Threat Intelligence Model - Main1

CHAPTER ONE
INTRODUCTION
1.1. Background to the Study
Attacks on data architectures have increased considerably over the years as newer technologies
and architectures emerge. The chief cause of attacks is vulnerability of a system which was
identified and exploited. These attacks can also be referred to as threats or data intrusion. A
threat is a potential action or event which negatively impacts on a system by altering its normal
functionality or even crippling it to a level of non-functionality. A threat is usually initiated, it is
not an accidental occurrence. The after effect(s) of a threat (if not prevented) is usually chaotic
and harmful to data and the entire system (Seker, 2019).
Threats are initiated against system is various sectors such as banking, social networking, web-
based systems and other organizational systems which deal majorly with data especially big data.
The threats can be inform of viruses, phishing sites, hacking, malware threats (spyware, ransom
ware etc.), denial of service etc. The main aim of these is to corrupt, disrupt and steal data for
malicious use.
Threat intelligence is therefore very important in order to totally avert or reduce critically the
after effect of threats to the system. Threat intelligence also provides adequate information that
will be utilized for threat detection and handling both for present and future threats. This simply
implies that by knowing the nature of the threat, you can easily tackle it.
There are so many techniques of threat detection which have been proposed by researchers
however, the choice of a threat detection technique will be solely dependent on the nature of
threat which a particular system is prone to and also the performance of that technique in the
detection of previous threats of other systems. Also while making a choice of a detection
1
technique it is noteworthy that attackers have grown increasingly sophisticated and resistant to
threat detection architectures put up by researchers by cracking into these architectures and
introducing threats into them also. These attackers are able to evade very sophisticated tools and
systems such as intrusion detection systems and botnets which were supposed to protect the
system from their attack. This has posed serious problem to several organizations, data
consumers and even the research communities as the struggle continues for an intelligent threat
detection system which can both identify and block threats without any form of human
intervention.
Developing computational security models to analyze different threat incident patterns and
eventually identify the threats utilizing cyber security data can be used for building a data-driven
intelligent threat detection system for web-based information systems (Sarker et al, 2020).
1.2. Statement of the Problem
There is a process which must be followed for effective and accurate threat detection. However,
this process if often neglected by researchers and cyber security administrators who just jump
into development of intrusion detection system. The process is as follows: threat intelligence,
threat analysis or behavioural analytics, model development and finally threat/anomaly detection.
Negligence to this vital steps has led to a lot of failed threat detection systems. Other challenges
include lack of competent algorithms for the detection of new attacks, unrobust model which
cannot be integrated in multiple platforms/information systems, use of incomplete or outdated
datasets with weak threat patterns and use of poor parameters for evaluation of threat detection
system. We hope to tackle the problem of incompetent threat detection algorithm using improved
threat dataset, thereby making the system robust.
2
1.3. Aim and Objectives
The aim of this study is to develop enhanced intelligent threat detection model for data security
in information systems. The specific objectives are to:
i. Develop a model for threat identification, detection and blockage in an information
system using historical threat patterns and Artificial Neural Networks (ANNs).
ii. Train the proposed model using historical threat patterns. Training set will contain
80% of dataset.
iii. Test the model using 20% of the dataset to ascertain model efficiency.
iv. Implement the proposed threat detection model using Java Programming language
and MySQL as database.
v. Evaluate our proposed model’s results against the existing threat detection model.
1.4. Significance of the Study
The benefits of threat detection in an information system are enormous and cannot be
overemphasized. Without threats, data will be secure, available, be confidential and retain its
integrity within the information system. Threat detection reduces data breaches and breach
attempts and guarantees measurable improvement in the security of data and its environs. It also
enhances better data management by analysts and data administrators. Therefore, a threat
detection system could be beneficial to data consumers (financial institutions and their
customers), to organizations who manage data (especially big data), to web-based application
developers and users, to security administrators, to security analysts and to the research
community.
3
1.5. Scope of the Study
This study explores data security measures to curb threat on data architectures across various
sectors and organizations who use information systems. It covers areas such as: threat
intelligence gathering using historical threat datasets from public repositories, threat/anomaly
identification and analysis, threat modeling and threat detection using ANNs on Java platform.
1.6. Limitation of the Study
This study does not cover detection of threats on other platforms or architectures except
information systems.
1.7. Definition of Terms
In this section we will be defining the basic key terms related to our study:
i. Threat: A threat is a potential negative action or event facilitated by vulnerability
that results in unwanted impact on a system.
ii. Threat Intelligence: This can be defined as information about threats and threat
actors that initiate threats into the cyber space.
iii. Information System: This is a system that is designed to collect, process, store and
distribute data and information. It consist of tasks, people, structure and technology.
iv. Data Security: Data security means protecting digital data from destructive forces
and from unwanted users and actions.
4
v. Security Threat: These are software attacks, theft of intellectual property, identity
theft, sabotage and information extortion.
vi. Cyber security: This is the protection of computer systems and networks from
information disclosure, theft or damage.
vii. Data Breach: A data breach is the intentional or unintentional release of secure or
private/confidential information to an untrusted environment. It is also called
unintentional information disclosure, data leak, information leakage and also data
spill
viii. Malware: Malware is any software intentionally designed to cause damage to a
computer, server, client, or computer network. Types of malware include computer
viruses, worms, Trojan horses, ransomware, spyware, adware, rogue software, wiper
and scareware.
ix. Intrusion Detection System: An intrusion detection system is a device or software
application that monitors a network or systems for malicious activity or policy
violations
x. Big Data: This is an extremely large data sets that may be analyzed computationally
to reveal patterns, trends, and associations, especially relating to human behaviour
and interactions.
5
CHAPTER TWO
LITERATURE REVIEW
2.1 Threat Intelligence: An Overview
Several definitions of threats have been provided by researchers and research communities over
the years however, just a few of them truly captures and expresses the key components in the
meaning of the word.
According to ISO 27005 (2008), a threat can be defined as a potential cause of an incident that
may result in harm of systems and organization. This definition captures the cause and effect of
the word and expresses in with regards to personal and organizational effect of threat.
Another definition was given by ENISA (2017). They defined threat as any circumstance or
event with the potential to adversely impact an asset (i.e. anything that has value to the
organization, its business operations and their continuity, including information resources that
support the organization's mission (expressed in ISO/IEC PDTR 13335-1) through unauthorized
access, destruction, disclosure, modification of data, and/or denial of service.
Finally, according to NIST (2006), a threat may be defined as any circumstance or event with
the potential to adversely impact organizational operations (including mission, functions, image,
or reputation), organizational assets, or individuals through an information system via
unauthorized access, destruction, disclosure, modification of information, and/or denial of
service. Also, the potential for a threat-source to successfully exploit a particular information
6
system vulnerability. We are adopting the definition by ENISA and NIST as they fully capture
the meaning, characteristics, types and impacts of threat to an information system or any other
host. From the definitions given above, the fact that threat no matter he nature, source, host, will
always leaves a negative impact (Seker, 2019). It can also be deduced that everyone is at risk of a
cyber-attack.
2.1.1 Classifications of Cyber Threats
According to Seker (2020), cyber threats are categorized into the following:
I. Malware: A malware is any software deliberately designed to cause damage to a
computer, server, client, or computer network. There are several types of malware such
as computer viruses, worms, Trojan horses, ransomware, spyware, adware, rogue
software, wiper and scareware.
II. Web-based Attacks: A web based attack occurs when user’s personal and sensitive data
such as their credit card, Social Security, or medical information which should be kept
private become public, leading to potentially grave consequences.
III. Web application Attacks: Grave weaknesses or vulnerabilities allow criminals to gain
direct and public access to databases in order to churn sensitive data, and this is known as
a web application attack. Many of these databases contain valuable information (e.g.
personal data and financial details) making them a repeated object of attacks
IV. Denial of Service: A denial-of-service attack is a cyber-attack in which the culprit strive
to make a machine or network resource unavailable to its intended users by temporarily
or indefinitely disrupting services of a host connected to the Internet.
V. Botnets: A botnet is a number of hijacked Internet-connected devices, each of which is
running one or more bots. The bots serve as a tool to automate mass attacks, such as data
7
theft, server crashing, and malware distribution. Botnets can be used to carryout
Distributed Denial-of-Service attacks, steal data, send spam, and allow the attacker to
access the device and its connection. Assembly of a botnet is usually the infiltration stage
of a multi-layer scheme.
VI. Phishing: Phishing is a type of social engineering where an attacker sends a fraudulent
message designed to hoax a human victim into revealing delicate information to the
attacker or to project malicious software on the victim's infrastructure like ransomware
VII. Spam: An E-mail spam is an irrelevant or unwanted messages sent over the internet,
usually to a large number of users, for the purposes of advertising, phishing, spreading
malware, etc.
VIII. Ransomware: Ransomware is a kind of malware from cryptovirology that portends to
permanently block access to it unless a ransom is paid. While some simple ransomware
may lock the system so that it is not difficult for a knowledgeable person to reverse, more
advanced malware uses a technique called cryptoviral extortion.
IX. Insider threat: An insider threat is a malicious threat to an organization that comes from
people within the organization, such as employees, former employees, contractors or
business associates, who have inside information concerning the organization's security
practices, data and computer systems.
X. Exploit kits: Exploit kits or exploit packs refer to a type of hacking toolkit that
cybercriminals use to take advantage of vulnerabilities in systems/devices so they can
distribute malware or do other malicious activities. They normally target popular
software such as AdobeFlash Java, Microsoft Silverlight.
8
XI. Data breaches: A data breach is the intentional or unintentional release of protected or
private/confidential information to an untrusted environment. Further terms for this
occurrence include unintentional information disclosure, data leak, information leakage
and also data spill.
XII. Identity theft: Identity theft occurs when someone uses another person's personal
identifying information, like their name, identifying number, or credit card number,
without their permission, to commit fraud or other crimes.
2.1.2 Conventional Methods of Threat Detection
The knowledge of the different types of threats led to the deployment of five methods of threat
monitoring and detection. These methods were used to prevent or mitigate against the risks of
threats, which implies that they were both proactive and reactive in nature.
a) Network and endpoint monitoring that is constant and comprehensive, including
capabilities such as full-packet capture and behavior-based threat detection on hosts.
b) Advanced analytics techniques that can sift through massive amounts of information,
such as network traffic, in near-real-time to spot suspicious behaviors and accelerate
investigations.
c) Malware analysis using methods that don’t rely on file signatures and go straight to the
actual behavior of executables, whether collected on the network or endpoints, to detect
hostile activity.
d) Incident detection and response practices that align security personnel, processes, and
technologies to streamline and accelerate workflows so security operations teams can
spend less time on routine tasks and more time defending high-priority assets and address
the riskiest threats.
9
e) Open-source intelligence (OSINT) is collecting information from the public, open tools,
or resources to be used in an intelligence context. Data flow for OSINT can be
categorized into 6 classifications. Media (newspapers, magazines, radio, television, etc.),
Internet (such as blogs, dark-web, websites, YouTube, Twitter, Facebook, etc.), Public
Government Data (public government reports, speeches, conferences, etc.), Professional
and Academic Publications (journal, academic papers, dissertation, theses, etc.),
Commercial Data (commercial imagery, financial and industrial assessments, etc.), Grey
Literature (technical reports, preprints, patents, business documents, etc.)
2.1.3 Threat Modelling
Threat modeling can be described as a process by which possible threats, such as basic
vulnerabilities can be distinguished, stated, and organized from a theoretical attacker’s
viewpoint. The impulse behind threat modeling is to provide safeguards with a precise
examination of the probable attacker's profile, the in all likelihood attack vectors, and the assets.
In application development, threat modeling is an iterative procedure which begins during the
early planning stage and continues all through the application lifespan. This is because
applications are mostly prone to changes which required that they be updated in order to adapt.
Therefore, during the update sage stage, threat modeling process should be repeated. Another
reason for threat iteration is because the possibility of describing almost all cyber threats with a
one-time process is very bleak.
2.1.4 Threat Modelling Methodologies
There are various methodologies for modelling threats, however, we will briefly sate and discuss
some of the most frequently used.
10
STRIDE: This methodology of threat introduced in 1999 at Microsoft (Kohnfelder and Garg,
2016). The acronym STRIDE was coined from key letter of the following six classes: spoofing
identity, tampering with data, repudiation, information disclosure, denial of service and elevation
of privilege.
Figure 2.1: An Overview of Threat Modelling Process (Source: Meier, 2003)
11
PASTA: The Process for Attack Simulation and Threat Analysis (PASTA) is a threat modeling
methodology with 7 stages building up to the impact of threat (UcedaVelez, 2015).
VAST: VAST is an acronym which stands for Visual, Agile, and Simple Threat modeling.
VAST is a threat modeling methodology that handles a large number of the deficiencies
especially adaptability which is deficient in past methodologies (Agarwal, 2016). Alternative
threat model are AS/NZS 4360:2004, CVSS, and OCTAVE.
2.1.5 Threat Intelligence Tools and Standards
Threat intelligence tools are important security tools which adopt global security data for
proactive identification, migration and remediation of security threats. These tools are designed
to match the new and daily evolving threat trends. Some of these tools are:
I. Traffic Light Protocol (TLP)
TLP is an information-sharing model that was created by the UK Government's Centre for
Protection of National Infrastructure (CPNI) in the early 2000s. This model was purposed for
classification and management of shared sensitive information (Luiijf and Kerkamp, 2015). TLP
has 4 different categories named by traffic lights which are red, amber, green and white and all
colors have different meanings.
a. RED/(TLP:RED): Non-disclosable information and restricted to representatives
present at the meeting only. Sources may use TLP:RED when information cannot be
12
effectively acted upon by additional parties and could lead to impacts on a party's
privacy, reputation, or operations if misused.
b. GREEN/TLP: GREEN: Community-wide. Information in this category can be
circulated widely within a particular community and the organizations which take
part in that community. However, the information may not be published or posted
publicly on the Internet, nor released outside of the community of participating
organizations. Sources may use TLP: GREEN when information is useful for the
awareness of all participating organizations as well as with peers within the broader
community or sector.
c. WHITE/TLP: WHITE: Unlimited; public information. Subject to standard
copyright rules, WHITE information may be distributed freely, without restriction.
Sources may use TLP:WHITE when information carries minimal
II. Managed Incident Lightweight Exchange (MILE)
MILE Working Group developed standards for exchanging incident data. The group described a
package of standards such as Incident Object Description and Exchange Format (IODEF),
IODEF for Structured Cyber Security Information (IODEFSCI), and Real-time Inter-network
Defense (RID) (Seker, 2019)
a. Incident Object Description and Exchange Format (IODEF): IODEF describes an
information framework to represent computer and network security incidents. To do this
IODEF has over 30 classes and subclasses including Contact, Monetary Impact, Time,
Operating System, and Application.
13
b. Real-time Inter-network Defense (RID): RID defines a protocol to facilitate sharing
computer and network security incidents which is a standard for communicating for cyber
threat intelligence. Five massage types are used by RID which are Request,
Acknowledgement, Result, Report, and Query. Policy Class in RID allows different
policies.
III. Open Indicators of Compromise (OpenIOC) Framework
OpenIOC gives a standard arrangement and terms for portraying the artifacts encountered
during an investigation. It was presented by Mandiant in 2011. OpenIOC contains definitions for
specific technical details including over 500 indicator terms. It is easy to add new items. A
specific malware sample or family can be described using Boolean logic.
IV. Vocabulary for Event Recording and Incident Sharing (VERIS)
VERIS is a framework to define and share an incident which was proposed by Verizon in 2010.
Its purpose is to provide a common language for describing security incidents in a structured and
repeatable manner. VERIS is to collect, classify, analyze, compare, and share information
security incident data. There are five sections in VERIS schema. Incident tracking, Victim
demographics, Incident description, Discovery & response, and Impact assessment. There are
multiple elements (with specific data types and variables names) in each section.
V. Open Threat Exchange (OTX)
OTX was created AlienVault for sharing threat data in 2012. OTX is open to the global
community. It delivers community-generated threat data, enables collaborative research, and
automates the process of updating your security infrastructure with threat data. To collect cyber
threat intelligence OTX uses a centralized system. OTX Threat.
VI. Collective Intelligence Framework (CIF)
14
CIF was introduced by the Research and Education Network Information Sharing and Analysis
Center (REN-ISAC) in 2009 which is a client/server system for sharing threat intelligence data.
It uses information for identification (incident response), detection (IDS) and mitigation (null
route). CIF data contains information on the type of threat, severity of an attack, and the
confidence of the data. It also has labeling data and access control features.
G. MITRE Standards
MITRE has developed some standards for different needs of cyber threat intelligence
management systems.
a. Cyber Observable eXpression (CybOX): CybOX is an institutionalized diagram for the
determination, capture, characterization, and correspondence of occasions or stateful
properties that are noticeable in all framework and network operations. It provides over
70 defined objects that can be used to define measurable events or stateful properties.
CybOX supports a wide range of relevant Cybersecurity domains including: Threat
assessment and characterization (detailed attack patterns), Malware characterization,
Operational event management, Logging, Cyber situational awareness, Incident response,
Indicator sharing, Digital forensics.
b. Structured Threat Information Expression (STIX): STIX is another standard for
defining threat information including threat details with the context of the threat which
was first presented in 2012. It uses cases such as Analyzing Cyber Threats, Specifying
Indicator Patterns for Cyber Threats, Managing Cyber Threat Prevention and Response
Activities, Sharing Cyber Threat Information. STIX provides a unifying architecture
(shown in figure - 5) tying together a diverse set of cyber threat information along with:
15
i. Cyber Observables (e.g., a registry key is created, network traffic occurs to specific IP
addresses, email from a specific address is observed, etc.).
ii. Indicators (potential observables with attached meaning and context).
iii. Incidents (instances of specific adversary actions).
iv. Adversary Tactics, Techniques, and Procedures (including attack patterns, malware,
exploits, kill chains, tools, infrastructure, victim targeting, etc.).
v. Exploit Targets (e.g., vulnerabilities, weaknesses, or configurations).
vi. Courses of Action (e.g., incident response or vulnerability/ weakness remedies).
vii. Cyber Attack Campaigns (sets of Incidents and/or TTP with a shared intent).
viii. Cyber Threat Actors (identification and/or characterization of the adversary.
2.2 Intrusion Detection System (IDS)
Intrusion detection systems (IDSs) can be defined as a vital part of a complete defense-in-depth
architecture for computer network security. IDS is an effective security technology, which can
detect, prevent and possibly react to the attack (Base and Mell, 2001). Target sources of
activities, are monitored by this technology and audit data are collected and inspected in search
for evidence of intrusive behaviors. The IDS raises an alarm on detection of a suspicious or
malicious attempts, and notifies the network administrator using the alarm for effective and
prompt response. The main objective of IDS is to detect all intrusions in an efficient manner.
2.2.1 Classification of IDS
IDSs can be classified based on different points of view such as detection approach, targets,
reaction on detection etc.
In the classification based on detection method, there are two types of IDS: anomaly and misuse
(signature) based detection. In the anomaly detection, the IDS tries to determine whether
16
deviation from the established normal usage patterns can be flagged as intrusions. While the
misuse detection uses patterns of well-known attacks or weak spots of the system to identify
intrusions (Sadotra and Sharma, 2016).
Figure 2.2: Classification of IDS (Source: Sadothra and Sharma, 2016)
17
The second classification is based on the source of information, which classifies an IDS as either
host or network-based. A host-based IDS (HIDS) analyzes events such as process identifiers and
system calls, mainly related to OS information. While a network-based IDS (NIDS) analyzes
network related events: traffic volume, IP addresses, service ports, protocol usage, etc. (Teodoro
et al, 2009).
2.2.2 Challenges of Conventional Intrusion Detection Systems
Even though IDS solutions have been used for about twenty years, an important problem is still
not fully addressed. This is the problem of lack of a system that can differentiate between fake
and real threat alerts. For example, a single IDS sensor can generate tens of thousands of alerts
in a day which might overwhelm the data analyst. Inspecting thousands of alerts per day is
unfeasible, especially if 99% of them are false alerts. False alerts, also known as false positives
occur when a legitimate activity has been mistakenly classified as malicious by the IDS. The vast
imbalance between the actual and false alarms generated has undoubtedly undermined the
performance of IDS (Tjhai et al, 2010).
Regardless of the fact that anomaly-based IDSs produce more false positives rather than misuse-
based IDSs, false positives are inevitable in all types of IDS. This has led to an increased
research in the field of false positives reduction techniques and researches on IDSs have focused
on how to handle these alerts.
18
Other identified issues of IDS are:
a. Deficiency or incomplete Data set: Datasets play a vital role in the results of an intrusion
detection system. However, the currently used datasets are outdated and cannot be
analyzed to detect newer threats in its host.
b. Algorithms for Detection: Lack of competent algorithms which can match all the case in
small time and match the terms efficiently. The algorithms also provide no rules for the
detection of new attacks to be identified form old attach patterns, thereby identifying only
old attacks.
c. Integration of multiple formats of data: the conventional IDS can only identify or detect a
single threat type at a time. There should be room for multiple formats which can detect
different threat patterns to be integrated.
d. Platform dependencies: Most IDS are platform dependent which means that a particular
IDS can only be integrated into a particular platform for which it was built and not for
any other. This does not promote cross-platform adaptability and inter-application
intractability.
e. Weak Design: The design of the conventional IDS is not user friendly, which makes it
weak. It should have two parts, one core part which consists of detection algorithm and
second part will be the part associated with pattern matching. This part should be updated
on the fly. I.e. it should not affect the detection process of the system but only updates the
other parts without touching core part of the system. Thus every update should be added
on the fly without stopping the intrusion detection system.
19
f. Evaluation of IDS: The evaluation of the conventional IDS suffers from three major
drawbacks: Collecting script and victim software, Different requirements for testing
different types of IDS and Testing with different parameters.
2.2.3 Advantages of an IDS
There are so many merits of an ID system, some of them are briefly discussed here.
i. Visibility: AN IDS provides a clear view of what's going on within a network. It is a
reliable source of information about distrustful or malicious network traffic. There are
few or none practical alternatives to an ID that allow you to track network traffic in
depth.
ii. Defense: AN IDS enhances a layer of defense to your security profile, providing a useful
backstop to some of your other security measures.
iii. Response capabilities: Though ID probably will be of limited use, you may want to
enable some of the response features of the IDS. For instance, they can be configured to
terminate a user session that violates policy. Obviously, you must consider the risks of
taking this step, since you may accidentally terminate a valid user session. However, in
certain cases it can be an important tool to prevent damage to the network.
iv. Tracking of virus propagation: When a virus first hits your network, an IDS can tell
you which machines it compromised, as well as how it is propagating through the
network to infect other machines. This can be a great help in slowing or stopping a virus's
progress and making sure you remove it.
v. Evidence: - properly configured IDS can produce data that can form the basis for a civil
or criminal case against someone who misuses your network.
2.3 Artificial Intelligence in Threat Detection and IDS
20
According to Myriam (2018), cyber-attacks can be sent to anybody at all irrespective of
architecture, or framework. This statement refers to the set of activities and measures, technical
and non-technical, which are intended to protect the ‘real geography’ of cyberspace and also
devices, software, and the information they contain and communicate with, from all possible
threats (Cavelty 2010).
Technology advances every day, and so do cybercriminals as they are becoming more
sophisticated and getting ahead of current Cybersecurity controls. In order to get ahead of
cybercriminals, experts have adopted the use of Artificial Intelligence (AI) to counter new cyber-
attacks (Harel, et al, 2017).
AI is a discipline in computer science that uses complex mathematical algorithms to imitate
human thinking (Lidestri 2018). AI has several branches or subsets. One AI-based technique
such as Machine Learning (ML) and Deep Learning. Machine Learning is a subset of AI that
teaches machines how to make decisions (Feizollah et al, 2013). Deep Learning (DL) is as a type
of ML that performs pattern recognition and predictions (Polson, 2017). DL is capable of
handling humongous datasets. This allows its application in a large array of fields such as image
rendering, stock market prediction, and agriculture. DL improves areas of Cybersecurity such as
intrusion detection and botnet detection due to the high processing power that it has to examine
data and learn from experience.
Cybersecurity experts are using ML and DL to solve problems in the areas of Botnet Detection,
and Intrusion Detection and Prevention Systems (IDPS). However, the integration of AI-based
technologies in organizations may have implications which Cybersecurity experts need to
address to ensure cyber safety. AI may also impact technology consumers who are using devices
that, in one way or another, are already using the technology.
21
2.3.1 Machine Learning Algorithms for Threat Detection
Generally, there are six different machine learning algorithms that can be used to develop a
threat detection system or an intrusion detection system. However, two of them are outstanding
and will be discussed in this section.
Before adopting any of the ML techniques, it is noteworthy, that these algorithms are different in
approach and therefore require different types of data in order to explore its full potential.
I. Artificial Neural Networks (ANNs)
ANNs are nodes which imitate the human brain. His technique is made up of processing nodes
which are connected to each other and to a hidden layer (Jean-Phillipe, 2018). This technique is
very useful for recognizing complex patterns which are difficult for human to recognize. They
can also be used to recognize unprecise patterns. This technique improves data and network
security when applied to a threat detection framework. A typical example of its application is in
the recognition of legitimate connections from fake ones during a port scan by a cybercriminal
for open hotspots to tap. ANN will trigger an alert due to its recognition of the connection
patterns. It is a proactive algorithm that stops the attack before it becomes successful. ANNs can
be used to detect several cyber threats from Phishing, denial of service, insider threat, malware,
identity theft, etc.
II. Genetic Algorithm
GA detects threats by learning from experience given to previous anomaly behavior. Just like the
human brain can detect danger in fire and avoid it because of the experience of ancestors. GA is
useful to detect common threats with common patterns. So, GA uses the previous patterns to
make decisions on new patterns that the system cannot recognize (Jean-Phillipe, 2018). Applying
this method to ML-based threat detection system would improve the detection rates for new
22
anomalies. For example, if a ransomware manages to penetrate the firewall, via email or other
vector, when it intends to spread and encrypt files, the ML-based IDPS using GA will detect it
and prevent the encryption of a large cluster of devices across the network.
Input Layer Hidden Layer 1 Hidden Layer 2 Output Layer
Fig. 2: A Typical Neural Network Configuration (Source: Choi and Lee, 2018)
23
Feeding supervised machine learning algorithms with a dataset which contains information about
what normal network traffic should look like and providing a whitelist that the ML-based threat
detection system will use to detect threats. The ML-based threat detection system can make
decisions against different new patterns.
II.4. Information Systems
III. Information systems (IS)

involve a variety of in-
IV. formation technologies (IT)
such as computers, soft-
V. ware, databases, communication
systems, the Inter-
VI. net, mobile devices and much
more, to perform spe-
VII. cific tasks, interact with and
inform various actors in
24
VIII. different organizational or
social contexts
IX. Information systems (IS)
X. formation technologies (IT) such
as computers, soft-
XI. ware, databases,
communication systems, the
Inter-
XII. net, mobile devices and much
more, to perform spe-
XIII. cific tasks, interact with and
XIV. different organizational or
social contexts
XV.Information systems (IS)
25
XVI. formation technologies (IT)
XVII. ware, databases,
Inter-
XVIII. net, mobile devices and
much more, to perform spe-
XIX. cific tasks, interact with and
XX.different organizational or
social contexts
XXI. Information systems (IS)
XXII. formation technologies (IT)
XXIII. ware, databases,
Inter-
26
XXIV. net, mobile devices and
much more, to perform spe-
XXV. cific tasks, interact with and
XXVI. different organizational or
social contexts
Information systems (IS) involve a variety of information technologies (IT) such as computers,
software, databases, communication systems, the Internet, mobile devices and much more, to
perform specific tasks, interact with and inform various actors in different organizational or
social contexts. According to O’Brien and Marakas (2007), the applications of information
systems that are implemented in today’s business world can be classified in several different
ways. For example, several types of information systems can be classified as either
operations (Support of business operation) or (Support of managerial decision making).
Support of business operation such as transaction processing systems, process control
systems and Enterprise collaboration systems (office automation system). Support of
managerial decision making such as management information system, decision support
system and executive information systems. According
2.3.1 Application of Different Types of Information Systems
27
The Roles of Different
Types of
IS In Business
Organizations
Transaction Processing Systems
i. Transaction processing systems (TPS)
These are the basic business systems that serve the operational level of the organization. A
transaction processing system is a computerized system that performs and records the daily
routine transactions necessary to the conduct of the business (Laudon and laudon, 2006). At
the lowest level of the organizational hierarchy we find the transaction processing systems that
support the day-to-day activities of the business (Belle et al, 2001).
ii. Process Control Systems:
Process control systems is Monitor and control industrial or physical processes. Examples:
petroleum refining, power generation, and steel production systems. For example, a petroleum
refinery uses electronic sensors linked to computers to monitor chemical processes
continually and make instant (real-time) adjustments that control the refinery process
28
(O’Brian et al, 2007) . A process control system comprises the whole range of: equipment,
computer programs, operating procedures.
iii. Enterprise Collaboration Systems (Office Automation Systems)
Office automation systems are one of the most widely used types of information systems
that will help managers control the flow of information in organizations. Enterprise
collaboration systems (office automation systems) are enhance team and workgroup
communications and productivity. Office automation systems: are other types of information
systems are not specific to any one level in the organization but provide important support for a
broad range of users. Office information systems are designed to support office tasks with
information technology. Voice mail, multimedia system, electronic mail, video conferencing, file
transfer, and even group decisions can be achieved by office information systems.
Management Information Systems

Decision Support Systems
iv. Decision-support systems (DSS
A Decision Support System is a computer based system intended for use by a particular
manager or usually a group of managers at any organizational level in making a decision
in the process of solving a semi structured decision. According to Heidarkhani, et al. (2009).
Decision Support Systems are a Kind of organizational information computerize systems that
help manager in decision making that needs modeling, formulation, calculating, comparing,
selecting the best option or predict the scenarios .
DSS are specifically designed to help management make decisions in situations where
there is uncertainty about the possible outcomes of those decisions. According to Shim
(2006), a decision support system is a computer-based information system that assists
29
managers in making many complex decisions, such as decisions needed to solve poorly
defined or semi-structured problems
.
v. Expert Systems
Expert systems are the category of AI which has been used most successfully in building
commercial applications. .According to O’Brien and Marakas (2007) Expert systems are
Knowledge-based systems that provide expert advice and act as expert consultants to users.
According to Patterson (2001) an expert system is a computer program that tries to
emulate human reasoning. According to Shim (2001) Expert System is a set of computer
programs that perform a task at the level of a human expert.
Knowledge Management
Systems
2.5. Related Work
Sadotra and Sharma (2016) presented a review on integrated intrusion detection system in cyber
security. They surveyed the current state of the art on the algorithms which have been deployed
for the detection of anomalies and intrusion in the cyber space. The survey algorithms were
Support Vector Machines (SVMs), NSL-KDD, IDS system and HYBRITQ-4(J48, Boyer Moore,
KNN). However, they could not implement an intrusion detection system to handle the
drawbacks of the existing algorithms surveyed.
Yogitha and Kalyani (2013) proposed intrusion detection system using Support Vector Machine
(SVM). NSL-KDD Cup’99 data set which is improver version of KDD Cup’99 data set was used
for experimenting verification. The use of his algorithm made data preprocessing simpler which
resulted in reduction in the time required for building SVM. Classification was done using SVM.
30
They reduced false positive and increased attack detection rate by performing proper kernel
selection using Gaussian Radial Basis. However, this system is ambiguous and will consume
time and resources in its development.
Chandrakar et al (2014) presented application of genetic algorithm in intrusion detection system.
They described basic concepts of network intrusion detection system, components and types of
attacks. They identified the three types of IDS as data source, analysis engine and response
manager. An overview of genetic algorithm was also provided in the study. The genetic
algorithm was used to randomly select the input (chromosome) and calculate the fitness value for
each generated initial chromosome. The iteration performed operations such as sorting, selection,
crossover, mutation and finally calculates the fitness value for chromosome. However, this
model is not intelligent and cannot be used for intrusion attack detection.
Venkatesan, et al. (2012) presented a survey on intrusion detection using data mining techniques.
The anomaly detection system was described in two phases, training and testing. They adopted
clustering and sliding window for monitoring the network traffic by mining the frequent patterns
using algorithms. The algorithms were used in real time monitoring. The frequent multi-pattern
capturing algorithm recorded high detection rate. They evaluated the percentage for detection
rate and false alarm rate. However, they did not discuss the performance evaluation of their
system to ascertain its efficiency.
Hader et al (2021) proposed a real-time sequential deep extreme learning machine cyber security
intrusion detection system. The model was used to determine the rating of security aspects
contributing to their significance. An investigation was carried on the viability of the proposed
framework by evaluating dataset and calculating the accuracy parameters to validate. The results
of the system showed that the framework outperformed other conventional algorithms and
31
therefore had practical significance. However, this model is unrobust and cannot be used for the
detection of different forms of cyber threats.
Sarkar et al (2020) proposed IntruTree, a machine learning based cyber security intrusion
detection model. The model analyzes the ranking of security features based on level of
importance and then developed a tree based intrusion generalized detection system using selected
important features. The model reduced computational complexity by reducing feature
dimensions. The dataset was evaluated by computing the precision, recall, F-score, accuracy and
ROC values. The result from the evaluation was used to compare with other conventional
machine learning algorithms such as SVM etc. However, this model cannot be incorporated into
an information system.
Ghafir et al (2018) presented a study defending against the advanced persistent threat by
detection of disguised executable files. The study was aimed at detecting disguised exe file
which were transferred over a connection. The detection was primarily carried out by comparing
the MIME type of the file and the file name extension. The module was simulated and evaluated
and the results demonstrated successful detection of disguised files. However, this study has a
narrow scope as it can only detect one type of threat.
Chandran et al (2015) proposed an efficient classification model for detecting advanced
persistent threat. Machine learning algorithms were the basis of the model. They analyzed the
legitimate traffic for normal users and extracted data such as CPU usage, memory usage, open
ports and number of files in the system32 folder. They injected a piece of malware, which was
previously used for the APT attack, into the network and the four features were extracted. The
detection model was trained by applying different machine learning algorithms on the dataset of
32
benign and malicious features. However, they did not evaluate the system to ascertain its
practical significance.
Chandra et al (2016) proposed a practical approach to email-spam filters to protect from
advanced persistent threat (APT). This approach was dependent on mathematical and
computational analysis to filter spam emails. Tokens, which were considered as a group of words
and characters such as (click here, free, Viagra, replica), were defined for the detection algorithm
to separate legitimate and spam emails. However, the system could only be used for email-spam
detection and not for any other threat(s).
Khraisat et al (2019) presented a survey of intrusion detection systems, their techniques, datasets
and challenges. The taxonomy of recent systems for intrusion detection were surveyed in the
study and the datasets which were commonly used for the implementation were analyzed also.
The techniques which are adopted by attackers to perpetrate the intrusion were identified and
discussed. The researchers finally discussed future scopes which could be used to make the
computer systems more secure and block out malicious attacks. However, they could not
implement a system for detection or identification of intrusion.
Gamachchi et al (2017) proposed a graph based framework for malicious insider threat detection.
The proposed model was a hybrid framework based on anomaly detection and graphical analysis
processes. Heterogeneous data was analyzed and isolated malicious users who were hiding
behind others. The result from the study showed that the framework could be used to
differentiate between majorities of users who show typical behaviours from the minority of users
who demonstrate suspicious behaviours. However, this framework cannot be used to detect
external threats attack the system.
33
Nance and Marty (2011) proposed a study on identifying and visualizing the malicious insider
threat using biparticle graphs. They introduced the use of bipartite graphs for identifying and
visualizing insider threat. They tried to establish acceptable insider behavior patterns based on
workgroup role classifications. Although this approach was quite useful for detecting certain
insider threats, however, it has the limitation of a high false positive rate.
Kumar et al (2017) proposed practical machine learning for cloud intrusion detection, challenges
and the way forward. They described the difficulties in developing an intrusion detection system
for the cloud. They proposed that a hybrid approach would yield better results and demonstrated
how the combinations can be carried out in form of filters, features or even a single machine
learning unit. They defined approaches for collecting high quality evaluation data using other
security products or red teams (recommended) and grow the dataset using SMOTE or possibly
GANs. For the way forward, they shared a framework for disrupting attack. However, this
framework does not respond to attacks on time before harm is done.
Chaudhari and Patil (2017) proposed intrusion detection systems, classification, techniques and
datasets to implement. They presented the classification of IDS, different Data mining
approaches and datasets for the operative detection of pattern for both malicious and normal
activities in network, which would help to develop secure information system. They also
provided a short study of various datasets that are useful for an intrusion detection system.
However, this could only detect and classify known attacks.
Govindarajan et.al. (2009) proposed intrusion detection using k-Nearest Neighbour (k-NN).
They presented novel K-nearest neighbour classifier which was applied on Intrusion detection
system and the system performance was evaluated in terms of Run time and Error rate on normal
34
and malicious dataset. The results demonstrated that the new classifier is more accurate than
existing K-nearest neighbour classifier. However, the system required a regular update of the
rules which were used.
Mohammadreza et al. (2010) proposed intrusion detection using data mining techniques. Support
Vector Machine and classification tree Data mining technique were used for intrusion detection
in network. They compared C4.5 and Support Vector Machine by experimental result and found
that C4.5 algorithm had better performance in term of detection rate and false alarm rate than
SVM, but for U2R attack SVM performed better. However, the system presented no difference
between an attack attempt and a successful attack.
Denatious and John (2012) proposed a survey on data mining techniques to enhance intrusion
detection. They defined diverse data mining approaches useful for detecting intrusions. They also
described the classification of Intrusion detection system and its working. It was discovered that
clustering was more suitable for large amount of network traffics than classification in the
domain of intrusion detection because enormous amount of data needed to collect to use
classification. However, the system recorded low detection rate and high false alarm.
Amudha and Rauf (2011) presented performance analysis of data mining approaches in intrusion
detection. They observed that Random forest gave better detection rate, accuracy and false alarm
rate for Probe and DOS attack & Naive Bayes Tree gave better performance in case of U2R and
R2L attack. Also it was observed that the execution time of Naive Bayes Tree was more as
compared to other classifier. However, the result cannot be generalized and therefore cannot be
applied for real world analysis.
35
Naidu and Avadhani (2012) proposed a comparison of data mining techniques for intrusion
detection. They utilized three Data mining algorithms SVM, Ripper rule and C5.0 tree for
Intrusion detection and also compared their efficiency. Their results demonstrated that C5.0
decision tree was more efficient than others. All the three Data mining techniques gave a
decision higher than 96%. However, this model cannot be applied in evaluating other machine
learning techniques.
Chitrakar and Chuanhe (2012) proposed anomaly based intrusion detection using a hybrid
learning approaches of combining k-Medoids clustering with Naïve Bayes classification. They
observed from the result that the hybrid method outperformed K-Means clustering technique
followed by Naïve Bayes classification. They also observed that time complexity increases when
number of data points increased. However, the model recorded false classification errors due to
over fitting of algorithms.
Chitrakar and Chaunhe (2012) proposed an anomaly detection using support vector machine
classification with k-Medoids clustering technique. The proposed hybrid model produced better
performance compared to k-Medoids with Naïve Bayes classification. The approach
demonstrated enhancement in both Accuracy and Detection Rate while reducing False Alarm
Rate as compared to the k- Medoids clustering approach followed by Naïve Bayes classification
technique. However, they could not implement a threat detection system for information system.
Chuque (2020) proposed digital threat detection model to mitigate Cybersecurity risks in
organizations by evaluating the influence of Cybersecurity infrastructure in the global
Cybersecurity index. Their results established that there is a relationship between the variables
Model of Detection of Digital Threats and Cybersecurity Risks in Organizations. However, they
could nor implement their model with a programming language.
36
Niyaz et al (2015) proposed a deep learning approach for network intrusion detection system.
They adopted Self-taught Learning (STL), a deep learning based technique, on NSL-KDD - a
benchmark dataset for network intrusion. They presented the performance of their technique and
compared it with a few previous work. Compared metrics included accuracy, precision, recall,
and f-measure values. However, his model cannot be applied in an information system.
Ferrag et al (2020) presented deep learning for cyber security intrusion detection, approaches,
datasets and comparative study. They provided a review of intrusion detection systems based on
deep learning approaches. They described 35 well-known cyber datasets and provided a
classification of these datasets into seven categories; namely, network traffic-based dataset,
electrical network-based dataset, internet traffic-based dataset, virtual private network-based
dataset, android apps-based dataset, IoT traffic-based dataset, and internet-connected devices-
based dataset. Seven deep learning models including recurrent neural networks, deep neural
networks, restricted Boltzmann machines, deep belief networks, convolutional neural networks,
deep Boltzmann machines, and deep autoencoders were analyzed. For each model, the
performance was studied in two categories of classification (binary and multiclass) under two
new real traffic datasets, namely, the CSECIC-IDS2018 dataset and the Bot-IoT dataset.
However, they could not implement an intrusion detection system using their findings.
Hodo et al (2017) presented a taxonomy and survey of shallow and deep network intrusion
detection system. They compared performance of diverse machine learning techniques,
specifically in anomaly detection. They assessed the performance efficiency of feature selection
in ML for IDS. They proposed that the convolutional neural network (CNN) classifier is an
underused classifier and it could have provided massive improvements in cyber security if it was
37
used to its full prospective. However, they could not develop an intrusion detection system to
curb the identified challenges.
Ford and Siraj (2014) proposed application of machine learning in cyber security. They analyzed
the applications of machine learning techniques in the protection of the cyberspace from
cybercriminals. Various obstacles faced during the implementation of machine learning
techniques were depicted. The work concluded that although the machine learning techniques
were expanding various ways to protect cyberspace against cybercriminals, still there is an
immense number of advancements needed to protect the classifiers from adversarial attacks.
However, they could not implement their findings in a programming language.
Table 2.1: Summary of Related Work
S/N AUTHOR/ RESEARCH SUMMARY OF FINDINGS LIMITATION(S) OF

YEAR CARRIED OUT THE WORK
1 Sadotra and A Review on They surveyed the current state of However, they could not
Sharma Integrated the art on the algorithms (such as implement an intrusion
(2016) Intrusion SVM, KNN, NSL-KDD etc.) detection system to handle
Detection System which have been deployed for the the drawbacks of the
in Cyber Security detection of anomalies and existing algorithms
intrusion in the cyber space. surveyed.
2 Yogitha and Intrusion They proposed intrusion detection However, this system is
Kalyani Detection System system using Support Vector ambiguous and will
(2013) using Data Machine (SVM). NSL-KDD consume time and resources
Mining Cup’99 data set was used for in its development.
Technique: SVM experimenting verification. They
reduced false positive and
38
increased attack detection rate by
performing proper kernel selection
using Gaussian Radial Basis.
3 Chandrakar Application of They described basic concepts of However, this model is not
et al (2014) Genetic network intrusion detection intelligent and cannot be
Algorithm in system, components and types of used for intrusion attack
Intrusion attacks. An overview of genetic detection.
Detection System. algorithm was also provided in the
study. The genetic algorithm was
used to randomly select the input
(chromosome) and calculate the
fitness value for each generated
initial chromosome.
4 Venkatesan, A Survey on They adopted clustering and However, they did not
et al. (2012) Intrusion sliding window for monitoring the discuss the performance
Detection using network traffic by mining the evaluation of their system to
Data Mining frequent patterns using algorithms. ascertain its efficiency.
Techniques. The algorithms were used in real
time monitoring. They evaluated
the percentage for detection rate
and false alarm rate.
5 Hader et al A Real-Time An investigation was carried on However, this model is
(2021) Sequential Deep the viability of the proposed unrobust and cannot be used
Extreme Learning framework by evaluating dataset for the detection of different

39
Machine Cyber and calculating the accuracy forms of cyber threats and
Security Intrusion parameters to validate. The results the model does not provide
Detection System. of the system showed that the any threat blockage
framework outperformed other platform for the detected
conventional algorithms and threats.
therefore had practical
significance.
6 Sarkar et al IntruTree: A The model analyzes the ranking of However, this model cannot
(2020) Machine security features based on level of be incorporated into an
Learning Based importance and then developed a information system.
Cyber Security tree based intrusion generalized
Intrusion detection system using selected
Detection Model. important features. The model
reduced computational complexity
by reducing feature dimensions.
7 Ghafir et al Defending The study was aimed at detecting However, this study has a
(2018) Against the disguised exe file which were narrow scope as it can only
Advanced transferred over a connection. The detect one type of threat.
Persistent Threat detection was primarily carried out
by Detection of by comparing the MIME type of
Disguised the file and the file name
Executable Files. extension. The module was
simulated and evaluated and the
40
results demonstrated successful
detection of disguised files.
8 Chandran et An Efficient They analyzed the legitimate However, they did not
al (2015) Classification traffic for normal users and evaluate the system to
Model for extracted data such as CPU usage, ascertain its practical
Detecting memory usage, open ports and significance.
Advanced number of files in the system32
Persistent Threat. folder. The detection model was
trained by applying different
machine learning algorithms on
the dataset of benign and
malicious features.
9 Chandra et A Practical This approach was dependent on However, the system could
al (2016) Approach to mathematical and computational only be used for email-spam
Email-Spam analysis to filter spam emails. detection and not for any
Filters to Protect Tokens, which were considered as other threat(s).
from Advanced a group of words and characters
Persistent Threat such as (click here, free, Viagra,
replica), were defined for the
detection algorithm to separate
legitimate and spam emails.
10 Khraisat et Survey of The taxonomy of recent systems However, they could not
al (2019) Intrusion for intrusion detection were implement a system for
Detection surveyed in the study and the detection or identification of

41
Systems, their datasets which were commonly intrusion.
Techniques, used for the implementation were
Datasets and analyzed also. The techniques
Challenges. which are adopted by attackers to
perpetrate the intrusion were
identified and discussed.
11 Gamachchi A Graph Based The proposed model was a hybrid However, this framework
et al (2017) Framework for framework based on anomaly cannot be used to detect
Malicious Insider detection and graphical analysis external threats attack the
Threat Detection. processes. The result from the system.
study showed that the framework
could be used to differentiate
between majorities of users who
show typical behaviours from the
minority of users who demonstrate
suspicious behaviours.
12 Nance and Identifying and They introduced the use of However, it has the
Marty Visualizing the bipartite graphs for identifying and limitation of a high false
(2011) Malicious Insider visualizing insider threat. They positive rate.
Threat using tried to establish acceptable insider
Biparticle Graphs. behavior patterns based on
workgroup role classifications.
13 Kumar et al Practical Machine They described the difficulties in However, this framework
(2017) Learning for developing an intrusion detection does not respond to attacks
42
Cloud Intrusion system for the cloud. They defined on time before harm is
Detection, approaches for collecting high done.
Challenges and quality evaluation data using other
the Way Forward. security products or red teams
(recommended) and grow the
dataset using SMOTE or possibly
GANs. For the way forward, they
shared a framework for disrupting
attack.
14 Chaudhari Intrusion They presented the classification However, this could only
and Patil Detection of IDS, different Data mining detect and classify known
(2017) Systems, approaches and datasets for the attacks.
Classification, operative detection of pattern for
Techniques and both malicious and normal
Datasets to activities in network, which would
Implement. help to develop secure information
system. They also provided a short
study of various datasets that are
useful for an intrusion detection
system.
15 Govindaraja Intrusion They presented novel K-nearest However, the system
n et. al. Detection using neighbour classifier which was required a regular update of
(2009) k-Nearest applied on Intrusion detection the rules which were used.
43
Neighbour system and the system
performance was evaluated in
terms of Run time and Error rate
on normal and malicious dataset.
16 Mohammad Intrusion Support Vector Machine and However, the system
reza et al. Detection using classification tree Data mining presented no difference
(2010) Data Mining technique were used for intrusion between an attack attempt
Techniques. detection in network. They and a successful attack.
compared C4.5 and Support
Vector Machine by experimental
result and found that C4.5
algorithm had better performance
in term of detection rate and false
alarm rate than SVM, but for U2R
attack SVM performed better.
17 Denatious Survey on Data They defined diverse data mining However, the system
and John Mining approaches useful for detecting recorded low detection rate
(2012) Techniques to intrusions. It was discovered that and high false alarm.
Enhance Intrusion clustering was more suitable for
Detection. large amount of network traffics
than classification in the domain of
intrusion detection because
enormous amount of data needed
44
to collect to use classification.
18 Amudha Performance They observed that Random forest However, the results cannot
and Rauf Analysis of Data gave better detection rate, be generalized and therefore
(2011) Mining accuracy and false alarm rate for cannot be applied for real
Approaches in Probe and DOS attack & Naive world analysis.
Intrusion Bayes Tree gave better
Detection. performance in case of U2R and
R2L attack. Also it was observed
that the execution time of Naive
Bayes Tree was more as compared
to other classifier.
19 Naidu and A Comparison of They utilized three Data mining However, this model cannot
Avadhani Data Mining algorithms SVM, Ripper rule and be applied in evaluating
(2012) Techniques for C5.0 tree for Intrusion detection other machine learning
Intrusion and also compared their efficiency. techniques.
Detection. Their results demonstrated that
C5.0 decision tree was more
efficient than others.
20 Chitrakar Anomaly Based They observed from the result that However, the model
and Intrusion the hybrid method outperformed recorded false classification
Chuanhe Detection Using a K-Means clustering technique errors due to over fitting of
(2012) Hybrid Learning followed by Naïve Bayes algorithms.
Approaches of classification. They also observed
Combining k- that time complexity increases

45
Medoids when number of data points
Clustering with increased.
Naïve Bayes
Classification.
21 Chitrakar An Anomaly The proposed hybrid model However, they could not
and Detection using produced better performance implement a threat detection
Chaunhe Support Vector compared to k-Medoids with system for information
(2012) Machine Naïve Bayes classification. The system.
Classification approach demonstrated
with k-Medoids enhancement in both Accuracy
Clustering and Detection Rate while reducing
Technique. False Alarm Rate as compared to
the k- Medoids clustering
approach followed by Naïve Bayes
classification technique.
22 Chuque Digital Threat They evaluated the influence of However, they could nor
(2020) Detection Model Cybersecurity infrastructure in the implement their model with
to Mitigate global Cybersecurity index. Their a programming language
Cybersecurity results established that there is a
Risks in relationship between the variables
Organizations Model of Detection of Digital
Threats and Cybersecurity Risks in
Organizations.
23 Niyaz et al A Deep Learning They adopted Self-taught Learning However, his model cannot
46
(2015) Approach for (STL), a deep learning based be applied in an information
Network technique, on NSL-KDD - a system.
Intrusion benchmark dataset for network
Detection System. intrusion. They presented the
performance of their technique and
compared it with a few previous
work. Compared metrics included
accuracy, precision, recall, and f-
measure values.
24 Ferrag et al Deep Learning They provided a review of However, they could not
(2020) for Cyber intrusion detection systems based implement an intrusion
Security Intrusion on deep learning approaches. They detection system using their
Detection, described 35 well-known cyber findings.
Approaches, datasets and provided a
Datasets and classification of these datasets into
Comparative seven categories. Seven deep
Study. learning models including
recurrent neural networks and
deep autoencoders were analyzed.
25 Hodo et al Shallow and Deep They compared performance of However, they could not
(2017) Network diverse machine learning develop an intrusion
Intrusion techniques, specifically in detection system to curb the
Detection anomaly detection. They assessed
47
System: the performance efficiency of identified challenges.
Taxonomy and feature selection in ML for IDS.
Survey
26 Ford and Application of They analyzed the applications of However, they could not
Siraj (2014) Machine machine learning techniques in the implement their findings in
Learning in Cyber protection of the cyberspace from a programming language.
Security. cybercriminals. Various obstacles
faced during the implementation
of machine learning techniques
were depicted.
2.5.1. Our Approach
While reviewing several related literatures on threat intelligence, IDS, cyber-attacks and the
application of AI in solving these prevailing issues, we developed a keen interest in the work
carried out by Haider et al (2020). They proposed a real-time sequential deep extreme learning
machine cyber security intrusion detection system. Their proposed model was used to initially
determine the rating of security aspects contributing to their significance and then it was later
used to develop a comprehensive intrusion detection framework focused on the essential
characteristics. The authors did a good job as their model performed efficiently when evaluated
using their defined parameters. However, the dataset used in the research was too scanty to
produce a result that will be generalized. Secondly, their adopted algorithm (RTS-DELM-
CSIDS) was based on unsupervised learning technique and is therefore not suitable for
recognition of complex patterns such as threat patterns as it does not map a target output. We
48
hope to improve on the work carried out by these authors by applying ANN on an improved
threat pattern dataset to detect future threat patterns in an information system.
CHAPTER THREE
MATERIALS AND METHODS
49
3.1 Methodology
Agile methodology was adopted in this approach. The agile methodology is an iterative and
incremental based development where requirements are changeable depending on the needs of
the customer. Agile method helps in adaptive planning, time boxing and development in an
iterative manner. This methodology is a theoretical framework that promotes foreseen
interactions throughout the development cycle. The Agile method follows the same processes
that are outlined in the SLDC such as the requirements gathering, analysis, design, coding testing
and delivers a prototype of the design to the client while waiting for his/her response before
delivering the complete software which will contain the user’s modified corrections and
requirements.
3.1.1. Justification of the Methodology
The Agile methodology is iterative and therefore allow for necessary adjustments until the user
requirements are all met, this makes it people oriented. Using the agile model helps to save the
cost of development as the whole project is broken into less expensive modules which can be
executed with minimal cost, this is called parsimony. The methodology is adaptive, convergent
and handles design risks using the best tool in software development. This methodology is
regarded as one of the best models of the Software Development life cycle (SDLC).
3.2 Analysis of the Existing System
The existing system was developed by Haider et al (2020). They proposed a RTS-DELM-CSIDS
framework which uses an innovative strategy to mitigate the number of fake alerts over the
period. The existing system achieved this feat by accessing human expert feedback and
modifying the learning model based on that information. Using this approach, they reduced the
risk of repeated false alerts with identical data. In the training process, information labelling was
50
skipped because the percentage of traffic segments was the only necessary prior information.
However, the existing approach supported identifying the correct labels for unlabeled details. It
also suggested adjustments in instances where conventional approaches classified the training
samples through human experts. The existing IDS offered a scheme for simplifying the
assessment of human safety experts’ decisions. Accordingly, the framework could identify
irregularities based on predetermined observations. Therefore, with supervised feature learning,
the program was able to spot human mistakes while marking the data and proposing corrections.
Moreover, the framework could identify new traffic segments using a scoring scheme. The
existing model provided a rapidly-updating framework which could identify the adaptability
dilemma of existing approaches. One use of this framework was suitable to upgrade the learning
framework based on current information and novel forms of attacks with minimal computational
cost.
3.2.1 Explanation of Existing System Components.
The components of the existing system are discussed briefly in this section.
i. Dataset: Publicly accessible intrusion dataset from Kaggle, which consists of two
types: regular and attack was used in the existing system. The dataset was labelled
NSLKDD (a revamped version of KDD 99, which has many improvements relative to
the initial KDD 99 dataset). The NSL-KDD dataset consists of 41 features per record.
The data collection layer used the collected sensor data as inputs.
ii. Data Processing: Various cleanup processes of data and inspection methods are
applied in the preprocessing layer to remove irregularities from the actual data. The
application layer implements the DELM framework to optimize Cybersecurity for
any malicious or intrusive activity.
51
Internet Real-time Dataset
Load Data Data Data

Load Data
Acquisition Acquisition
Layer Layer
Data Processing Data Processing Database for

Marked
Feature Selection Feature Selection Attacks
Training Dataset Training Dataset
Anomaly
Grant Access
RTS-DELM-CSIDS Detection
Evaluation Phase
Normal Attack
Figure 3.1: Architecture of Real-Time Sequential Deep Extreme Learning Machine

Cybersecurity Intrusion Detection System: Existing System (Source: Haider et al, 2020)
52
iii. RTS-DELM-CSIDS: The DELM mitigates numerous network builder problems, such
as network security and connectivity concerns. Given that sending and processing
data consumes 80 percent of the network’s energy, data reduction and feature
extraction techniques could minimize processing and further prolong the network’s
lifespan. The DELM framework adjusted the data compression performance threshold
within networks. The RTS-DELM upgraded the framework as a series of learning
algorithms, without requiring previously trained data.
iv. Training Dataset: The data were divided up randomly into 70% training (103,962
samples) and 30% validation (44,554 samples).
v. Evaluation: In this phase, a specific number of neurons in hidden layers in a network
were evaluated and several forms of active functions were. The RTS-DELM-CSIDS
was also evaluated to accurately predict the efficiency of this system. The output was
compared with the counterpart algorithms of the RTS-DELM-CSIDS algorithm using
multiple statistical measures.
3.2.2 Algorithm of the Existing System
Algorithm of a Real-Time Sequential Deep Extreme Learning Machine Cybersecurity Intrusion
Detection System.
Step 1: Extract NSLKDD Dataset

Step 2: Initiate Sensors for Real time dataset (RTD) access
Step 3: Preprocess datasets
Datasets = NSLKDD + RTD
Step 4: Perform feature Selection (FS)
Step 5: Split Data = Training Set (70%), Test Set (30%)
Step 6: Implement RTS-DELM-CSIDS on Training Set
Step 7: Evaluate RTS-DELM-CSIDS
Step 8: Differentiate Attack Outputs
IF Output = Normal
THEN
53
Grant Access
ELSE
Detect Anomaly
Step 9: Store Marked Attacks in Database.
Step 10: End
3.2.3. Disadvantages of the Existing System
i. The existing system makes use of an unsupervised learning algorithm, i.e. deep
learning algorithms, therefore the result are less accurate.
ii. The algorithms used was weak and cannot be used to detect new threats except the
ones stored in the dataset.
iii. The existing system lacked a good visualization model for demonstrating the results
gotten from their implementation.
iv. The existing system was not user friendly and it also has an ambiguous design.
3.3 Analysis of the Proposed System
The proposed system is an enhancement of the existing system analyzed above. The first
improvement by the proposed model is in terms of the datasets used for building the model. We
have adopted the UNSW-NB15 dataset. The dataset contains nine types of threat such as
backdoor, denial of service (DoS), Reconnaissance, Shellcode, worms, Fuzzers, Analysis, and
Generic threats. The dataset contains 49 features which were derived from the implementation of
twelve algorithms via the Argus, Bro-IDS tools. The total number of records in the dataset is
2,540,044 which are stored in 4 CSV files. After data cleaning, in which redundant and empty
records were deleted, the dataset was split into training set (80%) and test set (20%). The raining
set contains 175, 341 records and the test set contains 82,332 records.
The ANN which is the most efficient technique for recognizing complex and unprecise patterns
which are difficult for human to recognize was adopted for training the dataset.
54
Improved Data Acquisition
Threat Dataset Layer
Data Processing: Removal

of Empty and Redundant
Fields
Feed Forward
Neural Network Training Dataset
INTELLIGENT ANN Update Threat

MODEL FOR THREAT Dataset
DETECTION
INFORMATION
SYSTEM
Classification of Threat
Patterns Initiate Threat
Grant Access Alert Protocol
Normal Request Detected Threat
Figure 3.2: Architecture of the Proposed System
55
The Feed-Forward Neural Network, which is the purest form of ANN was applied to the dataset
using a defined amount of epochs. ANN technique improves data and network security when
applied to a threat detection framework. The threat patterns are used to train the model and
mapped to target outputs. ANN is also used to classify the recognized threat according to insider
or external threats. Also, ANN differentiates between normal requests and threats which are sent
to the information system.
The information system used in this study is the transaction management system (e-banking
system). The threat detection system is integrated into the information system for identification
of both new and old threats.
3.3.1 Description of Proposed System Components
i. Datasets: We adopted the UNSW-NB15 dataset. The dataset contains nine types of
threat such as backdoor, denial of service (DoS), Reconnaissance, Shellcode, worms,
Fuzzers, Analysis, and Generic threats.
ii. ANN Intelligent Model: the model was used to train the dataset for detection of new
and old threat from threat patterns. The algorithm was also used for classification and
to define a set of rules for initiating an alert and blockage protocol for handling the
detected threat.
3.3.2 Algorithm of the Proposed System
Step 1: Extract UNSW-NB15 dataset

Step 2: Remove redundant & empty records = Data Processing
Step 3: Extract features from improved dataset
Step 4: Split Data = Training Set (80%), Test Set (20%)
Step 5: Implement ANN on Training Set
Step 6: Classify Threat Patterns using ANN
Classification = Insider + Outsider
Step 7: launch IS (information system)
Step 8: Integrate TDM into IS
56
Where TDM = threat detection model
Step 9: Differentiate Attack Outputs
IF Output = Normal Request
THEN
Grant Access
ELSE
Detect Threat
Step 10: Initiate threat alert protocol
Alert Message = type of threat + New/Old threat
Step 11: Block threat = threat block protocol
Step 12: If Threat = New
Then
Update Threat dataset
Step 13: End
3.3.3 Advantages of the proposed System
i. The proposed system makes use of a supervised learning algorithm, i.e. ANN which
is very efficient for recognition of complex patterns.
ii. The algorithms used is very efficient and can recognize even unprecise patterns from
large datasets. The model can also identify new threat whether insider or outsider
threats
iii. The existing system has a good visualization model for demonstrating the results
gotten from their implementation.
iv. The existing system is friendly and it also has a simple design.
57
3.3.4 Anatomy of the Proposed System
Coding
Intelligent Threat Detection Java
Model
Type
Simulated
IDE
Netbeans
Parts/Features
Training Model: Feed-Forward NN
Classifier: ANN
Detection System
Coding
Transaction Processing Java
Information System
Type
Simulated
IDE
Netbeans
Parts/Features
User Registration System
Financial Registration System
Threat Alert and Blockage system
58
3.4 Design Specifications of the Proposed System
This section illustrates the output specification, input specification and database design of the
Proposed System
Table 3.1: Output specification
Input Expected output
User access validation Login successful

(username + password)
Threat Dataset Test-sets successfully accepted
Classification result Insider Threat/Outsider Threat
Table 3.2: Input specification
Field Name Field Type Null Default

Threat Patterns Varchar No None
Threat Features Varchar No None
59
CONCLUSION
Threat detection is very vital to the security of data within an information system. Vulnerabilities
have been identified as the general cause of threats. However, there is no confirmed solution for
handling vulnerabilities as they are found in in very sophisticated architecture. This is why the
attention has been tilted rather to the detection and blockage of threats that are sent to the IS.
ANN has been applied to an improved threat dataset with over 2 million threat records with 9
different threat patterns and 49 attributes. The model will be used to detect threats sent to the
information system and differentiate them from normal service request. The proposed model will
also fire threat alert upon detection and then proceed to block the threat. This model outperforms
previous threat detection system because it is robust, user friendly, with simple design and
intelligent algorithms and also it blocks threats which is deficient in other threat detection
systems.
60
REFERENCES
Anderson (1995). An introduction to neural networks. Research gate Publication. 1-12.

Agarwal, A. (2016). VAST Methodology: Visual, Agile and Simple Threat Analysis. Wiley. 20-
26
Amudha, P. and Rauf, A. (2011). Performance Analysis of Data Mining Approaches in Intrusion
Detection. IEEE.
Base, R. and Mell, P. (2001). Special Publication on Intrusion Detection System: NIST Infidel.
Inc. Norway Institutes of Standards and Technology, Scotts Valley.
Calderon, R. (2019). Benefits of Arificial Intelligence in Cyber Security. Economic Crime
Forensics Programs. 36. 1-22.
Cavelty, M. D. (2010). Cyber-security. The Routledge Handbook of New Security
Studies, 154-162.
Chandrakar, O., Singh, R. and Barik, L.B. (2014). Application of Genetic Algorihm in Intrusion
Detection System. International Institute for Science, Technology and Education. 4(1).
Chandran, S., Hrudya, P. and Poornachandra, P. (2015). An Efficient Classification Model for
Detecting Advanced Persistent Threat. Advances in Computing, Communication and
Informatics (ICACCI). 1-10.
Chandra, J.V., Challa, N. and Pasupuleti, S.K. (2016). A Practical Approach to E-mail Spam
Filters to Protect from Advanced persistent Threat. 2016 International Conference on
Circuits,
Power and Computing Technologies (ICCPCT). 1-5
Chaud, R.R. and Patil, S.P. (2017). Intrusion detection system: classification, techniques and
datasets to implement. International Research Journal of Engineering and Technology
(IRJET), 4(2). 1860-1866.
Chitrakar, R. and Chuanhe (2012). Anomaly Based Intrusion Detection using Hybrid Learning
Approaches of Combining k-Medoids Clustering and Support Vector Machine. IEEE.
Chitrakar, R. and Chuanhe (2012). Anomaly Based Intrusion Detection using Hybrid Learning
Approaches of Combining k-Medoids Clustering and Naïve Bayes Classification. IEEE.
Chuque, F.E.J. (20120). Digital threat Detection to Mitigate Cyber Security Risks in
Organizations. Gyancity Journal of Electronics and Computer Sciences. 5(1), 76-90
Denatious, D.K. and John, A. (2012). Survey on Data Mining Techniques to enhance Intrusion
detection. International Conference on Computer Communication and Information, 2012.
61
Ferrag, M.A., Maglaras, L., Moschoyannis, S. and Janicce, H. (2020). Deep Learning for Cyber
Security Approaches, Datasets and Comparative Study. Research gate Publication. 1-20
Ford, V. and Siraj, A. (2014). Application of Machine Learning in Cybersecurity. In proceedings
of 27th International conference on Computer Science in Industry and Engineering, 2014.
Gamachchi, A., Sun, Li and Boztas, S. (2017). A Graph Based Framework for Malicious Insider
Threat Detection. Proceedings of the 50th Hawaii International Conference on System
Sciences. 2638-2647.
Ghafir, I., Hammoudeh, M. and Prenosil, V. (2018). Defending against the Advanced Persistent
Threat: Detection of Disguised Executable Files. PeerJ Preprints. 1-10.
Govindarajan and Chandarasekaran, R. (2009). Intrusion Detection using k-Nearest Neighbour.
ICAC IEEE. 12-20.
Haider, A., Khan, M.A., Rehman, A., Rahman, M.U and Kim, H.S. (2020). A Real-time
Sequential
Deep ExtremeLearning Machine Cyber Security Intrusion Detection System. Computers,
Materials and Continua. 66(2), 1785-1798.
Hodo, E., Belleken, X., Hamilton, A., Tachlatzis, C. and Alkinson, R. (2017). Shallow and Depp
Network Intrusion Detection System: A Taxonomy and Survey. arXiv Preprint. 1-12
Khraisat, A., Gondal, I., Vamplew, P. and Kamruzzaman, J. (2019). Survey of intrusion
detection
system: techniques, datasets and challenges. Cybersecurity, Open Access. 2(20), 1-22.
Kohnfelder, L. and Garg, P. (2016). Threats to our products. Microsoft publication. 1-11.
Kumar, R.S.S., Wicker, A. and Swann, M. (2017). Practical Machine Learning for Cloud
Intrusion
Detection: Challenges and the Way Forward. In Proceedings of AISec’17, New York. 1-10.
Luiijf. E. and Kernkamp, A. (2015). Sharing Cybersecurity Information. Research gate
publication. 112-121.
Meier, J.D. (2003). Improving web application security: threats & counter measures. Microsoft
Corporation.
Mohammadreza, E., Memar, S., Sidi, F. and Affendey, L.S. (2010). Intrusion Detection using
Data
Mining Techniques. IEEE. 200-203
Naidu, R.C.A. and Avadhani (2012). A Comparison of Data Mining Techniques for Intrusion
Detection. International Conference on Advanced Communication Control and Computer
Technologies. 41-44.
62
Nance, K. and Marty, R. (2011). Identifying and Visualizing the Malicious Insider Threat using
Biparticle Graphs. 44th Hawaii International Conference on System Sciences. 1-9.
Niyaz, Q., Sun, W., Javaid, A. Y and Alam, M. (2015). A Deep Learning Approach for Network
Intrusion Detection System (2015). BICT’ 2015. 1-6. DOI 10.4108/eai.3-12-2015.2262516
Sadotra, P. and Sharma, C. (2016). A Review on Integrated Intrusion Detection System in Cyber
Security. International Journal of Computer Science and Mobile Computing. 5(9), 23-28.
Sarker, I. H.., Abushark, Y. B., Alsolami, F. and Khan, A. I. (2020). IntruDTree: A machine
learning based cyber security intrusion detection model. Symmetry. 12(754), 1-15.
Seker, E. (2019). Cyber threat intelligence understanding fundamentals. Research Gate
Publication. 4, 2-11.
Teodoro, P.G., Verdejo, J.D., Fernandez, G.M. and Vazquez, E. (2009). Anomaly-based
Network
Intrusion Detection: techniques, systems and challenges. Computer Security. 1-10.
Tjhai, G.C. Furnell, S.M., Papadaki, M., Clarke, N.L. (2010). A Preliminary two-stage alarm
correlation and filtering system using SOM neural network and k-Means algorithm.
Ucedavalez, T. and Morana, M. (2015). Risk Centric Modeling process for attack simulation &
threat analysis. 20-26
Venkatesan, R., Ganesan, R. and Selvakumar, A.L. (2012). A Survey on Intrusion Detection
using
Data Mining Techniques. International Journal of Computers and Distributed Systems.
2(11).
Yogita, B.B. and Kalyani, C.W. (2013). Intrusion Detection System using Data Mining
Technique:
SVM. International Journal of Emerging Technology and Advanced Engineering. 3(3)
63

Threat Intelligence Model - Main1

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Threat Intelligence Model - Main1

Uploaded by

Copyright:

Available Formats

CHAPTER ONE

functionality or even crippling it to a level of non-functionality. A threat is usually initiated, it is

and harmful to data and the entire system (Seker, 2019).

1.2. Statement of the Problem

cannot be integrated in multiple platforms/information systems, use of incomplete or outdated

threat dataset, thereby making the system robust.

in information systems. The specific objectives are to:

i. Develop a model for threat identification, detection and blockage in an information

and MySQL as database.

1.4. Significance of the Study

1.6. Limitation of the Study

1.7. Definition of Terms

i. Threat: A threat is a potential negative action or event facilitated by vulnerability

that results in unwanted impact on a system.

actors that initiate threats into the cyber space.

and from unwanted users and actions.

theft, sabotage and information extortion.

information disclosure, theft or damage.

private/confidential information to an untrusted environment. It is also called

viii. Malware: Malware is any software intentionally designed to cause damage to a

computer, server, client, or computer network. Types of malware include computer

ix. Intrusion Detection System: An intrusion detection system is a device or software

application that monitors a network or systems for malicious activity or policy

to reveal patterns, trends, and associations, especially relating to human behaviour

2.1 Threat Intelligence: An Overview

meaning of the word.

access, destruction, disclosure, modification of data, and/or denial of service.

or reputation), organizational assets, or individuals through an information system via

unauthorized access, destruction, disclosure, modification of information, and/or denial of

2.1.1 Classifications of Cyber Threats

I. Malware: A malware is any software deliberately designed to cause damage to a

as computer viruses, worms, Trojan horses, ransomware, spyware, adware, rogue

software, wiper and scareware.

private become public, leading to potentially grave consequences.

to make a machine or network resource unavailable to its intended users by temporarily

or indefinitely disrupting services of a host connected to the Internet.

V. Botnets: A botnet is a number of hijacked Internet-connected devices, each of which is

attacker or to project malicious software on the victim's infrastructure like ransomware

VIII. Ransomware: Ransomware is a kind of malware from cryptovirology that portends to

advanced malware uses a technique called cryptoviral extortion.

people within the organization, such as employees, former employees, contractors or

practices, data and computer systems.

cybercriminals use to take advantage of vulnerabilities in systems/devices so they can

distribute malware or do other malicious activities. They normally target popular

software such as AdobeFlash Java, Microsoft Silverlight.

private/confidential information to an untrusted environment. Further terms for this

occurrence include unintentional information disclosure, data leak, information leakage

and also data spill.

without their permission, to commit fraud or other crimes.

2.1.2 Conventional Methods of Threat Detection

a) Network and endpoint monitoring that is constant and comprehensive, including

capabilities such as full-packet capture and behavior-based threat detection on hosts.

such as network traffic, in near-real-time to spot suspicious behaviors and accelerate

actual behavior of executables, whether collected on the network or endpoints, to detect

technologies to streamline and accelerate workflows so security operations teams can

the riskiest threats.

or resources to be used in an intelligence context. Data flow for OSINT can be

categorized into 6 classifications. Media (newspapers, magazines, radio, television, etc.),

Government Data (public government reports, speeches, conferences, etc.), Professional

and Academic Publications (journal, academic papers, dissertation, theses, etc.),

Literature (technical reports, preprints, patents, business documents, etc.)

2.1.3 Threat Modelling

vulnerabilities can be distinguished, stated, and organized from a theoretical attacker’s

one-time process is very bleak.