Intelligent Network Management and Control E-Book

Table of Contents

Cover

Title Page

Copyright

Introduction

PART 1: AI and Network Security

1 Intelligent Security of Computer Networks

1.1. Introduction

1.2. AI in the service of cybersecurity

1.3. AI applied to intrusion detection

1.4. AI misuse

1.5. Conclusion

1.6. References

2 An Intelligent Control Plane for Security Services Deployment in SDN-based Networks

2.1. Introduction

2.2. Software-defined networking

2.3. Security in SDN-based networks

2.4. Intelligence in SDN-based networks

2.5. AI contribution to security

2.6. AI contribution to security in SDN-based networks

2.7. Deployment of an intrusion prevention service

2.8. Stakes

2.9. Conclusion

2.10. References

PART 2: AI and Network Optimization

3 Network Optimization using Artificial Intelligence Techniques

3.1. Introduction

3.2. Artificial intelligence

3.3. Network optimization

3.4. Network application of AI

3.5. Conclusion

3.6. References

4 Multicriteria Optimization Methods for Network Selection in a Heterogeneous Environment

4.1. Introduction

4.2. Multicriteria optimization and network selection

4.3. “Modified-SAW” for network selection in a heterogeneous environment

4.4. Conclusion

4.5. References

PART 3: AI and the Cloud Approach

5 Selection of Cloud Computing Services: Contribution of Intelligent Methods

5.1. Introduction

5.2. Scientific and technical prerequisites

5.3. Similar works

5.4. Surveyed works

5.5. Conclusion

5.6. References

6 Intelligent Computation Offloading in the Context of Mobile Cloud Computing

6.1. Introduction

6.2. Basic definitions

6.3. MCC architecture

6.4. Offloading decision

6.5. AI-based solutions

6.6. Conclusion

6.7. References

PART 4: AI and New Communication Architectures

7 Intelligent Management of Resources in a Smart Grid-Cloud for Better Energy Efficiency

7.1. Introduction

7.2. Smart grid and cloud data center: fundamental concepts and architecture

7.3. State-of-the-art on the energy efficiency techniques of cloud data centers

7.4. State-of-the-art on the decision-aiding techniques in a smart grid-cloud system

7.5. Conclusion

7.6. References

8 Toward New Intelligent Architectures for the Internet of Vehicles

8.1. Introduction

8.2. Internet of Vehicles

8.3. IoV architectures proposed in the literature

8.4. Our proposal of intelligent IoV architecture

8.5. Stakes

8.6. Conclusion

8.7. References

PART 5: Intelligent Radio Communications

9 Artificial Intelligence Application to Cognitive Radio Networks

9.1. Introduction

9.2. Cognitive radio

9.3. Application of AI in CR

9.4. Categorization and use of techniques in CR

9.5. Conclusion

9.6. References

10 Cognitive Radio Contribution to Meeting Vehicular Communication Needs of Autonomous Vehicles

10.1. Introduction

10.2. Autonomous vehicles

10.3. Connected vehicle

10.4. Communication architectures

10.5. Contribution of CR to vehicular networks

10.6. SERENA project: self-adaptive selection of radio access technologies using CR

10.7. Conclusion

10.8. References

List of Authors

Index

End User License Agreement

List of Tables

Chapter 2

Table 2.1. Classification of shared network information (Oktian et al. 2017)

Table 2.2. System configuration of SDN networks

Table 2.3. The most commonly used machine learning techniques for computer secur...

Table 2.4. Construction of rule heading

Chapter 4

Table 4.1. Weighting methods

Table 4.2. Advantages and drawbacks of multicriteria optimization methods

Table 4.3. Values of simulations

Table 4.4. Input matrix

Table 4.5. Weighting vectors

Table 4.6. Ranking for VoIP

Table 4.7. Ranking for video service

Table 4.8. Ranking for best effort service

Table 4.9. Ranking when one alternative disappears

Chapter 7

Table 7.1. Comparative table of works

Chapter 8

Table 8.1. Comparison of various proposed architectures

Chapter 10

Table 10.1. Various SAE automation levels (source: 2014 SAE International)

Table 10.2. Constraints expressed for road safety vehicular applications

Table 10.3. Constraints expressed for vehicular entertainment applications

Table 10.4. ITS-G5 system

Table 10.5. Table of ITS-G5 frequency allocation in Europe (IEEE 2010)

List of Illustrations

Chapter 1

Figure 1.1. Progress in image recognition (benchmark ImageNet), “Electronic Fron...

Figure 1.2. Organizations and countries relying on artificial intelligence to id...

Chapter 2

Figure 2.1. Simplified SDN architecture (Zhang et al. 2017)

Figure 2.2. Control plane distribution models

Figure 2.3. Architecture of IPSec tunnel service deployment in an SDN-based netw...

Figure 2.4. Tunnel deployment process

Figure 2.5. Logical topology of the test bed

Figure 2.6. Physical topology of the test bed

Figure 2.7. (A) Performance of the deployment of IPSec security service on SDN. ...

Figure 2.7. (B) Performance of the deployment of IPSec security service on SDN. ...

Figure 2.8. Architecture of signature learning service

Figure 2.9. Architecture of a Learning Node (LN)

Figure 2.10. Architecture of an intelligent SDN with IDS

Figure 2.11. Interactions between components of data architecture

Chapter 3

Figure 3.1. Analogy square of ES

Figure 3.2. Artificial neural network (Decourt 2018)

Chapter 4

Figure 4.1. A heterogeneous environment (Bendaoud 2018)

Figure 4.2. Heterogeneous environment (Bendaoud 2018)

Figure 4.3. Network selection process (Bendaoud et al. 2018b)

Figure 4.4. Network selection process

Figure 4.5. Delay and lost packets comparison for N(0) and N(4). For a color ver...

Figure 4.6. Throughput and delay comparison for N(5) and N(4). For a color versi...

Figure 4.7. Comparison between N(2) and N(4). For a color version of this figure...

Figure 4.8. Comparison between N(2) and N(1). For a color version of this figure...

Chapter 5

Figure 5.1. Public deployment of cloud computing. For a color version of this fi...

Figure 5.2. Private deployment of cloud computing. For a color version of this f...

Figure 5.3. Community deployment of cloud computing. For a color version of this...

Figure 5.4. Distribution of customer/provider management in a cloud computing en...

Chapter 6

Figure 6.1. Conversion of an application code into a weighted relation graph (Mo...

Figure 6.2. Stages of offloading decision

Figure 6.3. Star graph

Figure 6.4. Generic architecture of MCC (Gupta and Gupta 2012)

Figure 6.5. B&B tree

Figure 6.6. Chromosome

Chapter 7

Figure 7.1. Smart grid network architecture

2

. For a color version of this figure...

Figure 7.2. Generation, transportation and distribution systems in the smart gri...

Figure 7.3. Interaction of data centers with the smart grid and its users

Figure 7.4. Fog–cloud computing system

Figure 7.5. Example of smart micro-grid-cloud architecture. For a color version ...

Chapter 8

Figure 8.1. Presentation of C-ITS architecture

Figure 8.2. Presentation of IoV architectures described in the literature

Figure 8.3. Our proposal

Chapter 9

Figure 9.1. Learning process in cognitive radio networks (Abbas et al. 2015)

Figure 9.2. V-shaped formation of Anser flight (Bestaoui 2015)

Chapter 10

Figure 10.1. Autonomous vehicle (Hubaux 2005)

Figure 10.2. Illustration of C-ITS systems (ETSI 2010)

Figure 10.3. Reference architecture of an ITS station (ETSI 2010)

Figure 10.4. Cognition loop

Figure 10.5. The main problems related to CR in the literature (Singh et al. 201...

Figure 10.6. Example of cognitive loop of the SERENA project

Guide

Cover

Table of Contents

Title Page

Copyright

Introduction

Begin Reading

List of Authors

Index

End User License Agreement

Pages

Page v

Page iii

Page iv

Page xiii

Page xiv

Page 1

Page 3

Page 4

Page 5

Page 6

Page 7

Page 8

Page 9

Page 10

Page 11

Page 12

Page 13

Page 14

Page 15

Page 16

Page 17

Page 18

Page 19

Page 20

Page 21

Page 22

Page 23

Page 24

Page 25

Page 26

Page 27

Page 28

Page 29

Page 30

Page 31

Page 32

Page 33

Page 34

Page 35

Page 36

Page 37

Page 38

Page 39

Page 40

Page 41

Page 42

Page 43

Page 44

Page 45

Page 46

Page 47

Page 48

Page 49

Page 50

Page 51

Page 52

Page 53

Page 54

Page 55

Page 56

Page 57

Page 58

Page 59

Page 60

Page 61

Page 63

Page 65

Page 66

Page 67

Page 68

Page 69

Page 70

Page 71

Page 72

Page 73

Page 74

Page 75

Page 76

Page 77

Page 78

Page 79

Page 80

Page 81

Page 82

Page 83

Page 84

Page 85

Page 86

Page 87

Page 89

Page 90

Page 91

Page 92

Page 93

Page 94

Page 95

Page 96

Page 97

Page 98

Page 99

Page 100

Page 101

Page 102

Page 103

Page 104

Page 105

Page 106

Page 107

Page 108

Page 109

Page 110

Page 111

Page 112

Page 113

Page 114

Page 115

Page 117

Page 119

Page 120

Page 121

Page 122

Page 123

Page 124

Page 125

Page 126

Page 127

Page 128

Page 129

Page 130

Page 131

Page 132

Page 133

Page 134

Page 135

Page 136

Page 137

Page 138

Page 139

Page 140

Page 141

Page 142

Page 143

Page 144

Page 145

Page 146

Page 147

Page 148

Page 149

Page 150

Page 151

Page 152

Page 153

Page 154

Page 155

Page 156

Page 157

Page 158

Page 159

Page 160

Page 161

Page 162

Page 163

Page 164

Page 165

Page 166

Page 167

Page 169

Page 171

Page 172

Page 173

Page 174

Page 175

Page 176

Page 177

Page 178

Page 179

Page 180

Page 181

Page 182

Page 183

Page 184

Page 185

Page 186

Page 187

Page 188

Page 189

Page 190

Page 191

Page 192

Page 193

Page 194

Page 195

Page 196

Page 197

Page 198

Page 199

Page 200

Page 201

Page 202

Page 203

Page 204

Page 205

Page 206

Page 207

Page 208

Page 209

Page 210

Page 211

Page 212

Page 213

Page 214

Page 215

Page 217

Page 219

Page 220

Page 221

Page 222

Page 223

Page 224

Page 225

Page 226

Page 227

Page 228

Page 229

Page 230

Page 231

Page 232

Page 233

Page 234

Page 235

Page 236

Page 237

Page 238

Page 239

Page 240

Page 241

Page 242

Page 243

Page 245

Page 246

Page 247

Page 248

Page 249

Page 250

Page 251

Page 252

Page 253

Page 254

Page 255

Page 256

Page 257

Page 258

Page 259

Page 260

Page 261

Page 262

Page 263

Page 264

Page 265

Page 266

Page 267

Page 268

Page 269

Page 270

Page 271

Page 272

Page 273

Page 275

Page 276

Page 277

Page 278

Page 279

Page 280

SCIENCES

Networks and Communications, Field Director – Guy Pujolle

Network Management and Control, Subject Head – Francine Krief

Intelligent Network Management and Control

Intelligent Security, Multi-criteria Optimization, Cloud Computing, Internet of Vehicles, Intelligent Radio

Coordinated by

First published 2020 in Great Britain and the United States by ISTE Ltd and John Wiley & Sons, Inc.

Apart from any fair dealing for the purposes of research or private study, or criticism or review, as permitted under the Copyright, Designs and Patents Act 1988, this publication may only be reproduced, stored or transmitted, in any form or by any means, with the prior permission in writing of the publishers, or in the case of reprographic reproduction in accordance with the terms and licenses issued by the CLA. Enquiries concerning reproduction outside these terms should be sent to the publishers at the undermentioned address:

ISTE Ltd

27-37 St George’s Road

London SW19 4EU

UK

www.iste.co.uk

John Wiley & Sons, Inc.

111 River Street

Hoboken, NJ 07030

USA

www.wiley.com

© ISTE Ltd 2020

The rights of Badr Benmammar to be identified as the author of this work have been asserted by him in accordance with the Copyright, Designs and Patents Act 1988.

Library of Congress Control Number: 2020937506

British Library Cataloguing-in-Publication Data

A CIP record for this book is available from the British Library

ISBN 978-1-78945-008-8

ERC code:

PE7 Systems and Communication Engineering

PE7_1 Control engineering

PE7_8 Networks (communication networks, sensor networks, networks of robots, etc.)

Introduction

Badr BENMAMMAR

Abou Bekr Belkaid University, Tlemcen, Algeria

Computer network management and control previously involved mainly purely technical tasks of network equipment maintenance, with the goal of ensuring their proper operation and further development.

Due to the current emergence of computer networks and the development of a steadily growing number of applications able to operate on a network (and more generally on the Internet), the management and control of a computer network can no longer do without artificial intelligence throughout its stages.

This is what our introductory book to intelligent management and control of computer networks endeavors to prove. Our aim is to present the use of artificial intelligence in networks through their intelligent control.

The main objective of artificial intelligence is to design systems that are able to replicate human behavior in its reasoning activities. Defining artificial intelligence is nevertheless not a simple task. The extent of the field is such that it is impossible to narrow it down to a specific field of research.

According to the definition given by one of its creators, Marvin Lee Minsky, artificial intelligence is “the construction of computer programs that engage in tasks that are currently more satisfactorily performed by human beings because they require high-level mental processes such as: perceptual learning, memory organization and critical reasoning”.

In computer networks, artificial intelligence applications relate to several domains, such as intelligent radio communications, new communication architectures, cloud computing, network optimization and security.

This book addresses topical issues that are mainly related to intelligent security for computer networks, deployment of security services in software-defined networking (SDN), optimization of networks by means of artificial intelligence techniques and multiple criteria optimization methods for the selection of networks in a heterogeneous environment. The book deals also with the selection of cloud computing services, intelligent computation offloading in the context of mobile cloud computing, smart management of resources in a smart grid-cloud system for better energy efficiency, Internet of vehicles (IoV), relying on its new architectures, artificial intelligence application in cognitive radio networks and finally the contribution of intelligent radio to addressing the road communication needs of autonomous vehicles.

The various subjects dealt with in this book are organized in parts, each of which contains two chapters. This structure is intended to make it easier for the reader to comprehend the contribution of artificial intelligence to each specific field.

PART 1AI and Network Security

1Intelligent Security of Computer Networks

Abderrazaq SEMMOUD and Badr BENMAMMAR

Abou Bekr Belkaid University, Tlemcen, Algeria

1.1. Introduction

Artificial intelligence (AI) and machine learning have rapidly progressed in recent years, facilitating the development of a broad range of applications. For example, AI is an essential component of widely used technologies such as automatic speech recognition, machine translation, spam filters and facial recognition. Promising technologies are currently the object of research or small-scale pilot projects, among which it is worth mentioning self-driving cars, digital assistants and drones activated by AI. Looking further into the future, advanced AI may reduce the need for human labor and improve governance quality.

A wide variety of tasks are automated using AI. Games, car driving and image classification are some of the tasks commonly studied by AI researchers. A broad set of tasks can be transformed by AI. At the very least, every task requiring human intelligence is a potential target for AI innovation. While the field of AI dates back to 1950, several years of rapid progress and growth have recently led to higher reliability. Sudden performance gains have been accomplished by researchers in a number of fields. Figure 1.1 illustrates this trend in the case of image recognition, where over the past few years AI systems have increased their performance in terms of classification accuracy from about 70% to nearly perfect classification accuracy (98%), which surpasses the human reference (95%) (Brundage et al. 2018).

Figure 1.1.Progress in image recognition (benchmark ImageNet), “Electronic Frontier Foundation’s AI Progress Measurement” (August 2017)

From a security perspective, a number of AI developments are worth mentioning. For example, target-face recognition and space navigation capacities are applicable to autonomous weapons systems. Similarly, image, text and voice generation possibilities could be used online to imitate other persons or influence public opinion by disseminating AI-generated content via social networks. These technical developments can also be considered early indicators of the potential of AI. Unsurprisingly, AI systems may soon qualify for an even wider range of security related tasks.

Information security is defined as the protection of computer systems against any unauthorized access, use, disruption, modification or destruction in order to provide confidentiality, integrity and availability (Peltier 2010). Information security does not refer to any particular security technology, but rather to a strategy involving persons, processes, rules and tools required in order to detect, prevent, document and mitigate current threats. With increasingly interconnected networks, security services are becoming ever more important. Connectivity is no longer an option in the commercial world, and its potential risks do not outweigh its advantages. Consequently, cybersecurity services should offer adequate protection to companies operating in a relatively open environment. Compared to classical approaches to computer security, several new hypotheses related to current computer networks should be formulated:

– modern networks are very large and further interconnected, and they are more accessible; consequently, potential attackers can easily connect and access these networks remotely;

– network interconnection increases the probability of attacks directed at large size networks such as the Internet by means of a set of widely known and open protocols.

The complexity of computer systems and applications is steadily growing. Consequently, it has become increasingly difficult to correctly analyze, secure and test computer system security. When these systems and their applications are connected to large networks, the risk of threats significantly increases. In view of adequate protection of computer networks, the deployed procedures and technologies must ensure (Khidzir et al. 2018):

–

confidentiality

: due to data confidentiality, only authorized users have access to sensitive information;

–

integrity

: due to data integrity, only authorized users can modify sensitive information; integrity could also ensure data authenticity;

–

availability

: due to system and data availability, authorized users have uninterrupted access to resources and important data.

The confidentiality, integrity and availability triad is a fundamental concept of information security. Each organization strives to ensure these three elements of the information system. Confidentiality prevents unauthorized disclosure of sensitive information (Kumar et al. 2018). Integrity prevents any unauthorized modification of information, thus ensuring information accuracy. Cryptographic hashing functions (such as SHA-1 or SHA-2) can be used to ensure data integrity. Availability prevents loss of access to resources and information (Kumar et al. 2018).

1.2. AI in the service of cybersecurity

AI systems are generally efficient, being less time and money-consuming than a human being when fulfilling a given task. AI systems are also evolutionary, as their computation power enables the completion of far more tasks in the same amount of time. For example, a typical facial recognition system is both efficient and evolutionary; once developed, it can be applied to numerous camera flows with a significantly lower cost than that of human analysts employed to perform a similar job. This explains why cybersecurity experts are seriously looking into AI and its potential contribution to mitigating certain problems. As an example, machine learning used by many AI algorithms can help detect malware, which are increasingly difficult to identify and isolate due to their growing capacity to adapt to traditional security solutions (Veiga 2018).

Capgemini Research Institute has conducted a survey of 850 managers of seven large industrial companies: among the top management members included in this survey, 20% are information systems managers and 10% are responsible for information systems security. Companies headquartered in France, Germany, United Kingdom, the United States, Australia, India and Italy are mentioned in the report (Capgemini Research Institute 2019). Capgemini noted that, as digital companies develop, their cyberattack risk increases exponentially. It has been noted that 21% of companies declared one cybersecurity breach experience leading to unauthorized access in 2018. The price paid by companies for cybersecurity breaches is heavy (20% declared losses of over 50 million dollars). According to this survey, 69% of the companies estimate a need for AI to counteract cyberattacks. The majority of telecommunications companies (80%) declared that they relied on AI to identify the threats and counteract the attacks. According to the Capgemini report, the telecommunications sector declared the highest losses of over 50 million dollars, which led to AI being considered a priority in counteracting the costly breaches in this sector. Understandably, consumer goods sellers (78%) and banks (75%) came second and third, respectively, in this ranking, as these sectors increasingly rely on digital models. Companies based in the United States have as their top priority AI-based cybersecurity applications and platforms.

Figure 1.2.Organizations and countries relying on artificial intelligence to identify threats and counteract attacks

New vulnerabilities are discovered every day in the current programs, and these may infect and take control of a company’s entire network. In contrast to traditional software vulnerabilities (for example, buffer memory overflow), the current intelligent systems have a certain number of vulnerabilities. This involves in particular data input causing errors in learning systems (Biggio et al. 2012), taking advantage of the flaws in the design of autonomous systems’ objectives (Amodei et al. 2016) and the use of inputs designed to falsify the classification of machine learning systems (Szegedy et al. 2013). As these vulnerabilities show, intelligent systems may outperform humans, but their potential failures are also unrivaled.

An ideal cyberdefense would offer full protection to users, while preserving system performances. Although this ideal cyberdefense may currently seem very distant, steps could be taken toward it by rendering cyberdefense more intelligent. The idea of using AI techniques in cybersecurity is not new. Landwehr (2008) states that, at their start, computer security and AI did not seem to have much in common. Researchers in the field of AI wanted computers to do by themselves what humans were able to do, whereas the researchers in the security field tried to solve the leakages in the computer systems, which they considered vulnerable. According to Schneier (2008), “The Internet is the most complex machine ever built. We barely understand how it works, not to mention how to secure it”. Given the rapid multiplication of new web applications and the increasing use of wireless networks (Barth and Mitchell 2008) and the Internet of Things, cybersecurity has become the most complex threat to society.

The need for securing web applications against attacks (such as Cross Site Scripting [XSS], Cross Site Request Forgery [CSRF] and code injection) is increasingly obvious and pressing. Over time, XSS and CSRF scripts have been used to conduct various attacks. Some of them can be interpreted as direct bypasses of the original security policy. The same security policy was similar to a simple and efficient protection, but it turned out it could be easily bypassed and certain functionalities of modern websites could be blocked. According to Crockford (2015), the security policies adopted by most browsers “block useful contents and authorize dangerous contents”. These policies are currently being reviewed. However, the detection of attacks such as XSS, CSRF or code injection requires more than a simple rule, namely a context-dependent reasoning capacity.

The use of AI in cybersecurity generally involves certain smart tools and their application to intrusion detection (Ahmad et al. 2016; Kalaivani et al. 2019) or other aspects of cybersecurity (Ahlan et al. 2015). This approach involves the use of other AI techniques developed for problems that are entirely different from cybersecurity; this may work in certain cases, but it has inherent and strict limitations. Cybersecurity has specific needs, and meeting them requires new specifically developed AI techniques. Obviously, AI has substantially evolved in certain fields, but there is still a need for learning and developing new intelligent techniques adapted to cybersecurity. In this context, according to Landwehr (2008) one “AI

branch related to computer security from its earliest age is automated reasoning, particularly when applied to programs and systems. Though the SATAN program of Dan Farmer and Wietse Venema, launched in 1995, has not yet been identified as AI, it has automated a process searching for vulnerabilities in system configurations that would require much more human efforts”. Ingham et al. (2007) have proposed an inductive reasoning system for the protection of web applications. The works of Vigna and co-workers (Mutz et al. 2007; Cova et al. 2007, 2010; Kirdaa et al. 2009; Robertson et al. 2010) have also dealt with the protection of web applications against cyberattacks. Firewalls using deep packet inspections can be considered a sort of AI instantiation in cybersecurity. Firewalls have been part of the cyberdefense arsenal for many years. Although in most cases more sophisticated techniques (Mishra et al. 2011; Valentín and Malý 2014; Tekerek and Bay 2019) are also used, filtering relies on the port number. Firewalls cannot rely on the port number, as most web applications use the same port as the rest of the web traffic. Deep packet inspection is the only option enabling the identification of malware code in a legitimate application. The idea of application layer filtering of the Transmission Control Protocol/Internet Protocol (TCP/IP) model was introduced in the third generation of firewall in the 1990s. The modest success of these technologies is an indication that much more is still to be done in AI, so that it can make a significant difference in terms of cybersecurity. Nevertheless, it is worth noting that using AI in cybersecurity is not necessarily a miracle solution. For example, attacks without malware, which require no software download and dissimulate malware activities inside legitimate cloud computing services, are on the increase, and AI is not yet able to counteract these types of network breach.

1.3. AI applied to intrusion detection

Intrusion detection is defined as the process of intelligent monitoring of events occurring in a computer system or network and their analysis in search for signs of security policy breach (Bace 2000). The main objective of intrusion detection systems is to protect network availability, confidentiality and integrity. Intrusion detection systems are defined both by the method used to detect the attacks and by their location in the network. The intrusion detection system can be deployed as a network- or host-based system in order to detect the anomalies. Abusive use is detected based on the correspondence between known models of hostile activities and the database of previous attacks. These models are very effective for identifying known attacks and vulnerabilities, but less relevant in identifying new security threats. Anomaly detection looks for something rare or uncommon, applying statistical or intelligent measurements to compare the current activity to previous knowledge. Intrusion detection systems rely on the fact that they often need many data for the artificial learning algorithms. They generally require more computer resources, as several metrics are often preserved and must be updated for each system activity (Ahmad et al. 2016). The intrusion detection expert system (IDES) (Lunt 1993) developed by Stanford Research Institute (SRI) formulates expert knowledge on the known models of attack and vulnerabilities of the system in the form of if–then rules. The time-based inductive machine (Teng and Chen 1990) learns several sequential models to ensure the detection of anomalies in a network. Several approaches using the artificial neural networks for intrusion detection systems have been proposed (Kang and Kang 2016; Kim et al. 2016; Vinayakumar et al. 2017; Hajimirzaei and Navimipour 2019). AI-based techniques are categorized in various classes (Mukkamala and Sung 2003a; Novikov et al. 2006).

1.3.1.Techniques based on decision trees

Decision trees are powerful and widespread nonparametric learning tools used for classification and prediction problems. Their purpose is to create a model that predicts the values of the target variable, relying on a set of sequences of decision rules deduced from learning data. Rai et al. (2016) have developed an algorithm based on the C4.5 decision tree approach. The most relevant characteristics are selected by means of information gain and the fractional value is selected so that it renders the classifier unbiased with respect to the most frequent values. In the work of Sahu and Babu (2015), a database referred to as ”Kyoto 2006+” is used for the experiments. In Kyoto 2006+, each instance is labeled as “normal” (no attack), “attack” (known attack) and “unknown attack”. The Decision Tree algorithm (J48) is used to classify the packets. Experiments confirm that the generated rules operate with 97.2% accuracy. Moon et al. (2017) proposed an intrusion detection system based on decision trees using packet behavior analysis to detect the attacks. Peng et al. (2018) proposed a technique that involves a preprocessing for data digitization, followed by their normalization, in order to improve detection efficiency. Then a method based on decision trees is used.

1.3.2.Techniques based on data exploration

Data exploration aims to eliminate the manual elements used for the design of intrusion detection systems. Various data exploration techniques have been developed and widely used. The main data exploration techniques are presented in the following sections.

1.3.2.1. Fuzzy logic

Fuzzy logic has been used in the field of computer networks security, particularly for intrusion detection (Idris and Shanmugam 2005; Shanmugavadivu and Nagarajan 2011; Balan et al. 2015; Kudłacik et al. 2016; Sai Satyanarayana Reddy et al. 2019), for two main reasons. First, several quantitative parameters used in the context of intrusion detection, for example processor use time and connection interval, can be potentially considered as fuzzy variables. Second, the security concept is itself fuzzy. To put it differently, the fuzzy concept helps in preventing a sharp distinction between normal and abnormal behaviors. Kudłacik et al. (2016) have applied fuzzy logic for intrusion detection. The proposed solution analyzes the user activity over a relatively short period of time, creating a local user profile. A more in-depth analysis involves the creation of a more general structure based on a defined number of local user profiles, known as a “fuzzy profile”. The fuzzy profile represents the behavior of the computer system user. Fuzzy profiles are directly used in order to detect user behavior anomalies, and therefore potential intrusions. Idris and Shanmugam (2005) proposed a modified FIRE system. It is a mechanism for the automation of the fuzzy rule generation process and the reduction of human intervention making use of AI techniques.

1.3.2.2. Genetic algorithms

Genetic algorithms are techniques derived from genetics and natural evolution, which have been used to find approximate solutions to optimization and search problems. The main advantages of genetic algorithms are their flexibility and robustness as global search method. As for drawbacks, they are computationally time-consuming, as they handle several solutions simultaneously. Genetic algorithms have been used in various manners in the field of intrusion detection (Hoque et al. 2012; Aslahi-Shahri et al. 2016; Hamamoto et al. 2018). Hoque et al. (2012) presented an intrusion detection system using a genetic algorithm to effectively detect anomalies in the network. Aslahi-Shahri et al. (2016) proposed a hybrid method that uses support vector machines and genetic algorithms for intrusion detection. The results indicate that this algorithm can reach a 97.3% true positive rate and a 1.7% false positive rate.

1.3.3.Rule-based techniques

Rule-based techniques (Li et al. 2010; Yang et al. 2013) generally involve the application of a set of association rules for data classification. In this context, if a rule stipulates that if event X occurs, then event Y is likely to occur, events X and Y can be described as sets of pairs (variable, value). The advantage of using rules is that they tend to be simple and intuitive, unstructured and less rigid. Nevertheless, a drawback is that rules are difficult to preserve and, in certain cases, inadequate for the representation of various types of information.

Turner et al. (2016) developed an algorithm for monitoring the enabled/disabled state of the rules of an intrusion detection system based on signatures. The algorithm is implemented in Python and runs on Snort (Roesch 1999). Agarwal and Joshi (2000) proposed a general framework in two stages for learning a rule-based model (PNrule) in order to learn classifier models on a set of data. They extensively used various distributions of classes in the learning data. The KDD Cups database was used for learning and testing their system.

1.3.4.Machine learning-based techniques

Machine learning can be defined as the capacity of a program to learn and improve the performances of a series of tasks in time. Machine learning techniques focus on the creation of a system model that improves its performances relying on the previous results. Furthermore, it can be said that machine learning–based systems have the capacity to handle the execution strategy depending on the new inputs. The main machine learning techniques are presented in the following sections.

1.3.4.1. Artificial neural networks

Artificial neural networks learn to predict the behavior of various system users. If correctly designed and implemented, neural networks can potentially solve several problems encountered by rule-based approaches. The main advantage of neural networks is their tolerance to inaccurate data and uncertain information and their capacity to deduce solutions without previous knowledge on data regularities. Cunningham and Lippmann (2000) of MIT Lincoln Laboratory conducted a number of tests using neural networks. The system searched for attack-specific key words specific in the network traffic. In Ponkarthika and Saraswathy (2018), a model of intrusion detection system is explored as a function of deep learning. Long–short term memory (LSTM) architecture was applied to a recurrent neural network for the learning of an intrusion detection system using the KDD Cup 1999 dataset.

1.3.4.2. Bayesian networks

A Bayesian network is a probabilistic graphical model representing a set of random variables in the form of an acyclic oriented graph. This technique is generally used for intrusion detection in combination with statistical diagrams. It has several advantages, notably the capacity to code the interdependences between variables and to predict events, as well as the possibility of integrating both previous knowledge and previous data (Heckerman 2008). Its major drawback is that results are comparable to statistical techniques, but this requires additional computation efforts. Kruegel et al. (2003) proposed a multisensor fusion approach using a Bayesian network–based classifier for the classification and cancellation of false alarms, according to which the outputs of various sensors of the intrusion detection system are aggregated to generate a single alarm. Han et al. (2015) proposed an intrusion detection algorithm based on Bayesian networks relying on the analysis into main components. The authors calculate the characteristic data value of the attack on the original network, and then extract the main properties by analysis into main components.

1.3.4.3. Markov chains

A Markov chain is a random process related to a finite number of states, with memoryless transition probabilities. During the learning phase, probabilities associated with transitions are estimated from the normal behavior of the target system. Detection of anomalies is then achieved by comparing the anomaly score obtained for the sequences observed at a fixed threshold. In the case of a hidden Markov model (Hu et al. 2009; Zegeye et al. 2018; Liang et al. 2019), the system we are interested in is assumed to be a Markov process in which states and transitions are masked. In the literature, several methods have been presented for solving the intrusion detection problem by inspecting the packet headers. Mahoney and Chan (2001) experimented with anomaly detection on DARPA network data by comparing the header fields of the network packet. Several systems use the Markov model for intrusion detection: PHAD (Packet Header Anomaly Detector) (Mahoney and Chan 2001), LERAD (Learning Rules for Anomaly Detection) (Mahoney and Chan 2002a) and ALAD (Application Layer Anomaly Detector) (Mahoney and Chan 2002b). In the book of Zegeye et al. (2018), an intrusion detection system using the hidden Markov model is proposed. The phase of network traffic analysis involves characteristic extraction techniques, reduction of dimensions and vector quantization, which plays an important role in large sets of data, as the amount of data transmitted increases every day. Model performances with respect to the KDD 99 dataset indicate an accuracy above 99%.

1.3.4.4. Support-vector machines

The support-vector machine is a technique used for solving various learning, classification and prediction problems. The support-vector machine was employed in an implementation of the structural risk minimization (SRM) principle of Vapnik (1998), which minimizes the generalization error, in the sense of true error on unseen examples. The basic support-vector machine addresses problems with two classes, in which data are separated by a hyperplane defined by a certain number of support vectors. Support vectors are a subset of learning data serving to define the limit between the two classes. When the support-vector machine cannot separate two classes, it solves this problem by mapping the input data in spaces of high-dimensional functions by means of a kernel function. In a high-dimensional space, it is possible to create a hyperplane enabling a linear separation (which corresponds to a curved surface in the lower input space). Consequently, the kernel function plays an important role in the support-vector machine. In practice, various kernel functions can be used, such as linear, polynomial, or Gaussian. A remarkable property of the support-vector machine is its learning capacity, which does not depend on the dimensionality of the characteristic space. This means that the support-vector machine can generalize when given numerous functionalities. Mukkamala and Sung (2003b) showed the many advantages of the support-vector machine compared to other techniques. Support-vector machines surpass neural networks in terms of upgradability, learning time, runtime and prediction accuracy. Mukkamala and Sung (2003a) also applied support-vector machines for the extraction of intrusion detection characteristics of KDD files. They empirically proved that the functionalities selected using the support-vector machine yielded similar results as the use of a full set of functionalities. This decrease in the number of functionalities reduces the computation efforts. Chen et al. (2005) also proved that support-vector machines surpassed neural networks.

1.3.5.Clustering techniques

Clustering techniques operate by organizing observed data in groups, depending on a given similarity or a distance measurement. Similarity can be measured by using the cosine formula, the binary weighted cosine formula proposed by Rawat (2005) or other formulas. The most commonly used procedure for clustering involves the selection of a representative point for each cluster. Then each new data point is classified as belonging to a given group depending on the proximity to the corresponding representative point. There are at least two approaches for the classification-based detection of anomalies. In the first approach, the anomaly detection model is formed using unlabeled data including both normal and attack traffic. In the second approach, the model is formed using only normal data and a normal activity profile is created. The idea underlying the first approach is that abnormal or attack data represent a small percentage of the total data. If this hypothesis is verified, anomalies and attacks can be detected depending on cluster size: large clusters correspond to normal data and the other data points to attacks. Liao and Vemuri (2002) used the K-nearest neighbor (K-nn) approach, based on the Euclidian distance, to define the belonging of data points to a given cluster. The Minnesota intrusion detection system is a network-based anomaly detection approach that uses data exploration and clustering techniques (Levent et al. 2004).

Leung and Leckie (2005) proposed an unsupervised anomaly detection approach for intrusion detection on a network. The proposed algorithm, known as “fpMAFIA”, is a clustering algorithm based on density and on grid for large data sets. The major advantage of this algorithm is that it can produce arbitrary forms and cover over 95% of the set of data with appropriate values of parameters. The authors proved that the algorithm evolves linearly with respect to the number of registrations in the set of data. They evaluated the accuracy of the newly proposed algorithm and proved that it enables reaching a reasonable detection rate.

1.3.6.Hybrid techniques

Many researchers suggested that the monitoring capacity of current IDS systems could be improved by adopting a hybrid approach including detection techniques of both anomalies and signatures (Lunt et al. 1992; Anderson et al. 1995; Fortuna et al. 2002; Hwang et al. 2007). Sabhnani and Serpen (2003) proved that no single classification technique enables the detection of all the attack classes at an acceptable false alarm rate and with a good detection accuracy. The authors used various techniques to classify the intrusions by means of a KDD 1998 dataset. Many researchers proved that the hybrid or set-based classification technique can improve detection accuracy (Mukkamala et al. 2005; Chen et al. 2005; Aslahi-Shahri et al. 2016; Hamamoto et al. 2018; Hajimirzaei and Navimipour 2019; Sai Satyanarayana Reddy et al. 2019). A hybrid approach involves the integration of various learning or decision-making models. Each learning model operates differently and uses a different set of functionalities. The integration of various learning models yields better results than the individual learning or decision-making models and reduces their individual limitations. A significant advantage of the combination of redundant and complementary classification techniques is that it increases robustness and accuracy in most applications.

Various methods combining various classification techniques were proposed in the literature (Menahem et al. 2009; Witten et al. 2016). Ensemble methods have a common objective: to build a combination of certain models, instead of using a single model to improve the results. Mukkamala and its collaborators (2005) proved that the use of ensemble classifiers led to the best possible accuracy for each category of attack models. Chebrolu et al. (2005) used the Classification And Regression Trees-Bayesian network (CART-BN) approach for intrusion detection. Zainal et al. (2009) proposed the hybridization of linear genetic programming of the adaptive neural fuzzy inference system and of random forests for intrusion detection. They proved empirically that by assigning appropriate weights to the classifiers in a hybrid approach, the accuracy of detection of all the classes of network traffic is improved compared to an individual classifier. Menahem et al. (2009) used various classifiers and tried to take advantage of their strengths. Hwang et al. (2007) proposed a three-level hybrid approach to detect intrusions. The first level of the system is a signature-based approach in order to filter the known attacks using the black list concept. The second level of the system is an anomaly detector that uses the white list concept to distinguish between the normal traffic and the attack traffic surpassed by the first level. The third level of the system uses support vectors machines in order to classify the unknown attack traffic. The success of a hybrid method depends on many factors, notably the size of the learning sample, the choice of a basic classifier, the exact manner in which the forming set is modified, the choice of combination method and finally the data distribution and the potential capacity of the basic classifier chosen for solving the problem (Rokach 2010).

1.4. AI misuse

AI is a double use domain. AI systems and the manner in which they are designed can serve both civilian and military purposes, and in a broader sense, beneficial or harmful purposes. Given that certain tasks requiring intelligence are benign while others are not, AI is double edged in the same way that human intelligence is. Researchers in the field of AI cannot avoid producing systems that can serve harmful purposes. For example, the difference between the capacities of an autonomous drone used for delivering parcels and the capacities of an autonomous drone used for delivering explosives is not necessarily too wide. Moreover, fundamental research aiming to improve our comprehension of AI, its capacities and its control seem to be inherently double edged.

AI and machine learning have an increasingly important impact on the security of citizens, organizations and states. Misuse of AI will impact the way in which we build and manage our digital infrastructure, as well as the design and distribution of AI systems, therefore it will probably require an institutional policy. It is worth noting here that the threats caused by AI misuse have been highlighted in heavily publicized contexts (for example, during a Congress hearing (Moore and Anderson 2012), a workshop organized by the White House and a report of the US Department for Homeland Security).

The increasing use of AI for the development of cyberattack techniques and the absence of development of adequate defenses has three major consequences.

1.4.1.Extension of existing threats

For many known attacks, the progress of AI is expected to enlarge the set of players capable of conducting the attack, their attack speed and the set of possible targets. This is a consequence of the efficiency, upgradability and ease of dissemination of AI systems. In particular, the dissemination of intelligent and efficient systems can increase the number of players who can afford specific attacks. If the reliable intelligent systems are also evolutionary (upgradable), then even the players who already have the required resources to conduct these attacks may acquire the capacity to execute them at a much faster pace.

An example of a threat that is susceptible to develop in this manner is the phishing attack threat. These attacks use personalized messages to obtain sensitive information or money from their victims. The attacker often introduces himself as one of the friends, colleagues or professional contacts of the target. The most advanced phishing attacks require significant qualified manpower, as the attacker must identify the high value targets, research their social and professional networks, and then generate messages that are acceptable to the target.

1.4.2.Introduction of new threats

AI progress will enable new varieties of attacks. These attacks may use AI systems to conduct certain tasks more successfully than any human being.

Due to their unlimited capacities, in contrast with those of humans, intelligent systems could enable players to conduct attacks that would otherwise be impossible. For example, most persons are not able to efficiently imitate the voice of other persons. Consequently, the creation of audio files resembling recordings of human speech becomes essential in these cases. Nevertheless, significant progress has been recently achieved in the development of speech synthesis systems, which learn to imitate human voice. Such systems would in turn enable new methods for spreading disinformation and imitating others.

Moreover, AI systems could be used to control certain aspects of malware behavior that would be impossible to control manually. For example, a virus designed to modify the behavior of ventilated computers, as in the case of the Stuxnet program, used to disrupt the Iranian nuclear program, cannot receive commands once these computers are infected. Limited communication problems also occur under water and in the presence of signal jammers.

1.4.3.Modification of the typical threat character

Properties of AI such as efficiency, upgradability and capacities surpassing those of humans may enable very relevant attacks. Attackers are often faced with a compromise between the frequency, the extent of their attacks and their efficiency. For example, spear phishing is more effective than classical phishing, which does not involve adapting messages to individuals, but it is relatively costly and cannot be conducted en mass. More generic phishing attacks are profitable despite their very low success rates, simply because of their extent. If the frequency and upgradability of certain attacks, including spear phishing, are improved, AI systems can mitigate these compromises. Moreover, properties such as efficiency and upgradability, particularly in the context of target identification and analysis, lead also to finely targeted attacks. The attackers are often interested in adapting their attacks to the characteristics of their targets, aiming at targets with certain properties, such as significant assets or an association with certain political groups. Nevertheless, the attackers must often find a balance between efficiency, the upgradability of their attacks and target precision. A further example could be the use of drone swarms that deploy facial recognition technology to kill specific individuals in a crowd, instead of less targeted forms of violence.

Cyberattacks are increasingly alarming in terms of complexity and quantity, a consequence of the lack of awareness and understanding of the actual needs. This lack of support explains the insufficient dynamism, attention and willingness to commit funds and resources for cybersecurity in many organizations. In order to limit the impact of cyberattacks, the following recommendations are suggested (Brundage et al. 2018):

– decision-makers should closely cooperate with technical researchers to study, prevent and limit the potential misuse of AI;

– researchers and engineers in the AI field should seriously consider the double-edged nature of their work, by allowing considerations linked to abusive use to influence the research priorities and norms and by proactively addressing concerned players when harmful applications are predictable;

– public authorities should actively try to broaden the range of stakeholders and experts in the field that are involved in the discussions related to these challenges.

1.5. Conclusion

AI is a broad domain to be explored by cybersecurity researchers and experts. As the capacity of intelligent systems increases, they will first reach and then surpass human capacities in many fields. In cybersecurity, AI can be used to strengthen the defenses of computer infrastructure. It is worth noting that, as AI covers fields considered reserved to humans, the security threats will increase in variety, difference and intelligence compared to actually existing techniques. Defense against these threats is very difficult, as cybersecurity experts themselves can be targeted by spear phishing attacks. Consequently, preparing for potential misuses of AI associated with this transition is an important task. The use of intelligent techniques aims to identify real-time attacks, with little or no human interaction, and to stop them before they cause damages. In conclusion, AI can be considered as a powerful tool in solving cybersecurity problems.

1.6. References

Agarwal, R. and Joshi, M.V. (2000). A new framework for learning classifier models in data mining [Online]. Available at: https://pdfs.semanticscholar.org/db6e/1d67f7912efa65f94807dc81b24dea2de158.pdf [Accessed January 2019].

Ahlan, A.R., Lubis, M., and Lubis, A.R. (2015). Information security awareness at the knowledge-based institution: Its antecedents and measures. Procedia Computer Science (PCS). 72(2015), 361–373.