Doctoral Dissertations
Date of Award: 12-2024
Degree Type: Dissertation
Degree Name: Doctor of Philosophy
Major: Industrial Engineering
Major Professor: Anahita Khojandi
Committee Members: Catalin Roman, Hugh Medal, Zhongshun Shi
Abstract
Due to the worldwide growth of cyber threats, cybersecurity has become a field of increasing importance in recent years. It is therefore imperative to design robust threat detection approaches that can identify and mitigate malicious internet traffic. Several machine learning techniques have shown immense potential for cyber threat detection.
First, we propose RRIoT, a Deep Deterministic Policy Gradient reinforcement learning (RL) algorithm in conjunction with an LSTM layer within an adversarial environment to detect and identify sequential attacks. We evaluate our method against novel and state-of-the-art ML/RL algorithms. Our results indicate that our proposed RRIoT generally performs better than existing ML algorithms and performs as well as or better than novel RL algorithms with new network architectures. We leverage Shapley Additive Global Importance (SAGE) to provide additional insight into which features contribute most to a model’s performance.
Second, we present several unsupervised/semi-supervised machine learning models to combat prolific anomalous data on a computer network. Specifically, we employ five unsupervised machine learning models. We use these models separately and, when applicable, in combination to examine their anomaly detection performance on four networking datasets in both software-defined networking and industrial internet-of-things environments. We investigate the generalizability of the models across two datasets. Our results suggest the Isolation Forest and Deep Belief Network algorithms perform better than other models in both traditional and software-defined networking environments.
Third, we provide more robust algorithms for network data analysis through the use of federated learning, a decentralized machine learning technique that provides a secure way to analyze data. In federated learning, clients train models on their own data and provide updates to a centralized server for creation of a global model, providing confidentiality. However, federated learning averaging algorithms do not consider underlying client health or performance. In this study, we present our novel federated learning framework, FLOWS, to alleviate this issue. FLOWS is formulated as a partially observable Markov decision process, which is solved using reinforcement learning. We apply our framework to intrusion detection. FLOWS generally outperforms federated learning and improves the global model’s performance.
Recommended Citation
Rookard, Curtis Ray Jr., "Cyber Threat Detection using Multifaceted Machine Learning Approaches." PhD diss., University of Tennessee, 2024.
https://trace.tennessee.edu/utk_graddiss/11383