learning can effectively detect APT stealth attacks under constant contextual conditions and under change. We address the detection of both known and unseen attacks. This is the first thesis to comprehensively address the effective detection of APTs in an SDN context and demonstrates that machine learning has a critical part to play in addressing the challenges APTs pose to SDNs.

Optimising IDS configurations for IoT Networks Using AI approaches
Saudi Digital Library, 2023
Alshahrani, Abdulmonem; Clark, John A.

The number of internet-connected smart objects, known as the Internet of Things (IoT), has increased significantly in recent years. The low cost of manufacturing has enabled a proliferation of smart devices across many tasks and domains. Such devices, however, are typically resource constrained. This has led to the emergence of Low-Power and Lossy Networks (LLNs) which require efficient communication protocols. The Routing Protocol for Low-Power and Lossy Networks (RPL) has been designed for such a purpose. RPL is the de-facto standard routing protocol for the IoT.
Nevertheless, RPL-enabled networks are susceptible to many attacks as these devices are unattended, resource-constrained, and connected via unreliable networks. Deploying Intrusion Detection Systems (IDSs) in such a large and resource-constrained environment is a challenging task. The resource-constrained nature of many devices and nodes restricts what tasks those nodes can realistically expect to perform. There may be a great many choices as to what detection functionality is allocated and where. There are cost/benefit trade-offs between them, and inappropriately favouring one over another may cause an ineffective IDS deployment. In this research, we investigate the use of a metaheuristic-based optimisation method, namely a Genetic Algorithm (GA), to discover optimal IDS placements and configurations for Low-Power and Lossy Networks (LLNs). To the best of our knowledge, this is the first attempt to optimise IDS configurations for emerging and constrained networks while incorporating a wider set of aspects than currently considered. Our approach seeks to optimise and balance detection performance (either detection rate or F1 score), coverage (nodes are monitored by an appropriate number of probes), feasibility cost (nodes host detection functionality within their capability), and deployment cost (seeking to reduce the number of probes deployed). We propose a framework that makes trade-offs between these functional and non-functional constraints. A genetic algorithm-based optimisation approach is developed to address the IDS optimisation task. However, the fitness function is evaluated in part via a computationally expensive simulation. We show how a neural network can be used as a surrogate fitness function evaluation, providing better results more cheaply. Experimental results show that the proposed function approximation is more computationally efficient.
Our approximation-based GA system is 1.6 times faster than the corresponding simulation-based GA system. It also gives better results. Furthermore, when used repeatedly to generate candidate placements and configurations, the resource costs per generation reduce drastically. The surrogate model is valuable as it significantly reduces the evaluation time and computation. However, generality is still a limitation. Therefore, we propose a transfer-learning Deep Neural Networks (DNNs) approach that harnesses the experience of previously trained neural networks to develop a general proxy model for evaluating IDS configurations of newly presented networks more accurately.