  • About
  • The Global ETD Search service is a free service for researchers to find electronic theses and dissertations. This service is provided by the Networked Digital Library of Theses and Dissertations.
    Our metadata is collected from universities around the world. If you manage a university/consortium/country archive and want to be added, details can be found on the NDLTD website.
381

EXPLAINABLE AI METHODS FOR ENHANCING AI-BASED NETWORK INTRUSION DETECTION SYSTEMS

Osvaldo Guilherme Arreche (18569509) 03 September 2024
In network security, the exponential growth of intrusions stimulates research toward developing advanced artificial intelligence (AI) techniques for intrusion detection systems (IDS). However, the reliance on AI for IDS presents challenges, including the performance variability of different AI models and the lack of explainability of their decisions, hindering the comprehension of outputs by human security analysts. Hence, this thesis proposes end-to-end explainable AI (XAI) frameworks tailored to enhance the understandability and performance of AI models in this context.
The first chapter benchmarks seven black-box AI models across one real-world and two benchmark network intrusion datasets, laying the foundation for subsequent analyses. Subsequent chapters delve into feature selection methods, recognizing their crucial role in enhancing IDS performance by extracting the most significant features for identifying anomalies in network security. Leveraging XAI techniques, novel feature selection methods are proposed, showcasing superior performance compared to traditional approaches.
Also, this thesis introduces an in-depth evaluation framework for black-box XAI-IDS, encompassing global and local scopes. Six evaluation metrics are analyzed, including descriptive accuracy, sparsity, stability, efficiency, robustness, and completeness, providing insights into the limitations and strengths of current XAI methods.
Finally, the thesis addresses the potential of ensemble learning techniques in improving AI-based network intrusion detection by proposing a two-level ensemble learning framework comprising base learners and ensemble methods trained on input datasets to generate evaluation metrics and new datasets for subsequent analysis. Feature selection is integrated into both levels, leveraging XAI-based and Information Gain-based techniques.
Holistically, this thesis offers a comprehensive approach to enhancing network intrusion detection through the synergy of AI, XAI, and ensemble learning techniques by providing open-source codes and insights into model performances. Therefore, it contributes to the security advancement of interpretable AI models for network security, empowering security analysts to make informed decisions in safeguarding networked systems.
382

Achieving Compositional Security and Privacy in IoT Environments

Muslum Ozgur Ozmen (18870154) 11 September 2024
The Internet of Things (IoT) systems include sensors that measure the physical world, actuators that influence it, and IoT apps that automate these sensors and actuators. Although IoT environments have revolutionized our lives by integrating digital connectivity into physical processes, they also introduce unique security and privacy concerns. Particularly, these systems include multiple components that are unified through the cyber and physical domains. For instance, smart homes include various devices and multiple IoT apps that control these devices. Thus, attacks against any single component can have rippling effects, amplifying due to the composite behavior of sensors, actuators, apps, and the physical environment.
In this dissertation, I explore the emerging security and privacy issues that arise from the complex physical interactions in IoT environments. To discover and mitigate these emerging issues, there is a need for composite reasoning techniques that consider the interplay between digital and physical domains. This dissertation addresses these challenges to build secure IoT environments and enhance user privacy with new formal techniques and systems.
To this end, I first describe my efforts in ensuring the safety and security of IoT environments. Particularly, I introduced IoTSeer, a security service that discovers physical interaction vulnerabilities among IoT apps. I then proposed attacks that evade prior event verification systems by exploiting the complex physical interactions between IoT sensors and actuators. To address them, I developed two defenses, software patching and sensor placement, to make event verification systems robust against evasion attacks. These works provide a suite of tools to achieve compositional safety and security in IoT environments.
Second, I discuss my work that identifies the privacy risks of emerging IoT devices. I designed DMC-Xplorer to find vulnerabilities in voice assistant platforms and showed that an adversary can eavesdrop on privacy-sensitive device states and prevent users from controlling devices. I then developed a remote side-channel attack against intermittent devices to infer privacy-sensitive information about the environment in which they are deployed. These works highlight new privacy issues in emerging commodity devices used in IoT environments.
383

A basic probability assignment methodology for unsupervised wireless intrusion detection

Ghafir, Ibrahim, Kyriakopoulos, K.G., Aparicio-Navarro, F.J., Lambotharan, S., Assadhan, B., Binsalleeh, A.H. 24 January 2020
Yes / The broadcast nature of wireless local area networks has made them prone to several types of wireless injection attacks, such as Man-in-the-Middle (MitM) at the physical layer, deauthentication, and rogue access point attacks. The implementation of novel intrusion detection systems (IDSs) is fundamental to provide stronger protection against these wireless injection attacks. Since most attacks manifest themselves through different metrics, current IDSs should leverage a cross-layer approach to help toward improving the detection accuracy. The data fusion technique based on the Dempster–Shafer (D-S) theory has been proven to be an efficient technique to implement the cross-layer metric approach. However, the dynamic generation of the basic probability assignment (BPA) values used by D-S is still an open research problem. In this paper, we propose a novel unsupervised methodology to dynamically generate the BPA values, based on both the Gaussian and exponential probability density functions, the categorical probability mass function, and the local reachability density. Then, D-S is used to fuse the BPA values to classify whether the Wi-Fi frame is normal (i.e., non-malicious) or malicious. The proposed methodology provides 100% true positive rate (TPR) and 4.23% false positive rate (FPR) for the MitM attack and 100% TPR and 2.44% FPR for the deauthentication attack, which confirm the efficiency of the dynamic BPA generation methodology. / Gulf Science, Innovation and Knowledge Economy Programme of the U.K. Government under UK-Gulf Institutional Link Grant IL 279339985 and in part by the Engineering and Physical Sciences Research Council (EPSRC), U.K., under Grant EP/R006385/1.
384

Enhancing Network Security through Investigative Traffic Analysis: A Case Study

SUNNY, WINLIYA JEWEL, MOHAN, ANJANA January 2024
In this time of increasing cyber risks, robust intrusion detection systems (IDS) are fundamentally necessary for protecting network systems. This master thesis compares two primary network intrusion detection resources to clarify their effectiveness, advantages, and boundaries. The investigation follows a thorough approach, including reviewing existing literature, practical experimentation, and assessing their performance. The primary goal revolves around a deeper comprehension of the operational procedures, threat detection capacity, and scalability of the chosen IDS solutions. Through careful experimentation and scrutiny, this study investigates various elements such as detection accuracy, false favorable rates, the usage of resources, and resilience in varied network situations. Real-life data sets and contrived attack situations are harnessed to measure the proficiency of these tools in identifying both identified and fresh intrusion efforts. Finally, our experimentation did not identify a single optimal tool due to certain imperfections in both evaluated tools. However, these findings were instrumental in concluding the properties that would constitute an ideal tool. In the end, this study propels the forward arena of network security, offering a detailed insight into the capabilities and limitations of day-to-day intrusion detection tools. This study aims to strengthen cybersecurity defenses and nurture improved decision-making capabilities. These efforts mitigate the constantly changing threats caused by harmful entities in our digital world.
385

Analyzing Secure and Attested Communication in Mobile Devices

Muhammad Ibrahim (19761798) 01 October 2024
To assess the security of mobile devices, I begin by identifying the key entities involved in their operation: the user, the mobile device, and the service or device being accessed. Users rely on mobile devices to interact with services and perform essential tasks. These devices act as gateways, enabling communication between the user and the back-end services. For example, a user may access their bank account via a banking app on their mobile device, which communicates with the bank’s back-end server. In such scenarios, the server must authenticate the user to ensure only authorized individuals can access sensitive information. However, beyond user authentication, it is crucial for connected services and devices to verify the integrity of the mobile device itself. A compromised mobile device can have severe consequences for both the user and the services involved.
My research focuses on examining the methods used by various entities to attest and verify the integrity of mobile devices. I conduct a comprehensive analysis of mobile device attestation from multiple perspectives. Specifically, I investigate how attestation is carried out by back-end servers of mobile apps, IoT devices controlled by mobile companion apps, and large language models (LLMs) accessed via mobile apps.
In the first case, back-end servers of mobile apps must attest to the integrity of the device to protect against tampered apps and devices, which could lead to financial loss, data breaches, or intellectual property theft. For instance, a music streaming service must implement strong security measures to verify the device’s integrity before transmitting sensitive content to prevent data leakage or unauthorized access.
In the second case, IoT devices must ensure they are communicating with legitimate companion apps running on attested mobile devices. Failure to enforce proper attestation for IoT companion apps can expose these devices to malicious attacks. An attacker could inject malicious code into an IoT device, potentially causing physical damage to the device or its surroundings, or even seizing control of the device, leading to critical safety risks, property damage, or harm to human lives.
Finally, in the third case, malicious apps can exploit prompt injection attacks against LLMs, leading to data leaks or unauthorized access to APIs and services offered by the LLM. These scenarios underscore the importance of secure and attested communication between mobile devices and the services they interact with.
386

Design Techniques for Secure IoT Devices and Networks

Malin Priyamal Prematilake (12201746) 25 July 2023
The rapid expansion of consumer Internet-of-Things (IoT) technology across various application domains has made it one of the most sought-after and swiftly evolving technologies. IoT devices offer numerous benefits, such as enhanced security, convenience, and cost reduction. However, as these devices need access to sensitive aspects of human life to function effectively, their abuse can lead to significant financial, psychological, and physical harm. While previous studies have examined the vulnerabilities of IoT devices, insufficient research has delved into the impact and mitigation of threats to users' privacy and safety. This dissertation addresses the challenge of protecting user safety and privacy against threats posed by IoT device vulnerabilities. We first introduce a novel IWMD architecture, which serves as the last line of defense against unsafe operations of Implantable and Wearable Medical Devices (IWMDs). We demonstrate the architecture's effectiveness through a prototype artificial pancreas. Subsequent chapters emphasize the safety and privacy of smart home device users. First, we propose a unique device activity-based categorization and learning approach for network traffic analysis. Utilizing this technology, we present a new smart home security framework and a device type identification mechanism to enhance transparency and access control in smart home device communication. Lastly, we propose a novel traffic shaping technique that hinders adversaries from discerning user activities through traffic analysis. Experiments conducted on commercially available IoT devices confirm that our solutions effectively address these issues with minimal overhead.
387

Improved performance high speed network intrusion detection systems (NIDS) : a high speed NIDS architectures to address limitations of packet loss and low detection rate by adoption of dynamic cluster architecture and traffic anomaly filtration (IADF)

Akhlaq, Monis January 2011
Intrusion Detection Systems (IDS) are considered a vital component in network security architecture. The system allows the administrator to detect unauthorized use of, or attack upon, a computer, network or telecommunication infrastructure. There is no second thought on the necessity of these systems; however, their performance remains a critical question. This research has focussed on designing a high performance Network Intrusion Detection Systems (NIDS) model. The work begins with the evaluation of Snort, an open source NIDS considered as a de-facto IDS standard. The motive behind the evaluation strategy is to analyze the performance of Snort and ascertain the causes of limited performance. Design and implementation of high performance techniques are considered as the final objective of this research. Snort has been evaluated on a highly sophisticated test bench by employing evasive and avoidance strategies to simulate real-life normal and attack-like traffic. The test-methodology is based on the concept of stressing the system and degrading its performance in terms of its packet handling capacity. This has been achieved by normal traffic generation; fussing; traffic saturation; parallel dissimilar attacks; manipulation of background traffic, e.g. fragmentation, packet sequence disturbance and illegal packet insertion. The evaluation phase has led us to two high performance designs, first distributed hardware architecture using cluster-based adoption and second cascaded phenomena of anomaly-based filtration and signature-based detection. The first high performance mechanism is based on Dynamic Cluster adoption using refined policy routing and Comparator Logic. The design is a two tier mechanism where the front end of the cluster is the load-balancer which distributes traffic on pre-defined policy routing ensuring maximum utilization of cluster resources. The traffic load sharing mechanism reduces the packet drop by exchanging state information between load-balancer and cluster nodes and implementing switchovers between nodes in case the traffic exceeds a pre-defined threshold limit. Finally, the recovery evaluation concept using Comparator Logic also enhances the overall efficiency by recovering lost data in switchovers; the retrieved data is then analyzed by the recovery NIDS to identify any leftover threats. Intelligent Anomaly Detection Filtration (IADF) using cascaded architecture of anomaly-based filtration and signature-based detection process is the second high performance design. The IADF design is used to preserve resources of NIDS by eliminating a large portion of the traffic on well defined logics. In addition, the filtration concept augments the detection process by eliminating the part of malicious traffic which otherwise can go undetected by most signature-based mechanisms. We have evaluated the mechanism to detect Denial of Service (DoS) and Probe attempts by analyzing its performance on the Defence Advanced Research Projects Agency (DARPA) dataset. The concept has also been supported by time-based normalized sampling mechanisms to incorporate normal traffic variations to reduce false alarms. Finally, we have observed that the IADF has augmented the overall detection process by reducing false alarms, increasing detection rate and incurring lesser data loss.
388

Modeling and Recognizing Network Scanning Activities with Finite Mixture Models and Hidden Markov Models

De Santis, Giulia 20 December 2018
The work accomplished in this PhD consisted in building stochastic models of ZMap and Shodan, respectively, two Internet-wide scanners. More in detail, packets originated by each of the two considered scanners have been collected by the High Security Lab hosted in Inria, and have been used to learn Hidden Markov Models (HMMs). The first part of the work consisted in modeling intensity of the two considered scanners. We investigated if the intensity of ZMap varies with respect to the targeted service, and if the intensities of the two scanners are comparable. Results showed that the answer to the first question is positive (i.e., intensity of ZMap varied with respect to the targeted ports), whereas the answer to the second question is negative. In other words, we obtained a model for each set of logs. The following part of the work consisted in investigating other two features of the same scanners: their spatial and temporal movements, respectively. More in detail, we created datasets containing logs of one single execution of ZMap and Shodan, respectively. Then, we computed differences of IP addresses consecutively targeted by the same scanner (i.e., in each sample), and of the corresponding timestamps. The former have been used to model spatial movements, whereas the latter temporal ones. Once the Hidden Markov Models are available, they have been applied to detect scanners from other sets of logs. In both cases, our models are not able to detect the targeted service, but they correctly detect the scanner that originates new logs, with an accuracy of 95% when exploiting spatial movements, and of 98% when using temporal movements.
389

Development of a methodology based on artificial neural networks to identify abnormalities in Profinet communication networks

Turcato, Afonso Celso 25 June 2015
This work proposed the development and evaluation of a methodology in order to identify anomalies in Profinet communication networks, widely used in the automation of industrial plants. The methodology is based on an analysis of the communication features of the Profinet protocol and on the identification and classification of patterns, which is one of the main applications of the use of Artificial Neural Networks (ANN). The anomalies are identified by analyzing the Profinet network traffic in its operation phase. Such anomalies can range from common defects in equipment in the network to attempted attacks on it, which in turn can cause instability and malfunction of the plant they are part of. In the development of this work the following were presented: the details of the Profinet protocol, the security mechanisms most widely used today, the existing types of anomaly detection systems and the main types of attacks on communication networks known in the literature. Some tests to validate the methodology were performed, using a network infrastructure installed in the laboratory. Tests with different types of networked equipment were performed and the results presented. The final result showed that the methodology was successful in identifying the presence or absence of anomalies in the network, and the obtained results can be considered satisfactory and consistent with the expectations of this dissertation. It was therefore concluded that this methodology is feasible and applicable in an industrial environment and can be incorporated into a more comprehensive tool, such as Profinet network analyzers.