Design of Intelligent Intrusion Detection Systems

A special issue of Electronics (ISSN 2079-9292). This special issue belongs to the section "Computer Science & Engineering".

Deadline for manuscript submissions: closed (30 June 2022) | Viewed by 59724

Special Issue Editors


Prof. Dr. Constantinos Kolias
Guest Editor
Department of Computer Science, University of Idaho, Idaho Falls, ID 83402, USA
Interests: IoT security; critical infrastructure security; intrusion detection systems; side-channel analysis for security

Dr. Georgios Kambourakis
Guest Editor
Department of Information and Communication Systems Engineering, University of the Aegean, 83100 Samos, Greece
Interests: mobile and wireless networks security and privacy; VoIP security; IoT security and privacy; DNS security; intrusion detection systems; security education

Dr. Weizhi Meng
Guest Editor

Special Issue Information

Dear Colleagues,

Commerce, healthcare, manufacturing, and energy are just some of the sectors of modern society that have been revolutionized by the adoption of computer systems and the penetration of digital communications. As this digitization trend expands at an increasing rate, cyber-attacks and threats have become an omnipresent, all-pervasive phenomenon. It is because of this penetration that today, more than ever, attackers are highly motivated to perform well-orchestrated attacks. To make matters worse, attackers can rely on publicly available offensive tools or acquire exploits from the dark web. It does not come as a surprise that attacks and malware are becoming increasingly intelligent, stealthy, and robust against traditional defense practices. Recent incidents like Stuxnet or WannaCry signify the urgency of developing intelligent detection methodologies and tools able to identify never-seen-before threats.

Artificial Intelligence (AI), Machine Learning (ML), and data analysis methods, while applied successfully in other domains, have only seen partial practical application in intrusion detection. The primary reasons identified in the literature are: (a) high false-positive rates, (b) a lack of rich data to train effective models, owing to the sensitive nature of the security domain, (c) the requirement for an elaborate feature engineering phase conducted by human domain experts, and (d) the inability of existing methods to produce explainable models.

The objective of this Special Issue is to present the state of the art in the field of anomaly and intrusion detection, with particular emphasis on intelligent techniques able to overcome one or more of these well-documented inefficiencies of existing approaches. Researchers are invited to contribute novel methods, algorithms, datasets, tools, and studies in the field.

Prof. Dr. Constantinos Kolias
Dr. Georgios Kambourakis
Dr. Weizhi Meng
Guest Editors

Manuscript Submission Information

Manuscripts should be submitted online at www.mdpi.com by registering and logging in to this website. Once you are registered, proceed to the submission form. Manuscripts can be submitted until the deadline. All submissions that pass pre-check are peer-reviewed. Accepted papers will be published continuously in the journal (as soon as accepted) and will be listed together on the special issue website. Research articles, review articles as well as short communications are invited. For planned papers, a title and short abstract (about 100 words) can be sent to the Editorial Office for announcement on this website.

Submitted manuscripts should not have been published previously, nor be under consideration for publication elsewhere (except conference proceedings papers). All manuscripts are thoroughly refereed through a single-blind peer-review process. A guide for authors and other relevant information for submission of manuscripts is available on the Instructions for Authors page. Electronics is an international peer-reviewed open access semimonthly journal published by MDPI.

Please visit the Instructions for Authors page before submitting a manuscript. The Article Processing Charge (APC) for publication in this open access journal is 2400 CHF (Swiss Francs). Submitted papers should be well formatted and use good English. Authors may use MDPI's English editing service prior to publication or during author revisions.

Keywords

  • Scalable Anomaly Detection Methods
  • Distributed Intrusion Detection
  • Collaborative Intrusion Detection
  • Privacy Preserving IDS
  • Federated Anomaly Detection
  • Application of Deep Learning for Intrusion Detection
  • Reinforcement Learning for Intrusion Detection
  • Intrusion Detection in IoT Networks
  • Intrusion Detection for Industrial Control Systems
  • Intrusion Detection in Vehicular Networks

Benefits of Publishing in a Special Issue

  • Ease of navigation: Grouping papers by topic helps scholars navigate broad scope journals more efficiently.
  • Greater discoverability: Special Issues support the reach and impact of scientific research. Articles in Special Issues are more discoverable and cited more frequently.
  • Expansion of research network: Special Issues facilitate connections among authors, fostering scientific collaborations.
  • External promotion: Articles in Special Issues are often promoted through the journal's social media, increasing their visibility.
  • e-Book format: Special Issues with more than 10 articles can be published as dedicated e-books, ensuring wide and rapid dissemination.

Further information on MDPI's Special Issue policies can be found on the journal's website.

Published Papers (10 papers)


Research


20 pages, 730 KiB  
Article
Evaluation of Black-Box Web Application Security Scanners in Detecting Injection Vulnerabilities
by Muzun Althunayyan, Neetesh Saxena, Shancang Li and Prosanta Gope
Electronics 2022, 11(13), 2049; https://doi.org/10.3390/electronics11132049 - 29 Jun 2022
Cited by 6 | Viewed by 4533
Abstract
With the Internet’s meteoric rise in popularity and usage over the years, there has been a significant increase in the number of web applications. Nearly all organisations use them for various purposes, such as e-commerce, e-banking, e-learning, and social networking. More importantly, web applications have become increasingly vulnerable to malicious attack. To find web vulnerabilities before an attacker does, security experts use black-box web application vulnerability scanners to check for security vulnerabilities in web applications. Most studies have evaluated these black-box scanners against various vulnerable web applications. However, most tested applications are traditional (non-dynamic) and do not reflect the current web. This study evaluates the detection accuracy of five black-box web application vulnerability scanners against one of the most modern and sophisticated insecure web applications, representing a real-life e-commerce application. The tested vulnerabilities are injection vulnerabilities, in particular structured query language injection (SQLi), not only SQL (NoSQL) injection, and server-side template injection (SSTI). We also tested the black-box scanners in four modes to identify their limitations. The findings show that the black-box scanners overlook most vulnerabilities in almost all modes, and some scanners missed all the vulnerabilities.
(This article belongs to the Special Issue Design of Intelligent Intrusion Detection Systems)

13 pages, 571 KiB  
Article
Encrypted Malicious Traffic Detection Based on Word2Vec
by Andrey Ferriyan, Achmad Husni Thamrin, Keiji Takeda and Jun Murai
Electronics 2022, 11(5), 679; https://doi.org/10.3390/electronics11050679 - 23 Feb 2022
Cited by 15 | Viewed by 4637
Abstract
Network-based intrusion detection becomes more difficult as Internet traffic is mostly encrypted. This paper introduces a method to detect encrypted malicious traffic based on the Transport Layer Security handshake and payload features without waiting for the traffic session to finish while preserving privacy. Our method, called TLS2Vec, creates words from the extracted features and uses Long Short-Term Memory (LSTM) for inference. We evaluated our method using traffic from three malicious applications and a benign application that we obtained from two publicly available datasets. Our results showed that TLS2Vec is promising as a tool to detect such malicious traffic.
(This article belongs to the Special Issue Design of Intelligent Intrusion Detection Systems)

14 pages, 1746 KiB  
Article
Machine Learning for DDoS Attack Detection in Industry 4.0 CPPSs
by Firooz B. Saghezchi, Georgios Mantas, Manuel A. Violas, A. Manuel de Oliveira Duarte and Jonathan Rodriguez
Electronics 2022, 11(4), 602; https://doi.org/10.3390/electronics11040602 - 16 Feb 2022
Cited by 40 | Viewed by 10161
Abstract
The Fourth Industrial Revolution (Industry 4.0) has transformed factories into smart Cyber-Physical Production Systems (CPPSs), where man, product, and machine are fully interconnected across the whole supply chain. Although this digitalization brings enormous advantages through customized, transparent, and agile manufacturing, it introduces a significant number of new attack vectors—e.g., through vulnerable Internet-of-Things (IoT) nodes—that can be leveraged by attackers to launch sophisticated Distributed Denial-of-Service (DDoS) attacks threatening the availability of the production line, business services, or even human lives. In this article, we adopt a Machine Learning (ML) approach for network anomaly detection and construct different data-driven models to detect DDoS attacks on Industry 4.0 CPPSs. Existing techniques use data either artificially synthesized or collected from Information Technology (IT) networks or small-scale lab testbeds. To address this limitation, we use network traffic data captured from a real-world semiconductor production factory. We extract 45 bidirectional network flow features and construct several labeled datasets for training and testing ML models. We investigate 11 different supervised, unsupervised, and semi-supervised algorithms and assess their performance through extensive simulations. The results show that, in terms of the detection performance, supervised algorithms outperform both unsupervised and semi-supervised ones. In particular, the Decision Tree model attains an Accuracy of 0.999 while confining the False Positive Rate to 0.001.
(This article belongs to the Special Issue Design of Intelligent Intrusion Detection Systems)
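The abstract above rests on bidirectional flow features: packets in both directions of a connection are grouped into one record before any model sees them. The following is an added example (not the paper's code, feature set or data) showing how such records are built from raw packet tuples and how a handful of the usual features (per-direction packet and byte counts, duration, inter-arrival time, SYN-only flag) fall out of the grouping. The `Packet` class, the feature names, the IPv4-only assumption and the traffic sample are all constructed for this example; the paper extracts 45 features and trains ML models, whereas the closing `syn_flood_candidates` rule is a plain threshold used only to show the features in action.

```python
"""Bidirectional flow features from packet records, plus a half-open-connection
check: an added, self-contained example (not the paper's feature set or data)."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Packet:
    ts: float        # capture time in seconds
    src: str         # IPv4 source address (assumption: IPv4 only)
    sport: int
    dst: str
    dport: int
    proto: str       # "tcp" or "udp"
    length: int      # bytes on the wire
    flags: str = ""  # TCP flags as letters: S, SA, A, PA, FA ...


def flow_key(p):
    """Direction-independent 5-tuple: the lexicographically smaller endpoint goes first."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (p.proto,) + (a + b if a <= b else b + a)


def extract_flows(packets):
    """Group packets into bidirectional flows and compute per-flow features.
    The forward direction is defined by the first packet seen in the flow."""
    grouped = defaultdict(list)
    for p in sorted(packets, key=lambda pkt: pkt.ts):
        grouped[flow_key(p)].append(p)
    features = {}
    for key, pkts in grouped.items():
        first = pkts[0]
        fwd = [p for p in pkts if (p.src, p.sport) == (first.src, first.sport)]
        bwd = [p for p in pkts if (p.src, p.sport) != (first.src, first.sport)]
        ts = [p.ts for p in pkts]
        iats = [later - earlier for earlier, later in zip(ts, ts[1:])]
        features[key] = {
            "initiator_ip": first.src,
            "responder": f"{first.dst}:{first.dport}",
            "fwd_pkts": len(fwd),
            "bwd_pkts": len(bwd),
            "fwd_bytes": sum(p.length for p in fwd),
            "bwd_bytes": sum(p.length for p in bwd),
            "duration": ts[-1] - ts[0],
            "mean_iat": mean(iats) if iats else 0.0,
            "mean_pkt_len": mean(p.length for p in pkts),
            "syn_only": all(p.flags == "S" for p in pkts),
        }
    return features


def syn_flood_candidates(features, min_sources=3):
    """Responders receiving unanswered SYN-only flows from at least `min_sources`
    distinct source IPs. A threshold rule for illustration, not the paper's ML models."""
    sources = defaultdict(set)
    for f in features.values():
        if f["syn_only"] and f["bwd_pkts"] == 0:
            sources[f["responder"]].add(f["initiator_ip"])
    return {r: len(s) for r, s in sources.items() if len(s) >= min_sources}


def build_sample_packets():
    """Constructed traffic: one complete HTTP-like TCP exchange and five
    unanswered SYNs from different spoofed addresses to the same server."""
    normal = [
        Packet(0.000, "10.0.0.5", 40000, "10.0.0.80", 80, "tcp", 60, "S"),
        Packet(0.010, "10.0.0.80", 80, "10.0.0.5", 40000, "tcp", 60, "SA"),
        Packet(0.011, "10.0.0.5", 40000, "10.0.0.80", 80, "tcp", 52, "A"),
        Packet(0.012, "10.0.0.5", 40000, "10.0.0.80", 80, "tcp", 300, "PA"),
        Packet(0.030, "10.0.0.80", 80, "10.0.0.5", 40000, "tcp", 1400, "PA"),
        Packet(0.031, "10.0.0.5", 40000, "10.0.0.80", 80, "tcp", 52, "FA"),
    ]
    flood = [
        Packet(1.0 + 0.001 * i, f"198.51.100.{i + 1}", 50000 + i,
               "10.0.0.80", 80, "tcp", 60, "S")
        for i in range(5)
    ]
    return normal + flood


if __name__ == "__main__":
    feats = extract_flows(build_sample_packets())
    for key, f in feats.items():
        print(key, f)
    print("SYN flood candidates:", syn_flood_candidates(feats))
```

The point to take from the grouping is that direction matters: the normal exchange has traffic in both directions, while every flood flow has `bwd_pkts == 0`, which is exactly the asymmetry a flow-level DDoS model learns. A production extractor would also apply idle and active timeouts so that long connections are split into several records, which this example omits.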

28 pages, 4366 KiB  
Article
Detection of DGA-Generated Domain Names with TF-IDF
by Harald Vranken and Hassan Alizadeh
Electronics 2022, 11(3), 414; https://doi.org/10.3390/electronics11030414 - 29 Jan 2022
Cited by 21 | Viewed by 4619
Abstract
Botnets often apply domain name generation algorithms (DGAs) to evade detection by generating large numbers of pseudo-random domain names of which only few are registered by cybercriminals. In this paper, we address how DGA-generated domain names can be detected by means of machine learning and deep learning. We first present an extensive literature review on recent prior work in which machine learning and deep learning have been applied for detecting DGA-generated domain names. We observe that a common methodology is still missing, and the use of different datasets means that experimental results can hardly be compared. We next propose the use of TF-IDF to measure frequencies of the most relevant n-grams in domain names, and use these as features in learning algorithms. We perform experiments with various machine-learning and deep-learning models using TF-IDF features, of which a deep MLP model yields the best results. For comparison, we also apply an LSTM model with embedding layer to convert domain names from a sequence of characters into a vector representation. The performance of our LSTM and MLP models is rather similar, achieving 0.994 and 0.995 AUC, and average F1-scores of 0.907 and 0.891 respectively.
(This article belongs to the Special Issue Design of Intelligent Intrusion Detection Systems)
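To make the TF-IDF-on-n-grams idea in the abstract above concrete, here is an added example (not the authors' code, models or datasets) that computes character bigram and trigram TF-IDF weights for the registrable label of a domain and classifies a hostname by cosine similarity to a per-class centroid. The centroid classifier stands in for the paper's deep MLP so that the block runs with the standard library only; the benign and DGA-looking label lists, the `registrable_label` helper (which ignores the public-suffix list) and the hostnames used in `__main__` are all constructed for this example.

```python
"""Character n-gram TF-IDF features for DGA detection: an added, self-contained example."""
import math
from collections import Counter

NGRAM_SIZES = (2, 3)  # bigrams and trigrams of the registrable label

# Constructed sample labels, not taken from any of the paper's datasets.
BENIGN_SAMPLE = ["google", "facebook", "wikipedia", "microsoft", "amazon", "youtube",
                 "twitter", "linkedin", "github", "netflix", "gmail", "apple"]
DGA_SAMPLE = ["xkqzvbwpla", "qwzrtyvbxn", "pkjdhqvtzs", "zmxncbvqwr", "tqpwzkjvhx",
              "vbnqzxwtpk", "hjkzqwpxvt", "wqzxkpvbtn", "kzqxpwvthb", "bqwvzxktph"]


def registrable_label(hostname):
    """Label left of the last dot. Simplification (an assumption of this example):
    no public-suffix list, so 'example.co.uk' would yield 'co'."""
    parts = hostname.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def char_ngrams(label, sizes=NGRAM_SIZES):
    """All character n-grams of `label` for each size in `sizes`, in order."""
    label = label.lower()
    grams = []
    for n in sizes:
        grams.extend(label[i:i + n] for i in range(len(label) - n + 1))
    return grams


class NgramTfidf:
    """TF-IDF over character n-grams; idf uses the smoothed form log((1+N)/(1+df)) + 1."""

    def __init__(self, sizes=NGRAM_SIZES):
        self.sizes = sizes
        self.idf = {}

    def fit(self, labels):
        df = Counter()
        for lab in labels:
            df.update(set(char_ngrams(lab, self.sizes)))  # document frequency
        n_docs = len(labels)
        self.idf = {g: math.log((1 + n_docs) / (1 + d)) + 1.0 for g, d in df.items()}
        return self

    def transform(self, label):
        """Sparse TF-IDF vector as {ngram: weight}; n-grams unseen in fit() are dropped."""
        grams = char_ngrams(label, self.sizes)
        if not grams:
            return {}
        tf = Counter(grams)
        return {g: (c / len(grams)) * self.idf[g] for g, c in tf.items() if g in self.idf}


def cosine(a, b):
    """Cosine similarity of two sparse vectors held as dicts."""
    dot = sum(w * b.get(g, 0.0) for g, w in a.items())
    na = math.sqrt(sum(w * w for w in a.values()))
    nb = math.sqrt(sum(w * w for w in b.values()))
    return dot / (na * nb) if na and nb else 0.0


class CentroidDgaClassifier:
    """Nearest-centroid classifier on TF-IDF n-gram vectors. The paper's best model
    was a deep MLP on this kind of feature; a centroid is used here so the example
    needs no ML library."""

    def __init__(self):
        self.vec = NgramTfidf()
        self.centroids = {}

    def fit(self, benign, dga):
        self.vec.fit(benign + dga)
        for name, group in (("benign", benign), ("dga", dga)):
            acc = Counter()
            for lab in group:
                acc.update(self.vec.transform(lab))  # element-wise sum of sparse vectors
            self.centroids[name] = {g: w / len(group) for g, w in acc.items()}
        return self

    def scores(self, hostname):
        x = self.vec.transform(registrable_label(hostname))
        return {name: cosine(x, c) for name, c in self.centroids.items()}

    def predict(self, hostname):
        s = self.scores(hostname)
        return max(s, key=s.get)  # a 0/0 tie resolves to "benign", the first key


def build_demo_classifier():
    return CentroidDgaClassifier().fit(BENIGN_SAMPLE, DGA_SAMPLE)


if __name__ == "__main__":
    clf = build_demo_classifier()
    for host in ("www.googlemail.com", "xkqzvbyvbxn.net"):
        print(host, clf.predict(host), clf.scores(host))
```

Two caveats a practitioner would check before trusting such a feature set: dictionary-based DGAs (which concatenate real words) share most n-grams with benign labels and need sequence-aware models such as the LSTM the abstract mentions, and the smoothed IDF silently drops any n-gram not seen during training, so the vocabulary must be refreshed as feeds change.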

31 pages, 651 KiB  
Article
LC-IDS: Loci-Constellation-Based Intrusion Detection for Reconfigurable Wireless Networks
by Jaime Zuniga-Mejia, Rafaela Villalpando-Hernandez, Cesar Vargas-Rosales and Mahdi Zareei
Electronics 2021, 10(24), 3053; https://doi.org/10.3390/electronics10243053 - 7 Dec 2021
Viewed by 2144
Abstract
Detection accuracy of current machine-learning approaches to intrusion detection depends heavily on feature engineering and dimensionality-reduction techniques (e.g., variational autoencoder) applied to large datasets. For many use cases, a tradeoff between detection performance and resource requirements must be considered. In this paper, we propose Loci-Constellation-based Intrusion Detection System (LC-IDS), a general framework for network intrusion detection (detection of already known and previously unknown routing attacks) for reconfigurable wireless networks (e.g., vehicular ad hoc networks, unmanned aerial vehicle networks). We introduce the concept of ‘attack-constellation’, which allows us to represent all the relevant information for intrusion detection (misuse detection and anomaly detection) on a latent 2-dimensional space that arises naturally by considering the temporal structure of the input data. The attack/anomaly-detection performance of LC-IDS is analyzed through simulations in a wide range of network conditions. We show that for all the analyzed network scenarios, we can detect known attacks with good detection accuracy, and anomalies with low false positive rates. We show the flexibility and scalability of LC-IDS that allow us to consider a dynamic number of neighboring nodes and routing attacks in the ‘attack-constellation’ in a distributed fashion and with low computational requirements.
(This article belongs to the Special Issue Design of Intelligent Intrusion Detection Systems)

25 pages, 2424 KiB  
Article
An Anomaly-Based Intrusion Detection System for Internet of Medical Things Networks
by Georgios Zachos, Ismael Essop, Georgios Mantas, Kyriakos Porfyrakis, José C. Ribeiro and Jonathan Rodriguez
Electronics 2021, 10(21), 2562; https://doi.org/10.3390/electronics10212562 - 20 Oct 2021
Cited by 51 | Viewed by 5091
Abstract
Over the past few years, the healthcare sector is being transformed due to the rise of the Internet of Things (IoT) and the introduction of the Internet of Medical Things (IoMT) technology, whose purpose is the improvement of the patient’s quality of life. Nevertheless, the heterogeneous and resource-constrained characteristics of IoMT networks make them vulnerable to a wide range of threats. Thus, novel security mechanisms, such as accurate and efficient anomaly-based intrusion detection systems (AIDSs), considering the inherent limitations of the IoMT networks, need to be developed before IoMT networks reach their full potential in the market. Towards this direction, in this paper, we propose an efficient and effective anomaly-based intrusion detection system (AIDS) for IoMT networks. The proposed AIDS aims to leverage host-based and network-based techniques to reliably collect log files from the IoMT devices and the gateway, as well as traffic from the IoMT edge network, while taking into consideration the computational cost. The proposed AIDS is to rely on machine learning (ML) techniques, considering the computation overhead, in order to detect abnormalities in the collected data and thus identify malicious incidents in the IoMT network. A set of six popular ML algorithms was tested and evaluated for anomaly detection in the proposed AIDS, and the evaluation results showed which of them are the most suitable.
(This article belongs to the Special Issue Design of Intelligent Intrusion Detection Systems)

21 pages, 5108 KiB  
Article
A Novel Approach for Network Intrusion Detection Using Multistage Deep Learning Image Recognition
by Jevgenijus Toldinas, Algimantas Venčkauskas, Robertas Damaševičius, Šarūnas Grigaliūnas, Nerijus Morkevičius and Edgaras Baranauskas
Electronics 2021, 10(15), 1854; https://doi.org/10.3390/electronics10151854 - 1 Aug 2021
Cited by 79 | Viewed by 6622
Abstract
The current rise in hacking and computer network attacks throughout the world has heightened the demand for improved intrusion detection and prevention solutions. The intrusion detection system (IDS) is critical in identifying abnormalities and assaults on the network, which have grown in size and pervasiveness. The paper proposes a novel approach for network intrusion detection using multistage deep learning image recognition. The network features are transformed into four-channel (Red, Green, Blue, and Alpha) images. The images are then used for classification to train and test the pre-trained deep learning model ResNet50. The proposed approach is evaluated using two publicly available benchmark datasets, UNSW-NB15 and BOUN DDoS. On the UNSW-NB15 dataset, the proposed approach achieves 99.8% accuracy in the detection of the generic attack. On the BOUN DDoS dataset, the suggested approach achieves 99.7% accuracy in the detection of the DDoS attack and 99.7% accuracy in the detection of the normal traffic.
(This article belongs to the Special Issue Design of Intelligent Intrusion Detection Systems)

26 pages, 955 KiB  
Article
On the Improvement of the Isolation Forest Algorithm for Outlier Detection with Streaming Data
by Michael Heigl, Kumar Ashutosh Anand, Andreas Urmann, Dalibor Fiala, Martin Schramm and Robert Hable
Electronics 2021, 10(13), 1534; https://doi.org/10.3390/electronics10131534 - 24 Jun 2021
Cited by 29 | Viewed by 6154
Abstract
In recent years, detecting anomalies in real-world computer networks has become a more and more challenging task due to the steady increase of high-volume, high-speed and high-dimensional streaming data, for which ground truth information is not available. Efficient detection schemes applied on networked embedded devices need to be fast and memory-constrained, and must be capable of dealing with concept drifts when they occur. Different approaches for unsupervised online outlier detection have been designed to deal with these circumstances in order to reliably detect malicious activity. In this paper, we introduce a novel framework called PCB-iForest, which, generalized, is able to incorporate any ensemble-based online OD method to function on streaming data. Carefully engineered requirements are compared to the most popular state-of-the-art online methods with an in-depth focus on variants based on the widely accepted isolation forest algorithm, thereby highlighting the lack of a flexible and efficient solution which is satisfied by PCB-iForest. Therefore, we integrate two variants into PCB-iForest—an isolation forest improvement called extended isolation forest and a classic isolation forest variant equipped with the functionality to score features according to their contributions to a sample’s anomalousness. Extensive experiments were performed on 23 different multi-disciplinary and security-related real-world datasets in order to comprehensively evaluate the performance of our implementation compared with off-the-shelf methods. The discussion of results, including AUC, F1 score and averaged execution time metric, shows that PCB-iForest clearly outperformed the state-of-the-art competitors in 61% of cases and even achieved more promising results in terms of the tradeoff between classification and computational costs.
(This article belongs to the Special Issue Design of Intelligent Intrusion Detection Systems)

24 pages, 3149 KiB  
Article
Botnet Attack Detection Using Local Global Best Bat Algorithm for Industrial Internet of Things
by Abdullah Alharbi, Wael Alosaimi, Hashem Alyami, Hafiz Tayyab Rauf and Robertas Damaševičius
Electronics 2021, 10(11), 1341; https://doi.org/10.3390/electronics10111341 - 3 Jun 2021
Cited by 86 | Viewed by 5287
Abstract
The need for timely identification of Distributed Denial-of-Service (DDoS) attacks in the Internet of Things (IoT) has become critical in minimizing security risks as the number of IoT devices deployed rapidly grows globally and the volume of such attacks rises to unprecedented levels. Instant detection facilitates network security by speeding up warning and disconnection from the network of infected IoT devices, thereby preventing the botnet from propagating and thereby stopping additional attacks. Several methods have been developed for detecting botnet attacks, such as Swarm Intelligence (SI) and Evolutionary Computing (EC)-based algorithms. In this study, we propose a Local-Global best Bat Algorithm for Neural Networks (LGBA-NN) to select both feature subsets and hyperparameters for efficient detection of botnet attacks, inferred from 9 commercial IoT devices infected by two botnets: Gafgyt and Mirai. The proposed Bat Algorithm (BA) adopted the local-global best-based inertia weight to update the bat’s velocity in the swarm. To tackle the swarm diversity of BA, we proposed using a Gaussian distribution in the population initialization. Furthermore, the local search mechanism was followed by the Gaussian density function and local-global best function to achieve better exploration during each generation. Enhanced BA was further employed for neural network hyperparameter tuning and weight optimization to classify ten different botnet attacks with an additional one benign target class. The proposed LGBA-NN algorithm was tested on an N-BaIoT data set with extensive real traffic data with benign and malicious target classes. The performance of LGBA-NN was compared with several recent advanced approaches such as weight optimization using Particle Swarm Optimization (PSO-NN) and BA-NN. The experimental results revealed the superiority of LGBA-NN with 90% accuracy over other variants, i.e., BA-NN (85.5% accuracy) and PSO-NN (85.2% accuracy) in multi-class botnet attack detection.
(This article belongs to the Special Issue Design of Intelligent Intrusion Detection Systems)

Review


34 pages, 1907 KiB  
Review
Demystifying In-Vehicle Intrusion Detection Systems: A Survey of Surveys and a Meta-Taxonomy
by Georgios Karopoulos, Georgios Kambourakis, Efstratios Chatzoglou, José L. Hernández-Ramos and Vasileios Kouliaridis
Electronics 2022, 11(7), 1072; https://doi.org/10.3390/electronics11071072 - 29 Mar 2022
Cited by 43 | Viewed by 7325
Abstract
Breaches in the cyberspace due to cyber-physical attacks can harm the physical space, and any type of vehicle is an alluring target for wrongdoers for an assortment of reasons. Especially as automobiles are becoming increasingly interconnected within the Cooperative Intelligent Transport System (C-ITS) realm and their level of automation elevates, the risk for cyberattacks augments along with the attack surface, thus inexorably rendering the risk of complacency and inaction sizable. Next to other defensive measures, intrusion detection systems (IDS) already comprise an inextricable component of modern automobiles in charge of detecting intrusions in the system while in operation. This work concentrates on in-vehicle IDS with the goal to deliver a fourfold comprehensive survey of surveys on this topic. First, we collect and analyze all existing in-vehicle IDS classifications and fuse them into a simpler, overarching one that can be used as a base for classifying any work in this area. Second, we gather and elaborate on the so-far available datasets which can be possibly used to train and evaluate an in-vehicle IDS. Third, we survey non-commercial simulators which may be utilized for creating a dataset or evaluating an IDS. The last contribution pertains to a thorough exposition of the future trends and challenges in this area. To our knowledge, this work provides the first wholemeal survey on in-vehicle IDS, and it is therefore anticipated to serve as a groundwork and point of reference for multiple stakeholders at varying levels.
(This article belongs to the Special Issue Design of Intelligent Intrusion Detection Systems)
