Automated Network Incident Identification through Genetic Algorithm-Driven Feature Selection

Abstract

The cybersecurity landscape presents daunting challenges, particularly in the face of Denial of Service (DoS) attacks such as DoS Http Unbearable Load King (HULK) attacks and DoS GoldenEye attacks. These malicious tactics are designed to disrupt critical services by overwhelming web servers with malicious requests. In contrast to DoS attacks, there exists nefarious Operating System (OS) scanning, which exploits vulnerabilities in target systems. To provide further context, it is essential to clarify that NMAP, a widely utilized tool for identifying host OSes and vulnerabilities, is not inherently malicious but a dual-use tool with legitimate applications, such as asset inventory services in company networks. Additionally, Domain Name System (DNS) botnets can be incredibly damaging as they harness numerous compromised devices to inundate a target with malicious DNS traffic. This can disrupt online services, leading to downtime, financial losses, and reputational damage. Furthermore, DNS botnets can be used for other malicious activities like data exfiltration, spreading malware, or launching other cyberattacks, making them a versatile tool for cybercriminals. As attackers continually adapt and modify specific attributes to evade detection, our paper introduces an automated detection method that requires no expert input. This innovative approach identifies the distinct characteristics of DNS botnet attacks, DoS HULK attacks, DoS GoldenEye attacks, and OS-Scanning, explicitly using the NMAP tool, even when attackers alter their tactics. By harnessing a representative dataset, our proposed method ensures robust detection of such attacks against varying attack parameters or behavioral shifts. This heightened resilience significantly raises the bar for attackers attempting to conceal their malicious activities. Significantly, our approach delivered outstanding outcomes, with a mid 95% accuracy in categorizing NMAP OS scanning and DNS botnet attacks, and 100% for DoS HULK attacks and DoS GoldenEye attacks, proficiently discerning between malevolent and harmless network packets. Our code and the dataset are made publicly available.