:: Research ::

Interpretable Machine Learning

Since traditional Machine Learning (ML) techniques use black-box models, the internal operation of the model is unknown to humans. Due to this black-box nature of the ML model, the trustworthiness of its predictions is sometimes questionable. Interpretable Machine Learning (IML) is a way of dissecting ML models to overcome this shortcoming and provide a more reasoned explanation of model predictions. In this paper, we explore several IML methods and their applications in various domains. Moreover, a detailed survey of IML methods, along with the identification of the essential building blocks of a black-box model, is presented here. Herein, we have identified and described the requirements of IML models, and for completeness, a taxonomy of IML methods, which classifies each into distinct groupings or sub-categories, is proposed. The goal, therefore, is to describe the state of the art for IML methods and explain those in more concrete and understandable ways by providing a better basis of knowledge for those building blocks and our associated requirements analysis.

In a machine learning classification problem, feature selection is a pre-processing phase that identifies important and relevant features from the original dataset to potentially reduce the computational complexity and improve overall classification performance. Feature reduction mechanisms, such as Information Gain, Gain Ratio, Chi-squared, ReliefF, Deep Learning, etc., along with domain knowledge, are used to find the appropriate features (aka feature engineering) from a dataset. In this paper, we propose a novel feature selection process, IMLFS, based on an interpretable machine learning technique to find the optimal relevant features in the DDoS detection problem. Also, using Interpretable Machine Learning (IML) and based on the effectiveness of the critical features, predicted outcomes (e.g., DDoS or benign) of a classification problem are explained. We use these relevant features in the feature selection phase to retrain the model effectively for better accuracy. To evaluate the proposed approach, an extensive experiment is performed using the NSL-KDD dataset. Moreover, using the extracted features, we experimented with our existing Ensemble Supervised Framework for the same dataset, which demonstrated the efficacy of the proposed approach by producing greater accuracy and negligible false alarms compared to existing feature selection methods.


Machine Learning Ensemble Frameworks

Over the past two decades, Distributed Denial of Service (DDoS) attacks have been responsible for most of the catastrophic failures in the Internet, causing a huge amount of disruption of services across all sectors of the economy. Almost every year this attack ranks at the top among all attacks in terms of the cost to the overall global economy. Machine Learning (ML)-based Intrusion Detection Systems (IDSs) help the global economy with the goal of reducing the prevalence of cyber incidents, such as DDoS. In an ML classification problem, the feature selection process, aka feature engineering, is treated as a mandatory pre-processing phase that potentially reduces the computational complexity by identifying important or relevant features from the original dataset and results in the overall improvement of classification accuracy. In this paper, we propose an ensemble framework for feature selection methods (EnFS) that combines the outputs of seven well-known feature selection methods using the majority voting (MV) technique and produces an optimal set of features. In the evaluation of the proposed framework, an extensive experiment was performed using the intrusion detection benchmark dataset NSL-KDD [1]. Furthermore, using the optimal feature set, we have experimented with an ensemble supervised ML framework [2] for the same dataset, which demonstrated the efficacy of our approach by producing greater accuracy and negligible false alarms compared to existing approaches.
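The majority-voting step described above, as an added example (not the authors' code): each selector picks its top-k features and a feature is kept only when more than half of the selectors choose it. Assumptions: three entropy-based filter scores (information gain, gain ratio, symmetrical uncertainty) stand in for the seven methods, which the abstract does not name; the records are constructed, with column names borrowed from NSL-KDD.

```python
import math
from collections import Counter

# Constructed toy records (not real NSL-KDD rows); column names borrowed from NSL-KDD.
FEATURES = ["flag", "src_bytes", "count_bin", "duration_bin"]
ROWS = [  # (flag, src_bytes, count_bin, duration_bin, label)
    ("S0", 0, "high", "short", "ddos"),
    ("S0", 8, "high", "long", "ddos"),
    ("S0", 12, "high", "short", "ddos"),
    ("S0", 28, "high", "long", "ddos"),
    ("SF", 181, "high", "short", "benign"),
    ("SF", 239, "low", "long", "benign"),
    ("SF", 235, "low", "short", "benign"),
    ("SF", 219, "low", "long", "benign"),
]
METHODS = ["info_gain", "gain_ratio", "sym_uncertainty"]  # assumed stand-ins

def entropy(values):
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())

def filter_scores(column, labels):
    """Score one feature with three entropy-based filters."""
    h_x, h_y = entropy(column), entropy(labels)
    groups = {}
    for x, y in zip(column, labels):
        groups.setdefault(x, []).append(y)
    h_y_given_x = sum(len(g) / len(labels) * entropy(g) for g in groups.values())
    ig = h_y - h_y_given_x
    return {
        "info_gain": ig,  # rewards any split that purifies the label, even ID-like ones
        "gain_ratio": ig / h_x if h_x else 0.0,  # penalises many-valued features
        "sym_uncertainty": 2 * ig / (h_x + h_y) if h_x + h_y else 0.0,
    }

def top_k_per_method(rows, k):
    labels = [r[-1] for r in rows]
    table = {f: filter_scores([r[i] for r in rows], labels) for i, f in enumerate(FEATURES)}
    return {m: set(sorted(FEATURES, key=lambda f: -table[f][m])[:k]) for m in METHODS}

def majority_vote(selections):
    """Keep a feature only if a strict majority of selectors chose it."""
    votes = Counter(f for chosen in selections.values() for f in chosen)
    need = len(selections) // 2 + 1
    return {f for f, v in votes.items() if v >= need}, votes

if __name__ == "__main__":
    picks = top_k_per_method(ROWS, k=2)
    selected, votes = majority_vote(picks)
    print(picks, dict(votes), sorted(selected))
```

On this data, information gain alone selects the raw `src_bytes` column because every distinct value forms a pure partition; the vote drops it in favour of `count_bin`.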

Distributed Denial of Service (DDoS) has been the most prominent attack in cyber-physical systems over the last decade. Defending against DDoS attacks is not only challenging but also strategic. Many new strategies and approaches have been proposed to defend against different types of DDoS attacks. The ongoing battle between attackers and defenders is full-fledged due to its newest strategies and techniques. Machine learning (ML) has shown promising outcomes in different research fields, including cybersecurity. In this paper, an ensemble unsupervised ML approach is used to implement an intrusion detection system that detects DDoS attacks with noteworthy accuracy. The goal of this research is to increase the DDoS attack detection accuracy while decreasing the false positive rate. The NSL-KDD dataset and twelve feature sets from existing research are used for experimentation to compare our ensemble results with those of our individual and other existing models.


Distributed Denial of Service (DDoS) attacks have been the prominent attacks over the last decade. A Network Intrusion Detection System (NIDS) should seamlessly configure itself to fight against attackers' new approaches and patterns of DDoS attack. In this paper, we propose a NIDS which can detect existing as well as new types of DDoS attacks. The key feature of our NIDS is that it combines different classifiers using ensemble models, with the idea that each classifier can target specific aspects/types of intrusions, and in doing so provides a more robust defense mechanism against new intrusions. Further, we perform a detailed analysis of DDoS attacks, and based on this domain knowledge verify the reduced feature set [27, 28] to significantly improve accuracy. We experiment with and analyze the NSL-KDD dataset with the reduced feature set, and our proposed NIDS can detect 99.1% of DDoS attacks successfully. We compare our results with other existing approaches. Our NIDS approach has the learning capability to keep up with new and emerging DDoS attack patterns.


Internet of Medical Things (IoMT)

The emergence of the Internet of Medical Things (IoMT) has introduced a monumental change in facilitating the management of diseases, improving disease diagnosis and treatment methods, and reducing healthcare cost and errors. This change has greatly impacted the quality of healthcare for both patients and all frontline healthcare workers. However, the IoMT is far from being immune to security and privacy breaches due to the wide variety of IoMT vendors and products available on the market as well as the massive number of devices transmitting sensitive medical data wirelessly to the cloud. The lack of security awareness among healthcare users (e.g., patients, medical staff) aggravates the deficiencies and can facilitate attacks that jeopardize patients' lives. Therefore, ensuring the security and privacy of the IoMT becomes an urgent issue worthy of further investigation and resolution. Security cannot be planned for, managed, monitored, or controlled if it cannot be measured. However, security assessment poses problems for novice IoMT adopters when choosing security measures that are both sufficient and robust. Accordingly, we developed a web-based IoMT Security Assessment Framework (IoMT-SAF) based on a novel ontological scenario-based approach to recommend security features in IoMT and assess protection and deterrence in IoMT solutions. IoMT-SAF supports the selection of a solution that matches the stakeholder's security objectives and supports the decision-making process. The novelty of IoMT-SAF lies in its granularity, extensibility, as well as its ability to adapt to new stakeholders, and conformance to technology and medical standards.


Stealth Migration Protocol to MTD in Cloud Computing

A stealth migration protocol is proposed in this paper that obfuscates the virtual machine (VM) migration from intruders and enhances the security of the MTD process. The protocol starts by encrypting the VM data and generating a secret key, which is split along with the encrypted data into small chunks. The fragments are then transmitted through intermediate VMs on the way to the destination VM. As a result, the chances of an intruder detecting the VM migration are reduced. The migration traffic is kept close to normal traffic by adjusting the chunk size, thereby avoiding the attention of the intruder. Finally, the normal and migration traffic patterns are analyzed with the proposed protocol.


Crowd Sourcing

Crowdsourcing is an approach whereby employers call online for workers with different capabilities to process a task for monetary reward. With a vast number of tasks posted every day, satisfying the workers, employers, and service providers who are the stakeholders of any crowdsourcing system is critical to its success. To achieve this, the system should address three objectives: (1) match the worker with suitable tasks that fit the worker's interests and skills and raise the worker's rewards and rating, (2) give the employer more acceptable solutions with lower cost and time and raise the employer's rating, and (3) raise the rate of accepted tasks, which will raise the aggregated commissions to the service provider and improve the average rating of the registered users (employers and workers) accordingly. For these objectives, we present a mechanism design that is capable of reaching holistic satisfaction using a multi-objective recommendation system. In contrast, all previous crowdsourcing recommendation systems are designed to address one stakeholder, who could be either the worker or the employer. Moreover, our unique contribution is to consider each stakeholder to be self-serving. Considering selfish behavior from every stakeholder, we provide a more qualified recommendation for each stakeholder.


Real Time Monitors and Intelligent Agents

We propose a framework based on Collaborative Runtime Monitors (CoRuM) for application-level security. CoRuM detects the abnormal behavior of an application by observing critical characteristics during program runtime. In this paper, we discuss the application’s critical and essential characteristics to be monitored, the components of the framework, and its workflow on different use case scenarios. We provide experimental results on typical cyber-attacks and provide the throughput and detection accuracy measures. We also propose multidimensional preventive measures using honeypot and backup servers.


A Game Theory Inspired Defense Architecture (GIDA) | Simulation

While there are significant advances in information technology and infrastructure which offer new opportunities, cyberspace is still far from completely secured. In many cases, the employed security solutions are ad hoc and lack a quantitative decision framework. While they are effective in solving the particular problems they are designed for, they generally fail to respond well in a dynamically changing scenario. To this end, we propose a holistic security approach in this paper. We find that game theory provides huge potential to place such an approach on a solid analytical setting. We consider the interaction between the attacks and the defense mechanisms as a game played between the attacker and the defender (system administrator). In particular, we propose a game theory inspired defense architecture in which a game model acts as the brain. We focus on one of our recently proposed game models, namely the imperfect information stochastic game. Although this game model seems to be promising, it also faces new challenges which warrant future attention. We discuss our current ideas on extending this model to address such challenges.


AVOIDIT: A Cyber Attack Taxonomy
AVOIDIT is a cyber attack taxonomy that provides the ability to classify attack vectors to assist defenders with disseminating defense strategies. We use five major classifiers to characterize the nature of an attack, which are classification by attack vector, classification by attack target, classification by operational impact, classification by informational impact, and classification by defense. It is presented in a tree-like structure to neatly classify attack vectors and common vulnerabilities used to launch cyber attacks. We believe AVOIDIT offers a foundation for the cyber security community and the ability to continuously grow as attacks and defenses become more sophisticated.
We foresee AVOIDIT as a repository schema for a knowledge management system within a local network. A knowledge management system (KMS) harnesses the ability to utilize knowledge from subject matter experts and prior data to create a system where information can be shared throughout the organization. The goal is to create an organization that is resilient to attacks in all functional areas. The KMS will enable attack data to flow more accurately within an organization. AVOIDIT KMS will utilize the Game Theoretic Inspired Defense Architecture System to investigate the applicability of determining the action space of the defender and attacker. AVOIDIT KMS will integrate attack information into the GIDA architecture, making it easier for game agents to locate the most relevant defense mechanism.

Figure - AVOIDIT KMS: A Cyber Attack Taxonomy Knowledge Management System