Browsing by Author "Aparicio-Navarro, Francisco J."
Now showing 1 - 19 of 19
Item (Open Access): Adding Contextual Information to Intrusion Detection Systems Using Fuzzy Cognitive Maps. IEEE, 2016-06-23. Aparicio-Navarro, Francisco J.; Kyriakopoulos, Kyriakos; Parish, David J.; Chambers, Jonathon A.
In the last few years there has been a considerable increase in the efficiency of Intrusion Detection Systems (IDSs). However, networks are still the victim of attacks. As the complexity of these attacks keeps increasing, new and more robust detection mechanisms need to be developed. The next generation of IDSs should be designed incorporating reasoning engines supported by contextual information about the network, cognitive information and situational awareness to improve their detection results. In this paper, we propose the use of a Fuzzy Cognitive Map (FCM) in conjunction with an IDS to incorporate contextual information into the detection process. We have evaluated the use of FCMs to adjust the Basic Probability Assignment (BPA) values defined prior to the data fusion process, which is crucial for the IDS that we have developed. The experimental results that we present verify that FCMs can improve the efficiency of our IDS by reducing the number of false alarms, while not affecting the number of correct detections.

Item (Open Access): Addressing Multi-Stage Attacks Using Expert Knowledge and Contextual Information. 2019-02-21. Chadza, T.A.; Kyriakopoulos, Konstantinos; Ghafir, I.; Lambotharan, Sangarapillai; AsSadhan, B.; Aparicio-Navarro, Francisco J.
New challenges in the cyber-threat domain are driven by tactical and meticulously designed Multi-Stage Attacks (MSAs). Current state-of-the-art (SOTA) Intrusion Detection Systems (IDSs) are developed to detect individual attacks through the use of signatures or by identifying manifested anomalies in the network environment. However, an MSA differs from traditional one-off network attacks as it requires a set of sequential stages, whereby each stage may not be malicious when manifested individually and may therefore be underestimated by current IDSs. This work proposes a new approach towards addressing this challenging type of cyber-attack by employing external sources of information, beyond the conventional use of signatures and monitored network data. In particular, both expert knowledge and contextual information in the form of the Pattern-of-Life (PoL) of the network are shown to be influential in giving an advantage over SOTA techniques. We compare our proposed anomaly-based IDS, whose decision making is powered by Dempster-Shafer (D-S) Theory and Fuzzy Cognitive Maps (FCMs), against Snort, one of the most widely deployed IDSs in the world. Our results verify that the use of contextual information improves the efficiency of our IDS by enhancing the Detection Rate (DR) of MSAs by almost 50%.

Item (Open Access): Automatic Dataset Labelling and Feature Selection for Intrusion Detection Systems. IEEE, 2014-11-20. Aparicio-Navarro, Francisco J.; Kyriakopoulos, Konstantinos; Parish, David J.
Correctly labelled datasets are commonly required. Three particular scenarios are highlighted which showcase this need. When using supervised Intrusion Detection Systems (IDSs), these systems need labelled datasets to be trained. Also, the real nature of the analysed datasets must be known when evaluating the efficiency of the IDSs at detecting intrusions. Another scenario is the use of feature selection, which works only if the processed datasets are labelled. In normal conditions, collecting labelled datasets from real networks is impossible. Currently, datasets are mainly labelled by implementing off-line forensic analysis, which is impractical because it does not allow real-time implementation. We have developed a novel approach to automatically generate labelled network traffic datasets using an unsupervised anomaly-based IDS. The resulting labelled datasets are subsets of the original unlabelled datasets. The labelled dataset is then processed using a Genetic Algorithm (GA) based approach, which performs the task of feature selection. The GA has been implemented to automatically provide the set of metrics that generate the most appropriate intrusion detection results.

Item (Open Access): A Basic Probability Assignment Methodology for Unsupervised Wireless Intrusion Detection. IEEE, 2018-07-11. Ghafir, I.; Kyriakopoulos, Konstantinos; Aparicio-Navarro, Francisco J.; Lambotharan, Sangarapillai; AsSadhan, B.; BinSalleeh, H.
The broadcast nature of Wireless Local Area Networks (WLANs) has made them prone to several types of wireless injection attacks, such as Man-in-the-Middle (MitM) at the physical layer, deauthentication and rogue access point attacks. The implementation of novel Intrusion Detection Systems (IDSs) is fundamental to provide stronger protection against these wireless injection attacks. Because most attacks manifest themselves through different metrics, current IDSs should leverage a cross-layer approach to help improve the detection accuracy. The data fusion technique based on Dempster-Shafer (D-S) theory has been proven to be an efficient data fusion technique to implement the cross-layer metric approach. However, the dynamic generation of the Basic Probability Assignment (BPA) values used by D-S is still an open research problem. In this paper, we propose a novel unsupervised methodology to dynamically generate the BPA values, based on both the Gaussian and exponential probability density functions (pdf), the categorical probability mass function (pmf), and the local reachability density (lrd). Then, D-S is used to fuse the BPA values to classify whether the Wi-Fi frame is normal (i.e. non-malicious) or malicious. The proposed methodology provides 100% True Positive Rate (TPR) and 4.23% False Positive Rate (FPR) for the MitM attack, and 100% TPR and 2.44% FPR for the deauthentication attack, which confirms the efficiency of the dynamic BPA generation methodology.

Item (Open Access): A Data Fusion Technique to Detect Wireless Network Virtual Jamming Attacks. IEEE, 2015-11-12. Escudero-Andreu, G.; Kyriakopoulos, Konstantinos; Aparicio-Navarro, Francisco J.; Parish, David J.; Santoro, D.; Vadursi, M.
Wireless communications are potentially exposed to jamming due to the openness of the medium and, in particular, to virtual jamming, which allows more energy-efficient attacks. In this paper we tackle the problem of virtual jamming attacks on IEEE 802.11 networks and present a data fusion solution for the detection of a type of virtual jamming attack (namely, NAV attacks), based on the real-time monitoring of a set of metrics. The detection performance is evaluated in a number of real scenarios.

Item (Open Access): Detection of Advanced Persistent Threat Using Machine-Learning Correlation Analysis. Elsevier, 2018-07-06. Ghafir, I.; Hammoudeh, M.; Prenosil, V.; Han, L.; Hegarty, R.; Rabie, K.; Aparicio-Navarro, Francisco J.
As one of the most serious types of cyber attack, Advanced Persistent Threats (APT) have caused major concerns on a global scale. APT refers to a persistent, multi-stage attack with the intention to compromise the system and gain information from the targeted system, which has the potential to cause significant damage and substantial financial loss. The accurate detection and prediction of APT is an ongoing challenge. This work proposes a novel machine learning-based system entitled MLAPT, which can accurately and rapidly detect and predict APT attacks in a systematic way. The MLAPT runs through three main phases: (1) Threat detection, in which eight methods have been developed to detect different techniques used during the various APT steps. The implementation and validation of these methods with real traffic is a significant contribution to the current body of research; (2) Alert correlation, in which a correlation framework is designed to link the outputs of the detection methods and aims to identify alerts that could be related and belong to a single APT scenario; and (3) Attack prediction, in which a machine learning-based prediction module is proposed, based on the correlation framework output, to be used by the network security team to determine the probability that the early alerts develop into a complete APT attack. MLAPT is experimentally evaluated and the presented system is able to predict APT in its early steps with a prediction accuracy of 84.8%.

Item (Open Access): Disguised executable files in spear-phishing emails: Detecting the point of entry in advanced persistent threat. ACM, 2018-06-27. Ghafir, I.; Prenosil, V.; Hammoudeh, M.; Aparicio-Navarro, Francisco J.; Rabie, K.; Jabban, A.
In recent years, cyber attacks have caused substantial financial losses and have been able to stop fundamental public services. Among the serious attacks, Advanced Persistent Threat (APT) has emerged as a big challenge to cyber security, hitting selected companies and organisations. The main objectives of APT are data exfiltration and intelligence appropriation. As part of the APT life cycle, an attacker creates a Point of Entry (PoE) to the target network. This is usually achieved by installing malware on the targeted machine to leave a back-door open for future access. A common technique employed to breach the network, which involves the use of social engineering, is the spear phishing email. These phishing emails may contain disguised executable files. This paper presents the disguised executable file detection (DeFD) module, which aims at detecting disguised exe files transferred over the network connections. The detection is based on a comparison between the MIME type of the transferred file and the file name extension. This module was experimentally evaluated and the results show a successful detection of disguised executable files.

Item (Embargo): FFDA: A novel Four-Factor Distributed Authentication mechanism. IEEE, 2022-08-16. Edwards, Jack; Aparicio-Navarro, Francisco J.; Maglaras, Leandros; Douligeris, Christos
This article presents a novel multi-factor authentication mechanism that makes the authentication process robust to several attacks. The mechanism uses several databases to store the user key and an external USB device that the user carries with them. The system is divided into several groups, each one storing a part of the fragmented user key, as an additional security measure. The proposed mechanism has four factors of authentication but at the same time is easy to use and apply to many modern systems that are used in the maritime sector.

Item (Open Access): Hidden Markov Models and Alert Correlations for the Prediction of Advanced Persistent Threats. IEEE, 2019-07-22. Ghafir, Ibrahim; Kyriakopoulos, Konstantinos G.; Lambotharan, Sangarapillai; Aparicio-Navarro, Francisco J.; AsSadhan, Basil; BinSalleeh, Hamad; Diab, Diab M.
Cyber security has become a matter of global interest and several attacks target industrial companies and governmental organisations. The Advanced Persistent Threats (APTs) have emerged as a new and complex version of Multi-Stage Attacks (MSAs), targeting selected companies and organisations. Current APT detection systems focus on raising detection alerts rather than predicting APTs. Forecasting the APT stages not only reveals the APT life cycle in its early stages but also helps to understand the attacker's strategies and aims. This work proposes a novel intrusion detection system for APT detection and prediction. This system undergoes two main phases; the first one achieves the attack scenario reconstruction. This phase has a correlation framework to link the elementary alerts that belong to the same APT campaign. The correlation is based on matching the attributes of the elementary alerts which are generated over a configurable time window. The second phase of the proposed system is the attack decoding. This phase utilises the Hidden Markov Model (HMM) to determine the most likely sequence of APT stages for a given sequence of correlated alerts. Moreover, a prediction algorithm is developed to predict the next step of the APT campaign after computing the probability of each APT stage being the next step of the attacker. The proposed approach estimates the sequence of APT stages with a prediction accuracy of at least 91.80%. Additionally, it predicts the next step of the APT campaign with an accuracy of 66.50%, 92.70% and 100% based on two, three and four correlated alerts, respectively.

Item (Open Access): A Hybrid Intrusion Detection System for Virtual Jamming Attacks on Wireless Networks. Elsevier, 2017-05-17. Aparicio-Navarro, Francisco J.; Kyriakopoulos, Konstantinos; Escudero-Andreu, G.; Santoro, D.; Vadursi, M.; Parish, D. J.
Wireless communications are vulnerable to a certain number of cyber-attacks and intrusion attempts due to the intrinsic openness of the communication channel. The virtual jamming attack stands out among other attacks. This type of attack is easy to implement, energy-efficient to launch, and represents one of the most important threats to the security of wireless networks. As the complexity of the attacks keeps increasing, new and more robust detection mechanisms need to be developed. A number of Network Intrusion Detection Systems (NIDSs) have been presented in the literature to detect this type of attack. To tackle the problem of virtual jamming attacks on IEEE 802.11 networks, we present a novel Hybrid-NIDS (H-NIDS) based on the Dempster-Shafer (DS) Theory of Evidence. The proposed method aims at combining the advantages of signature-based and anomaly-based NIDSs. The performance of the proposed solution has been experimentally evaluated with multiple scenarios in an IEEE 802.11 network.

Item (Open Access): Intrusion Detection System for Platooning Connected Autonomous Vehicles. 2019. Kosmanos, Dimitrios; Pappas, Apostolos; Aparicio-Navarro, Francisco J.; Maglaras, Leandros; Janicke, Helge; Boiten, Eerke Albert; Argyriou, Antonios
The deployment of Connected Autonomous Vehicles (CAVs) in Vehicular Ad Hoc Networks (VANETs) requires secure wireless communication in order to ensure reliable connectivity and safety. However, this wireless communication is vulnerable to a variety of cyber-attacks such as spoofing or jamming attacks. In this paper, we describe an Intrusion Detection System (IDS) based on Machine Learning (ML) techniques designed to detect both spoofing and jamming attacks in a CAV environment. The IDS would reduce the risk of traffic disruption and accidents caused as a result of cyber-attacks. The detection engine of the presented IDS is based on the ML algorithms Random Forest (RF), k-Nearest Neighbour (k-NN) and One-Class Support Vector Machine (OCSVM), as well as data fusion techniques in a cross-layer approach. To the best of the authors' knowledge, the proposed IDS is the first in the literature that uses a cross-layer approach to detect both spoofing and jamming attacks against the communication of platooning connected vehicles. The evaluation results of the implemented IDS present a high accuracy of over 90% using training datasets containing both known and unknown attacks.

Item (Open Access): A look into the information your smartphone leaks. IEEE, 2017-10-19. Aparicio-Navarro, Francisco J.; Chambers, Jonathon A.; Chadza, Timothy; Kyriakopoulos, Konstantinos
Some smartphone applications (apps) pose a risk to users' personal information. Events of apps leaking information stored in smartphones illustrate the danger that they present. In this paper, we investigate the amount of personal information leaked during the installation and use of apps when accessing the Internet. We have opted for the implementation of a Man-in-the-Middle proxy to intercept the network traffic generated by 20 popular free apps installed on different smartphones from distinct vendors. This work describes the technical considerations and requirements for the deployment of the monitoring WiFi network employed during the conducted experiments. The presented results show that numerous mobile and personal unique identifiers, along with personal information, are leaked by several of the evaluated apps, commonly during the installation process.

Item (Open Access): Manual and Automatic Assigned Thresholds in Multi-layer Data Fusion Intrusion Detection System for 802.11 Attacks. IET, 2013-12-19. Kyriakopoulos, Konstantinos; Aparicio-Navarro, Francisco J.; Parish, D. J.
Abuse attacks on wireless networks are becoming increasingly sophisticated. Most of the recent research on intrusion detection systems for wireless attacks either focuses on just one layer of observation or uses a limited number of metrics without proper data fusion techniques. However, the true status of a network is rarely accurately detectable by examining only one network layer. The goal of this study is to detect injection types of attacks in wireless networks by fusing multiple metrics using the Dempster-Shafer (D-S) belief theory. When combining beliefs, an important step to consider is the automatic and self-adaptive process of basic probability assignment (BPA). This study presents a comparison between manual and automatic BPA methods using the D-S technique. Custom tailoring BPAs in an optimum manner under specific network conditions could be extremely time consuming and difficult. In contrast, automatic methods have the advantage of not requiring any prior training or calibration from an administrator. The results show that multi-layer techniques perform more efficiently when compared with conventional methods. In addition, the automatic assignment of beliefs makes such a system easier to deploy while providing a similar performance to that of a manual system.

Item (Open Access): Multi-Stage Attack Detection Using Contextual Information. 2018. Aparicio-Navarro, Francisco J.; Kyriakopoulos, Konstantinos; Ghafir, I.; Lambotharan, Sangarapillai; Chambers, J.
The appearance of new forms of cyber-threats, such as Multi-Stage Attacks (MSAs), creates new challenges to which Intrusion Detection Systems (IDSs) need to adapt. An MSA is launched in multiple sequential stages, which may not be malicious when implemented individually, making the detection of MSAs extremely challenging for most current IDSs. In this paper, we present a novel IDS that exploits contextual information in the form of Pattern-of-Life (PoL), and information related to expert judgment on the network behaviour. This IDS focuses on detecting an MSA, in real-time, without a previous training process. The main goal of the MSA is to create a Point of Entry (PoE) to a target machine, which could be used as part of an Advanced Persistent Threat (APT)-like attack. Our results verify that the use of contextual information improves the efficiency of our IDS by enhancing the detection rate of MSAs in real-time by 58%.

Item (Open Access): A novel intrusion detection system against spoofing attacks in connected electric vehicles. Elsevier, 2019-12-02. Kosmanos, Dimitrios; Pappas, Apostolos; Maglaras, Leandros; Moschoyiannis, Sotiris; Aparicio-Navarro, Francisco J.; Argyriou, Antonios; Janicke, Helge
The Electric Vehicles (EVs) market has seen rapid growth recently despite the anxiety about driving range. Recent proposals have explored charging EVs on the move, using dynamic wireless charging that enables power exchange between the vehicle and the grid while the vehicle is moving. Specifically, part of the literature focuses on the intelligent routing of EVs in need of charging. Inter-Vehicle Communications (IVC) play an integral role in the intelligent routing of EVs around a static charging station or dynamic charging on the road network. However, IVC is vulnerable to a variety of cyber-attacks such as spoofing. In this paper, a probabilistic cross-layer Intrusion Detection System (IDS), based on Machine Learning (ML) techniques, is introduced. The proposed IDS is capable of detecting spoofing attacks with more than 90% accuracy. The IDS uses a new metric, Position Verification using Relative Speed (PVRS), which appears to have a significant effect on classification results. PVRS compares the distance between two communicating nodes that is observed by On-Board Units (OBU) with their estimated distance, computed from the relative speed value that is calculated using interchanged signals in the Physical (PHY) layer.

Item (Open Access): Statistical anomaly detection in communication networks. Defence Science and Technology Laboratory (Dstl) publication, DSTL/PUB107185, 2018-02-08. Aparicio-Navarro, Francisco J.; Chambers, Jonathon A.; Kyriakopoulos, Konstantinos; Gong, Yu; Rixson, Matthew; Barrington, Stephen
This chapter describes the development of algorithms for automatic detection of anomalies from multi-dimensional, undersampled and incomplete datasets. The challenge in this work is to identify and classify behaviours as normal or abnormal, safe or threatening, from an irregular and often heterogeneous sensor network. Many defence and civilian applications can be modelled as complex networks of interconnected nodes with unknown or uncertain spatio-temporal relations. The behaviour of such heterogeneous networks can exhibit dynamic properties, reflecting evolution in both network structure (new nodes appearing and existing nodes disappearing) and inter-node relations. The UDRC work has addressed not only the detection of anomalies, but also the identification of their nature and their statistical characteristics. Normal patterns and changes in behaviour have been incorporated to provide an acceptable balance between true positive rate, false positive rate, performance and computational cost. Data quality measures have been used to ensure the models of normality are not corrupted by unreliable and ambiguous data. The context for the activity of each node in complex networks offers an even more efficient anomaly detection mechanism. This has allowed the development of efficient approaches which not only detect anomalies but also go on to classify their behaviour.

Item (Open Access): Support Vector Machine for Network Intrusion and Cyber-Attack Detection. IEEE, 2017-12-21. Ghanem, Kinan; Aparicio-Navarro, Francisco J.; Kyriakopoulos, Konstantinos; Lambotharan, Sangarapillai; Chambers, Jonathon A.
Cyber-security threats are a growing concern in networked environments. The development of Intrusion Detection Systems (IDSs) is fundamental in order to provide an extra level of security. We have developed an unsupervised anomaly-based IDS that uses statistical techniques to conduct the detection process. Despite providing many advantages, anomaly-based IDSs tend to generate a high number of false alarms. Machine Learning (ML) techniques have gained wide interest in intrusion detection tasks. In this work, the Support Vector Machine (SVM) is deemed an ML technique that could complement the performance of our IDS, providing a second line of detection to reduce the number of false alarms, or serving as an alternative detection technique. We assess the performance of our IDS against one-class and two-class SVMs, using linear and non-linear forms. The results that we present show that the linear two-class SVM generates highly accurate results, and the accuracy of the linear one-class SVM is very comparable while not needing training datasets associated with malicious data. Similarly, the results evidence that our IDS could benefit from the use of ML techniques to increase its accuracy when analysing datasets comprising non-homogeneous features.

Item (Open Access): Using Pattern-of-Life as Contextual Information for Anomaly-based Intrusion Detection Systems. IEEE, 2017-10-20. Aparicio-Navarro, Francisco J.; Kyriakopoulos, Konstantinos; Gong, Yu; Parish, David J.; Chambers, Jonathon A.
As the complexity of cyber-attacks keeps increasing, new robust detection mechanisms need to be developed. The next generation of Intrusion Detection Systems (IDSs) should be able to adapt their detection characteristics based not only on the measurable network traffic, but also on the available high-level information related to the protected network. To this end, we make use of the Pattern-of-Life (PoL) of a computer network as the main source of high-level information. We propose two novel approaches that make use of a Fuzzy Cognitive Map (FCM) to incorporate the PoL into the detection process. There are four main aims of the work. First, to evaluate the efficiency of the proposed approaches in identifying the presence of attacks. Second, to identify which of the proposed approaches to integrate an FCM into the IDS framework produces the best results. Third, to identify which of the metrics used in the design of the FCM produces the best detection results. Fourth, to evidence the improved detection performance that contextual information can offer in IDSs. The results that we present verify that the proposed approaches improve the effectiveness of our IDS by reducing the total number of false alarms, providing an almost perfect detection rate (i.e., 99.76%) and only a 6.33% false positive rate, depending on the particular metric combination.

Item (Open Access): Using the Pattern-of-Life in Networks to Improve the Effectiveness of Intrusion Detection Systems. IEEE, 2017-07-31. Aparicio-Navarro, Francisco J.; Chambers, Jonathon A.; Kyriakopoulos, Konstantinos; Gong, Yu; Parish, David J.
As the complexity of cyber-attacks keeps increasing, new and more robust detection mechanisms need to be developed. The next generation of Intrusion Detection Systems (IDSs) should be able to adapt their detection characteristics based not only on the measurable network traffic, but also on the available high-level information related to the protected network, to improve their detection results. We make use of the Pattern-of-Life (PoL) of a network as the main source of high-level information, which is correlated with the time of day and the usage of the network resources. We propose the use of a Fuzzy Cognitive Map (FCM) to incorporate the PoL into the detection process. The main aim of this work is to evidence the improved detection performance of an IDS using an FCM to leverage network-related contextual information. The results that we present verify that the proposed method improves the effectiveness of our IDS by reducing the total number of false alarms, providing an improvement of 9.68% when all the considered metrics are combined and a peak improvement of up to 35.64%, depending on the particular metric combination.