Service and Infrastructure Anomaly Detection (L-ADS and LUCID)

L-ADS (Live Anomaly Detection System) detects anomalies in the network: cyber-attacks, maintenance notifications and other deviations from normal behaviour. It works by monitoring the traffic entering FogAtlas and the traffic exchanged among the microservices, and it alerts on any abnormal situation. It can be integrated with any type of platform.
ATOS has evolved this asset within the DECENTER project; it was initially developed in several EU cybersecurity research projects and has now been improved for Edge, Fog and Cloud systems.
L-ADS is a high-potential asset for cybersecurity environments and has been successfully presented in several workshops and conferences. More information about this asset can be found in the paper “LADS: A Live Anomaly Detection System based on Machine Learning Methods”.

More on the link: https://www.scitepress.org/Papers/2019/79489/pdf/index.html

Partner: ATOS

LUCID (Lightweight, Usable CNN in DDoS Detection) is a lightweight Deep Learning-based DDoS detection framework suitable for online resource-constrained environments. It leverages Convolutional Neural Networks (CNNs) to learn the behaviour of DDoS and benign traffic flows with both low processing overhead and low attack detection time. LUCID includes a dataset-agnostic pre-processing mechanism that produces traffic observations consistent with those collected in existing online systems, where the detection algorithms must cope with segments of traffic flows collected over pre-defined time windows.
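The windowed, flow-level representation described above is the part of LUCID that makes it dataset-agnostic, so it is worth seeing concretely. The following is an added example, not code from the LUCID repository: it groups constructed packet records into (time window, bidirectional flow) buckets and emits one fixed-shape matrix per bucket, truncating long flows and zero-padding short ones so every sample fits a CNN input layer. The per-packet feature set, the `Packet` record and the sample packets are assumptions made for illustration; LUCID's own feature list and pcap parsing differ.

```python
"""Windowed, flow-level traffic samples in the LUCID style (added example, assumptions noted)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Per-packet features kept for each row of a sample. This set is an assumption for
# the example; it is not LUCID's feature list.
FEATURES = ("rel_time", "length", "is_tcp", "is_udp", "syn", "ack")


@dataclass
class Packet:
    """Minimal packet record (assumed shape; a pcap parser would fill these fields)."""
    ts: float      # capture timestamp in seconds
    src: str
    dst: str
    sport: int
    dport: int
    proto: str     # "tcp" or "udp"
    length: int    # bytes on the wire
    syn: bool = False
    ack: bool = False


def flow_key(p: Packet) -> Tuple:
    """Direction-independent 5-tuple so both halves of a conversation share one sample."""
    a = (p.src, p.sport)
    b = (p.dst, p.dport)
    lo, hi = (a, b) if a <= b else (b, a)
    return (lo[0], lo[1], hi[0], hi[1], p.proto)


def packet_features(p: Packet, window_start: float) -> List[float]:
    """One row of the sample matrix: time relative to the window start plus packet fields."""
    return [
        p.ts - window_start,
        float(p.length),
        1.0 if p.proto == "tcp" else 0.0,
        1.0 if p.proto == "udp" else 0.0,
        1.0 if p.syn else 0.0,
        1.0 if p.ack else 0.0,
    ]


def build_samples(packets, window: float = 10.0, max_packets: int = 10) -> Dict[Tuple, List[List[float]]]:
    """Bucket packets by (time window, flow) and emit max_packets x len(FEATURES) matrices.

    Flows with more than max_packets packets in a window are truncated; shorter flows are
    zero-padded, so every sample has the same shape whatever the flow's real length.
    """
    buckets = defaultdict(list)
    for p in packets:
        window_start = (p.ts // window) * window
        buckets[(window_start, flow_key(p))].append(p)

    samples = {}
    for (window_start, key), pkts in buckets.items():
        pkts.sort(key=lambda q: q.ts)
        rows = [packet_features(q, window_start) for q in pkts[:max_packets]]
        rows += [[0.0] * len(FEATURES) for _ in range(max_packets - len(rows))]
        samples[(window_start, key)] = rows
    return samples


def scale_sample(sample: List[List[float]], window: float, max_len: int = 1514) -> List[List[float]]:
    """Min-max style scaling to [0, 1]: time by the window length, size by the Ethernet MTU."""
    return [[r[0] / window, r[1] / max_len] + r[2:] for r in sample]


def real_rows(sample: List[List[float]]) -> int:
    """Number of rows that hold an actual packet rather than padding."""
    return sum(1 for r in sample if any(r))


# Constructed packets: one TCP conversation (six packets, two of them the handshake)
# in the first 10 s window and a single UDP packet in the next window.
SAMPLE_PACKETS = [
    Packet(0.0, "10.0.0.1", "10.0.0.2", 40001, 80, "tcp", 74, syn=True),
    Packet(0.1, "10.0.0.2", "10.0.0.1", 80, 40001, "tcp", 74, syn=True, ack=True),
    Packet(0.2, "10.0.0.1", "10.0.0.2", 40001, 80, "tcp", 66, ack=True),
    Packet(0.3, "10.0.0.1", "10.0.0.2", 40001, 80, "tcp", 512, ack=True),
    Packet(0.4, "10.0.0.2", "10.0.0.1", 80, 40001, "tcp", 1514, ack=True),
    Packet(9.9, "10.0.0.1", "10.0.0.2", 40001, 80, "tcp", 66, ack=True),
    Packet(12.5, "10.0.0.3", "10.0.0.2", 5353, 53, "udp", 90),
]

if __name__ == "__main__":
    for (start, key), rows in build_samples(SAMPLE_PACKETS, window=10.0, max_packets=4).items():
        print(f"window={start:>5} flow={key} real_packets={real_rows(rows)} shape={len(rows)}x{len(FEATURES)}")
```

With `window=10.0` and `max_packets=4` the TCP conversation yields one 4x6 matrix holding its first four packets (the remaining two in that window are dropped), and the lone UDP packet yields a 4x6 matrix with three all-zero padding rows. A classifier trained on matrices of this shape can then be fed the same windowed segments from live traffic, which is the consistency between offline and online observations the text refers to.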

LUCID's current CNN and pre-processing tools are implemented in Python 3.8 with Keras and TensorFlow 2, and the source code is publicly available under the Apache 2.0 license at: https://github.com/doriguzzi/lucid-ddos. The repository includes guidelines on how to install the required libraries and how to use LUCID, from the pre-processing of the traffic traces to the training and testing phases.

In addition, the latest version of the code implements an “online inference” mode to perform inference on live network traffic or on pre-recorded traffic traces saved in pcap format.

More details on the architecture of LUCID and its performance in terms of detection accuracy and execution time are available in the following research paper:

R. Doriguzzi-Corin, S. Millar, S. Scott-Hayward, J. Martínez-del-Rincón and D. Siracusa, “Lucid: A Practical, Lightweight Deep Learning Solution for DDoS Attack Detection,” in IEEE Transactions on Network and Service Management, vol. 17, no. 2, pp. 876–889, June 2020, doi: 10.1109/TNSM.2020.2971776.

Partner: FBK