Artificial intelligence (AI) techniques vastly improve the effectiveness of security monitoring through data analysis, resulting in better threat detection, faster incident response, and a more robust security posture. AI techniques, particularly machine learning (ML) and deep learning (DL), analyze diverse data sources for security monitoring, such as network traffic logs, system logs and events, access control records, video surveillance footage, social media, and other open-source intelligence. This article discusses several studies that reflect the growing importance of AI in security monitoring.
Optical Network Security Monitoring
The secure and reliable operation of optical networks, a critical communication infrastructure supporting consistent network traffic growth, is essential for diverse applications and services. Optical network building blocks, like amplifiers, switches, and optical fibers, have inherent vulnerabilities that can be exploited in physical-layer attacks to disrupt services. Attack methods differ significantly in their damaging potential, their sophistication, and how difficult they are to detect and counteract.
The physical-layer attack techniques have complex effects on optical channel parameters, which make their detection extremely challenging. ML-driven automation of network diagnosis and management facilitates the cost-efficient management of complex optical communication networks. The recent proliferation of ML techniques in optical networking has led to the development of robust methods for automated and cognitive management of optical security.
These techniques successfully detected unauthorized signals in the network and identified jamming and polarization scrambling attacks. A study published in the Journal of Lightwave Technology presented an ML-based framework for autonomous and cognitive security diagnostics of physical-layer security in optical networks.
The framework comprised attack detection and identification modules that leveraged semi-supervised learning (SSL), unsupervised learning (UL), and supervised learning (SL) approaches to detect attacks and identify their type and intensity. It also included an attack localization module that worked at the connection and link level to deduce the location of a breached link or harmful connection. The entire framework was incorporated into the network management system (NMS).
Additionally, the study proposed a window-based attack detection (WAD) approach to improve the performance of ML approaches by addressing the influence of false negatives and false positives. The performance of the ML approaches used in the proposed framework was evaluated in the study. Specifically, artificial neural networks (ANN), one-class support vector machine (OCSVM), and density-based spatial clustering of applications with noise (DBSCAN) were chosen for SL, SSL, and UL, respectively, owing to their state-of-the-art (SOTA) performance in many tasks.
The evaluation was implemented in Python with scikit-learn, using a dataset containing a total of 20,160 samples. The ANN displayed very high accuracy, achieving the maximum F1 score of one with no false positives or false negatives.
The OCSVM approach also performed well, reaching a best F1 score of 0.963, which is lower than the ANN's. DBSCAN showed significantly lower accuracy, with a best F1 score of 0.8. WAD was therefore applied only to the SSL and UL models, since the ANN generated no false positives or false negatives. Results showed that the proposed WAD approach effectively addressed the impact of false negatives and false positives, ensuring the reliable application of SSL and UL models during optical network operation.
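The following is an added illustration of window-based smoothing of per-sample detector output; it is not the paper's own WAD code. The majority-of-window rule, the window size and the threshold are assumptions, and the ground truth and detector flags are constructed:

```python
from typing import List, Tuple

# Constructed ground truth for 30 monitoring intervals: samples 12-23 are an attack.
TRUTH: List[int] = [0] * 12 + [1] * 12 + [0] * 6

# Constructed per-sample output of an SSL/UL detector (e.g. an OCSVM or DBSCAN
# model): one false positive at index 4 and two false negatives (indexes 15
# and 19) inside the attack period.
RAW_FLAGS: List[int] = list(TRUTH)
RAW_FLAGS[4] = 1
RAW_FLAGS[15] = 0
RAW_FLAGS[19] = 0


def window_attack_detection(flags: List[int], window: int = 5,
                            min_flagged: int = 3) -> List[int]:
    """Smooth per-sample attack flags with a sliding window (assumed rule).

    A sample is reported as attacked only if at least `min_flagged` of the
    `window` samples centred on it are flagged. Isolated false positives are
    suppressed and isolated false negatives inside a sustained attack are
    bridged. In live operation the decision for sample i is only available
    once the following window // 2 samples have arrived (a fixed delay).
    """
    if window < 1 or not 1 <= min_flagged <= window:
        raise ValueError("need 1 <= min_flagged <= window")
    half = window // 2
    smoothed = []
    for i in range(len(flags)):
        lo, hi = max(0, i - half), min(len(flags), i + half + 1)  # clip at edges
        smoothed.append(1 if sum(flags[lo:hi]) >= min_flagged else 0)
    return smoothed


def f1_score(truth: List[int], pred: List[int]) -> Tuple[int, int, int, float]:
    """Return (tp, fp, fn, F1) for binary attack/no-attack decisions."""
    tp = sum(1 for t, p in zip(truth, pred) if t == 1 and p == 1)
    fp = sum(1 for t, p in zip(truth, pred) if t == 0 and p == 1)
    fn = sum(1 for t, p in zip(truth, pred) if t == 1 and p == 0)
    f1 = 2 * tp / (2 * tp + fp + fn) if tp else 0.0
    return tp, fp, fn, f1


if __name__ == "__main__":
    print("raw     :", f1_score(TRUTH, RAW_FLAGS))
    print("windowed:", f1_score(TRUTH, window_attack_detection(RAW_FLAGS)))
```

Note that a burst of false positives at least `min_flagged` samples long still passes the window, so the window size should be chosen relative to how long spurious flags tend to persist.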
Network Security Monitoring
The emergence and rapid development of AI technology, big data, and mobile communication have made network infrastructure and its security increasingly intelligent. This has led to the wide adoption of information technology in industrial control, which has increased the importance of network security monitoring.
A paper published in the Journal of Physics: Conference Series presented a DL-based network security monitoring method and examined its feasibility. Non-invasive network security monitoring was realized by collecting data, extracting features, and training a neural network model on the network's power consumption information.
This method could detect attacks on network security information that are not detectable at the network level and improve the overall security performance of the network. Results demonstrated that the DL-based network security monitoring method increased network security efficiency by 24%.
Smart Cyber-physical Grid Security Monitoring
The development of power systems and smart grid technologies has become vital with the surging demand for electrical energy. Smart grids are new-generation power systems that apply intelligent features and tools to provide higher manageability, reliability, stability, and performance.
However, their reliance on information and communication technology systems makes power systems and smart grids more vulnerable to cyberattacks, which is a major challenge. A paper published in Security of Cyber-Physical Systems evaluated several ML algorithms for detecting attacks to address this challenge.
First, attacks in a dataset from a smart grid were detected using the ML algorithms, and the results were then compared based on F-score. Random forest (RF) performed best when testing (scoring) time was ignored, while k-nearest neighbors (KNN) performed well when all aspects, including scoring time, were considered.
Context-aware Security Monitoring
ML techniques are receiving attention in intrusion detection due to the rising volume of data produced by monitoring tools and the growing sophistication shown by attackers in concealing their activity. However, the existing approaches for intrusion detection have several important limitations related to the relevance and quantity of the generated alerts. Recently, knowledge graphs have been adopted in the cybersecurity domain to alleviate a number of these drawbacks as they seamlessly integrate data from several domains using human-understandable vocabularies.
A study published at the 2021 IEEE International Conference on Cyber Security and Resilience (CSR) discussed using ML on knowledge graphs for intrusion detection and experimentally evaluated a link-prediction method for scoring anomalous activity in industrial systems.
Specifically, researchers applied relational learning on knowledge graphs for security monitoring and intrusion detection. The graph embedding methods' collective learning properties enable the resulting models to generalize beyond individual observations, benefiting from the rich set of relationship and entity types.
Thus, this approach ensures efficient utilization of training data, potentially shorter baselining periods, and inherent effectiveness against false alarms in the presence of previously unobserved events. The proposed method was tested using an industrial automation system prototype across diverse scenarios. After the initial unsupervised training, the method generated intuitively interpretable and well-calibrated alerts in different scenarios.
Specifically, it effectively leveraged the context information to produce a meaningful range of severity scores, which is useful in the intrusion detection systems (IDS) setting as observations are typically not easily categorized as completely malicious or benign a priori. Thus, this study effectively displayed the feasibility of using relational ML on knowledge graphs for security monitoring.
Face Detection in Security Monitoring
The rapid development of video monitoring has generated volumes of monitoring images that exceed what human operators can process. Intelligent video retrieval technology has therefore become an indispensable part of video monitoring systems for handling this information.
This technology integrates AI, computer vision, and video processing to substantially improve the efficiency of monitoring and the linkage and accuracy of monitoring systems. Emerging technologies like face recognition are increasingly being applied to the security monitoring system.
A study published in IEEE Access presented a video-oriented cascaded intelligent face detection algorithm based on the face detection neural network and DL theory. This algorithm builds a DL network by cascading several features, including semantic, edge, contour, and local features, and advances layer by layer. Based on the semantic features, the input data information is obtained to precisely achieve face detection under non-ideal conditions.
Simulation results in the study demonstrated that the proposed intelligent face detection algorithm attained good detection performance for multi-face and single-face images. The method also had strong robustness for rotating faces. Moreover, the algorithm was also fast and could effectively meet the real-time face detection requirements.
To summarize, AI is transforming security monitoring from optical networks to smart grids. However, bias, cost, complexity, and data quality-related issues must be mitigated to implement AI on a wider scale.
References and Further Reading
Furdek, M., Natalino, C., Lipp, F., Hock, D., Di Giglio, A., Schiano, M. (2020). Machine learning for optical network security monitoring: A practical perspective. Journal of Lightwave Technology, 38(11), 2860-2871. https://doi.org/10.1109/JLT.2020.2987032
Yu, T., Yin, X., Yao, M., Liu, T. (2021). Network security monitoring method based on deep learning. Journal of Physics: Conference Series, 1955, 1, 012040. https://doi.org/10.1088/1742-6596/1955/1/012040
Rouzbahani, H.M., Faraji, Z., Amiri-Zarandi, M., Karimipour, H. (2020). AI-Enabled Security Monitoring in Smart Cyber Physical Grids. Security of Cyber-Physical Systems. https://doi.org/10.1007/978-3-030-45541-5_8
Garrido, J. S., Dold, D., Frank, J. (2021). Machine learning on knowledge graphs for context-aware security monitoring. 2021 IEEE International Conference on Cyber Security and Resilience (CSR), 55-60. https://doi.org/10.1109/CSR51186.2021.9527927
Dong, Z., Wei, J., Chen, X., Zheng, P. (2020). Face detection in security monitoring based on artificial intelligence video retrieval technology. IEEE Access, 8, 63421-63433. https://doi.org/10.1109/ACCESS.2020.2982779