In recent years, integrated circuits (ICs) have become significant for various industries and their security has been given greater priority, specifically in the supply chain. Budgetary constraints have compelled IC designers to offshore manufacturing to third-party companies. When the designer gets the manufactured ICs back, it is imperative to test for potential threats like hardware trojans (HT). In this paper, a novel multilevel game-theoretic framework is introduced to analyze the interactions between a malicious IC manufacturer and the tester. In particular, the game is formulated as a non-cooperative, zerosum, repeated game using prospect theory (PT) that captures different players’ rationalities under uncertainty. The repeated game is separated into a learning stage, in which the defender learns about the attacker’s tendencies, and an actual game stage, where this learning is used. Experiments show great incentive for the attacker to deceive the defender about their actual rationality by “playing dumb” in the learning stage (deception). This scenario is captured using hypergame theory to model the attacker’s view of the game. The optimal deception rationality of the attacker is analytically derived to maximize utility gain. For the defender, a first-step deception mitigation process is proposed to thwart the effects of deception. Simulation results show that the attacker can profit from the deception as it can successfully insert HTs in the manufactured ICs without being detected. This paper has been accepted for publication in IEEE Cyber Science Conference 2020

Machine learning (ML)-based network intrusion detection systems (NIDS) have become a contemporary approach to efficiently protect network communications from cyber attacks. However, ML models can become exploited by adversarial poisonings, like random label manipulation (RLM), which can compromise multi-controller software-defined network (MSDN) operations. In this paper, we develop the Trans-controller Adversarial Perturbation Detection (TAPD) framework for NIDS in multi-controller SDN setups. The detection framework takes advantage of the SDN architecture and focuses on the periodic transference of network intrusion detection models across the SDN controllers in the topology, and validates the models using the local datasets to calculate errors in their predictions with the ground truth. We demonstrate the efficacy of this framework in detecting RLM attacks in an MSDN setup. Results indicate efficient detection performance achieved by the TAPD framework in determining the presence of Random Label Manipulation attacks and the localization of the compromised controllers. We find that the framework works well even when there is a significant number of compromised agents in a large multi-controller setting. However, the performance begins to deteriorate when more than 40% of the SDN controllers in the MSDN have become compromised.

With the usage of machine learning (ML) algorithms in modern-day network intrusion detection systems (NIDS), contemporary network communications are efficiently protected from cyber threats. However, these ML algorithms are starting to be compromised by adversarial attacks that ambush the ML pipeline. In this paper, we demonstrate the feasibility of an adversarial attack called the Cosine Similarity Label Manipulation (CSLM), which is geared toward compromising training labels for ML-based NIDS, and how they can affect ML pipelines. We demonstrate the efficacy of the attacks towards both single and multi-controller software-defined network (SDN) setups. Results indicate that the proposed attacks provide substantial deterioration of classifier performance in single SDNs, specifically, those that utilize RF, which deteriorates  ~50% under Min-CSLM attacks, and SVMs, which undergo ~60% deterioration from a Max-CSLM attack. We also note that RF, SVM, and MLP classifiers are also extensively vulnerable to these attacks in MSDNs as they incur the most observed utility deterioration. MLP-based uniform multi-controller setups (MSDN) incur the most deterioration under both proposed CSLM attacks with ~28% decrease in performance, while SVM and RF-based variable MSDNs incur the most deterioration under both CSLM attacks with ~30% and ~35% decrease in performance, respectively.

With the expanded applications of modern-day networking, network infrastructures are at risk from cyber attacks and intrusions. Multiple datasets have been proposed in literature that can be used to create Machine Learning (ML) based Network Intrusion Detection Systems (NIDS). However, many of these datasets suffer from sub-optimal performance and do not adequately represent all types of intrusions in an effective manner. Another problem with these datasets is the low accuracy of tail classes. To address these issues, in this paper, we propose the University of Nevada - Reno Intrusion Detection Dataset (UNR-IDD) that provides researchers with a wider range of samples and scenarios. The proposed dataset utilizes network port statistics for more fine-grained control and analysis of intrusions. We provide a benchmark to show efficient performance for both binary and multi-class classification tasks using different ML algorithms. The paper further explains the intrusion detection activities rather than providing a generic black-box output of the ML algorithms. In comparison with the other established NIDS datasets, we obtain better performance with an Fµ score of 94% and a minimum F score of 86%. This performance can be credited to prioritizing high scoring average and minimum F-Measure scores for modeled intrusions. This manuscript has been accepted for publication in 2023 IEEE Consumer Communications and Networking Conference.