The book provides invaluable insights into the transformative role of AI and ML in security, offering essential strategies and real-world applications to effectively navigate the complex landscape of today’s cyber threats.
Protecting and Mitigating Against Cyber Threats delves into the dynamic junction of artificial intelligence (AI) and machine learning (ML) within the domain of security solicitations. Through an exploration of the revolutionary possibilities of AI and ML technologies, this book seeks to disentangle the intricacies of today’s security concerns. There is a fundamental shift in the security soliciting landscape, driven by the extraordinary expansion of data and the constant evolution of cyber threat complexity. This shift calls for a novel strategy, and AI and ML show great promise for strengthening digital defenses. This volume offers a thorough examination, breaking down the concepts and real-world uses of this cutting-edge technology by integrating knowledge from cybersecurity, computer science, and related topics. It bridges the gap between theory and application by looking at real-world case studies and providing useful examples.
Protecting and Mitigating Against Cyber Threats provides a roadmap for navigating the changing threat landscape by explaining the current state of AI and ML in security solicitations and projecting forthcoming developments, bringing readers through the unexplored realms of AI and ML applications in protecting digital ecosystems, as the need for efficient security solutions grows. It is a pertinent addition to the multi-disciplinary discussion influencing cybersecurity and digital resilience in the future.
Readers will find in this book:
Audience
Cybersecurity professionals, researchers, academics, industry professionals, technology enthusiasts, policymakers, and strategists interested in the dynamic intersection of artificial intelligence (AI), machine learning (ML), and cybersecurity.
Page count: 820
Year of publication: 2025
Cover
Table of Contents
Series Page
Title Page
Copyright Page
Preface
Part I: FOUNDATIONS OF AI & ML IN SECURITY
1 Foundations of AI and ML in Security
1.1 Introduction
1.2 Understanding Security Attacks
1.3 Evolution of Information, Cyber Issues/Threats Attacks
1.4 Machine Learning for Security and Vulnerability
1.5 Challenges and Future Directions
1.6 Summary
References
2 Application of AI and ML in Threat Detection
2.1 Introduction
2.2 Foundation of AI and ML in Security
2.3 AI and ML in Applications in Threat Detection
2.4 AI/ML Based Network Intrusion Detection Systems (NIDS)
2.5 Threat Intelligence and Predictive Analytics
2.6 Challenges and Considerations
2.7 Integration and Interoperability
2.8 Future Directions
2.9 Conclusion
References
3 Artificial Intelligence and Machine Learning Applications in Threat Detection
3.1 Introduction
3.2 Foundations of Threat Detection
3.3 Overview of AI and ML
3.4 AI and ML Techniques for Threat Detection
3.5 Challenges and Solutions
3.6 Future Trends and Innovations
Conclusion
References
Part II: AI & ML APPLICATIONS IN THREAT DETECTION
4 Comparison Study Between Different Machine Learning (ML) Models Integrated with a Network Intrusion Detection System (NIDS)
4.1 Introduction
4.2 Related Work
4.3 Methodology
4.4 Proposed Model
4.5 Experimental Result
4.6 Conclusion and Future Work
References
5 Applications of AI, Machine Learning and Deep Learning for Cyber Attack Detection
5.1 Introduction
5.2 Background
5.3 Role of AI for Cyber Attack Detection
5.4 Cyber Security Data Sources and Feature Engineering
5.5 Training Models for Anomaly Detection in Network Traffic
5.6 Case Study: The Use of AI and ML in Combating Cyber Attacks
5.7 Challenges of Artificial Intelligence Applications in Cyber Threat Detection
5.8 Future Trends
5.9 Conclusion
References
6 AI-Based Prioritization of Indicators of Intelligence in a Threat Intelligence Sharing Platform
6.1 Introduction
6.2 Related Work
6.3 Methodology
6.4 Proposed Model
6.5 Experimental Result/Result Analysis
6.6 Conclusion
References
7 Email Spam Classification Using Novel Fusion of Machine Learning and Feed Forward Neural Network Approaches
7.1 Introduction
7.2 Literature Review
7.3 Proposed Methodology
7.4 Experimentation and Results
7.5 Conclusion
References
8 Intrusion Detection in Wireless Networks Using Novel Classification Models
8.1 Introduction
8.2 Literature Review
8.3 Methodology
8.4 State of the Art
8.5 Result Analysis
8.6 Conclusion
References
9 Detection and Proactive Prevention of Website Swindling Using Hybrid Machine Learning Model
9.1 Introduction
9.2 Related Literature Survey
9.3 Proposed Framework
9.4 Implementation
9.5 Result Analysis
9.6 Conclusion
References
Part III: ADVANCED SECURITY SOLUTIONS & CASE STUDIES
10 Securing the Future Networks: Blockchain-Based Threat Detection for Advanced Cyber Security
10.1 Introduction
10.2 Understanding Blockchain Technology
10.3 Challenges in Traditional Threat Detection
10.4 Integrating Blockchain into Cybersecurity
10.5 Challenges and Considerations of Blockchain in Cybersecurity
10.6 Future Trends and Innovations and Case Studies of Blockchain Technology
10.7 Conclusion
References
11 Mitigating Pollution Attacks in Network Coding-Enabled Mobile Small Cells for Enhanced 5G Services in Rural Areas
11.1 Introduction
11.2 Literature Survey
11.3 Proposed Model
11.4 Results
11.5 Conclusion
References
12 Enhancing Multi-Access Edge Computing Efficiency through Communal Network Selection
12.1 Introduction
12.2 Related Work
12.3 Existing System
12.4 Proposed System
12.5 Implementation
12.6 Results and Discussion
12.7 Conclusion
12.8 Future Scope
References
13 Enhancing Cyber-Security and Network Security Through Advanced Video Data Summarization Techniques
13.1 Introduction
13.2 Video Summarization Techniques
13.3 Notable Advanced Techniques
13.4 Graph-Based and Unsupervised Summarization
13.5 Secure and Multi-Video Summarization
13.6 Advanced Scene and Activity-Based Summarization
13.7 Performance Benchmarking and Evaluation
13.8 Challenges and Future Directions
13.9 Conclusion
References
14 Deepfake Face Detection Using Deep Convolutional Neural Networks: A Comparative Study
14.1 Introduction
14.2 Literature Review
14.3 Methodology
14.4 Result Analysis
14.5 Conclusion
14.6 Acknowledgement
References
15 Detecting Low-Rate DDoS Attacks for CS
15.1 Introduction
15.2 Requirement Specification
15.3 Method and Technologies Involved
15.4 Testing and Validation
15.5 Results
15.6 Conclusion and Future Scope
References
16 Image Privacy Using Reversible Data Hiding and Encryption
16.1 Introduction
16.2 Literature Survey
16.3 Methodology
16.4 Result Analysis
16.5 Conclusion
Acknowledgment
References
17 Object Detection in Aerial Imagery Using Object Centric Masked Image Modeling (OCMIM)
17.1 Introduction
17.2 Literature Review
17.3 Methodology
17.4 State of the Art
17.5 Results Analysis
17.6 Conclusion
Acknowledgment
References
18 Encryption and Decryption of Credit Card Data Using Quantum Cryptography
18.1 Introduction
18.2 Related Works
18.3 Methodology
18.4 Proposed Model
18.5 Experimental Result/Result Analysis
18.6 Conclusion and Future Work
References
19 Securing Secrets: Exploring Diverse Encryption and Decryption Through Cryptography with Deep Dive to AES
19.1 Introduction
19.2 Related Work
19.3 Methodology
19.4 UML Diagram
19.5 Architecture Diagram
19.6 Implementation
19.7 Conclusion
References
20 Secure Pass: Hash-Based Password Generator and Checker with Randomized Function
20.1 Introduction
20.2 Related Work
20.3 Methodology
20.4 Conclusion and Future Work
References
21 Beyond Passwords: Face Authentication as a Futuristic Solution for Web Security
21.1 Introduction
21.2 Literature Review
21.3 Methodology
21.4 Proposed Model
21.5 Experimental Result/Result Analysis
21.6 Conclusion and Future Work
References
22 Cryptographic Key Application for Biometric Implementation in Automobiles
22.1 Introduction
22.2 Related Work
22.3 Methodology
22.4 Proposed Methodology
22.5 Results and Analysis
22.6 Conclusion
References
23 Password Strength Testing: An Overview and Evaluation
23.1 Introduction
23.2 Related Work
23.3 Methodology
23.4 Result
23.5 Discussion
23.6 Conclusion
23.7 Future Work
References
24 Digital Forensics Analysis on the Internet of Things and Assessment of Cyberattacks
24.1 Introduction
24.2 Background
24.3 The D4I Framework
24.4 Application Illustration
24.5 Discussion
24.6 Conclusion
References
25 Closing the Security Gap: Towards Robust and Explainable AI for Diabetic Retinopathy
25.1 Introduction
25.2 Security Challenges in AI-Based DR Diagnosis
25.3 Building Robust and Explainable AI Systems
25.4 Benefits of Robust and Explainable AI
25.5 Conclusion: The Future of Secure AI in DR Diagnosis
References
26 Applications of Leveraging Diverse Machine Learning Models for Heart Stroke Prediction and its Security Aspects in Healthcare
26.1 Introduction
26.2 Literature Review
26.3 Approaches
26.4 Analysis and Interpretation
26.5 Machine Learning and Security Considerations
26.6 Suggestions
26.7 Conclusion
References
27 Enhancing Healthcare Security: A Revolutionary Methodology for Deep Learning-Based Intrusion Detection
27.1 Introduction
27.2 Allied Works
27.3 Proposed IDS Approach
27.4 Results and Discussion
27.5 Conclusion
References
28 AI and ML Application in Cybersecurity Hazard Recognition: Challenges, Opportunities, and Future Perspectives in Ethiopia, Horn of Africa
28.1 Introduction
28.2 AI and ML Application in Cybersecurity Hazard Recognition
28.3 Detailed Applications of AI and ML in Ethiopia Perspectives
28.4 Scam and Deception Recognition in Ethiopia
28.5 Hazard Acumen Examination in Ethiopia
28.6 AI and ML in Cybersecurity: Future Perspectives in Ethiopia
28.7 Conclusion
Acknowledgement
References
Index
End User License Agreement
Chapter 4
Table 4.1 Comparative analysis of results for two models.
Chapter 7
Table 7.1 Output of ML algorithms.
Table 7.2 Model comparison.
Chapter 11
Table 11.1 Node information processing time levels.
Table 11.2 Message fragmentation time levels.
Table 11.3 Message padding accuracy levels.
Table 11.4 Key set generation accuracy levels.
Table 11.5 Node authentication time levels.
Table 11.6 Packet pattern analysis time levels.
Table 11.7 Pollution attack detection accuracy levels.
Chapter 14
Table 14.1 Analyze the proposed model in comparison to existing approaches.
Table 14.2 Experiment results.
Table 14.3 Classification report.
Chapter 16
Table 16.1 Comparison of result.
Table 16.2 With AES and RSA.
Table 16.3 Using PLS utilized in the publication [10].
Chapter 17
Table 17.1 Model performance metrics.
Chapter 18
Table 18.1 Output of code.
Chapter 27
Table 27.1 Confusion-matrix.
Table 27.2 Classification report of the proposed IDS using GRU.
Table 27.3 Performance metrics for the classifiers for attack detection.
Chapter 1
Figure 1.1 General overview of a security model using AI and ML.
Figure 1.2 Overview of a basic firewall and its features.
Figure 1.3 Types of primary security attacks.
Figure 1.4 Overview of data collection and data preprocessing steps for Ml model...
Figure 1.5 Overview and functions of web application firewall.
Figure 1.6 SSDLC lifecycle combining security SW development.
Chapter 4
Figure 4.1 The work model of how XGBoost was applied.
Figure 4.2 The work model of how ExtraTrees was applied.
Figure 4.3 Confusion matrix.
Figure 4.4 ROC curve for XGBoost.
Figure 4.5 Confusion matrix of ExtraTrees classifier.
Figure 4.6 ROC curve for ExtraTrees classifier.
Chapter 5
Figure 5.1 Taxonomy of various types of cyber attacks.
Figure 5.2 The CIA triad for cyber security systems and attacks against CIA tria...
Figure 5.3 Classification of different cyber security systems.
Figure 5.4 Classification of different cyber security domains.
Figure 5.5 Types of features considered during feature engineering.
Chapter 6
Figure 6.1 Proposed workflow model.
Figure 6.2 Section of the code to observe IP addresses.
Figure 6.3 Section of the code to observe prioritization.
Figure 6.4 Section of the code to observe multiple text files.
Figure 6.5 Suspicious requests.
Chapter 7
Figure 7.1 Proposed method.
Figure 7.2 Precision, recall, f1-score of ML algorithms.
Figure 7.3 Accuracy of ML algorithms.
Figure 7.4 Accuracy comparison of all models.
Chapter 8
Figure 8.1 Model flow.
Figure 8.2 Classes in dataset.
Chapter 9
Figure 9.1 Activity diagram of the system.
Figure 9.2 Workflow of the model.
Figure 9.3 Existing models performances.
Figure 9.4 Experimental results of accuracy in phishing website detection.
Figure 9.5 Experimental results.
Chapter 10
Figure 10.1 Evolution of cyber security.
Figure 10.2 Various solutions offered by blockchain for cybersecurity.
Figure 10.3 The challenges in traditional threat detection methods.
Figure 10.4 Expected cybercrime in the coming years (source: https://www.statist...
Figure 10.5 Blockchain as a lifecycle for enhanced security.
Chapter 11
Figure 11.1 NC enabled small cell model [18].
Figure 11.2 Pollution attack in NC enabled small cell network [8].
Figure 11.3 Polluted packet in SC network [23].
Figure 11.4 Proposed model framework.
Figure 11.5 Node information processing time levels.
Figure 11.6 Message fragmentation time levels.
Figure 11.7 Message padding accuracy levels.
Figure 11.8 Key set generation accuracy levels.
Figure 11.9 Node authentication time levels.
Figure 11.10 Packet pattern analysis time levels.
Figure 11.11 Pollution attack detection accuracy levels.
Chapter 12
Figure 12.1 Latency graph.
Figure 12.2 Computational cost graph.
Chapter 13
Figure 13.1 Video summarization techniques.
Figure 13.2 Model architecture of the proposed classification and summarization ...
Figure 13.3 Evaluation of metrics.
Chapter 14
Figure 14.1 D-CNN [1] architecture.
Figure 14.2 System architecture used in paper.
Chapter 15
Figure 15.1 Deep learning method overview.
Figure 15.2 Flowchart for model evaluation.
Figure 15.3 DDoS detection system.
Figure 15.4 Confusion matrix w.r.to true vs predicted values.
Figure 15.5 Receiver operating characteristic curve.
Figure 15.6 Confusion matrix w.r.to accuracy vs training data size.
Figure 15.7 Accuracy vs. training and ROC AUC vs. training data size.
Chapter 16
Figure 16.1 Encoding data.
Figure 16.2 AES architecture (Source: http://crypto.stackexchange.com/questions/...
Figure 16.3 Encryption using PLS.
Figure 16.4 Before and after encoding with data (Source https://www.cbit.ac.in/g...
Figure 16.5 Output.
Chapter 17
Figure 17.1 Sample architecture.
Figure 17.2 Comparison between M-RCNN and extended version using M-RCNN.
Figure 17.3 Object detection for test sets.
Chapter 18
Figure 18.1 Proposed workflow model.
Figure 18.2 Flow diagram of code.
Chapter 19
Figure 19.1 Encryption and decryption of data using two keys in AES [20].
Figure 19.2 UML diagram for the proposed model.
Figure 19.3 Cipher block chaining mode encryption [21].
Chapter 20
Figure 20.1 Workflow model.
Figure 20.2 String generator on easy level.
Figure 20.3 String generator on medium level.
Figure 20.4 It shows the strength of password.
Figure 20.5 It shows the limitations in current password.
Chapter 21
Figure 21.1 Workflow diagram of web server.
Chapter 22
Figure 22.1 Use of cloud technology as a storage medium.
Figure 22.2 Proposed work plan model.
Figure 22.3 Workflow model of the system designed.
Figure 22.4 Modified code example 1.
Figure 22.5 Output obtained for example 1.
Figure 22.6 Modified code example 2.
Figure 22.7 Output obtained for example 2.
Chapter 24
Figure 24.1 NIST’s recommended digital forensics process.
Figure 24.2 The steps of cyber kill chain.
Figure 24.3 The suggested method.
Figure 24.4 Visualization of the D4I framework.
Chapter 25
Figure 25.1 Security challenges for DR diagnosis.
Figure 25.2 Adversarial training.
Figure 25.3 Data augmentation.
Figure 25.4 Saliency maps.
Figure 25.5 Data governance.
Figure 25.6 Data security protocols.
Figure 25.7 Federated learning.
Chapter 26
Figure 26.1 Distribution level of individuals.
Graph 26.1 Hypertension.
Graph 26.2 Heart disease.
Graph 26.3 Smoking status.
Chapter 27
Figure 27.1 Percentage of data split as malicious and normal data.
Figure 27.2 Confusion-matrix.
Figure 27.3 Classification of the GRU-based IDS model.
Scrivener Publishing, 100 Cummings Center, Suite 541J, Beverly, MA 01915-6106
Publishers at Scrivener: Martin Scrivener and Phillip Carmical
Edited by
Sachi Nandan Mohanty
School of Computer Science and Engineering, VIT-AP University, Amaravati, Andhra Pradesh, India
Suneeta Satpathy
Center for Cyber Security, Siksha ‘O’ Anusandhanu University, Bhubaneswar, Odisha
Ming Yang
College of Computing and Software Engineering, Kennesaw State University, GA, USA
and
D. Khasim Vali
School of Computer Science and Engineering, VIT-AP University, Amaravati, Andhra Pradesh, India
This edition first published 2025 by John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, USA and Scrivener Publishing LLC, 100 Cummings Center, Suite 541J, Beverly, MA 01915, USA
© 2025 Scrivener Publishing LLC
For more information about Scrivener publications please visit www.scrivenerpublishing.com.
All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, except as permitted by law. Advice on how to obtain permission to reuse material from this title is available at http://www.wiley.com/go/permissions.
Wiley Global Headquarters
111 River Street, Hoboken, NJ 07030, USA
For details of our global editorial offices, customer services, and more information about Wiley products visit us at www.wiley.com.
Limit of Liability/Disclaimer of Warranty
While the publisher and authors have used their best efforts in preparing this work, they make no representations or warranties with respect to the accuracy or completeness of the contents of this work and specifically disclaim all warranties, including without limitation any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives, written sales materials, or promotional statements for this work. The fact that an organization, website, or product is referred to in this work as a citation and/or potential source of further information does not mean that the publisher and authors endorse the information or services the organization, website, or product may provide or recommendations it may make. This work is sold with the understanding that the publisher is not engaged in rendering professional services. The advice and strategies contained herein may not be suitable for your situation. You should consult with a specialist where appropriate. Neither the publisher nor authors shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages. Further, readers should be aware that websites listed in this work may have changed or disappeared between when this work was written and when it is read.
Library of Congress Cataloging-in-Publication Data
ISBN 978-1-394-30522-3
Front cover image courtesy of Adobe Firefly
Cover design by Russell Richardson
In today’s rapidly evolving digital landscape, the sophistication and frequency of cyber threats have reached unprecedented levels. With each technological advancement comes the potential for exploitation, challenging organizations and security professionals to continuously innovate their defense mechanisms. Among the most promising innovations are Artificial Intelligence (AI) and Machine Learning (ML), which have revolutionized cybersecurity by offering dynamic, adaptive, and highly efficient solutions to combat evolving threats.
This book is designed to guide readers through the critical role that AI and ML play in modern security frameworks. It explores the foundational concepts of these technologies within the context of cybersecurity and highlights their practical applications and the advanced solutions they enable.
The book is structured into three comprehensive sections:
Part I: Foundations of AI & ML in Security
This section introduces the core principles of AI and ML in the context of cybersecurity. Readers will learn about the essential algorithms, models, and techniques that form the backbone of AI-driven security solutions. This section is crucial for understanding how these technologies can be harnessed to build smarter, more resilient security systems.
Part II: AI & ML Applications in Threat Detection
This section delves into real-world applications of AI and ML in detecting and preventing cyber threats. From identifying anomalous behaviors to predicting and neutralizing potential attacks, this section explores the versatility of these technologies in crafting proactive defense strategies. Practical examples, current trends, and industry-specific applications illustrate the transformative impact of AI and ML on threat detection.
Part III: Advanced Security Solutions & Case Studies
The final section showcases advanced security solutions that integrate AI and ML, demonstrating how these tools can be deployed to counter complex cyber threats. Case studies of successful implementations provide insights into the challenges faced by various industries and the innovative strategies used to overcome them. This section also highlights cutting-edge research and future trends, offering readers a glimpse into the next generation of cybersecurity solutions.
Throughout this book, we aim to equip security professionals, researchers, and students with the knowledge and tools needed to harness the power of AI and ML for advanced threat protection. By combining theoretical foundations with practical insights, this book serves as a comprehensive resource for those seeking to stay ahead in the battle against evolving cyber threats.
We hope this work inspires further exploration and development of AI and ML solutions, empowering the cybersecurity community to build a safer digital future. We extend our gratitude to everyone who contributed to this important work, and to Martin Scrivener and Scrivener Publishing for making its publication possible.
The Editors
March 2025
Sunil Kumar Mohapatra*, Ankita Biswal, Harapriya Senapati, Adyasha Swain and Swarupa Pattanaik
Centurion University of Technology and Management, Bhubaneswar, India
The Internet has become ingrained in people’s daily lives worldwide; simultaneously, online criminal behavior has inspired advances in cybersecurity. Traditional cybersecurity approaches involve proactive efforts that combine technologies, best practices, and policies to ensure information confidentiality, integrity, and availability. However, they have limitations, such as relying on static defense mechanisms, struggling with advanced threats, depending on perimeter defense, and producing false positives/negatives. These vulnerabilities lead to increased phishing attacks, ransomware attacks, DDoS, MitM attacks, SQL injection, IoT exploitation, and social engineering attacks. So, several data-driven computational models such as AI and ML have been applied to address these security issues. The pillar of AI and ML in security lies in their potential to inspect vast amounts of data, make predictions, and detect patterns or reach decisions without explicit programming. Feature engineering methodology selects, manipulates, and builds essential features from raw data to improve the effectiveness of machine learning models in detecting and preventing cyber-attacks. These processes contribute to developing a clean, informative, and balanced dataset to train accurate and trustworthy machine learning models for cybersecurity tasks. Integrating real-time detection with WAF provides a proactive and dynamic security mechanism, allowing enterprises to respond quickly to developing cyber threats and defend their web applications from diverse attacks. This chapter elaborates on the technique for leveraging AI and ML in cybersecurity, emphasizing their synergistic role in improving attack detection, response, and overall system resilience.
Keywords: Artificial intelligence, machine learning, cybersecurity, data acquisition, web application firewall, SQL injection
AI: Artificial Intelligence
ML: Machine Learning
DDoS: Distributed Denial of Service
WAF: Web Application Firewalls
IoT: Internet of Things
ALF: Application-Layer Filtering
IDS: Intrusion Detection Systems
NS: Network Segmentation
VPN: Virtual Private Network
ODK: Open Data Kit
DNN: Deep Neural Network
MANET: Mobile Ad-hoc Network
MAC: Media Access Control
SIEM: Security Information and Event Management
SOC: Security Operation Center
EDR: Endpoint Detection and Response
LOLBins: Living-off-the-Land Binaries
C&A: Certificate and Accreditation
SSDLC: Secure Software Development Life Cycle
In the digital age, Artificial Intelligence (AI) and Machine Learning (ML) are leading the way in technological advancements, bringing innovation to various fields, including healthcare, finance, and especially cybersecurity [1]. This chapter explores how AI and ML play a crucial role in strengthening digital security measures against the complex and evolving cyber threats accompanying the increasing use of the internet in our daily lives. As online criminal activities grow, there’s a pressing need to rethink our approach to cybersecurity. Traditional security strategies, although foundational, show significant shortcomings. These methods often rely on set rules and focus on defending the network’s perimeter. However, they struggle to keep up with the speed and sophistication of modern cyber threats. This struggle manifests in several ways: an over-reliance on known threat patterns makes it hard to identify new types of attacks; there’s difficulty managing false alarms, where legitimate activities are wrongly flagged as threats, and vice versa; and there’s a general lack of flexibility in responding to evolving threats. These issues highlight the urgent need for security solutions that are more dynamic and adaptable. This necessity for cybersecurity innovation has made AI and ML valuable tools in the fight against cybercrime. Unlike traditional methods, AI and ML can analyze vast amounts of data to spot patterns, anomalies, and potential vulnerabilities without being explicitly programmed to look for them. This ability is essential in cybersecurity, where threats continually change and new vulnerabilities emerge. By integrating AI and ML into cybersecurity practices, we enable a more proactive and intelligent defense system. This system can adapt to new threats in real time, offering a more effective way to protect digital assets and information.
The convergence of AI and ML with cybersecurity represents a pivotal shift in addressing digital threats, heralding a new era of innovation that promises to enhance the identification, anticipation, and neutralization of cyber threats with unparalleled efficiency and accuracy. Traditional cybersecurity methods, largely dependent on static databases filled with signatures of known threats, are increasingly inadequate in the face of sophisticated and evolving cyber-attacks. In stark contrast, AI and ML algorithms excel at parsing through extensive and intricate datasets, identifying subtle patterns, anomalies, and potential vulnerabilities without being programmed to look for specific threats. This capability is indispensable in cybersecurity, where the threat landscape is not only dynamic but evolves rapidly and continuously, rendering previously effective threat signatures obsolete. AI and ML stand out by offering cybersecurity systems the ability to transition from reactive postures—where responses are only initiated after an attack has been detected—to proactive stances that predict and adapt to new threats in real time. This shift is crucial for modern cybersecurity frameworks, which must be agile enough to anticipate and mitigate threats before they can cause harm. Traditional cybersecurity defense, relying on predefined rules and known threat signatures, often fails to detect novel or sophisticated cyber-attacks until it is too late. AI and ML, however, can uncover and respond to such threats more swiftly and effectively through continuous learning and analysis. The integration of AI and ML into cybersecurity tools and practices enhances the ability to detect complex attacks, such as polymorphic malware, which changes its code to avoid detection, or sophisticated phishing schemes that conventional systems might overlook.
By analyzing user behavior, network traffic, and other indicators of compromise in real-time, AI-driven systems can identify potential security breaches with a high degree of accuracy, significantly reducing the incidence of false positives and negatives that can hinder the effectiveness of traditional security measures.
Moreover, the adaptability of AI and ML algorithms means that cybersecurity systems can learn from each attack, improving their predictive capabilities over time [2]. This learning process is crucial for keeping pace with the rapidly changing tactics employed by cybercriminals. For instance, machine learning models that analyze network traffic patterns can adapt to recognize the shifting behaviors indicative of a Distributed Denial of Service (DDoS) attack, enabling pre-emptive action to mitigate the attack before it can cause significant disruption. However, realizing the potential of AI and ML in cybersecurity is challenging. The reliance on quality data for training models means that any biases in the data can lead to inaccurate predictions or overlooked threats. Additionally, as cyber attackers become more sophisticated, there is a growing risk of adversarial AI, where attackers use AI techniques to evade detection or to create more effective attacks. This cat-and-mouse game underscores the need for ongoing research, development, and ethical considerations in deploying AI and ML in cybersecurity.
A visual representation of this integration can be depicted in a block diagram illustrating the cybersecurity model powered by AI and ML. This model starts with data collection, gathering diverse datasets from network traffic, endpoints, and logs. It then proceeds to data preprocessing and feature engineering, where raw data is transformed into a format that ML algorithms can efficiently process. The heart of the model lies in the threat detection and analysis phase, where AI and ML techniques are employed to identify potential threats and vulnerabilities. Finally, the response mechanism, informed by the insights generated through AI and ML analysis, takes actions to mitigate identified threats, thereby closing the loop in a dynamic and adaptive cybersecurity system. Figure 1.1 represents the general overview of an AI/ML-based security model to mitigate different attack types.
Figure 1.1 General overview of a security model using AI and ML.
In the realm of cybersecurity, leveraging Artificial Intelligence (AI) and Machine Learning (ML) begins with meticulous data collection, where diverse sources such as network traffic, system logs, endpoint data, and user behavior analytics are mined to gather a broad spectrum of information, including log files, network packets, and authentication events [3]. This data undergoes pre-processing, which includes cleaning to remove irrelevant details and normalization to ensure uniformity across datasets, along with feature extraction to pinpoint the critical attributes needed for in-depth analysis. The next step, feature engineering, involves:
Selecting the most pertinent features
Transforming them into ML-friendly formats
Reducing dimensionality to focus on the most informative variables without overwhelming the models
Various ML models, including those designed for anomaly detection and pattern recognition, are trained on this curated data and continually refined through evaluation to improve their predictive accuracy. These models play a crucial role in threat detection and analysis, identifying deviations from normal behavior, predicting future attacks with predictive analytics, and scrutinizing user behavior for signs of insider threats. When threats are detected, the response is swift and automated, ranging from blocking traffic to generating alerts for security teams, all underpinned by detailed incident response planning. The feedback loop is critical, as models are retrained with new data from emerging threats, ensuring continuous learning and adaptation. Lastly, integration with existing security infrastructure ensures that AI/ML systems complement traditional security tools, allowing for seamless data sharing and coordination, thereby enhancing the overall efficacy of cybersecurity defense.
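The pipeline described above (collection, pre-processing, feature engineering, detection, response) can be traced end to end in a small added example, which is not code from the book. It assumes a constructed authentication-log format, hypothetical feature names, and alert/block thresholds of 3.5 and 5.0 on a median/MAD robust z-score, which stands in here for a trained anomaly model.

```python
import ipaddress
import math
import re
import statistics
from collections import defaultdict

# Assumed log format (constructed for this example): "<time> user=<name> src=<ip> result=OK|FAIL"
LINE_RE = re.compile(r"^(\S+) user=(\S+) src=(\S+) result=(OK|FAIL)$")
ALERT_AT, BLOCK_AT = 3.5, 5.0  # assumed thresholds on the robust z-score


def build_sample_log():
    """Data collection stand-in: constructed events for 11 accounts plus 3 bad lines."""
    lines = []
    normal = ["alice", "bob", "carol", "dave", "erin", "frank", "grace", "heidi", "ivan"]
    for i, user in enumerate(normal):
        for n in range(6 + i % 3):  # 6-8 logins, 0-2 of them failed
            result = "FAIL" if n < i % 3 else "OK"
            lines.append(f"2024-05-01T09:{n:02d}:00 user={user} src=10.0.0.{10 + i} result={result}")
    for n in range(10):  # one account with many failures from a single address
        result = "OK" if n == 9 else "FAIL"
        lines.append(f"2024-05-01T09:{n:02d}:10 user=judy src=10.0.0.50 result={result}")
    for n in range(40):  # one account failing from twelve addresses
        lines.append(f"2024-05-01T09:{n:02d}:30 user=SVC-Backup src=203.0.113.{n % 12 + 1} result=FAIL")
    lines += ["", "corrupted ### line", "2024-05-01T09:59:00 user=bob src=not-an-ip result=OK"]
    return lines


def preprocess(lines):
    """Cleaning and normalization: drop malformed records, lower-case account names."""
    events, dropped = [], 0
    for line in lines:
        m = LINE_RE.match(line.strip())
        try:
            if not m:
                raise ValueError("unparseable line")
            ipaddress.ip_address(m.group(3))  # rejects values that are not IP addresses
        except ValueError:
            dropped += 1
            continue
        events.append({"user": m.group(2).lower(), "src": m.group(3), "fail": m.group(4) == "FAIL"})
    return events, dropped


def extract_features(events):
    """Feature engineering: one row per account; raw counts are log-scaled to tame skew."""
    total, fails, sources = defaultdict(int), defaultdict(int), defaultdict(set)
    for e in events:
        total[e["user"]] += 1
        fails[e["user"]] += e["fail"]
        sources[e["user"]].add(e["src"])
    return {
        u: {
            "log_failures": math.log1p(fails[u]),
            "log_sources": math.log1p(len(sources[u])),
            "fail_ratio": fails[u] / total[u],
        }
        for u in total
    }


def robust_z(values):
    """Median/MAD z-scores: the baseline is not dragged upward by the outliers themselves."""
    med = statistics.median(values)
    mad = statistics.median(abs(v - med) for v in values)
    scale = 1.4826 * mad if mad > 0 else 1.0  # assumed fallback when most values are identical
    return [(v - med) / scale for v in values]


def score_users(features):
    """Detection: an account's score is its largest upward deviation on any feature."""
    users = sorted(features)
    scores = dict.fromkeys(users, 0.0)
    for name in sorted(next(iter(features.values()))):
        for u, z in zip(users, robust_z([features[u][name] for u in users])):
            scores[u] = max(scores[u], z)
    return scores


def respond(scores):
    """Response: map scores to an action for the enforcement point or the analyst queue."""
    actions = {}
    for user, s in scores.items():
        if s >= BLOCK_AT:
            actions[user] = "block"
        elif s >= ALERT_AT:
            actions[user] = "alert"
    return actions


def run_pipeline(lines):
    events, dropped = preprocess(lines)
    scores = score_users(extract_features(events))
    return respond(scores), scores, dropped


if __name__ == "__main__":
    actions, scores, dropped = run_pipeline(build_sample_log())
    print(f"dropped {dropped} malformed lines")
    for user, action in sorted(actions.items()):
        print(f"{action:5s} {user} (score {scores[user]:.2f})")
```

The feedback loop the text mentions would correspond to recomputing the median and MAD baseline on each new window of events once analysts have confirmed or dismissed the flagged accounts.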
The primary contributions of this chapter on the foundations of AI and ML in security are as follows.
First, this chapter presents an overview of fundamental AI and ML ideas pertinent to security applications and of the different types of attacks and vulnerabilities. It then discusses the different types of traditional approaches present in AI and ML security and analyzes the technological, privacy, and ethical issues around AI and ML in security.
Accordingly, the examination of AI and ML applications for threat detection, encompassing anomaly and behavioral analysis is discussed.
Then the application of Machine Learning for security and vulnerability explores the relationship between cybersecurity and ML, explaining why ML is especially well-suited to improving security protocols.
With an emphasis on the different kinds of injection attacks, how they exploit vulnerabilities, and real-world examples, Understanding Injection Attacks offers a thorough understanding of one of the most common cybersecurity risks.
Challenges and future directions examine how the cybersecurity industry changes, highlighting the urgent issues that security professionals must deal with and new developments that may affect the industry going forward.
This study follows a structured arrangement. It begins with Section 1.1, which provides an introduction to the topic, including the primary objectives. Work related to understanding different security attacks is then presented in Section 1.2. The evolution of information and cyber issues is examined in Section 1.3. Section 1.4 then focuses on the application of Machine Learning for Security and Vulnerability. Section 1.5 then discusses a case study on Understanding Injection Attacks. Section 1.6 deals with the Challenges and Future Directions of this work. Finally, Section 1.7 provides a conclusion that summarizes this work.
Cyber threats manifest in a spectrum of attacks, each exploiting specific vulnerabilities within systems to achieve malicious ends. Phishing attacks, for example, leverage users’ trust in their digital communications, tricking them into divulging sensitive information through deceitful emails or websites that mimic legitimate entities. Ransomware attacks encrypt critical data, rendering it inaccessible to users and demanding payment for its release. Distributed Denial of Service (DDoS) attacks inundate networks with excessive traffic, disrupting services and causing significant downtime. SQL injections bypass traditional security measures to manipulate databases and gain unauthorized access, while zero-day exploits target previously unknown vulnerabilities, leaving developers scrambling to patch their systems. Insider threats pose a unique challenge, as they originate from within the organization, exploiting legitimate access for nefarious purposes. The Internet of Things (IoT) expands the attack surface, introducing many devices into networks, each potentially a weak link in the security chain. These attacks highlight the diversity of threats facing digital systems and underscore the critical vulnerabilities inherent in relying on static, rule-based security mechanisms that struggle to adapt to the evolving tactics of cyber adversaries.
Cyber threats manifest in diverse attacks, each exploiting specific system vulnerabilities to achieve malicious outcomes. The landscape is varied and complex, from phishing attacks that leverage users’ inherent trust in their digital communications to ransomware that encrypts critical data, demanding ransom for its release. Distributed Denial of Service (DDoS) attacks, SQL injections, zero-day exploits, insider threats, and the vulnerabilities introduced by the Internet of Things (IoT) further highlight the spectrum of challenges faced [4]. These attacks underscore the critical vulnerabilities present in relying on static, rule-based security mechanisms, which often struggle to adapt to the constantly evolving tactics employed by cyber adversaries. Phishing attacks meticulously crafted to mimic legitimate communications illustrate the cunning exploitation of human trust.
In contrast, ransomware attacks exploit the essential dependency on digital data, crippling organizations by locking away vital information. DDoS attacks exploit the fundamental openness and interconnectedness of the internet, overwhelming systems with traffic to the point of inaccessibility. SQL injection attacks exploit vulnerabilities in web applications, allowing attackers to manipulate databases and gain unauthorized access, highlighting deficiencies in secure coding practices. Zero-day exploits represent a particularly insidious threat, exploiting unknown vulnerabilities before they can be addressed, underscoring the reactive nature of much of cybersecurity. Insider threats, often overlooked, exploit the access and trust granted to organization members, revealing the need for robust access controls and continuous monitoring. The proliferation of IoT devices introduces new vulnerabilities, expanding the attack surface with many devices often lacking basic security features. Together, these attacks paint a picture of a digital landscape fraught with vulnerabilities, necessitating a cybersecurity approach that is dynamic, intelligent, and capable of anticipating and adapting to emerging threats.
The exploitation of vulnerabilities by cyber-attacks is a testament to the sophistication of cybercriminals and the ongoing arms race between attackers and defenders [5]. By exploiting human psychology, phishing attacks demonstrate how easily digital trust can be manipulated for malicious purposes. Ransomware attacks leverage the critical importance of data, targeting weaknesses in backup and security practices to demand ransom for data release. DDoS attacks exploit the structural openness of the internet, transforming a network’s accessibility into its Achilles’ heel. SQL injection attacks reveal vulnerabilities in input validation practices, where attackers can insert malicious code into databases, manipulating or exfiltrating data. Zero-day exploits highlight the challenge of developing secure software, taking advantage of vulnerabilities before they are known or patched. Insider threats reveal vulnerabilities not in technology but in organizational trust and access control, where those within an organization misuse their access for harmful purposes. The IoT expands vulnerabilities beyond traditional computing devices, introducing many connected devices, each with potential security weaknesses. Exploiting these vulnerabilities underscores a critical reality in cybersecurity: that threats are not just technological but are deeply intertwined with human and organizational factors. This reality necessitates a cybersecurity strategy as flexible and dynamic as the threats it aims to combat, leveraging advanced technologies and understanding human behavior to anticipate and neutralize threats before they can exploit vulnerabilities.
AI and ML technologies have the potential to revolutionize how we predict, identify, and respond to cyber-attacks [6]. For instance, AI-driven behavior analysis systems monitor network and user activities, using ML algorithms to identify patterns that may indicate a breach or malicious activity. These systems can detect anomalies that deviate from the norm, such as unusual access patterns or data movement, often the first indicators of a security incident. ML algorithms are particularly effective in identifying phishing websites, analyzing URLs and webpage content to distinguish between legitimate and malicious sites with remarkable accuracy. In the fight against ransomware, AI technologies can monitor file access patterns, identifying and isolating suspicious behavior that may indicate the onset of an attack, thereby preventing data encryption before it begins.
Furthermore, AI and ML enhance threat intelligence, aggregating and analyzing vast amounts of data from various sources to identify emerging threats and vulnerabilities. This proactive approach to cybersecurity enables organizations to stay one step ahead of cybercriminals, adapting defenses in real time to the evolving digital threat landscape. These real-world applications not only showcase the capabilities of these technologies to enhance cybersecurity applications but also highlight the most adaptive, intelligent, and proactive security measures. As these technologies continue to evolve, their integration into cybersecurity strategies promises to significantly improve our ability to defend against and mitigate the impact of cyber-attacks, shaping the future of digital security.
In the early days of network technology, corporate communication relied on closed systems with restricted access to known parties. This type of communication decreased susceptibility to external security concerns. However, as local area networks (LANs) grew and personal computers became common, the Internet emerged, posing additional security vulnerabilities. While closed systems with restricted access were once sufficient, the rise of the Internet has led to new vulnerabilities that can't be ignored. To reduce these hazards, firewalls were established. Firewalls are a barrier between internal and external networks, such as the Internet, enforcing access control restrictions to prevent unauthorized access and potential security breaches. They aim to find a balance between allowing access to the Internet and protecting security. Network security became more difficult as organizations extended their operations and began to integrate with supply chain management and enterprise resource planning systems. This necessitates the adoption of security mechanisms beyond typical firewalls.
Cyberattacks and data breaches result in substantial expenses. Firewalls prohibit unwanted access to a network. A firewall can be a hardware or software unit that filters incoming and outgoing traffic within a private network using rules to detect and prevent cyberattacks [6, 7]. Integrating extra security measures into the firewall infrastructure improves the overall network security posture, giving organizations better protection against changing cyber threats as they extend their digital footprint and interact with external partners and systems. Firewalls help in access control, which enforces policies for user-specific access to devices, applications, and network resources. Authentication techniques check the identity of persons or devices seeking to connect to a network or access specified resources. This ensures that only authorized persons or systems can access sensitive data or services. Intrusion Detection Systems (IDS) analyze network traffic for unusual behavior or patterns that might signal unauthorized access or a possible security breach. They can detect and notify administrators about such situations in real time. Firewalls facilitate Network Segmentation (NS) by dividing a network into separate zones or segments with different security requirements. This helps contain security incidents and limit the impact of breaches by compartmentalizing sensitive data and resources. Many modern firewalls offer Application-Layer Filtering (ALF) capabilities, allowing organizations to control and monitor the use of specific applications or protocols. This enables administrators to enforce acceptable use, productivity, and compliance policies.
Firewalls often include VPN functionality, allowing secure remote access to the internal network for remote workers, branch offices, or business partners. VPNs encrypt communication over public networks, ensuring confidentiality and data integrity. Firewalls create logs and offer monitoring tools, allowing administrators to follow network activity, detect security problems, and investigate possible threats. This enables proactive threat detection, incident response, and forensic analysis. Enterprise-grade firewalls are built for high availability and redundancy, providing continuous protection with little downtime. Redundant firewall setups, failover techniques, and load balancing all ensure that network connectivity and security remain unbroken. Vulnerability assessment tools check networks, systems, and applications for possible flaws or vulnerabilities that attackers can exploit. Organizations can lower the risk of security events by proactively detecting and responding to these vulnerabilities [8]. Firewalls help fulfill compliance and regulatory requirements for data protection and privacy. Organizations that install robust firewall solutions may show compliance with industry standards and laws such as the Payment Card Industry Data Security Standard and the Health Insurance Portability and Accountability Act. Companies can mitigate these risks by proactively securing their networks and safeguarding themselves against potential losses [9]. Figure 1.2 represents the integration of a basic firewall to implement access control and authentication in a network.
Figure 1.2 Overview of a basic firewall and its features.
Firewalls are a vital component in cyber security architecture; however, owing to the current growth in technology and communication approaches, firewalls have failed to protect against cyber-attacks. Cyber assaults are projected to be the most significant worldwide danger in recent times. Cybercrime refers to committing a crime utilizing technology like computers, cell phones, or tablets. The analysis estimates that illegal activity costs the global economy $575 billion yearly. China had a unique perspective on the Internet when it first became widely available globally. China viewed the Internet as a new kind of media due to the widespread availability of radio and television recordings [10]. Cybercrime differs from typical crimes, posing unique risks for both offenders and victims [11]. Cyber threats such as government-sponsored national cyber warfare programs pose a serious threat to national security. These programs have become increasingly sophisticated and can cause damage ranging from propaganda to loss of life. Hostile nations are particularly dangerous, as they can use technology to target critical infrastructures. These threats can cause significant and long-lasting damage to national security, which is why it is crucial to take measures to counter them and protect ourselves. Cyber dangers have evolved from an IT issue to a business concern, and cyber strategies are increasingly shifting from IT to business to support strategic goals and development. As more businesses expand their Cyber Threat Intelligence (CTI) capabilities, many are still in the early stages of process development and experiencing growing pains [12]. The COVID-19 epidemic has led to a reduction in engagement between CTI teams and business operations groups, notwithstanding previous hopeful trends. Building bridges may be challenging for companies, making cooperation more complex than it was previously.
Boards are increasingly identifying cybersecurity as a key corporate concern. In this year’s research, 70% of respondents said cyber was a regular issue on their board’s agenda, whether monthly or quarterly. Cyber increasingly plays an important part in strategic business decisions. Cybersecurity is widely regarded as an important aspect of organizational success. The majority of survey respondents (86%) said that cyber activities had a significant impact on the organization [13].
Thus, cybersquatting ideas, goals, or definitions integrate national policy and technological elements, with cybersecurity being described as preserving the confidentiality, integrity, and availability of data, which is an absolute necessity for computer system data [14].
In network security, the common terms are vulnerability, threat, and attack. Threats are individuals who are competent, ready, and willing to exploit any security weakness. A threat assesses the network for vulnerabilities and attacks the network it intends to compromise. According to Figure 1.3, there are primarily two categories of attack, i.e., Active Attack and Passive Attack [15].
Active and passive attacks both obtain access to the network and monitor or steal sensitive information, but active attacks manipulate data by deleting, encrypting, or damaging it. Malware refers to malicious software that is designed to harm or exploit programmable devices, services, or networks. Worms, viruses, and Trojan horses are among the several forms of malicious programs. Trojan horses prompt users to input critical information on trusted screens. An attacker can impersonate the Windows logon screen by running a program that prompts users to enter their username and password. The application would communicate the information to the attacker and return a Windows error for an incorrect password. After logging out, the user would see the correct Windows logon page, unaware that their password had been taken [16, 17]. Some of the primary challenges faced are discussed as follows [18]:
Figure 1.3 Types of primary security attacks.
Cyberspace: This environment includes elements such as digital systems, network devices, software, and clients. It connects the systems with the digital space using secure software and creates an environment free of malicious attacks.
Cybercrime: A set of illegal activities performed through malicious software set up by individuals to enter the digital environment. Cybercrimes generally target computers in an unauthorized way to access the content.
Cyber Force: It is the ability to manage cyberspace and gain information from digital space using malicious software tools.
Computer Crackers: A group of persons capable of illegally manipulating computer systems. Their primary goal is to get access to the systems to collect, modify, and alter information and data.
Machines can already comprehend natural language, interact, draw graphics, generate films, and do other tasks thanks to recent and fast breakthroughs in machine learning (ML) [19]. Modern machine learning models are created and trained utilizing ML programming frameworks. Machine learning employs algorithms derived from prior datasets and statistical analysis to create predictions about a computer's behavior [20]. The computer can then adjust how it operates, even doing functions for which it was not programmed. Cyber assaults are becoming more common and complicated these days, and machine learning can improve itself to confront new threats. Machine learning's capacity to analyze massive volumes of data and identify patterns makes it perfect for identifying assaults in their early phases, revealing network weaknesses, and predicting when and how future cyber-attacks will occur [21]. These capabilities have made machine learning an important cyber threat detection, prevention, and mitigation tool. Researchers are increasingly combining Machine Learning (ML) and cyber-security fields by using fully labeled datasets with Supervised Learning (SL), unlabeled datasets with Unsupervised Learning, or a combination of labeled and unlabeled data with Semi-Supervised Learning to detect cyber-attacks [22]. Online Social Network Platform (OSN) traits can be distinguished into two categories: malicious and benign bots [23]. Twitter datasets have been analyzed to identify suspicious bot behaviors, such as "like fraud" and "retweet" spam. GMM, S3VM, LP, and LS are the four semi-supervised methods then used to categorize bots as harmful or benign. S3VM achieved the highest recall and F1 score, 89% and 76%, respectively. This led to the conclusion that categorizing human users and harmful bots is not as successful as categorizing benign bots.
Misclassification of benign and dangerous bots can occur if distinguishing features are not properly chosen due to their differing behavioral tendencies. Tweet, retweet, hashtag, mention, and URL were the features that were taken into account by the authors [24]. The selected features' time patterns are critical for accurately identifying the behavioral attributes of different bot kinds. The authors provide a new category of bots and create a comprehensive bot profiling framework by using the classification algorithm LR, which gave a 74% F1 score. Researchers present a machine-learning pipeline for identifying fake profiles on social networks [25]. The authors' approach organizes fake accounts into clusters to detect if they were generated by the same perpetrator instead of making individual predictions. Random forest, logistic regression, and support vector machine classifiers have been used to train the models. Random Forest outperformed all other algorithms with an AUC of 98%. The system performed well in both in-sample and out-of-sample data evaluations and has been deployed in production to identify and limit over 250,000 accounts.
We can see that these vulnerabilities can manifest themselves as world issues if not detected and prevented at the correct time. To detect a security issue, we have to find the pattern that can be detected from a huge collection of data. Data collection and preparation are critical tasks that demand careful thought. This phase ensures that the data is clean and properly formatted for subsequent investigation. Understanding the interactions between molecules in B1B network analysis is critical for discovering novel therapeutic targets or medication candidates. However, this method necessitates thorough and precise data collection, which may be difficult given the enormous amount of information accessible. Computer security researchers and ICTD academics investigate security and privacy attitudes, practices, and needs in businesses that use the Open Data Kit (ODK). They ran a threat modeling exercise to identify potential security threats, followed by a survey and interviews with technology professionals to confirm their findings using real-world deployment experiences [26]. Their findings are helpful to both data acquisition organizations and tool developers. Mughal et al. [27] proposed protocol-based end-to-end security, encrypted data storage, and recovery mechanisms on mobile devices using open data. The OpenX DATA tool completes missing labels in partially labeled or unlabeled datasets to provide multi-target data with labels in the joint label space [27].
Wireless technologies like Bluetooth or Wi-Fi allow mobile devices to form Mobile Ad-hoc Networks (MANETs) without a centralized structure [28]. This unique jamming detection approach detects bit errors in individual packets based on received signal strength, making it ideal for protecting reactive alarm systems with little network traffic. This uses Chipcon CC1000 and CC2420 radios and involves three strategies to identify bit mistakes by using predefined information, error correcting codes, and constrained node wiring. To identify the jamming assault, Hamieh and Ben-Othman implemented the idea that a jammer's access to a channel is dependent on the access of active nodes, and this reliance is greater in a jamming state than in a normal network [29]. Strasses et al. [30] presented an energy-efficient reactive surveillance application without introducing additional wireless network traffic. A transmission node initially gathers reception error and reception accurate times using the Media Access Control (MAC) protocol. It then calculates the correlation coefficient value of the data mentioned earlier to measure dependency. Finally, the calculated value is compared to a predetermined threshold to detect the jamming assault.
Due to adverse issues such as limited battery power and mobility of MANETs, prevention based on cryptographic primitives is ineffective. Pang et al. [31] studied traffic inside an internet enterprise by obtaining multiple packet traces from two internal network locations of LBNL in the USA. The mentioned tracing machine contained four NICs, each capturing unidirectional traffic, while the kernel did not report any packet-capture drops. The authors in [32] analyzed that out of 1260 malware samples, 86.0% were repackaged copies of legitimate apps with harmful payloads. This highlights the importance of identifying repackaged apps in Android Markets. Zhou et al. collected 1260 Android malware samples from 49 families over a year to characterize the bulk of malware from August 2010 to October 2011. Their analysis of malware samples found that 86.0% repackage legal programs with malicious payloads, 36.7% use platform-level vulnerabilities to elevate privilege, and 93.0% have bot-like capabilities [33]. The general steps for data processing in the machine learning model are represented in Figure 1.4. It starts from the data collection to get the balanced data set for model development.
Figure 1.4 Overview of data collection and data preprocessing steps for ML model [31].
Feature selection and feature engineering are two vital approaches in machine learning that improve model performance and accuracy. In the constantly evolving era of data explosion, extracting relevant characteristics from massive datasets is critical for developing effective prediction models. Both strategies significantly improve model performance and accuracy in the context of machine learning. Feature engineering focuses on designing new features or modifying existing ones to make them more helpful to the algorithm, whereas feature selection focuses on picking the most significant subset of features from the dataset [34]. Feature engineering is the method of converting raw data into features appropriate for machine learning models. In other words, it means identifying, extracting, and converting the most essential characteristics from accessible data to create more accurate and efficient machine learning models. To employ Machine Learning for network security applications, feature engineering and selection are crucial for preparing network traffic data and optimizing detection efficiency. Domain expertise and automated approaches are often used to clean, engineer, reduce, and pick useful characteristics. The efficacy of machine learning models is highly influenced by the quality of the features used to train them. Feature engineering is a collection of approaches that allow us to develop new features by merging or changing existing ones. These strategies assist in emphasizing the most relevant patterns and correlations in the data, allowing the machine-learning model to learn more successfully. Feature engineering addresses inappropriate data, missing values, human errors, general mistakes, and inadequate data sources using the "imputation" approach. Imputation helps manage irregularities in datasets [35]. The authors in [36] implemented an imputation technique across selected datasets, which has the potential for implementation in real-world scenarios. Rostami et al. [37] provided twelve machine-learning models for imputation implemented on categorical values in a dataset with a large number of incomplete samples. These models were used to create a more comprehensive dataset without any missing Adversarial Tactics, Techniques, and Common Knowledge strategy characteristics. The suggested technique has been assessed by the authors on a test dataset of 867 unseen samples, and it gave a classification accuracy of 99.88% to 100%.
This technique handles Outliers by finding and removing incorrect values. Outliers are data points or values that drastically differ from the rest of the data and negatively impair the model’s performance [38]. Standard deviation and Z-score are the two most well-known techniques to identify outliers in a dataset. A technique [39] has been designed for the Security Information and Event Management (SIEM) system to assist the Security Operation Center (SOC) analyst in the reasoning process of finding anomalies/outliers and deciding maliciousness. This technique was first evaluated on a public dataset and assessed against different algorithms, then was deployed in production alongside an International enterprise’s SIEM having 100,000 assets, utilizing 20 terabytes of Endpoint Detection and Response (EDR) logs to detect Living-off-the-Land Binaries (LOLBins). The log transform corrects skewed data, resulting in a distribution that closely matches a normal distribution after transformation [40