Threat Intelligence Model - Main1
INTRODUCTION
1.1. Background to the Study
Attacks on data architectures have increased considerably over the years as newer technologies
and architectures emerge. The chief cause of attacks is a vulnerability in a system which was
identified and exploited. These attacks can also be referred to as threats or data intrusion. A
threat is a potential action or event which negatively impacts a system by altering its normal
not an accidental occurrence. The after effect(s) of a threat (if not prevented) is usually chaotic.
Threats are initiated against systems in various sectors such as banking, social networking, web-based
systems and other organizational systems which deal majorly with data, especially big data.
The threats can be in the form of viruses, phishing sites, hacking, malware (spyware, ransomware,
etc.), denial of service, etc. The main aim of these is to corrupt, disrupt and steal data for
malicious use.
Threat intelligence is therefore very important in order to totally avert, or critically reduce, the
after effects of threats to the system. Threat intelligence also provides adequate information that
can be utilized for threat detection and handling, both for present and future threats. This simply
implies that by knowing the nature of a threat, you can more easily tackle it.
There are many techniques of threat detection which have been proposed by researchers;
however, the choice of a threat detection technique will depend solely on the nature of the
threat which a particular system is prone to and also on the performance of that technique in the
detection of previous threats to other systems. Also, while making a choice of a detection
technique, it is noteworthy that attackers have grown increasingly sophisticated and resistant to
threat detection architectures put up by researchers, by cracking into these architectures and
introducing threats into them as well. These attackers are able to evade very sophisticated tools and
systems such as intrusion detection systems and botnets which were supposed to protect the
system from their attack. This has posed serious problems to several organizations, data
consumers and even the research community as the struggle continues for an intelligent threat
detection system which can both identify and block threats without any form of human
intervention.
Developing computational security models to analyze different threat incident patterns and
eventually identify the threats utilizing cyber security data can be used for building a data-driven
intelligent threat detection system for web-based information systems (Sarker et al, 2020).
There is a process which must be followed for effective and accurate threat detection. However,
this process is often neglected by researchers and cyber security administrators who jump straight
into the development of an intrusion detection system. The process is as follows: threat intelligence,
threat analysis or behavioural analytics, model development and finally threat/anomaly detection.
Neglecting these vital steps has led to a lot of failed threat detection systems. Other challenges
include lack of competent algorithms for the detection of new attacks, unrobust models which
datasets with weak threat patterns and use of poor parameters for evaluation of threat detection
systems. We hope to tackle the problem of incompetent threat detection algorithms using improved
1.3. Aim and Objectives
The aim of this study is to develop an enhanced intelligent threat detection model for a data security
system using historical threat patterns and Artificial Neural Networks (ANNs).
ii. Train the proposed model using historical threat patterns. The training set will contain
80% of the dataset.
iii. Test the model using the remaining 20% of the dataset to ascertain model efficiency.
iv. Implement the proposed threat detection model using the Java programming language.
v. Evaluate our proposed model's results against the existing threat detection model.
The benefits of threat detection in an information system are enormous and cannot be
overemphasized. Without threats, data will be secure, available and confidential, and will retain its
integrity within the information system. Threat detection reduces data breaches and breach
attempts and guarantees measurable improvement in the security of data and its environs. It also
enables better data management by analysts and data administrators. Therefore, a threat
detection system could be beneficial to data consumers (financial institutions and their
customers), to organizations which manage data (especially big data), to web-based application
developers and users, to security administrators, to security analysts and to the research
community.
1.5. Scope of the Study
This study explores data security measures to curb threats on data architectures across various
sectors and organizations which use information systems. It covers areas such as: threat
intelligence gathering using historical threat datasets from public repositories, threat/anomaly
identification and analysis, threat modeling and threat detection using ANNs on the Java platform.
This study does not cover detection of threats on platforms or architectures other than
information systems.
In this section we define the basic key terms related to our study:
ii. Threat Intelligence: This can be defined as information about threats and threat
iii. Information System: This is a system that is designed to collect, process, store and
distribute data and information. It consists of tasks, people, structure and technology.
iv. Data Security: Data security means protecting digital data from destructive forces
v. Security Threat: These are software attacks, theft of intellectual property, identity
vi. Cyber security: This is the protection of computer systems and networks from
vii. Data Breach: A data breach is the intentional or unintentional release of secure or
unintentional information disclosure, data leak, information leakage and also data
spill
viruses, worms, Trojan horses, ransomware, spyware, adware, rogue software, wiper
and scareware.
violations
x. Big Data: These are extremely large data sets that may be analyzed computationally
and interactions.
CHAPTER TWO
LITERATURE REVIEW
Several definitions of threats have been provided by researchers and research communities over
the years; however, just a few of them truly capture and express the key components in the
According to ISO 27005 (2008), a threat can be defined as a potential cause of an incident that
may result in harm to systems and organizations. This definition captures the cause and effect of
the word and expresses it with regard to the personal and organizational effects of a threat.
Another definition was given by ENISA (2017). They defined a threat as any circumstance or
event with the potential to adversely impact an asset (i.e. anything that has value to the
organization, its business operations and their continuity, including information resources that
support the organization's mission (expressed in ISO/IEC PDTR 13335-1) through unauthorized
Finally, according to NIST (2006), a threat may be defined as any circumstance or event with
the potential to adversely impact organizational operations (including mission, functions, image,
service. Also, the potential for a threat-source to successfully exploit a particular information
system vulnerability. We are adopting the definitions by ENISA and NIST as they fully capture
the meaning, characteristics, types and impacts of threats to an information system or any other
host. From the definitions given above, it follows that a threat, no matter its nature, source or host,
will always leave a negative impact (Seker, 2019). It can also be deduced that everyone is at risk of a
cyber-attack.
According to Seker (2020), cyber threats are categorized into the following:
computer, server, client, or computer network. There are several types of malware such
II. Web-based Attacks: A web-based attack occurs when a user's personal and sensitive data
such as their credit card, Social Security, or medical information which should be kept
III. Web Application Attacks: Grave weaknesses or vulnerabilities allow criminals to gain
direct and public access to databases in order to churn sensitive data, and this is known as
a web application attack. Many of these databases contain valuable information (e.g.
personal data and financial details), making them a repeated object of attacks.
IV. Denial of Service: A denial-of-service attack is a cyber-attack in which the culprit strives
running one or more bots. The bots serve as a tool to automate mass attacks, such as data
theft, server crashing, and malware distribution. Botnets can be used to carry out
Distributed Denial-of-Service attacks, steal data, send spam, and allow the attacker to
access the device and its connection. Assembly of a botnet is usually the infiltration stage
of a multi-layer scheme.
VI. Phishing: Phishing is a type of social engineering where an attacker sends a fraudulent
message designed to deceive a human victim into revealing sensitive information to the
VII. Spam: E-mail spam is irrelevant or unwanted messages sent over the internet,
usually to a large number of users, for the purposes of advertising, phishing, spreading
malware, etc.
permanently block access to it unless a ransom is paid. While some simple ransomware
may lock the system so that it is not difficult for a knowledgeable person to reverse, more
IX. Insider Threat: An insider threat is a malicious threat to an organization that comes from
business associates, who have inside information concerning the organization's security
X. Exploit Kits: Exploit kits or exploit packs refer to a type of hacking toolkit that
XI. Data Breaches: A data breach is the intentional or unintentional release of protected or
XII. Identity Theft: Identity theft occurs when someone uses another person's personal
identifying information, like their name, identifying number, or credit card number,
The knowledge of the different types of threats led to the deployment of five methods of threat
monitoring and detection. These methods were used to prevent or mitigate the risks of
threats, which implies that they were both proactive and reactive in nature.
b) Advanced analytics techniques that can sift through massive amounts of information,
investigations.
c) Malware analysis using methods that don't rely on file signatures and go straight to the
hostile activity.
d) Incident detection and response practices that align security personnel, processes, and
spend less time on routine tasks and more time defending high-priority assets and address
e) Open-source intelligence (OSINT), i.e. collecting information from the public, open tools,
Internet (such as blogs, dark-web, websites, YouTube, Twitter, Facebook, etc.), Public
Commercial Data (commercial imagery, financial and industrial assessments, etc.), Grey
Threat modeling can be described as a process by which possible threats, such as basic
viewpoint. The impulse behind threat modeling is to provide safeguards with a precise
examination of the probable attacker's profile, the most likely attack vectors, and the assets.
In application development, threat modeling is an iterative procedure which begins during the
early planning stage and continues all through the application lifespan. This is because
applications are mostly prone to changes which require that they be updated in order to adapt.
Therefore, during the update stage, the threat modeling process should be repeated. Another
reason for threat modeling iteration is that the possibility of describing almost all cyber threats with a
There are various methodologies for modelling threats; however, we will briefly state and discuss
STRIDE: This threat modeling methodology was introduced in 1999 at Microsoft (Kohnfelder and Garg,
2016). The acronym STRIDE was coined from the first letter of each of the following six classes: spoofing
identity, tampering with data, repudiation, information disclosure, denial of service and elevation
of privilege.
PASTA: The Process for Attack Simulation and Threat Analysis (PASTA) is a threat modeling
VAST: VAST is an acronym which stands for Visual, Agile, and Simple Threat modeling.
VAST is a threat modeling methodology that handles a large number of the deficiencies
Threat intelligence tools are important security tools which adopt global security data for
proactive identification, mitigation and remediation of security threats. These tools are designed
to match the new and daily evolving threat trends. Some of these tools are:
TLP is an information-sharing model that was created by the UK Government's Centre for
Protection of National Infrastructure (CPNI) in the early 2000s. This model was intended for the
classification and management of shared sensitive information (Luiijf and Kerkamp, 2015). TLP
has 4 different categories named after traffic light colours, which are red, amber, green and white, and all
present at the meeting only. Sources may use TLP:RED when information cannot be
effectively acted upon by additional parties and could lead to impacts on a party's
circulated widely within a particular community and the organizations which take
part in that community. However, the information may not be published or posted
organizations. Sources may use TLP:GREEN when information is useful for the
awareness of all participating organizations as well as with peers within the broader
community or sector.
The MILE Working Group developed standards for exchanging incident data. The group described a
package of standards such as the Incident Object Description and Exchange Format (IODEF),
IODEF for Structured Cyber Security Information (IODEF-SCI), and Real-time Inter-network
IODEF has over 30 classes and subclasses including Contact, Monetary Impact, Time,
b. Real-time Inter-network Defense (RID): RID defines a protocol to facilitate sharing
computer and network security incidents, which is a standard for communicating cyber
threat intelligence. Five message types are used by RID, which are Request,
Acknowledgement, Result, Report, and Query. The Policy Class in RID allows different
policies.
OpenIOC gives a standard arrangement and terms for portraying the artifacts encountered
during an investigation. It was presented by Mandiant in 2011. OpenIOC contains definitions for
specific technical details including over 500 indicator terms. It is easy to add new items. A
VERIS is a framework to define and share an incident which was proposed by Verizon in 2010.
Its purpose is to provide a common language for describing security incidents in a structured and
repeatable manner. VERIS is used to collect, classify, analyze, compare, and share information
security incident data. There are five sections in the VERIS schema: Incident tracking, Victim
demographics, Incident description, Discovery & response, and Impact assessment. There are
multiple elements (with specific data types and variable names) in each section.
OTX was created by AlienVault for sharing threat data in 2012. OTX is open to the global
automates the process of updating your security infrastructure with threat data. To collect cyber
CIF, introduced by the Research and Education Network Information Sharing and Analysis
Center (REN-ISAC) in 2009, is a client/server system for sharing threat intelligence data.
It uses information for identification (incident response), detection (IDS) and mitigation (null
route). CIF data contains information on the type of threat, severity of an attack, and the
confidence of the data. It also has data labeling and access control features.
G. MITRE Standards
MITRE has developed some standards for the different needs of cyber threat intelligence
management systems.
properties that are noticeable in all framework and network operations. It provides over
70 defined objects that can be used to define measurable events or stateful properties.
defining threat information including threat details with the context of the threat, which
was first presented in 2012. Its use cases include Analyzing Cyber Threats, Specifying
Indicator Patterns for Cyber Threats, Managing Cyber Threat Prevention and Response
(shown in figure 5), tying together a diverse set of cyber threat information along with:
i. Cyber Observables (e.g., a registry key is created, network traffic occurs to specific IP
iv. Adversary Tactics, Techniques, and Procedures (including attack patterns, malware,
vii. Cyber Attack Campaigns (sets of Incidents and/or TTPs with a shared intent).
Intrusion detection systems (IDSs) can be defined as a vital part of a complete defense-in-depth
architecture for computer network security. An IDS is an effective security technology, which can
detect, prevent and possibly react to an attack (Bace and Mell, 2001). Target sources of
activities are monitored by this technology, and audit data are collected and inspected in search
of evidence of intrusive behaviors. The IDS raises an alarm on detection of a suspicious or
malicious attempt, and notifies the network administrator using the alarm for effective and
prompt response. The main objective of an IDS is to detect all intrusions in an efficient manner.
IDSs can be classified based on different points of view such as detection approach, targets,
In the classification based on detection method, there are two types of IDS: anomaly and misuse
(signature) based detection. In anomaly detection, the IDS tries to determine whether
deviation from the established normal usage patterns can be flagged as intrusions, while
misuse detection uses patterns of well-known attacks or weak spots of the system to identify
The second classification is based on the source of information, which classifies an IDS as either
host- or network-based. A host-based IDS (HIDS) analyzes events such as process identifiers and
system calls, mainly related to OS information, while a network-based IDS (NIDS) analyzes
network-related events: traffic volume, IP addresses, service ports, protocol usage, etc. (Teodoro
et al, 2009).
Even though IDS solutions have been used for about twenty years, an important problem is still
not fully addressed: the lack of a system that can differentiate between fake
and real threat alerts. For example, a single IDS sensor can generate tens of thousands of alerts
in a day, which might overwhelm the data analyst. Inspecting thousands of alerts per day is
infeasible, especially if 99% of them are false alerts. False alerts, also known as false positives,
occur when a legitimate activity has been mistakenly classified as malicious by the IDS. The vast
imbalance between the actual and false alarms generated has undoubtedly undermined the
Regardless of the fact that anomaly-based IDSs produce more false positives than misuse-
based IDSs, false positives are inevitable in all types of IDS. This has led to increased
research in the field of false positive reduction techniques, and research on IDSs has focused
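To make the anomaly-versus-misuse distinction and the false alarm problem concrete, here is an added illustration (not code from the thesis): a signature matcher and a z-score anomaly profile run over constructed audit records, with each detector's detection rate and false alarm rate counted. The baseline records, the inspected records, the signatures and the 3-sigma threshold are all assumptions made for the illustration.

```python
"""Misuse (signature) detection beside anomaly detection, run over constructed
audit records, with the detection rate and false alarm rate of each counted.

Added example, not from the thesis. Every record, signature and threshold
below is constructed for illustration.
"""
import re
from statistics import mean, pstdev

# Constructed history of normal traffic: the anomaly detector builds its
# profile of "established normal usage" from these records only.
BASELINE = [
    {"bytes": 1000, "conns": 3}, {"bytes": 1200, "conns": 4},
    {"bytes": 1500, "conns": 2}, {"bytes": 900, "conns": 5},
    {"bytes": 2000, "conns": 3}, {"bytes": 1100, "conns": 4},
    {"bytes": 1300, "conns": 3}, {"bytes": 1400, "conns": 4},
]

# Constructed audit records to inspect. "label" is the analyst's ground truth
# (1 = intrusive, 0 = legitimate) and is used only to score the detectors.
RECORDS = [
    {"bytes": 1200, "conns": 3, "payload": "GET /index.html", "label": 0},
    {"bytes": 8000, "conns": 5, "payload": "POST /upload", "label": 0},
    {"bytes": 900, "conns": 2, "payload": "GET /login", "label": 0},
    {"bytes": 1500, "conns": 4, "payload": "GET /about", "label": 0},
    {"bytes": 45000, "conns": 4, "payload": "GET /report.pdf", "label": 0},  # big legitimate download
    {"bytes": 1100, "conns": 3, "payload": "GET /item?id=1' OR '1'='1", "label": 1},  # known pattern
    {"bytes": 1300, "conns": 3, "payload": "GET /search?q=<script>alert(1)</script>", "label": 1},
    {"bytes": 700, "conns": 400, "payload": "", "label": 1},  # connection flood, no signature for it
]

# Misuse detection: patterns of well-known attacks, matched against the payload.
SIGNATURES = {
    "sqli-tautology": re.compile(r"'\s*or\s*'1'\s*=\s*'1", re.IGNORECASE),
    "xss-script-tag": re.compile(r"<script", re.IGNORECASE),
    "path-traversal": re.compile(r"\.\./"),
}


def misuse_detect(record):
    """Return the name of the first matching signature, or None when none matches."""
    for name, pattern in SIGNATURES.items():
        if pattern.search(record["payload"]):
            return name
    return None


class AnomalyProfile:
    """Anomaly detection: flag a record whose numeric features deviate from the baseline."""

    def __init__(self, normal_records, features=("bytes", "conns"), z_threshold=3.0):
        self.z_threshold = z_threshold
        self.stats = {}
        for feature in features:
            values = [r[feature] for r in normal_records]
            self.stats[feature] = (mean(values), pstdev(values))

    def score(self, record):
        """Largest z-score of the record's features against the normal profile."""
        worst = 0.0
        for feature, (mu, sigma) in self.stats.items():
            deviation = abs(record[feature] - mu)
            if sigma == 0:
                # A feature with no spread in the baseline is anomalous on any change.
                z = float("inf") if deviation else 0.0
            else:
                z = deviation / sigma
            worst = max(worst, z)
        return worst

    def detect(self, record):
        return self.score(record) > self.z_threshold


def evaluate(records, alert_fn):
    """Confusion counts plus detection rate and false alarm rate for one detector."""
    counts = {"tp": 0, "fp": 0, "fn": 0, "tn": 0}
    for record in records:
        alerted = bool(alert_fn(record))
        if alerted:
            counts["tp" if record["label"] else "fp"] += 1
        else:
            counts["fn" if record["label"] else "tn"] += 1
    positives = counts["tp"] + counts["fn"]
    negatives = counts["fp"] + counts["tn"]
    counts["detection_rate"] = counts["tp"] / positives if positives else 0.0
    counts["false_alarm_rate"] = counts["fp"] / negatives if negatives else 0.0
    return counts


def compare_detectors(records=RECORDS, baseline=BASELINE):
    """Run both detectors over the same records and return their scores side by side."""
    profile = AnomalyProfile(baseline)
    return {"misuse": evaluate(records, misuse_detect),
            "anomaly": evaluate(records, profile.detect)}


if __name__ == "__main__":
    for name, result in compare_detectors().items():
        print(name, result)
```

On these records the signature detector raises no false alarm but misses the flood it has no pattern for, while the anomaly profile catches the flood yet flags two legitimate large transfers, which is the trade-off the text describes.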
Other identified issues of IDS are:
a. Deficient or incomplete data sets: Datasets play a vital role in the results of an intrusion
detection system. However, the currently used datasets are outdated and cannot be
b. Algorithms for detection: Lack of competent algorithms which can match all the cases in
a short time and match the terms efficiently. The algorithms also provide no rules for the
detection of new attacks to be identified from old attack patterns, thereby identifying only
old attacks.
c. Integration of multiple formats of data: the conventional IDS can only identify or detect a
single threat type at a time. There should be room for multiple formats which can detect
d. Platform dependencies: Most IDSs are platform dependent, which means that a particular
IDS can only be integrated into the particular platform for which it was built and not into
any other. This does not promote cross-platform adaptability and inter-application
interoperability.
e. Weak design: The design of the conventional IDS is not user friendly, which makes it
weak. It should have two parts: one core part which consists of the detection algorithm, and a
second part associated with pattern matching. This second part should be updatable
on the fly, i.e. an update should not affect the detection process of the system but only update the
other parts without touching the core part of the system. Thus every update should be added
f. Evaluation of IDS: The evaluation of the conventional IDS suffers from three major
drawbacks: Collecting script and victim software, Different requirements for testing
An IDS has many merits; some of them are briefly discussed here.
reliable source of information about distrustful or malicious network traffic. There are
few or no practical alternatives to an IDS that allow you to track network traffic in
depth.
ii. Defense: An IDS adds a layer of defense to your security profile, providing a useful
iii. Response capabilities: Though ID probably will be of limited use, you may want to
enable some of the response features of the IDS. For instance, it can be configured to
terminate a user session that violates policy. Obviously, you must consider the risks of
taking this step, since you may accidentally terminate a valid user session. However, in
iv. Tracking of virus propagation: When a virus first hits your network, an IDS can tell
network to infect other machines. This can be a great help in slowing or stopping a virus's
v. Evidence: A properly configured IDS can produce data that can form the basis for a civil
According to Myriam (2018), cyber-attacks can be sent to anybody at all, irrespective of
architecture or framework. This statement refers to the set of activities and measures, technical
and non-technical, which are intended to protect the 'real geography' of cyberspace and also the
devices, software, and the information they contain and communicate with, from all possible
Technology advances every day, and so do cybercriminals, as they are becoming more
sophisticated and getting ahead of current cybersecurity controls. In order to get ahead of
cybercriminals, experts have adopted the use of Artificial Intelligence (AI) to counter new cyber-
human thinking (Lidestri 2018). AI has several branches or subsets. AI-based techniques
include Machine Learning (ML) and Deep Learning. Machine Learning is a subset of AI that
teaches machines how to make decisions (Feizollah et al, 2013). Deep Learning (DL) is a type
handling humongous datasets. This allows its application in a large array of fields such as image
rendering, stock market prediction, and agriculture. DL improves areas of cybersecurity such as
intrusion detection and botnet detection due to the high processing power that it has to examine
Cybersecurity experts are using ML and DL to solve problems in the areas of Botnet Detection,
and Intrusion Detection and Prevention Systems (IDPS). However, the integration of AI-based
address to ensure cyber safety. AI may also impact technology consumers who are using devices
2.3.1 Machine Learning Algorithms for Threat Detection
Generally, there are six different machine learning algorithms that can be used to develop a
threat detection system or an intrusion detection system. However, two of them are outstanding
Before adopting any of the ML techniques, it is noteworthy that these algorithms differ in
approach and therefore require different types of data in order to exploit their full potential.
ANNs are networks of nodes which imitate the human brain. This technique is made up of processing nodes
which are connected to each other and to a hidden layer (Jean-Phillipe, 2018). This technique is
very useful for recognizing complex patterns which are difficult for humans to recognize. They
can also be used to recognize imprecise patterns. This technique improves data and network
security when applied to a threat detection framework. A typical example of its application is in
distinguishing legitimate connections from fake ones during a port scan by a cybercriminal
for open hotspots to tap. The ANN will trigger an alert due to its recognition of the connection
patterns. It is a proactive algorithm that stops the attack before it becomes successful. ANNs can
be used to detect several cyber threats from phishing, denial of service, insider threat, malware,
GA detects threats by learning from experience of previous anomalous behavior, just like the
human brain can detect danger in fire and avoid it because of the experience of ancestors. GA is
useful to detect common threats with common patterns. So, GA uses the previous patterns to
make decisions on new patterns that the system cannot recognize (Jean-Phillipe, 2018). Applying
this method to an ML-based threat detection system would improve the detection rates for new
anomalies. For example, if ransomware manages to penetrate the firewall, via email or another
vector, when it intends to spread and encrypt files, the ML-based IDPS using GA will detect it
and prevent the encryption of a large cluster of devices across the network.
Fig. 2: A Typical Neural Network Configuration (Source: Choi and Lee, 2018)
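As an added illustration of objectives ii and iii and of the ANN approach described above (not the thesis's Java implementation), the following Python sketch trains the simplest ANN, a single-node perceptron, on constructed historical threat patterns split 80/20, then scores it with precision, recall, F-score and accuracy. The four features, their scaling maxima, the records and their labels are all assumptions made for the illustration.

```python
"""A single-layer artificial neural network (perceptron) trained on constructed
historical threat patterns with an 80/20 train/test split, then scored with
precision, recall, F-score and accuracy.

Added example, not the thesis's Java implementation. The feature set, the
records and the scaling maxima are constructed for illustration.
"""
import random

# Constructed historical threat patterns, one per host and day:
# (failed_logins, distinct_ports_contacted, bytes_out_mb, off_hours, label)
# label 1 = threat pattern, 0 = benign pattern. The labels follow one linear
# rule, so a single perceptron can separate them.
HISTORY = [
    (0, 2, 5, 0, 0), (1, 3, 10, 0, 0), (0, 1, 5, 1, 0), (2, 2, 8, 0, 0), (0, 4, 20, 0, 0),
    (1, 1, 3, 1, 0), (0, 0, 0, 0, 0), (1, 1, 10, 1, 0), (0, 3, 15, 0, 0), (3, 0, 2, 0, 0),
    (8, 3, 5, 0, 1), (2, 30, 10, 0, 1), (1, 4, 80, 1, 1), (6, 10, 40, 1, 1), (10, 0, 0, 0, 1),
    (0, 45, 2, 0, 1), (0, 2, 90, 0, 1), (4, 6, 30, 1, 1), (5, 5, 10, 0, 1), (3, 8, 25, 1, 1),
]
# Assumed maxima used to scale each raw count into [0, 1].
SCALE = (10.0, 50.0, 100.0, 1.0)


def features(row):
    """Scale the four raw counts of a record into the [0, 1] inputs of the network."""
    return [value / limit for value, limit in zip(row[:4], SCALE)]


def split_dataset(rows, train_fraction=0.8, seed=7):
    """Shuffle deterministically and split into training and test sets (80/20 by default)."""
    shuffled = list(rows)
    random.Random(seed).shuffle(shuffled)
    cut = int(len(shuffled) * train_fraction)
    return shuffled[:cut], shuffled[cut:]


class Perceptron:
    """One processing node with a step activation: the simplest ANN."""

    def __init__(self, n_inputs, learning_rate=0.5):
        self.weights = [0.0] * n_inputs
        self.bias = 0.0
        self.lr = learning_rate

    def predict(self, x):
        activation = sum(w * xi for w, xi in zip(self.weights, x)) + self.bias
        return 1 if activation > 0 else 0

    def train(self, rows, max_epochs=2000):
        """Perceptron learning rule; stops at the first epoch with no misclassification.
        Returns the number of epochs used (max_epochs if it never converged)."""
        for epoch in range(1, max_epochs + 1):
            mistakes = 0
            for row in rows:
                x, y = features(row), row[4]
                delta = y - self.predict(x)  # +1: missed threat, -1: false alarm, 0: correct
                if delta:
                    mistakes += 1
                    self.weights = [w + self.lr * delta * xi for w, xi in zip(self.weights, x)]
                    self.bias += self.lr * delta
            if mistakes == 0:
                return epoch
        return max_epochs


def evaluate(model, rows):
    """Precision, recall, F-score and accuracy of the model on the given rows."""
    tp = fp = fn = tn = 0
    for row in rows:
        predicted, actual = model.predict(features(row)), row[4]
        if predicted and actual:
            tp += 1
        elif predicted:
            fp += 1
        elif actual:
            fn += 1
        else:
            tn += 1
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    f_score = 2 * precision * recall / (precision + recall) if precision + recall else 0.0
    accuracy = (tp + tn) / len(rows) if rows else 0.0
    return {"precision": precision, "recall": recall, "f_score": f_score, "accuracy": accuracy}


def run_experiment(seed=7):
    """Train on 80% of the history, evaluate on the held-out 20%."""
    train_rows, test_rows = split_dataset(HISTORY, seed=seed)
    model = Perceptron(n_inputs=4)
    epochs = model.train(train_rows)
    return {"epochs": epochs,
            "train": evaluate(model, train_rows),
            "test": evaluate(model, test_rows)}


if __name__ == "__main__":
    print(run_experiment())
```

Because the constructed labels are linearly separable, the perceptron convergence theorem guarantees that training stops with every training record classified correctly; the held-out score is what the 20% test in objective iii measures.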
Feeding supervised machine learning algorithms with a dataset which contains information about
what normal network traffic should look like provides a whitelist that the ML-based threat
detection system will use to detect threats. The ML-based threat detection system can make
Information systems (IS) involve a variety of information technologies (IT) such as computers,
software, databases, communication systems, the Internet, mobile devices and much more, to
perform specific tasks, interact with and inform various actors in different organizational or
social contexts. According to O’Brien and Marakas (2007), the applications of information
systems that are implemented in today’s business world can be classified in several different
ways. For example, several types of information systems can be classified as either
Fig.: The Roles of Different Types of IS in Business Organizations (Transaction Processing Systems)
i. Transaction processing systems (TPS)
These are the basic business systems that serve the operational level of the organization. A
transaction processing system is a computerized system that performs and records the daily
routine transactions necessary to the conduct of the business (Laudon and Laudon, 2006). At
the lowest level of the organizational hierarchy we find the transaction processing systems that
Process control systems monitor and control industrial or physical processes. Examples:
petroleum refining, power generation, and steel production systems. For example, a petroleum
continually and make instant (real-time) adjustments that control the refinery process
(O'Brien et al, 2007). A process control system comprises the whole range of: equipment,
Office automation systems are one of the most widely used types of information systems
that help managers control the flow of information in organizations. Enterprise
collaboration systems (office automation systems) enhance team and workgroup
communications and productivity. Office automation systems are another type of information
system which is not specific to any one level in the organization but provides important support for a
broad range of users. Office information systems are designed to support office tasks with
information technology. Voice mail, multimedia systems, electronic mail, video conferencing, file
transfer, and even group decisions can be achieved by office information systems.
A Decision Support System is a computer-based system intended for use by a particular
in the process of solving a semi-structured decision. According to Heidarkhani, et al. (2009),
Decision Support Systems are a kind of computerized organizational information system that
helps managers in decision making that needs modeling, formulation, calculating, comparing,
DSS are specifically designed to help management make decisions in situations where
there is uncertainty about the possible outcomes of those decisions. According to Shim
managers in making many complex decisions, such as decisions needed to solve poorly
v. Expert Systems
Expert systems are the category of AI which has been used most successfully in building
commercial applications. According to O'Brien and Marakas (2007), expert systems are
knowledge-based systems that provide expert advice and act as expert consultants to users.
emulate human reasoning. According to Shim (2001), an Expert System is a set of computer
Knowledge Management Systems
2.5. Related Work
Sadotra and Sharma (2016) presented a review on integrated intrusion detection systems in cyber
security. They surveyed the current state of the art on the algorithms which have been deployed
for the detection of anomalies and intrusions in cyberspace. The surveyed algorithms were
Support Vector Machines (SVMs), NSL-KDD, IDS system and HYBRITQ-4 (J48, Boyer Moore,
KNN). However, they could not implement an intrusion detection system to handle the
Yogitha and Kalyani (2013) proposed an intrusion detection system using Support Vector Machine
(SVM). The NSL-KDD Cup'99 data set, which is an improved version of the KDD Cup'99 data set, was used
for experimental verification. The use of this algorithm made data preprocessing simpler, which
resulted in a reduction in the time required for building the SVM. Classification was done using SVM.
They reduced false positive and increased attack detection rate by performing proper kernel
selection using Gaussian Radial Basis. However, this system is ambiguous and will consume
They described basic concepts of network intrusion detection system, components and types of
attacks. They identified the three types of IDS as data source, analysis engine and response
manager. An overview of genetic algorithm was also provided in the study. The genetic
algorithm was used to randomly select the input (chromosome) and calculate the fitness value for
each generated initial chromosome. The iteration performed operations such as sorting, selection,
crossover, mutation and finally calculates the fitness value for chromosome. However, this
model is not intelligent and cannot be used for intrusion attack detection.
Venkatesan, et al. (2012) presented a survey on intrusion detection using data mining techniques.
The anomaly detection system was described in two phases, training and testing. They adopted
clustering and sliding window for monitoring the network traffic by mining the frequent patterns
using algorithms. The algorithms were used in real time monitoring. The frequent multi-pattern
capturing algorithm recorded high detection rate. They evaluated the percentage for detection
rate and false alarm rate. However, they did not discuss the performance evaluation of their
Haider et al (2021) proposed a real-time sequential deep extreme learning machine cyber security intrusion detection system. The model was used to determine the rating of security aspects contributing to their significance. An investigation was carried out on the viability of the proposed framework by evaluating the dataset and calculating the accuracy parameters for validation. The results showed that the framework outperformed other conventional algorithms and therefore had practical significance. However, this model is not robust and cannot be used for the
Sarker et al (2020) proposed IntruDTree, a machine learning based cyber security intrusion detection model. The model analyzes the ranking of security features by level of importance and then builds a tree-based generalized intrusion detection system using the selected dimensions. The dataset was evaluated by computing precision, recall, F-score, accuracy and ROC values. The result of the evaluation was compared with other conventional machine learning algorithms such as SVM. However, this model cannot be incorporated into an information system.
Ghafir et al (2018) presented a study on defending against the advanced persistent threat by detection of disguised executable files. The study was aimed at detecting disguised exe files transferred over a connection. The detection was primarily carried out by comparing the MIME type of the file with the file name extension. The module was simulated and evaluated, and the results demonstrated successful detection of disguised files. However, this study has a
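The content-type-versus-extension comparison described above, as an added example that is not part of the reviewed study or of this project: the signature table, the extension policy and the sample transfers are constructed here, and a real deployment would take the leading bytes from the captured file.

```python
from dataclasses import dataclass
from typing import Optional

# Leading-byte signatures of the file types we recognise (well-known magic values).
MAGIC = {
    "exe": b"MZ",                   # Windows PE / DOS executable
    "pdf": b"%PDF-",
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "zip": b"PK\x03\x04",
}

# Policy (constructed for this example): which sniffed types a file-name
# extension may legitimately carry; docx is a zip container, dll is PE.
ALLOWED_FOR_EXT = {
    "exe": {"exe"}, "dll": {"exe"}, "pdf": {"pdf"}, "png": {"png"},
    "jpg": {"jpg"}, "jpeg": {"jpg"}, "zip": {"zip"}, "docx": {"zip"},
}
EXECUTABLE_TYPES = {"exe"}


def sniff_type(head: bytes) -> Optional[str]:
    """Content type implied by the file's leading bytes, or None if unknown."""
    for kind, signature in MAGIC.items():
        if head.startswith(signature):
            return kind
    return None


def extension_of(name: str) -> str:
    """Lower-cased file-name extension, '' when there is none."""
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


@dataclass
class Verdict:
    name: str
    claimed_ext: str
    sniffed: Optional[str]
    mismatch: bool              # sniffed type is not allowed for the extension
    disguised_executable: bool  # executable content under a non-executable name


def inspect_transfer(name: str, head: bytes) -> Verdict:
    """Compare what the content is with what the name claims it is.
    Unknown content (no matching signature) is not treated as a mismatch, so the
    check reports only disagreements it can prove from the bytes."""
    ext = extension_of(name)
    sniffed = sniff_type(head)
    allowed = ALLOWED_FOR_EXT.get(ext, set())
    mismatch = sniffed is not None and sniffed not in allowed
    disguised = mismatch and sniffed in EXECUTABLE_TYPES
    return Verdict(name, ext, sniffed, mismatch, disguised)


# Constructed sample transfers: (file name, first bytes of the file body).
SAMPLE_TRANSFERS = [
    ("invoice.pdf", b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n"),
    ("report.pdf", b"MZ\x90\x00\x03\x00\x00\x00\x04\x00"),   # PE bytes named as a PDF
    ("photo.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF"),
    ("setup.exe", b"MZ\x90\x00\x03\x00\x00\x00"),
    ("notes.txt", b"meeting at 10\n"),                        # no known signature
    ("archive.zip", b"%PDF-1.4\n"),                           # wrong type, not executable
]


def scan_transfers(transfers):
    """Return a name -> Verdict map for a batch of captured transfers."""
    return {name: inspect_transfer(name, head) for name, head in transfers}


if __name__ == "__main__":
    for verdict in scan_transfers(SAMPLE_TRANSFERS).values():
        flag = "DISGUISED EXECUTABLE" if verdict.disguised_executable else (
            "mismatch" if verdict.mismatch else "ok")
        print(f"{verdict.name:12} claimed={verdict.claimed_ext:4} "
              f"sniffed={verdict.sniffed} -> {flag}")
```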
persistent threat. Machine learning algorithms were the basis of the model. They analyzed the legitimate traffic of normal users and extracted data such as CPU usage, memory usage, open ports and the number of files in the system32 folder. They injected a piece of malware, which had previously been used for the APT attack, into the network and the four features were extracted. The detection model was trained by applying different machine learning algorithms on the dataset of benign and malicious features. However, they did not evaluate the system to ascertain its practical significance.
advanced persistent threat (APT). This approach was dependent on mathematical and computational analysis to filter spam emails. Tokens, defined as groups of words and characters such as (click here, free, Viagra, replica), were specified for the detection algorithm to separate legitimate from spam emails. However, the system could only be used for email-spam
Khraisat et al (2019) presented a survey of intrusion detection systems, their techniques, datasets and challenges. The taxonomy of recent intrusion detection systems was surveyed in the study, and the datasets commonly used for implementation were also analyzed. The techniques adopted by attackers to perpetrate intrusions were identified and discussed. The researchers finally discussed future directions that could be used to make computer systems more secure and block out malicious attacks. However, they could not
Gamachchi et al (2017) proposed a graph-based framework for malicious insider threat detection. The proposed model was a hybrid framework based on anomaly detection and graphical analysis processes. Heterogeneous data was analyzed to isolate malicious users who were hiding behind others. The result of the study showed that the framework could be used to differentiate the majority of users who show typical behaviours from the minority of users who demonstrate suspicious behaviours. However, this framework cannot be used to detect
Nance and Marty (2011) proposed a study on identifying and visualizing the malicious insider threat using bipartite graphs. They introduced the use of bipartite graphs for identifying and visualizing insider threats. They tried to establish acceptable insider behavior patterns based on workgroup role classifications. Although this approach was quite useful for detecting certain insider threats, it has the limitation of a high false positive rate.
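An added example (not from Nance and Marty's work or from this project) of the bipartite-graph idea: users and resources form the two vertex sets, a role's acceptable pattern is the set of resources its members touch, and an edge that no same-role peer shares is flagged. The access log and role table are constructed.

```python
from collections import defaultdict

# Constructed access log: each (user, resource) pair is one edge of the
# user-resource bipartite graph; ROLES is the workgroup classification.
ACCESS_EDGES = [
    ("alice", "crm"), ("alice", "mail"), ("alice", "wiki"),
    ("bob", "crm"), ("bob", "mail"),
    ("carol", "crm"), ("carol", "wiki"), ("carol", "payroll-db"),
    ("dave", "payroll-db"), ("dave", "hr-files"), ("dave", "mail"),
    ("erin", "payroll-db"), ("erin", "hr-files"),
]
ROLES = {"alice": "sales", "bob": "sales", "carol": "sales",
         "dave": "hr", "erin": "hr"}


def build_bipartite(edges):
    """Adjacency in both directions: user -> resources and resource -> users."""
    user_to_res, res_to_user = defaultdict(set), defaultdict(set)
    for user, resource in edges:
        user_to_res[user].add(resource)
        res_to_user[resource].add(user)
    return user_to_res, res_to_user


def role_profiles(edges, roles):
    """Acceptable pattern per role: the union of resources its members use."""
    profiles = defaultdict(set)
    for user, resource in edges:
        profiles[roles[user]].add(resource)
    return dict(profiles)


def flag_outliers(edges, roles, min_peers=1):
    """Edges (user, resource, peer_count) where fewer than `min_peers` other
    members of the user's role touch the same resource."""
    user_to_res, res_to_user = build_bipartite(edges)
    flagged = []
    for user in sorted(user_to_res):
        for resource in sorted(user_to_res[user]):
            peers = [p for p in res_to_user[resource]
                     if p != user and roles.get(p) == roles.get(user)]
            if len(peers) < min_peers:
                flagged.append((user, resource, len(peers)))
    return flagged


if __name__ == "__main__":
    for user, resource, peers in flag_outliers(ACCESS_EDGES, ROLES):
        print(f"{user} -> {resource}: {peers} same-role peers share it")
```

The "dave -> mail" flag shows the weakness the paragraph notes: a legitimate resource used by only one member of a small role is indistinguishable from misuse under this rule, which is where the high false positive rate comes from.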
Kumar et al (2017) proposed practical machine learning for cloud intrusion detection: challenges and the way forward. They described the difficulties in developing an intrusion detection system for the cloud. They proposed that a hybrid approach would yield better results and demonstrated how the combinations can be carried out in the form of filters, features or even a single machine learning unit. They defined approaches for collecting high-quality evaluation data using other security products or red teams (recommended) and for growing the dataset using SMOTE or possibly GANs. For the way forward, they shared a framework for disrupting attacks. However, this
Chaudhari and Patil (2017) proposed intrusion detection systems: classification, techniques and datasets to implement. They presented the classification of IDS, different data mining approaches and datasets for the effective detection of patterns of both malicious and normal activities in a network, which would help to develop a secure information system. They also provided a short study of various datasets that are useful for an intrusion detection system.
Govindarajan et al. (2009) proposed intrusion detection using k-Nearest Neighbour (k-NN). They presented a novel k-nearest neighbour classifier which was applied to an intrusion detection system, and the system performance was evaluated in terms of run time and error rate on normal and malicious datasets. The results demonstrated that the new classifier is more accurate than the existing k-nearest neighbour classifier. However, the system required a regular update of the rules which were used.
Mohammadreza et al. (2010) proposed intrusion detection using data mining techniques. Support Vector Machine and classification tree data mining techniques were used for intrusion detection in a network. They compared C4.5 and Support Vector Machine experimentally and found that the C4.5 algorithm had better performance in terms of detection rate and false alarm rate than SVM, but for U2R attacks SVM performed better. However, the system presented no difference
Denatious and John (2012) proposed a survey on data mining techniques to enhance intrusion detection. They defined diverse data mining approaches useful for detecting intrusions. They also described the classification of intrusion detection systems and their working. It was discovered that clustering was more suitable than classification for large amounts of network traffic in the domain of intrusion detection, because an enormous amount of data needs to be collected to use classification. However, the system recorded a low detection rate and a high false alarm rate.
Amudha and Rauf (2011) presented a performance analysis of data mining approaches in intrusion detection. They observed that Random Forest gave better detection rate, accuracy and false alarm rate for Probe and DoS attacks, and Naive Bayes Tree gave better performance in the case of U2R and R2L attacks. It was also observed that the execution time of Naive Bayes Tree was higher than that of the other classifiers. However, the result cannot be generalized and therefore cannot be
Naidu and Avadhani (2012) proposed a comparison of data mining techniques for intrusion detection. They utilized three data mining algorithms, SVM, Ripper rule and the C5.0 tree, for intrusion detection and also compared their efficiency. Their results demonstrated that the C5.0 decision tree was more efficient than the others. All three data mining techniques gave a decision higher than 96%. However, this model cannot be applied in evaluating other machine learning techniques.
Chitrakar and Chuanhe (2012) proposed anomaly-based intrusion detection using a hybrid learning approach that combines k-Medoids clustering with Naïve Bayes classification. They observed from the results that the hybrid method outperformed the K-Means clustering technique followed by Naïve Bayes classification. They also observed that time complexity increases as the number of data points increases. However, the model recorded false classification errors due to
Chitrakar and Chuanhe (2012) proposed anomaly detection using support vector machine classification with the k-Medoids clustering technique. The proposed hybrid model produced better results and demonstrated enhancement in both accuracy and detection rate while reducing the false alarm rate, as compared to the k-Medoids clustering approach followed by Naïve Bayes classification. However, they could not implement a threat detection system for an information system.
Chuque (2020) proposed a digital threat detection model to mitigate cybersecurity risks in
Cybersecurity index. Their results established that there is a relationship between the variables Model of Detection of Digital Threats and Cybersecurity Risks in Organizations. However, they
Niyaz et al (2015) proposed a deep learning approach for a network intrusion detection system. They adopted Self-taught Learning (STL), a deep learning based technique, on NSL-KDD, a benchmark dataset for network intrusion. They presented the performance of their technique and compared it with a few previous works. Compared metrics included accuracy, precision, recall and f-measure values. However, this model cannot be applied in an information system.
Ferrag et al (2020) presented deep learning for cyber security intrusion detection: approaches, datasets and comparative study. They provided a review of intrusion detection systems based on deep learning approaches. They described 35 well-known cyber datasets and provided a classification of these datasets into seven categories, namely network traffic-based datasets,
datasets, Android apps-based datasets, IoT traffic-based datasets and internet-connected devices-based datasets. Seven deep learning models, including recurrent neural networks, deep neural networks, restricted Boltzmann machines, deep belief networks, convolutional neural networks, deep Boltzmann machines and deep autoencoders, were analyzed. For each model, the performance was studied in two categories of classification (binary and multiclass) under two new real traffic datasets, namely the CSE-CIC-IDS2018 dataset and the Bot-IoT dataset. However, they could not implement an intrusion detection system using their findings.
Hodo et al (2017) presented a taxonomy and survey of shallow and deep network intrusion
specifically in anomaly detection. They assessed the performance efficiency of feature selection in ML for IDS. They proposed that the convolutional neural network (CNN) classifier is an underused classifier and could have provided massive improvements in cyber security if it were used to its full potential. However, they could not develop an intrusion detection system to
Ford and Siraj (2014) proposed applications of machine learning in cyber security. They analyzed the applications of machine learning techniques in the protection of cyberspace from
techniques were depicted. The work concluded that although machine learning techniques were expanding the ways to protect cyberspace against cybercriminals, an immense number of advancements is still needed to protect the classifiers from adversarial attacks.
Table: Summary of the reviewed intrusion and threat detection studies (columns: S/N, Author, Title, Summary, Drawbacks). Rows recoverable from the table: 2 Yogitha and Kalyani (2013); 3 Chandrakar; 4 Venkatesan et al. (2012); 5 Haider et al. (2021); 6 Sarker et al.; 7 Ghafir et al. (2018); 8 Chandran et al. (2015); 9 Chandra et al.; 10 Khraisat et al.; 11 Gamachchi; 12 Nance and Marty; 13 Kumar et al. (2017); 14 Chaudhari and Patil; 15 Govindarajan et al. (2009); 16 Mohammadreza et al. (2010); 17 Denatious and John (2012); 18 Amudha and Rauf (2011); 19 Naidu and Avadhani (2012); 20 Chitrakar and Chuanhe; 21 Chitrakar; 22 Chuque (2020); 23 Niyaz et al. (2015); 24 Ferrag et al.; 25 Hodo et al.; 26 Ford and Siraj (2014). The Summary and Drawbacks columns restate the review paragraphs above.
While reviewing several related works on threat intelligence, IDS, cyber-attacks and the application of AI in solving these prevailing issues, we developed a keen interest in the work carried out by Haider et al (2020). They proposed a real-time sequential deep extreme learning machine cyber security intrusion detection system. Their proposed model was used to initially determine the rating of security aspects contributing to their significance and then it was later
characteristics. The authors did a good job as their model performed efficiently when evaluated using their defined parameters. However, the dataset used in the research was too scanty to produce a result that can be generalized. Secondly, their adopted algorithm (RTS-DELM-CSIDS) was based on an unsupervised learning technique and is therefore not suitable for the recognition of complex patterns such as threat patterns, as it does not map to a target output. We hope to improve on the work carried out by these authors by applying ANN on an improved
CHAPTER THREE
3.1 Methodology
Agile methodology was adopted in this approach. The agile methodology is an iterative and incremental development approach in which requirements are changeable depending on the needs of the customer. The Agile method helps in adaptive planning, time boxing and development in an
interactions throughout the development cycle. The Agile method follows the same processes that are outlined in the SDLC, such as requirements gathering, analysis, design, coding and testing, and delivers a prototype of the design to the client while waiting for his/her response before delivering the complete software, which will contain the user’s modified corrections and requirements.
The Agile methodology is iterative and therefore allows for necessary adjustments until the user requirements are all met; this makes it people oriented. Using the agile model helps to save development cost, as the whole project is broken into less expensive modules which can be executed with minimal cost; this is called parsimony. The methodology is adaptive and convergent and handles design risks using the best tools in software development. This methodology is regarded as one of the best models of the Software Development Life Cycle (SDLC).
The existing system was developed by Haider et al (2020). They proposed the RTS-DELM-CSIDS framework, which uses an innovative strategy to mitigate the number of fake alerts over time. The existing system achieved this by accessing human expert feedback and modifying the learning model based on that information. Using this approach, they reduced the risk of repeated false alerts with identical data. In the training process, information labelling was skipped because the percentage of traffic segments was the only necessary prior information. However, the existing approach supported identifying the correct labels for unlabeled details. It also suggested adjustments in instances where conventional approaches classified the training samples through human experts. The existing IDS offered a scheme for simplifying the assessment of human safety experts’ decisions. Accordingly, the framework could identify
the program was able to spot human mistakes while marking the data and to propose corrections. Moreover, the framework could identify new traffic segments using a scoring scheme. The existing model provided a rapidly updating framework which could identify the adaptability dilemma of existing approaches. One use of this framework was to upgrade the learning framework based on current information and novel forms of attack with minimal computational cost.
The components of the existing system are discussed briefly in this section.
i. Dataset: A publicly accessible intrusion dataset from Kaggle, which consists of two types of records, regular and attack, was used in the existing system. The dataset was NSL-KDD (a revamped version of KDD 99, which has many improvements relative to the initial KDD 99 dataset). The NSL-KDD dataset consists of 41 features per record. The data collection layer used the collected sensor data as inputs.
ii. Data Processing: Various data cleanup processes and inspection methods are applied in the preprocessing layer to remove irregularities from the actual data. The
[Figure: architecture of the existing system; blocks: Internet, Real-time Dataset, RTS-DELM-CSIDS Detection, Evaluation Phase, Normal / Attack, Grant Access, Anomaly]
iii. RTS-DELM-CSIDS: The DELM mitigates numerous network builder problems, such as network security and connectivity concerns. Given that sending and processing data consumes 80 percent of the network’s energy, data reduction and feature extraction techniques could minimize processing and further prolong the network’s lifespan. The DELM framework adjusted the data compression performance threshold
iv. Training Dataset: The data were divided randomly into 70% training (103,962
were evaluated and several forms of activation functions were
The RTS-DELM-CSIDS was also evaluated to accurately predict the efficiency of this system. The output was
Detection System.
Grant Access
ELSE
Detect Anomaly
Step 9: Store Marked Attacks in Database.
Step 10: End
3.2.3. Disadvantages of the Existing System
i. The existing system makes use of an unsupervised learning algorithm, i.e. deep
ii. The algorithms used were weak and cannot be used to detect new threats except the
iii. The existing system lacked a good visualization model for demonstrating the results
iv. The existing system was not user friendly and it also had an ambiguous design.
The proposed system is an enhancement of the existing system analyzed above. The first improvement in the proposed model is in terms of the dataset used for building the model. We have adopted the UNSW-NB15 dataset. The dataset contains nine types of threat, such as Backdoor, Denial of Service (DoS), Reconnaissance, Shellcode, Worms, Fuzzers, Analysis and Generic threats. The dataset contains 49 features, which were derived from the implementation of twelve algorithms via the Argus and Bro-IDS tools. The total number of records in the dataset is 2,540,044, stored in 4 CSV files. After data cleaning, in which redundant and empty records were deleted, the dataset was split into a training set (80%) and a test set (20%). The training set contains 175,341 records and the test set contains 82,332 records.
The ANN, which is the most efficient technique for recognizing complex and imprecise patterns that are difficult for humans to recognize, was adopted for training on the dataset.
[Figure: architecture of the proposed system; blocks: Improved Threat Dataset, Data Acquisition Layer, Feed Forward Neural Network, Training Dataset, Information System, Classification of Threat Patterns, Grant Access, Initiate Threat Alert Protocol]
The Feed-Forward Neural Network, which is the purest form of ANN, was applied to the dataset using a defined number of epochs. The ANN technique improves data and network security when applied to a threat detection framework. The threat patterns are used to train the model and are mapped to target outputs. ANN is also used to classify the recognized threat as an insider or external threat. ANN also differentiates between normal requests and threats which are sent
The information system used in this study is a transaction management system (e-banking system). The threat detection system is integrated into the information system for identification
i. Datasets: We adopted the UNSW-NB15 dataset. The dataset contains nine types of
ii. ANN Intelligent Model: the model was trained on the dataset for detection of new and old threats from threat patterns. The algorithm was also used for classification and to define a set of rules for initiating an alert and blockage protocol for handling the detected threat.
Where TDM = threat detection model
Step 9: Differentiate Attack Outputs
IF Output = Normal Request
THEN
Grant Access
ELSE
Detect Threat
Step 10: Initiate threat alert protocol
Alert Message = type of threat + New/Old threat
Step 11: Block threat = threat block protocol
Step 12: If Threat = New
Then
Update Threat dataset
Step 13: End
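An added example, not the project's own Java implementation, that follows the architecture of Section 3.3 and Steps 9 to 13 above in Python: a one-hidden-layer feed-forward network trained from scratch on constructed feature vectors (two UNSW-NB15-style features scaled to [0, 1]), then the differentiate, alert, block and update-threat-dataset steps applied to incoming requests. The feature values, the threat dataset contents and the epoch and learning-rate settings are assumptions.

```python
import math
import random

# Constructed training records in the style of two UNSW-NB15 flow features
# (dur = flow duration, sbytes = source-to-destination bytes), min-max scaled to
# [0, 1]; label 1 = threat, 0 = normal. Category names follow the dataset's attack_cat.
TRAIN = [  # (features, label, attack category)
    ([0.10, 0.10], 0, "Normal"), ([0.20, 0.30], 0, "Normal"),
    ([0.30, 0.10], 0, "Normal"), ([0.05, 0.40], 0, "Normal"),
    ([0.90, 0.80], 1, "DoS"),    ([0.70, 0.60], 1, "Fuzzers"),
    ([0.60, 0.90], 1, "Worms"),  ([0.95, 0.20], 1, "Reconnaissance"),
]

def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))

class FeedForwardNN:
    """One sigmoid hidden layer, one sigmoid output; full-batch gradient descent on BCE."""
    def __init__(self, n_in, n_hidden, seed=7):
        rnd = random.Random(seed)   # fixed seed so the run is reproducible
        self.w1 = [[rnd.uniform(-1, 1) for _ in range(n_in)] for _ in range(n_hidden)]
        self.b1 = [0.0] * n_hidden
        self.w2 = [rnd.uniform(-1, 1) for _ in range(n_hidden)]
        self.b2 = 0.0

    def forward(self, x):
        hidden = [sigmoid(sum(w * xi for w, xi in zip(row, x)) + b)
                  for row, b in zip(self.w1, self.b1)]
        out = sigmoid(sum(w * h for w, h in zip(self.w2, hidden)) + self.b2)
        return hidden, out

    def loss(self, data):
        total = 0.0
        for x, y, _ in data:
            p = min(max(self.forward(x)[1], 1e-12), 1 - 1e-12)
            total -= y * math.log(p) + (1 - y) * math.log(1 - p)
        return total / len(data)

    def train(self, data, epochs=3000, lr=1.0):
        n = len(data)
        for _ in range(epochs):
            gw1 = [[0.0] * len(r) for r in self.w1]
            gb1, gw2, gb2 = [0.0] * len(self.b1), [0.0] * len(self.w2), 0.0
            for x, y, _ in data:
                hidden, out = self.forward(x)
                d_out = out - y                                # dL/dz at the output
                for j, h in enumerate(hidden):
                    gw2[j] += d_out * h
                    d_h = d_out * self.w2[j] * h * (1 - h)     # back-propagated error
                    gb1[j] += d_h
                    for i, xi in enumerate(x):
                        gw1[j][i] += d_h * xi
                gb2 += d_out
            for j in range(len(self.w2)):                      # apply mean gradients
                self.w2[j] -= lr * gw2[j] / n
                self.b1[j] -= lr * gb1[j] / n
                for i in range(len(self.w1[j])):
                    self.w1[j][i] -= lr * gw1[j][i] / n
            self.b2 -= lr * gb2 / n

    def predict(self, x):
        return 1 if self.forward(x)[1] >= 0.5 else 0

def accuracy(model, data):
    return sum(model.predict(x) == y for x, y, _ in data) / len(data)

def train_model():
    """Train on TRAIN and return (model, loss before training, loss after)."""
    model = FeedForwardNN(n_in=2, n_hidden=4)
    before = model.loss(TRAIN)
    model.train(TRAIN)
    return model, before, model.loss(TRAIN)

def handle_request(model, x, threat_dataset):
    """Steps 9 to 13 for one request. `threat_dataset` maps a known threat pattern
    (feature tuple) to its category and is updated when a new threat is detected."""
    if model.predict(x) == 0:                                  # Step 9: normal request
        return {"decision": "Grant Access"}
    key = tuple(x)
    is_new = key not in threat_dataset
    category = threat_dataset.get(key, "Unknown")
    if is_new:
        threat_dataset[key] = category                         # Step 12: update dataset
    return {"decision": "Detect Threat",
            "alert": f"{category} + {'New' if is_new else 'Old'} threat",  # Step 10
            "blocked": True}                                   # Step 11: block protocol
```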
i. The proposed system makes use of a supervised learning algorithm, i.e. ANN, which
ii. The algorithm used is very efficient and can recognize even imprecise patterns from large datasets. The model can also identify new threats, whether insider or outsider threats.
iii. The proposed system has a good visualization model for demonstrating the results.
iv. The proposed system is user friendly and it also has a simple design.
3.3.4 Anatomy of the Proposed System

Component                                  | Coding | Type      | IDE      | Parts/Features
Intelligent Threat Detection Model         | Java   | Simulated | Netbeans | Training Model: Feed-Forward NN; Classifier: ANN; Detection System
Transaction Processing Information System  | Java   | Simulated | Netbeans | User Registration System; Financial Registration System; Threat Alert and Blockage system
3.4 Design Specifications of the Proposed System
This section illustrates the output specification, input specification and database design of the proposed system.
CONCLUSION
Threat detection is vital to the security of data within an information system. Vulnerabilities have been identified as the general cause of threats. However, there is no confirmed solution for handling vulnerabilities, as they are found even in very sophisticated architectures. This is why attention has shifted to the detection and blockage of threats that are sent to the IS. ANN has been applied to an improved threat dataset with over 2 million threat records, 9 different threat patterns and 49 attributes. The model will be used to detect threats sent to the information system and differentiate them from normal service requests. The proposed model will also fire a threat alert upon detection and then proceed to block the threat. This model outperforms previous threat detection systems because it is robust and user friendly, with a simple design and intelligent algorithms, and it also blocks threats, which is deficient in other threat detection systems.
REFERENCES
Nance, K. and Marty, R. (2011). Identifying and Visualizing the Malicious Insider Threat using Bipartite Graphs. 44th Hawaii International Conference on System Sciences. 1-9.
Niyaz, Q., Sun, W., Javaid, A. Y. and Alam, M. (2015). A Deep Learning Approach for Network Intrusion Detection System. BICT 2015. 1-6. DOI 10.4108/eai.3-12-2015.2262516
Sadotra, P. and Sharma, C. (2016). A Review on Integrated Intrusion Detection System in Cyber Security. International Journal of Computer Science and Mobile Computing. 5(9), 23-28.
Sarker, I. H., Abushark, Y. B., Alsolami, F. and Khan, A. I. (2020). IntruDTree: A machine learning based cyber security intrusion detection model. Symmetry. 12(754), 1-15.
Seker, E. (2019). Cyber threat intelligence understanding fundamentals. Research Gate Publication. 4, 2-11.
Teodoro, P.G., Verdejo, J.D., Fernandez, G.M. and Vazquez, E. (2009). Anomaly-based Network Intrusion Detection: techniques, systems and challenges. Computer Security. 1-10.
Tjhai, G.C., Furnell, S.M., Papadaki, M. and Clarke, N.L. (2010). A Preliminary two-stage alarm correlation and filtering system using SOM neural network and k-Means algorithm.
UcedaVelez, T. and Morana, M. (2015). Risk Centric Modeling process for attack simulation & threat analysis. 20-26.
Venkatesan, R., Ganesan, R. and Selvakumar, A.L. (2012). A Survey on Intrusion Detection using Data Mining Techniques. International Journal of Computers and Distributed Systems. 2(11).
Yogita, B.B. and Kalyani, C.W. (2013). Intrusion Detection System using Data Mining Technique: SVM. International Journal of Emerging Technology and Advanced Engineering. 3(3).