Malware Detection Using Decision Tree Based SVM Classifier for IoT

The development in Information and Communication Technology has led to the evolution of new computing and communication environment. Technological revolution with Internet of Things (IoTs) has developed various applications in almost all domains from health care, education to entertainment with sensors and smart devices. One of the subsets of IoT is Internet of Medical things (IoMT) which connects medical devices, hardware and software applications through internet. IoMT enables secure wireless communication over the Internet to allow efficient analysis of medical data. With these smart advancements and exploitation of smart IoT devices in health care technology there increases threat and malware attacks during transmission of highly confidential medical data. This work proposes a scheme by integrating machine learning approach and block chain technology to detect malware during data transmission in IoMT. The proposed Machine Learning based Block Chain Technology malware detection scheme (MLBCT-Mdetect) is implemented in three steps namely: feature extraction, Classification and blockchain. Feature extraction is performed by calculating the weight of each feature and reduces the features with less weight. Support Vector Machine classifier is employed in the second step to classify the malware and benign nodes. Furthermore, third step uses blockchain to store details of the selected features which eventually improves the detection of malware with significant improvement in speed and accuracy. ML-BCT-Mdetect achieves higher accuracy with low false positive rate and higher True positive rate.     

Analysis of Feature Importance and Interpretation for Malware Classification

This study was conducted to enable prompt classification of malware, which was becoming increasingly sophisticated. To do this, we analyzed the important features of malware and the relative importance of selected features according to a learning model to assess how those important features were identified. Initially, the analysis features were extracted using Cuckoo Sandbox, an open-source malware analysis tool, then the features were divided into five categories using the extracted information. The 804 extracted features were reduced by 70% after selecting only the most suitable ones for malware classification using a learning model-based feature selection method called the recursive feature elimination. Next, these important features were analyzed. The level of contribution from each one was assessed by the Random Forest classifier method. The results showed that System call features were mostly allocated. At the end, it was possible to accurately identify the malware type using only 36 to 76 features for each of the four types of malware with the most analysis samples available. These were the Trojan, Adware, Downloader, and Backdoor malware.     

ICMPTend: Internet Control Message Protocol Covert Tunnel Attack Intent Detector

The Internet Control Message Protocol (ICMP) covert tunnel refers to a network attack that encapsulates malicious data in the data part of the ICMP protocol for transmission. Its concealment is stronger and it is not easy to be discovered. Most detection methods are detecting the existence of channels instead of clarifying specific attack intentions. In this paper, we propose an ICMP covert tunnel attack intent detection framework ICMPTend, which includes five steps: data collection, feature dictionary construction, data preprocessing, model construction, and attack intent prediction. ICMPTend can detect a variety of attack intentions, such as shell attacks, sensitive directory access, communication protocol traffic theft, filling tunnel reserved words, and other common network attacks. We extract features from five types of attack intent found in ICMP channels. We build a multi-dimensional dictionary of malicious features, including shell attacks, sensitive directory access, communication protocol traffic theft, filling tunnel reserved words, and other common network attack keywords. For the high-dimensional and independent characteristics of ICMP traffic, we use a support vector machine (SVM) as a multi-class classifier. The experimental results show that the average accuracy of ICMPTend is 92%, training ICMPTend only takes 55 s, and the prediction time is only 2 s, which can effectively identify the attack intention of ICMP.     

An Efficient Internet Traffic Classification System Using Deep Learning for IoT

Internet of Things (IoT) defines a network of devices connected to the internet and sharing a massive amount of data between each other and a central location. These IoT devices are connected to a network therefore prone to attacks. Various management tasks and network operations such as security, intrusion detection, Quality-of-Service provisioning, performance monitoring, resource provisioning, and traffic engineering require traffic classification. Due to the ineffectiveness of traditional classification schemes, such as port-based and payload-based methods, researchers proposed machine learning-based traffic classification systems based on shallow neural networks. Furthermore, machine learning-based models incline to misclassify internet traffic due to improper feature selection. In this research, an efficient multilayer deep learning based classification system is presented to overcome these challenges that can classify internet traffic. To examine the performance of the proposed technique, Moore-dataset is used for training the classifier. The proposed scheme takes the pre-processed data and extracts the flow features using a deep neural network (DNN). In particular, the maximum entropy classifier is used to classify the internet traffic. The experimental results show that the proposed hybrid deep learning algorithm is effective and achieved high accuracy for internet traffic classification, i.e., 99.23%. Furthermore, the proposed algorithm achieved the highest accuracy compared to the support vector machine (SVM) based classification technique and k-nearest neighbours (KNNs) based classification technique.     

Malicious Traffic Detection in IoT and Local Networks Using Stacked Ensemble Classifier

Malicious traffic detection over the internet is one of the challenging areas for researchers to protect network infrastructures from any malicious activity. Several shortcomings of a network system can be leveraged by an attacker to get unauthorized access through malicious traffic. Safeguard from such attacks requires an efficient automatic system that can detect malicious traffic timely and avoid system damage. Currently, many automated systems can detect malicious activity, however, the efficacy and accuracy need further improvement to detect malicious traffic from multi-domain systems. The present study focuses on the detection of malicious traffic with high accuracy using machine learning techniques. The proposed approach used two datasets UNSW-NB15 and IoTID20 which contain the data for IoT-based traffic and local network traffic, respectively. Both datasets were combined to increase the capability of the proposed approach in detecting malicious traffic from local and IoT networks, with high accuracy. Horizontally merging both datasets requires an equal number of features which was achieved by reducing feature count to 30 for each dataset by leveraging principal component analysis (PCA). The proposed model incorporates stacked ensemble model extra boosting forest (EBF) which is a combination of tree-based models such as extra tree classifier, gradient boosting classifier, and random forest using a stacked ensemble approach. Empirical results show that EBF performed significantly better and achieved the highest accuracy score of 0.985 and 0.984 on the multi-domain dataset for two and four classes, respectively.     

Droid-IoT: Detect Android IoT Malicious Applications Using ML and Blockchain

One of the most rapidly growing areas in the last few years is the Internet of Things (IoT), which has been used in widespread fields such as healthcare, smart homes, and industries. Android is one of the most popular operating systems (OS) used by IoT devices for communication and data exchange. Android OS captured more than 70 percent of the market share in 2021. Because of the popularity of the Android OS, it has been targeted by cybercriminals who have introduced a number of issues, such as stealing private information. As reported by one of the recent studies Android malware are developed almost every 10 s. Therefore, due to this huge exploitation an accurate and secure detection system is needed to secure the communication and data exchange in Android IoT devices. This paper introduces Droid-IoT, a collaborative framework to detect Android IoT malicious applications by using the blockchain technology. Droid-IoT consists of four main engines: (i) collaborative reporting engine, (ii) static analysis engine, (iii) detection engine, and (iv) blockchain engine. Each engine contributes to the detection and minimization of the risk of malicious applications and the reporting of any malicious activities. All features are extracted automatically from the inspected applications to be classified by the machine learning model and store the results into the blockchain. The performance of Droid-IoT was evaluated by analyzing more than 6000 Android applications and comparing the detection rate of Droid-IoT with the state-of-the-art tools. Droid-IoT achieved a detection rate of 97.74% with a low false positive rate by using an extreme gradient boosting (XGBoost) classifier.     

An OpenFlow-Based Load Balancing Strategy in SDN

In today’s datacenter network, the quantity growth and complexity increment of traffic is unprecedented, which brings not only the booming of network development, but also the problem of network performance degradation, such as more chance of network congestion and serious load imbalance. Due to the dynamically changing traffic patterns, the state-of the-art approaches that do this all require forklift changes to data center networking gear. The root of problem is lack of distinct strategies for elephant and mice flows. Under this condition, it is essential to enforce accurate elephant flow detection and come up with a novel load balancing solution to alleviate the network congestion and achieve high bandwidth utilization. This paper proposed an OpenFlow-based load balancing strategy for datacenter networks that accurately detect elephant flows and enforce distinct routing schemes with different flow types so as to achieve high usage of network capacity. The prototype implemented in Mininet testbed with POX controller and verify the feasibility of our load-balancing strategy when dealing with flow confliction and network degradation. The results show the proposed strategy can adequately generate flow rules and significantly enhance the performance of the bandwidth usage compared against other solutions from the literature in terms of load balancing.     

A Novel Framework for Windows Malware Detection Using a Deep Learning Approach

Malicious software (malware) is one of the main cyber threats that organizations and Internet users are currently facing. Malware is a software code developed by cybercriminals for damage purposes, such as corrupting the system and data as well as stealing sensitive data. The damage caused by malware is substantially increasing every day. There is a need to detect malware efficiently and automatically and remove threats quickly from the systems. Although there are various approaches to tackle malware problems, their prevalence and stealthiness necessitate an effective method for the detection and prevention of malware attacks. The deep learning-based approach is recently gaining attention as a suitable method that effectively detects malware. In this paper, a novel approach based on deep learning for detecting malware proposed. Furthermore, the proposed approach deploys novel feature selection, feature co-relation, and feature representations to significantly reduce the feature space. The proposed approach has been evaluated using a Microsoft prediction dataset with samples of 21,736 malware composed of 9 malware families. It achieved 96.01% accuracy and outperformed the existing techniques of malware detection.     

Using Object Detection Network for Malware Detection and Identification in Network Traffic Packets

In recent years, the number of exposed vulnerabilities has grown rapidly and more and more attacks occurred to intrude on the target computers using these vulnerabilities such as different malware. Malware detection has attracted more attention and still faces severe challenges. As malware detection based traditional machine learning relies on exports’ experience to design efficient features to distinguish different malware, it causes bottleneck on feature engineer and is also time-consuming to find efficient features. Due to its promising ability in automatically proposing and selecting significant features, deep learning has gradually become a research hotspot. In this paper, aiming to detect the malicious payload and identify their categories with high accuracy, we proposed a packet-based malicious payload detection and identification algorithm based on object detection deep learning network. A dataset of malicious payload on code execution vulnerability has been constructed under the Metasploit framework and used to evaluate the performance of the proposed malware detection and identification algorithm. The experimental results demonstrated that the proposed object detection network can efficiently find and identify malicious payloads with high accuracy.     

Improved Enhanced Dbtma with Contention-Aware Admission Control to Improve the Network Performance in Manets

DBTMA relies entirely on RTS/CTS dialogue for un-collided transmission of data. The purpose is to improve the QoS at MAC layer by developing it over 802.11e standard. However, DBTMA does not guarantee real-time constraints without efficient method for controlling the network loads. The main challenges in MANETs include prediction of the available bandwidth, establishing communication with neighboring nodes and predicting the consumption of bandwidth flow. These challenges are provided with solutions using Contention-Aware Admission Control (CACP) protocol. In this paper, the EDBTMA protocol is combined with CACP protocol that introduces bandwidth calculation using admission control strategy. The calculation includes certain metrics like: admission control and bandwidth consumption. To compute the bandwidth of channel, bandwidth utilization and traffic priority is distinguished through dual busy tone is proposed. This operates distinctly on its own packet transmission operation. This CACP mechanism defends the conventional traffic flows from new nodes and based on the measured status information of the channel, it QoS of the admitted flows is maintained. This ensures maximum amount of bandwidth flows accommodated by resources and determines the resources in a system meet the new flow requirements while maintaining existing bandwidth flow levels.     

Deep Learning-Based Hybrid Intelligent Intrusion Detection System

Machine learning (ML) algorithms are often used to design effective intrusion detection (ID) systems for appropriate mitigation and effective detection of malicious cyber threats at the host and network levels. However, cybersecurity attacks are still increasing. An ID system can play a vital role in detecting such threats. Existing ID systems are unable to detect malicious threats, primarily because they adopt approaches that are based on traditional ML techniques, which are less concerned with the accurate classification and feature selection. Thus, developing an accurate and intelligent ID system is a priority. The main objective of this study was to develop a hybrid intelligent intrusion detection system (HIIDS) to learn crucial features representation efficiently and automatically from massive unlabeled raw network traffic data. Many ID datasets are publicly available to the cybersecurity research community. As such, we used a spark MLlib (machine learning library)-based robust classifier, such as logistic regression (LR), extreme gradient boosting (XGB) was used for anomaly detection, and a state-of-the-art DL, such as a long short-term memory autoencoder (LSTMAE) for misuse attack was used to develop an efficient and HIIDS to detect and classify unpredictable attacks. Our approach utilized LSTM to detect temporal features and an AE to more efficiently detect global features. Therefore, to evaluate the efficacy of our proposed approach, experiments were conducted on a publicly existing dataset, the contemporary real-life ISCX-UNB dataset. The simulation results demonstrate that our proposed spark MLlib and LSTMAE-based HIIDS significantly outperformed existing ID approaches, achieving a high accuracy rate of up to 97.52% for the ISCX-UNB dataset respectively 10-fold cross-validation test. It is quite promising to use our proposed HIIDS in real-world circumstances on a large-scale.     

MMALE—A Methodology for Malware Analysis in Linux Environments

In a computer environment, an operating system is prone to malware, and even the Linux operating system is not an exception. In recent years, malware has evolved, and attackers have become more qualified compared to a few years ago. Furthermore, Linux-based systems have become more attractive to cybercriminals because of the increasing use of the Linux operating system in web servers and Internet of Things (IoT) devices. Windows is the most employed OS, so most of the research efforts have been focused on its malware protection rather than on other operating systems. As a result, hundreds of research articles, documents, and methodologies dedicated to malware analysis have been reported. However, there has not been much literature concerning Linux security and protection from malware. To address all these new challenges, it is necessary to develop a methodology that can standardize the required steps to perform the malware analysis in depth. A systematic analysis process makes the difference between good and ordinary malware analyses. Additionally, a deep malware comprehension can yield a faster and much more efficient malware eradication. In order to address all mentioned challenges, this article proposed a methodology for malware analysis in the Linux operating system, which is a traditionally overlooked field compared to the other operating systems. The proposed methodology is tested by a specific Linux malware, and the obtained test results have high effectiveness in malware detection.     

BotSward: Centrality Measures for Graph-Based Bot Detection Using Machine Learning

The number of botnet malware attacks on Internet devices has grown at an equivalent rate to the number of Internet devices that are connected to the Internet. Bot detection using machine learning (ML) with flow-based features has been extensively studied in the literature. Existing flow-based detection methods involve significant computational overhead that does not completely capture network communication patterns that might reveal other features of malicious hosts. Recently, Graph-Based Bot Detection methods using ML have gained attention to overcome these limitations, as graphs provide a real representation of network communications. The purpose of this study is to build a botnet malware detection system utilizing centrality measures for graph-based botnet detection and ML. We propose BotSward, a graph-based bot detection system that is based on ML. We apply the efficient centrality measures, which are Closeness Centrality (CC), Degree Centrality (CC), and PageRank (PR), and compare them with others used in the state-of-the-art. The efficiency of the proposed method is verified on the available Czech Technical University 13 dataset (CTU-13). The CTU-13 dataset contains 13 real botnet traffic scenarios that are connected to a command-and-control (C&C) channel and that cause malicious actions such as phishing, distributed denial-of-service (DDoS) attacks, spam attacks, etc. BotSward is robust to zero-day attacks, suitable for large-scale datasets, and is intended to produce better accuracy than state-of-the-art techniques. The proposed BotSward solution achieved 99% accuracy in botnet attack detection with a false positive rate as low as 0.0001%.     

Detection of incidents and events in urban networks

Events and incidents are relatively rare, but they often have a negative impact on traffic. Reliable travel demand predictions during events and incident detection algorithms are thus essential. The authors study link flows that were collected throughout the Dutch city of Almelo. We show that reliable, event-related demand forecasting is possible, but predictions can be improved if exact start and end times of events are known, and demand variations are monitored conscientiously. For incident detection, we adopt a method that is based on the detection of outliers. Our algorithm detects most outliers, while the fraction of detections due to noisy data is only a few percent. Although our method is less suitable for automatic incident detection, it can be used in an urban warning system that alerts managers in case of a possible incident. It also enables us to study incidents off-line. In doing so, we find that a significant fraction of traffic changes route during an incident.     

DDoS Attack Detection via Multi-Scale Convolutional Neural Network

Distributed Denial-of-Service (DDoS) has caused great damage to the network in the big data environment. Existing methods are characterized by low computational efficiency, high false alarm rate and high false alarm rate. In this paper, we propose a DDoS attack detection method based on network flow grayscale matrix feature via multiscale convolutional neural network (CNN). According to the different characteristics of the attack flow and the normal flow in the IP protocol, the seven-tuple is defined to describe the network flow characteristics and converted into a grayscale feature by binary. Based on the network flow grayscale matrix feature (GMF), the convolution kernel of different spatial scales is used to improve the accuracy of feature segmentation, global features and local features of the network flow are extracted. A DDoS attack classifier based on multi-scale convolution neural network is constructed. Experiments show that compared with correlation methods, this method can improve the robustness of the classifier, reduce the false alarm rate and the missing alarm rate.     

Improving network anomaly detection via selective flow-based sampling

Sampling has become an essential component of scalable Internet traffic monitoring and anomaly detection. A new flow-based sampling technique that focuses on the selection of small flows, which are usually the source of malicious traffic, is introduced and analysed. The proposed approach provides a flexible framework for preferential flow sampling that can effectively balance the tradeoff between the volume of the processed information and the anomaly detection accuracy. The performance evaluation of the impact of selective flow-based sampling on the anomaly detection process is achieved through the adoption and application of a sequential non-parametric change-point anomaly detection method on realistic data that have been collected from a real operational university campus network. The corresponding numerical results demonstrate that the proposed approach achieves to improve anomaly detection effectiveness and at the same time reduces the number of selected flows.     

Traffic Sign Detection with Low Complexity for Intelligent Vehicles Based on Hybrid Features

Globally traffic signs are used by all countries for healthier traffic flow and to protect drivers and pedestrians. Consequently, traffic signs have been of great importance for every civilized country, which makes researchers give more focus on the automatic detection of traffic signs. Detecting these traffic signs is challenging due to being in the dark, far away, partially occluded, and affected by the lighting or the presence of similar objects. An innovative traffic sign detection method for red and blue signs in color images is proposed to resolve these issues. This technique aimed to devise an efficient, robust and accurate approach. To attain this, initially, the approach presented a new formula, inspired by existing work, to enhance the image using red and green channels instead of blue, which segmented using a threshold calculated from the correlational property of the image. Next, a new set of features is proposed, motivated by existing features. Texture and color features are fused after getting extracted on the channel of Red, Green, and Blue (RGB), Hue, Saturation, and Value (HSV), and YCbCr color models of images. Later, the set of features is employed on different classification frameworks, from which quadratic support vector machine (SVM) outnumbered the others with an accuracy of 98.5%. The proposed method is tested on German Traffic Sign Detection Benchmark (GTSDB) images. The results are satisfactory when compared to the preceding work.     

High Performance Classification of Android Malware Using Ensemble Machine Learning

Although Android becomes a leading operating system in market, Android users suffer from security threats due to malwares. To protect users from the threats, the solutions to detect and identify the malware variant are essential. However, modern malware evades existing solutions by applying code obfuscation and native code. To resolve this problem, we introduce an ensemble-based malware classification algorithm using malware family grouping. The proposed family grouping algorithm finds the optimal combination of families belonging to the same group while the total number of families is fixed to the optimal total number. It also adopts unified feature extraction technique for handling seamless both bytecode and native code. We propose a unique feature selection algorithm that improves classification performance and time simultaneously. 2-gram based features are generated from the instructions and segments, and then selected by using multiple filters to choose most effective features. Through extensive simulation with many obfuscated and native code malware applications, we confirm that it can classify malwares with high accuracy and short processing time. Most existing approaches failed to achieve classification speed and detection time simultaneously. Therefore, the approach can help Android users to keep themselves safe from various and evolving cyber-attacks very effectively.     

输入排队调度算法仿真验证平台的设计与实现

描述了一个输入排队调度算法的软件仿真验证平台的设计与实现，通过该平台可以真实有效地验证各种输入排队调度算法。设计过程中使用了面向对象技术，依据实际系统功能建模，数据流在仿真过程中贴近实际处理过程且便于观测。在该平台中，集成了几种特定业务源和用于性能比较的多种典型调度算法，这使得调度算法的验证更加灵活客观。     

输气管道气体流经阀门气动噪声产生机理分析

为区分输气管道泄漏音波与阀门噪声,为输气管道音波法泄漏检测提供理论依据及数据库、控制阀门噪声提供解决办法,从音波产生机理角度采用CFD软件耦合专业声学软件方法对输气管道气体流经阀门产生的气动噪声进行研究,建立气动噪声模型,探究气动噪声产生机理及传播、衰减规律。在CFD（Computational Fluid Dynamics）软件中采用大涡湍流模型对气体流经阀门时的瞬态流场求解分析,获得流场分布如脉动压力、脉动速度数据;将CFD计算所得数据导入专业声学软件进行联合仿真,生成气动噪声源项,包括偶极子声源及四极子声源,建立气动噪声产生传播模型,求解输气管道气体流经阀门的气动噪声。