Dr. Mouhammd Alkasassbeh graduated from the School of Computing, Portsmouth University, UK, in 2008. He is currently an associate professor in the Computer Science Department at Princess Sumaya University for Technology. His research interests include network traffic analysis, network fault detection, classification of network faults and abnormalities, and machine learning applied to computer networking and network security. Phone: 0797388388. Address: Computer Science Department, King Hussein School of Computing Sciences, Princess Sumaya University for Technology, Amman, Jordan.
Intrusion Detection Systems (IDSs) have become essential to the sound operation of networks. These systems have the potential to identify and report deviations from normal behaviour, which is crucial for the sustainability and resilience of networks. A large number of IDSs have been proposed in the literature, but only a few of them have found success in real-world environments. This study presents a taxonomy and a survey of state-of-the-art intrusion detection systems. It also describes the characteristics of successful IDSs and sheds light on the gaps that need to be resolved for future IDSs to become fit for deployment in realistic environments.
The integration of a fuzzy system and automaton theory can form the concept of a fuzzy automaton. This integration allows a discretely defined state machine to act on continuous universes and handle uncertainty in applications like Intrusion Detection Systems (IDS). Typical IDS detection mechanisms are targeted at detecting and preventing single-stage attacks. These types of attacks can be detected using either a common convincing threshold or pre-defined rules. However, attack techniques have changed in recent years; currently, the largest proportion of attacks performed are multi-step attacks. The goal of this paper is to introduce a novel detection mechanism for multi-step attacks built upon a Fuzzy Rule Interpolation (FRI) based fuzzy automaton. In that respect, the FRI method enables the fuzzy automaton to act on a not fully defined state transition rule-base, by offering an interpolated conclusion even for situations which are not explicitly defined. In the suggested model, the intrusion definition state transition rule-base is defined using an open source fuzzy declarative language. On the multi-step attack benchmark dataset introduced in this paper, the proposed detection mechanism was able to achieve a 97.836% detection rate. Furthermore, in the studied examples, the suggested method was able not only to detect the multi-step attack but to detect it early, in stages where the planned attack is not fully elaborated and hence less harmful. According to these results, an IDS built upon the FRI based fuzzy automaton could be a useful device for detecting multi-step attacks, even in cases where the intrusion state transition rule-base is incomplete. The early detection of multi-step attacks also allows the administrator to take the necessary actions in time to mitigate the potential threats.
With increasing technology developments, the Internet has become ubiquitous and accessible to everyone. There is a considerable number of web pages offering different benefits. Despite this enormous number, not all of these sites are legitimate. There are so-called phishing sites that deceive users into serving the phishers' interests. This paper addresses this problem using machine learning algorithms together with a novel dataset related to phishing detection, which contains 5000 legitimate web pages and 5000 phishing ones. In order to obtain the best results, various machine learning algorithms were tested; J48, Random Forest, and Multilayer Perceptron were then chosen. Different feature selection tools were applied to the dataset in order to improve the efficiency of the models. The best result of the experiment was achieved by utilizing 20 features out of 48 with the Random Forest algorithm. The accuracy was 98.11%.
Many approaches have evolved to enhance the process of detecting network anomalies using SNMP-MIBs. Most of these approaches focus on machine learning algorithms with a large number of SNMP-MIB database parameters, which may consume most of the hardware resources (CPU, memory, and bandwidth). In this paper, we introduce an efficient detection model for network anomalies using Lazy.IBk as the machine learning classifier, with Correlation and ReliefF as attribute evaluators over SNMP-MIB interface parameters only. This model achieves a high accuracy of 99.94% with minimal hardware resource consumption. Thus, this model can be adopted in an intrusion detection system (IDS) to increase its performance and efficiency.
Network anomalies are destructive to networks. Intrusion detection systems monitor network component behaviour to detect unusual activity (i.e., possible threats). The application-layer Simple Network Management Protocol (SNMP) has been used for decades over TCP/IP to manage network devices. Security evaluation of raw data in intrusion detection incurs latency in detection. The Management Information Base (MIB) combined with SNMP is a solution for this, but the traditional approach of SNMP is centralized, rendering it unreliable and non-adaptive to network changes in a distributed network. In a distributed network, using single or multiple lightweight mobile agents is an optimal solution for data gathering, as they can move from one source node to another, executing natively at each. This helps complete tasks without increasing network overhead and contributes to decreasing latency. This paper focuses on finding the optimal number of mobile agents to complete the data retrieval task with the minimum routing time, without affecting the network bandwidth, in order to solve the SNMP-MIB centralization issue and enhance detection time. Two types of agents are used in this paper: a link agent for discovering the network, and data agents for MIB gathering. The link agent runs in the home node to discover the network and define the nodes' connectivity. The network is then partitioned based on its execution time, and a single mobile agent is sent to each partition to complete the MIB retrieval task. This approach aims to finish the MIB retrieval task with minimum routing time and keeps the generation of mobile agents under control to maintain optimal network bandwidth.
Our approach is an enhancement of two approaches proposed in previous studies in the same field; this paper presents details of each approach and a comparison of the number of agents used to gather MIB data and the time needed to complete the gathering task.
Leader election is an important issue in distributed systems and communication networks. Many protocols and algorithms that run on distributed systems need a leader to ensure smooth execution; the leader has the responsibility to synchronize and coordinate the system processes. The absence of the leader makes the system inconsistent, and therefore unreliable. Such a problem, however, can be solved by leader election algorithms. In this paper, we propose, for the first time, a new leader election algorithm to solve leader failure in a honeycomb mesh network. The honeycomb mesh network is desirable due to its low network cost, regularity, and scalability. The proposed algorithm aims to select exactly one node among all active nodes in the network to be the new leader; the node elected as the new leader has higher priority than the other nodes. The performance of the proposed algorithm is evaluated by computing the number of messages and time steps required to elect a new leader and complete the algorithm's mission. The mathematical evaluation shows that the proposed algorithm requires O(n) messages in O() time steps in the best case to complete, and O(n^1.5) messages in O() time steps in the worst case.
A practical task of information reliability and security is effective intrusion detection and prevention. Open systems are vulnerable: with detailed information about system structures, ever more sophisticated network intrusion methods can be easily developed and quickly tested. Intruders keep themselves updated on current technology and generate new intrusion methods. There are several defence solutions against intrusions, the most common being the Intrusion Detection System (IDS). To give a short overview of some IDS methods, this paper uses the commonly available KDD-99 dataset to compare and discuss IDS performance for different intrusion types. The IDS performance of the J48, Random Forest, Random Tree, Decision Table, Multi-layer Perceptron (MLP) and Naive Bayes classifiers is compared based on average accuracy rate, precision, false positive and false negative performance for DOS, R2L, U2R, and PROBE attacks. Moreover, the focus is on false alarm values. During the tests, the Random Forest algorithm produced the highest average accuracy rate, 93.77%, while the Random Tree algorithm had the lowest, 90.57%. The lowest false negative value was produced by the Decision Table algorithm.
SNMP-MIB is a widely used approach that uses machine learning to classify data and obtain results, but using the huge SNMP-MIB dataset is not efficient and is also time and resource consuming. In this paper, REP Tree, J48 (Decision Tree) and Random Forest classifiers were used to train a model that can detect anomalies and predict the network attacks that may affect the Internet Protocol (IP) group. This trained model can be used in devices that detect anomalies, such as intrusion detection systems.
Energy consumption and network lifetime are among the essential considerations in the design of wireless sensor networks (WSNs), which has led researchers in the field of networks and communications to work on innovative mechanisms to reduce energy consumption in these networks and prolong their lifetime. Experts have suggested several WSN clustering protocols; most clustering protocols are homogeneous, and LEACH and M-GEAR are among the most common examples. In this paper, we propose six models for the division of WSNs; in each model, sensor nodes are distributed randomly across four zones of the sensor field. We place the cluster heads (CHs) at the centre of the geometric shape of each area, where a circle, a square or both are used, and the sink is located at the centre of the sensor area. The sensor nodes located around the sink and within the geometric shape used connect directly to the sink. The external nodes contact the nearest CHs, and to determine the nearest CHs we apply Dijkstra's algorithm. For the average number of dead nodes, the square-circle method achieved the best result (73.42), followed by the circle-square method (79.66). The largest number of dead nodes appeared when using one square only, where the result was (97.15). Comparing the outcomes with the M-GEAR and LEACH protocols, our model (square-circle) stabilizes energy use within sensor nodes, whereas nodes in M-GEAR and LEACH do not stay alive for long: they die once the stability period is over.
The Denial of Service (DOS) attack is one of the attacks most attractive to cyber criminals; it aims to degrade network performance and prevent the network from performing its intended functions. Moreover, DOS attacks can cause huge damage to data confidentiality, integrity and availability. This paper introduces a system that inspects network traffic and distinguishes DOS attacks from normal traffic based on an adopted dataset. The results showed that the adopted algorithms with the ICMP variables achieved a high accuracy of approximately 99.6% in detecting the ICMP Echo attack, HTTP Flood attack, and Slowloris attack. Moreover, the designed model succeeded with a rate of 100% in distinguishing normal traffic from the various DOS attacks.
Random Early Detection (RED) is used as an Active Queue Management (AQM) technique for TCP congestion handling. A modification of RED called Gentle RED (GRED) has been proposed by adding the Gentle parameter to the original implementation of RED. This parameter has been turned on by default in NS2 simulator versions 2.1b and later, with the claim that it helps smooth out traffic in routers and increases network performance. In this article we revisit this parameter and show, through simulation, that it should be turned off in current simulations of RED using the NS2 simulator and should be replaced by an adaptation parameter such as the Adaptive parameter in ARED.
Network security engineers work to keep services available at all times by handling intruder attacks. The Intrusion Detection System (IDS) is one of the available mechanisms used to sense and classify abnormal actions. Therefore, the IDS must always be up to date with the latest intruder attack signatures to preserve the confidentiality, integrity and availability of the services. The speed of the IDS is a very important issue, as is learning new attacks. This research work illustrates how the Knowledge Discovery and Data Mining (or Knowledge Discovery in Databases) KDD dataset is very handy for testing and evaluating different machine learning techniques. It mainly focuses on the KDD preprocessing part in order to prepare a decent and fair experimental dataset. The J48, Random Forest, Random Tree, MLP, Naïve Bayes and Bayes Network classifiers have been chosen for this study. It has been shown that the Random Forest classifier achieved the highest accuracy rate for detecting and classifying all KDD dataset attacks, which are of the types DOS, R2L, U2R, and PROBE.
Fuzzy Rule Interpolation (FRI) offers a convenient way of delivering rule-based decisions on continuous universes while avoiding the burden of binary decisions. In contrast with classical fuzzy systems, FRI decisions also perform well on partially complete rule bases, serving methodologies with an incremental rule-base creation structure. These features make FRI methods perfect candidates for detecting and preventing different types of attacks in an Intrusion Detection System (IDS) application. This paper introduces a detection approach for slow port scan attacks by adapting the FRI reasoning method. A controlled test-bed environment was also designed and implemented for the purpose of this study. The proposed detection approach was tested and evaluated using different observations. Experimental analysis on a real test-bed environment provides useful insights into the effectiveness of the proposed detection approach, including its efficacy in detecting the port scan attack and in determining its level of severity. In the discussion, the efficacy of the proposed detection approach is compared to the SNORT IDS. The results of the comparison showed that the SNORT IDS was unable to detect the slow and very slow port scan attacks, whereas the proposed FRI rule-based detection approach was able to detect the attacks and generate comprehensive results for further analysis of the attack's severity.
Phishing is one of the most common attacks on the Internet. It employs social engineering techniques, such as deceiving users with forged websites, in an attempt to gain sensitive information such as credentials and credit card details. This information can be misused, resulting in large financial losses to these users. Phishing detection algorithms can be an effective approach to safeguarding users from such attacks. This paper reviews different phishing detection approaches, which include content-based, heuristic-based, and fuzzy rule-based approaches.
This article focuses on covert tunnelling, which refers to the mechanism of sending and receiving data between machines without alerting firewalls and intrusion detection systems (IDSs) on the network [2]. The DNS protocol has three characteristics that make it well suited to be used as a covert tunnel [3]. First, DNS is fundamental to the proper functioning of many applications and of Internet browsing, and most organisations do not implement a security policy for DNS traffic. Second, DNS is used to communicate with both internal clients and external remote servers. Third, the DNS protocol has several fields that can be used to embed other data; the fields most used by tunnelling utilities are the NULL and TXT records. The main motivation behind using the DNS protocol as a covert tunnel is to bypass captive portals for paid wifi services in places such as airports and hotels. Other motivations include stealing data, evading detection for unauthorised access, installing and controlling malware, and bypassing firewalls and Internet access policies. There are several tools available for DNS tunnelling. These tools differ in flexibility, throughput and the technique used to embed data into DNS traffic. Examples of these tools include OzymanDNS, dns2tcp, Iodine and DNScat [4]. There are two general methods of detecting DNS tunnels. The first is payload analysis, in which a single DNS request is analysed: attributes such as the length of the packet, the number of bytes and the content of the packet are examined and used to create detection rules (signatures). The second is traffic analysis, in which the overall traffic is analysed over a period of time: attributes such as the volume of DNS traffic, the number of hostnames per domain and domain history are used as an indication of tunnelling [5]. In this article, an experimental setup of the Iodine DNS tunnelling tool is implemented.
Analysis of the tunnelled DNS traffic is conducted to carve out the encapsulated IP packet. Several detection mechanisms are presented to detect DNS tunnelling using both payload and traffic analysis methods.
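As an added example (not code from the article or its authors), the following Python detector applies the two methods the abstract describes to constructed DNS query log lines: per-query payload checks (first-label length, label entropy, NULL/TXT record type, reply size) and a per-domain traffic check (distinct hostnames per registered domain). The log format, the thresholds and the domain names are assumptions; a real deployment would tune the thresholds against its own baseline.

```python
"""Toy DNS-tunnelling detector: payload analysis (one query at a time)
plus traffic analysis (aggregate per registered domain).
Added example; log format, thresholds and domains are assumptions."""
import math
from collections import defaultdict

# Constructed sample log. Assumed format: "epoch client qname qtype reply_bytes".
# The *.tunnel.example queries imitate hex-encoded labels in NULL/TXT lookups.
SAMPLE_LOG = """\
1700000000 10.0.0.5 www.example.com A 60
1700000001 10.0.0.5 mail.example.com MX 80
1700000002 10.0.0.7 4a6f686e20446f657768617420697320.t.tunnel.example NULL 512
1700000003 10.0.0.7 7368656c6c2d6461746120626c6f6220.t.tunnel.example NULL 498
1700000004 10.0.0.7 9f8e7d6c5b4a39281726354f5e6d7c8b.t.tunnel.example TXT 505
1700000005 10.0.0.7 00112233445566778899aabbccddeeff.t.tunnel.example NULL 511
1700000006 10.0.0.7 ffeeddccbbaa99887766554433221100.t.tunnel.example NULL 500
1700000007 10.0.0.9 cdn.example.org A 64
"""

# Thresholds are illustrative assumptions, not values from the article.
PAYLOAD_RULES = {
    "max_label_len": 20,               # human-chosen labels are usually short
    "min_entropy": 2.8,                # bits/char of the first label
    "suspicious_qtypes": {"NULL", "TXT"},
    "max_reply_bytes": 300,
}
TRAFFIC_RULES = {
    "max_unique_hostnames": 4,         # per registered domain in the window
}


def shannon_entropy(s):
    """Shannon entropy in bits per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_log(text):
    """Parse the assumed whitespace-separated log format into dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, qtype, size = line.split()
        records.append({"ts": int(ts), "client": client, "qname": qname.lower(),
                        "qtype": qtype.upper(), "size": int(size)})
    return records


def registered_domain(qname):
    """Last two labels; a real deployment would consult the public suffix list."""
    return ".".join(qname.rstrip(".").split(".")[-2:])


def payload_findings(rec, rules=PAYLOAD_RULES):
    """Signature-style checks on a single query (payload analysis)."""
    reasons = []
    first_label = rec["qname"].split(".")[0]
    if len(first_label) > rules["max_label_len"]:
        reasons.append("long_label")
    if shannon_entropy(first_label) >= rules["min_entropy"]:
        reasons.append("high_entropy_label")
    if rec["qtype"] in rules["suspicious_qtypes"]:
        reasons.append("qtype_" + rec["qtype"])
    if rec["size"] > rules["max_reply_bytes"]:
        reasons.append("large_reply")
    return reasons


def traffic_findings(records, rules=TRAFFIC_RULES):
    """Aggregate check over the whole log window: hostnames per domain."""
    hostnames = defaultdict(set)
    for rec in records:
        hostnames[registered_domain(rec["qname"])].add(rec["qname"])
    return {d: len(h) for d, h in hostnames.items()
            if len(h) > rules["max_unique_hostnames"]}


def analyse(text):
    """Run both methods; a query is flagged when two or more payload rules fire."""
    records = parse_log(text)
    flagged = [r["qname"] for r in records if len(payload_findings(r)) >= 2]
    return {"flagged_queries": flagged, "noisy_domains": traffic_findings(records)}


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    for q in result["flagged_queries"]:
        print("payload:", q)
    for d, n in result["noisy_domains"].items():
        print("traffic:", d, "distinct hostnames:", n)
```

Requiring two payload rules to agree keeps a single long but legitimate CDN label from raising an alert; the traffic check catches low-and-slow tunnels whose individual queries look ordinary.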
With increasing technology developments, there is a massive number of websites with varying purposes. But a particular type exists within this large collection: the so-called phishing sites, which aim to deceive their users. The main challenge in detecting phishing websites is discovering the techniques that have been used, since phishers are continually improving their strategies and creating web pages that can evade many forms of detection. Therefore, it is necessary to develop reliable, active and contemporary methods of phishing detection to combat the adaptive techniques used by phishers. In this paper, different phishing detection approaches are reviewed by classifying them into three main groups. Then the proposed model is presented in two stages. In the first stage, different machine learning algorithms are applied to validate the chosen dataset and feature selection methods are applied to it; the best accuracy, 98.11%, was achieved by utilizing only 20 features out of 48 combined with Random Forest. In the second stage, the same dataset is applied to various fuzzy logic algorithms. The experimental results from the application of fuzzy logic algorithms were remarkable: applying the FURIA algorithm with only five features, the accuracy rate was 99.98%. Finally, the results of applying machine learning algorithms and fuzzy logic algorithms are compared and discussed, and the performance of the fuzzy logic algorithms exceeds that of the machine learning algorithms.
Intrusion Detection Systems (IDSs) have become essential to the sound operations of networks. The... more Intrusion Detection Systems (IDSs) have become essential to the sound operations of networks. These systems have the potential to identify and report deviations from normal behaviors, which is crucial for the sustainability and resilience of networks. A large amount of IDSs have been proposed in the literature, but only few of them found success in real-world environments. This study illustrates a taxonomy and a survey on state-of-the-art intrusion detection systems. It also depicts the characteristics of successful IDSs and sheds light on the gaps that need to be resolved for future IDSs to become fit for deployment in realistic environments.
The integration of a fuzzy system and automaton theory can form the concept of fuzzy automaton. T... more The integration of a fuzzy system and automaton theory can form the concept of fuzzy automaton. This integration allows a discretely defined state-machine to act on continuous universes and handle uncertainty in applications like Intrusion Detection Systems (IDS). The typical IDS detection mechanisms are targeted to detect and prevent single-stage attacks. These types of attacks can be detected using either a common convincing threshold or by pre-defined rules. However, attack techniques have changed in recent years. Currently, the largest proportion of attacks performed, are multi-step attacks. The goal of this paper is to introduce a novel detection mechanism for multi-step attacks built upon Fuzzy Rule Interpolation (FRI) based fuzzy automaton. In that respect, the FRI method instruments the fuzzy automaton to be able to act on a not fully defined state transition rule-base, by offering interpolated conclusion even for situations which are not explicitly defined. In the suggested model, the intrusion definition state transition rule-base is defined using an open source fuzzy declarative language. On the multi-step attack benchmark dataset introduced in this paper, the proposed detection mechanism was able to achieve 97.836% detection rate. Furthermore, in the studied examples, the suggested method was able not only to detect but also early detect the multi-step attack in stages, where the planned attack is not fully elaborated and hence less harmful. According to these results, the IDS built upon the FRI based fuzzy automaton could be a useful device for detecting multi-step attacks, even in cases when the intrusion state transition rule-based is incomplete. The early detection of multi-step attacks also allows the administrator to take the necessary actions in time, to mitigate the potential threats.
With increasing technology developments, the Internet has become everywhere and accessible by eve... more With increasing technology developments, the Internet has become everywhere and accessible by everyone. There are a considerable number of web-pages with different benefits. Despite this enormous number, not all of these sites are legitimate. There are so-called phishing sites that deceive users into serving their interests. This paper dealt with this problem using machine learning algorithms in addition to employing a novel dataset that related to phishing detection, which contains 5000 legitimate web-pages and 5000 phish-ing ones. In order to obtain the best results, various machine learning algorithms were tested. Then J48, Random forest, and Multilayer perceptron were chosen. Different feature selection tools were employed to the dataset in order to improve the efficiency of the models. The best result of the experiment achieved by utilizing 20 features out of 48 features and applying it to Random forest algorithm. The accuracy was 98.11%.
Many approaches have evolved to enhance the process of detecting network anomalies using SNMP-MIB... more Many approaches have evolved to enhance the process of detecting network anomalies using SNMP-MIBs. Most of these approaches focus on machine learning algorithms with a lot of SNMP-MIB database parameters, which may consume most of the hardware resources (CPU, memory, and bandwidth). In this paper, we introduce an efficient detection model to detect network anomalies using Lazy.IBk as a machine learning classifier, Correlation, and ReliefF as an approach for attribute evaluators only SNMP-MIB interface parameters. This model achieves high accuracy 99.94% with minimal hardware resources consumption. Thus, this model can be adopted in the intrusion detection system (IDS) to increase its performance and efficiency.
Network anomalies are destructive to networks. Intrusion detection systems monitor network compon... more Network anomalies are destructive to networks. Intrusion detection systems monitor network component behavior to detect unusual activity (i.e., possible threats). Application-layer Simple Network Management Protocol (SNMP) has been used for decades via TCP/IP protocol to manage network devices. Raw data security evaluation in intrusion detection incurs latency in detection. Management Information Base (MIB) combined with SNMP is a solution for this, the traditional approach of SNMP is centralized. Thus, rendering it unreliable and non-adaptive to network changes when it comes to distributed network. In distributed network, using single or multiple light Mobile Agents are an optimal solution for data gathering as they can move from one source node to another, executing naturally at each. This helps complete tasks without increasing the network overheads, and contributes to decreasing latency. This paper focuses on finding the optimal number of mobile agents to complete the data retrieval task with the minimum routing time, without affecting the network bandwidth, to solve the Simple Network Management Protocol-Management Information Base centralization issue, and enhance detection time. Two types of agents are used in this paper; link agent for discovering the network, and data agents for MIB gathering. The link agent runs in the home node to discover the network and define nodes' connectivity. Then, network is partitioned based on its execution time. Single mobile agent is sent to each partition to complete MIB retrieval task. This approach aims to finish MIB retrieval task with minimum routing time and keeps generating of mobile agents under control to maintain optimal network bandwidth. 
Our approach are enhancement on two approaches were proposed in previous studies in the same filed this paper will present details on each approach and conduct a comparison regarding number of agents used to gather MIB data and the time needed to complete the gathering task
Leader election is an important issue in distributed systems and communication networks. Many pro... more Leader election is an important issue in distributed systems and communication networks. Many protocols and algorithms that are running on distributed systems need a leader to ensure smooth execution; the leader has the responsibility to synchronize and coordinate the system processes. The absence of the leader makes the system inconsistent, and therefore unreliable. Such problem, however, can be solved by leader election algorithms. In this paper, we propose-for the first time-a new leader election algorithm to solve the leader failure in honeycomb mesh network. The honeycomb mesh network desired due to its low network cost, regularity, and scalability. The proposed algorithm aims to select exactly one node among all active nodes in the network to be a new leader, the node, which is elected as the new leader, has more priority over other nodes. The performance of the proposed algorithm is evaluated by computing the number of messages and time steps required to elect a new leader and complete the algorithm mission. The mathematical evaluation shows that the proposed algorithm requires O(n) messages in O() time steps in the best case to complete, as well as O(n 1.5) messages in O() time steps in the worst case.
Practical task of information reliability and security is the effective intrusion detection and p... more Practical task of information reliability and security is the effective intrusion detection and prevention. Open systems are vulnerable. Having in detail information about system structures, more and more sophisticated network intrusion methods could be easily developed and quickly tested. Intruders are always keeping update information about the current technology and generate new intrusion methods. There are several defense solutions against intrusions. The most common solution is Intrusion Detection System (IDS). For giving a short overview of some IDS methods, this paper applies the commonly available KDD-99 dataset for compare and discuss the IDS performance in case of different intrusion types. In this paper, the IDS performance of the J48, Random Forest, Random Tree, Decision Table, Multi-layer Perceptron (MLP) and Naive Bayes Classifier compared based on the average accuracy rate, precision, false positive and false negative performance in case of DOS, R2L, U2R, and PROBE attacks. Moreover, the focus would be on false alarm values. During the tests, the random forest algorithm produced the highest average of accuracy rate 93.77%, while the Random tree algorithm had the lowest rate 90.57%. The lowest value of false negative was produced by the decision table algorithm.
SNMP-MIB is a widely used approach that uses machine learning to classify data and obtain results... more SNMP-MIB is a widely used approach that uses machine learning to classify data and obtain results, but using SNMP-MIB huge dataset is not efficient and it is also time and resources consuming. In this paper, a REP Tree, J48(Decision Tree) and Random Forest classifiers were used to train a model that can detect the anomalies and predict the network attacks that my affect the Internet Protocol(IP) group. This trained model can be used in the devices that are used to detect the anomalies such as intrusion detection systems.
The issue of energy consumption and the age of the network is one of the essential features in th... more The issue of energy consumption and the age of the network is one of the essential features in the design of the wireless sensor network (WSN), which has led researchers in the field of networks and communications to work on innovative mechanisms to reduce energy consumption in these networks and prolong the lifetime. Experts have suggested several WSN-based clustering protocols, since most clustering protocols are homogeneous, and LEACH and M-GEAR are among the most common examples of these protocols. In this paper, we propose six models for the division of wireless sensor networks (WSNs), in each of these models we will distribute sensor nodes to four zones randomly in the field of the sensor area. We install the cluster heads (CHs) in the middle of the geometry shapes of each area, where the shape of the circle or square or both, will be used, and the location of the sink will be in the center of the sensor area. The sensor nodes that are located around the sink and within the geometric shape used will directly connect to the sink. The external nodes will contact the nearest CHs, and to determine the nearest CHs we will apply the Dijkstra's algorithm. For the average number of dead nodes, the square circle method achieved the best result (73.42), followed by the circle square method which got a result (79,66). The largest number of dead nodes showed when using one square only where the result was (97.15). We make a comparison between the outcomes and M-GEAR and LEACH protocols, our model (square circle) stabilizes energy use within sensor nodes. However, nodes in M-GEAR and LEACH do not stay alive for a long time, they die when the stability period is over.
Denial of Service (DoS) attacks are among the attacks most attractive to cyber criminals; they aim to degrade network performance and prevent the network from performing its intended functions. Moreover, DoS attacks can cause great damage to data confidentiality, integrity and availability. This paper introduces a system that monitors network traffic and distinguishes DoS attacks from normal traffic based on an adopted dataset. The results show that the adopted algorithms using the ICMP variables achieved high accuracy, approximately 99.6%, in detecting the ICMP Echo attack, the HTTP Flood attack and the Slowloris attack. Moreover, the designed model succeeded with a rate of 100% in distinguishing normal traffic from the various DoS attacks.
Random Early Detection (RED) is used as an Active Queue Management (AQM) technique for TCP congestion handling. A modification of RED called Gentle RED (GRED) has been proposed by adding the Gentle parameter to the original implementation of RED. This parameter has been turned on by default in NS2 simulator versions 2.1b and later, on the claim that it helps smooth out traffic in routers and increases network performance. In this article we revisit this parameter and show, through simulation, that it should be turned off in current simulations of RED using the NS2 simulator and replaced by an adaptation parameter such as the Adaptive parameter in ARED.
Network security engineers work to keep services available at all times by handling intruder attacks. An Intrusion Detection System (IDS) is one of the available mechanisms used to sense and classify abnormal actions. Therefore, the IDS must always be up to date with the latest intruder attack signatures to preserve the confidentiality, integrity and availability of the services. The speed of the IDS is a very important issue, as is learning new attacks. This research work illustrates how the Knowledge Discovery and Data Mining (or Knowledge Discovery in Databases, KDD) dataset is very handy for testing and evaluating different machine learning techniques. It mainly focuses on the KDD preprocessing part in order to prepare a decent and fair experimental dataset. The J48, Random Forest, Random Tree, MLP, Naïve Bayes and Bayes Network classifiers were chosen for this study. It has been proven that the Random Forest classifier achieved the highest accuracy rate for detecting and classifying all KDD dataset attacks, which are of the types DOS, R2L, U2R and PROBE.
Phishing is one of the most common attacks on the Internet. It employs social engineering techniques such as deceiving users with forged websites in an attempt to obtain sensitive information such as credentials and credit card details. This information can be misused, resulting in large financial losses for the victims. Phishing detection algorithms can be an effective approach to safeguarding users from such attacks. This paper reviews different phishing detection approaches, which include content-based, heuristic-based and fuzzy rule-based approaches.
This article focuses on covert tunnelling, which refers to the mechanism of sending and receiving data between machines without alerting firewalls and intrusion detection systems (IDSs) on the network. The DNS protocol has three characteristics that make it well suited to be used as a covert tunnel. First, DNS is fundamental to the proper functioning of many applications and to Internet browsing, and most organisations do not implement a security policy for DNS traffic. Second, DNS is used to communicate with both internal clients and external remote servers. Third, the DNS protocol has several fields that can be used to embed other data; the fields most used by tunnelling utilities are the NULL and TXT records. The main motivation behind using the DNS protocol as a covert tunnel is to bypass captive portals for paid wifi services in places such as airports and hotels. Other motivations include stealing data, evading detection for unauthorised access, installing and controlling malware, and bypassing firewalls and Internet access policies. There are several tools available for DNS tunnelling; they differ in flexibility, throughput and the technique used to embed data into DNS traffic. Examples include OzymanDNS, dns2tcp, Iodine and DNScat. There are two general methods of detecting DNS tunnels. The first is payload analysis, in which a single DNS request is analysed: attributes such as the length of the packet, the number of bytes and the content of the packet are examined and used to create detection rules (signatures). The second is traffic analysis, in which the overall traffic is analysed over a period of time: attributes such as the volume of DNS traffic, the number of hostnames per domain and domain history are used as indications of tunnelling. In this article, an experimental setup of the Iodine DNS tunnelling tool is implemented. Analysis of the tunnelled DNS traffic is conducted to carve out the encapsulated IP packet. Several detection mechanisms are presented to detect DNS tunnelling using both payload and traffic analysis methods.
With increasing technology developments, there is a massive number of websites with varying purposes. But a particular type exists within this large collection: the so-called phishing sites, which aim to deceive their users. The main challenge in detecting phishing websites is discovering the techniques that have been used, since phishers are continually improving their strategies and creating web pages that can protect themselves against many forms of detection. Therefore, it is very necessary to develop reliable, active and contemporary methods of phishing detection to combat the adaptive techniques used by phishers. In this paper, different phishing detection approaches are reviewed by classifying them into three main groups. Then, the proposed model is presented in two stages. In the first stage, different machine learning algorithms are applied to validate the chosen dataset and feature selection methods are applied to it. The best accuracy, 98.11%, was achieved by using only 20 of the 48 features combined with Random Forest. In the second stage, the same dataset is applied to various fuzzy logic algorithms. The experimental results from the application of fuzzy logic algorithms were remarkable: applying the FURIA algorithm with only five features gave an accuracy rate of 99.98%. Finally, the results of applying machine learning algorithms and fuzzy logic algorithms are compared and discussed, showing that the performance of the fuzzy logic algorithms exceeds that of the machine learning algorithms.
The Internet as we know it today comprises several fundamental interrelated networks, among which is the Internet of Things (IoT). Despite their versatility, many IoT devices are vulnerable from a security perspective, which renders them a favourable target for multiple security breaches, especially botnet attacks. In this study, the conceptual frameworks of IoT botnet attacks are explored, alongside several machine-learning-based botnet detection techniques. This study also analyses and contrasts several botnet detection techniques based on the Bot-IoT dataset, a recent realistic IoT dataset that comprises state-of-the-art IoT botnet attack scenarios.
Existing centralised network management approaches suffer from problems such as insufficient scalability, availability and flexibility as networks become more distributed. Mobile Agents (MAs), upgraded with intelligence, can present a reasonable new technology that will help to achieve distributed management. These agents migrate from one node to another, accessing an appropriate subset of MIB variables from each node, analysing them locally and retaining the results of this analysis during their subsequent migration. One of the network fault management tasks is fault detection, and in this work we propose a statistical method based on the Wiener filter to capture abnormal changes in the behaviour of the MIB variables. The algorithm was implemented on data obtained from two different scenarios in the laboratory, with four different fault case studies. The purpose of this is to provide the manager node with a high level of information, such as a set of conclusions or recommendations, rather than large volumes of data relating to each management task.
Advances in Intelligent Systems and Computing, 2020
In zero-day malware challenges, attackers take advantage of every second that the anti-malware vendor delays in identifying the signature of the attacking malware and providing updates. Furthermore, the longer the detection phase is delayed, the greater the damage to the host device. In other words, the inability to detect attacks early complicates the problem and increases the damage. Therefore, this study aims to develop an intelligent anti-malware system capable of instantly detecting and terminating malware activities instead of waiting for anti-malware updates. The study focuses on Internet of Things (IoT) malware detection based on Machine Learning (ML) techniques. A recent open-source ML algorithm called the Light Gradient Boosting Algorithm (LightGBM) is used to develop our instant anti-malware approach at both the host and network layers without the need for any human intervention. The results show a promising approach for detecting and classifying malware with high accuracy, reaching almost 100% at both the network and host levels based on the holdout cross-validation method. Furthermore, the results show the ability of the proposed approach to detect IoT botnet attacks early, which is an essential feature for terminating the botnet activity before it propagates to a new network device.
Handbook of Computer Networks and Cyber Security, 2020
Generally, malware has come to be known as one of the biggest threats. Malware is a program which performs malicious actions and steals information; more specifically, it is software designed to break into a computer system without the owner's consent. This chapter aimed to study feature selection and malware classification using machine learning. The identification of such features was done through the intuition that various parts of the PE files' features correlate with one another less than with the class of the files, clean or dirty. Such features are used in machine learning algorithms to help classify the malware, so that the resulting classification can be implemented in antivirus programs to help enhance the rate of detection.
This paper presents a methodology for improving the security of identification and authentication processes using Keystroke Dynamics (KSD). KSD is considered a behavioural biometric operating as a second level of security alongside the login process, after the user name and password have been entered. KSD is mainly about observing the way in which the user types. Firstly, we propose four new time features; these features represent the user's behaviour. Secondly, due to the unavailability of a standard dataset, a new behavioural dataset is built. Thirdly, we propose employing KSD on a CAPTCHA code for the identification process. In this research, we applied three different classification techniques, namely J48, Random Forest and Multi-layer Perceptron (MLP), to accurately identify the user behaviour (legitimate or illegitimate) and its authority. Random Forest showed the best result for identification with an accuracy of 93.13%; however, for the authorisation process the highest accuracy was obtained usi...
2019 2nd International Conference on new Trends in Computing Sciences (ICTCS), 2019
Fuzzy Rule Interpolation (FRI) offers a convenient way of delivering rule-based decisions on continuous universes while avoiding the burden of binary decisions. In contrast with classical fuzzy systems, FRI decision-making also performs well on partially complete rule bases, serving methodologies with an incremental rule base creation structure. These features make FRI methods a perfect candidate for detecting and preventing different types of attacks in an Intrusion Detection System (IDS) application. This paper aims to introduce a detection approach for slow port scan attacks by adapting the FRI reasoning method. A controlled test-bed environment was also designed and implemented for the purpose of this study. The proposed detection approach was tested and evaluated using different observations. Experimental analysis on a real test-bed environment provides useful insights into the effectiveness of the proposed detection approach, including its efficacy in detecting the port scan attack and in determining its level of severity. In the discussion, the efficacy of the proposed detection approach is compared to the SNORT IDS. The results of the comparison showed that the SNORT IDS was unable to detect the slow and very slow port scan attacks, whereas the proposed FRI rule-based detection approach was able to detect the attacks and generate comprehensive results for further analysis of the attack's severity.
2019 IEEE International Symposium on Signal Processing and Information Technology (ISSPIT), 2019
Many approaches have evolved to enhance the process of detecting network anomalies using SNMP-MIBs. Most of these approaches focus on machine learning algorithms with a large number of SNMP-MIB database parameters, which may consume most of the hardware resources (CPU, memory and bandwidth). In this paper, we introduce an efficient detection model to detect network anomalies using Lazy.IBk as the machine learning classifier, with Correlation and ReliefF as attribute evaluators, over only the SNMP-MIB interface parameters. This model achieves a high accuracy of 99.94% with minimal hardware resource consumption. Thus, this model can be adopted in an intrusion detection system (IDS) to increase its performance and efficiency.
International Journal of Computer Applications in Technology, 2018
Cloud computing is currently a major focal point for researchers owing to its widespread application and benefits. Cloud computing's complete reliance on the internet for service provision and its distributed nature pose challenges to security, the most serious being insider Distributed Denial of Service (DDoS), which causes a total deactivation of service. Traditional defence mechanisms, such as firewalls, are unable to detect insider attacks. This work proposes an anomaly intrusion detection approach in the hypervisor layer to discourage DDoS activities between virtual machines. The proposed approach is implemented using an evolutionary neural network, which integrates particle swarm optimisation with a neural network for detection and classification of the traffic exchanged between virtual machines. The performance analysis shows that our proposed approach detects and classifies DDoS attacks in the cloud environment with minimal false alarms and high detection accuracy.
The Domain Name System (DNS) protocol is the backbone of the Internet. It facilitates connection to websites and services using understandable names that are easy to remember. DNS converts these names to their corresponding IP addresses in order to establish communication over the network. The security of the DNS protocol was not originally a major concern for organisations, since the protocol was not intended to be used for regular data transmission. However, in recent years, attackers have developed tools that take advantage of this situation and utilise DNS for malicious purposes, such as covert tunnelling and data exfiltration.
International Journal of Electrical and Computer Engineering (IJECE), 2022
Telecom companies usually offer several rate plans or bundles to satisfy customers' different needs. Finding and recommending the offer that best matches a customer's needs is crucial to maintaining customer loyalty and the company's revenue in the long run. This paper presents an effective method of detecting a group of customers who have the potential to upgrade their telecom package. The data used is a real dataset extracted from the call detail records (CDRs) of a telecom operator. The method utilises an enhanced k-means clustering model based on customer profiling. The results show that the proposed k-means-based clustering algorithm identifies potential customers willing to upgrade to a higher-tier package more effectively than the traditional k-means algorithm. Our results showed that the accuracy of our proposed clustering model was over 90%, while the accuracy of traditional k-means was under 70%.
Smartphones are an essential part of all aspects of our lives. Socially, politically and commercially, there is almost complete reliance on smartphones as a communication tool, a source of information and a means of entertainment. Rapid developments in the world of information and cyber security have necessitated close attention to the privacy and protection of smartphone data. Spyware detection systems have recently been developed as a promising and encouraging solution for protecting smartphone users' privacy. The Android operating system is the most widely used worldwide, making it a significant target for many parties interested in targeting smartphone users' privacy. This paper introduces a novel dataset collected in a realistic environment, obtained through a novel data collection methodology based on a unified activity list. The data are divided into three main classes: the first class represents normal smartphone traffic; the second class represents traffic data for the spyware i...
Nowadays, the rapid growth of technology delivers many new concepts and notions that aim to increase the efficiency and comfort of human life. One of these technologies is the Internet of Things (IoT). The IoT has been used to achieve efficient operation management, cost-effective operations, better business opportunities, etc. However, there are many challenges facing the implementation of an IoT smart environment. The most critical challenge is protecting the IoT smart environment from different attacks. IoT botnet attacks are considered a serious challenge. The danger of this attack lies in the fact that it can be used to issue several threatening commands; botnet attacks can thus be used to perform DDoS attacks, phishing attacks, spamming and other attack scenarios. This paper introduces a detection approach against IoT botnet attacks using the interpolation reasoning method. The suggested detection approach was implemented using the interpolation reasoning method...