Browsing by Author "Kyriakopoulos, Konstantinos"
Now showing 1 - 12 of 12
Addressing Multi-Stage Attacks Using Expert Knowledge and Contextual Information (2019-02-21). Chadza, T.A.; Kyriakopoulos, Konstantinos; Ghafir, I.; Lambotharan, Sangarapillai; AsSadhan, B.; Aparicio-Navarro, Francisco J. Open Access.
New challenges in the cyber-threat domain are driven by tactical and meticulously designed Multi-Stage Attacks (MSAs). Current state-of-the-art (SOTA) Intrusion Detection Systems (IDSs) are developed to detect individual attacks through the use of signatures or by identifying manifested anomalies in the network environment. However, an MSA differs from traditional one-off network attacks in that it requires a set of sequential stages, whereby each stage may not be malicious when manifested individually and may therefore be underestimated by current IDSs. This work proposes a new approach towards addressing this challenging type of cyber-attack by employing external sources of information, beyond the conventional use of signatures and monitored network data. In particular, both expert knowledge and contextual information in the form of the Pattern-of-Life (PoL) of the network are shown to be influential in giving an advantage over SOTA techniques. We compare our proposed anomaly-based IDS, based on decision making powered by Dempster-Shafer (D-S) Theory and Fuzzy Cognitive Maps (FCMs), against Snort, one of the most widely deployed IDSs in the world. Our results verify that the use of contextual information improves the efficiency of our IDS by enhancing the Detection Rate (DR) of MSAs by almost 50%.

Automatic Dataset Labelling and Feature Selection for Intrusion Detection Systems (IEEE, 2014-11-20). Aparicio-Navarro, Francisco J.; Kyriakopoulos, Konstantinos; Parish, David J. Open Access.
Correctly labelled datasets are commonly required. Three particular scenarios are highlighted which showcase this need. When using supervised Intrusion Detection Systems (IDSs), these systems need labelled datasets to be trained. Also, the real nature of the analysed datasets must be known when evaluating the efficiency of the IDSs at detecting intrusions. Another scenario is the use of feature selection, which works only if the processed datasets are labelled. In normal conditions, collecting labelled datasets from real networks is impossible. Currently, datasets are mainly labelled by implementing off-line forensic analysis, which is impractical because it does not allow real-time implementation. We have developed a novel approach to automatically generate labelled network traffic datasets using an unsupervised anomaly-based IDS. The resulting labelled datasets are subsets of the original unlabelled datasets. The labelled dataset is then processed using a Genetic Algorithm (GA) based approach, which performs the task of feature selection. The GA has been implemented to automatically provide the set of metrics that generate the most appropriate intrusion detection results.

A Basic Probability Assignment Methodology for Unsupervised Wireless Intrusion Detection (IEEE, 2018-07-11). Ghafir, I.; Kyriakopoulos, Konstantinos; Aparicio-Navarro, Francisco J.; Lambotharan, Sangarapillai; AsSadhan, B.; BinSalleeh, H. Open Access.
The broadcast nature of Wireless Local Area Networks (WLANs) has made them prone to several types of wireless injection attacks, such as Man-in-the-Middle (MitM) at the physical layer, deauthentication and rogue access point attacks. The implementation of novel Intrusion Detection Systems (IDSs) is fundamental to provide stronger protection against these wireless injection attacks. Because most attacks manifest themselves through different metrics, current IDSs should leverage a cross-layer approach to help improve the detection accuracy. The data fusion technique based on Dempster-Shafer (D-S) theory has been proven to be an efficient data fusion technique to implement the cross-layer metric approach. However, the dynamic generation of the Basic Probability Assignment (BPA) values used by D-S is still an open research problem. In this paper, we propose a novel unsupervised methodology to dynamically generate the BPA values, based on both the Gaussian and exponential probability density functions (pdf), the categorical probability mass function (pmf), and the local reachability density (lrd). Then, D-S is used to fuse the BPA values to classify whether the Wi-Fi frame is normal (i.e. non-malicious) or malicious. The proposed methodology provides 100% True Positive Rate (TPR) and 4.23% False Positive Rate (FPR) for the MitM attack, and 100% TPR and 2.44% FPR for the deauthentication attack, which confirm the efficiency of the dynamic BPA generation methodology.

A Data Fusion Technique to Detect Wireless Network Virtual Jamming Attacks (IEEE, 2015-11-12). Escudero-Andreu, G.; Kyriakopoulos, Konstantinos; Aparicio-Navarro, Francisco J.; Parish, David J.; Santoro, D.; Vadursi, M. Open Access.
Wireless communications are potentially exposed to jamming due to the openness of the medium and, in particular, to virtual jamming, which allows more energy-efficient attacks. In this paper we tackle the problem of virtual jamming attacks on IEEE 802.11 networks and present a data fusion solution for the detection of a type of virtual jamming attack (namely, NAV attacks), based on the real-time monitoring of a set of metrics. The detection performance is evaluated in a number of real scenarios.

A Hybrid Intrusion Detection System for Virtual Jamming Attacks on Wireless Networks (Elsevier, 2017-05-17). Aparicio-Navarro, Francisco J.; Kyriakopoulos, Konstantinos; Escudero-Andreu, G.; Santoro, D.; Vadursi, M.; Parish, D. J. Open Access.
Wireless communications are vulnerable to a certain number of cyber-attacks and intrusion attempts due to the intrinsic openness of the communication channel. The virtual jamming attack stands out among other attacks. This type of attack is easy to implement, energy-efficient to launch, and represents one of the most important threats to the security of wireless networks. As the complexity of the attacks keeps increasing, new and more robust detection mechanisms need to be developed. A number of Network Intrusion Detection Systems (NIDSs) have been presented in the literature to detect this type of attack. To tackle the problem of virtual jamming attacks on IEEE 802.11 networks, we present a novel Hybrid-NIDS (H-NIDS) based on the Dempster-Shafer (DS) Theory of Evidence. The proposed method aims at combining the advantages of signature-based and anomaly-based NIDSs. The performance of the proposed solution has been experimentally evaluated with multiple scenarios in an IEEE 802.11 network.

A look into the information your smartphone leaks (IEEE, 2017-10-19). Aparicio-Navarro, Francisco J.; Chambers, Jonathon A.; Chadza, Timothy; Kyriakopoulos, Konstantinos. Open Access.
Some smartphone applications (apps) pose a risk to users' personal information. Events of apps leaking information stored in smartphones illustrate the danger that they present. In this paper, we investigate the amount of personal information leaked during the installation and use of apps when accessing the Internet. We have opted for the implementation of a Man-in-the-Middle proxy to intercept the network traffic generated by 20 popular free apps installed on different smartphones from distinct vendors. This work describes the technical considerations and requirements for the deployment of the monitoring WiFi network employed during the conducted experiments. The presented results show that numerous mobile and personal unique identifiers, along with personal information, are leaked by several of the evaluated apps, commonly during the installation process.

Manual and Automatic Assigned Thresholds in Multi-layer Data Fusion Intrusion Detection System for 802.11 Attacks (IET, 2013-12-19). Kyriakopoulos, Konstantinos; Aparicio-Navarro, Francisco J.; Parish, D. J. Open Access.
Abuse attacks on wireless networks are becoming increasingly sophisticated. Most of the recent research on intrusion detection systems for wireless attacks either focuses on just one layer of observation or uses a limited number of metrics without proper data fusion techniques. However, the true status of a network is rarely accurately detectable by examining only one network layer. The goal of this study is to detect injection types of attacks in wireless networks by fusing multiple metrics using the Dempster-Shafer (D-S) belief theory. When combining beliefs, an important step to consider is the automatic and self-adaptive process of basic probability assignment (BPA). This study presents a comparison between manual and automatic BPA methods using the D-S technique. Custom-tailoring BPAs in an optimum manner under specific network conditions could be extremely time consuming and difficult. In contrast, automatic methods have the advantage of not requiring any prior training or calibration from an administrator. The results show that multi-layer techniques perform more efficiently when compared with conventional methods. In addition, the automatic assignment of beliefs makes such a system easier to deploy while providing a similar performance to that of a manual system.

Multi-Stage Attack Detection Using Contextual Information (2018). Aparicio-Navarro, Francisco J.; Kyriakopoulos, Konstantinos; Ghafir, I.; Lambotharan, Sangarapillai; Chambers, J. Open Access.
The appearance of new forms of cyber-threats, such as Multi-Stage Attacks (MSAs), creates new challenges to which Intrusion Detection Systems (IDSs) need to adapt. An MSA is launched in multiple sequential stages, which may not be malicious when implemented individually, making the detection of MSAs extremely challenging for most current IDSs. In this paper, we present a novel IDS that exploits contextual information in the form of Pattern-of-Life (PoL), and information related to expert judgement on the network behaviour. This IDS focuses on detecting an MSA, in real time, without a previous training process. The main goal of the MSA is to create a Point of Entry (PoE) to a target machine, which could be used as part of an Advanced Persistent Threat (APT)-like attack. Our results verify that the use of contextual information improves the efficiency of our IDS by enhancing the detection rate of MSAs in real time by 58%.

Statistical anomaly detection in communication networks (Defence Science and Technology Laboratory, 2018-02-08). Aparicio-Navarro, Francisco J.; Chambers, Jonathon A.; Kyriakopoulos, Konstantinos; Gong, Yu; Rixson, Matthew; Barrington, Stephen. Open Access.
This chapter describes the development of algorithms for automatic detection of anomalies from multi-dimensional, undersampled and incomplete datasets. The challenge in this work is to identify and classify behaviours as normal or abnormal, safe or threatening, from an irregular and often heterogeneous sensor network. Many defence and civilian applications can be modelled as complex networks of interconnected nodes with unknown or uncertain spatio-temporal relations. The behaviour of such heterogeneous networks can exhibit dynamic properties, reflecting evolution in both network structure (new nodes appearing and existing nodes disappearing) and inter-node relations. The UDRC work has addressed not only the detection of anomalies, but also the identification of their nature and their statistical characteristics. Normal patterns and changes in behaviour have been incorporated to provide an acceptable balance between true positive rate, false positive rate, performance and computational cost. Data quality measures have been used to ensure the models of normality are not corrupted by unreliable and ambiguous data. The context for the activity of each node in complex networks offers an even more efficient anomaly detection mechanism. This has allowed the development of efficient approaches which not only detect anomalies but also go on to classify their behaviour.

Support Vector Machine for Network Intrusion and Cyber-Attack Detection (IEEE, 2017-12-21). Ghanem, Kinan; Aparicio-Navarro, Francisco J.; Kyriakopoulos, Konstantinos; Lambotharan, Sangarapillai; Chambers, Jonathon A. Open Access.
Cyber-security threats are a growing concern in networked environments. The development of Intrusion Detection Systems (IDSs) is fundamental in order to provide an extra level of security. We have developed an unsupervised anomaly-based IDS that uses statistical techniques to conduct the detection process. Despite providing many advantages, anomaly-based IDSs tend to generate a high number of false alarms. Machine Learning (ML) techniques have gained wide interest in intrusion detection tasks. In this work, the Support Vector Machine (SVM) is deemed an ML technique that could complement the performance of our IDS, providing a second line of detection to reduce the number of false alarms, or serving as an alternative detection technique. We assess the performance of our IDS against one-class and two-class SVMs, using linear and non-linear forms. The results that we present show that the linear two-class SVM generates highly accurate results, and that the accuracy of the linear one-class SVM is very comparable while not needing training datasets associated with malicious data. Similarly, the results evidence that our IDS could benefit from the use of ML techniques to increase its accuracy when analysing datasets comprising non-homogeneous features.

Using Pattern-of-Life as Contextual Information for Anomaly-based Intrusion Detection Systems (IEEE, 2017-10-20). Aparicio-Navarro, Francisco J.; Kyriakopoulos, Konstantinos; Gong, Yu; Parish, David J.; Chambers, Jonathon A. Open Access.
As the complexity of cyber-attacks keeps increasing, new robust detection mechanisms need to be developed. The next generation of Intrusion Detection Systems (IDSs) should be able to adapt their detection characteristics based not only on the measurable network traffic, but also on the available high-level information related to the protected network. To this end, we make use of the Pattern-of-Life (PoL) of a computer network as the main source of high-level information. We propose two novel approaches that make use of a Fuzzy Cognitive Map (FCM) to incorporate the PoL into the detection process. There are four main aims of the work. First, to evaluate the efficiency of the proposed approaches in identifying the presence of attacks. Second, to identify which of the proposed approaches to integrating an FCM into the IDS framework produces the best results. Third, to identify which of the metrics used in the design of the FCM produces the best detection results. Fourth, to evidence the improved detection performance that contextual information can offer in IDSs. The results that we present verify that the proposed approaches improve the effectiveness of our IDS by reducing the total number of false alarms, providing an almost perfect detection rate (i.e., 99.76%) and only a 6.33% false positive rate, depending on the particular metric combination.

Using the Pattern-of-Life in Networks to Improve the Effectiveness of Intrusion Detection Systems (IEEE, 2017-07-31). Aparicio-Navarro, Francisco J.; Chambers, Jonathon A.; Kyriakopoulos, Konstantinos; Gong, Yu; Parish, David J. Open Access.
As the complexity of cyber-attacks keeps increasing, new and more robust detection mechanisms need to be developed. The next generation of Intrusion Detection Systems (IDSs) should be able to adapt their detection characteristics based not only on the measurable network traffic, but also on the available high-level information related to the protected network, in order to improve their detection results. We make use of the Pattern-of-Life (PoL) of a network as the main source of high-level information, which is correlated with the time of day and the usage of the network resources. We propose the use of a Fuzzy Cognitive Map (FCM) to incorporate the PoL into the detection process. The main aim of this work is to evidence the improved detection performance of an IDS that uses an FCM to leverage network-related contextual information. The results that we present verify that the proposed method improves the effectiveness of our IDS by reducing the total number of false alarms, providing an improvement of 9.68% when all the considered metrics are combined and a peak improvement of up to 35.64%, depending on the particular metric combination.