G-Networks Can Detect Different Types of Cyberattacks

Erol Gelenbe
Institute of Theoretical and Applied Informatics, Polish Academy of Sciences, IITIS-PAN, 44-100 Gliwice, Poland & Lab. I3S CNRS, Université Côte d'Azur, Grand Château, 06103 Nice Cedex 2, France & Yaşar University, Bornova, Izmir, Turkey
ORCID: 0000-0001-9688-2201

Mert Nakıp
Institute of Theoretical and Applied Informatics, Polish Academy of Sciences, IITIS-PAN, 44-100 Gliwice, Poland
ORCID: 0000-0002-6723-6494

Abstract—Malicious network attacks are a serious source of concern, and machine learning techniques are widely used to build Attack Detectors that are trained off-line with real attack and non-attack data, and then used online to monitor system entry points connected to networks. Many machine learning based Attack Detectors are typically trained to identify specific types of attacks, and training such algorithms to cover several types of attacks may be excessively time consuming. This paper shows that G-Networks, which are queueing networks with product form solution and special customers such as negative customers and triggers, can be trained just with "non-attack" traffic and can accurately detect several different attack types. This is established with a special case of G-Networks with triggered customer movement. A DARPA attack and non-attack traffic repository is used to train and test the G-Network, yielding comparable or clearly better accuracy than most known attack detection techniques.

Index Terms—Gelenbe-Networks (G-Networks), Multiple Attack Detection, Random Neural Networks, Queueing Networks with Negative and Positive Customers, Auto-Associative Deep Random Neural Network

I. INTRODUCTION

The edge of the Internet is populated with a wide range of devices that are part of Mobile Networks, the Internet of Things (IoT) as well as various servers and local area networks.
Since 50% or more of these devices [1] are simple and hence of low-cost and low-maintenance, it is difficult (if not totally impossible) to burden them with complex security functionalities [2], and they are prime targets for cyberattacks [3]–[5], including simple Denial of Service (DoS) attacks [6] which seriously interfere with the operation of numerous devices that have few resources to spare [7], [8]. Systemic approaches to securing cyber-physical systems have been suggested [9], [10], but these may not be suitable for highly distributed systems composed of simple devices.

More harmful Distributed DoS (DDoS) attacks [11] can overwhelm large networks by using proxy victims that have been attacked and turned into "Bots". In turn, they flood devices with attacks and overwhelming traffic, such as in the "Mirai" attack [12], compromising Netflix, Reddit, Spotify, and Twitter [13], [14], and harming millions of IP nodes [15], [16].

This research has been supported by the European Commission H2020 Program under the IoTAC Research and Innovation Action, under Grant Agreement No. 952684.

Thus much research has been conducted in designing Attack Detectors (ADs) using conventional statistics or Machine Learning (ML). These can be trained on-line, or off-line with validated instances of non-attack and attack data collected during long usage periods or during substantial network attacks. The trained AD is then used online to monitor IP addresses and network ports, so as to raise an alarm when malicious incoming traffic is detected.

Because of the severe effects of Botnet attacks, much work has addressed their characteristics [12], [17] and Mirai attack source code was also studied [18].
The detection of Mirai attacks from incoming traffic has used different ML methods including K-Nearest Neighbours (KNN), Support Vector Machines (SVM), Decision Trees (DT), Multi-Layer Perceptrons (MLP) [19], Classification and Regression Trees [20], Gradient Boosting and Random Forests [21], Deep MLPs [22], and Long-Short Term Memory [23], [24], and a comparison of these methods was also conducted [25]. Related research includes [26]–[29], and adaptive network routing to avoid nodes or paths that are subject to unusual events or an attack [30], [31] has also been investigated.

G-Networks [32] are stochastic queueing networks with product form solution, and a special case of this model, known as the Random Neural Network (RNN) [33]–[35], has been shown to be effective in detecting denial of service SYN attacks [36], after being trained via gradient descent learning with both "normal" and attack data.

This is a consequence of an important mathematical property that we exploit in this paper, namely the ability of G-Networks to approximate all continuous and bounded functions, with arbitrarily close error values that depend on the size of the network in number of queues or neurons [37], [38]. On the empirical side of things, the RNN has been very