Keywords = Anomaly detection

Lateral Movement Attack Detection using Variational Autoencoders

Articles in Press, Accepted Manuscript, Available Online from 26 March 2026

https://doi.org/10.22042/isecure.2026.242099

Mostafa Shabani, Tala Tafazoli

Abstract: Lateral movement, a sophisticated cyberattack strategy, enables adversaries to stealthily infiltrate networks following an initial breach. Detecting such maneuvers is exceptionally challenging, as they are designed to seamlessly blend with legitimate system operations and network traffic, rendering traditional signature-based defenses ineffective. Supervised machine learning approaches, while promising, are constrained by their dependence on pre-labeled datasets of known attack patterns. To overcome these limitations, this study introduces a novel hybrid deep learning framework that integrates a Variational Autoencoder (VAE) for robust feature extraction, coupled with a supervised classifier to identify lateral movement. Through meticulous feature engineering on the LMD dataset, the VAE is trained exclusively on normative system and network behavior, constructing a probabilistic representation of legitimate activity. Anomalies, detected via reconstruction error, signal potential malicious intrusions. Empirical evaluation demonstrates the framework's superior performance, achieving a detection time of 00:00:02:54 and an AUC of 99.6983%, reflecting exceptional class separation and computational efficiency. This hybrid architecture delivers a scalable, high-accuracy solution, establishing the VAE as a pivotal tool for combating advanced persistent threats with unparalleled precision and operational viability.

GAT-AID: A Graph Attention-Based Dual-Branch Framework for Scalable Anomaly and Intrusion Detection

Articles in Press, Accepted Manuscript, Available Online from 06 May 2026

https://doi.org/10.22042/isecure.2026.542048.1244

Nitin Wasudeorao Wankhade, Anand V Khandare

Abstract: Intrusion Detection Systems (IDS) are vital for defending modern networks against emerging cyber threats, including zero-day attacks. In this article, we introduce GAT-AID (Graph Attention-based Anomaly and Intrusion Detection), an IDS architecture that integrates Graph Attention Networks (GATs), Multi-Layer Perceptron (MLP) classifiers, and Autoencoders. The proposed methodology represents network traffic as a graph, allowing the GAT to extract complex node-wise associations across traffic flows. The generated embeddings are further processed through a dual-branch architecture: an MLP-based classifier for identifying known attack types, and an Autoencoder-based anomaly detector for flagging zero-day intrusions. The proposed GAT-AID methodology is evaluated on two widely used benchmark datasets, namely CICIDS2017 and UNSW-NB15. The experimental results demonstrate that it outperforms conventional IDS baselines, including SVM, Random Forest, CNN, and GCN models, achieving higher detection rates, improved robustness against unseen threats, and greater adaptability to evolving network environments. These findings suggest that GAT-AID is an effective and scalable solution for intelligent, real-time intrusion detection.

Detecting Fake Accounts Through Generative Adversarial Network in Online Social Media

Volume 18, Issue 1, January 2026, Pages 35-47

https://doi.org/10.22042/isecure.2025.505399.1215

Jinus Bordbar, Mohammadreza Mohammadrezaei, Saman Ardalan, Mohammad Ebrahim Shiri

Abstract: Online social media is integral to human life, facilitating messaging, information sharing, and confidential communication while preserving privacy. Platforms like Twitter, Instagram, and Facebook exemplify this phenomenon. However, users face challenges due to network anomalies, often stemming from malicious activities such as identity theft for financial gain or harm. This paper proposes a novel method using user similarity measures and the Generative Adversarial Network (GAN) algorithm to identify anomalies (fake nodes) in user accounts in a large-scale social network while handling imbalanced data issues. Despite the problem's complexity, the method achieves an AUC rate of 80% in classifying and detecting fake accounts. Notably, the study builds on previous research, highlighting advancements and insights into the evolving landscape of anomaly detection in online social networks. The findings of this study contribute to ongoing advancements in fake account detection, offering a hopeful solution for securing online spaces against fraudulent activities and anomaly detection in social networks.

Harnessing Deep Learning for Anomaly Detection in Log Data: A Comprehensive study

Volume 18, Issue 1, January 2026, Pages 99-120

https://doi.org/10.22042/isecure.2025.470715.1155

Kamiya Pithode, Pushpinder Singh Patheja

Abstract: With the increasing prevalence of online services, big data systems, and Internet of Things (IoT) devices, detecting anomalies in large system logs has become a significant concern. This study presents a systematic literature review of automated log analysis for anomaly detection from January 2017 to October 2024. The study classifies existing approaches into five types: hybrid, supervised, unsupervised, semi-supervised, and self-supervised. Each technique is analysed based on its assumptions, benefits, limitations, computational complexity, and performance in practical applications. Additionally, it addresses the challenges and concerns associated with developing anomaly detection systems for real-life applications using deep neural networks. The survey's objective is not to perform a statistical analysis of the published methodologies but to classify them, highlight the key features of various deployed architectures, and focus on unresolved issues that require further investigation in this domain. The study offers valuable direction for researchers, emphasising the need for scalable, robust, and interpretable anomaly detection systems. This survey advances the understanding of current capabilities and highlights future directions for enhancing the reliability of complex systems.

F-STONE: A Fast Real-Time DDOS Attack Detection Method Using an Improved Historical Memory Management

Volume 12, Issue 2, July 2020, Pages 113-128

https://doi.org/10.22042/isecure.2020.167450.453

Mahsa Nooribakhsh, Mahdi Mollamotalebi

Abstract: Distributed Denial of Service (DDoS) is a common attack in recent years that can deplete the bandwidth of victim nodes by flooding them with packets. Based on the type and quantity of traffic used for the attack and the exploited vulnerability of the target, DDoS attacks are grouped into three categories: volumetric attacks, protocol attacks, and application attacks. The volumetric attack, which the proposed method attempts to detect, is the most common type of DDoS attack. The aim of this paper is to reduce the delay of real-time detection of DDoS attacks by utilizing hybrid structures based on data stream algorithms. The proposed data structure (BHM) improves the data storing mechanism presented in the STONE method and consequently reduces the detection time. STONE characterizes the regular network traffic of a service by aggregating it into common prefixes of IP addresses, and detects attacks when the aggregated traffic deviates from the regular one. In BHM, history refers to the output traffic information obtained from each monitoring period to form a reference profile. The reference profile is created by employing historical information and only includes normal traffic information. The delay of DDoS attack detection increases in STONE due to the long time intervals between monitoring periods. The proposed method (F-STONE) has been compared to STONE based on attack detection time, Expected Profile Update Time (EPUT), and rate of attack detection. The evaluation results indicated significant improvements in terms of the EPUT, acceleration of attack detection, and reduction of the false positive rate.

STLR: a novel danger theory based structural TLR algorithm

Volume 5, Issue 2, July 2013, Pages 209-225

https://doi.org/10.22042/isecure.2014.5.2.7

R. Azmi, B. Pishgoo

Abstract: Artificial Immune Systems (AIS) have long been used in the field of computer security and especially in Intrusion Detection Systems. Intrusion detection based on AISs falls into two main categories. The first generation of AIS is inspired by adaptive immune reactions, but the second, called danger theory, focuses on both adaptive and innate reactions to build a more biologically realistic model of the Human Immune System. Two algorithms, TLR and DCA, have been proposed in the danger theory field; both try to identify antigens based on a simple identifier. Both suffer from low accuracy and detection rates because they do not take the structure of antigens into account. In this paper, we propose an algorithm called STLR (structural TLR), which is an extended form of the TLR algorithm. STLR tries to model the interaction of the adaptive and innate biological immune systems and at the same time considers the structure of the antigens. The experimental results show that by using the structural aspects of an antigen, STLR can lead to a great increase in detection rate and accuracy.