WP3 | Implementation report
Using machine learning algorithms, we built a lightweight cyber attack detection system that can run on resource-constrained IoT devices, and evaluated its performance. Specifically, the following three studies were carried out in parallel.
New feature selection algorithm | CST-GR
We researched a lightweight and effective attack detection system based on the newly proposed feature selection algorithm CST-GR. The system was implemented on a resource-constrained Raspberry Pi, and its detection performance was verified using public datasets collected from IoT environments. It significantly reduces the number of features used for detection because the CST-GR algorithm selects features in two stages for each type of attack. The proposed system is lightweight enough to run in a Raspberry Pi environment, at the cost of only a small loss in detection performance.
At the same time, we evaluated several types of machine learning algorithms. The detection accuracy (TPR and FPR) of RF (random forest) was slightly better than that of J48 (decision tree), but the detection time of J48 was about 10 times shorter than that of RF. Based on this verification, J48 was the most suitable algorithm for this proposal. The results of this research were published in the January 2020 issue of the international academic journal Electronics (refereed).
System to detect multiple attacks sequentially
We proposed, implemented, and demonstrated the performance of a system that detects multiple attacks sequentially. It was shown that better detection performance is achieved by performing feature selection and training a separate classifier for each specific attack. The results of this research were presented at the international conference IEEE CyberSciTech 2019 (refereed).
Sequential attack detection system
We implemented and demonstrated the performance of a sequential attack detection system that improves overall detection performance by using multiple classifiers. In existing systems, a higher detection rate comes with a higher number of false alerts. In this research, we proposed and implemented a sequential detection system that improves both, and demonstrated its performance.
This result was presented at the international conference CANDAR 2019 (refereed).
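The two ideas above, per-attack feature selection and sequential (cascaded) detection, are easier to see in code. The following is an added illustration, not the project's own implementation: the report does not specify the two stages of CST-GR, so stage 1 here is assumed to drop features with no variation and stage 2 is assumed to rank the remaining features by information gain against a one-vs-rest label for each attack type. Each attack then gets its own one-feature threshold detector (a depth-1 decision tree, a stand-in for J48), and the detectors are applied in sequence; the first one that fires names the attack. The feature names, the two attack types and all record values are constructed for the example.

```python
"""Per-attack two-stage feature selection feeding a sequential detector.
Added example; the stages, features and data are assumptions, not CST-GR."""
from math import log2

FEATURES = ["pkt_rate", "syn_ratio", "dst_ports", "ttl"]


def rec(pkt_rate, syn_ratio, dst_ports, label):
    # Constructed flow record; ttl is deliberately constant (uninformative).
    return ({"pkt_rate": pkt_rate, "syn_ratio": syn_ratio,
             "dst_ports": dst_ports, "ttl": 64}, label)


TRAIN = [rec(20, 0.10, 2, "normal"), rec(35, 0.20, 3, "normal"),
         rec(50, 0.15, 4, "normal"), rec(15, 0.05, 1, "normal"),
         rec(900, 0.95, 1, "syn_flood"), rec(1200, 0.90, 2, "syn_flood"),
         rec(800, 0.98, 1, "syn_flood"), rec(1500, 0.97, 1, "syn_flood"),
         rec(200, 0.30, 120, "scan"), rec(150, 0.25, 90, "scan"),
         rec(850, 0.40, 200, "scan"), rec(120, 0.20, 60, "scan")]

TEST = [rec(25, 0.10, 40, "normal"), rec(30, 0.10, 3, "normal"),
        rec(1000, 0.92, 1, "syn_flood"), rec(180, 0.30, 75, "scan"),
        rec(100, 0.50, 30, "scan")]


def entropy(labels):
    """Shannon entropy of a list of 0/1 labels."""
    n = len(labels)
    if n == 0:
        return 0.0
    p = sum(labels) / n
    if p in (0.0, 1.0):
        return 0.0
    return -(p * log2(p) + (1 - p) * log2(1 - p))


def best_split(values, labels):
    """(information gain, threshold) of the best 'value > threshold' split;
    candidate thresholds are midpoints between consecutive distinct values."""
    base, n = entropy(labels), len(labels)
    best = (0.0, None)
    distinct = sorted(set(values))
    for lo, hi in zip(distinct, distinct[1:]):
        t = (lo + hi) / 2
        left = [y for v, y in zip(values, labels) if v <= t]
        right = [y for v, y in zip(values, labels) if v > t]
        gain = base - (len(left) / n * entropy(left) + len(right) / n * entropy(right))
        if gain > best[0]:
            best = (gain, t)
    return best


def stage1_drop_uninformative(records, features, min_distinct=2):
    """Stage 1 (assumed): drop features taking fewer than min_distinct values."""
    return [f for f in features if len({x[f] for x, _ in records}) >= min_distinct]


def stage2_rank_for_attack(records, features, attack):
    """Stage 2 (assumed): rank features by information gain for one attack type
    against everything else (one-vs-rest)."""
    labels = [1 if y == attack else 0 for _, y in records]
    ranked = [(best_split([x[f] for x, _ in records], labels), f) for f in features]
    ranked.sort(key=lambda item: -item[0][0])
    return [(gain, f, t) for (gain, t), f in ranked]


def train_stump(records, attack, feature, threshold):
    """One-feature detector: fires on the side of the threshold where the
    attack is more frequent in the training records."""
    labels = [1 if y == attack else 0 for _, y in records]
    above = [l for (x, _), l in zip(records, labels) if x[feature] > threshold]
    below = [l for (x, _), l in zip(records, labels) if x[feature] <= threshold]
    rate = lambda ls: sum(ls) / len(ls) if ls else 0.0
    return {"attack": attack, "feature": feature, "threshold": threshold,
            "fire_above": rate(above) >= rate(below)}


def build_cascade(records, features, attacks):
    """Select one feature per attack type and train that attack's detector."""
    kept = stage1_drop_uninformative(records, features)
    cascade = []
    for attack in attacks:
        _, feature, threshold = stage2_rank_for_attack(records, kept, attack)[0]
        cascade.append(train_stump(records, attack, feature, threshold))
    return cascade


def detect(cascade, x):
    """Sequential detection: the first detector that fires names the attack."""
    for d in cascade:
        v = x[d["feature"]]
        fired = v > d["threshold"] if d["fire_above"] else v <= d["threshold"]
        if fired:
            return d["attack"]
    return "normal"


def evaluate(cascade, records):
    """TPR: attack records labelled with their own attack type.
    FPR: normal records flagged as any attack."""
    tp = fp = attacks = normals = 0
    for x, y in records:
        pred = detect(cascade, x)
        if y == "normal":
            normals += 1
            fp += pred != "normal"
        else:
            attacks += 1
            tp += pred == y
    return {"tpr": tp / attacks, "fpr": fp / normals}


if __name__ == "__main__":
    cascade = build_cascade(TRAIN, FEATURES, ["syn_flood", "scan"])
    for d in cascade:
        print(d)
    print("train:", evaluate(cascade, TRAIN), "test:", evaluate(cascade, TEST))
```

On the constructed data the stage-2 ranking picks syn_ratio for the SYN flood detector and dst_ports for the scan detector, so each stage of the cascade needs only one feature. The held-out records include a legitimate client that talks to many ports (a false positive) and a low-rate scan (a false negative), which is where the trade-off between detection rate and false alerts that the report describes shows up in the TPR/FPR numbers.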
In order to detect attacks efficiently in the SDN environments that are widely used in the IoT era, we continued research on automatic threshold extraction. The automatic extraction method used so far was further generalized and its performance verified. Most existing detection schemes are two-step methods that introduce a trigger, and because the trigger condition directly determines detection performance (especially the false positive and false negative rates), we are also conducting research in this WP on more suitable trigger conditions.
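The link between the trigger condition and the false positive/false negative rates can be made concrete with a small experiment. The following is an added example, not the method described in the report: it assumes the threshold is extracted from a baseline of per-window new-flow counts as mean + k * standard deviation, and sweeps k to show how a single trigger parameter moves the two error rates in opposite directions. The baseline counts and the labelled windows are constructed values.

```python
"""Automatic threshold extraction for a two-step (trigger-based) SDN detector.
Added example; mean + k * stdev is an assumed extraction rule, data is constructed."""
from statistics import mean, pstdev

# Constructed baseline: new flows per one-second window under normal traffic.
BASELINE = [12, 15, 11, 14, 13, 16, 12, 15, 14, 18]

# Constructed labelled windows for evaluating the trigger: (count, is_attack).
WINDOWS = [
    (13, False), (17, False), (20, False), (25, False),  # normal, incl. two bursts
    (21, True), (30, True), (45, True), (60, True),      # attack windows
]


def extract_threshold(baseline, k):
    """Trigger threshold = baseline mean + k * population standard deviation."""
    return mean(baseline) + k * pstdev(baseline)


def triggered(count, threshold):
    """Step 1 of the two-step detector: the cheap trigger that decides whether
    the heavier step-2 analysis is run for this window."""
    return count > threshold


def fpr_fnr(windows, threshold):
    """False positive rate over normal windows and false negative rate over
    attack windows for a given trigger threshold."""
    normals = [c for c, is_attack in windows if not is_attack]
    attacks = [c for c, is_attack in windows if is_attack]
    fp = sum(triggered(c, threshold) for c in normals)
    fn = sum(not triggered(c, threshold) for c in attacks)
    return fp / len(normals), fn / len(attacks)


def sweep(baseline, windows, ks):
    """Trade-off table: (k, threshold, fpr, fnr) for each candidate k."""
    rows = []
    for k in ks:
        t = extract_threshold(baseline, k)
        fpr, fnr = fpr_fnr(windows, t)
        rows.append((k, t, fpr, fnr))
    return rows


if __name__ == "__main__":
    for k, t, fpr, fnr in sweep(BASELINE, WINDOWS, [2, 4, 6]):
        print(f"k={k}: threshold={t:.1f}  FPR={fpr:.2f}  FNR={fnr:.2f}")
```

With this baseline the mean is 14 and the standard deviation 2, so k=2 gives a threshold of 18 that catches every attack window but also fires on both normal bursts, while k=6 gives 26 with no false positives but misses the low-rate attack window. Whatever rule extracts the threshold, it is this table, computed on traffic representative of the deployment, that should decide the trigger condition.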
In existing research, a method has been proposed that generates a grayscale image from program code and identifies malware with a convolutional neural network (CNN). However, the existing implementation of the image-processing CNN required 5 layers and about 2,000 nodes. We instead introduced the nearest neighbor method for preprocessing the input image to the CNN, which reduces the size of the input image, and produced a compact CNN implementation consisting of two layers and about 100 nodes. We evaluated the loss of accuracy caused by this reduction in implementation experiments and demonstrated that malware can be identified with 95% accuracy, the same as existing methods. Furthermore, we showed that the accuracy of discriminating between normal software and three types of real IoT malware, including Mirai and Gafgyt, is 70% or more, demonstrating the effectiveness of the proposed method.
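The preprocessing step described above, turning program bytes into a grayscale image and shrinking it with the nearest neighbor method before it reaches the small CNN, is shown below as an added example; it is not the project's code, and the CNN itself is out of scope. The row width, the target size, the zero padding of the last row and the sample "program" bytes are all assumptions made for the illustration.

```python
"""Program bytes -> grayscale image -> nearest-neighbour downsampling.
Added example; width, target size and sample bytes are assumptions."""


def bytes_to_image(data, width):
    """Lay the bytes out row by row, one byte per pixel (0-255).
    The last row is zero-padded (assumption) so all rows share the width."""
    rows = []
    for start in range(0, len(data), width):
        row = list(data[start:start + width])
        row += [0] * (width - len(row))
        rows.append(row)
    return rows


def nearest_neighbour_resize(img, out_h, out_w):
    """For every output pixel, copy the single nearest input pixel; no
    averaging is done, which is what keeps this preprocessing cheap."""
    in_h, in_w = len(img), len(img[0])
    return [[img[i * in_h // out_h][j * in_w // out_w] for j in range(out_w)]
            for i in range(out_h)]


def to_pgm(img):
    """Plain-text PGM, handy for eyeballing the result in an image viewer."""
    h, w = len(img), len(img[0])
    body = "\n".join(" ".join(str(p) for p in row) for row in img)
    return f"P2\n{w} {h}\n255\n{body}\n"


def preprocess(data, width=32, size=8):
    """Full pipeline: bytes -> width-pixel-wide grayscale image -> size x size
    image that a compact CNN could take as input."""
    return nearest_neighbour_resize(bytes_to_image(data, width), size, size)


# Constructed stand-in for a program file: 1024 bytes cycling through 0..255,
# so the 32x32 image is a predictable ramp and the 8x8 result is easy to check.
SAMPLE_PROGRAM = bytes(range(256)) * 4

if __name__ == "__main__":
    small = preprocess(SAMPLE_PROGRAM)
    print(to_pgm(small))
```

Downsampling by a factor of four in each dimension cuts the CNN input from 1,024 to 64 pixels, which is the kind of reduction that lets the network shrink to two layers; the accuracy cost of discarding the skipped pixels is exactly what the experiments described above measure.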