Genetic Algorithms to Detect Cyberattacks

Algorithms that mimic the principles of genetic reproduction can be used to detect cyberattacks in large, complex networks. They borrow three ideas from biology: reproduction, natural selection, and the maintenance of diversity.

The major attacks that affect large numbers of computers every day fall into four classes: probing, Denial of Service (DoS), User to Root (U2R), and Remote to User (R2L) attacks.

A Denial of Service (DoS) attack floods the target hosts with traffic crafted to exhaust their computational resources until they crash. A probe is an attack crafted to acquire the target's unique "fingerprint": the attacker learns the host's network infrastructure, its location, and its defensive capabilities.

In User to Root (U2R) attacks, the attacker gains access to a normal user account and exploits vulnerabilities in the system to obtain root, the most privileged account on the system. In Remote to User (R2L) attacks, the attacker sends packets to the target host that are intended to expose vulnerabilities through which the attacker can gain a local user's privileges.

Genetic algorithms involve selection, recombination, mutation, and reproduction. Selection works by specifying criteria and evaluating candidate solutions against them. The genes of a candidate can be booleans (true or false), integers, real numbers, strings, or combinations of these.

Whether an individual is selected and reproduces depends largely on how well it is adapted to its environment: individuals compete to pass their genes to the next generation. In evolutionary algorithms, selection is driven by a fitness function that measures how good a solution is. The fitter a solution, the greater its chance of being recombined and reproduced, so over successive iterations each generation of solutions becomes fitter.

Recombination is the step that decides which solutions are kept and which are discarded. Its main objective is to weight good solutions according to their significance and to combine their "good genes" while keeping the population size constant.

Mutation changes part of the DNA, mainly through anomalies during recombination. Genes newly created by selection and recombination can be mutated further. Although mutation is a copying error, it injects noise, or randomness, into the data and so increases the variability of the solutions.

The layered approach to detecting cyberattacks takes its motivation from airport security, where a series of checks is performed one after another. The model is meant to ensure the integrity, availability and confidentiality of data or services across its layers. The goal of the layered model is to reduce computation and the overall time needed to detect anomalous activity.

The algorithm's four layers correspond to the four attack groups: probe, DoS, R2L, and U2R. There is no exact mathematical way to calculate the optimal filter parameters for each layer, so genetic algorithms are run iteratively to approximate them as closely as possible.

As the number of reproductive rounds increases, so do the accuracy of attack detection and the time complexity, until the solution converges at 80% accuracy.
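To make the genetic operators (selection, recombination, mutation with a fitness function) and the layered model concrete, here is an added toy example; it is not code from the paper or from this post. It assumes a chromosome of two genes (an integer feature index and a real threshold), a constructed set of labelled connection records in place of a real dataset, and a fitness function equal to the rule's classification accuracy on those records; one rule is evolved per attack layer and the layers are then applied in order.

```python
import random
# Constructed, labelled connection records (not a real dataset):
# (syn_per_sec, distinct_ports, failed_logins, root_cmds, label).
RECORDS = [
    (5, 2, 0, 0, "normal"), (8, 3, 1, 0, "normal"), (12, 1, 0, 1, "normal"),
    (6, 4, 0, 0, "normal"), (3, 2, 2, 0, "normal"),
    (900, 1, 0, 0, "dos"), (750, 2, 0, 0, "dos"), (1200, 1, 0, 0, "dos"),
    (10, 80, 0, 0, "probe"), (7, 150, 0, 0, "probe"), (9, 60, 0, 0, "probe"),
    (4, 1, 25, 0, "r2l"), (6, 2, 40, 1, "r2l"),
    (5, 1, 1, 30, "u2r"), (7, 2, 0, 45, "u2r"),
]
LAYERS = ["probe", "dos", "r2l", "u2r"]       # one detection layer per attack group
FEATURE_MAX = [max(r[i] for r in RECORDS) for i in range(4)]

def flagged(rule, rec):
    # A rule is a chromosome of two genes: an integer feature index and a real
    # threshold expressed as a fraction of that feature's maximum value.
    feat, frac = rule
    return rec[feat] > frac * FEATURE_MAX[feat]

def fitness(rule, target):
    # Fitness: share of records the rule labels correctly as target / not target.
    hits = sum(flagged(rule, r) == (r[4] == target) for r in RECORDS)
    return hits / len(RECORDS)

def evolve(target, pop_size=24, generations=40, seed=7):
    rng = random.Random(seed)                 # fixed seed: reproducible run
    pop = [(rng.randrange(4), rng.random()) for _ in range(pop_size)]
    for _ in range(generations):
        pop.sort(key=lambda r: fitness(r, target), reverse=True)
        parents = pop[: pop_size // 2]        # selection: the fitter half survives
        children = []
        while len(parents) + len(children) < pop_size:
            a, b = rng.sample(parents, 2)
            feat, frac = a[0], b[1]           # recombination: one gene from each parent
            if rng.random() < 0.2:            # mutation of the feature gene
                feat = rng.randrange(4)
            if rng.random() < 0.3:            # mutation of the threshold gene
                frac = rng.random()
            children.append((feat, frac))
        pop = parents + children              # population size stays constant
    best = max(pop, key=lambda r: fitness(r, target))
    return best, fitness(best, target)

def classify(layers, rec):
    # Layered detection: the checks run one after another; the first flag decides.
    for layer in LAYERS:
        if flagged(layers[layer], rec):
            return layer
    return "normal"
```

On this tiny constructed set each layer's rule reaches perfect training accuracy; on real traffic the fitness function would be evaluated on held-out data and the convergence point (80% in the paper) reflects that harder setting.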

This was a summary of this paper.

More content at plainenglish.io