Abstract
Modern network infrastructures host converged applications that demand rapid elasticity of services, increased security, and ultra-fast reaction times. The Tactile Internet promises to facilitate the delivery of these services while enabling new economies of scale for high-fidelity machine-to-machine and human-to-machine interactions. Unavoidably, the mission-critical systems served by the Tactile Internet demand not only high-speed, reliable communications but equally the ability to rapidly identify and mitigate threats and vulnerabilities. This article proposes a novel Multi-Agent Data Exfiltration Detector Architecture (MADEX), inspired by the mechanisms and features of the human immune system. MADEX seeks to identify data exfiltration performed by evasive and stealthy malware that hides its malicious traffic from the infected host in low-latency networks. Our approach uses cross-network traffic information collected by agents to identify unknown illicit connections originating from a subverted operating system: a rootkit can filter what the host reports about its own sockets and processes, but it cannot remove its packets from the view of agents placed elsewhere on the network. MADEX requires neither prior knowledge of the characteristics or behavior of the malicious code nor dedicated access to a knowledge repository. We tested the performance of MADEX in terms of its capacity to handle real-time data and the sensitivity of our algorithm's classification when exposed to malicious traffic. Experimental evaluation results show that MADEX achieved 99.97% sensitivity, 98.78% accuracy, and an error rate of 1.21%, compared with its best-performing rivals. We created a second version of MADEX, called MADEX level 2, that further improves overall performance at a slight increase in computational complexity. We argue that MADEX level 1 is suitable for non-critical environments, while MADEX level 2 can be used to prevent data exfiltration in mission-critical systems.
To the best of our knowledge, this is the first article in the literature that addresses the real-time detection of rootkits in an agnostic way using an artificial immune system approach while satisfying strict latency requirements.
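The abstract rests on a cross-view principle: a rootkit can hide a socket from the infected host's own tooling, but a network-side agent still sees the flow. The script below is an added illustration of that principle only; it is not code from the MADEX paper, and it does not implement the immune-inspired classification, which the abstract does not detail. The host listing (mimicking a trimmed `ss -tun` output), the CSV reduction of sensor flow records, the IP addresses and the byte counts are all constructed for this example, and the parsers assume IPv4 `addr:port` strings.

```python
"""Cross-view detection of outbound flows hidden from the host.

Compare (a) what a possibly subverted host reports about its own connections
with (b) flows a network-side sensor exported for that host in the same
window. Flows present on the wire but absent from the host's view are
candidate covert channels; the larger the outbound byte count, the more
likely they carry exfiltrated data. Illustrative example, not MADEX itself.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    bytes_out: int  # bytes sent by src_ip (the monitored host) in this flow

    def key(self):
        # Same 5-tuple shape as the host-view keys so the two views can be joined.
        return (self.proto, self.src_ip, self.src_port, self.dst_ip, self.dst_port)


# Constructed sample: the host's own connection table (proto local peer),
# as a rootkit-filtered tool would print it. The C2 flows are missing.
HOST_VIEW = """\
tcp 192.0.2.10:51822 198.51.100.20:443
udp 192.0.2.10:41000 192.0.2.1:53
"""

# Constructed sample: flow records exported by a network sensor for the same
# host and window, reduced to src,sport,dst,dport,proto,bytes_out.
SENSOR_FLOWS = """\
192.0.2.10,51822,198.51.100.20,443,tcp,18340
192.0.2.10,41000,192.0.2.1,53,udp,212
192.0.2.10,60001,203.0.113.7,4444,tcp,5242880
192.0.2.10,60002,203.0.113.7,4444,tcp,96
"""


def parse_host_view(text):
    """Return the set of 5-tuples the host admits to (IPv4 addr:port only)."""
    keys = set()
    for line in text.splitlines():
        if not line.strip():
            continue
        proto, local, peer = line.split()
        lip, lport = local.rsplit(":", 1)
        pip, pport = peer.rsplit(":", 1)
        keys.add((proto, lip, int(lport), pip, int(pport)))
    return keys


def parse_sensor_flows(text):
    """Parse the constructed CSV flow records into Flow objects."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, sport, dst, dport, proto, nbytes = line.split(",")
        flows.append(Flow(src, int(sport), dst, int(dport), proto, int(nbytes)))
    return flows


def find_hidden_flows(host_keys, sensor_flows, min_bytes=0):
    """Flows the sensor saw that the host did not report.

    min_bytes suppresses short-lived flows (a probe, a flow that closed between
    the two snapshots) that would otherwise be false positives.
    """
    return [f for f in sensor_flows
            if f.key() not in host_keys and f.bytes_out >= min_bytes]


def rank_destinations(hidden):
    """Aggregate hidden outbound bytes per destination, largest first."""
    totals = {}
    for f in hidden:
        dest = (f.dst_ip, f.dst_port)
        totals[dest] = totals.get(dest, 0) + f.bytes_out
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)


def detect(host_text=HOST_VIEW, sensor_text=SENSOR_FLOWS, min_bytes=0):
    """Full pipeline: parse both views, diff them, rank the discrepancies."""
    hidden = find_hidden_flows(parse_host_view(host_text),
                               parse_sensor_flows(sensor_text), min_bytes)
    return rank_destinations(hidden)


if __name__ == "__main__":
    for (dst_ip, dst_port), total in detect(min_bytes=1024):
        print(f"hidden exfil candidate -> {dst_ip}:{dst_port}  {total} bytes out")
```

Two caveats a practitioner would want: the host view and the sensor window must cover the same interval, or flows that closed between the two snapshots show up as false positives (hence the byte threshold), and the diff assumes the sensor sees the host's real address, so a NAT hop between host and sensor breaks the 5-tuple join.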
A Flow-based Multi-agent Data Exfiltration Detection Architecture for Ultra-low Latency Networks