An AI-Assisted Cyber Attack Detection Framework for Software Defined Mobile Networks
G. Catania (1), L. Ganga (1), S. Milardo (2), G. Morabito (3), A. Mursia (1)
(1) Land & Naval Defence Electronics Division - Leonardo Spa
(2) Senseable Lab MIT
(3) DIEEI University of Catania
Summary
- Introduction
- Background
- Proposed approach
- Numerical example
- Conclusions
Introduction
Introduction
- Software Defined Networking (SDN) clearly separates the control and data planes (Controller and Forwarding Elements/Switches)
- SDN solutions for ad hoc networks: Software Defined Mobile Networks (SDMNs)
- SDMNs can be utilized in several tactical scenarios
- Recently, focus on security for SDMNs:
  - the SDN paradigm shift is a radical change in the way security must be dealt with
  - need for new tools that should assist cyber and IT operators
- Idea: run Artificial Intelligence (AI) engines at the Controller to detect security attacks and suggest countermeasures to cyber and IT operators
The proposed platform can be used:
- to demonstrate how AI can be used to support IT operators in handling the security of tactical networks using SDN
- to train military professionals in interacting with AI to improve the security of tactical networks based on SDN
In all cases we exploit simulation because:
- it is a very valuable methodology for validating innovative concepts with small investments
- it is largely used for training in the military domain: most organizations have simulation infrastructures and facilities
Background
SDN and tactical networks
Figure: SDN applied to a tactical network (labels in the figure: OpenFlow-like protocol, Tactical network).
SDN and AI
Artificial Neural Networks (ANNs) mimic the behaviour of the human brain. An ANN consists of multiple interconnected nodes, called neurons, that resemble a neural network. Each neuron is connected to other neurons through weighted links, and neurons are grouped together into layers. The process that selects the weights of the links of the network is called training.
ANNs have been widely used for network management; recently ANNs have been utilized for the management of SDNs for:
- predicting QoE
- determining optimal routing
More recently, AI solutions running over SDNs have been proposed to improve security as well:
- neural networks have been utilized to detect DDoS attacks in SDNs
- machine learning has been utilized to predict attack patterns in SDN networks
CSSE: Cyber Security Simulation Environment
Figure: architecture diagram with the components User GUI, Database, Configuration manager, Scenario generator, Network/cyber simulator and HLA Run Time Infrastructure (legend labels: Proprietary software; Built on Stage Presagis; Built on Riverbed Modeler).
Proposed platform
An enhancement of CSSE
SITL = System in The Loop
Figure: the CSSE components (Database, Configuration manager, Scenario generator, Network/cyber simulator, HLA Run Time Infrastructure) connected through the SiTL to the Controller, which hosts the Network Operating System, a Net App and the AI App; the Trainer and the Trainee interact through GUI 1 and GUI 2.
The AI App
Three major modules:
- Measurement module: based on the ONOS REST APIs, which are used to collect information about the network conditions
- Attack detection and classification module: an LSTM-ANN trained on historical data to detect anomalies. It also implements a classification engine which identifies the type of attack
- Attack countermeasure module: it exploits the output of the Attack detection and classification module to determine the most appropriate countermeasure to propose to the Trainee. The Trainee alone is responsible for deciding whether to apply such a countermeasure. The Attack countermeasure module also implements the interface (GUI 2) for the interactions between the AI App and the Trainee.
Numerical example
Scenario
- N = 8 nodes based on 802.11g, working at 24 Mbps, moving in an area of 1 km²
- Transmission power of each node is p_TX = 0.001 W, and the packet reception power threshold is -95 dBm
- There is a malicious node which performs a black hole attack: it sends fake topology information to the Controller to attract packets and then drops them
- Our AI module running in the Controller detects the attack, tries to identify the malicious node(s) and informs the network manager
- It also provides a view of the current topology with an interface which allows the operator to exclude the suspected node
ANN design and training
- The Measurement module collects local status info from the nodes: the number of packets forwarded by the node to all other nodes, up to the current period t. It also considers the overall number of packets forwarded to the upper layers of the protocol stack
- The status of the network is represented as the N x N matrix V[t]; in our experiment N = 8 nodes, so V[t] contains 64 values
- We focus on black hole attacks, so the Attack detection and classification module is a binary classifier: an ANN consisting of 3 hidden layers, each with 64 neurons
- We trained the ANN with 10000 measures, each labelled as Normal operation or Cyber attack in progress, depending on the state of the malicious node
- To train the network, we divided the measures into two subsets: the training set contains 75% of the measures, and the test set the remaining 25%
- The maximum number of iterations used is 200, and convergence is reached when the score of the ANN is not increasing by 0.0001 for two consecutive iterations
Figure: the ANN, with the 64 inputs v_11, v_12, ..., v_88 (the entries of V[t]), three hidden layers of 64 neurons each, and the output Out = {Normal operation, black hole attack in progress}.
Numerical results
Figure: bar chart of Precision, Recall and F1-Score for Normal operations, Cyber attack in progress and Average (all bars between 84% and 86%).
Confusion matrix on the test set (rows: reality; columns: classified as):

Reality                     Classified as Normal operation   Classified as Cyber attacks in progress
Normal operation                        1095                              182
Cyber attacks in progress                173                             1050
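As an added example (not code from the slides or from the CSSE platform), the per-class precision, recall and F1-score reported above for the classifier trained on the previous slide can be recomputed from this confusion matrix, together with the accuracy and the two error rates the Trainee actually experiences: false alarms and missed attacks. The counts and class names are the ones on this slide; the helper names are ours.

```python
# Added example: recompute the classifier metrics from the confusion matrix
# shown on the "Numerical results" slide (test set = 25% of 10000 = 2500
# samples). Not code from the CSSE platform; function names are our own.

CLASSES = ("Normal operation", "Cyber attack in progress")

# Rows: reality; columns: classified as. Counts taken from the slide.
CONFUSION = {
    "Normal operation": {"Normal operation": 1095, "Cyber attack in progress": 182},
    "Cyber attack in progress": {"Normal operation": 173, "Cyber attack in progress": 1050},
}


def per_class_metrics(cm, cls):
    """Precision, recall and F1 of one class, treating it as the positive class."""
    tp = cm[cls][cls]
    fn = sum(n for c, n in cm[cls].items() if c != cls)  # reality cls, classified as another class
    fp = sum(cm[r][cls] for r in cm if r != cls)         # classified as cls, reality another class
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    f1 = 2 * tp / (2 * tp + fp + fn) if tp else 0.0
    return {"precision": precision, "recall": recall, "f1": f1, "support": tp + fn}


def report(cm):
    """Per-class metrics plus their macro average (the 'Average' bars on the slide)."""
    rows = {c: per_class_metrics(cm, c) for c in cm}
    avg = {k: sum(r[k] for r in rows.values()) / len(rows) for k in ("precision", "recall", "f1")}
    return {**rows, "Average": avg}


def accuracy(cm):
    total = sum(sum(row.values()) for row in cm.values())
    return sum(cm[c][c] for c in cm) / total


def operator_error_rates(cm, normal=CLASSES[0], attack=CLASSES[1]):
    """False alarms (normal traffic flagged as an attack) and missed attacks
    (black hole in progress reported as normal), as fractions of each reality row."""
    false_alarm = cm[normal][attack] / sum(cm[normal].values())
    missed = cm[attack][normal] / sum(cm[attack].values())
    return {"false_alarm_rate": false_alarm, "missed_attack_rate": missed}


if __name__ == "__main__":
    for name, m in report(CONFUSION).items():
        print(f"{name:26s} P={m['precision']:.0%} R={m['recall']:.0%} F1={m['f1']:.0%}")
    print(f"accuracy={accuracy(CONFUSION):.1%}", operator_error_rates(CONFUSION))
```

The two error rates are what matter operationally: roughly one normal period in seven raises a false alarm, and roughly one attack period in seven goes unreported, which is why the slides leave the final decision to the Trainee.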
Conclusions
Concluding remarks
- A platform that exploits artificial intelligence to assist IT operators in detecting cyber attacks and triggering the corresponding countermeasures
- An enhancement of the CSSE has been designed
- Experimental results assess the feasibility of the overall concept
- Future work:
  - develop appropriate tools and methodologies for training the AI engines
  - design the most appropriate interaction modes between military IT professionals and AI tools