• A basic probability assignment methodology for unsupervised wireless intrusion detection

      Ghafir, Ibrahim; Kyriakopoulos, K.G.; Aparicio-Navarro, F.J.; Lambotharan, S.; Assadhan, B.; Binsalleeh, A.H. (2018-07-11)
      The broadcast nature of wireless local area networks has made them prone to several types of wireless injection attacks, such as Man-in-the-Middle (MitM) at the physical layer, deauthentication, and rogue access point attacks. The implementation of novel intrusion detection systems (IDSs) is fundamental to provide stronger protection against these wireless injection attacks. Since most attacks manifest themselves through different metrics, current IDSs should leverage a cross-layer approach to help toward improving the detection accuracy. The data fusion technique based on the Dempster–Shafer (D-S) theory has been proven to be an efficient technique to implement the cross-layer metric approach. However, the dynamic generation of the basic probability assignment (BPA) values used by D-S is still an open research problem. In this paper, we propose a novel unsupervised methodology to dynamically generate the BPA values, based on both the Gaussian and exponential probability density functions, the categorical probability mass function, and the local reachability density. Then, D-S is used to fuse the BPA values to classify whether the Wi-Fi frame is normal (i.e., non-malicious) or malicious. The proposed methodology provides 100% true positive rate (TPR) and 4.23% false positive rate (FPR) for the MitM attack and 100% TPR and 2.44% FPR for the deauthentication attack, which confirm the efficiency of the dynamic BPA generation methodology.
    • Denial of service detection using dynamic time warping

      Diab, D.M.; AsSadhan, B.; Binsalleeh, H.; Lambotharan, S.; Kyriakopoulos, K.G.; Ghafir, Ibrahim (2021)
      With the rapid growth of security threats in computer networks, the need for developing efficient security‐warning systems is substantially increasing. Distributed denial‐of‐service (DDoS) and DoS attacks are still among the most effective and dreadful attacks that require robust detection. In this work, we propose a new method to detect TCP DoS/DDoS attacks. Since analyzing network traffic is a promising approach, our proposed method utilizes network traffic by decomposing the TCP traffic into control and data planes and exploiting the dynamic time warping (DTW) algorithm for aligning these two planes with respect to the minimum Euclidean distance. By demonstrating that the distance between the control and data planes is considerably small for benign traffic, we exploit this characteristic for detecting attacks as outliers. An adaptive thresholding scheme is implemented by adjusting the value of the threshold in accordance with the local statistics of the median absolute deviation (MAD) of the distances between the two planes. We demonstrate the efficacy of the proposed method for detecting DoS/DDoS attacks by analyzing traffic data obtained from publicly available datasets.
    • Hidden Markov models and alert correlations for the prediction of advanced persistent threats

      Ghafir, Ibrahim; Kyriakopoulos, K.G.; Lambotharan, S.; Aparicio-Navarro, F.J.; Assadhan, B.; Binsalleeh, H.; Diab, D.M. (2019-07)
      Cyber security has become a matter of a global interest, and several attacks target industrial companies and governmental organizations. The advanced persistent threats (APTs) have emerged as a new and complex version of multi-stage attacks (MSAs), targeting selected companies and organizations. Current APT detection systems focus on raising the detection alerts rather than predicting APTs. Forecasting the APT stages not only reveals the APT life cycle in its early stages but also helps to understand the attacker's strategies and aims. This paper proposes a novel intrusion detection system for APT detection and prediction. This system undergoes two main phases; the first one achieves the attack scenario reconstruction. This phase has a correlation framework to link the elementary alerts that belong to the same APT campaign. The correlation is based on matching the attributes of the elementary alerts that are generated over a configurable time window. The second phase of the proposed system is the attack decoding. This phase utilizes the hidden Markov model (HMM) to determine the most likely sequence of APT stages for a given sequence of correlated alerts. Moreover, a prediction algorithm is developed to predict the next step of the APT campaign after computing the probability of each APT stage to be the next step of the attacker. The proposed approach estimates the sequence of APT stages with a prediction accuracy of at least 91.80%. In addition, it predicts the next step of the APT campaign with an accuracy of 66.50%, 92.70%, and 100% based on two, three, and four correlated alerts, respectively.