Deep Learning Applications for Cyber Security

In recent years, deep learning frameworks have been applied in many domains and achieved promising performance. However, recent work have demonstrated that deep learning frameworks are vulnerable to adversarial attacks. A trained neural network can be manipulated by small perturbations added to legitimate samples. In computer vision domain, these small perturbations could be imperceptible to human. As deep learning techniques have become the core part for many security-critical applications including identity recognition camera, malware detection software, self-driving cars, adversarial attacks have become one crucial security threat to many deep learning applications in real world. In this chapter, we first review some state-of-the-art adversarial attack techniques for deep learning frameworks in both white-box and black-box settings. We then discuss recent methods to defend against adversarial attacks on deep learning frameworks. Finally, we explore recent work applying adversarial attack techniques to some popular commercial deep learning applications, such as image classification, speech recognition and malware detection. These projects demonstrate that many commercial deep learning frameworks are vulnerable to malicious cyber security attacks.

In this chapter, we exploit the deep learning and adaptive neuro-fuzzy inference system (ANFIS) techniques to develop an intelligent situational awareness system for energy management systems of the emergency hybrid auxiliary power unit (APU) for more-electric aircrafts. Our proposed security control strategy consists of two main mechanisms: (1) deep learning-based attack detection scheme that explores the techniques of convolutional neural networks, deconvolutional neural networks, and recurrent neural networks and (2) adaptive neuro-fuzzy inference system (ANFIS)-based estimation method to calculate the true values of the compromised data. In this chapter, we also present some simulation results to illustrate the effectiveness of our proposed method in detecting the cyber-attacks, such as false data injection (FDI) attacks, and mitigating the impact of the cyber-attacks in the energy management for the hybrid APUs in more-electric aircrafts.

The Cyber-physical Systems (CPS) are a combination of integrated physical processes, networking and computation to be minored and controlled y embedded subsystems via networked systems with feedback loops to change their behaviour when needed. Whilst the increased use of CPS brings more threats to the public, and thus security problems in this area have become a global issue to make it necessary to develop new approaches for securing CPS. The CPS utilise three-level architecture based on the respective functions of each layer: the perception layer, the transmission layer, and the application layer. Security in specific, CPS applications is currently the most important security objective of CPS because it offers the importance of CPS in its improving functionality

This chapter focuses on the application aspect which is more related to people’s daily lives, and will present a real-time system including distributed multi-camera system that integrates computing and communicating capabilities with monitoring on people in the physical world, namely person re-identification in the cyber-physical surveillance systems. The increasing sophistication and diversity of threats to public security have been causing a critical demand for the development and deployment of reliable, secure, and time-efficient visual intelligent surveillance systems in smart cities. For example, visual surveillance for indoor environments, like metro stations, plays an important role both in the assurance of safety conditions for the public and in the management of the transport network. Recent progress in computer vision techniques and related visual analytics offers new prospects for an intelligent surveillance system. A major recent development is the massive success resulting from using deep learning techniques to enable a significant boosting to visual analysis performance and initiate new research directions to understand visual content. For example, convolutional neural networks have demonstrated superiority on modelling high-level visual concepts. It is expected that the development of deep learning and its related visual analytic methodologies would further influence the field of intelligent surveillance systems. In view of the high demand for a prevalent surveillance system by the metropolis communities, this chapter will introduce recent research based on deep neural networks and pipelines to the practitioners and human investigators undertaking forensic and security analysis of large volumes of open-world CCTV video data sourced from a large distributed multi-camera network covering complex urban environments with transport links. This chapter will address the challenges of using deep learning and related techniques to understand and promote the use of ubiquitous intelligent surveillance systems.

Advanced metering infrastructure (AMI) is the primary step to establish a modern smart grid. AMI enables a flexible two-way communication between smart meters and utility company for monitoring and billing purposes. However, AMI suffers from the deceptive behavior of malicious consumers who report false electricity usage in order to reduce their bills, which is known as electricity theft cyber-attacks. In this chapter, we present deep learning-based detectors that can efficiently thwart electricity theft cyber-attacks in smart grid AMI networks. First, we present a customer-specific detector based on a deep feed-forward and recurrent neural networks (RNN). Then, we develop generalized electricity theft detectors that are more robust against contamination attacks compared with customer-specific detectors. In all detectors, optimization of hyperparameters is investigated to improve the performance of the developed detectors. In particular, the hyperparameters of the detectors are optimized via sequential, random, and genetic optimization-based grid search approaches. Extensive test studies are carried out against real energy consumption data to investigate all detectors performance. Also, the performance of the developed deep learning-based detectors is compared with a shallow machine learning approach and a superior performance is observed for the deep learning-based detectors.

As the reliance on the Internet and its constituent applications increase, so too does the value in exploiting these networking systems. Methods to detect and mitigate these threats can no longer rely on singular facets of information, they must be able to adapt to new threats by learning from a diverse range of information. For its ability to learn complex inferences from large data sources, deep learning has become one of the most publicised techniques of machine learning in recent years. This chapter aims to investigate a deep learning technique typically used for image classification, the convolutional neural network (CNN), and how its methodology can be adapted to detect and classify malicious network traffic.

Botnets play an important role in malware distribution and they are widely used for spreading malicious activities in the Internet. The study of the literature shows that a large subset of botnets use DNS poisoning to spread out malicious activities and that there are various methods for their detection using DNS queries. However, since botnets generate domain names quite frequently, the resolution of domain names can be very time consuming. Hence, the detection of botnets can be extremely difficult. This chapter propose a novel deep learning framework to detect malicious domains generated by malicious Domain Generation Algorithms (DGA). The proposed DGA detection method, named, Deep Bot Detect (DBD) is able to evaluate data from large scale networks without reverse engineering or performing Non-Existent Domain (NXDomain) inspection. The framework analyzes domain names and categorizes them using statistical features, which are extracted implicitly through deep learning architectures. The framework is tested and deployed in our lab environment. The experimental results demonstrate the effectiveness of the proposed framework and shows that the proposed method has high accuracy and low false-positive rates. The proposed framework is a simple architecture that contains fewer learnable parameters compared to other character-based, short text classification models. Therefore, the proposed framework is faster to train and is less prone to over-fitting. The framework provides an early detection mechanism for the identification of Domain-Flux botnets propagating in a network and it helps keep the Internet clean from related malicious activities.

In recent years, modern botnets employ the technique of domain generation algorithm (DGA) to evade detection solutions that use either reverse engineering methods, or blacklisting of malicious domain names. DGA facilitates generation of large number of pseudo random domain names to connect to the command and control server. This makes DGAs very convincing for botnet operators (botmasters) to make their botnets more effective and resilient to blacklisting and efforts of shutting-down attacks. Detecting the malicious domains generated by the DGAs in real time is the most challenging task and significant research has been carried out by applying different machine learning algorithms. This research considers contemporary state-of-the-art DGA malicious detection approaches and proposes a deep learning architecture for detecting the DGA generated domain names.

This chapter presents extensive experiments conducted with various Deep Neural Networks (DNN), mainly, convolutional neural network (CNN), Recurrent Neural Network (RNN), Long Short-Term Memory (LSTM), Gated Recurrent Unit (GRU), Bidirectional Long Short-Term Memory (BiLSTM), Bidirectional Recurrent Neural Network (BiRNN) and CNN-LSTM layers deep learning architectures for the binary class and multi-class detection. An extensive study of the performance and efficiency of the proposed DGA Malicious Detector is conducted through rigorous experimentation and testing of two different datasets. The first dataset consists of public sources and the second dataset is from private sources. We perform a comprehensive measurement study of the DGA by analyzing more than three Million domain names. Our experiments show our DGA Malicious Detector is capable of effectively identifying domains generated by DGA families with high accuracy of 99.7% and 97.1% for the two datasets respectively. A comparative study of the deep learning approaches shows good benchmarking of our DGA Malicious Detector.

Software Defined Networking (SDN) is emerging as a key technology for future Internet. SDN provides a global network along with the capability to dynamically control network flow. One key advantage of SDN, as compared to the traditional network, is that by virtue of centralized control it allows better provisioning of network security. Nevertheless, the flexibility provided by SDN architecture manifests several new network security issues that must be addressed to strengthen SDN network security. So, in this paper, we propose a Gated Recurrent Unit Recurrent Neural Network (GRU-RNN) enabled intrusion detection system for SDN. The proposed approach was tested using the NSL-KDD and CICIDS2017 dataset, and we achieved an accuracy of 89% and 99% respectively with low dimensional feature sets that can be extracted at the SDN controller. We also evaluated network performance of our proposed approach in terms of throughput and latency. Our test results show that the proposed GRU-RNN model does not deteriorate the network performance. Through extensive experimental evaluation, we conclude that our proposed approach exhibits a strong potential for intrusion detection in the SDN environments.

To evade detection, attackers usually obfuscate malicious Android applications. These malicious applications often have randomly generated application IDs or package names, and they are also often signed with randomly created certificates. Conventional machine learning models for detecting such malware are neither robust enough nor scalable to the volume of Android applications that are being produced on a daily basis. Recurrent neural networks (RNN) and convolutional neural networks (CNN) have been applied to identify malware by learning patterns in sequence data. We propose a novel malware classification method for malicious Android applications using stacked RNNs and CNNs so that our model learns the generalized correlation between obfuscated string patterns from an application’s package name and the certificate owner name. The model extracts machine learning features using embedding and gated recurrent units (GRU), and an additional CNN unit further optimizes the feature extraction process. Our experiments demonstrate that our approach outperforms Ngram-based models and that our feature extraction method is robust to obfuscation and sufficiently lightweight for Android devices.

A precursor to successful automatic child exploitation material recognition is the ability to automatically identify pornography (largely solved) involving children (largely unsolved). Identifying children’s faces in images previously labelled as pornographic can provide a solution. Automatic child face detection plays an important role in online environments by facilitating Law Enforcing Agencies (LEA) to track online child abuse, bullying, sexual assault, but also can be used to detect cybercriminals who are targeting children to groom up them with a view of molestation later. Previous studies have investigated this problem in an attempt to identify only children faces from a pool of adult faces, which aims to extract information from the basic low- and high-level features i.e., colour, texture, skin tone, shape, facial structures etc. on child and adult faces. Typically, this is a machine learning-based architecture that accomplish a categorization task with the aim of identifying a child face, given a set of child and adult faces using classification technique based on extracted features from the training images. In this paper, we present a deep learning methodology, where machine learns the features straight away from the training images without having any information provided by humans to identify children faces. Compared to the results published in a couple of recent work, our proposed approach yields the highest precision and recall, and overall accuracy in recognition.