Intrusion, Malware Detection and Prevention in Networks

A special issue of Journal of Cybersecurity and Privacy (ISSN 2624-800X). This special issue belongs to the section "Security Engineering & Applications".

Deadline for manuscript submissions: 15 May 2024 | Viewed by 11016

Special Issue Editors

School of Engineering, Liberty University, Lynchburg, VA 24515, USA
Interests: intrusion detection systems; machine learning; cyber security; IoT security and privacy internet measurement
Special Issues, Collections and Topics in MDPI journals

E-Mail Website
Guest Editor
School Information Technology, Illinois State University, Normal, IL 61790, USA
Interests: network security; artificial intelligence; adaptive learning
Special Issues, Collections and Topics in MDPI journals

Special Issue Information

Dear Colleagues,

This Special Issue is focused on the detection of intrusion and malware attacks on communication and networks, future Internet architectures, 5G and beyond wireless networks, enterprises, data centers, edge and cloud networks, software-defined networking (SDN), optical networks, the Internet and IoT-scale networks. We welcome the submission of papers on the following topics:

  • Distributed denial-of-service (DDoS) attack and defense;
  • Explainable prevention strategies;
  • Profiling normal or abnormal system behaviors;
  • Metrics for evaluating the effectiveness of intrusion detection techniques;
  • Access control;
  • Biometrics;
  • Jamming attack and defense;
  • Trojan attack and defense;
  • Viruses and malware;
  • Covert channel detection;
  • Malware and unwanted software.

Dr. Feng Wang
Prof. Dr. Yongning Tang
Guest Editors

Manuscript Submission Information

Manuscripts should be submitted online at www.mdpi.com by registering and logging in to this website. Once you are registered, click here to go to the submission form. Manuscripts can be submitted until the deadline. All submissions that pass pre-check are peer-reviewed. Accepted papers will be published continuously in the journal (as soon as accepted) and will be listed together on the special issue website. Research articles, review articles as well as short communications are invited. For planned papers, a title and short abstract (about 100 words) can be sent to the Editorial Office for announcement on this website.

Submitted manuscripts should not have been published previously, nor be under consideration for publication elsewhere (except conference proceedings papers). All manuscripts are thoroughly refereed through a single-blind peer-review process. A guide for authors and other relevant information for submission of manuscripts is available on the Instructions for Authors page. Journal of Cybersecurity and Privacy is an international peer-reviewed open access quarterly journal published by MDPI.

Please visit the Instructions for Authors page before submitting a manuscript. The Article Processing Charge (APC) for publication in this open access journal is 1000 CHF (Swiss Francs). Submitted papers should be well formatted and use good English. Authors may use MDPI's English editing service prior to publication or during author revisions.

Related Special Issue

Published Papers (10 papers)

Order results
Result details
Select all
Export citation of selected articles as:

Research

23 pages, 3062 KiB  
Article
Data-Driven Network Anomaly Detection with Cyber Attack and Defense Visualization
by Eric Muhati and Danda Rawat
J. Cybersecur. Priv. 2024, 4(2), 241-263; https://doi.org/10.3390/jcp4020012 - 09 Apr 2024
Viewed by 225
Abstract
The exponential growth in data volumes, combined with the inherent complexity of network algorithms, has drastically affected network security. Data activities are producing voluminous network logs that often mask critical vulnerabilities. Although there are efforts to address these hidden vulnerabilities, the solutions often [...] Read more.
The exponential growth in data volumes, combined with the inherent complexity of network algorithms, has drastically affected network security. Data activities are producing voluminous network logs that often mask critical vulnerabilities. Although there are efforts to address these hidden vulnerabilities, the solutions often come at high costs or increased complexities. In contrast, the potential of open-source tools, recognized for their security analysis capabilities, remains under-researched. These tools have the potential for detailed extraction of essential network components, and they strengthen network security. Addressing this gap, our paper proposes a data analytics-driven network anomaly detection model, which is uniquely complemented with a visualization layer, making the dynamics of cyberattacks and their subsequent defenses distinctive in near real-time. Our novel approach, based on network scanning tools and network discovery services, allows us to visualize the network based on how many IP-based networking devices are live, then we implement a data analytics-based intrusion detection system that scrutinizes all network connections. We then initiate mitigation measures, visually distinguishing malicious from benign connections using red and blue hues, respectively. Our experimental evaluation shows an F1 score of 97.9% and a minimal false positive rate of 0.3% in our model, demonstrating a marked improvement over existing research in this domain. Full article
(This article belongs to the Special Issue Intrusion, Malware Detection and Prevention in Networks)
Show Figures

Figure 1

27 pages, 1633 KiB  
Article
A Blockchain-Based Decentralized Public Key Infrastructure Using the Web of Trust
by Ratna Halder, Dipanjan Das Roy and Dongwan Shin
J. Cybersecur. Priv. 2024, 4(2), 196-222; https://doi.org/10.3390/jcp4020010 - 31 Mar 2024
Viewed by 280
Abstract
Internet applications rely on Secure Socket Layer (SSL)/Transport Security Layer (TSL) certifications to establish secure communication. However, the centralized nature of certificate authorities (CAs) poses a risk, as malicious third parties could exploit the CA to issue fake certificates to malicious web servers, [...] Read more.
Internet applications rely on Secure Socket Layer (SSL)/Transport Security Layer (TSL) certifications to establish secure communication. However, the centralized nature of certificate authorities (CAs) poses a risk, as malicious third parties could exploit the CA to issue fake certificates to malicious web servers, potentially compromising the privacy and integrity of user data. In this paper, we demonstrate how the utilization of decentralized certificate verification with blockchain technology can effectively address and mitigate such attacks. We present a decentralized public key infrastructure (PKI) based on a distributed trust model, e.g., Web of Trust (WoT) and blockchain technologies, to overcome vulnerabilities like single points of failure and to prevent tampering with existing certificates. In addition, our infrastructure establishes a trusted key-ring network that decouples the authentication process from CAs in order to enhance secure certificate issuance and accelerate the revocation process. Furthermore, as a proof of concept, we present the implementation of our proposed system in the Ethereum blockchain, confirming that the proposed framework meets the five identified requirements. Our experimental results demonstrate the effectiveness of our proposed system in practice, albeit with additional overhead compared to conventional PKIs. Full article
(This article belongs to the Special Issue Intrusion, Malware Detection and Prevention in Networks)
Show Figures

Figure 1

14 pages, 911 KiB  
Article
ScriptBlock Smuggling: Uncovering Stealthy Evasion Techniques in PowerShell and .NET Environments
by Anthony J. Rose, Scott R. Graham, Christine M. Schubert Kabban, Jacob J. Krasnov and Wayne C. Henry
J. Cybersecur. Priv. 2024, 4(2), 153-166; https://doi.org/10.3390/jcp4020008 - 25 Mar 2024
Viewed by 421
Abstract
The Antimalware Scan Interface (AMSI) plays a crucial role in detecting malware within Windows operating systems. This paper presents ScriptBlock Smuggling, a novel evasion and log spoofing technique exploiting PowerShell and .NET environments to circumvent the AMSI. By focusing on the manipulation of [...] Read more.
The Antimalware Scan Interface (AMSI) plays a crucial role in detecting malware within Windows operating systems. This paper presents ScriptBlock Smuggling, a novel evasion and log spoofing technique exploiting PowerShell and .NET environments to circumvent the AMSI. By focusing on the manipulation of ScriptBlocks within the Abstract Syntax Tree (AST), this method creates dual AST representations, one for compiler execution and another for antivirus and log analysis, enabling the evasion of AMSI detection and challenging traditional memory patching bypass methods. This research provides a detailed analysis of PowerShell’s ScriptBlock creation and its inherent security features and pinpoints critical limitations in the AMSI’s capabilities to scrutinize ScriptBlocks and the implications of log spoofing as part of this evasion method. The findings highlight potential avenues for attackers to exploit these vulnerabilities, suggesting the possibility of a new class of AMSI bypasses and their use for log spoofing. In response, this paper proposes a synchronization strategy for ASTs, intended to unify the compilation and malware scanning processes to reduce the threat surfaces in PowerShell and .NET environments. Full article
(This article belongs to the Special Issue Intrusion, Malware Detection and Prevention in Networks)
Show Figures

Figure 1

19 pages, 4035 KiB  
Article
Anomaly Detection for Modbus over TCP in Control Systems Using Entropy and Classification-Based Analysis
by Tirthankar Ghosh, Sikha Bagui, Subhash Bagui, Martin Kadzis and Jackson Bare
J. Cybersecur. Priv. 2023, 3(4), 895-913; https://doi.org/10.3390/jcp3040041 - 01 Dec 2023
Viewed by 960
Abstract
This article presents a statistical approach using entropy and classification-based analysis to detect anomalies in industrial control systems traffic. Several statistical techniques have been proposed to create baselines and measure deviation to detect intrusion in enterprise networks with a centralized intrusion detection approach [...] Read more.
This article presents a statistical approach using entropy and classification-based analysis to detect anomalies in industrial control systems traffic. Several statistical techniques have been proposed to create baselines and measure deviation to detect intrusion in enterprise networks with a centralized intrusion detection approach in mind. Looking at traffic volume alone to find anomalous deviation may not be enough—it may result in increased false positives. The near real-time communication requirements, coupled with the lack of centralized infrastructure in operations technology and limited resources of the sensor motes, require an efficient anomaly detection system characterized by these limitations. This paper presents extended results from our previous work by presenting a detailed cluster-based entropy analysis on selected network traffic features. It further extends the analysis using a classification-based approach. Our detailed entropy analysis corroborates with our earlier findings that, although some degree of anomaly may be detected using univariate and bivariate entropy analysis for Denial of Service (DOS) and Man-in-the-Middle (MITM) attacks, not much information may be obtained for the initial reconnaissance, thus preventing early stages of attack detection in the Cyber Kill Chain. Our classification-based analysis shows that, overall, the classification results of the DOS attacks were much higher than the MITM attacks using two Modbus features in addition to the three TCP/IP features. In terms of classifiers, J48 and random forest had the best classification results and can be considered comparable. For the DOS attack, no resampling with the 60–40 (training/testing split) had the best results (average accuracy of 97.87%), but for the MITM attack, the 80–20 non-attack vs. attack data with the 75–25 split (average accuracy of 82.81%) had the best results. Full article
(This article belongs to the Special Issue Intrusion, Malware Detection and Prevention in Networks)
Show Figures

Figure 1

14 pages, 669 KiB  
Article
A Hybrid Dimensionality Reduction for Network Intrusion Detection
by Humera Ghani, Shahram Salekzamankhani and Bal Virdee
J. Cybersecur. Priv. 2023, 3(4), 830-843; https://doi.org/10.3390/jcp3040037 - 16 Nov 2023
Viewed by 1062
Abstract
Due to the wide variety of network services, many different types of protocols exist, producing various packet features. Some features contain irrelevant and redundant information. The presence of such features increases computational complexity and decreases accuracy. Therefore, this research is designed to reduce [...] Read more.
Due to the wide variety of network services, many different types of protocols exist, producing various packet features. Some features contain irrelevant and redundant information. The presence of such features increases computational complexity and decreases accuracy. Therefore, this research is designed to reduce the data dimensionality and improve the classification accuracy in the UNSW-NB15 dataset. It proposes a hybrid dimensionality reduction system that does feature selection (FS) and feature extraction (FE). FS was performed using the Recursive Feature Elimination (RFE) technique, while FE was accomplished by transforming the features into principal components. This combined scheme reduced a total of 41 input features into 15 components. The proposed systems’ classification performance was determined using an ensemble of Support Vector Classifier (SVC), K-nearest Neighbor classifier (KNC), and Deep Neural Network classifier (DNN). The system was evaluated using accuracy, detection rate, false positive rate, f1-score, and area under the curve metrics. Comparing the voting ensemble results of the full feature set against the 15 principal components confirms that reduced and transformed features did not significantly decrease the classifier’s performance. We achieved 94.34% accuracy, a 93.92% detection rate, a 5.23% false positive rate, a 94.32% f1-score, and a 94.34% area under the curve when 15 components were input to the voting ensemble classifier. Full article
(This article belongs to the Special Issue Intrusion, Malware Detection and Prevention in Networks)
Show Figures

Figure 1

38 pages, 3956 KiB  
Article
Studying Imbalanced Learning for Anomaly-Based Intelligent IDS for Mission-Critical Internet of Things
by Ghada Abdelmoumin, Danda B. Rawat and Abdul Rahman
J. Cybersecur. Priv. 2023, 3(4), 706-743; https://doi.org/10.3390/jcp3040032 - 06 Oct 2023
Viewed by 1039
Abstract
Training-anomaly-based, machine-learning-based, intrusion detection systems (AMiDS) for use in critical Internet of Things (CioT) systems and military Internet of Things (MioT) environments may involve synthetic data or publicly simulated data due to data restrictions, data scarcity, or both. However, synthetic data can be [...] Read more.
Training-anomaly-based, machine-learning-based, intrusion detection systems (AMiDS) for use in critical Internet of Things (CioT) systems and military Internet of Things (MioT) environments may involve synthetic data or publicly simulated data due to data restrictions, data scarcity, or both. However, synthetic data can be unrealistic and potentially biased, and simulated data are invariably static, unrealistic, and prone to obsolescence. Building an AMiDS logical model to predict the deviation from normal behavior in MioT and CioT devices operating at the sensing or perception layer due to adversarial attacks often requires the model to be trained using current and realistic data. Unfortunately, while real-time data are realistic and relevant, they are largely imbalanced. Imbalanced data have a skewed class distribution and low-similarity index, thus hindering the model’s ability to recognize important features in the dataset and make accurate predictions. Data-driven learning using data sampling, resampling, and generative methods can lessen the adverse impact of a data imbalance on the AMiDS model’s performance and prediction accuracy. Generative methods enable passive adversarial learning. This paper investigates several data sampling, resampling, and generative methods. It examines their impacts on the performance and prediction accuracy of AMiDS models trained using imbalanced data drawn from the UNSW_2018_IoT_Botnet dataset, a publicly available IoT dataset from the IEEEDataPort. Furthermore, it evaluates the performance and predictability of these models when trained using data transformation methods, such as normalization and one-hot encoding, to cover a skewed distribution, data sampling and resampling methods to address data imbalances, and generative methods to train the models to increase the model’s robustness to recognize new but similar attacks. In this initial study, we focus on CioT systems and train PCA-based and oSVM-based AMiDS models constructed using low-complexity PCA and one-class SVM (oSVM) ML algorithms to fit an imbalanced ground truth IoT dataset. Overall, we consider the rare event prediction case where the minority class distribution is disproportionately low compared to the majority class distribution. We plan to use transfer learning in future studies to generalize our initial findings to the MioT environment. We focus on CioT systems and MioT environments instead of traditional or non-critical IoT environments due to the stringent low energy, the minimal response time constraints, and the variety of low-power, situational-aware (or both) things operating at the sensing or perception layer in a highly complex and open environment. Full article
(This article belongs to the Special Issue Intrusion, Malware Detection and Prevention in Networks)
Show Figures

Figure 1

14 pages, 933 KiB  
Article
Hybrid Machine Learning-Based Approaches for Feature and Overfitting Reduction to Model Intrusion Patterns
by Fatemeh Ahmadi Abkenari, Amin Milani Fard and Sara Khanchi
J. Cybersecur. Priv. 2023, 3(3), 544-557; https://doi.org/10.3390/jcp3030026 - 25 Aug 2023
Viewed by 1122
Abstract
An intrusion detection system (IDS), whether as a device or software-based agent, plays a significant role in networks and systems security by continuously monitoring traffic behaviour to detect malicious activities. The literature includes IDSs that leverage models trained to detect known attack behaviours. [...] Read more.
An intrusion detection system (IDS), whether as a device or software-based agent, plays a significant role in networks and systems security by continuously monitoring traffic behaviour to detect malicious activities. The literature includes IDSs that leverage models trained to detect known attack behaviours. However, such models suffer from low accuracy or high overfitting. This work aims to enhance the performance of the IDS by making a model based on the observed traffic via applying different single and ensemble classifiers and lowering the classifier’s overfitting on a reduced set of features. We implement various feature reduction techniques, including Linear Regression, LASSO, Random Forest, Boruta, and autoencoders on the CSE-CIC-IDS2018 dataset to provide a training set for classifiers, including Decision Tree, Naïve Bayes, neural networks, Random Forest, and XGBoost. Our experiments show that the Decision Tree classifier on autoencoders-based reduced sets of features yields the lowest overfitting among other combinations. Full article
(This article belongs to the Special Issue Intrusion, Malware Detection and Prevention in Networks)
Show Figures

Figure 1

13 pages, 1576 KiB  
Article
A Deep Learning Approach for Network Intrusion Detection Using a Small Features Vector
by Humera Ghani, Bal Virdee and Shahram Salekzamankhani
J. Cybersecur. Priv. 2023, 3(3), 451-463; https://doi.org/10.3390/jcp3030023 - 03 Aug 2023
Cited by 1 | Viewed by 2594
Abstract
With the growth in network usage, there has been a corresponding growth in the nefarious exploitation of this technology. A wide array of techniques is now available that can be used to deal with cyberattacks, and one of them is network intrusion detection. [...] Read more.
With the growth in network usage, there has been a corresponding growth in the nefarious exploitation of this technology. A wide array of techniques is now available that can be used to deal with cyberattacks, and one of them is network intrusion detection. Artificial Intelligence (AI) and Machine Learning (ML) techniques have extensively been employed to identify network anomalies. This paper provides an effective technique to evaluate the classification performance of a deep-learning-based Feedforward Neural Network (FFNN) classifier. A small feature vector is used to detect network traffic anomalies in the UNSW-NB15 and NSL-KDD datasets. The results show that a large feature set can have redundant and unuseful features, and it requires high computation power. The proposed technique exploits a small feature vector and achieves better classification accuracy. Full article
(This article belongs to the Special Issue Intrusion, Malware Detection and Prevention in Networks)
Show Figures

Figure 1

16 pages, 653 KiB  
Article
Hourly Network Anomaly Detection on HTTP Using Exponential Random Graph Models and Autoregressive Moving Average
by Richard Li and Michail Tsikerdekis
J. Cybersecur. Priv. 2023, 3(3), 435-450; https://doi.org/10.3390/jcp3030022 - 01 Aug 2023
Viewed by 936
Abstract
Network anomaly detection solutions can analyze a network’s data volume by protocol over time and can detect many kinds of cyberattacks such as exfiltration. We use exponential random graph models (ERGMs) in order to flatten hourly network topological characteristics into a time series, [...] Read more.
Network anomaly detection solutions can analyze a network’s data volume by protocol over time and can detect many kinds of cyberattacks such as exfiltration. We use exponential random graph models (ERGMs) in order to flatten hourly network topological characteristics into a time series, and Autoregressive Moving Average (ARMA) to analyze that time series and to detect potential attacks. In particular, we extend our previous method in not only demonstrating detection over hourly data but also through labeling of nodes and over the HTTP protocol. We demonstrate the effectiveness of our method using real-world data for creating exfiltration scenarios. We highlight how our method has the potential to provide a useful description of what is happening in the network structure and how this can assist cybersecurity analysts in making better decisions in conjunction with existing intrusion detection systems. Finally, we describe some strengths of our method, its accuracy based on the right selection of parameters, as well as its low computational requirements. Full article
(This article belongs to the Special Issue Intrusion, Malware Detection and Prevention in Networks)
Show Figures

Figure 1

18 pages, 1915 KiB  
Article
Mitigating IoT Privacy-Revealing Features by Time Series Data Transformation
by Feng Wang, Yongning Tang and Hongbing Fang
J. Cybersecur. Priv. 2023, 3(2), 209-226; https://doi.org/10.3390/jcp3020012 - 18 May 2023
Cited by 1 | Viewed by 1278
Abstract
As the Internet of Things (IoT) continues to expand, billions of IoT devices are now connected to the internet, producing vast quantities of data. Collecting and sharing this data has become crucial to improving IoT technologies and developing new applications. However, the publication [...] Read more.
As the Internet of Things (IoT) continues to expand, billions of IoT devices are now connected to the internet, producing vast quantities of data. Collecting and sharing this data has become crucial to improving IoT technologies and developing new applications. However, the publication of privacy-preserving IoT traffic data is exceedingly challenging due to the various privacy concerns surrounding users, IoT networks, and devices. In this paper, we propose a data transformation method aimed at safeguarding the privacy of IoT devices by transforming time series datasets. Based on our measurements, we have found that the transformed datasets retain the intrinsic value of the original IoT data and maintains data utility. This approach will enable non-expert data owners to better understand and evaluate the potential device-level privacy risks associated with their IoT data while simultaneously offering a reliable solution to mitigate their concerns about privacy violations. Full article
(This article belongs to the Special Issue Intrusion, Malware Detection and Prevention in Networks)
Show Figures

Figure 1

Back to TopTop