Publications (9)

Conference Proceeding (with ISSN)

Autoencoders

Featured 26 August 2020 ICCBDC '20: 2020 4th International Conference on Cloud and Big Data Computing Proceedings of the 2020 4th International Conference on Cloud and Big Data Computing ACM
Authors: Nixon C, Sedky M, Hassan M

Computer networks are vulnerable to cyber attacks that can affect the confidentiality, integrity and availability of mission critical data. Intrusion detection methods can be employed to detect these attacks in real-time. Anomaly detection offers the advantage of detecting unknown attacks in a semi-supervised fashion. This paper aims to answer the question if autoencoders, a type of semi-supervised feedforward neural network, can provide a low cost anomaly detector method for computer network data streams. Autoencoder methods were evaluated online with the KDD'99 and UNSW-NB15 data sets, demonstrating that running time and labeling cost are significantly reduced compared to traditional online classification techniques for similar detection performance. Further research would consider the trade-off between single vs stacked networks, multi-label classification, concept drift detection and active learning.

Conference Proceeding (with ISSN)

Practical Application of Machine Learning based Online Intrusion Detection to Internet of Things Networks

Featured December 2019 2019 IEEE Global Conference on Internet of Things (GCIoT) IEEE
Authors: Nixon C, Sedky M, Hassan M

Internet of Things (IoT) devices participate in an open and distributed perception layer, with vulnerability to cyber attacks becoming a key concern for data privacy and service availability. The perception layer provides a unique challenge for intrusion detection where resources are constrained and networks are distributed. An additional challenge is that IoT networks are a continuous non-stationary data stream that, due to their variable nature, are likely to experience concept drift. This research aimed to review the practical applications of online machine learning methods for IoT network intrusion detection, to answer the question of whether a resource efficient architecture can be provided. An online learning architecture is introduced, with related IDS approaches reviewed and evaluated. Online learning provides a potential memory and time efficient architecture that can adapt to concept drift and perform anomaly detection, providing solutions for the resource constrained and distributed IoT perception layer. Future research should focus on addressing class imbalance in the data streams to ensure that minority attack classes are not missed.

Conference Proceeding (with ISSN)

An investigation into the impact of rooting android device on user data integrity

Featured September 2017 2017 Seventh International Conference on Emerging Security Technologies (EST) IEEE
Authors: Hassan M, Pantaleon L

The available commercial and freeware mobile forensics tools heavily rely on a rooted mobile device for them to extract data. The potential effects of rooting the device before extraction could pose a threat to the forensic integrity, rendering the acquisition process flawed. An endeavour was made in compiling this paper to investigate the impact of rooting Android mobile devices on user data integrity. The research examines and analyses data from an Android Samsung phone. A framework has been developed to illustrate measures and steps to be observed in the extraction of data from mobile devices.

Conference Contribution

Reviews in Online Data Stream and Active Learning for Cyber Intrusion Detection - A Systematic Literature Review

Featured 06 December 2021 2021 Sixth International Conference on Fog and Mobile Edge Computing (FMEC) Gandia, Spain IEEE
Authors: Nixon C, Sedky M, Hassan M

Intrusion Detection Systems (IDS) monitor computer networks for attack. Network data streams are potentially infinite and require real-time processing in order to provide timely detection of changing attacks. To address the nature of the network data stream it is important to consider the use of online data stream learning methods for IDS. Online data stream learning is an extension of Machine Learning (ML) where special consideration is given to finding anomalies in the data stream via supervised and unsupervised methods, adapting to concept drift, processing real-time events, and management of labelling cost by using Active Learning (AL). This paper asks the question of which online data stream and AL methods for IDS have been recently reviewed. A Systematic Literature Review (SLR) was performed and found that there are currently no reviews available that focus primarily on IDS data stream learning. Reviews were organised into categories and key considerations presented.

Conference Proceeding (with ISSN)

Cell based intrusion prevention system

Featured 01 January 2015 European Conference on Information Warfare and Security Eccws
Authors: Hassan M, Vidalis S, Mylonas A

In today's socially-driven knowledge-based computing era, digital devices have become household appliances. Ubiquitous computing and social networks are lifestyle technologies which, coupled with the political drive for e-inclusion strategies, have exponentially increased the rate of new 0-day exploits. We hypothesise that building an adaptive, polymorphous, distributed system that can learn from its environment and dynamically change according to external stimuli can provide a cost-effective proactive solution to the problem. In this research we developed a novel and simple approach to defend against common network threats and anomaly attacks. The design comprises polymorphous elementary blocks called digital cells; these simple blocks are extremely rich, much like living cells. Cells are the fundamental structural unit of life; all living organisms are made of one or more cells. The cell characteristics, including the ability of self-division to a specific limit (e.g. human cells), the capability of independent existence, and the ability to communicate using signalling, are going to be the fundamental elements for this research.

Journal article
SALAD: A split active learning based unsupervised network data stream anomaly detection method using autoencoders
Featured 15 August 2024 Expert Systems with Applications 248:1-14 Elsevier
Authors: Nixon C, Sedky M, Champion J, Hassan M

Machine learning based intrusion detection systems monitor network data streams for cyber attacks. Challenges in this space include detecting unknown attacks, adapting to changes in the data stream such as changes in underlying behavior, the human cost of labeling data to retrain the machine learning model and the processing and memory constraints of a real-time data stream. Failure to manage the aforementioned factors could result in missed attacks, degraded detection performance, unnecessary expense or delayed detection times. This research proposes a new semi-supervised network data stream anomaly detection method, Split Active Learning Anomaly Detector (SALAD), which combines our novel Adaptive Anomaly Threshold and Stochastic Anomaly Threshold with Fading Factor methods. A novel Reconstruction Error based Distance from Threshold strategy is proposed and evaluated as part of an active stream framework to demonstrate reduction in labeling costs. The proposed methods are evaluated with the KDD Cup 1999, and UNSW-NB15 data sets, using the scikit-multiflow framework. Results demonstrated that the proposed SALAD method offered equivalent performance to full labeled and alternative Naïve Bayes (NB) and Hoeffding Adaptive Tree (HAT) methods, with a labeling budget of just 20%, significantly reducing the required human expertise to annotate the network data. Processing times of the SALAD method were demonstrated to be significantly lower than NB and HAT methods, allowing for greatly improved responsiveness to attacks occurring in real time.

Journal article

The complexity of internet of things forensics: A state-of-the-art review

Featured 30 September 2021 Forensic Science International: Digital Investigation 38:1-13 (13 Pages) Elsevier
Authors: Lutta P, Sedky M, Hassan M, Jayawickrama U, Bakhtiari Bastaki B

The rapid growth and usefulness of Internet of Things (IoT) has seen it being deployed in critical and strategic infrastructure sectors like healthcare, transport, agriculture, home automation, and smart industries among many others. The benefits of comfort and reliability of IoT technologies to human beings have brought with them security concerns. This is due to its large-scale connectivity and over reliance on the internet for communication making it susceptible to cyberattacks. Digital forensics experts face a daunting task of handling these cyberattacks because of the unique and complex challenges posed by IoT. Recently, researchers have been drawn to finding solutions to these challenges, however, this is still in its infancy. This paper carries out a Systematic Literature Review (SLR) of the current research advancements in IoT forensics. We define key IoT fundamentals, IoT applications, the need for IoT forensics, identify the key factors affecting IoT forensics, and review the practicality of the available IoT forensics frameworks, models, and methodologies. The SLR reveals research gaps indicating that most of the current research is more theoretical than practical. There is a need for more practical approaches to tackle the unique IoT forensics challenges. Finally, for future research directions from the SLR, we have highlighted and discussed the open challenges and requirements for IoT forensics.

Preprint

SALAD: An Exploration of Split Active Learning based Unsupervised Network Data Stream Anomaly Detection using Autoencoders

Featured 17 July 2021 Institute of Electrical and Electronics Engineers (IEEE) Publisher
Authors: Nixon C, Sedky M, Hassan M

Machine learning based intrusion detection systems monitor network data streams for cyber attacks. Challenges in this space include detection of unknown attacks, adaptation to changes in the data stream such as changes in underlying behaviour, the human cost of labeling data to retrain the machine learning model and the processing and memory constraints of a real-time data stream. Failure to manage the aforementioned factors could result in missed attacks, degraded detection performance, unnecessary expense or delayed detection times. This research evaluated autoencoders, a type of feed-forward neural network, as online anomaly detectors for network data streams. The autoencoder method was combined with an active learning strategy to further reduce labeling cost and speed up training and adaptation times, resulting in a proposed Split Active Learning Anomaly Detector (SALAD) method. The proposed method was evaluated with the NSL-KDD, KDD Cup 1999, and UNSW-NB15 data sets, using the scikit-multiflow framework. Results demonstrated that a novel Adaptive Anomaly Threshold method, combined with a split active learning strategy offered superior anomaly detection performance with a labeling budget of just 20%, significantly reducing the required human expertise to annotate the network data. Processing times of the autoencoder anomaly detector method were demonstrated to be significantly lower than traditional online learning methods, allowing for greatly improved responsiveness to attacks occurring in real time. Future research areas are applying unsupervised threshold methods, multi-label classification, sample annotation, and hybrid intrusion detection.

Preprint

Towards a Practical Iot Forensic Process Through a Simulated Smart Home Environment

Featured 2024 Elsevier BV Publisher
Authors: Lutta P, Sedky M, Hassan M, Bastaki B, Aly A