Prof. Mouhammd Al-kasassbeh
  • Computer Science Department King Hussein School of Computing Sciences, Princess Sumaya University for Technology, Amman, Jordan
  • 0797388388
  • Dr. Mouhammd Alkasassbeh graduated from the School of Computing, Portsmouth University, UK in 2008. He is currently an as...
Intrusion Detection Systems (IDSs) have become essential to the sound operation of networks. These systems can identify and report deviations from normal behaviour, which is crucial for the sustainability and resilience of networks. A large number of IDSs have been proposed in the literature, but only a few of them have succeeded in real-world environments. This study presents a taxonomy and a survey of state-of-the-art intrusion detection systems. It also describes the characteristics of successful IDSs and sheds light on the gaps that need to be resolved for future IDSs to become fit for deployment in realistic environments.
The integration of a fuzzy system and automaton theory can form the concept of a fuzzy automaton. This integration allows a discretely defined state machine to act on continuous universes and handle uncertainty in applications such as Intrusion Detection Systems (IDS). Typical IDS detection mechanisms are designed to detect and prevent single-stage attacks. Such attacks can be detected using either a common threshold or pre-defined rules. However, attack techniques have changed in recent years, and the largest proportion of attacks performed today are multi-step attacks. The goal of this paper is to introduce a novel detection mechanism for multi-step attacks built upon a Fuzzy Rule Interpolation (FRI) based fuzzy automaton. The FRI method lets the fuzzy automaton act on a not fully defined state-transition rule-base by offering an interpolated conclusion even for situations that are not explicitly defined. In the suggested model, the intrusion-definition state-transition rule-base is written in an open-source fuzzy declarative language. On the multi-step attack benchmark dataset introduced in this paper, the proposed detection mechanism achieved a 97.836% detection rate. Furthermore, in the studied examples, the suggested method was able not only to detect the multi-step attack but to detect it early, in stages where the planned attack is not yet fully elaborated and hence less harmful. According to these results, an IDS built upon the FRI-based fuzzy automaton could be a useful tool for detecting multi-step attacks, even when the intrusion state-transition rule-base is incomplete. Early detection of multi-step attacks also allows the administrator to take the necessary actions in time to mitigate the potential threats.
With increasing technological development, the Internet has become ubiquitous and accessible to everyone. There is a considerable number of web pages serving different purposes, but not all of these sites are legitimate: so-called phishing sites deceive users into serving the phisher's interests. This paper addresses this problem using machine learning algorithms together with a novel phishing-detection dataset containing 5000 legitimate web pages and 5000 phishing ones. Various machine learning algorithms were tested, and J48, Random Forest and Multilayer Perceptron were chosen. Different feature-selection methods were applied to the dataset to improve the efficiency of the models. The best result was achieved by using 20 of the 48 features with the Random Forest algorithm, giving an accuracy of 98.11%.
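As an added illustration of the lexical-feature approach these phishing papers build on (this is not code from the paper, whose 48-feature set is not listed on this page), the following Python snippet extracts a handful of URL features of the kind heuristic detectors use and scores them with hand-set weights. The feature names, token list, weights and threshold are assumptions chosen for the demonstration, and the sample URLs are constructed.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumed lexical indicators; a real model would learn weights from labelled data.
SUSPICIOUS_TOKENS = ("login", "verify", "secure", "account", "update", "confirm", "bank")


def extract_features(url):
    """Lexical URL features used by heuristic phishing detectors (assumed feature set)."""
    normalized = url if "://" in url else "http://" + url
    parts = urlsplit(normalized)
    host = (parts.hostname or "").lower()
    path_and_query = (parts.path + "?" + parts.query if parts.query else parts.path).lower()
    try:
        ipaddress.ip_address(host)          # raw IP instead of a domain name
        host_is_ip = 1
    except ValueError:
        host_is_ip = 0
    return {
        "url_length": len(url),
        "host_is_ip": host_is_ip,
        # labels before the registered domain; no public-suffix list is used here
        "num_subdomains": 0 if host_is_ip else max(0, host.count(".") - 1),
        "has_at_sign": int("@" in normalized),          # userinfo trick: real-site@evil
        "hyphen_in_host": int("-" in host),
        # "https" appearing as a label or path segment rather than as the scheme
        "https_token_outside_scheme": int("https" in host or "https" in path_and_query),
        "suspicious_tokens": sum(tok in normalized.lower() for tok in SUSPICIOUS_TOKENS),
        "digits_in_host": sum(ch.isdigit() for ch in host),
        "uses_https": int(parts.scheme == "https"),
        "path_depth": parts.path.count("/"),
    }


def phishing_score(features):
    """Hand-weighted heuristic score (weights are assumptions, not from the paper)."""
    score = 3.0 * features["host_is_ip"]
    score += 2.0 * features["has_at_sign"]
    score += 1.5 * features["https_token_outside_scheme"]
    score += 1.0 * features["hyphen_in_host"]
    score += 0.5 * min(features["num_subdomains"], 4)
    score += 0.5 * min(features["suspicious_tokens"], 4)
    score += 1.0 if features["url_length"] > 75 else 0.0
    score -= 0.5 * features["uses_https"]
    return score


def classify(url, threshold=3.0):
    return "phishing" if phishing_score(extract_features(url)) >= threshold else "legitimate"


if __name__ == "__main__":
    # Constructed sample URLs (example/documentation ranges only).
    for sample in (
        "https://www.example.com/about/team",
        "https://www.example.com/secure/login",
        "http://192.0.2.44/examplebank.com/login/verify.php",
        "http://secure-login.examplebank.com.verify-account.net/https/update",
    ):
        print(f"{classify(sample):10s} {phishing_score(extract_features(sample)):4.1f}  {sample}")
```

The second sample shows why suspicious words alone are a weak signal: a legitimate login page under a plain HTTPS domain stays below the threshold, while an IP-hosted path or a brand name buried in a long hyphenated host pushes the score over it.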
Many approaches have evolved to enhance the detection of network anomalies using SNMP-MIBs. Most of these approaches apply machine learning algorithms to a large number of SNMP-MIB parameters, which may consume most of the hardware resources (CPU, memory and bandwidth). In this paper, we introduce an efficient detection model that uses Lazy.IBk as the machine learning classifier, with Correlation and ReliefF as attribute evaluators, over SNMP-MIB interface parameters only. This model achieves an accuracy of 99.94% with minimal hardware resource consumption, so it can be adopted in an intrusion detection system (IDS) to increase its performance and efficiency.
Network anomalies are destructive to networks. Intrusion detection systems monitor the behaviour of network components to detect unusual activity (i.e., possible threats). The application-layer Simple Network Management Protocol (SNMP) has been used for decades over TCP/IP to manage network devices. Evaluating raw data for intrusion detection incurs detection latency; the Management Information Base (MIB) combined with SNMP is a solution to this, but the traditional SNMP approach is centralized, which makes it unreliable and non-adaptive to network changes in a distributed network. In a distributed network, single or multiple lightweight mobile agents are an optimal solution for data gathering, as they can move from one source node to another and execute locally at each. This helps complete tasks without increasing network overhead and contributes to decreasing latency. This paper focuses on finding the optimal number of mobile agents needed to complete the data-retrieval task with the minimum routing time, without affecting network bandwidth, in order to solve the SNMP-MIB centralization issue and enhance detection time. Two types of agents are used: a link agent for discovering the network, and data agents for MIB gathering. The link agent runs on the home node to discover the network and determine node connectivity. The network is then partitioned based on the agent's execution time, and a single mobile agent is sent to each partition to complete the MIB-retrieval task. This approach aims to finish the MIB-retrieval task with minimum routing time while keeping the generation of mobile agents under control to maintain optimal network bandwidth. Our approach enhances two approaches proposed in previous studies in the same field; this paper presents details of each approach and compares them with respect to the number of agents used to gather MIB data and the time needed to complete the gathering task.
Leader election is an important issue in distributed systems and communication networks. Many protocols and algorithms running on distributed systems need a leader to ensure smooth execution; the leader is responsible for synchronizing and coordinating the system processes. The absence of a leader makes the system inconsistent and therefore unreliable. This problem can be solved by leader election algorithms. In this paper, we propose, for the first time, a new leader election algorithm to handle leader failure in a honeycomb mesh network. The honeycomb mesh network is desirable due to its low network cost, regularity and scalability. The proposed algorithm aims to select exactly one node among all active nodes in the network as the new leader; the node elected as the new leader has higher priority than the other nodes. The performance of the proposed algorithm is evaluated by computing the number of messages and time steps required to elect a new leader and complete the algorithm's mission. The mathematical evaluation shows that the proposed algorithm requires O(n) messages in O() time steps in the best case, and O(n^1.5) messages in O() time steps in the worst case.
A practical task in information reliability and security is effective intrusion detection and prevention. Open systems are vulnerable: with detailed information about system structures, ever more sophisticated network intrusion methods can be easily developed and quickly tested. Intruders keep up to date with current technology and generate new intrusion methods. There are several defence solutions against intrusions, the most common being the Intrusion Detection System (IDS). To give a short overview of some IDS methods, this paper applies the commonly available KDD-99 dataset to compare and discuss IDS performance for different intrusion types. The IDS performance of the J48, Random Forest, Random Tree, Decision Table, Multi-layer Perceptron (MLP) and Naive Bayes classifiers is compared in terms of average accuracy rate, precision, false positive and false negative rates for DOS, R2L, U2R and PROBE attacks, with particular attention to false alarm values. During the tests, the Random Forest algorithm produced the highest average accuracy rate, 93.77%, while the Random Tree algorithm had the lowest, 90.57%. The lowest false negative value was produced by the Decision Table algorithm.
SNMP-MIB data are widely used with machine learning to classify traffic, but using the full, huge SNMP-MIB dataset is inefficient and consumes time and resources. In this paper, REP Tree, J48 (Decision Tree) and Random Forest classifiers were used to train a model that detects anomalies and predicts the network attacks that may affect the Internet Protocol (IP) group. This trained model can be used in devices that detect anomalies, such as intrusion detection systems.
Energy consumption and network lifetime are among the essential considerations in the design of wireless sensor networks (WSNs), which has led researchers in networks and communications to work on innovative mechanisms to reduce energy consumption in these networks and prolong their lifetime. Several WSN clustering protocols have been suggested, most of them homogeneous; LEACH and M-GEAR are among the most common examples. In this paper, we propose six models for dividing a WSN. In each model, sensor nodes are distributed randomly over four zones of the sensor field. Cluster heads (CHs) are installed at the centre of the geometric shape of each zone, where a circle, a square or both are used, and the sink is located at the centre of the sensor area. Sensor nodes located around the sink and within the geometric shape connect directly to the sink; outer nodes contact the nearest CHs, with Dijkstra's algorithm used to determine the nearest CH. For the average number of dead nodes, the square-circle method achieved the best result (73.42), followed by the circle-square method (79.66). The largest number of dead nodes appeared when a single square was used (97.15). Comparing the outcomes with the M-GEAR and LEACH protocols, our square-circle model stabilizes energy use within sensor nodes, whereas nodes in M-GEAR and LEACH do not stay alive for long; they die once the stability period is over.
The Denial of Service (DOS) attack is one of the attacks most favoured by cyber criminals; it aims to degrade network performance and prevent the network from performing its intended functions. Moreover, DOS attacks can cause huge damage to data confidentiality, integrity and availability. This paper introduces a system that inspects network traffic and distinguishes DOS attacks from normal traffic based on an adopted dataset. The results show that the adopted algorithms with the ICMP variables achieved an accuracy of approximately 99.6% in detecting the ICMP Echo attack, HTTP Flood attack and Slowloris attack. Moreover, the designed model distinguished normal traffic from the various DOS attacks with a rate of 100%.
Random Early Detection (RED) is used as an Active Queue Management (AQM) technique for TCP congestion handling. A modification of RED called Gentle RED (GRED) has been proposed by adding the Gentle parameter to the original implementation of RED. This parameter has been turned on by default in NS2 simulator versions 2.1b and later, on the claim that it helps smooth out traffic in routers and increases network performance. In this article we revisit this parameter and show, through simulation, that it should be turned off in current simulations of RED using the NS2 simulator and replaced by an adaptation parameter such as the Adaptive parameter in ARED.
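As an added example (not code from the article or from NS2), the following Python functions state the RED drop/marking probability that the Gentle parameter modifies. With Gentle off, every packet is dropped once the average queue size reaches max_th; with Gentle on, the probability rises linearly from max_p at max_th to 1 at 2*max_th, which is the standard gentle RED definition. The thresholds, max_p and queue weight used in the demonstration are assumptions.

```python
def red_drop_probability(avg, min_th, max_th, max_p, gentle=False):
    """Per-packet drop/marking probability p_b as a function of the EWMA queue size.

    avg < min_th            : never drop
    min_th <= avg < max_th  : linear ramp from 0 to max_p (original RED and GRED)
    avg >= max_th, not gentle: drop everything (original RED)
    max_th <= avg < 2*max_th, gentle: linear ramp from max_p to 1 (Gentle RED)
    avg >= 2*max_th, gentle : drop everything
    """
    if avg < min_th:
        return 0.0
    if avg < max_th:
        return max_p * (avg - min_th) / (max_th - min_th)
    if not gentle or avg >= 2 * max_th:
        return 1.0
    return max_p + (1.0 - max_p) * (avg - max_th) / max_th


def ewma_average(avg, queue_len, w_q=0.002):
    """RED's exponentially weighted moving average of the instantaneous queue length."""
    return (1.0 - w_q) * avg + w_q * queue_len


def drop_curve(min_th, max_th, max_p, gentle, points):
    """Tabulate p_b over a list of average queue sizes (rounded for display)."""
    return [(a, round(red_drop_probability(a, min_th, max_th, max_p, gentle), 4)) for a in points]


if __name__ == "__main__":
    # Assumed RED configuration: min_th=5, max_th=15 packets, max_p=0.1.
    points = list(range(0, 35, 5))
    print("RED  :", drop_curve(5, 15, 0.1, False, points))
    print("GRED :", drop_curve(5, 15, 0.1, True, points))
    # Show how slowly the average tracks a sudden burst with the default small w_q.
    avg = 0.0
    for _ in range(50):
        avg = ewma_average(avg, 30)
    print("avg after 50 packets at queue 30:", round(avg, 3))
```

The curve makes the article's point concrete: at avg = max_th the original RED jumps from max_p straight to 1, while GRED spreads the same transition over the next max_th packets of queue depth.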
Network security engineers work to keep services available at all times by handling intruder attacks. The Intrusion Detection System (IDS) is one of the available mechanisms used to sense and classify abnormal actions. The IDS must therefore always be up to date with the latest attack signatures to preserve the confidentiality, integrity and availability of services, and its speed is as important as learning new attacks. This research work illustrates how the Knowledge Discovery and Data Mining (or Knowledge Discovery in Databases, KDD) dataset is very useful for testing and evaluating different machine learning techniques. It focuses mainly on the KDD preprocessing step in order to prepare a sound and fair experimental dataset. The J48, Random Forest, Random Tree, MLP, Naïve Bayes and Bayes Network classifiers were chosen for this study. The Random Forest classifier achieved the highest accuracy rate for detecting and classifying all KDD dataset attack types (DOS, R2L, U2R and PROBE).
Fuzzy Rule Interpolation (FRI) offers a convenient way of delivering rule-based decisions on continuous universes while avoiding the burden of binary decisions. In contrast with classical fuzzy systems, FRI also performs well on partially complete rule bases, which serves methodologies with an incremental rule-base creation structure. These features make FRI methods a strong candidate for detecting and preventing different types of attacks in an Intrusion Detection System (IDS) application. This paper introduces a detection approach for slow port scan attacks by adapting the FRI reasoning method. A controlled test-bed environment was designed and implemented for the purpose of this study, and the proposed detection approach was tested and evaluated using different observations. Experimental analysis on the real test-bed provides useful insights into the effectiveness of the proposed approach, including its efficacy in detecting the port scan attack and in determining its level of severity. In the discussion, the efficacy of the proposed detection approach is compared to the SNORT IDS. The comparison showed that SNORT was unable to detect the slow and very slow port scan attacks, whereas the proposed FRI rule-based detection approach detected the attacks and generated comprehensive results for further analysis of the attack's severity.
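The following Python example is added here to show, on a constructed connection log, why a slow scan slips past a crisp short-window rule and how a long-window count with fuzzy severity catches it. It is not the paper's FRI implementation: the fuzzy part is a simplified zero-order Sugeno inference (membership functions and singleton consequents are assumptions), the "Snort-like" threshold rule is hypothetical rather than Snort's actual configuration, and all addresses and timings are constructed.

```python
from collections import defaultdict

# Constructed connection log: (timestamp_s, src_ip, dst_ip, dst_port).
# The scanner probes one new port every 30 s, i.e. 60 ports in half an hour.
SCANNER, BENIGN, TARGET = "203.0.113.9", "198.51.100.4", "192.0.2.10"
EVENTS = [(i * 30.0, SCANNER, TARGET, 1 + i) for i in range(60)]
# A benign client alternating between two service ports on the same host.
EVENTS += [(i * 15.0, BENIGN, TARGET, 443 if i % 2 else 80) for i in range(120)]
EVENTS.sort()


def distinct_ports_per_window(events, window_s):
    """Map (src, dst, window_index) -> set of distinct destination ports."""
    buckets = defaultdict(set)
    for ts, src, dst, dport in events:
        buckets[(src, dst, int(ts // window_s))].add(dport)
    return buckets


def threshold_detector(events, window_s, min_ports):
    """Crisp, signature-style rule (hypothetical, Snort-like): flag a source that
    touches at least min_ports distinct ports on one host inside one window."""
    flagged = set()
    for (src, _dst, _win), ports in distinct_ports_per_window(events, window_s).items():
        if len(ports) >= min_ports:
            flagged.add(src)
    return flagged


# --- fuzzy severity (simplified Sugeno inference, not FRI) -------------------
def trimf(x, a, b, c):
    """Triangular membership function with feet a, c and peak b."""
    if x <= a or x >= c:
        return 0.0
    return (x - a) / (b - a) if x <= b else (c - x) / (c - b)


def falling_shoulder(x, a, b):
    """1 up to a, falling linearly to 0 at b."""
    return 1.0 if x <= a else 0.0 if x >= b else (b - x) / (b - a)


def rising_shoulder(x, a, b):
    """0 up to a, rising linearly to 1 at b."""
    return 0.0 if x <= a else 1.0 if x >= b else (x - a) / (b - a)


def port_count_memberships(n_ports):
    """Assumed linguistic terms for 'distinct ports seen from one source in the window'."""
    return {
        "low": falling_shoulder(n_ports, 5, 20),
        "medium": trimf(n_ports, 10, 30, 50),
        "high": rising_shoulder(n_ports, 40, 80),
    }


# Rule consequents as singletons: IF ports IS low THEN severity 0.2, etc.
SEVERITY_SINGLETONS = {"low": 0.2, "medium": 0.5, "high": 0.9}


def fuzzy_severity(n_ports):
    """Zero-order Sugeno inference: firing-strength-weighted mean of the consequents."""
    mu = port_count_memberships(n_ports)
    total = sum(mu.values())
    if total == 0.0:
        return 0.0
    return sum(mu[term] * SEVERITY_SINGLETONS[term] for term in mu) / total


def long_window_detector(events, window_s=3600.0, min_ports=10):
    """Long-window distinct-port count per source, reported with a fuzzy severity."""
    report = {}
    for (src, _dst, _win), ports in distinct_ports_per_window(events, window_s).items():
        if len(ports) >= min_ports:
            report[src] = round(fuzzy_severity(len(ports)), 3)
    return report


if __name__ == "__main__":
    print("60 s window, >=20 ports:", threshold_detector(EVENTS, 60.0, 20))
    print("1 h window, >=20 ports: ", threshold_detector(EVENTS, 3600.0, 20))
    print("long-window report:     ", long_window_detector(EVENTS))
```

With a 60 s window the scanner never shows more than two new ports per window, so the crisp rule stays silent; the one-hour window sees all 60 ports and the fuzzy layer grades that as high severity while the benign client, with two ports, is never reported.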
Phishing is one of the most common attacks on the Internet; it employs social engineering techniques such as deceiving users with forged websites in an attempt to obtain sensitive information such as credentials and credit card details. This information can be misused, resulting in large financial losses for the victims. Phishing detection algorithms can be an effective approach to safeguarding users from such attacks. This paper reviews different phishing detection approaches, including content-based, heuristic-based and fuzzy rule-based approaches.
This article focuses on covert tunnelling, which refers to the mechanism of sending and receiving data between machines without alerting firewalls and intrusion detection systems (IDSs) on the network. The DNS protocol has three characteristics that make it well suited to be used as a covert tunnel. First, DNS is fundamental for the proper functioning of many applications and Internet browsing, and most organisations do not implement a security policy for DNS traffic. Second, DNS is used to communicate between internal clients and external remote servers. Third, the DNS protocol has several fields that can be used to embed other data; the fields most used by tunnelling utilities are the NULL and TXT records. The main motivation behind using the DNS protocol as a covert tunnel is to bypass captive portals for paid wifi services in places such as airports and hotels. Other motivations include stealing data, evading detection for unauthorised access, installing and controlling malware, and bypassing firewalls and Internet access policies. There are several tools available for DNS tunnelling. These tools differ in flexibility, throughput and the technique used to embed data into DNS traffic. Examples include OzymanDNS, dns2tcp, Iodine and DNScat. There are two general methods of detecting DNS tunnels. The first is payload analysis, in which a single DNS request is analysed: attributes such as the length of the packet, the number of bytes and the content of the packet are examined and used to create detection rules (signatures). The second is traffic analysis, in which the overall traffic is analysed over a period of time: attributes such as the volume of DNS traffic, the number of hostnames per domain and domain history are used as indications of tunnelling. In this article, an experimental setup of the Iodine DNS tunnelling tool is implemented. Analysis of the tunnelled DNS traffic is conducted to carve out the encapsulated IP packet. Several detection mechanisms are presented to detect DNS tunnelling using both payload and traffic analysis methods.
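The two detection methods described above, payload analysis of single queries and traffic analysis over a window, are shown together in the following Python example, added here and not taken from the article. The query log is constructed: the tunnelled names use hex digests as a deterministic stand-in for the base32/base64-like encoded labels real tools emit, the registered domain is approximated as the last two labels (no public-suffix list), and every threshold is an assumption to tune against real resolver logs.

```python
import hashlib
import math
from collections import Counter, defaultdict


def _tunnel_qname(i):
    # Constructed stand-in for an encoded payload chunk; hex is used only for
    # determinism, real tunnels use base32/base64-like alphabets.
    h = hashlib.sha256(f"chunk{i}".encode()).hexdigest()
    return f"{h[:48]}.{h[48:]}.t.tunnel-demo.org"


# Constructed resolver log: (timestamp_s, client_ip, qtype, qname)
QUERIES = [
    (1.0, "10.0.0.5", "A", "www.example.com"),
    (1.3, "10.0.0.5", "A", "mail.example.com"),
    (2.0, "10.0.0.7", "TXT", "example.com"),            # legitimate SPF lookup
    (2.5, "10.0.0.7", "A", "login.portal.example.net"),
    (3.0, "10.0.0.9", "AAAA", "cdn.example.net"),
]
QUERIES += [(10.0 + i * 0.5, "10.0.0.23", "NULL", _tunnel_qname(i)) for i in range(40)]


def registered_domain(qname):
    # Assumption: registered domain = last two labels (no public suffix list).
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def shannon_entropy(text):
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def payload_indicators(qtype, qname, max_label=40, max_qname=80, min_entropy=3.0):
    """Payload analysis of one query: returns the list of indicators that fired."""
    labels = qname.rstrip(".").lower().split(".")
    subdomain = "".join(labels[:-2])
    reasons = []
    if qtype in ("NULL", "TXT"):            # record types favoured by tunnelling tools
        reasons.append("qtype")
    if max(len(label) for label in labels) > max_label:
        reasons.append("long_label")
    if len(qname) > max_qname:
        reasons.append("long_qname")
    if shannon_entropy(subdomain) > min_entropy:   # encoded data looks random
        reasons.append("high_entropy")
    return reasons


def traffic_indicators(queries, window_s=60.0, max_unique=20, max_count=50):
    """Traffic analysis per registered domain and time window."""
    stats = defaultdict(lambda: {"count": 0, "subs": set()})
    for ts, _client, _qtype, qname in queries:
        key = (registered_domain(qname), int(ts // window_s))
        stats[key]["count"] += 1
        stats[key]["subs"].add(qname.lower())
    flagged = defaultdict(set)
    for (domain, _win), s in stats.items():
        if len(s["subs"]) > max_unique:       # many never-repeating hostnames
            flagged[domain].add("many_unique_names")
        if s["count"] > max_count:            # unusual query volume
            flagged[domain].add("high_volume")
    return dict(flagged)


def detect_tunnels(queries, min_payload_hits=2, min_payload_queries=5):
    """Report a domain if enough of its queries trip >= min_payload_hits payload
    indicators, or if traffic analysis flags it. Requiring two indicators keeps a
    lone SPF TXT lookup or a slightly odd hostname from raising an alert."""
    payload_hits = Counter()
    for _ts, _client, qtype, qname in queries:
        if len(payload_indicators(qtype, qname)) >= min_payload_hits:
            payload_hits[registered_domain(qname)] += 1
    suspects = {d for d, n in payload_hits.items() if n >= min_payload_queries}
    suspects |= set(traffic_indicators(queries))
    return sorted(suspects)


if __name__ == "__main__":
    print("payload, SPF lookup:", payload_indicators("TXT", "example.com"))
    print("payload, tunnel:    ", payload_indicators("NULL", _tunnel_qname(0)))
    print("traffic:            ", traffic_indicators(QUERIES))
    print("suspect domains:    ", detect_tunnels(QUERIES))
```

Running payload and traffic analysis side by side is the point: a single indicator such as a TXT query or a long hostname is common in legitimate traffic, but a domain whose queries combine odd record types, long high-entropy labels and dozens of unique names per minute is what a tunnel like Iodine looks like on the wire.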
With increasing technological development, there is a massive number of websites with varying purposes. But a particular type exists within this large collection: the so-called phishing sites, which aim to deceive their users. The main challenge in detecting phishing websites is discovering the techniques that have been used, since phishers are continually improving their strategies and creating web pages that can protect themselves against many forms of detection. It is therefore necessary to develop reliable, active and up-to-date methods of phishing detection to combat the adaptive techniques used by phishers. In this paper, different phishing detection approaches are reviewed and classified into three main groups. The proposed model is then presented in two stages. In the first stage, different machine learning algorithms are applied to validate the chosen dataset and feature-selection methods are applied to it; the best accuracy, 98.11%, was achieved by using only 20 of the 48 features with Random Forest. In the second stage, the same dataset is applied to various fuzzy logic algorithms, with remarkable results: applying the FURIA algorithm with only five features, the accuracy rate was 99.98%. Finally, the results of the machine learning and fuzzy logic algorithms are compared and discussed; the fuzzy logic algorithms outperform the machine learning algorithms.
Trading strategies can be used to exploit certain patterns within the market. The Pairs Trading Strategy exploits the co-movement nature of pairs of stocks to gain profit. This paper introduces a new methodology framework for the Pairs Trading Strategy, from mining to monitoring and trading pairs at appropriate times to gain profit. This framework is implemented in a system that sends out alerts to traders at appropriate times according to the strategy. The proposed recommendation system is tested using synthetic data, proving its validity by showing gains in profit for each test.
Recently, the Internet of Things (IoT) has been used in many aspects of technology to increase the efficiency and comfort of human life. Protecting the IoT infrastructure is not a straightforward task, and there is an urgent need to handle different attack scenarios within the IoT smart environment. Attackers continuously target modern technologies and try to abuse them using complex attack scenarios such as botnet attacks, which are considered a serious challenge facing the IoT smart environment. In this paper, we introduce a novel idea capable of supporting the detection of the IoT-Botnet attack while avoiding the issues associated with the deficiencies of knowledge-based representation and binary decisions. This paper introduces a detection approach for the IoT-BotNet attack using Fuzzy Rule Interpolation (FRI). FRI reasoning methods enhance the robustness of fuzzy systems and effectively reduce system complexity; these benefits help the Intrusion Detection System (IDS) generate more realistic and comprehensive alerts. The proposed approach was applied to the open-source BoT-IoT dataset from the Cyber Range Lab of UNSW Canberra Cyber. The proposed approach was tested and evaluated and obtained a 95.4% detection rate. Moreover, it effectively smooths the boundary between normal and IoT-BotNet traffic because of its fuzzy nature, and it is able to generate the required IDS alert even when the knowledge-based representation is deficient.
The Internet as we know it today comprises several fundamental interrelated networks, among which is the Internet of Things (IoT). Despite their versatility, many IoT devices are vulnerable from a security perspective, which renders them a favourable target for multiple security breaches, especially botnet attacks. In this study, the conceptual frameworks of IoT botnet attacks are explored, alongside several machine-learning based botnet detection techniques. This study also analyzes and contrasts several botnet detection techniques based on the Bot-IoT dataset, a recent realistic IoT dataset that comprises state-of-the-art IoT botnet attack scenarios.
One of the most effective threats used by cybercriminals to degrade network performance is the Denial of Service (DOS) attack, which can greatly damage data security, completeness and efficiency. This paper develops a network traffic system that relies on an adopted dataset to differentiate DOS attacks from normal traffic. The detection model is built with five rule-based machine learning classifiers (DecisionTable, JRip, OneR, PART and ZeroR). The findings show that the ICMP variables identify the ICMP attack, HTTP flood attack and Slowloris with a high accuracy of approximately 99.7% using the PART classifier. In addition, the PART classifier succeeded in classifying normal traffic against the different DOS attacks at 100%.
Bot malware and botnets are used as a tool to facilitate other malicious cyber activities (e.g. distributed denial of service attacks, dissemination of malware and spam, and click fraud). However, detection of botnets, particularly peer-to-peer (P2P) botnets, is challenging. Hence, in this paper we propose a sophisticated traffic reduction mechanism integrated with a reinforcement learning technique. We then evaluate the proposed approach using real-world network traffic and achieve a detection rate of 98.3%. The approach also achieves a relatively low false positive rate (0.012%).
The numerous security loopholes in the design and implementation of many IoT devices have rendered them an easy target for botnet attacks. Several approaches to behavioural IoT botnet attack detection have been explored, including machine learning. The main goal of previous studies was to achieve the highest possible accuracy in distinguishing normal from malicious IoT traffic, with minimal regard to identifying the particular type of attack being launched. In this study, we present a machine learning based approach for detecting IoT botnet attacks that not only distinguishes normal from malicious traffic but also detects the type of IoT botnet attack. To achieve this goal, the Bot-IoT dataset, in which instances have main-attack and sub-attack categories, was utilized after performing the Synthetic Minority Over-sampling Technique (SMOTE), among other preprocessing techniques. Multiple classifiers were tested and the results from the best three, namely J48, Random Forest (RF) and Multilayer Perceptron (MLP) networks, are reported. The results showed the superiority of the RF and J48 classifiers over the MLP networks and other state-of-the-art solutions. The accuracy of the best binary classifier reported in this study reached 0.999, whereas the best accuracies of the main-attack and sub-category classifications reached 0.96 and 0.93, respectively. Only a few studies address classification errors in this domain; here they were assessed in terms of False Negative (FN) rates. The J48 and RF classifiers again outperformed the MLP network classifier and achieved a maximum micro FN rate for sub-category classification of 0.076.
Attackers take advantage of every second that the anti-malware vendor delays in identifying the attacking malware's signature and providing notifications; the longer detection is delayed, the greater the damage to the host device. In other words, the inability to detect attacks early complicates the problem and causes serious harm. Consequently, this research intends to develop an intelligent anti-malware system capable of immediately detecting and terminating malware actions rather than waiting for anti-malware updates. The research concentrates on the detection of malware on the Internet of Things (IoT) based on Machine Learning (ML) techniques. A recent open-source ML algorithm, the Light Gradient Boosting Machine (LightGBM), has been used to develop our instant host- and network-layer anti-malware approach without any human intervention. The suggested approach applies LightGBM to datasets obtained from real IoT devices. The results indicate a successful method for detecting and classifying malware with high accuracy at both the network and host levels, based on the holdout method of cross-validation. This result is better than many prior related studies that used different machine learning and deep learning algorithms. An earlier study that used the same dataset was the best in the literature, but it is still slightly below what this study achieved, and it carries the added complexity of deep learning. Lastly, the results show the ability of the proposed approach to detect IoT botnet attacks quickly, which is a vital feature for ending botnet activity before it spreads to any new network device.
In Zero-Day malware challenges, attackers take advantage of every second that the anti-malware vendor delays identifying the attacking malware signature and providing the updates. Furthermore, the longer the detection phase is delayed, the greater the damage to the host device. In other words, the inability to detect attacks early complicates the problem and increases damage. Therefore, this study aims to develop an intelligent anti-malware system capable of instantly detecting and terminating malware activities instead of waiting for anti-malware updates. In its scope, the study focuses on Internet of Things (IoT) malware detection based on Machine Learning (ML) techniques. A recent open-source ML algorithm called Light Gradient Boosting Algorithm (LightGBM) is used to develop our instant anti-malware approach at both host and network layers without the need for any human intervention. The results show a promising approach for detecting and classifying malware with high accuracy, reaching almost 100% at both the network and host levels based on the Holdout cross-validation method. Furthermore, the results show the ability of the proposed approach to detect IoT botnet attacks early, which is an essential feature for terminating the botnet activity before it propagates to a new network device.
The Internet as we know it today comprises several fundamental interrelated networks, among which is the Internet of Things (IoT). Despite their versatility, several IoT devices are vulnerable from a security perspective, which renders them a favorable target for multiple security breaches, especially botnet attacks. In this study, the conceptual frameworks of IoT botnet attacks are explored, alongside several machine-learning-based botnet detection techniques. This study also analyzes and contrasts several botnet detection techniques based on the Bot-IoT dataset, a recent realistic IoT dataset that comprises state-of-the-art IoT botnet attack scenarios.
Existing centralized network management approaches suffer from problems such as insufficient scalability, availability and flexibility as networks become more distributed. Mobile Agents (MA), upgraded with intelligence, can present a reasonable new technology that will help to achieve distributed management. These agents migrate from one node to another, accessing an appropriate subset of MIB variables from each node, analysing them locally and retaining the results of this analysis during their subsequent migration. One of the network fault management tasks is fault detection, and in this work we propose a statistical method based on the Wiener filter to capture abnormal changes in the behaviour of the MIB variables. The algorithm was implemented on data obtained from two different scenarios in the laboratory, with four different fault case studies. The purpose of this is to provide the manager node with a high level of information, such as a set of conclusions or recommendations, rather than large volumes of data relating to each management task.
Malware has come to be known as one of the biggest threats. Malware is a program that performs malicious actions and steals information; more specifically, it is software designed to break into a computer system without the owner's consent. This chapter aimed to study feature selection and malware classification using machine learning. The features were identified through the intuition that various PE file features correlate less with one another than with the file's class (clean or dirty). Such features are used in machine learning algorithms to help classify the malware, so that the classification can be properly implemented in antivirus programs to enhance the detection rate.
This paper presents a methodology for improving the security of identification and authentication processes using Keystroke Dynamics (KSD). KSD is considered a behavioral biometric operating as a second level of security along with the login process after entering the username and password. KSD is mainly about observing the way in which the user types. Firstly, we propose four new time features; these features represent the user’s behavior. Secondly, due to the unavailability of a standard dataset, a new behavioral dataset is built. Thirdly, we propose employing KSD on CAPTCHA code for the identification process. In this research, we applied three different classification techniques, namely J48, Random Forest and Multi-layer Perceptron (MLP), to accurately identify the user behavior (legitimate or illegitimate) and its authority. Random Forest showed the best result for the identification with an accuracy of 93.13%; however, for the authorization process the highest accuracy was obtained usi...
Energy consumption and network lifetime are among the essential considerations in the design of a wireless sensor network (WSN), which has led researchers in the field of networks and communications to work on innovative mechanisms to reduce energy consumption in these networks and prolong their lifetime. Experts have suggested several WSN clustering protocols, most of which are homogeneous; LEACH and M-GEAR are among the most common examples of these protocols. In this paper, we propose six models for the division of wireless sensor networks (WSNs); in each of these models we distribute sensor nodes randomly to four zones in the sensor field. We install the cluster heads (CHs) in the middle of the geometric shapes of each area, where circles, squares or both are used, and the location of the sink is in the center of the sensor area. The sensor nodes that are located around the sink and within the ge...
Fuzzy Rule Interpolation (FRI) offers a convenient way of delivering rule-based decisions on continuous universes, avoiding the burden of binary decisions. In contrast with classical fuzzy systems, FRI also performs well on partially complete rule bases, which serves methodologies with an incremental rule-base creation structure. These features make FRI methods a perfect candidate for detecting and preventing different types of attacks in an Intrusion Detection System (IDS) application. This paper aims to introduce a detection approach for slow port scan attacks by adapting the FRI reasoning method. A controlled test-bed environment was also designed and implemented for the purpose of this study. The proposed detection approach was tested and evaluated using different observations. Experimental analysis on a real test-bed environment provides useful insights about the effectiveness of the proposed detection approach. These insights include information regarding the detection approach's efficacy in detecting the port scan attack and in determining its level of severity. In the discussion, the efficacy of the proposed detection approach is compared to the SNORT IDS. The results of the comparison showed that the SNORT IDS was unable to detect the slow and very slow port scan attacks, whereas the proposed FRI rule-based detection approach was able to detect the attacks and generate comprehensive results to further analyze the attack's severity.
Many approaches have evolved to enhance the process of detecting network anomalies using SNMP-MIBs. Most of these approaches focus on machine learning algorithms with a large number of SNMP-MIB database parameters, which may consume most of the hardware resources (CPU, memory, and bandwidth). In this paper, we introduce an efficient detection model to detect network anomalies using Lazy.IBk as the machine learning classifier, and Correlation and ReliefF as attribute evaluators, on SNMP-MIB interface parameters only. This model achieves a high accuracy of 99.94% with minimal hardware resource consumption. Thus, this model can be adopted in an intrusion detection system (IDS) to increase its performance and efficiency.
Cloud computing is currently a major focal point for researchers owing to its widespread application and benefits. Cloud computing's complete reliance on the internet for service provision and its distributed nature pose challenges to security, the most serious being insider Distributed Denial of Service (DDoS), which causes a total deactivation of service. Traditional defence mechanisms, such as firewalls, are unable to detect insider attacks. This work proposes an anomaly intrusion detection approach in the hypervisor layer to discourage DDoS activities between virtual machines. The proposed approach is implemented by an evolutionary neural network which integrates particle swarm optimisation with a neural network for detection and classification of the traffic exchanged between virtual machines. The performance analysis shows that our proposed approach detects and classifies the DDoS attacks in the cloud environment with minimum false alarms and high detection accuracy.
The Domain Name System (DNS) protocol is the backbone of the Internet. It facilitates connection to websites and services using understandable names that are easy to remember. DNS converts these names to their corresponding IP addresses in order to establish communication through the network. The security of the DNS protocol was not originally a major concern for organisations, since the protocol was not intended to be used for regular data transmission. However, in recent years, attackers have developed tools that take advantage of this situation and utilise DNS for malicious purposes, such as covert tunnelling and data exfiltration.
Telecom companies usually offer several rate plans or bundles to satisfy customers’ different needs. Finding and recommending the best offer that perfectly matches the customer’s needs is crucial in maintaining customer loyalty and the company’s revenue in the long run. This paper presents an effective method of detecting a group of customers who have the potential to upgrade their telecom package. The data used is a real dataset extracted from call detail records (CDRs) of a telecom operator. The method utilizes an enhanced k-means clustering model based on customer profiling. The results show that the proposed k-means-based clustering algorithm identifies potential customers willing to upgrade to a higher-tier package more effectively than the traditional k-means algorithm. Our results showed that our proposed clustering model's accuracy was over 90%, while the traditional k-means accuracy was under 70%.
Smartphones are an essential part of all aspects of our lives. Socially, politically, and commercially, there is almost complete reliance on smartphones as a communication tool, a source of information, and for entertainment. Rapid developments in the world of information and cyber security have necessitated close attention to the privacy and protection of smartphone data. Spyware detection systems have recently been developed as a promising and encouraging solution for smartphone users’ privacy protection. The Android operating system is the most widely used worldwide, making it a significant target for many parties interested in targeting smartphone users’ privacy. This paper introduces a novel dataset collected in a realistic environment, obtained through a novel data collection methodology based on a unified activity list. The data are divided into three main classes: the first class represents normal smartphone traffic; the second class represents traffic data for the spyware i...
Nowadays, the rapid growth of technology delivers many new concepts and notions that aim to increase the efficiency and comfort of human life. One of these techniques is the Internet of Things (IoT). The IoT has been used to achieve efficient operation management, cost-effective operations, better business opportunities, etc. However, there are many challenges facing the implementation of an IoT smart environment. The most critical challenge is protecting the IoT smart environment from different attacks. IoT Botnet attacks are considered a serious challenge. The danger of this attack lies in the fact that it can be used for several threatening commands: Botnet attacks can be used to perform DDoS attacks, phishing attacks, spamming, and other attack scenarios. This paper introduces a detection approach against IoT Botnet attacks using the interpolation reasoning method. The suggested detection approach was implemented using the interpolation reasoning method...
This paper introduces a novel detection method for phishing website attacks while avoiding the issues associated with the deficiencies of the knowledge-based representation and the binary decision. The suggested detection method was performed using Fuzzy Rule Interpolation (FRI). The FRI reasoning methods added the benefit of enhancing the robustness of fuzzy systems and effectively reducing the system’s complexity. These benefits help the Intrusion Detection System (IDS) to generate more realistic and comprehensive alerts in case of phishing attacks. The proposed method was applied to an open-source benchmark phishing website dataset. The results show that the proposed detection method obtained a 97.58% detection rate and effectively reduced the false alerts. Moreover, it effectively smooths the boundary between normal and phishing attack traffic because of its fuzzy nature. It has the ability to generate the required security alert in case of deficiencies in the knowledge-based re...
Over the years, network attacks have evolved into more complex and sophisticated methods for network intrusion. As network domains grow in size, the number of external users increases and thus the systems become more open and subject to security threats. Thus, the intrusion detection system was introduced to automatically detect network attacks. Commercial solutions, however, are generally centralized and suffer from scalability problems when applied in large networks. For this reason, in this paper, the distributed model was adopted to eliminate the scalability issues. Mobile agents are combined with statistical methods based on the Wiener filter to collect and analyze the network data in order to detect anomalous behaviour in the network traffic. The algorithm was tested against four network attacks in both light and heavy traffic scenarios. Key words: Mobile agent • distributed network management • Wiener filter • intrusion detection • MIB variables
One of the most effective threats that cybercriminals use to limit network performance is the Denial of Service (DoS) attack. Thus, data security, completeness and efficiency could be greatly damaged by this type of attack. This paper developed a network traffic system that relies on an adopted dataset to differentiate DoS attacks from normal traffic. The detection model is built with five rule-based machine learning classifiers (DecisionTable, JRip, OneR, PART and ZeroR). The findings show that the ICMP variables are used in the identification of the ICMP attack, HTTP flood attack, and Slowloris with a high accuracy of approximately 99.7% using the PART classifier. In addition, the PART classifier succeeded in distinguishing normal traffic from the different DoS attacks at 100%.
One of the most common internet attacks causing significant economic losses in recent years is the Denial of Service (DoS) flooding attack. As a countermeasure, intrusion detection systems equipped with machine learning classification algorithms were developed to detect anomalies in network traffic. These classification algorithms had varying degrees of success, depending on the type of DoS attack used. In this paper, we use an SNMP-MIB dataset from a real testbed to explore the most prominent DoS attacks and the chances of their detection based on the classification algorithm used. The results show that most DoS attacks used nowadays can be detected with high accuracy using machine learning classification techniques based on features provided by SNMP-MIB. We also conclude that of all the attacks we studied, the Slowloris attack had the highest detection rate; on the other hand, TCP-SYN had the lowest detection rate throughout all classification techniques, despite being one of the mos...
Enhancing network services and security can be achieved by performing network traffic classification that identifies applications, which is one of the primary components of network operations and management. The traditional transport-layer and port-based classification approaches have some limitations in achieving accurate identification. In this paper, a real test bed is used to collect a first-hand traffic dataset from five different VoIP and non-VoIP applications that are used by the majority of the Internet community, namely Skype, YouTube, Yahoo Messenger, GTalk and PayPal. The collected data encompasses new features that have never been used before. In addition, a classification step is performed using off-the-shelf machine learning techniques, specifically Random Forest, J48, meta.AdaBoost (J48) and MultiLayer Perceptron, to classify the traffic. Our experimental results show that using the new features can dramatically improve the true positive ratio by up to 98%, and this is significant out...
Many approaches have evolved to enhance anomaly-based network attack detection using SNMP-MIBs. Most of these approaches focus on machine learning algorithms with a large number of SNMP-MIB database parameters, which may consume most of the hardware resources (CPU, memory, and bandwidth). In this paper we introduce an efficient detection model to detect network attack anomalies using Lazy.IBk as the machine learning classifier, and Correlation and ReliefF as attribute evaluators, on SNMP-MIB interface parameters. This model achieved accurate results (100%) with minimal hardware resource consumption. Thus, this model can be adopted in an intrusion detection system (IDS) to increase its performance and efficiency.
With increasing technology developments, the Internet has become ubiquitous and accessible to everyone. There are a considerable number of web pages with different benefits. Despite this enormous number, not all of these sites are legitimate. There are so-called phishing sites that deceive users into serving their interests. This paper dealt with this problem using machine learning algorithms, in addition to employing a novel dataset related to phishing detection, which contains 5000 legitimate web pages and 5000 phishing ones. In order to obtain the best results, various machine learning algorithms were tested; then J48, Random Forest, and Multilayer Perceptron were chosen. Different feature selection tools were applied to the dataset in order to improve the efficiency of the models. The best result of the experiment was achieved by utilizing 20 features out of 48 and applying them to the Random Forest algorithm. The accuracy was 98.11%.
The digital society is an outcome of the Internet, which has made nearly everything connected and accessible no matter where or when. Nevertheless, despite the fact that conventional IP networks are complicated and very hard to manage, they are still widely adopted. The already established policies make network configuration/reconfiguration a complex process that reacts to errors, load, and modifications. The prevailing networks are vertically integrated, which makes things more and more complicated: the data and control planes are bound together. Software-defined networking is a model that is meant to solve this issue by splitting the vertical integration and detaching the network’s control logic from the underlying routers and switches; this is achieved by centralizing network control and making the network programmable. In this work, we worked to implement MPLS networks with SDN, to enhance traffic engineering over the network, and to minimize the ...