The management and control of networks can no longer be envisaged without the introduction of artificial intelligence at all stages. Intelligent Network Management and Control deals with topical issues related mainly to the intelligent security of computer networks, the deployment of security services in software-defined networking (SDN), network optimization using artificial intelligence techniques and multicriteria optimization methods for network selection in a heterogeneous environment. This book also covers the selection of cloud computing services, intelligent computation offloading in the context of mobile cloud computing, intelligent resource management in a smart grid-cloud system for better energy efficiency, new architectures for the Internet of Vehicles (IoV), the application of artificial intelligence in cognitive radio networks and the contribution of intelligent radio to meeting the vehicular communication needs of autonomous vehicles.
Cover
Title Page
Copyright
Introduction
PART 1: AI and Network Security
1 Intelligent Security of Computer Networks
1.1. Introduction
1.2. AI in the service of cybersecurity
1.3. AI applied to intrusion detection
1.4. AI misuse
1.5. Conclusion
1.6. References
2 An Intelligent Control Plane for Security Services Deployment in SDN-based Networks
2.1. Introduction
2.2. Software-defined networking
2.3. Security in SDN-based networks
2.4. Intelligence in SDN-based networks
2.5. AI contribution to security
2.6. AI contribution to security in SDN-based networks
2.7. Deployment of an intrusion prevention service
2.8. Stakes
2.9. Conclusion
2.10. References
PART 2: AI and Network Optimization
3 Network Optimization using Artificial Intelligence Techniques
3.1. Introduction
3.2. Artificial intelligence
3.3. Network optimization
3.4. Network application of AI
3.5. Conclusion
3.6. References
4 Multicriteria Optimization Methods for Network Selection in a Heterogeneous Environment
4.1. Introduction
4.2. Multicriteria optimization and network selection
4.3. “Modified-SAW” for network selection in a heterogeneous environment
4.4. Conclusion
4.5. References
PART 3: AI and the Cloud Approach
5 Selection of Cloud Computing Services: Contribution of Intelligent Methods
5.1. Introduction
5.2. Scientific and technical prerequisites
5.3. Similar works
5.4. Surveyed works
5.5. Conclusion
5.6. References
6 Intelligent Computation Offloading in the Context of Mobile Cloud Computing
6.1. Introduction
6.2. Basic definitions
6.3. MCC architecture
6.4. Offloading decision
6.5. AI-based solutions
6.6. Conclusion
6.7. References
PART 4: AI and New Communication Architectures
7 Intelligent Management of Resources in a Smart Grid-Cloud for Better Energy Efficiency
7.1. Introduction
7.2. Smart grid and cloud data center: fundamental concepts and architecture
7.3. State-of-the-art on the energy efficiency techniques of cloud data centers
7.4. State-of-the-art on the decision-aiding techniques in a smart grid-cloud system
7.5. Conclusion
7.6. References
8 Toward New Intelligent Architectures for the Internet of Vehicles
8.1. Introduction
8.2. Internet of Vehicles
8.3. IoV architectures proposed in the literature
8.4. Our proposal of intelligent IoV architecture
8.5. Stakes
8.6. Conclusion
8.7. References
PART 5: Intelligent Radio Communications
9 Artificial Intelligence Application to Cognitive Radio Networks
9.1. Introduction
9.2. Cognitive radio
9.3. Application of AI in CR
9.4. Categorization and use of techniques in CR
9.5. Conclusion
9.6. References
10 Cognitive Radio Contribution to Meeting Vehicular Communication Needs of Autonomous Vehicles
10.1. Introduction
10.2. Autonomous vehicles
10.3. Connected vehicle
10.4. Communication architectures
10.5. Contribution of CR to vehicular networks
10.6. SERENA project: self-adaptive selection of radio access technologies using CR
10.7. Conclusion
10.8. References
List of Authors
Index
End User License Agreement
Chapter 2
Table 2.1. Classification of shared network information (Oktian et al. 2017)
Table 2.2. System configuration of SDN networks
Table 2.3. The most commonly used machine learning techniques for computer security
Table 2.4. Construction of rule heading
Chapter 4
Table 4.1. Weighting methods
Table 4.2. Advantages and drawbacks of multicriteria optimization methods
Table 4.3. Values of simulations
Table 4.4. Input matrix
Table 4.5. Weighting vectors
Table 4.6. Ranking for VoIP
Table 4.7. Ranking for video service
Table 4.8. Ranking for best effort service
Table 4.9. Ranking when one alternative disappears
Chapter 7
Table 7.1. Comparative table of works
Chapter 8
Table 8.1. Comparison of various proposed architectures
Chapter 10
Table 10.1. Various SAE automation levels (source: 2014 SAE International)
Table 10.2. Constraints expressed for road safety vehicular applications
Table 10.3. Constraints expressed for vehicular entertainment applications
Table 10.4. ITS-G5 system
Table 10.5. Table of ITS-G5 frequency allocation in Europe (IEEE 2010)
Chapter 1
Figure 1.1. Progress in image recognition (benchmark ImageNet), “Electronic Frontier Foundation’s AI Progress Measurement”
Figure 1.2. Organizations and countries relying on artificial intelligence to id...
Chapter 2
Figure 2.1. Simplified SDN architecture (Zhang et al. 2017)
Figure 2.2. Control plane distribution models
Figure 2.3. Architecture of IPSec tunnel service deployment in an SDN-based netw...
Figure 2.4. Tunnel deployment process
Figure 2.5. Logical topology of the test bed
Figure 2.6. Physical topology of the test bed
Figure 2.7. (A) Performance of the deployment of IPSec security service on SDN. ...
Figure 2.7. (B) Performance of the deployment of IPSec security service on SDN. ...
Figure 2.8. Architecture of signature learning service
Figure 2.9. Architecture of a Learning Node (LN)
Figure 2.10. Architecture of an intelligent SDN with IDS
Figure 2.11. Interactions between components of data architecture
Chapter 3
Figure 3.1. Analogy square of ES
Figure 3.2. Artificial neural network (Decourt 2018)
Chapter 4
Figure 4.1. A heterogeneous environment (Bendaoud 2018)
Figure 4.2. Heterogeneous environment (Bendaoud 2018)
Figure 4.3. Network selection process (Bendaoud et al. 2018b)
Figure 4.4. Network selection process
Figure 4.5. Delay and lost packets comparison for N(0) and N(4). For a color ver...
Figure 4.6. Throughput and delay comparison for N(5) and N(4). For a color versi...
Figure 4.7. Comparison between N(2) and N(4). For a color version of this figure...
Figure 4.8. Comparison between N(2) and N(1). For a color version of this figure...
Chapter 5
Figure 5.1. Public deployment of cloud computing. For a color version of this fi...
Figure 5.2. Private deployment of cloud computing. For a color version of this f...
Figure 5.3. Community deployment of cloud computing. For a color version of this...
Figure 5.4. Distribution of customer/provider management in a cloud computing en...
Chapter 6
Figure 6.1. Conversion of an application code into a weighted relation graph (Mo...
Figure 6.2. Stages of offloading decision
Figure 6.3. Star graph
Figure 6.4. Generic architecture of MCC (Gupta and Gupta 2012)
Figure 6.5. B&B tree
Figure 6.6. Chromosome
Chapter 7
Figure 7.1. Smart grid network architecture. For a color version of this figure...
Figure 7.2. Generation, transportation and distribution systems in the smart gri...
Figure 7.3. Interaction of data centers with the smart grid and its users
Figure 7.4. Fog–cloud computing system
Figure 7.5. Example of smart micro-grid-cloud architecture. For a color version ...
Chapter 8
Figure 8.1. Presentation of C-ITS architecture
Figure 8.2. Presentation of IoV architectures described in the literature
Figure 8.3. Our proposal
Chapter 9
Figure 9.1. Learning process in cognitive radio networks (Abbas et al. 2015)
Figure 9.2. V-shaped formation of Anser flight (Bestaoui 2015)
Chapter 10
Figure 10.1. Autonomous vehicle (Hubaux 2005)
Figure 10.2. Illustration of C-ITS systems (ETSI 2010)
Figure 10.3. Reference architecture of an ITS station (ETSI 2010)
Figure 10.4. Cognition loop
Figure 10.5. The main problems related to CR in the literature (Singh et al. 201...
Figure 10.6. Example of cognitive loop of the SERENA project
SCIENCES
Networks and Communications, Field Director – Guy Pujolle
Network Management and Control, Subject Head – Francine Krief
Coordinated by
Badr Benmammar
First published 2020 in Great Britain and the United States by ISTE Ltd and John Wiley & Sons, Inc.
Apart from any fair dealing for the purposes of research or private study, or criticism or review, as permitted under the Copyright, Designs and Patents Act 1988, this publication may only be reproduced, stored or transmitted, in any form or by any means, with the prior permission in writing of the publishers, or in the case of reprographic reproduction in accordance with the terms and licenses issued by the CLA. Enquiries concerning reproduction outside these terms should be sent to the publishers at the undermentioned address:
ISTE Ltd
27-37 St George’s Road
London SW19 4EU
UK
www.iste.co.uk
John Wiley & Sons, Inc.
111 River Street
Hoboken, NJ 07030
USA
www.wiley.com
© ISTE Ltd 2020
The rights of Badr Benmammar to be identified as the author of this work have been asserted by him in accordance with the Copyright, Designs and Patents Act 1988.
Library of Congress Control Number: 2020937506
British Library Cataloguing-in-Publication Data
A CIP record for this book is available from the British Library
ISBN 978-1-78945-008-8
ERC code:
PE7 Systems and Communication Engineering
PE7_1 Control engineering
PE7_8 Networks (communication networks, sensor networks, networks of robots, etc.)
Badr BENMAMMAR
Abou Bekr Belkaid University, Tlemcen, Algeria
Computer network management and control previously involved mainly technical tasks of network equipment maintenance, with the goal of ensuring proper operation and further development.
With the ubiquity of computer networks and the steadily growing number of applications able to operate over a network (and more generally over the Internet), the management and control of a computer network can no longer do without artificial intelligence at any of its stages.
This is what our introductory book on the intelligent management and control of computer networks endeavors to demonstrate. Our aim is to present the use of artificial intelligence in networks through their intelligent control.
The main objective of artificial intelligence is to design systems able to replicate human behavior in its reasoning activities. Defining artificial intelligence is nevertheless not a simple task: the field is so broad that it cannot be narrowed down to a single area of research.
According to the definition given by one of its creators, Marvin Lee Minsky, artificial intelligence is “the construction of computer programs that engage in tasks that are currently more satisfactorily performed by human beings because they require high-level mental processes such as: perceptual learning, memory organization and critical reasoning”.
In computer networks, artificial intelligence applications relate to several domains, such as intelligent radio communications, new communication architectures, cloud computing, network optimization and security.
This book addresses topical issues that are mainly related to intelligent security for computer networks, the deployment of security services in software-defined networking (SDN), network optimization by means of artificial intelligence techniques and multicriteria optimization methods for network selection in a heterogeneous environment. The book also deals with the selection of cloud computing services, intelligent computation offloading in the context of mobile cloud computing, smart resource management in a smart grid-cloud system for better energy efficiency, new architectures for the Internet of Vehicles (IoV), the application of artificial intelligence in cognitive radio networks and, finally, the contribution of intelligent radio to addressing the road communication needs of autonomous vehicles.
The various subjects dealt with in this book are organized in parts, each of which contains two chapters. This structure is intended to make it easier for the reader to comprehend the contribution of artificial intelligence to each specific field.
Abderrazaq SEMMOUD and Badr BENMAMMAR
Abou Bekr Belkaid University, Tlemcen, Algeria
Artificial intelligence (AI) and machine learning have progressed rapidly in recent years, facilitating the development of a broad range of applications. For example, AI is an essential component of widely used technologies such as automatic speech recognition, machine translation, spam filters and facial recognition. Promising technologies are currently the subject of research or small-scale pilot projects, among them self-driving cars, digital assistants and AI-enabled drones. Looking further into the future, advanced AI may reduce the need for human labor and improve the quality of governance.
A wide variety of tasks can be automated using AI; games, car driving and image classification are among those most commonly studied by AI researchers. At the very least, every task requiring human intelligence is a potential target for AI innovation. While the field of AI dates back to the 1950s, several years of rapid progress and growth have recently led to much higher reliability, and researchers have accomplished sudden performance gains in a number of fields. Figure 1.1 illustrates this trend for image recognition, where over the past few years AI systems have increased their classification accuracy from about 70% to nearly perfect (98%), surpassing the human reference (95%) (Brundage et al. 2018).
Figure 1.1.Progress in image recognition (benchmark ImageNet), “Electronic Frontier Foundation’s AI Progress Measurement” (August 2017)
From a security perspective, a number of AI developments are worth mentioning. For example, target face recognition and spatial navigation capacities are applicable to autonomous weapons systems. Similarly, image, text and voice generation could be used online to impersonate other persons or to influence public opinion by disseminating AI-generated content via social networks. These technical developments can also be considered early indicators of the potential of AI: unsurprisingly, AI systems may soon qualify for an even wider range of security-related tasks.
Information security is defined as the protection of computer systems against any unauthorized access, use, disruption, modification or destruction in order to provide confidentiality, integrity and availability (Peltier 2010). Information security does not refer to any particular security technology, but rather to a strategy involving the persons, processes, rules and tools required to detect, prevent, document and mitigate current threats. With increasingly interconnected networks, security services are becoming ever more important. Connectivity is no longer optional in the commercial world, and its advantages outweigh its potential risks. Consequently, cybersecurity services should offer adequate protection to companies operating in a relatively open environment. Compared to classical approaches to computer security, several new assumptions must be made about current computer networks:
– modern networks are very large and further interconnected, and they are more accessible; consequently, potential attackers can easily connect and access these networks remotely;
– network interconnection increases the probability of attacks directed at large size networks such as the Internet by means of a set of widely known and open protocols.
The complexity of computer systems and applications is steadily growing. Consequently, it has become increasingly difficult to correctly analyze, secure and test computer system security. When these systems and their applications are connected to large networks, the risk of threats increases significantly. To adequately protect computer networks, the deployed procedures and technologies must ensure (Khidzir et al. 2018):
– confidentiality: only authorized users have access to sensitive information;
– integrity: only authorized users can modify sensitive information; integrity can also ensure data authenticity;
– availability: authorized users have uninterrupted access to resources and important data.
The confidentiality, integrity and availability triad is a fundamental concept of information security. Each organization strives to ensure these three elements of the information system. Confidentiality prevents unauthorized disclosure of sensitive information (Kumar et al. 2018). Integrity prevents any unauthorized modification of information, thus ensuring information accuracy. Cryptographic hashing functions (such as SHA-1 or SHA-2) can be used to ensure data integrity. Availability prevents loss of access to resources and information (Kumar et al. 2018).
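The integrity check mentioned above can be sketched with a cryptographic hash: the digest of a message is stored, and any later modification is detected because the recomputed digest no longer matches. A minimal sketch using SHA-256 (a SHA-2 variant; the message contents are illustrative):

```python
import hashlib

def sha256_digest(data: bytes) -> str:
    """Return the hexadecimal SHA-256 digest of the given bytes."""
    return hashlib.sha256(data).hexdigest()

# A stored digest lets the receiver detect any later modification.
message = b"allow admin-login from 10.0.0.0/8"     # illustrative payload
stored = sha256_digest(message)

tampered = b"allow admin-login from 0.0.0.0/0"
assert sha256_digest(message) == stored    # unchanged data verifies
assert sha256_digest(tampered) != stored   # any modification changes the digest
```

Note that a bare hash only detects modification as long as the stored digest itself cannot be tampered with; when the attacker may alter both, a keyed construction such as an HMAC, or a digital signature, is used instead.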
AI systems are generally efficient, requiring less time and money than a human being to fulfill a given task. AI systems are also scalable: their computation power enables the completion of far more tasks in the same amount of time. For example, a typical facial recognition system is both efficient and scalable; once developed, it can be applied to numerous camera feeds at a significantly lower cost than that of human analysts employed to perform a similar job. This explains why cybersecurity experts are seriously looking into AI and its potential contribution to mitigating certain problems. For example, the machine learning used by many AI algorithms can help detect malware, which is increasingly difficult to identify and isolate due to its growing capacity to adapt to traditional security solutions (Veiga 2018).
The Capgemini Research Institute conducted a survey of 850 senior executives from seven large industry sectors: among the top management members included in this survey, 20% are information systems managers and 10% are responsible for information systems security. Companies headquartered in France, Germany, the United Kingdom, the United States, Australia, India and Italy are mentioned in the report (Capgemini Research Institute 2019). Capgemini noted that, as companies go digital, their cyberattack risk increases exponentially. In 2018, 21% of companies declared having experienced a cybersecurity breach leading to unauthorized access, and the price companies pay for such breaches is heavy (20% declared losses of over 50 million dollars). According to this survey, 69% of companies consider that they need AI to counteract cyberattacks. The majority of telecommunications companies (80%) declared that they rely on AI to identify threats and counteract attacks. According to the Capgemini report, the telecommunications sector declared the highest losses (over 50 million dollars), which led to AI being considered a priority for counteracting costly breaches in this sector. Understandably, consumer goods retailers (78%) and banks (75%) came second and third in this ranking, as these sectors increasingly rely on digital models. Companies based in the United States give top priority to AI-based cybersecurity applications and platforms.
Figure 1.2.Organizations and countries relying on artificial intelligence to identify threats and counteract attacks
New vulnerabilities are discovered every day in today’s programs, and these may infect and take control of a company’s entire network. In contrast to traditional software vulnerabilities (for example, buffer overflow), current intelligent systems exhibit a number of vulnerabilities of their own. These include, in particular, data inputs that cause learning systems to err (Biggio et al. 2012), the exploitation of flaws in the design of autonomous systems’ objectives (Amodei et al. 2016) and the use of inputs designed to fool the classification of machine learning systems (Szegedy et al. 2013). As these vulnerabilities show, intelligent systems may outperform humans, but their potential failures are also unrivaled.
An ideal cyberdefense would offer full protection to users while preserving system performance. Although this ideal may currently seem very distant, steps could be taken toward it by rendering cyberdefense more intelligent. The idea of using AI techniques in cybersecurity is not new. Landwehr (2008) states that, at their start, computer security and AI did not seem to have much in common: researchers in the field of AI wanted computers to do by themselves what humans were able to do, whereas researchers in the security field tried to fix the flaws in computer systems, which they considered vulnerable. According to Schneier (2008), “The Internet is the most complex machine ever built. We barely understand how it works, not to mention how to secure it”. Given the rapid multiplication of new web applications and the increasing use of wireless networks (Barth and Mitchell 2008) and the Internet of Things, cybersecurity has become the most complex threat to society.
The need to secure web applications against attacks (such as Cross-Site Scripting [XSS], Cross-Site Request Forgery [CSRF] and code injection) is increasingly obvious and pressing. Over time, XSS and CSRF scripts have been used to conduct various attacks, some of which can be interpreted as direct bypasses of the same-origin policy. This policy seemed a simple and efficient protection, but it turned out that it could be easily bypassed while also blocking certain functionalities of modern websites. According to Crockford (2015), the security policies adopted by most browsers “block useful contents and authorize dangerous contents”. These policies are currently being reviewed. However, detecting attacks such as XSS, CSRF or code injection requires more than a simple rule, namely a context-dependent reasoning capacity.
The use of AI in cybersecurity generally involves certain smart tools and their application to intrusion detection (Ahmad et al. 2016; Kalaivani et al. 2019) or other aspects of cybersecurity (Ahlan et al. 2015). This approach relies on AI techniques developed for problems entirely different from cybersecurity; it may work in certain cases, but it has inherent and strict limitations. Cybersecurity has specific needs, and meeting them requires new, purpose-built AI techniques. AI has obviously made substantial progress in certain fields, but there is still a need to develop new intelligent techniques adapted to cybersecurity. In this context, according to Landwehr (2008), one “AI branch related to computer security from its earliest age is automated reasoning, particularly when applied to programs and systems. Though the SATAN program of Dan Farmer and Wietse Venema, launched in 1995, has not yet been identified as AI, it has automated a process searching for vulnerabilities in system configurations that would require much more human efforts”. Ingham et al. (2007) proposed an inductive reasoning system for the protection of web applications. The works of Vigna and co-workers (Mutz et al. 2007; Cova et al. 2007, 2010; Kirdaa et al. 2009; Robertson et al. 2010) have also dealt with the protection of web applications against cyberattacks.
Firewalls using deep packet inspection can be considered a sort of AI instantiation in cybersecurity. Firewalls have been part of the cyberdefense arsenal for many years; traditionally, filtering has relied on the port number, although more sophisticated techniques (Mishra et al. 2011; Valentín and Malý 2014; Tekerek and Bay 2019) are also used in most cases. However, firewalls can no longer rely on the port number alone, as most web applications use the same port as the rest of the web traffic. Deep packet inspection is the only option enabling the identification of malware code inside a legitimate application. The idea of filtering at the application layer of the Transmission Control Protocol/Internet Protocol (TCP/IP) model was introduced in the third generation of firewalls in the 1990s. The modest success of these technologies indicates that much remains to be done before AI can make a significant difference in terms of cybersecurity. Nevertheless, it is worth noting that using AI in cybersecurity is not necessarily a miracle solution. For example, malware-free attacks, which require no software download and dissimulate malicious activity inside legitimate cloud computing services, are on the increase, and AI is not yet able to counteract these types of network breach.
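The deep packet inspection idea can be illustrated with a naive signature matcher: since port numbers no longer discriminate between web applications, the payload itself is scanned for known malicious byte patterns. The signatures below are illustrative, not taken from any real ruleset:

```python
# Illustrative byte signatures; real DPI engines use large curated rulesets.
SIGNATURES = [b"<script>", b"' OR '1'='1", b"../../etc/passwd"]

def inspect_payload(payload: bytes) -> bool:
    """Return True if any known malicious signature occurs in the payload."""
    return any(sig in payload for sig in SIGNATURES)

# Both requests arrive on the same port; only payload inspection tells them apart.
assert inspect_payload(b"GET /?q=<script>alert(1)</script> HTTP/1.1")
assert not inspect_payload(b"GET /index.html HTTP/1.1")
```

Such substring matching is only a sketch of the simplest signature approach; it misses encoded or fragmented payloads, which is precisely where more intelligent, context-aware techniques become necessary.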
Intrusion detection is defined as the process of intelligently monitoring the events occurring in a computer system or network and analyzing them for signs of security policy breach (Bace 2000). The main objective of intrusion detection systems is to protect network availability, confidentiality and integrity. Intrusion detection systems are characterized both by the method used to detect attacks and by their location in the network: a system can be deployed as network-based or host-based. Misuse detection matches known models of hostile activity against a database of previous attacks; these models are very effective for identifying known attacks and vulnerabilities, but less relevant for identifying new security threats. Anomaly detection looks for something rare or uncommon, applying statistical or intelligent measurements to compare current activity to previous knowledge. A drawback of such systems is that their machine learning algorithms often need large amounts of data, and they generally require more computing resources, as several metrics often have to be preserved and updated for each system activity (Ahmad et al. 2016). The intrusion detection expert system (IDES) (Lunt 1993), developed by the Stanford Research Institute (SRI), formulates expert knowledge of known attack models and system vulnerabilities in the form of if–then rules. The time-based inductive machine (Teng and Chen 1990) learns sequential models to detect anomalies in a network. Several approaches using artificial neural networks for intrusion detection have been proposed (Kang and Kang 2016; Kim et al. 2016; Vinayakumar et al. 2017; Hajimirzaei and Navimipour 2019). AI-based techniques fall into various classes (Mukkamala and Sung 2003a; Novikov et al. 2006).
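The statistical flavor of anomaly detection described above can be sketched in a few lines: a profile of normal activity is summarized by its mean and standard deviation, and a new observation is flagged when its deviation from the mean exceeds a threshold. The metric (connections per minute) and the threshold are illustrative:

```python
from statistics import mean, stdev

def is_anomalous(history, value, threshold=3.0):
    """Flag an observation whose z-score against past activity exceeds threshold."""
    mu, sigma = mean(history), stdev(history)
    return abs(value - mu) / sigma > threshold

# Connections per minute observed during normal operation (illustrative profile).
normal_rates = [52, 48, 50, 55, 47, 51, 49, 53, 50, 46]
assert not is_anomalous(normal_rates, 54)   # within normal variation
assert is_anomalous(normal_rates, 400)      # a burst typical of a scan or flood
```

This is the simplest possible profile; real systems maintain many such metrics per host or per user, which is exactly the resource cost the text mentions.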
Decision trees are powerful and widespread nonparametric learning tools used for classification and prediction problems. Their purpose is to create a model that predicts the values of the target variable based on a set of decision rules deduced from training data. Rai et al. (2016) developed an algorithm based on the C4.5 decision tree approach: the most relevant characteristics are selected by means of information gain, and the split value is chosen so as to render the classifier unbiased with respect to the most frequent values. In the work of Sahu and Babu (2015), a database referred to as “Kyoto 2006+” is used for the experiments; each instance is labeled as “normal” (no attack), “attack” (known attack) or “unknown attack”. The decision tree algorithm (J48) is used to classify the packets, and experiments confirm that the generated rules operate with 97.2% accuracy. Moon et al. (2017) proposed an intrusion detection system based on decision trees that uses packet behavior analysis to detect attacks. Peng et al. (2018) proposed a technique that involves preprocessing for data digitization, followed by normalization, in order to improve detection efficiency; a decision-tree-based method is then applied.
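The information gain criterion used by C4.5-style trees can be made concrete: the feature chosen for a split is the one that most reduces the entropy of the class labels. A minimal sketch on toy connection records (the features and labels are illustrative):

```python
from math import log2
from collections import Counter

def entropy(labels):
    """Shannon entropy of a list of class labels, in bits."""
    n = len(labels)
    return -sum((c / n) * log2(c / n) for c in Counter(labels).values())

def information_gain(rows, labels, feature):
    """Entropy reduction obtained by splitting the dataset on one feature."""
    total = entropy(labels)
    by_value = {}
    for row, label in zip(rows, labels):
        by_value.setdefault(row[feature], []).append(label)
    remainder = sum(len(subset) / len(labels) * entropy(subset)
                    for subset in by_value.values())
    return total - remainder

# Toy connection records labeled attack/normal.
rows = [{"proto": "tcp", "flag": "SYN"}, {"proto": "tcp", "flag": "ACK"},
        {"proto": "udp", "flag": "SYN"}, {"proto": "udp", "flag": "ACK"}]
labels = ["attack", "normal", "attack", "normal"]

# "flag" perfectly predicts the label (gain of 1 bit); "proto" tells us nothing.
assert information_gain(rows, labels, "flag") == 1.0
assert information_gain(rows, labels, "proto") == 0.0
```

C4.5 itself prefers the gain ratio (gain normalized by the split's own entropy) to avoid favoring many-valued features, but the gain computation above is the core of both.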
Data mining aims to eliminate the manual elements in the design of intrusion detection systems. Various data mining techniques have been developed and widely used; the main ones are presented in the following sections.
Fuzzy logic has been used in the field of computer network security, particularly for intrusion detection (Idris and Shanmugam 2005; Shanmugavadivu and Nagarajan 2011; Balan et al. 2015; Kudłacik et al. 2016; Sai Satyanarayana Reddy et al. 2019), for two main reasons. First, several quantitative parameters used in the context of intrusion detection, for example processor use time and connection interval, can potentially be considered fuzzy variables. Second, the concept of security is itself fuzzy; in other words, the fuzzy approach avoids drawing a sharp boundary between normal and abnormal behavior. Kudłacik et al. (2016) applied fuzzy logic to intrusion detection. The proposed solution analyzes user activity over a relatively short period of time, creating a local user profile. A more in-depth analysis builds a more general structure from a defined number of local user profiles, known as a “fuzzy profile”, which represents the behavior of the computer system user. Fuzzy profiles are used directly to detect anomalies in user behavior, and therefore potential intrusions. Idris and Shanmugam (2005) proposed a modified FIRE system, a mechanism that uses AI techniques to automate the fuzzy rule generation process and reduce human intervention.
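The appeal of fuzzy variables for intrusion detection can be illustrated with membership functions: instead of a hard threshold, a parameter such as CPU usage belongs to the set "high" to a degree between 0 and 1, and a rule combines such degrees. The membership ranges and the rule below are illustrative:

```python
def triangular(x, a, b, c):
    """Triangular membership function: 0 outside [a, c], peaking at b."""
    if x <= a or x >= c:
        return 0.0
    return (x - a) / (b - a) if x <= b else (c - x) / (c - b)

def suspicion(cpu_usage, failed_logins):
    """Fire one fuzzy rule: IF cpu is high AND failed logins are many
    THEN activity is suspicious. min() implements the fuzzy AND; the
    result is a degree of suspicion, not a yes/no verdict."""
    cpu_high = triangular(cpu_usage, 60, 90, 101)        # % CPU
    logins_many = triangular(failed_logins, 3, 10, 16)   # attempts/min
    return min(cpu_high, logins_many)

assert suspicion(95, 12) > suspicion(70, 4)   # clearly suspicious vs borderline
assert suspicion(30, 1) == 0.0                # normal activity: rule does not fire
```

Avoiding the sharp normal/abnormal boundary is exactly the property the text attributes to fuzzy intrusion detection: borderline activity yields a small but nonzero degree instead of a binary decision.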
Genetic algorithms are techniques derived from genetics and natural evolution, which have been used to find approximate solutions to optimization and search problems. The main advantages of genetic algorithms are their flexibility and robustness as a global search method. As for drawbacks, they are computationally expensive, since they handle several candidate solutions simultaneously. Genetic algorithms have been used in various manners in the field of intrusion detection (Hoque et al. 2012; Aslahi-Shahri et al. 2016; Hamamoto et al. 2018). Hoque et al. (2012) presented an intrusion detection system using a genetic algorithm to effectively detect anomalies in the network. Aslahi-Shahri et al. (2016) proposed a hybrid method that uses support vector machines and genetic algorithms for intrusion detection. The results indicate that this algorithm can reach a 97.3% true positive rate and a 1.7% false positive rate.
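A minimal sketch of a genetic algorithm, here applied to feature-subset selection, is shown below. The bit-string encoding, the stand-in fitness function and all parameter values are illustrative assumptions and do not reproduce the setups of the cited works; in a real system the fitness would be a detector's accuracy on validation data.

```python
import random

random.seed(0)

N_FEATURES = 8
TARGET = [1, 0, 1, 1, 0, 0, 1, 0]  # pretend this subset maximizes detection rate

def fitness(individual):
    """Stand-in for a detector's accuracy when trained on this feature subset."""
    return sum(a == b for a, b in zip(individual, TARGET))

def evolve(pop_size=20, generations=40, p_mut=0.1):
    pop = [[random.randint(0, 1) for _ in range(N_FEATURES)]
           for _ in range(pop_size)]
    for _ in range(generations):
        pop.sort(key=fitness, reverse=True)
        parents = pop[: pop_size // 2]             # truncation selection (elitist)
        children = []
        while len(children) < pop_size - len(parents):
            a, b = random.sample(parents, 2)
            cut = random.randrange(1, N_FEATURES)  # one-point crossover
            child = a[:cut] + b[cut:]
            child = [g ^ (random.random() < p_mut) for g in child]  # bit-flip mutation
            children.append(child)
        pop = parents + children
    return max(pop, key=fitness)

best = evolve()
print(best, fitness(best))
```

Because the best individuals are carried over unchanged each generation, fitness never decreases, which is one common way to keep the stochastic search stable.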
Rule-based techniques (Li et al. 2010; Yang et al. 2013) generally apply a set of association rules for data classification. In this context, a rule stipulates that if event X occurs, then event Y is likely to occur, where events X and Y are described as sets of (variable, value) pairs. The advantage of using rules is that they tend to be simple, intuitive, unstructured and less rigid. Nevertheless, a drawback is that rules are difficult to maintain and, in certain cases, inadequate for representing various types of information.
Turner et al. (2016) developed an algorithm for monitoring the enabled/disabled state of the rules of a signature-based intrusion detection system. The algorithm is implemented in Python and runs on Snort (Roesch 1999). Agarwal and Joshi (2000) proposed a general two-stage framework for learning a rule-based model (PNrule) in order to learn classifier models on a dataset. They made extensive use of various class distributions in the learning data. The KDD Cup database was used for training and testing their system.
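The (variable, value) rule representation described above can be sketched as follows; the rules, field names and the example record are invented for illustration and do not correspond to Snort or PNrule rule syntax.

```python
# Each rule maps a set of (variable, value) conditions to a conclusion.
RULES = [
    ({"protocol": "tcp", "flag": "S0"}, "syn-flood suspected"),
    ({"service": "ftp", "failed_logins": "many"}, "brute force suspected"),
]

def classify(record):
    """Return the conclusions of every rule whose conditions the record satisfies."""
    return [label for cond, label in RULES
            if all(record.get(k) == v for k, v in cond.items())]

event = {"protocol": "tcp", "flag": "S0", "service": "http"}
print(classify(event))
```

The simplicity is apparent here, as is the maintenance drawback noted above: every new attack variant requires hand-editing the rule set.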
Machine learning can be defined as the capacity of a program to learn and to improve its performance on a series of tasks over time. Machine learning techniques focus on building a model of the system that improves its performance based on previous results. It can also be said that machine learning–based systems have the capacity to adapt their execution strategy to new inputs. The main machine learning techniques are presented in the following sections.
Artificial neural networks learn to predict the behavior of the various users of a system. If correctly designed and implemented, neural networks can potentially solve several problems encountered by rule-based approaches. The main advantages of neural networks are their tolerance to inaccurate data and uncertain information, and their capacity to deduce solutions without prior knowledge of regularities in the data. Cunningham and Lippmann (2000) of MIT Lincoln Laboratory conducted a number of tests using neural networks; their system searched for attack-specific keywords in the network traffic. In Ponkarthika and Saraswathy (2018), an intrusion detection model based on deep learning is explored: a long short-term memory (LSTM) architecture was applied to a recurrent neural network for learning an intrusion detection system on the KDD Cup 1999 dataset.
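As a minimal illustration of neural learning, the sketch below trains a single perceptron neuron on toy two-feature traffic records; the features, the data and the learning rate are invented, and this is of course far simpler than the LSTM models used in the cited works.

```python
def perceptron_train(samples, labels, epochs=20, lr=0.1):
    """Train a single neuron to separate normal (0) from attack (1) records."""
    w = [0.0] * len(samples[0])
    b = 0.0
    for _ in range(epochs):
        for x, y in zip(samples, labels):
            pred = 1 if sum(wi * xi for wi, xi in zip(w, x)) + b > 0 else 0
            err = y - pred                       # 0 when correct, +/-1 otherwise
            w = [wi + lr * err * xi for wi, xi in zip(w, x)]
            b += lr * err
    return w, b

# Toy features: (packet rate, failed-login rate), scaled to [0, 1].
X = [(0.1, 0.0), (0.2, 0.1), (0.9, 0.8), (0.8, 0.9)]
y = [0, 0, 1, 1]
w, b = perceptron_train(X, y)
preds = [1 if sum(wi * xi for wi, xi in zip(w, x)) + b > 0 else 0 for x in X]
print(preds)
```

For linearly separable data like this toy set, the perceptron rule converges to a separating hyperplane; deeper networks extend the same weight-update idea to nonlinear boundaries.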
A Bayesian network is a probabilistic graphical model representing a set of random variables in the form of a directed acyclic graph. This technique is generally used for intrusion detection in combination with statistical schemes. It has several advantages, notably the capacity to encode the interdependences between variables and to predict events, as well as the possibility of integrating both prior knowledge and prior data (Heckerman 2008). Its major drawback is that its results are comparable to those of statistical techniques while requiring additional computational effort. Kruegel et al. (2003) proposed a multisensor fusion approach using a Bayesian network–based classifier for the classification and suppression of false alarms, in which the outputs of the various sensors of the intrusion detection system are aggregated to generate a single alarm. Han et al. (2015) proposed an intrusion detection algorithm based on Bayesian networks and principal component analysis: the authors compute the characteristic data values of the attack on the original network, and then extract the main properties by principal component analysis.
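As a compact illustration, the sketch below implements a naive Bayes classifier, i.e. the simplest Bayesian network, in which every feature node depends only on the class node. The toy records, the Laplace smoothing and the assumed vocabulary size are illustrative, not the structure used in the cited works.

```python
import math
from collections import Counter, defaultdict

def train_nb(records, labels):
    """Fit per-class feature-value frequencies."""
    classes = Counter(labels)
    counts = defaultdict(Counter)   # (class, feature index) -> value counts
    for rec, y in zip(records, labels):
        for i, v in enumerate(rec):
            counts[(y, i)][v] += 1
    return classes, counts

def predict_nb(rec, classes, counts, vocab=3):
    """Most probable class; vocab is an assumed values-per-feature count
    used for Laplace smoothing of unseen values."""
    total = sum(classes.values())
    best, best_lp = None, -math.inf
    for y, ny in classes.items():
        lp = math.log(ny / total)   # log prior
        for i, v in enumerate(rec):
            lp += math.log((counts[(y, i)][v] + 1) / (ny + vocab))
        if lp > best_lp:
            best, best_lp = y, lp
    return best

X = [("tcp", "S0"), ("tcp", "S0"), ("udp", "SF"), ("tcp", "SF")]
y = ["attack", "attack", "normal", "normal"]
model = train_nb(X, y)
print(predict_nb(("tcp", "S0"), *model))
```

A full Bayesian network would additionally encode dependencies between the features themselves, at the cost of the extra computation noted above.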
A Markov chain is a random process over a finite number of states, with memoryless transition probabilities. During the learning phase, the probabilities associated with transitions are estimated from the normal behavior of the target system. Anomaly detection is then achieved by comparing the anomaly score obtained for the observed sequences against a fixed threshold. In the case of a hidden Markov model (Hu et al. 2009; Zegeye et al. 2018; Liang et al. 2019), the system of interest is assumed to be a Markov process whose states and transitions are hidden. In the literature, several methods have been presented for solving the intrusion detection problem by inspecting packet headers. Mahoney and Chan (2001) experimented with anomaly detection on DARPA network data by comparing the header fields of network packets. Several systems use the Markov model for intrusion detection: PHAD (Packet Header Anomaly Detector) (Mahoney and Chan 2001), LERAD (Learning Rules for Anomaly Detection) (Mahoney and Chan 2002a) and ALAD (Application Layer Anomaly Detector) (Mahoney and Chan 2002b). In Zegeye et al. (2018), an intrusion detection system using a hidden Markov model is proposed. The network traffic analysis phase involves feature extraction, dimensionality reduction and vector quantization techniques, which play an important role for large datasets, as the amount of transmitted data increases every day. The model's performance on the KDD 99 dataset indicates an accuracy above 99%.
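The scheme described above — estimate transition probabilities from normal behavior, then score observed sequences against a fixed threshold — can be sketched as follows. The event alphabet, the probability floor for unseen transitions and the threshold value are illustrative assumptions.

```python
import math
from collections import Counter

def fit_transitions(sequences):
    """Estimate transition probabilities from normal-behavior sequences."""
    pairs, starts = Counter(), Counter()
    for seq in sequences:
        for a, b in zip(seq, seq[1:]):
            pairs[(a, b)] += 1
            starts[a] += 1
    return {k: v / starts[k[0]] for k, v in pairs.items()}

def anomaly_score(seq, trans, floor=1e-6):
    """Negative mean log-likelihood of the observed transitions;
    unseen transitions get a small floor probability."""
    lps = [math.log(trans.get((a, b), floor)) for a, b in zip(seq, seq[1:])]
    return -sum(lps) / len(lps)

normal = [["open", "read", "close"], ["open", "read", "read", "close"]]
trans = fit_transitions(normal)
THRESHOLD = 5.0  # illustrative threshold
print(anomaly_score(["open", "read", "close"], trans) > THRESHOLD)  # expected normal
print(anomaly_score(["open", "exec", "close"], trans) > THRESHOLD)  # expected anomalous
```

A hidden Markov model generalizes this by making the states latent and inferring them from observations, rather than reading them directly from the event stream.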
The support-vector machine is a technique used for solving various learning, classification and prediction problems. It implements the structural risk minimization (SRM) principle of Vapnik (1998), which minimizes the generalization error, in the sense of the true error on unseen examples. The basic support-vector machine addresses two-class problems, in which data are separated by a hyperplane defined by a certain number of support vectors. Support vectors are a subset of the learning data that define the boundary between the two classes. When the support-vector machine cannot separate the two classes linearly, it maps the input data into a high-dimensional feature space by means of a kernel function. In the high-dimensional space, it is possible to construct a hyperplane enabling a linear separation (which corresponds to a curved surface in the lower-dimensional input space). Consequently, the kernel function plays an important role in the support-vector machine. In practice, various kernel functions can be used, such as linear, polynomial or Gaussian kernels. A remarkable property of the support-vector machine is that its learning capacity does not depend on the dimensionality of the feature space. This means that the support-vector machine can generalize well even when given numerous features. Mukkamala and Sung (2003b) showed the many advantages of the support-vector machine compared to other techniques: support-vector machines surpass neural networks in terms of scalability, learning time, runtime and prediction accuracy. Mukkamala and Sung (2003a) also applied support-vector machines to the extraction of intrusion detection features from KDD files. They showed empirically that the features selected using the support-vector machine yielded results similar to those obtained with the full feature set; this reduction in the number of features lowers the computational effort. Chen et al. (2005) also found that support-vector machines surpassed neural networks.
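The role of the kernel function can be made concrete: a degree-2 polynomial kernel computes the inner product of an explicit high-dimensional feature map without ever constructing that map. The sketch below verifies this equality on a toy pair of points (the points and the specific kernel are chosen for illustration).

```python
import math
from itertools import combinations

def poly_kernel(x, y):
    """Degree-2 polynomial kernel: (x . y + 1) ** 2."""
    return (sum(a * b for a, b in zip(x, y)) + 1) ** 2

def phi(x):
    """Explicit degree-2 feature map whose inner product equals the kernel."""
    return ([1.0]
            + [math.sqrt(2) * a for a in x]
            + [a * a for a in x]
            + [math.sqrt(2) * x[i] * x[j]
               for i, j in combinations(range(len(x)), 2)])

x, y = (1.0, 2.0), (3.0, 4.0)
explicit = sum(a * b for a, b in zip(phi(x), phi(y)))
print(poly_kernel(x, y), round(explicit, 6))
```

For 2D inputs the map is only 6-dimensional, but for a Gaussian kernel the implicit space is infinite-dimensional, which is why the kernel shortcut matters: a linear separation in that space corresponds to a curved boundary in the original input space.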
Clustering techniques operate by organizing the observed data into groups, based on a given similarity or distance measure. Similarity can be measured using the cosine formula, the binary weighted cosine formula proposed by Rawat (2005) or other formulas. The most common clustering procedure selects a representative point for each cluster; each new data point is then assigned to a cluster based on its proximity to the corresponding representative point. There are at least two approaches to clustering-based anomaly detection. In the first approach, the anomaly detection model is trained using unlabeled data that include both normal and attack traffic. In the second approach, the model is trained using only normal data, and a profile of normal activity is created. The idea underlying the first approach is that abnormal or attack data represent a small percentage of the total data. If this hypothesis holds, anomalies and attacks can be detected based on cluster size: large clusters correspond to normal data, and the remaining data points to attacks. Liao and Vemuri (2002) used the K-nearest neighbor (K-nn) approach, based on the Euclidean distance, to determine the cluster membership of data points. The Minnesota intrusion detection system is a network-based anomaly detection approach that uses data exploration and clustering techniques (Levent et al. 2004).
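The representative-point assignment and the cluster-size heuristic described above can be sketched as follows; the points, the representatives and the minimum cluster size are illustrative assumptions (in practice the representatives would come from a clustering pass such as k-means).

```python
def assign(point, reps):
    """Index of the nearest representative point (squared Euclidean distance)."""
    return min(range(len(reps)),
               key=lambda i: sum((a - b) ** 2 for a, b in zip(point, reps[i])))

def flag_anomalies(points, reps, min_cluster_size):
    """Points falling in clusters smaller than min_cluster_size are labeled attacks."""
    members = [assign(p, reps) for p in points]
    sizes = [members.count(i) for i in range(len(reps))]
    return ["attack" if sizes[m] < min_cluster_size else "normal"
            for m in members]

# A dense cluster of normal traffic plus one isolated outlier.
points = [(1, 1), (1, 2), (2, 1), (2, 2), (9, 9)]
reps = [(1.5, 1.5), (9, 9)]   # representative points (assumed given)
print(flag_anomalies(points, reps, min_cluster_size=2))
```

This embodies the first approach above: no labels are needed, only the hypothesis that attack traffic is a small fraction of the whole.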
Leung and Leckie (2005) proposed an unsupervised anomaly detection approach for network intrusion detection. The proposed algorithm, known as “fpMAFIA”, is a density- and grid-based clustering algorithm for large datasets. Its major advantage is that it can find clusters of arbitrary shape and cover over 95% of the dataset with appropriate parameter values. The authors showed that the algorithm scales linearly with the number of records in the dataset. They evaluated the accuracy of the newly proposed algorithm and showed that it achieves a reasonable detection rate.
Many researchers have suggested that the monitoring capacity of current IDS systems could be improved by adopting a hybrid approach that includes both anomaly- and signature-based detection techniques (Lunt et al. 1992; Anderson et al. 1995; Fortuna et al. 2002; Hwang et al. 2007). Sabhnani and Serpen (2003) showed that no single classification technique can detect all attack classes at an acceptable false alarm rate and with good detection accuracy. The authors used various techniques to classify the intrusions in the KDD 1998 dataset. Many researchers have shown that hybrid or ensemble-based classification techniques can improve detection accuracy (Mukkamala et al. 2005; Chen et al. 2005; Aslahi-Shahri et al. 2016; Hamamoto et al. 2018; Hajimirzaei and Navimipour 2019; Sai Satyanarayana Reddy et al. 2019). A hybrid approach integrates several learning or decision-making models. Each learning model operates differently and uses a different feature set. Integrating several learning models yields better results than the individual learning or decision-making models and reduces their individual limitations. A significant advantage of combining redundant and complementary classification techniques is increased robustness and accuracy in most applications.
Various methods combining different classification techniques have been proposed in the literature (Menahem et al. 2009; Witten et al. 2016). Ensemble methods share a common objective: to build a combination of several models, instead of using a single model, in order to improve the results. Mukkamala et al. (2005) showed that ensemble classifiers yielded the best possible accuracy for each category of attack patterns. Chebrolu et al. (2005) used the Classification And Regression Trees–Bayesian network (CART-BN) approach for intrusion detection. Zainal et al. (2009) proposed hybridizing linear genetic programming, the adaptive neuro-fuzzy inference system and random forests for intrusion detection. They showed empirically that by assigning appropriate weights to the classifiers in a hybrid approach, detection accuracy for all classes of network traffic is improved compared to an individual classifier. Menahem et al. (2009) used various classifiers and tried to take advantage of their strengths. Hwang et al. (2007) proposed a three-level hybrid approach to intrusion detection. The first level of the system is a signature-based approach that filters known attacks using the blacklist concept. The second level is an anomaly detector that uses the whitelist concept to distinguish normal traffic from attack traffic missed by the first level. The third level uses support vector machines to classify the unknown attack traffic. The success of a hybrid method depends on many factors, notably the size of the learning sample, the choice of base classifier, the exact manner in which the training set is modified, the choice of combination method and, finally, the data distribution and the capacity of the chosen base classifier to solve the problem (Rokach 2010).
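A minimal sketch of ensemble combination by majority vote is shown below. The three base classifiers, their thresholds and the feature names are invented for illustration; the cited works use far more elaborate base models and, in some cases, weighted rather than simple voting.

```python
from collections import Counter

def majority_vote(classifiers, record):
    """Combine the labels from several base classifiers by simple majority."""
    votes = [clf(record) for clf in classifiers]
    return Counter(votes).most_common(1)[0][0]

# Three illustrative base classifiers over a feature dict.
signature   = lambda r: "attack" if r["flag"] == "S0" else "normal"
rate_based  = lambda r: "attack" if r["pkt_rate"] > 100 else "normal"
login_based = lambda r: "attack" if r["failed_logins"] > 3 else "normal"

record = {"flag": "S0", "pkt_rate": 250, "failed_logins": 0}
print(majority_vote([signature, rate_based, login_based], record))
```

Replacing the simple count with per-classifier weights gives the weighted scheme of Zainal et al. (2009), where each model's vote is scaled by its estimated reliability.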
AI is a dual-use domain. AI systems and the manner in which they are designed can serve both civilian and military purposes and, more broadly, beneficial or harmful purposes. Given that certain tasks requiring intelligence are benign while others are not, AI is dual-use in the same way that human intelligence is. Researchers in the field of AI cannot avoid producing systems that can serve harmful purposes. For example, the difference between the capacities of an autonomous drone used for delivering parcels and those of an autonomous drone used for delivering explosives is not necessarily very wide. Moreover, fundamental research aiming to improve our comprehension of AI, its capacities and its control seems inherently dual-use.
AI and machine learning have an increasingly important impact on the security of citizens, organizations and states. Misuse of AI will affect the way in which we build and manage our digital infrastructure, as well as the design and distribution of AI systems, and will therefore probably require an institutional policy response. It is worth noting here that the threats caused by AI misuse have been highlighted in heavily publicized contexts (for example, during a Congress hearing (Moore and Anderson 2012), a workshop organized by the White House and a report of the US Department of Homeland Security).
The increasing use of AI for the development of cyberattack techniques and the absence of development of adequate defenses has three major consequences.
For many known attacks, the progress of AI is expected to expand the set of players capable of conducting the attack, the speed at which it can be conducted and the set of possible targets. This is a consequence of the efficiency, scalability and ease of dissemination of AI systems. In particular, the dissemination of efficient intelligent systems can increase the number of players who can afford to conduct specific attacks. If reliable intelligent systems are also scalable, then even players who already have the resources required to conduct these attacks may acquire the capacity to execute them at a much faster pace.
An example of a threat likely to develop in this manner is phishing. These attacks use personalized messages to obtain sensitive information or money from their victims. The attacker often poses as one of the friends, colleagues or professional contacts of the target. The most advanced phishing attacks require significant skilled labor, as the attacker must identify high-value targets, research their social and professional networks, and then generate messages that are plausible to the target.
AI progress will enable new varieties of attacks. These attacks may use AI systems to conduct certain tasks more successfully than any human being.
Because their capacities are not limited in the way human capacities are, intelligent systems could enable players to conduct attacks that would otherwise be impossible. For example, most people cannot efficiently imitate the voice of another person, and creating audio files that resemble recordings of a specific person's speech has traditionally required considerable effort. However, significant progress has recently been achieved in the development of speech synthesis systems that learn to imitate human voices. Such systems would in turn enable new methods for spreading disinformation and impersonating others.
Moreover, AI systems could be used to control aspects of malware behavior that would be impossible to control manually. For example, a virus designed to modify the behavior of air-gapped computers, as in the case of the Stuxnet program used to disrupt the Iranian nuclear program, cannot receive commands once those computers are infected. Similar communication constraints also arise under water and in the presence of signal jammers.
Properties of AI such as efficiency, scalability and capacities surpassing those of humans may enable highly effective attacks. Attackers often face a trade-off between the frequency and scale of their attacks on the one hand and their effectiveness on the other. For example, spear phishing is more effective than classical phishing, which does not involve adapting messages to individuals, but it is relatively costly and cannot be conducted en masse. More generic phishing attacks remain profitable despite their very low success rates, simply because of their scale. By improving the frequency and scalability of certain attacks, including spear phishing, AI systems can mitigate these trade-offs. Moreover, properties such as efficiency and scalability, particularly in the context of target identification and analysis, also enable finely targeted attacks. Attackers are often interested in adapting their attacks to the characteristics of their targets, aiming at targets with certain properties, such as significant assets or an association with certain political groups. Nevertheless, attackers must often strike a balance between the efficiency and scalability of their attacks and the precision of their targeting. A further example is the use of drone swarms deploying facial recognition technology to kill specific individuals in a crowd, instead of less targeted forms of violence.
Cyberattacks are increasingly alarming in terms of complexity and quantity, a consequence of the lack of awareness and understanding of actual security needs. This lack of support explains the insufficient dynamism, attention and willingness to commit funds and resources to cybersecurity in many organizations. In order to limit the impact of cyberattacks, the following recommendations have been made (Brundage et al. 2018):
– decision-makers should closely cooperate with technical researchers to study, prevent and limit the potential misuse of AI;
– researchers and engineers in the AI field should seriously consider the dual-use nature of their work, by allowing considerations linked to abusive use to influence research priorities and norms, and by proactively addressing the players concerned when harmful applications are predictable;
– public authorities should actively try to broaden the range of stakeholders and experts in the field that are involved in the discussions related to these challenges.
AI is a broad domain to be explored by cybersecurity researchers and experts. As the capacity of intelligent systems increases, they will first reach and then surpass human capacities in many fields. In cybersecurity, AI can be used to strengthen the defenses of computer infrastructure. It is worth noting that, as AI reaches into fields so far considered reserved for humans, security threats will become more varied and more intelligent than currently existing techniques. Defending against these threats is very difficult, as cybersecurity experts can themselves be targeted by spear phishing attacks. Consequently, preparing for the potential misuses of AI associated with this transition is an important task. The use of intelligent techniques aims to identify attacks in real time, with little or no human interaction, and to stop them before they cause damage. In conclusion, AI can be considered a powerful tool for solving cybersecurity problems.
Agarwal, R. and Joshi, M.V. (2000). A new framework for learning classifier models in data mining [Online]. Available at: https://pdfs.semanticscholar.org/db6e/1d67f7912efa65f94807dc81b24dea2de158.pdf [Accessed January 2019].
Ahlan, A.R., Lubis, M. and Lubis, A.R. (2015). Information security awareness at the knowledge-based institution: Its antecedents and measures. Procedia Computer Science, 72, 361–373.