Anca Delia Jurcut

CR · h-index 39 · 8 papers · 331 citations · Novelty 31% · AI Score 29

8 Papers

CR · May 24, 2025 · Code
MLRan: A Behavioural Dataset for Ransomware Analysis and Detection

Faithful Chiagoziem Onwuegbuche, Adelodun Olaoluwa, Anca Delia Jurcut et al.

Ransomware remains a critical threat to cybersecurity, yet publicly available datasets for training machine learning-based ransomware detection models are scarce and often have limited sample size, diversity, and reproducibility. In this paper, we introduce MLRan, a behavioural ransomware dataset comprising over 4,800 samples across 64 ransomware families and a balanced set of goodware samples. The samples span from 2006 to 2024 and encompass the four major types of ransomware: locker, crypto, ransomware-as-a-service, and modern variants. We also propose guidelines (GUIDE-MLRan), inspired by previous work, for constructing high-quality behavioural ransomware datasets, which informed the curation of our dataset. We evaluated the ransomware detection performance of several machine learning (ML) models using MLRan. For this purpose, we performed feature selection by conducting mutual information filtering to reduce the initial 6.4 million features to 24,162, followed by recursive feature elimination, yielding 483 highly informative features. The ML models achieved an accuracy, precision and recall of up to 98.7%, 98.9% and 98.5%, respectively. Using SHAP and LIME, we identified critical indicators of malicious behaviour, including registry tampering, strings, and API misuse. The dataset and source code for feature extraction, selection, ML training, and evaluation are publicly available at https://github.com/faithfulco/mlran to support replicability and encourage future research.

CR · Apr 15, 2025
MULTI-LF: A Continuous Learning Framework for Real-Time Malicious Traffic Detection in Multi-Environment Networks

Furqan Rustam, Islam Obaidat, Anca Delia Jurcut

Multi-environment (M-En) networks integrate diverse traffic sources, including Internet of Things (IoT) and traditional computing systems, creating complex and evolving conditions for malicious traffic detection. Existing machine learning (ML)-based approaches, typically trained on static single-domain datasets, often fail to generalize across heterogeneous network environments. To address this gap, we develop a realistic Docker-NS3-based testbed that emulates both IoT and traditional traffic conditions, enabling the generation and capture of live, labeled network flows. The resulting M-En Dataset combines this traffic with curated public PCAP traces to provide comprehensive coverage of benign and malicious behaviors. Building on this foundation, we propose Multi-LF, a real-time continuous learning framework that combines a lightweight model (M1) for rapid detection with a deeper model (M2) for high-confidence refinement and adaptation. A confidence-based coordination mechanism enhances efficiency without compromising accuracy, while weight interpolation mitigates catastrophic forgetting during continuous updates. Features extracted at 1-second intervals capture fine-grained temporal patterns, enabling early recognition of evolving attack behaviors. Implemented and evaluated within the Docker-NS3 testbed on live traffic, Multi-LF achieves an accuracy of 0.999 while requiring human intervention for only 0.0026 percent of packets, demonstrating its effectiveness and practicality for real-time malicious traffic detection in heterogeneous network environments.

NI · Jun 13, 2021
Active Learning for Network Traffic Classification: A Technical Study

Amin Shahraki, Mahmoud Abbasi, Amir Taherkordi et al.

Network Traffic Classification (NTC) has become an important feature in various network management operations, e.g., Quality of Service (QoS) provisioning and security services. Machine Learning (ML) algorithms, a popular approach to NTC, can promise reasonable accuracy in classification and can deal with encrypted traffic. However, ML-based NTC techniques suffer from a shortage of labeled traffic data, which is the case in many real-world applications. This study investigates the applicability of an active form of ML, called Active Learning (AL), to NTC. AL reduces the need for a large number of labeled examples by actively choosing the instances that should be labeled. The study first provides an overview of NTC and its fundamental challenges, along with a survey of the literature on ML-based NTC methods. Then, it introduces the concepts of AL, discusses them in the context of NTC, and reviews the literature in this field. Further, challenges and open issues in AL-based classification of network traffic are discussed. Moreover, as a technical survey, some experiments are conducted to show the broad applicability of AL in NTC. The simulation results show that AL can achieve high accuracy with a small amount of data.

CR · Mar 15, 2021
BLOFF: A Blockchain based Forensic Model in IoT

Promise Agbedanu, Anca Delia Jurcut

In this era of explosive growth in technology, the Internet of Things (IoT) has become the game changer when we consider technologies like smart homes and cities, smart energy, security and surveillance, and healthcare. The numerous benefits provided by IoT make these technologies attractive to users and cybercriminals alike. Cybercriminals today have the tools and the technology to deploy millions of sophisticated attacks. These attacks need to be investigated; this is where digital forensics comes into play. However, it is not easy to conduct a forensic investigation in IoT systems because of the heterogeneous nature of the IoT environment. Additionally, forensic investigators mostly rely on evidence from service providers, a situation that can lead to evidence contamination. To solve this problem, the authors proposed a blockchain-based IoT forensic model that prevents the admissibility of tampered logs into evidence.

CR · Aug 13, 2020
Detecting Abnormal Traffic in Large-Scale Networks

Mahmoud Said Elsayed, Nhien-An Le-Khac, Soumyabrata Dev et al.

With rapid technological advancements, organizations need to rapidly scale up their information technology (IT) infrastructure, viz. hardware, software, and services, at low cost. However, the dynamic growth in network services and applications creates security vulnerabilities and new risks that can be exploited by various attacks. For example, the User to Root (U2R) and Remote to Local (R2L) attack categories can cause significant damage and paralyze the entire network system. Such attacks are not easy to detect due to their high degree of similarity to normal traffic. While network anomaly detection systems are widely used to classify and detect malicious traffic, there are many challenges in discovering and identifying the minority attacks in imbalanced datasets. In this paper, we provide a detailed and systematic analysis of the existing Machine Learning (ML) approaches that can tackle most of these attacks. Furthermore, we propose a Deep Learning (DL) based framework using a Long Short-Term Memory (LSTM) autoencoder that can accurately detect malicious traffic in network traffic. We perform our experiments on a publicly available dataset for Intrusion Detection Systems (IDSs). We obtain a significant improvement in attack detection, as compared to other benchmarking methods. Hence, our method provides great confidence in securing these networks from malicious traffic.

CR · Jun 24, 2020
DDoSNet: A Deep-Learning Model for Detecting Network Attacks

Mahmoud Said Elsayed, Nhien-An Le-Khac, Soumyabrata Dev et al.

Software-Defined Networking (SDN) is an emerging paradigm, which evolved in recent years to address the weaknesses of traditional networks. The defining feature of SDN, achieved by disassociating the control plane from the data plane, facilitates network management and allows the network to be efficiently programmable. However, the new architecture can be susceptible to several attacks that lead to resource exhaustion and prevent the SDN controller from supporting legitimate users. One of these attacks, which nowadays is growing significantly, is the Distributed Denial of Service (DDoS) attack. A DDoS attack has a high impact on crashing network resources, making the target servers unable to support valid users. Current methods deploy Machine Learning (ML) for intrusion detection against DDoS attacks in SDN networks using standard datasets. However, these methods suffer several drawbacks, and the datasets used do not contain the most recent attack patterns; hence, they lack attack diversity. In this paper, we propose DDoSNet, an intrusion detection system against DDoS attacks in SDN environments. Our method is based on a Deep Learning (DL) technique, combining a Recurrent Neural Network (RNN) with an autoencoder. We evaluate our model using the newly released CICDDoS2019 dataset, which contains a comprehensive variety of DDoS attacks and addresses the gaps in existing datasets. We obtain a significant improvement in attack detection, as compared to other benchmarking methods. Hence, our model provides great confidence in securing these networks.

CR · Nov 21, 2019
Insider threats in Cyber Security: The enemy within the gates

Guerrino Mazzarolo, Anca Delia Jurcut

Insider threats have become a reality for civilian firms such as Tesla, which experienced sabotage and intellectual property theft, and Capital One, which suffered from fraud. Even greater social impact was caused by the data breaches at the US Department of Defense, perpetrated by the well-known attackers Chelsea Manning and Edward Snowden, whose espionage and hacktivist activities are widely known. The dramatic increase in such incidents in recent years and the incalculable damage committed by insiders must serve as a warning for all members of the cyber security community. It is no longer acceptable to continue to underestimate the problem of insider threats. Firms, organizations, institutions and governments need to lead and embrace a cultural change in their security posture. Through the adoption of an Insider Threat Program that engages all the strategic branches (including HR, Legal, Information Assurance, Cyber Security and Intelligence), coordinated by the chief information security officer and supported by C-level executives, it is possible to implement a framework that can prevent, detect, and respond to disloyal and/or unintentional insider threats. Hence, defending your enterprise from insider threats is a vital part of information security best practices. It is essential that your company's highly valuable classified data and assets are protected from their greatest threat: the enemy within the gates.

CR · Oct 2, 2019
Machine-Learning Techniques for Detecting Attacks in SDN

Mahmoud Said Elsayed, Nhien-An Le-Khac, Soumyabrata Dev et al.

With the advent of Software Defined Networks (SDNs), there has been rapid advancement in the area of cloud computing. It is now scalable, cheaper, and easier to manage. However, SDNs are more prone to security vulnerabilities as compared to legacy systems. Therefore, machine-learning techniques are now deployed in the SDN infrastructure for the detection of malicious traffic. In this paper, we provide a systematic benchmarking analysis of the existing machine-learning techniques for the detection of malicious traffic in SDNs. We identify the limitations of these classical machine-learning-based methods and lay the foundation for a more robust framework. Our experiments are performed on a publicly available dataset for Intrusion Detection Systems (IDSs).