Author

Darius Mihai

Bio: Darius Mihai is an academic researcher from Politehnica University of Bucharest. The author has contributed to research in the topics Computer science and Hypervisor. The author has an h-index of 1 and has co-authored 6 publications receiving 3 citations.

Papers
Journal Article
24 Jun 2021, Sensors
TL;DR: In this paper, the authors introduce the effects of using machine-learning-based intrusion detection methods in network traffic coming from a real-life architecture, which is part of an effort to bring security against novel cyberthreats and was completed in the SIMARGL project.
Abstract: Cybersecurity is an arms race, with both the security and the adversaries attempting to outsmart one another, coming up with new attacks, new ways to defend against those attacks, and again with new ways to circumvent those defences. This situation creates a constant need for novel, realistic cybersecurity datasets. This paper introduces the effects of using machine-learning-based intrusion detection methods in network traffic coming from a real-life architecture. The main contribution of this work is a dataset coming from a real-world, academic network. Real-life traffic was collected and, after performing a series of attacks, a dataset was assembled. The dataset contains 44 network features and an unbalanced distribution of classes. In this work, the capability of the dataset for formulating machine-learning-based models was experimentally evaluated. To investigate the stability of the obtained models, cross-validation was performed, and an array of detection metrics were reported. The gathered dataset is part of an effort to bring security against novel cyberthreats and was completed in the SIMARGL project.

11 citations

Proceedings Article
11 Dec 2020
TL;DR: In this paper, the authors propose a solution for extending this feature by allowing the saving and restoration of multiple devices of the same type, whenever they are used together, which can lead to an inconsistent virtual machine state.
Abstract: The FreeBSD-specific hypervisor solution, bhyve, is a mature virtualization solution that allows its users to configure virtual machines in a robust manner by adding different types of devices. Moreover, the virtual machine state can be suspended for later use by using the snapshotting mechanism. However, the existing snapshot mechanism can only store the state of one device of each type. This behaviour may be troublesome for entities that want to use the save and restore mechanism for virtual machines with multiple same-type devices (e.g., two disks, two network interfaces), since it can lead to an inconsistent virtual machine state. This paper proposes a solution for extending this feature by allowing the saving and restoration of multiple devices of the same type, whenever they are used together.

1 citation

Book Chapter
29 Apr 2021
TL;DR: In this paper, the authors present a proof-of-concept that runs a Linux-based operating system on a FreeBSD virtual machine manager, bhyve, in order to provide secure and isolated environments for certain applications.
Abstract: ARM processors are more energy efficient when compared to their older and more powerful x86 counterparts. As such, more complex systems (e.g., servers) would greatly benefit from using them, should they become powerful enough to handle complex tasks. One such task, an essential tool for system administrators, is the ability to run virtual machines in order to provide secure and isolated environments for certain applications. With ARM-powered servers having been under development for years already, anticipating the needs of system administrators and adding relevant features to the operating system may prove critical to increasing the user base. Linux is by far the most successful free operating system, so any virtualization mechanism will need to be able to run a virtual machine with Linux before it may be considered viable for use in large-scale deployments. Consequently, bhyve, FreeBSD’s virtual machine manager, requires a proof of concept that runs a Linux-based operating system.

Proceedings Article
15 Sep 2022
TL;DR: This paper presents the SMP (Symmetric Multiprocessor Support) added to bhyve on arm64, which allows the user to start a virtual machine when the host operating system has more than one core and to start a virtual machine with more virtual CPUs.
Abstract: In recent years, ARM started to take its share of the personal computer and server markets. Their CPUs are known for their low power consumption and mobile market supremacy. In these new areas, virtualization is used to provide working machines in the cloud and to create secure environments. The FreeBSD community started developing an ARM-based hypervisor, but it was not tested on real hardware and lacked some features that AMD64 has. Furthermore, nowadays, computers usually have more CPUs, to perform tasks in parallel and increase the speed of the overall system. This paper presents the SMP (Symmetric Multiprocessor Support) added to bhyve on arm64. This feature allows the user to start a virtual machine when the host operating system has more than one core and to start a virtual machine with more virtual CPUs.

Cited by
Journal Article
TL;DR: An innovative approach is proposed which adapts sketchy data structures to extract generic and universal features and leverages the principles of domain adaptation to improve classification quality in zero- and few-shot scenarios.
Abstract: Network flow-based cyber anomaly detection is a difficult and complex task. Although several approaches to tackling this problem have been suggested, many research topics remain open. One of these concerns the problem of model transferability. There is a limited number of papers which tackle transfer learning in the context of flow-based network anomaly detection, and the proposed approaches are mostly evaluated on outdated datasets. The majority of solutions employ various sophisticated approaches, where different architectures of shallow and deep machine learning are leveraged. Analysis and experimentation show that different solutions achieve remarkable performance in a single domain, but transferring the performance to another domain is tedious and results in serious deterioration in prediction quality. In this paper, an innovative approach is proposed which adapts sketchy data structures to extract generic and universal features and leverages the principles of domain adaptation to improve classification quality in zero- and few-shot scenarios. The proposed approach achieves an F1 score of 0.99 compared to an F1 score of 0.97 achieved by the best-performing related methods.

6 citations

Journal Article
18 Nov 2021, Entropy
TL;DR: In this article, several feature selection techniques have been applied to five flow-based network intrusion detection datasets, establishing an informative flow-based feature set, and the results show that a set of 10 features and a small amount of data is enough for the final model to perform very well.
Abstract: The number of security breaches in cyberspace is on the rise. This threat is met with intensive work in the intrusion detection research community. To keep the defensive mechanisms up to date and relevant, realistic network traffic datasets are needed. The use of flow-based data for machine-learning-based network intrusion detection is a promising direction for intrusion detection systems. However, many contemporary benchmark datasets do not contain features that are usable in the wild. The main contribution of this work is to cover the research gap related to identifying and investigating valuable features in the NetFlow schema that allow for effective, machine-learning-based network intrusion detection in the real world. To achieve this goal, several feature selection techniques have been applied to five flow-based network intrusion detection datasets, establishing an informative flow-based feature set. The authors’ experience with the deployment of this kind of system shows that to close the research-to-market gap, and to perform actual real-world application of machine-learning-based intrusion detection, a set of labeled data from the end-user has to be collected. This research aims at establishing the appropriate, minimal amount of data that is sufficient to effectively train machine learning algorithms in intrusion detection. The results show that a set of 10 features and a small amount of data is enough for the final model to perform very well.

5 citations

Proceedings Article
15 Jun 2022
TL;DR: It is claimed that the data in the VHS-22 dataset are more demanding, and therefore that the dataset can better stimulate further progress in detecting network threats.
Abstract: Researching new methods of detecting network threats, e.g., malware-related, requires large and diverse sets of data. In recent years, a variety of network traffic datasets have been proposed, which have been intensively used by the research community. However, most of them are quite homogeneous, which means that detecting threats using these data became relatively easy, allowing for detection accuracy close to 100%. Therefore, they are not a challenge anymore. As a remedy, in this article we propose a VHS-22 dataset – a Very Heterogeneous Set of network traffic data. We prepared it using a software network probe and a set of existing datasets. We describe the process of dataset creation, as well as its basic statistics. We also present initial experiments on attack detection, which yielded lower results than for other datasets. We claim that the data in the VHS-22 dataset are more demanding, and therefore that our dataset can better stimulate further progress in detecting network threats.

2 citations

Journal Article
03 Sep 2021, Sensors
TL;DR: Wang et al., as mentioned in this paper, proposed a one-dimensional convolution-based fusion model of packet capture files and business feature data for malicious network behavior detection, which improved the malicious behavior detection results compared with single-source models on some available network traffic and IoT datasets.
Abstract: Information and communication technologies have essential impacts on people’s lives. The real-time convenience of the internet greatly facilitates the information transmission and knowledge exchange of users. However, network intruders utilize some communication holes to complete malicious attacks. Some traditional machine learning (ML) methods based on business features and deep learning (DL) methods extracting features automatically are used to identify these malicious behaviors. However, these approaches tend to use only one type of data source, which can result in the loss of some features that cannot be mined in the data. In order to address this problem and to improve the precision of malicious behavior detection, this paper proposed a one-dimensional (1D) convolution-based fusion model of packet capture files and business feature data for malicious network behavior detection. Fusion models improve the malicious behavior detection results compared with single ones in some available network traffic and Internet of things (IoT) datasets. The experiments also indicate that early data fusion, feature fusion and decision fusion are all effective in the model. Moreover, this paper also discusses the adaptability of one-dimensional convolution and two-dimensional (2D) convolution to network traffic data.

2 citations

Journal Article
TL;DR: This paper provides a number of practical recommendations for policymakers, as well as cybersecurity managers, on how to make cybersecurity more human-centred; it also inspires further research directions.
Abstract:
Purpose: The purpose of this paper is to challenge the prevailing, stereotypical approach to the human aspect of cybersecurity, i.e. treating people as a weakness or threat. Instead, several reflections are presented, pertaining to the ways of making cybersecurity human-centred.
Design/methodology/approach: This paper is based on the authors’ own experiences, gathered whilst working in cybersecurity projects; the resulting comments and reflections have been enriched and backed up by the results of a targeted literature study.
Findings: The findings show that the way the human aspects of cybersecurity are understood is changing, and deviates from the stereotypical approach.
Practical implications: This paper provides a number of practical recommendations for policymakers, as well as cybersecurity managers, on how to make cybersecurity more human-centred; it also inspires further research directions.
Originality/value: This paper presents a fresh, positive approach to humans in cybersecurity and opens the doors to further discourse about new paradigms in the field.

2 citations