Nour Moustafa | The University of New South Wales
Papers by Nour Moustafa
2021 IEEE 21st International Conference on Software Quality, Reliability and Security (QRS), Dec 1, 2021
Machine learning (ML)-based intrusion detection systems (IDSs) play a critical role in discovering unknown threats in a large-scale cyberspace. They have been adopted as a mainstream hunting method in many organizations, such as financial institutes, manufacturing companies and government agencies. However, existing designs achieve a high threat detection performance at the cost of a large number of false alarms, leading to alert fatigue. To tackle this issue, in this paper, we propose a neural-network-based defense mechanism named DarkHunter. DarkHunter incorporates both supervised learning and unsupervised learning in the design. It uses a deep ensemble network (trained through supervised learning) to detect anomalous network activities and exploits an unsupervised learning-based scheme to trim off mis-detection results. For each detected threat, DarkHunter can trace to its source and present the threat in its original traffic format. Our evaluations, based on the UNSW-NB15 dataset, show that DarkHunter outperforms the existing ML-based IDSs and is able to achieve a high detection accuracy while keeping a low false positive rate. Index Terms: Network intrusion detection, ensemble learning, neural networks, deep learning, machine learning. • We develop a deep ensemble neural network, EnsembleNet, for efficient threat detection. Unlike the traditional ensemble designs, which are mainly based on simple and weak ML models, our ensemble design is constructed with the DNN models so that the high learning potential of DNN can be utilized for good detection performance.
ACM Computing Surveys
The Internet of Things (IoT) ecosystem connects physical devices to the internet, offering significant advantages in agility, responsiveness, and potential environmental benefits. The number and variety of IoT devices are sharply increasing, and as they do, they generate significant data sources. Deep learning (DL) algorithms are increasingly integrated into IoT applications to learn and infer patterns and make intelligent decisions. However, current IoT paradigms rely on centralized storage and computing to operate the DL algorithms. This key central component can potentially cause issues in scalability, security threats, and privacy breaches. Federated learning (FL) has emerged as a new paradigm for DL algorithms to preserve data privacy. Although FL helps reduce privacy leakage by avoiding transferring client data, it still has many challenges related to models’ vulnerabilities and attacks. With the emergence of blockchain and smart contracts, the utilization of these technologie...
arXiv (Cornell University), Nov 7, 2017
Network forensic techniques help in tracking different types of cyber attack by monitoring and inspecting network traffic. However, with the high speed and large sizes of current networks, and the sophisticated philosophy of attackers, in particular mimicking normal behaviour and/or erasing traces to avoid detection, investigating such crimes demands intelligent network forensic techniques. This paper suggests a real-time collaborative network Forensic scheme (RCNF) that can monitor and investigate cyber intrusions. The scheme includes three components of capturing and storing network data, selecting important network features using chi-square method and investigating abnormal events using a new technique called correntropy-variation. We provide a case study using the UNSW-NB15 dataset for evaluating the scheme, showing its high performance in terms of accuracy and false alarm rate compared with three recent state-of-the-art mechanisms.
7th International Conference on Artificial Intelligence and Applications
The popularity of IoT smart things is rising, due to the automation they provide and its effects on productivity. However, it has been proven that IoT devices are vulnerable to both well established and new IoT-specific attack vectors. In this paper, we propose the Particle Deep Framework, a new network forensic framework for IoT networks that utilised Particle Swarm Optimisation to tune the hyperparameters of a deep MLP model and improve its performance. The PDF is trained and validated using Bot-IoT dataset, a contemporary network-traffic dataset that combines normal IoT and non-IoT traffic, with well known botnet-related attacks. Through experimentation, we show that the performance of a deep MLP model is vastly improved, achieving an accuracy of 99.9% and false alarm rate of close to 0%.
2021 IEEE 20th International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom), 2021
The Internet of Things (IoT) paradigm has displayed tremendous growth in recent years, resulting in innovations like Industry 4.0 and smart environments that provide improvements to efficiency, management of assets and facilitate intelligent decision making. However, these benefits are offset by considerable cybersecurity concerns that arise due to inherent vulnerabilities, which hinder IoT-based systems' Confidentiality, Integrity, and Availability. Security vulnerabilities can be detected through the application of penetration testing, and specifically, a subset of the information-gathering stage, known as vulnerability identification. Yet, existing penetration testing solutions cannot discover zero-day vulnerabilities from IoT environments, due to the diversity of generated data, hardware constraints, and environmental complexity. Thus, it is imperative to develop effective penetration testing solutions for the detection of vulnerabilities in smart IoT environments. In this paper, we propose a deep learning-based penetration testing framework, namely Long Short-Term Memory Recurrent Neural Network-Enabled Vulnerability Identification (LSTM-EVI). We utilize this framework through a novel cybersecurity-oriented testbed, which is a smart airport-based testbed comprised of both physical and virtual elements. The framework was evaluated using this testbed and on real-time data sources. Our results revealed that the proposed framework achieves about 99% detection accuracy for scanning attacks, outperforming other four peer techniques.
2020 IEEE 19th International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom), 2020
High false alarm rate and low detection rate are the major sticking points for unknown threat perception. To address the problems, in the paper, we present a densely connected residual network (Densely-ResNet) for attack recognition. Densely-ResNet is built with several basic residual units, where each of them consists of a series of Conv-GRU subnets by wide connections. Our evaluation shows that Densely-ResNet can accurately discover various unknown threats that appear in edge, fog and cloud layers and simultaneously maintain a much lower false alarm rate than existing algorithms.
Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, 2018
As Supervisory Control and Data Acquisition (SCADA) systems control several critical infrastructures, they have connected to the internet. Consequently, SCADA systems face different sophisticated types of cyber adversaries. This paper suggests a Probability Risk Identification based Intrusion Detection System (PRI-IDS) technique based on analysing network traffic of Modbus TCP/IP for identifying replay attacks. It is acknowledged that Modbus TCP is usually vulnerable due to its unauthenticated and unencrypted nature. Our technique is evaluated using a simulation environment by configuring a testbed, which is a custom SCADA network that is cheap, accurate and scalable. The testbed is exploited when testing the IDS by sending individual packets from an attacker located on the same LAN as the Modbus master and slave. The experimental results demonstrated that the proposed technique can effectively and efficiently recognise replay attacks.
Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, 2018
The IoT is a network of interconnected everyday objects called "things" that have been augmented with a small measure of computing capabilities. Lately, the IoT has been affected by a variety of different botnet activities. As botnets have been the cause of serious security risks and financial damage over the years, existing Network forensic techniques cannot identify and track current sophisticated methods of botnets. This is because commercial tools mainly depend on signature-based approaches that cannot discover new forms of botnet. In literature, several studies have conducted the use of Machine Learning (ML) techniques in order to train and validate a model for defining such attacks, but they still produce high false alarm rates with the challenge of investigating the tracks of botnets. This paper investigates the role of ML techniques for developing a Network forensic mechanism based on network flow identifiers that can track suspicious activities of botnets. The experimental results using the UNSW-NB15 dataset revealed that ML techniques with flow identifiers can effectively and efficiently detect botnets' attacks and their tracks.
ArXiv, 2021
Network Intrusion Detection Systems (NIDSs) datasets are essential tools used by researchers for the training and evaluation of Machine Learning (ML)-based NIDS models. There are currently five datasets, known as NF-UNSW-NB15, NF-BoT-IoT, NF-ToN-IoT, NF-CSE-CIC-IDS2018 and NF-UQ-NIDS, which are made up of a common feature set. However, their performances in classifying network traffic, mainly using the multi-classification method, are often unreliable. Therefore, this paper proposes a standard NetFlow feature set, to be used in future NIDS datasets due to the tremendous benefits of having a common feature set. NetFlow has been widely utilised in the networking industry for its practical scaling properties. The evaluation is done by extracting and labelling the proposed features from four well-known datasets. The newly generated datasets are known as NF-UNSW-NB15-v2, NF-BoT-IoT-v2, NF-ToN-IoT-v2, NF-CSE-CIC-IDS2018-v2 and NF-UQ-NIDS-v2. Their performances have been compared to their re...
In modern networked society, smart networks are indispensable to offer intelligent communications and automated services to end-users and organizations. Machine learning (ML)-based network intrusion detection system (NIDS) plays a critical role in safeguarding smart networks against novel cyber threats. However, there are two challenges in the existing designs: 1) achieving an outstanding performance of threat detection often produces high false positives, leading to alert fatigue and 2) the interpretability of detection results is low, making a difficulty of understanding cyber threats and taking prompt actions against them. To tackle these challenges, in this paper, we propose a cyber defense mechanism, namely DarkHunter, which includes three new components: stream processor, detection engine and incident analyzer. The stream processor converts raw network packets into data records, including statistical features, which involve latent patterns of legitimates or anomalies to be effe...
ArXiv, 2017
Network intrusion detection systems are an active area of research to identify threats that face computer networks. Network packets comprise of high dimensions which require huge effort to be examined effectively. As these dimensions contain some irrelevant features, they cause a high False Alarm Rate (FAR). In this paper, we propose a hybrid method as a feature selection, based on the central points of attribute values and an Association Rule Mining algorithm to decrease the FAR. This algorithm is designed to be implemented in a short processing time, due to its dependency on the central points of feature values with partitioning data records into equal parts. This algorithm is applied on the UNSW-NB15 and the NSL-KDD data sets to adopt the highest ranked features. Some existing techniques are used to measure the accuracy and FAR. The experimental results show the proposed model is able to improve the accuracy and decrease the FAR. Furthermore, its processing time is extremely short.
Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, 2021
Machine Learning (ML)-based Network Intrusion Detection Systems (NIDSs) have proven to become a reliable intelligence tool to protect networks against cyberattacks. Network data features have a great impact on the performances of ML-based NIDSs. However, evaluating ML models often are not reliable, as each ML-enabled NIDS is trained and validated using different data features that may not contain security events. Therefore, a common ground feature set from multiple datasets is required to evaluate an ML model's detection accuracy and its ability to generalise across datasets. This paper presents NetFlow features from four benchmark NIDS datasets known as UNSW-NB15, BoT-IoT, ToN-IoT, and CSE-CIC-IDS2018 using their publicly available packet capture files. In a real-world scenario, NetFlow features are relatively easier to extract from network traffic compared to the complex features used in the original datasets, as they are usually extracted from packet headers. The generated NetFlow datasets have been labelled for solving binary- and multiclass-based learning challenges. Preliminary results indicate that NetFlow features lead to similar binary-class results and lower multi-class classification results amongst the four datasets compared to their respective original features datasets.
IEEE Access, 2020
Advances in the Internet of Things (IoT) and aviation sector have resulted in the emergence of smart airports. Services and systems powered by the IoT enable smart airports to have enhanced robustness, efficiency and control, governed by real-time monitoring and analytics. Smart sensors control the environmental conditions inside the airport, automate passenger-related actions and support airport security. However, these augmentations and automation introduce security threats to network systems of smart airports. Cyber-attackers demonstrated the susceptibility of IoT systems and networks to Advanced Persistent Threats (APT), due to hardware constraints, software flaws or IoT misconfigurations. With the increasing complexity of attacks, it is imperative to safeguard IoT networks of smart airports and ensure reliability of services, as cyber-attacks can have tremendous consequences such as disrupting networks, cancelling travel, or stealing sensitive information. There is a need to adopt and develop new Artificial Intelligence (AI)-enabled cyber-defence techniques for smart airports, which will address the challenges brought about by the incorporation of IoT systems to the airport business processes, and the constantly evolving nature of contemporary cyber-attacks. In this study, we present a holistic review of existing smart airport applications and services enabled by IoT sensors and systems. Additionally, we investigate several types of cyber defence tools including AI and data mining techniques, and analyse their strengths and weaknesses in the context of smart airports. Furthermore, we provide a classification of smart airport subsystems based on their purpose and criticality and address cyber threats that can affect the security of smart airport's networks.
Sustainability, 2020
With the increasing popularity of the Internet of Things (IoT) platforms, the cyber security of these platforms is a highly active area of research. One key technology underpinning smart IoT systems is machine learning, which classifies and predicts events from large-scale data in IoT networks. Machine learning is susceptible to cyber attacks, particularly data poisoning attacks that inject false data when training machine learning models. Data poisoning attacks degrade the performances of machine learning models. It is an ongoing research challenge to develop trustworthy machine learning models resilient and sustainable against data poisoning attacks in IoT networks. We studied the effects of data poisoning attacks on machine learning models, including the gradient boosting machine, random forest, naive Bayes, and feed-forward deep learning, to determine the levels to which the models should be trusted and said to be reliable in real-world IoT settings. In the training phase, a lab...
IEEE Access, 2020
This paper reviews the background and related studies in the areas of cloud systems, intrusion detection and blockchain applications against cyber attacks. This work aims to discuss collaborative anomaly detection systems for discovering insider and outsider attacks from cloud centres, including the technologies of virtualisation and containerisation, along with trusting intrusion detection and cloud systems using blockchain. Moreover, the ability to detect such malicious attacks is critical for conducting necessary mitigation, at an early stage, to minimise the impact of disruption and restore cloud operations and their live migration processes. This paper presents an overview of cloud architecture and categorises potential state-of-the-art security events based on their occurrence at different cloud deployment models. Network Intrusion Detection Systems (NIDS) in the cloud, involving types of classification and common detection approaches, are also described. Collaborative NIDSs for cloud-based blockchain applications are also explained to demonstrate how blockchain can address challenges related to data privacy and trust management. A summary of the research challenges and future research directions in these fields is also explained.
Neural Computing and Applications, 2021
Human-to-machine (H2M) communication is an important evolution in the industrial internet of health things (IIoHT), where many H2M interfaces are remotely interacting with industrial and medical assets. Lightweight protocols, such as constrained application protocol (CoAP), have been widely utilised in transferring sensing data of medical devices to end-users in smart satellite-based healthcare IIoT networks (SmartSat-IIoHT). However, such protocols are extensively deployed without appropriate security configurations, making attackers' mission easier for abusing these protocols to launch advanced cyber threats. This paper, therefore, presents a new threat intelligence framework to examine and model CoAP protocol's attacks in these systems. We present a ransom denial of service (RDoS) as a new threat that would exploit this protocol's vulnerabilities. We propose many RDoS attack's techniques to understand the attack indicators and analyse their behaviour on systems. Moreover, we present a real-time discovery of attacks' network behaviours using deep learning. The experiment results demonstrate that this proposed discovery model obtains a better performance in revealing RDoS than other conventional machine learning algorithms and accomplishing high fidelity of protecting SmartSat-IIoHT networks.
IEEE Access, 2021
Cyber-Physical Systems (CPS) underpin global critical infrastructure, including power, water, gas systems and smart grids. CPS, as a technology platform, is unique as a target for Advanced Persistent Threats (APTs), given the potentially high impact of a successful breach. Additionally, CPSs are targets as they produce significant amounts of heterogeneous data from the multitude of devices and networks included in their architecture. It is, therefore, essential to develop efficient privacy-preserving techniques for safeguarding system data from cyber attacks. This paper introduces a comprehensive review of the current privacy-preserving techniques for protecting CPS systems and their data from cyber attacks. Concepts of Privacy preservation and CPSs are discussed, demonstrating CPSs' components and the way these systems could be exploited by either cyber and physical hacking scenarios. Then, classification of privacy preservation according to the way they would be protected, including perturbation, authentication, machine learning (ML), cryptography and blockchain, are explained to illustrate how they would be employed for data privacy preservation. Finally, we show existing challenges, solutions and future research directions of privacy preservation in CPSs.
IEEE Access, 2020
Although the Internet of Things (IoT) can increase efficiency and productivity through intelligent and remote management, it also increases the risk of cyber-attacks. The potential threats to IoT applications and the need to reduce risk have recently become an interesting research topic. It is crucial that effective Intrusion Detection Systems (IDSs) tailored to IoT applications be developed. Such IDSs require an updated and representative IoT dataset for training and evaluation. However, there is a lack of benchmark IoT and IIoT datasets for assessing IDSs-enabled IoT systems. This paper addresses this issue and proposes a new data-driven IoT/IIoT dataset with the ground truth that incorporates a label feature indicating normal and attack classes, as well as a type feature indicating the sub-classes of attacks targeting IoT/IIoT applications for multi-classification problems. The proposed dataset, which is named TON_IoT, includes Telemetry data of IoT/IIoT services, as well as Operating Systems logs and Network traffic of IoT network, collected from a realistic representation of a medium-scale network at the Cyber Range and IoT Labs at the UNSW Canberra (Australia). This paper also describes the proposed dataset of the Telemetry data of IoT/IIoT services and their characteristics. TON_IoT has various advantages that are currently lacking in the state-of-the-art datasets: i) it has various normal and attack events for different IoT/IIoT services, and ii) it includes heterogeneous data sources. We evaluated the performance of several popular Machine Learning (ML) methods and a Deep Learning model in both binary and multi-class classification problems for intrusion detection purposes using the proposed Telemetry dataset.
IEEE Internet of Things Journal, 2021
There has been significant research in incorporating both blockchain and intrusion detection to improve data privacy and detect existing and emerging cyberattacks, respectively. In these approaches, learning-based ensemble models can facilitate the identification of complex malicious events and concurrently ensure data privacy. Such models can also be used to provide additional security and privacy assurances during the live migration of virtual machines (VMs) in the cloud and to protect Internet-of-Things (IoT) networks. This would allow the secure transfer of VMs between data centers or cloud providers in real time. This article proposes a deep blockchain framework (DBF) designed to offer security-based distributed intrusion detection and privacy-based blockchain with smart contracts in IoT networks. The intrusion detection method is employed by a bidirectional long short-term memory (BiLSTM) deep learning algorithm to deal with sequential network data and is assessed using the data sets of UNSW-NB15 and BoT-IoT. The privacy-based blockchain and smart contract methods are developed using the Ethereum library to provide privacy to the distributed intrusion detection engines. The DBF framework is compared with peer privacy-preserving intrusion detection techniques, and the experimental outcomes reveal that DBF outperforms the other competing models. The framework has the potential to be used as a decision support system that can assist users and cloud providers in securely migrating their data in a timely and reliable manner.
2021 IEEE 21st International Conference on Software Quality, Reliability and Security (QRS), Dec 1, 2021
Machine learning (ML)-based intrusion detection systems (IDSs) play a critical role in discoverin... more Machine learning (ML)-based intrusion detection systems (IDSs) play a critical role in discovering unknown threats in a large-scale cyberspace. They have been adopted as a mainstream hunting method in many organizations, such as financial institutes, manufacturing companies and government agencies. However, existing designs achieve a high threat detection performance at the cost of a large number of false alarms, leading to alert fatigue. To tackle this issue, in this paper, we propose a neural-network-based defense mechanism named DarkHunter. DarkHunter incorporates both supervised learning and unsupervised learning in the design. It uses a deep ensemble network (trained through supervised learning) to detect anomalous network activities and exploits an unsupervised learning-based scheme to trim off mis-detection results. For each detected threat, DarkHunter can trace to its source and present the threat in its original traffic format. Our evaluations, based on the UNSW-NB15 dataset, show that DarkHunter outperforms the existing ML-based IDSs and is able to achieve a high detection accuracy while keeping a low false positive rate. Index Terms-Network intrusion detection, ensemble learning, neural networks, deep learning, machine learning. • We develop a deep ensemble neural network, Ensem-bleNet, for efficient threat detection. Unlike the traditional ensemble designs, which are mainly based on simple and weak ML models, our ensemble design is constructed with the DNN models so that the high learning potential of DNN can be utilized for good detection performance.
ACM Computing Surveys
The Internet of Things (IoT) ecosystem connects physical devices to the internet, offering signif... more The Internet of Things (IoT) ecosystem connects physical devices to the internet, offering significant advantages in agility, responsiveness, and potential environmental benefits. The number and variety of IoT devices are sharply increasing, and as they do, they generate significant data sources. Deep learning (DL) algorithms are increasingly integrated into IoT applications to learn and infer patterns and make intelligent decisions. However, current IoT paradigms rely on centralized storage and computing to operate the DL algorithms. This key central component can potentially cause issues in scalability, security threats, and privacy breaches. Federated learning (FL) has emerged as a new paradigm for DL algorithms to preserve data privacy. Although FL helps reduce privacy leakage by avoiding transferring client data, it still has many challenges related to models’ vulnerabilities and attacks. With the emergence of blockchain and smart contracts, the utilization of these technologie...
arXiv (Cornell University), Nov 7, 2017
Network forensic techniques help in tracking different types of cyber attack by monitoring and in... more Network forensic techniques help in tracking different types of cyber attack by monitoring and inspecting network traffic. However, with the high speed and large sizes of current networks, and the sophisticated philosophy of attackers, in particular mimicking normal behaviour and/or erasing traces to avoid detection, investigating such crimes demands intelligent network forensic techniques. This paper suggests a real-time collaborative network Forensic scheme (RCNF) that can monitor and investigate cyber intrusions. The scheme includes three components of capturing and storing network data, selecting important network features using chi-square method and investigating abnormal events using a new technique called correntropy-variation. We provide a case study using the UNSW-NB15 dataset for evaluating the scheme, showing its high performance in terms of accuracy and false alarm rate compared with three recent state-of-the-art mechanisms.
7th International Conference on Artificial Intelligence and Applications
The popularity of IoT smart things is rising, due to the automation they provide and its effects ... more The popularity of IoT smart things is rising, due to the automation they provide and its effects on productivity. However, it has been proven that IoT devices are vulnerable to both well established and new IoT-specific attack vectors. In this paper, we propose the Particle Deep Framework, a new network forensic framework for IoT networks that utilised Particle Swarm Optimisation to tune the hyperparameters of a deep MLP model and improve its performance. The PDF is trained and validated using Bot-IoT dataset, a contemporary network-traffic dataset that combines normal IoT and non-IoT traffic, with well known botnet-related attacks. Through experimentation, we show that the performance of a deep MLP model is vastly improved, achieving an accuracy of 99.9% and false alarm rate of close to 0%.
2021 IEEE 21st International Conference on Software Quality, Reliability and Security (QRS), 2021
Machine learning (ML)-based intrusion detection systems (IDSs) play a critical role in discovering unknown threats in a large-scale cyberspace. They have been adopted as a mainstream hunting method in many organizations, such as financial institutes, manufacturing companies and government agencies. However, existing designs achieve a high threat detection performance at the cost of a large number of false alarms, leading to alert fatigue. To tackle this issue, in this paper, we propose a neural-network-based defense mechanism named DarkHunter. DarkHunter incorporates both supervised learning and unsupervised learning in the design. It uses a deep ensemble network (trained through supervised learning) to detect anomalous network activities and exploits an unsupervised learning-based scheme to trim off mis-detection results. For each detected threat, DarkHunter can trace to its source and present the threat in its original traffic format. Our evaluations, based on the UNSW-NB15 dataset, show that DarkHunter outperforms the existing ML-based IDSs and is able to achieve a high detection accuracy while keeping a low false positive rate. Index Terms: Network intrusion detection, ensemble learning, neural networks, deep learning, machine learning. • We develop a deep ensemble neural network, EnsembleNet, for efficient threat detection. Unlike the traditional ensemble designs, which are mainly based on simple and weak ML models, our ensemble design is constructed with the DNN models so that the high learning potential of DNN can be utilized for good detection performance.
2021 IEEE 20th International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom), 2021
The Internet of Things (IoT) paradigm has displayed tremendous growth in recent years, resulting in innovations like Industry 4.0 and smart environments that provide improvements to efficiency, management of assets and facilitate intelligent decision making. However, these benefits are offset by considerable cybersecurity concerns that arise due to inherent vulnerabilities, which hinder IoT-based systems' Confidentiality, Integrity, and Availability. Security vulnerabilities can be detected through the application of penetration testing, and specifically, a subset of the information-gathering stage, known as vulnerability identification. Yet, existing penetration testing solutions cannot discover zero-day vulnerabilities from IoT environments, due to the diversity of generated data, hardware constraints, and environmental complexity. Thus, it is imperative to develop effective penetration testing solutions for the detection of vulnerabilities in smart IoT environments. In this paper, we propose a deep learning-based penetration testing framework, namely Long Short-Term Memory Recurrent Neural Network-Enabled Vulnerability Identification (LSTM-EVI). We utilize this framework through a novel cybersecurity-oriented testbed, which is a smart airport-based testbed comprised of both physical and virtual elements. The framework was evaluated using this testbed and on real-time data sources. Our results revealed that the proposed framework achieves about 99% detection accuracy for scanning attacks, outperforming four other peer techniques.
2020 IEEE 19th International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom), 2020
High false alarm rate and low detection rate are the major sticking points for unknown threat perception. To address the problems, in the paper, we present a densely connected residual network (Densely-ResNet) for attack recognition. Densely-ResNet is built with several basic residual units, where each of them consists of a series of Conv-GRU subnets by wide connections. Our evaluation shows that Densely-ResNet can accurately discover various unknown threats that appear in edge, fog and cloud layers and simultaneously maintain a much lower false alarm rate than existing algorithms.
Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, 2018
As Supervisory Control and Data Acquisition (SCADA) systems control several critical infrastructures, they have connected to the internet. Consequently, SCADA systems face different sophisticated types of cyber adversaries. This paper suggests a Probability Risk Identification based Intrusion Detection System (PRI-IDS) technique based on analysing network traffic of Modbus TCP/IP for identifying replay attacks. It is acknowledged that Modbus TCP is usually vulnerable due to its unauthenticated and unencrypted nature. Our technique is evaluated using a simulation environment by configuring a testbed, which is a custom SCADA network that is cheap, accurate and scalable. The testbed is exploited when testing the IDS by sending individual packets from an attacker located on the same LAN as the Modbus master and slave. The experimental results demonstrated that the proposed technique can effectively and efficiently recognise replay attacks.
Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, 2018
The IoT is a network of interconnected everyday objects called "things" that have been augmented with a small measure of computing capabilities. Lately, the IoT has been affected by a variety of different botnet activities. As botnets have been the cause of serious security risks and financial damage over the years, existing Network forensic techniques cannot identify and track current sophisticated methods of botnets. This is because commercial tools mainly depend on signature-based approaches that cannot discover new forms of botnet. In literature, several studies have conducted the use of Machine Learning (ML) techniques in order to train and validate a model for defining such attacks, but they still produce high false alarm rates with the challenge of investigating the tracks of botnets. This paper investigates the role of ML techniques for developing a Network forensic mechanism based on network flow identifiers that can track suspicious activities of botnets. The experimental results using the UNSW-NB15 dataset revealed that ML techniques with flow identifiers can effectively and efficiently detect botnets' attacks and their tracks.
ArXiv, 2021
Network Intrusion Detection Systems (NIDSs) datasets are essential tools used by researchers for the training and evaluation of Machine Learning (ML)-based NIDS models. There are currently five datasets, known as NF-UNSW-NB15, NF-BoT-IoT, NF-ToN-IoT, NF-CSE-CIC-IDS2018 and NF-UQ-NIDS, which are made up of a common feature set. However, their performances in classifying network traffic, mainly using the multi-classification method, are often unreliable. Therefore, this paper proposes a standard NetFlow feature set, to be used in future NIDS datasets due to the tremendous benefits of having a common feature set. NetFlow has been widely utilised in the networking industry for its practical scaling properties. The evaluation is done by extracting and labelling the proposed features from four well-known datasets. The newly generated datasets are known as NF-UNSW-NB15-v2, NF-BoT-IoT-v2, NF-ToN-IoT-v2, NF-CSE-CIC-IDS2018-v2 and NF-UQ-NIDS-v2. Their performances have been compared to their re...
In modern networked society, smart networks are indispensable to offer intelligent communications and automated services to end-users and organizations. Machine learning (ML)-based network intrusion detection system (NIDS) plays a critical role in safeguarding smart networks against novel cyber threats. However, there are two challenges in the existing designs: 1) achieving an outstanding performance of threat detection often produces high false positives, leading to alert fatigue and 2) the interpretability of detection results is low, making a difficulty of understanding cyber threats and taking prompt actions against them. To tackle these challenges, in this paper, we propose a cyber defense mechanism, namely DarkHunter, which includes three new components: stream processor, detection engine and incident analyzer. The stream processor converts raw network packets into data records, including statistical features, which involve latent patterns of legitimates or anomalies to be effe...
ArXiv, 2017
Network intrusion detection systems are an active area of research to identify threats that face computer networks. Network packets comprise of high dimensions which require huge effort to be examined effectively. As these dimensions contain some irrelevant features, they cause a high False Alarm Rate (FAR). In this paper, we propose a hybrid method as a feature selection, based on the central points of attribute values and an Association Rule Mining algorithm to decrease the FAR. This algorithm is designed to be implemented in a short processing time, due to its dependency on the central points of feature values with partitioning data records into equal parts. This algorithm is applied on the UNSW-NB15 and the NSLKDD data sets to adopt the highest ranked features. Some existing techniques are used to measure the accuracy and FAR. The experimental results show the proposed model is able to improve the accuracy and decrease the FAR. Furthermore, its processing time is extremely short.
Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, 2021
Machine Learning (ML)-based Network Intrusion Detection Systems (NIDSs) have proven to become a reliable intelligence tool to protect networks against cyberattacks. Network data features have a great impact on the performances of ML-based NIDSs. However, evaluating ML models is often not reliable, as each ML-enabled NIDS is trained and validated using different data features that may not contain security events. Therefore, a common ground feature set from multiple datasets is required to evaluate an ML model's detection accuracy and its ability to generalise across datasets. This paper presents NetFlow features from four benchmark NIDS datasets known as UNSW-NB15, BoT-IoT, ToN-IoT, and CSE-CIC-IDS2018 using their publicly available packet capture files. In a real-world scenario, NetFlow features are relatively easier to extract from network traffic compared to the complex features used in the original datasets, as they are usually extracted from packet headers. The generated NetFlow datasets have been labelled for solving binary- and multiclass-based learning challenges. Preliminary results indicate that NetFlow features lead to similar binary-class results and lower multi-class classification results amongst the four datasets compared to their respective original features datasets.
IEEE Access, 2020
Advances in the Internet of Things (IoT) and aviation sector have resulted in the emergence of smart airports. Services and systems powered by the IoT enable smart airports to have enhanced robustness, efficiency and control, governed by real-time monitoring and analytics. Smart sensors control the environmental conditions inside the airport, automate passenger-related actions and support airport security. However, these augmentations and automation introduce security threats to network systems of smart airports. Cyber-attackers demonstrated the susceptibility of IoT systems and networks to Advanced Persistent Threats (APT), due to hardware constraints, software flaws or IoT misconfigurations. With the increasing complexity of attacks, it is imperative to safeguard IoT networks of smart airports and ensure reliability of services, as cyber-attacks can have tremendous consequences such as disrupting networks, cancelling travel, or stealing sensitive information. There is a need to adopt and develop new Artificial Intelligence (AI)-enabled cyber-defence techniques for smart airports, which will address the challenges brought about by the incorporation of IoT systems to the airport business processes, and the constantly evolving nature of contemporary cyber-attacks. In this study, we present a holistic review of existing smart airport applications and services enabled by IoT sensors and systems. Additionally, we investigate several types of cyber defence tools including AI and data mining techniques, and analyse their strengths and weaknesses in the context of smart airports. Furthermore, we provide a classification of smart airport subsystems based on their purpose and criticality and address cyber threats that can affect the security of smart airport's networks.
Sustainability, 2020
With the increasing popularity of the Internet of Things (IoT) platforms, the cyber security of these platforms is a highly active area of research. One key technology underpinning smart IoT systems is machine learning, which classifies and predicts events from large-scale data in IoT networks. Machine learning is susceptible to cyber attacks, particularly data poisoning attacks that inject false data when training machine learning models. Data poisoning attacks degrade the performances of machine learning models. It is an ongoing research challenge to develop trustworthy machine learning models resilient and sustainable against data poisoning attacks in IoT networks. We studied the effects of data poisoning attacks on machine learning models, including the gradient boosting machine, random forest, naive Bayes, and feed-forward deep learning, to determine the levels to which the models should be trusted and said to be reliable in real-world IoT settings. In the training phase, a lab...
IEEE Access, 2020
This paper reviews the background and related studies in the areas of cloud systems, intrusion detection and blockchain applications against cyber attacks. This work aims to discuss collaborative anomaly detection systems for discovering insider and outsider attacks from cloud centres, including the technologies of virtualisation and containerisation, along with trusting intrusion detection and cloud systems using blockchain. Moreover, the ability to detect such malicious attacks is critical for conducting necessary mitigation, at an early stage, to minimise the impact of disruption and restore cloud operations and their live migration processes. This paper presents an overview of cloud architecture and categorises potential state-of-the-art security events based on their occurrence at different cloud deployment models. Network Intrusion Detection Systems (NIDS) in the cloud, involving types of classification and common detection approaches, are also described. Collaborative NIDSs for cloud-based blockchain applications are also explained to demonstrate how blockchain can address challenges related to data privacy and trust management. A summary of the research challenges and future research directions in these fields is also explained.
Neural Computing and Applications, 2021
Human-to-machine (H2M) communication is an important evolution in the industrial internet of health things (IIoHT), where many H2M interfaces are remotely interacting with industrial and medical assets. Lightweight protocols, such as constrained application protocol (CoAP), have been widely utilised in transferring sensing data of medical devices to end-users in smart satellite-based healthcare IIoT networks (SmartSat-IIoHT). However, such protocols are extensively deployed without appropriate security configurations, making attackers' mission easier for abusing these protocols to launch advanced cyber threats. This paper, therefore, presents a new threat intelligence framework to examine and model CoAP protocol's attacks in these systems. We present a ransom denial of service (RDoS) as a new threat that would exploit this protocol's vulnerabilities. We propose many RDoS attack's techniques to understand the attack indicators and analyse their behaviour on systems. Moreover, we present a real-time discovery of attacks' network behaviours using deep learning. The experiment results demonstrate that this proposed discovery model obtains a better performance in revealing RDoS than other conventional machine learning algorithms and accomplishing high fidelity of protecting SmartSat-IIoHT networks.
IEEE Access, 2021
Cyber-Physical Systems (CPS) underpin global critical infrastructure, including power, water, gas systems and smart grids. CPS, as a technology platform, is unique as a target for Advanced Persistent Threats (APTs), given the potentially high impact of a successful breach. Additionally, CPSs are targets as they produce significant amounts of heterogeneous data from the multitude of devices and networks included in their architecture. It is, therefore, essential to develop efficient privacy-preserving techniques for safeguarding system data from cyber attacks. This paper introduces a comprehensive review of the current privacy-preserving techniques for protecting CPS systems and their data from cyber attacks. Concepts of Privacy preservation and CPSs are discussed, demonstrating CPSs' components and the way these systems could be exploited by either cyber and physical hacking scenarios. Then, classification of privacy preservation according to the way they would be protected, including perturbation, authentication, machine learning (ML), cryptography and blockchain, are explained to illustrate how they would be employed for data privacy preservation. Finally, we show existing challenges, solutions and future research directions of privacy preservation in CPSs.
IEEE Access, 2020
Although the Internet of Things (IoT) can increase efficiency and productivity through intelligent and remote management, it also increases the risk of cyber-attacks. The potential threats to IoT applications and the need to reduce risk have recently become an interesting research topic. It is crucial that effective Intrusion Detection Systems (IDSs) tailored to IoT applications be developed. Such IDSs require an updated and representative IoT dataset for training and evaluation. However, there is a lack of benchmark IoT and IIoT datasets for assessing IDSs-enabled IoT systems. This paper addresses this issue and proposes a new data-driven IoT/IIoT dataset with the ground truth that incorporates a label feature indicating normal and attack classes, as well as a type feature indicating the sub-classes of attacks targeting IoT/IIoT applications for multi-classification problems. The proposed dataset, which is named TON_IoT, includes Telemetry data of IoT/IIoT services, as well as Operating Systems logs and Network traffic of IoT network, collected from a realistic representation of a medium-scale network at the Cyber Range and IoT Labs at the UNSW Canberra (Australia). This paper also describes the proposed dataset of the Telemetry data of IoT/IIoT services and their characteristics. TON_IoT has various advantages that are currently lacking in the state-of-the-art datasets: i) it has various normal and attack events for different IoT/IIoT services, and ii) it includes heterogeneous data sources. We evaluated the performance of several popular Machine Learning (ML) methods and a Deep Learning model in both binary and multi-class classification problems for intrusion detection purposes using the proposed Telemetry dataset.
IEEE Internet of Things Journal, 2021
There has been significant research in incorporating both blockchain and intrusion detection to improve data privacy and detect existing and emerging cyberattacks, respectively. In these approaches, learning-based ensemble models can facilitate the identification of complex malicious events and concurrently ensure data privacy. Such models can also be used to provide additional security and privacy assurances during the live migration of virtual machines (VMs) in the cloud and to protect Internet-of-Things (IoT) networks. This would allow the secure transfer of VMs between data centers or cloud providers in real time. This article proposes a deep blockchain framework (DBF) designed to offer security-based distributed intrusion detection and privacy-based blockchain with smart contracts in IoT networks. The intrusion detection method is employed by a bidirectional long short-term memory (BiLSTM) deep learning algorithm to deal with sequential network data and is assessed using the data sets of UNSW-NB15 and BoT-IoT. The privacy-based blockchain and smart contract methods are developed using the Ethereum library to provide privacy to the distributed intrusion detection engines. The DBF framework is compared with peer privacy-preserving intrusion detection techniques, and the experimental outcomes reveal that DBF outperforms the other competing models. The framework has the potential to be used as a decision support system that can assist users and cloud providers in securely migrating their data in a timely and reliable manner.