Detection of zero-day attacks: An unsupervised port-based approach

Blaise, Agathe; Bouet, Mathieu; Conan, Vania; Secci, Stefano

doi:10.1016/j.comnet.2020.107391

Cited by 43 publications

(19 citation statements)

References 22 publications

(33 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Lobato, Lopez, et al [14] utilize supervised machine learning approaches such as Support Vector Machines (SVM) and Stochastic Gradient Descent (SGD) Algorithms to classify network flow telemetry as malicious or benign using an adaptive data modeling and pipeline approach with promising results, achieving precision and recall values between 65.7% and 97.3%. Blaise et al [15] utilized network flow telemetry to identify ZDTs using an unsupervised approach that identifies anomalous port usage. Sarhan et al [16] also utilized network flow telemetry to identify ZDTs using a Zero-Shot Learning approach with Random Forest (RF) and Multi-layer Perceptron (MLP) models using a novel data splitting approach to hold out attack classes as ZDTs to measure performance.…”

Section: Review Of the Literaturementioning

confidence: 99%

Zero Day Threat Detection Using Graph and Flow Based Security Telemetry

Redino¹,

Nandakumar²,

Schiller³

et al. 2022

Preprint

View full text Add to dashboard Cite

Zero Day Threats (ZDT) are novel methods used by malicious actors to attack and exploit information technology (IT) networks or infrastructure. In the past few years, the number of these threats has been increasing at an alarming rate and have been costing organizations millions of dollars to remediate. The increasing expansion of network attack surfaces and the exponentially growing number of assets on these networks necessitate the need for a robust AI-based Zero Day Threat detection model that can quickly analyze petabyte-scale data for potentially malicious and novel activity. In this paper, the authors introduce a deep learning based approach to Zero Day Threat detection that can generalize, scale, and effectively identify threats in near real-time. The methodology utilizes network flow telemetry augmented with asset-level graph features, which are passed through a dual-autoencoder structure for anomaly and novelty detection respectively. The models have been trained and tested on four large scale datasets that are representative of real-world organizational networks and they produce strong results with high precision and recall values. The models provide a novel methodology to detect complex threats with low false-positive rates that allow security operators to avoid alert fatigue while drastically reducing their mean time to response with near-real-time detection. Furthermore, the authors also provide a novel, labelled, cyber attack dataset generated from adversarial activity that can be used for validation or training of other models. With this paper, the authors' overarching goal is to provide a novel architecture and training methodology for cyber anomaly detectors that can generalize to multiple IT networks with minimal to no retraining while still maintaining strong performance.

show abstract

Section: Review Of the Literaturementioning

confidence: 99%

Zero Day Threat Detection Using Graph and Flow Based Security Telemetry

Redino¹,

Nandakumar²,

Schiller³

et al. 2022

Preprint

View full text Add to dashboard Cite

show abstract

“…Different attributes in the data set have different ranges. To reduce the impact of such difference on the detection model, we can use z-score standardization [25,26] on the data to make it a normal distribution. Using distance to measure similarity and the PCA to reduce dimensions, the z-score normalization is better than the Minmax normalization in classification and clustering algorithms.…”

Section: Numerization Of Character Datamentioning

confidence: 99%

An Improved $K$ -Means Clustering Intrusion Detection Algorithm for Wireless Networks Based on Federated Learning

Xie

Dong

Wang

2021

Wireless Communications and Mobile Computing

View full text Add to dashboard Cite

The existing wireless network intrusion detection algorithms based on supervised learning confront many challenges, such as high false detection rate, difficulty in finding unknown attack behaviors, and high cost in obtaining labeled training data sets. This paper presents an improved k -means clustering algorithm for detecting intrusions on wireless networks based on Federated Learning. The proposed algorithm allows multiple participants to train a global model without sharing their private data and can expand the amount of data in the training model and protect the local data of each participant. Furthermore, the cosine distance of multiple perspectives is introduced in the algorithm to measure the similarity between network data objects in the improved k -means clustering process, making the clustering results more reasonable and the judgment of network data behavior more accurate. The AWID, an open wireless network attack data set, is selected as the experimental data set. Its dimensionality reduces by the method of principal component analysis (PCA). Experimental results show that the improved k -means clustering intrusion detection algorithm based on Federated Learning has better performance in detection rate, false detection rate, and detection of unknown attack types.

show abstract

“…Memcached is a database-caching system used to speed up websites’ dynamic databases by caching frequent data in DRAM. Memcached uses a key-value method to store data, and it solves the problem of having an extensive data cache [ 53 ].…”

Section: The Necessity Of Securing Memcached Architecturementioning

confidence: 99%

“…The Memcached mechanism was designed to work internally, but it became exposed to unauthenticated servers, enabling exploitation via DDoS attacks [ 53 ]. A case in which IoT botnets can be deployed is shown in Figure 5 , where vulnerable Memcached servers are used for launching attacks.…”

Section: The Necessity Of Securing Memcached Architecturementioning

confidence: 99%

Memcached: An Experimental Study of DDoS Attacks for the Wellbeing of IoT Applications

Mishra

Pandya

Patel³

et al. 2021

Sensors

View full text Add to dashboard Cite

Distributed denial-of-service (DDoS) attacks are significant threats to the cyber world because of their potential to quickly bring down victims. Memcached vulnerabilities have been targeted by attackers using DDoS amplification attacks. GitHub and Arbor Networks were the victims of Memcached DDoS attacks with 1.3 Tbps and 1.8 Tbps attack strengths, respectively. The bandwidth amplification factor of nearly 50,000 makes Memcached the deadliest DDoS attack vector to date. In recent times, fellow researchers have made specific efforts to analyze and evaluate Memcached vulnerabilities; however, the solutions provided for security are based on best practices by users and service providers. This study is the first attempt at modifying the architecture of Memcached servers in the context of improving security against DDoS attacks. This study discusses the Memcached protocol, the vulnerabilities associated with it, the future challenges for different IoT applications associated with caches, and the solutions for detecting Memcached DDoS attacks. The proposed solution is a novel identification-pattern mechanism using a threshold scheme for detecting volume-based DDoS attacks. In the undertaken study, the solution acts as a pre-emptive measure for detecting DDoS attacks while maintaining low latency and high throughput.

show abstract

Detection of zero-day attacks: An unsupervised port-based approach

Cited by 43 publications

References 22 publications

Zero Day Threat Detection Using Graph and Flow Based Security Telemetry

Zero Day Threat Detection Using Graph and Flow Based Security Telemetry

An Improved $K$ -Means Clustering Intrusion Detection Algorithm for Wireless Networks Based on Federated Learning

Memcached: An Experimental Study of DDoS Attacks for the Wellbeing of IoT Applications

Contact Info

Product

Resources

About

Detection of zero-day attacks: An unsupervised port-based approach

Cited by 43 publications

References 22 publications

Zero Day Threat Detection Using Graph and Flow Based Security Telemetry

Zero Day Threat Detection Using Graph and Flow Based Security Telemetry

An Improved K -Means Clustering Intrusion Detection Algorithm for Wireless Networks Based on Federated Learning

Memcached: An Experimental Study of DDoS Attacks for the Wellbeing of IoT Applications

Contact Info

Product

Resources

About

An Improved $K$ -Means Clustering Intrusion Detection Algorithm for Wireless Networks Based on Federated Learning