3 articles found
Anomaly Detection in Imbalanced Encrypted Traffic with Few Packet Metadata-Based Feature Extraction
1
Authors: Min-Gyu Kim, Hwankuk Kim. Computer Modeling in Engineering & Sciences (SCIE, EI), 2024, Issue 10, pp. 585-607, 23 pages.
In the IoT (Internet of Things) domain, the increased use of encryption protocols such as SSL/TLS, VPN (Virtual Private Network), and Tor has led to a rise in attacks leveraging encrypted traffic. While research on anomaly detection using AI (Artificial Intelligence) is actively progressing, the encrypted nature of the data poses challenges for labeling, resulting in data imbalance and biased feature extraction toward specific nodes. This study proposes a reconstruction error-based anomaly detection method using an autoencoder (AE) that utilizes packet metadata excluding specific node information. The proposed method omits biased packet metadata such as IP and Port and trains the detection model using only normal data, leveraging a small amount of packet metadata. This makes it well-suited for direct application in IoT environments due to its low resource consumption. In experiments comparing feature extraction methods for AE-based anomaly detection, we found that using flow-based features significantly improves accuracy, precision, F1 score, and AUC (Area Under the Receiver Operating Characteristic Curve) score compared to packet-based features. Additionally, for flow-based features, the proposed method showed a 30.17% increase in F1 score and improved false positive rates compared to Isolation Forest and OneClassSVM. Furthermore, the proposed method demonstrated a 32.43% higher AUC when using packet features and a 111.39% higher AUC when using flow features, compared to previously proposed oversampling methods. This study highlights the impact of feature extraction methods on attack detection in imbalanced, encrypted traffic environments and emphasizes that the one-class method using AE is more effective for attack detection and reducing false positives compared to traditional oversampling methods.
Keywords: One-class anomaly detection; feature extraction; auto-encoder; encrypted traffic; CICIoT2023
A Model Training Method for DDoS Detection Using CTGAN under 5GC Traffic
2
Authors: Yea-Sul Kim, Ye-Eun Kim, Hwankuk Kim. Computer Systems Science & Engineering (SCIE, EI), 2023, Issue 10, pp. 1125-1147, 23 pages.
With the commercialization of 5th-generation mobile communications (5G) networks, a large-scale internet of things (IoT) environment is being built. Security is becoming increasingly crucial in 5G network environments due to the growing risk of various distributed denial of service (DDoS) attacks across vast IoT devices. Recently, research on automated intrusion detection using machine learning (ML) for 5G environments has been actively conducted. However, 5G traffic has insufficient data due to privacy protection problems and imbalance problems with significantly fewer attack data. If this data is used to train an ML model, it will likely suffer from generalization errors due to not training enough different features on the attack data. Therefore, this paper aims to study a training method to mitigate the generalization error problem of the ML model that classifies IoT DDoS attacks even under conditions of insufficient and imbalanced 5G traffic. We built a 5G testbed to construct a 5G dataset for training to solve the problem of insufficient data. To solve the imbalance problem, synthetic minority oversampling technique (SMOTE) and generative adversarial network (GAN)-based conditional tabular GAN (CTGAN) of data augmentation were used. The performance of the trained ML models was compared and meaningfully analyzed regarding the generalization error problem. The experimental results showed that CTGAN decreased the accuracy and f1-score compared to the Baseline. Still, regarding the generalization error, the difference between the validation and test results was reduced by at least 1.7 and up to 22.88 times, indicating an improvement in the problem. This result suggests that the ML model training method that utilizes CTGANs to augment attack data for training data in the 5G environment mitigates the generalization error problem.
Keywords: 5G core traffic; machine learning; SMOTE; GAN-CTGAN; IoT DDoS detection; tabular form; cyber security; B5G mobile network security
Detecting IoT Botnet in 5G Core Network Using Machine Learning
3
Authors: Ye-Eun Kim, Min-Gyu Kim, Hwankuk Kim. Computers, Materials & Continua (SCIE, EI), 2022, Issue 9, pp. 4467-4488, 22 pages.
As Internet of Things (IoT) devices with security issues are connected to 5G mobile networks, the importance of IoT Botnet detection research in mobile network environments is increasing. However, the existing research focused on AI-based IoT Botnet detection research in wired network environments. In addition, the existing research related to IoT Botnet detection in ML-based mobile network environments has been conducted up to 4G. Therefore, this paper conducts a study on ML-based IoT Botnet traffic detection in the 5G core network. The binary and multiclass classification was performed to compare simple normal/malicious detection and normal/three-type IoT Botnet malware detection. In both classification methods, the IoT Botnet detection performance using only 5GC’s GTP-U packets decreased by at least 22.99% of accuracy compared to detection in wired network environment. In addition, by conducting a feature importance experiment, the importance of feature study for IoT Botnet detection considering 5GC network characteristics was confirmed. Since this paper analyzed IoT botnet traffic passing through the 5GC network using ML and presented detection results, we think it will be meaningful as a reference for research to link AI-based security to the 5GC network.
Keywords: IoT botnet; 5G; B5G; malware; machine learning