Title:
METHODS AND APPARATUSES FOR DETECTING SECURITY ATTACKS IN A COMMUNICATION NETWORK
Document Type and Number:
WIPO Patent Application WO/2024/074191
Kind Code:
A1
Abstract:
A method for detecting attacks in a network comprising a plurality of communicatively interconnected network nodes, the network further comprising a centralised security agent and at least one distributed security agent connected to the centralised security agent, the method performed by the at least one distributed security agent and comprising: selecting a detection technique with reference to a function calculated based on parameters related to both attack detection accuracy and detection cost, wherein the function is calculated by the centralised security agent; selecting a detection strategy based on a first indicator related to a most secure state of the at least one distributed security agent and a second indicator related to a maximum attack potential from suspected attacking network nodes, wherein the first indicator and the second indicator are calculated by the centralised security agent; and detecting an attack based on the selected detection technique and the selected detection strategy.

Inventors:
SEDJELMACI HICHEM (FR)
RENUNCIO MATEOS IRENEA (FR)
Application Number:
PCT/EP2022/077503
Publication Date:
April 11, 2024
Filing Date:
October 04, 2022
Assignee:
ERICSSON TELEFON AB L M (SE)
International Classes:
H04L9/40
Other References:
HICHEM SEDJELMACI ET AL: "Intrusion detection framework of cluster-based wireless sensor network", COMPUTERS AND COMMUNICATIONS (ISCC), 2012 IEEE SYMPOSIUM ON, IEEE, 1 July 2012 (2012-07-01), pages 857 - 861, XP032209219, ISBN: 978-1-4673-2712-1, DOI: 10.1109/ISCC.2012.6249409
KHAN KHALID ET AL: "A survey on intrusion detection and prevention in wireless ad-hoc networks", JOURNAL OF SYSTEMS ARCHITECTURE, ELSEVIER BV, NL, vol. 105, 18 December 2019 (2019-12-18), XP086129988, ISSN: 1383-7621, [retrieved on 20191218], DOI: 10.1016/J.SYSARC.2019.101701
Attorney, Agent or Firm:
ALGEMEEN OCTROOI- EN MERKENBUREAU B.V. (NL)
Claims:

1. A method (70) for detecting attacks in a network comprising a plurality of communicatively interconnected network nodes, the network further comprising a centralised security agent, CSA, (11) and at least one distributed security agent, DSA, (12) connected to the CSA (11), the method performed by the at least one DSA (12) and comprising: selecting (71) a detection technique with reference to a function calculated based on parameters related to both attack detection accuracy and detection cost, wherein the function is calculated by the CSA; selecting (72) a detection strategy based on a first indicator related to a most secure state of the at least one DSA and a second indicator related to a maximum attack potential from suspected attacking network nodes, wherein the first indicator and the second indicator are calculated by the CSA; and detecting (73) an attack based on the selected detection technique and the selected detection strategy.

2. The method (70) according to claim 1, wherein the selecting steps (71, 72) are performed in response to a suspected attack determined by monitoring attacks from a plurality of network nodes (19) within a radio coverage range of the at least one DSA (12) under an active mode determined by the CSA.

3. The method (70) according to claim 2, wherein the suspected attack is determined via rule-based attack detection based on a vote mechanism by the at least one DSA (12) and a plurality of neighbouring DSAs (12).

4. The method (70) according to any of the previous claims, further comprising: switching to an idle mode of not monitoring attacks when a security index of the at least one DSA (12), calculated by the CSA (11) according to a plurality of security parameters of the DSA (12), is below a threshold value.

5. The method (70) according to claim 4, wherein the security parameters of the at least one DSA (12) comprise an Attacks Detection Rate, ADR, a False Detection Rate, FDR, and a Quality of Data Rate, QDR of the at least one DSA (12).

6. A method (80) for controlling detection of attacks in a network comprising a plurality of communicatively interconnected network nodes, the network further comprising a centralised security agent, CSA, (11) and at least one distributed security agent, DSA, (12) connected to the CSA, the method performed by the CSA (11) and comprising: requesting (81) the at least one DSA to select a detection technique with reference to a function calculated based on parameters related to both attack detection accuracy and detection cost, wherein the function is calculated by the CSA; and requesting (82) the at least one DSA to select a detection strategy based on a first indicator related to a most secure state of the at least one DSA and a second indicator related to a maximum attack potential from suspected attacking node devices, wherein the first indicator and the second indicator are calculated by the CSA.

7. The method (80) according to claim 6, wherein the requesting steps (81, 82) are performed in response to a suspected attack determined by monitoring attacks from a plurality of network nodes within a radio coverage range of the at least one DSA under an active mode determined by the CSA.

8. The method (80) according to claim 6 or 7, further comprising: requesting the at least one DSA to switch to an idle mode of not monitoring attacks when a security index of the at least one DSA, calculated according to a plurality of security parameters of the DSA, is below a threshold value.

9. The method (80) according to claim 8, wherein the security parameters of the at least one DSA comprise an Attacks Detection Rate, ADR, a False Detection Rate, FDR, and a Quality of Data Rate, QDR of the at least one DSA.

10. The method (80) according to any of the previous claims 6-9, wherein the detection technique comprises a first detection technique prioritising attack detection accuracy and a second detection technique prioritising detection cost control, the first requesting step (81) comprises requesting the at least one DSA to select (43) the first detection technique when the parameter, calculated by the CSA, is below a threshold value and to select (44) the second detection technique when the parameter, calculated by the CSA, is above the threshold value.

11. The method (80) according to claim 10, wherein the parameter is calculated by the CSA based on a False Positive Rate, FPR, a New Attacks detection Rate, NAR, a Cost Rate, CR, and a Malicious Level, ML.

12. The method (80) according to claim 10 and 11, wherein the first detection technique comprises a machine learning-based attack detection and the second detection technique comprises a machine learning-based attack detection combining a rule-based attack detection.

13. The method (80) according to any of the previous claims 6-12, wherein the detection strategy comprises a standalone detection strategy in which each DSA performs local monitoring, the second requesting step (82) comprises requesting (53) the at least one DSA to select the standalone detection strategy when the first indicator, calculated by the CSA, is larger than the second indicator.

14. The method (80) according to any of the previous claims 6-12, wherein the detection strategy comprises a collaborative detection strategy, the second requesting step (82) comprises requesting (54) the at least one DSA to select the collaborative detection strategy when the first indicator, calculated by the CSA, is smaller than the second indicator.

15. A distributed security agent, DSA, (12) for detecting attacks in a network comprising a plurality of communicatively interconnected network nodes, the network further comprising a centralised security agent, CSA, (11) and at least the DSA (12) connected to the CSA (11), the DSA (12) configured to: select a detection technique with reference to a function calculated based on parameters related to both attack detection accuracy and detection cost, wherein the function is calculated by the CSA; select a detection strategy based on a first indicator related to a most secure state of the at least one DSA and a second indicator related to a maximum attack potential from suspected attacking network nodes, wherein the first indicator and the second indicator are calculated by the CSA; and detect an attack based on the selected detection technique and the selected detection strategy.

16. The distributed security agent (12) according to claim 15, further configured to perform the steps of any one of claims 2-5.

17. A centralised security agent, CSA, (11) for controlling detection of attacks in a network comprising a plurality of communicatively interconnected network nodes, the network further comprising the CSA and at least one distributed security agent, DSA, (12) connected to the CSA (11), the CSA (11) configured to: request the at least one DSA (12) to select a detection technique with reference to a function calculated based on parameters related to both attack detection accuracy and detection cost, wherein the function is calculated by the CSA; and request the at least one DSA (12) to select a detection strategy based on a first indicator related to a most secure state of the at least one DSA and a second indicator related to a maximum attack potential from suspected attacking node devices, wherein the first indicator and the second indicator are calculated by the CSA.

18. The centralised security agent (11) according to claim 17, further configured to perform the steps of any one of claims 7-14.

19. A system (10) for detecting attacks and controlling the detection of attacks in a network comprising a plurality of communicatively interconnected network nodes (19), the system comprising a centralised security agent, CSA, (11) according to claim 17 and at least one distributed security agent, DSA, (12) according to claim 15 connected to the CSA (11).

20. A computer program product, comprising a computer readable storage medium storing instructions which, when executed on at least one processor, cause the at least one processor to carry out the method according to any of the claims 1 - 5.

21. A computer program product, comprising a computer readable storage medium storing instructions which, when executed on at least one processor, cause the at least one processor to carry out the method according to any of the claims

Description:
Title

Methods and Apparatuses for detecting security attacks in a communication network.

Technical Field

The present disclosure generally relates to the field of network security, and, more specifically, to a method for detecting attacks in a network comprising a plurality of communicatively interconnected network nodes, a method for controlling detection of attacks in such a network, a distributed security agent for detecting attacks in such a network and a centralised security agent for controlling detection of attacks in such a network.

Background

With the development of wireless communication technologies, more and more devices, including not only conventional mobile phone devices but also different types of Internet of Things, IoT, devices as well as devices supporting Vehicle to everything, V2X, are enabled with network connectivity. As an example, the fifth-generation, 5G, networks provide a massive volume of heterogeneous devices with seamless connectivity and computational resources for autonomous and intelligent operation.

Traditional network security frameworks assume a network perimeter as a trust zone protected against unauthorized access. In a traditional network, any device operating in the trust zone, after appropriate authentication and authorization, is deemed trusted.

However, due to the diverse radio environment, mobility, and heterogeneity of the next-generation networks, identification of the network perimeter is challenging or even not possible. Traditional network security architectures are therefore insufficient in providing network security in such a complex and dynamic network environment.

Most conventional security protocols assume a strong trust relationship among network entities and services providing authentication and authorization. Such assumptions can lead to serious security issues. In a few scenarios these issues are exploited to deploy privacy attacks, such as denial-of-service, DoS, man-in-the-middle, and impersonation attacks.

Zero trust architecture, ZTA, is provided as a solution to address security requirements in a network with an untrusted infrastructure. A ZTA provides network assurance under the assumption that no device, requesting access to the network resources, can be trusted even after initial authentication and authorization. Every access request is individually authorized and monitored during the access period for compliance with security policy rules.

Dynamic risk assessment and trust evaluation are key elements of a ZTA. According to a proposed smart ZTA for 5G network, real-time monitoring of the security state of network assets is performed to evaluate the risk of individual access requests, and to decide on access authorization using a dynamic trust algorithm. The risk evaluation scheme is demanding in terms of network resources.

This envisioned architecture adopts a service-based architecture, SBA, as defined by the 3GPP specification of 5G networks, by leveraging the open radio access network, O-RAN, architecture. However, one issue that this architecture fails to take into account is that a deployed security agent securing the ZTA could itself be malicious and could provide false detections and decisions. By assuming the trustworthiness of all security agents, the architecture leaves a potential security gap.

Against this background, there remains a need for a method and security agent that can effectively and accurately detect attacks on a network, providing optimal security while taking into account the resource constraints of the network.

Summary

Accordingly, exemplary embodiments of the present disclosure address these and other difficulties in a network adopting the ZTA architecture.

In a first aspect of the present disclosure, there is presented a method for detecting attacks in a network comprising a plurality of communicatively interconnected network nodes, the network further comprising a centralised security agent, CSA, and at least one distributed security agent, DSA, connected to the CSA. The method is performed by the at least one distributed security agent and comprises the at least one DSA selecting a detection technique with reference to a function calculated based on parameters related to both attack detection accuracy and detection cost, wherein the function is calculated by the CSA.

The method also comprises the at least one DSA selecting a detection strategy based on a first indicator related to a most secure state of the at least one distributed security agent and a second indicator related to a maximum attack potential from suspected attacking network nodes, wherein the first indicator and the second indicator are calculated by the CSA.

The method further comprises the at least one DSA detecting an attack based on the selected detection technique and the selected detection strategy.

The present disclosure is based on the insight that optimal security for a network comprising a plurality of communicatively interconnected network nodes may be ensured by configuring a single trusted CSA and at least one, normally a plurality of, DSAs which operate under the control of the CSA. Each DSA in its operation simultaneously optimizes both the detection technique and the detection strategy that it uses to detect attacks on the network, by way of control from the CSA.

Based on the inventive idea of the present disclosure, the at least one, or each DSA operates to select a detection technique used by the same by taking into account both attack detection accuracy and detection cost. It allows the detection technique to be adapted depending on expected or target detection performance, allowing resources used for detecting the attacks to be optimized accordingly.

Moreover, the at least one DSA operates to select a detection strategy used by the same by taking into account a most secure state of the at least one DSA and a maximum attack potential from suspected attacking network nodes. The detection strategy is thereby adapted to the current security state of the network, with the potential influence of all assets in the network taken into account.

The selection of both the detection technique and the detection strategy are performed under control of the CSA, which is trusted and has an overview of the security status of the network. The method of the present disclosure thereby ensures effective and accurate detection of attacks to the network.

The method allows the detection technique and detection strategy used by each DSA to be adapted based on the real-time security state of the network, with balanced consideration of the accuracy of attack detection and optimal use of the constrained resources, thereby decreasing the energy and computation overhead cost of running the network.

In an example of the present disclosure, the selecting steps are performed in response to a suspected attack determined by monitoring attacks from a plurality of network nodes within a radio coverage range of the at least one DSA under an active mode determined by the CSA.

It can be understood by those skilled in the art that accurate detection of attacks to the network depends on reliable monitoring of network nodes accessing the network. Therefore, network nodes within a coverage area of a DSA are monitored when the CSA considers that the DSA is “fit” to perform such monitoring and instructs it to do so.

The DSA therefore performs the monitoring under control of the CSA; this helps to prevent a malicious distributed agent from compromising the security of the network.

When a suspected attack is determined by the DSA, the steps for selecting the detection technique and detection strategy are performed by the DSA, followed by detecting an attack based on the selected detection technique and the selected detection strategy.

In an example of the present disclosure, the suspected attack is determined via rule-based attack detection based on a vote mechanism by the at least one DSA and a plurality of neighbouring DSAs.

This allows a suspected attack determined by one DSA to be checked and confirmed by other DSAs in its neighbourhood. It thereby provides a more reliable monitoring process.

In an example of the present disclosure, the method further comprises the at least one DSA switching to an idle mode of not monitoring attacks when a security index of the at least one DSA, calculated by the CSA according to a plurality of security parameters of the DSA, is below a threshold value.

As discussed above, the DSA acts under control of the CSA. Therefore, when a DSA is determined to be malicious, for example when the security index of the DSA is found to be below a threshold value, the CSA can disable the DSA, thereby preventing any security risk from being caused by that DSA.

In an example of the present disclosure, the security parameters of the at least one DSA comprise an Attacks Detection Rate, ADR, a False Detection Rate, FDR, and a Quality of Data Rate, QDR of the at least one DSA. The security index of a DSA may be evaluated by considering the above security parameters of the same. As long as the ADR and QDR of the DSA together are considered higher than the FDR, the related DSA can stay active. Otherwise, the CSA may disable the DSA.
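The two mechanisms of the first aspect, the CSA's security-index gate that keeps a DSA active or idles it, and the neighbour vote that turns one DSA's rule hit into a suspected attack, are modelled below. This is an added example, not code from the patent application or from Ericsson; the index formula ((ADR + QDR)/2 - FDR), its threshold, the rule-based check and all sample numbers are assumptions chosen to be consistent with the text, and are labelled as such in the code.

```python
"""Added example (not from the patent): CSA fitness gate for a DSA and the
neighbour vote that confirms a suspected attack. Formula, threshold, rule and
sample data are assumptions."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class DsaStats:
    """Security parameters the CSA collects per DSA (rates in [0, 1])."""
    dsa_id: str
    adr: float  # Attacks Detection Rate
    fdr: float  # False Detection Rate
    qdr: float  # Quality of Data Rate


def security_index(s: DsaStats) -> float:
    """Assumed form: ADR and QDR together are weighed against FDR. The text
    only says the DSA stays active while ADR and QDR together are higher than
    FDR; (ADR + QDR)/2 - FDR is our concrete choice, so positive means fit."""
    return (s.adr + s.qdr) / 2.0 - s.fdr


def csa_mode(s: DsaStats, threshold: float = 0.0) -> str:
    """CSA decision: 'active' (may monitor and vote) or 'idle' (disabled).
    The threshold of 0.0 is an assumption matching the index above."""
    return "active" if security_index(s) >= threshold else "idle"


@dataclass(frozen=True)
class NodeObservation:
    """What a DSA sees from one node in its radio coverage (constructed)."""
    node_id: str
    requests_per_s: float
    auth_failures: int


def rule_hit(obs: NodeObservation, max_rps: float = 500.0, max_auth_fail: int = 20) -> bool:
    """Assumed rule-based check; the page does not specify the rules."""
    return obs.requests_per_s > max_rps or obs.auth_failures > max_auth_fail


def vote_suspected_attack(votes: dict[str, bool], modes: dict[str, str]) -> bool:
    """Rule hits from the DSA and its neighbours count only for DSAs the CSA
    keeps active; a strict majority of eligible voters confirms the suspicion
    that is then reported to the CSA."""
    eligible = [hit for dsa_id, hit in votes.items() if modes.get(dsa_id) == "active"]
    if not eligible:
        return False
    return sum(eligible) * 2 > len(eligible)


def monitoring_round(stats: list[DsaStats], observations: dict[str, NodeObservation]) -> dict:
    """One round: the CSA gates every DSA, each active DSA applies its rule to
    the node it observes, and the vote decides whether to raise a suspicion."""
    modes = {s.dsa_id: csa_mode(s) for s in stats}
    votes = {dsa_id: rule_hit(obs) for dsa_id, obs in observations.items()
             if modes.get(dsa_id) == "active"}
    return {"modes": modes, "votes": votes, "suspected": vote_suspected_attack(votes, modes)}


# Constructed sample: dsa-3 has a high false-detection rate and is idled by the
# CSA, so its rule hit is never counted in the vote.
SAMPLE_STATS = [
    DsaStats("dsa-1", adr=0.92, fdr=0.05, qdr=0.90),
    DsaStats("dsa-2", adr=0.88, fdr=0.10, qdr=0.85),
    DsaStats("dsa-3", adr=0.40, fdr=0.60, qdr=0.50),
]
SAMPLE_OBS = {
    "dsa-1": NodeObservation("ue-42", requests_per_s=950.0, auth_failures=3),
    "dsa-2": NodeObservation("ue-42", requests_per_s=700.0, auth_failures=2),
    "dsa-3": NodeObservation("ue-42", requests_per_s=5000.0, auth_failures=99),
}

if __name__ == "__main__":
    print(monitoring_round(SAMPLE_STATS, SAMPLE_OBS))
```

The design point worth noticing is that the gate is applied before the vote: an agent the CSA has idled cannot contribute a ballot, so a single compromised DSA with a high FDR cannot manufacture a suspected attack on its own, and a single honest hit without neighbour confirmation is not escalated either.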

In a second aspect of the present disclosure, there is presented a method for controlling detection of attacks in a network comprising a plurality of communicatively interconnected network nodes, the network further comprising a centralised security agent, CSA, and at least one distributed security agent, DSA, connected to the CSA. The method is performed by the CSA and comprises the CSA requesting the at least one DSA to select a detection technique with reference to a function calculated based on parameters related to both attack detection accuracy and detection cost, wherein the function is calculated by the CSA.

The method further comprises the CSA requesting the at least one DSA to select a detection strategy based on a first indicator related to a most secure state of the at least one DSA and a second indicator related to a maximum attack potential from suspected attacking node devices, wherein the first indicator and the second indicator are calculated by the CSA.

As discussed above under the first aspect of the present disclosure, a DSA which is configured to detect attacks on the network acts or operates under the control of the CSA. Specifically, the detection technique and the detection strategy used by the DSA are selected respectively based on a function and indicators calculated by the CSA. The method ensures that detection of attacks is performed with balanced consideration of the accuracy of attack detection and optimal use of the constrained resources.

In an example of the present disclosure, the requesting steps are performed in response to a suspected attack determined by monitoring attacks from a plurality of network nodes within a radio coverage range of the at least one DSA under an active mode determined by the CSA.

When a suspected attack is determined by a DSA, it reports the suspected attack to the CSA, for example by transmitting a message that includes information related to the suspected attack, such as attack features, detection time and identity. The CSA in turn calculates the function based on parameters related to attack detection accuracy and detection cost of the DSA as well as the indicators, and requests the DSA to make selections accordingly.

In an example of the present disclosure, the method further comprises the CSA requesting the at least one DSA to switch to an idle mode of not monitoring attacks when a security index of the at least one DSA, calculated according to a plurality of security parameters of the DSA, is below a threshold value.

This prevents a DSA which is determined to be malicious from attacking the network.

In an example of the present disclosure, the security parameters of the at least one DSA comprise an Attacks Detection Rate, ADR, a False Detection Rate, FDR, and a Quality of Data Rate, QDR of the at least one DSA.

In an example of the present disclosure, the detection technique comprises a first detection technique prioritising attack detection accuracy and a second detection technique prioritising detection cost control.

Accordingly, the first requesting step comprises requesting the at least one DSA to select the first detection technique when the parameter, calculated by the CSA, is below a threshold value and to select the second detection technique when the parameter, calculated by the CSA, is above the threshold value.

It can be understood by those skilled in the art that a trade-off sometimes has to be made between achieving a higher attack detection rate together with a low false positive rate and a reasonable cost of detection. Based on this consideration, a DSA may operate according to one of two detection techniques, respectively prioritising accurate attack detection and low detection cost. The detection technique is selected by the detection technique selection module based on the parameter calculated by the CSA.

This allows the appropriate detection technique to be selected for the DSA, balancing the requirement of accurate attack detection and reasonable detection cost.

In an example of the present disclosure, the parameter is calculated by the CSA based on a False Positive Rate, FPR, a New Attacks detection Rate, NAR, a Cost Rate, CR, and a Malicious Level.

Those parameters represent different or conflicting factors in determining the detection technique to be used by a DSA. By considering those parameters simultaneously, a practical criterion for selecting the detection technique to be used is achieved.

In an example of the present disclosure, the first detection technique comprises a machine learning-based attack detection and the second detection technique comprises a machine learning-based attack detection combining a rule-based attack detection.

The detection technique module may switch from a robust detection technique, which is machine learning-based, to a more robust/heavy detection technique, which is a hybrid detection combining both rule-based and machine learning-based detection, with the goal of reducing the false positive rate generated by the DSA. Moreover, the detection technique module may switch from the more robust/heavy detection technique back to the robust detection technique with the goal of reducing the cost, such as energy consumption, computation overhead etc.

In an example of the present disclosure, the detection strategy comprises a standalone detection strategy in which each DSA performs local monitoring, and the second requesting step comprises requesting the at least one DSA to select the standalone detection strategy when the first indicator, calculated by the CSA, is larger than the second indicator.

In another example of the present disclosure, the detection strategy comprises a collaborative detection strategy, and the second requesting step comprises requesting the at least one DSA to select the collaborative detection strategy when the first indicator, calculated by the CSA, is smaller than the second indicator.

It will be understood by those skilled in the art that a group of DSAs acting collaboratively will be able to provide more accurate detection, while a single DSA can perform detection more efficiently. Therefore, depending on the result of a comparison between the first indicator, related to a most secure state of the DSA, and the second indicator, related to a maximum attack potential from suspected attacking node devices, one of the detection strategies may be adopted based on the security state of the network.
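The CSA-side half of the exchange just described, the function of FPR, NAR, CR and ML that drives the technique choice and the comparison of the two indicators that drives the strategy choice, is modelled below, together with the DSA accepting the resulting requests. This is an added example, not code from the patent application or from Ericsson. The technique and strategy labels follow claims 10 to 14; the way the four rates are combined into the parameter, the threshold of 0.5, the use of the DSA's security-state value as the first indicator and of the highest reported malicious level as the second, and the choice made on equality are all assumptions and are marked as such in the code.

```python
"""Added example (not from the patent): the CSA turns a DSA's suspected-attack
report into the 'select technique' and 'select strategy' requests, and the DSA
applies them. The parameter function, threshold and indicator derivation are
assumptions; labels follow claims 10-14."""
from __future__ import annotations
from dataclasses import dataclass

ML_BASED = "ml-based"            # first technique: prioritises detection accuracy
HYBRID = "ml+rules"              # second technique: prioritises detection cost control
STANDALONE = "standalone"        # each DSA performs local monitoring
COLLABORATIVE = "collaborative"  # DSAs detect together


@dataclass(frozen=True)
class DsaMetrics:
    """Accuracy- and cost-related parameters the CSA holds for one DSA (all in [0, 1])."""
    fpr: float  # False Positive Rate
    nar: float  # New Attacks detection Rate
    cr: float   # Cost Rate (energy / computation, normalised)
    ml: float   # Malicious Level observed around the DSA


@dataclass(frozen=True)
class SuspectedAttackReport:
    """Message the DSA sends to the CSA after confirming a suspicion (constructed shape)."""
    dsa_id: str
    detection_time: float              # seconds since epoch
    features: dict[str, float]         # attack features, e.g. request rate
    suspected_nodes: dict[str, float]  # node id -> attack potential of that node


def technique_parameter(m: DsaMetrics) -> float:
    """Assumed function: how much headroom there is to trade accuracy for cost.
    It rises with the cost rate and falls when the accuracy-side signals
    (false positives, new attacks, malicious level) call for the more accurate
    technique. The result lies in [0, 1]."""
    return (m.cr + (1.0 - m.fpr) + (1.0 - m.nar) + (1.0 - m.ml)) / 4.0


def select_technique(param: float, threshold: float = 0.5) -> str:
    """Claim 10: below the threshold -> accuracy-first (ML-based), else cost-first (hybrid)."""
    return ML_BASED if param < threshold else HYBRID


def select_strategy(first_indicator: float, second_indicator: float) -> str:
    """Claims 13/14: standalone when the DSA's secure-state indicator exceeds
    the maximum attack potential, collaborative when it is smaller. The page
    does not define the equal case; we assume the safer, collaborative choice."""
    return STANDALONE if first_indicator > second_indicator else COLLABORATIVE


def csa_handle_report(report: SuspectedAttackReport, metrics: DsaMetrics,
                      dsa_secure_state: float, threshold: float = 0.5) -> dict:
    """CSA side: compute the function and both indicators, return the requests.
    dsa_secure_state is taken as the first indicator (assumed to be the CSA's
    security index for this DSA); the second indicator is the highest attack
    potential among the nodes the DSA reported."""
    param = technique_parameter(metrics)
    second = max(report.suspected_nodes.values(), default=0.0)
    return {
        "dsa_id": report.dsa_id,
        "parameter": param,
        "first_indicator": dsa_secure_state,
        "second_indicator": second,
        "select_technique": select_technique(param, threshold),
        "select_strategy": select_strategy(dsa_secure_state, second),
    }


def dsa_apply_requests(request: dict) -> tuple[str, str]:
    """DSA side: accept only the values the CSA is allowed to request."""
    technique, strategy = request["select_technique"], request["select_strategy"]
    if technique not in (ML_BASED, HYBRID) or strategy not in (STANDALONE, COLLABORATIVE):
        raise ValueError(f"rejected request from CSA: {request!r}")
    return technique, strategy


# Constructed sample exchange.
SAMPLE_REPORT = SuspectedAttackReport(
    dsa_id="dsa-1", detection_time=1_700_000_000.0,
    features={"requests_per_s": 950.0, "auth_failures": 3.0},
    suspected_nodes={"ue-42": 0.80, "ue-7": 0.30},
)
SAMPLE_METRICS = DsaMetrics(fpr=0.08, nar=0.70, cr=0.30, ml=0.80)

if __name__ == "__main__":
    req = csa_handle_report(SAMPLE_REPORT, SAMPLE_METRICS, dsa_secure_state=0.86)
    print(req, dsa_apply_requests(req))
```

With the sample values the parameter comes out at 0.43, below the assumed threshold, so the CSA requests the accuracy-first ML-based technique; the DSA's secure-state value of 0.86 exceeds the highest reported attack potential of 0.80, so the standalone strategy is requested. Raising the cost rate while the threat signals are low flips the technique to the hybrid, and a secure-state value below the attack potential flips the strategy to collaborative, which is the page's trade-off expressed as two thresholds.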

A third aspect of the present disclosure presents a distributed security agent, DSA, for detecting attacks in a network comprising a plurality of communicatively interconnected network nodes, the network further comprising a centralised security agent, CSA, and at least the DSA connected to the CSA. The DSA is configured to select a detection technique with reference to a function calculated based on parameters related to both attack detection accuracy and detection cost, wherein the function is calculated by the CSA. The DSA is further configured to select a detection strategy based on a first indicator related to a most secure state of the at least one DSA and a second indicator related to a maximum attack potential from suspected attacking network nodes, wherein the first indicator and the second indicator are calculated by the CSA.

The DSA is further configured to detect an attack based on the selected detection technique and the selected detection strategy.

The DSA operates to detect attacks to the network based on the method according to the first aspect of the present disclosure.

A fourth aspect of the present disclosure presents a centralised security agent, CSA, for controlling detection of attacks in a network comprising a plurality of communicatively interconnected network nodes, the network further comprising the CSA and at least one distributed security agent, DSA, connected to the CSA.

The CSA is configured to request the at least one DSA to select a detection technique with reference to a function calculated based on parameters related to both attack detection accuracy and detection cost, wherein the function is calculated by the CSA.

The CSA is further configured to request the at least one DSA to select a detection strategy based on a first indicator related to a most secure state of the at least one DSA and a second indicator related to a maximum attack potential from suspected attacking node devices, wherein the first indicator and the second indicator are calculated by the CSA.

The CSA operates to control detection of attacks to the network based on the method according to the second aspect of the present disclosure.

A fifth aspect of the present disclosure presents a system for detecting attacks and controlling the detection of attacks in a network comprising a plurality of communicatively interconnected network nodes, the system comprising a centralised security agent, CSA, according to the fourth aspect of the present disclosure and at least one distributed security agent, DSA, according to the third aspect of the present disclosure which is connected to the CSA.

A sixth aspect of the present disclosure presents a computer program product, comprising a computer readable storage medium storing instructions which, when executed on at least one processor, cause the at least one processor to carry out the method according to the first aspect of the present disclosure.

A seventh aspect of the present disclosure presents a computer program product, comprising a computer readable storage medium storing instructions which, when executed on at least one processor, cause the at least one processor to carry out the method according to the second aspect of the present disclosure.

The above mentioned and other features and advantages of the disclosure will be best understood from the following description referring to the attached drawings. In the drawings, like reference numerals denote identical parts or parts performing an identical or comparable function or operation.

Brief description of the drawings

Fig. 1 schematically illustrates, in a block diagram, a system for controlling detection of attacks in a network comprising a plurality of communicatively interconnected node devices according to the present disclosure.

Fig. 2 schematically illustrates, in a block diagram, an exemplary embodiment of a DSA in accordance with the present disclosure.

Fig. 3 schematically illustrates, in a flow chart type diagram, a procedure of a centralized security agent controlling operation state of a monitoring module of a distributed security agent, according to the present disclosure.

Fig. 4 schematically illustrates, in a flow chart type diagram, a procedure of a centralized security agent controlling a detection technique selection module of a distributed security agent to select a detection technique to be used by a detection module of the same distributed security agent.

Fig. 5 schematically illustrates, in a flow chart type diagram, a procedure of a centralized security agent controlling a detection strategy selection module of a distributed security agent to select a detection strategy to be used by a detection module of the same distributed security agent.

Fig. 6 illustrates, in a flow chart type diagram and from a system perspective, operation of the centralized security agent and Distributed Security Agents according to the present disclosure.

Fig. 7 illustrates, in a flow chart type diagram, a method for detecting attacks in a network by a Distributed Security Agent according to the present disclosure.

Fig. 8 illustrates, in a flow chart type diagram, a method for controlling detection of attacks in a network by a Centralised Security Agent according to the present disclosure.

Detailed description

Embodiments contemplated by the present disclosure will now be described in more detail with reference to the accompanying drawings. Other embodiments, however, are contained within the scope of the subject matter disclosed herein. The disclosed subject matter should not be construed as limited to only the embodiments set forth herein. Rather, the illustrated embodiments are provided by way of example to convey the scope of the subject matter to those skilled in the art.

In the following descriptions, a ‘network node’, a ‘node device’ and a ‘node’ are used interchangeably to refer to a node or device accessing a network comprising a plurality of communicatively interconnected network nodes.

The solution proposed by the present disclosure relates to a new security framework addressing one of the principles of Zero Trust Architecture, ZTA, namely attack monitoring, detection and response. The ZTA framework proposed by the present disclosure consists of a number of Distributed Security Agents, DSAs, deployed within a network, such as in a Radio Access Network or a core network, and a Centralized Security Agent, CSA. The CSA is a trusted entity configured to play the role of, for instance, a security information management system or a security manager.

The CSA and the DSAs interact with each other with the goal of optimally activating a set of defence modules run by the DSAs, which are configured for monitoring and for selecting the detection technique and detection strategy to be used for attack detection.

The optimal activations are performed by monitoring and analysing a set of security and network parameters, including Attacks Detection Rate, ADR, False Detection Rate, FDR, Quality of Data Rate, QDR, New Attacks detection Rate, NAR, Cost Rate, CR, and Malicious Level, ML.

The novel ZTA framework of the present disclosure addresses the correlation between the optimal activation of the detection process, the optimal activation of the detection technique and the optimal activation of the detection strategy, while ensuring optimal network cost, including energy consumption, computational overhead and so on. Figure 1 schematically illustrates, in a block diagram, a system 10 for detecting attacks, and for controlling the detection of attacks, in a network comprising a plurality of communicatively interconnected node devices.

The system 10 comprises a CSA 11 and a plurality of DSAs 12, each of which is deployed in the network comprising the plurality of node devices and connected to the CSA 11 via a communication network 13 such as a telecommunication network or internet. Each DSA 12 is arranged to monitor one or more node devices 19 which are in its radio coverage area and trying to access the network.

In Figure 1 only the devices monitored by the leftmost DSA 12 are indicated with reference numbers. The node devices 19 monitored by each DSA 12 may comprise traditional mobile phone devices or Internet of Things devices of various types.

The CSA 11 is a trusted entity which is deployed, for example, in a cloud network and is arranged to control functional modules of the plurality of DSAs 12, as detailed further in the following.

Functional modules of a DSA may include a monitoring module, a detection technique selection module, a detection strategy selection module and a detection module, as illustrated in Figure 2, which schematically illustrates, in a block diagram, an exemplary embodiment of a DSA 20 in accordance with the present disclosure. The DSA 20 is deployed in, for example, a radio access network or a core network of a mobile telecommunication system.

A DSA 20 comprises a monitoring module 210, a detection technique selection module 220, a detection strategy selection module 230 and a detection module 240. The detection module 240 is communicatively connected to each of the monitoring module 210, the detection technique selection module 220 and the detection strategy selection module 230.

The CSA 11 may communicate with the DSA 12 so as to request the monitoring module 210 to be in an active or idle mode, to request the detection technique selection module 220 to select or activate an appropriate detection technique, and to request the detection strategy selection module 230 to select or activate a suitable detection strategy. The selected detection technique and strategy are then used by the detection module 240 to detect attacks on the network. The functional modules of the DSA 20, when combined, ensure optimally efficient security at optimal network cost in terms of, for example, energy and computational overhead.

The monitoring module 210 is described first hereafter.

The monitoring module 210 of the DSA 20 is configured to monitor behaviors of targets or node devices 19, located within a radio range of the related DSA. The monitoring module 210 may also monitor behaviors of node devices 19 within a radio range of nearby or neighboring DSAs.

As a way of monitoring the behaviours of a node device 19, the monitoring module 210 of each DSA 20 runs rule-based attack detection. A set of rules related to each attack's behaviour is maintained by the CSA 11 as the single trusted entity in the network. Furthermore, the CSA 11 may update the detection rules related to each attack. The rules are provided periodically by the CSA 11 to each of the DSAs 12 via the network 13.

As an example of the used rules, a number of flooding messages and a number of packets dropped may be used to detect, for instance, Distributed Denial of Service, DDoS, attacks, while a measured signal strength intensity may be used to detect hello flood and jamming attacks.

The monitoring module 210 is not able to detect an attacker accurately, because of the lightweight detection technique it executes. However, the monitoring module 210 is configured to suspect whether there is an attack within the proximity of the related DSA 20.

This suspected behavior may be a real attack or may be a false detection, that is, the monitoring module 210 may suspect normal behavior as a malicious behavior.

In this case, when the monitoring module 210 of a DSA 20 suspects an attack, a vote mechanism is executed to determine if the suspected attack is to be reported to the CSA 11. The vote mechanism is performed as follows.

First of all, the DSA 20 comprising the monitoring module 210 suspecting an attack broadcasts an Anomaly message to neighboring DSAs. The Anomaly message comprises an identity of a suspected attacker and the related attack rules.

DSAs in the neighbourhood of the DSA transmitting the Anomaly message respond to the transmitting DSA by indicating whether the suspected attacker, that is, the monitored target 19, is considered an attacker or not. The DSA transmitting the Anomaly message then computes the number of times, defined as the suspected number, that the monitored target is suspected of executing an attack. The suspected number is the number of neighbouring DSAs that also consider the suspected behaviour to be a suspected attack.

Therefore, when the suspected number is above a security threshold (as an example, the security threshold may be defined as the number of security agents that detect the monitored target as a suspected attacker), a detection technique selection module is activated, as explained in the following section.
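The vote mechanism above, as an added Python example that is not part of the disclosure: the rule thresholds, the Anomaly message layout and the per-target observation counters are constructed assumptions, chosen to echo the page's own rule examples (flooding messages and dropped packets for DDoS, signal strength for hello flood and jamming); the security threshold is left as a parameter.

```python
from dataclasses import dataclass, field

# Constructed rule thresholds echoing the disclosure's rule examples; the actual
# rules and values are distributed by the CSA and are not given on the page.
RULES = {
    "ddos": lambda obs: obs.get("flood_msgs", 0) > 500 or obs.get("dropped_pkts", 0) > 200,
    "hello_flood_or_jamming": lambda obs: obs.get("signal_strength", 0.0) > 0.9,
}


@dataclass
class AnomalyMessage:
    """Broadcast by the suspecting DSA: the suspect's identity and the matched rules."""
    origin_dsa: str
    suspect_id: str
    attack_rules: list


@dataclass
class DSA:
    name: str
    # Per-target counters collected by this DSA's monitoring module:
    # {target_id: {counter_name: value}} (assumed layout).
    observations: dict = field(default_factory=dict)

    def rule_check(self, target_id):
        """Lightweight rule-based check; returns the names of the rules matched."""
        obs = self.observations.get(target_id, {})
        return [name for name, rule in RULES.items() if rule(obs)]

    def respond(self, msg):
        """Neighbour reply: True when this DSA's own observations of the suspect
        also match at least one of the rules named in the Anomaly message."""
        return bool(set(self.rule_check(msg.suspect_id)) & set(msg.attack_rules))


def run_vote(origin, neighbours, target_id, security_threshold):
    """Vote mechanism of the monitoring module.

    Returns (activate_detection_technique_selection, suspected_number), where
    suspected_number counts the neighbouring DSAs that also consider the target's
    behaviour a suspected attack. Selection is activated only when that number
    exceeds the security threshold (a parameter here; the disclosure leaves its
    value to the operator).
    """
    rules = origin.rule_check(target_id)
    if not rules:                      # origin itself suspects nothing: no broadcast
        return False, 0
    msg = AnomalyMessage(origin.name, target_id, rules)
    suspected_number = sum(1 for n in neighbours if n.respond(msg))
    return suspected_number > security_threshold, suspected_number


def demo():
    """Constructed scenario: node-19 floods; two of three neighbours corroborate."""
    origin = DSA("dsa-0", {"node-19": {"flood_msgs": 800, "dropped_pkts": 50}})
    neighbours = [
        DSA("dsa-1", {"node-19": {"flood_msgs": 650}}),      # also sees flooding
        DSA("dsa-2", {"node-19": {"flood_msgs": 12}}),       # sees normal traffic
        DSA("dsa-3", {"node-19": {"dropped_pkts": 300}}),    # sees heavy packet loss
    ]
    return run_vote(origin, neighbours, "node-19", security_threshold=1)


if __name__ == "__main__":
    print(demo())  # (True, 2)
```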

It is noted that the monitoring module 210 is not activated all the time and may switch from an active mode to an idle mode under certain circumstances. In practice, the CSA 11 monitors the monitoring module 210 of each DSA 20 by analysing certain security parameters according to formula 1 below. The security parameters comprise Attacks Detection Rate, ADR, False Detection Rate, FDR, and Quality of Data Rate, QDR.

$U = \beta_1 \cdot ADR + \beta_2 \cdot QDR - \beta_3 \cdot FDR$ (1)

Here $U$ is the utility function of the monitoring module. ADR is the number of detected attacks over the total number of attackers. FDR is the number of false detections over the total number of detections, including both false and correct detections.

QDR is the relevant information (Anomaly message) that the monitoring module 210 sends to a detection technique selection module. QDR is close to one (1) when the relevant information used by the detection technique selection module allow an accurate detection of attack; otherwise QDR is close to zero.

$\beta_1$, $\beta_2$ and $\beta_3$ are the weight parameters.

The CSA 11 requests the monitoring module 210 to stay active when the following condition is reached: $\beta_1 \cdot ADR + \beta_2 \cdot QDR > \beta_3 \cdot FDR$. The CSA 11 requests the monitoring module 210 to switch from the active mode to an idle mode when $\beta_1 \cdot ADR + \beta_2 \cdot QDR \ll \beta_3 \cdot FDR$.

This procedure is illustrated schematically in a flow chart type diagram of Figure 3, which is detailed in the following.

At step 31, the CSA 11 calculates a security index $U$ for a DSA according to formula 1. At step 32, the CSA 11 checks the value of $U$ and decides whether $U$ is greater than zero. If $U$ is larger than zero, the flow proceeds to step 33 and the DSA is requested by the CSA 11 to stay active.

Otherwise, if $U$ is below zero, the flow proceeds to step 34 and the DSA is requested by the CSA 11 to switch to the idle mode.

It follows logically that the DSA will switch to the idle mode in response to receiving the request from the CSA 11.
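Formula 1 and the Figure 3 decision, as an added Python example that is not the disclosure's code. The report layout and the weight values are assumptions; ADR and FDR are derived from counts exactly as the text defines them, and the zero-denominator cases (no attackers, no detections) that the text does not mention are handled explicitly.

```python
from dataclasses import dataclass


@dataclass
class MonitoringReport:
    """Counts a DSA's monitoring module reports to the CSA (constructed layout;
    the disclosure names the rates, not a wire format)."""
    detected_attacks: int   # attackers the module correctly flagged
    total_attackers: int    # attackers actually present in its coverage area
    false_detections: int   # normal nodes it wrongly flagged
    qdr: float              # Quality of Data Rate of its Anomaly messages, in [0, 1]


def rates(r):
    """ADR = detected attacks / total attackers;
    FDR = false detections / all detections (false + correct).
    Zero denominators yield 0.0 rather than an error (assumption)."""
    adr = r.detected_attacks / r.total_attackers if r.total_attackers else 0.0
    detections = r.detected_attacks + r.false_detections
    fdr = r.false_detections / detections if detections else 0.0
    return adr, fdr


def utility_u(adr, qdr, fdr, beta=(1.0, 1.0, 1.0)):
    """Formula (1): U = β1·ADR + β2·QDR − β3·FDR."""
    b1, b2, b3 = beta
    return b1 * adr + b2 * qdr - b3 * fdr


def monitoring_mode(report, beta=(1.0, 1.0, 1.0)):
    """Figure 3, steps 31-34: U > 0 keeps the monitoring module active, U < 0
    sends it idle. U == 0 is not covered by the text; it is treated as idle here
    (assumption, matching the 'greater than zero' check of step 32)."""
    adr, fdr = rates(report)
    u = utility_u(adr, report.qdr, fdr, beta)
    return ("active" if u > 0 else "idle"), u


def demo():
    """Two constructed DSAs under constructed weights β = (0.5, 0.3, 0.2)."""
    beta = (0.5, 0.3, 0.2)
    good = MonitoringReport(detected_attacks=9, total_attackers=10, false_detections=1, qdr=0.8)
    noisy = MonitoringReport(detected_attacks=2, total_attackers=10, false_detections=18, qdr=0.1)
    return {name: monitoring_mode(r, beta) for name, r in (("good", good), ("noisy", noisy))}


if __name__ == "__main__":
    for name, (mode, u) in demo().items():
        print(f"{name}: U={u:.2f} -> {mode}")  # good: 0.67 active, noisy: -0.05 idle
```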

In the following the detection technique selection module 220 is described.

The detection technique selection module 220 is configured to select a detection technique to be used by the DSA 20 to detect attacks. As an example, machine learning-based attack detection may be used to achieve a reduced detection cost in terms of, for example, energy consumption and computational overhead. On the other hand, a hybrid detection technique combining both rule-based and machine learning-based algorithms may be used to increase the attack detection rate and reduce the false positive rate of the DSA.

The detection technique selection module 220 is configured to, under control of the CSA 11, switch from a robust detection technique, which may be for example the machine learning-based detection, to a more robust/heavy detection technique, which may be for example the hybrid detection combining rule-based detection and machine learning-based detection.

According to the present disclosure, the CSA 11 is responsible for requesting from each DSA which detection technique should be activated by that DSA. This is done by the CSA 11 monitoring a set of parameters defined as follows: False Positive Rate, FPR, New Attacks detection Rate, NAR, Cost Rate, CR, and Malicious Level, ML.

The CSA calculates a value for a function F as shown in formula (2) and makes decisions over time, i.e., requesting a relevant DSA to activate an optimal detection technique based on the value of the function F.

$F = \alpha_1 \cdot NAR - (\alpha_2 \cdot FPR + \alpha_3 \cdot ML + \alpha_4 \cdot CR)$ (2)

wherein NAR, FPR, CR and ML $\in [0,1]$; $\alpha_1$, $\alpha_2$, $\alpha_3$ and $\alpha_4 \in [0,1]$ are the weight parameters; NAR is the number of detected new attacks (such as zero-day attacks) over the total number of attackers; ML is the probability that a node is a malicious device, where ML = 1 means the node is an attacker and ML = 0 means the node is a normal device; and CR is the network cost rate, where CR = 1 when the node has consumed all of its network cost budget (e.g. 100% of its energy).

When F is close to 0, which shows that it is desirable to increase the detection accuracy, the CSA 11 will request the related DSA, specifically the detection technique selection module 220 of the DSA, to switch from machine learning detection to hybrid detection incorporating a further detection technique such as rule-based detection. The detection accuracy is thereby increased, ensuring secure operation of the network.

When the value of F is between 0 and 0.5, the detection accuracy is at a satisfactory level. In this case, for the purpose of reducing detection cost such as the computational resources used for detecting attacks, the CSA will request the related DSA, specifically the detection technique selection module 220 of the DSA, to switch from the hybrid/heavy detection technique to the relatively less heavy but still robust detection technique.

When F is close to 1, which shows that the detection accuracy is quite high, the detection technique selection module 220 of the DSA will be requested by the CSA 11 to activate only the robust detection technique, such as the machine learning detection, which provides sufficient detection accuracy at low detection cost.

The above procedure is illustrated with reference to Figure 4, which is a flow chart type diagram 40 illustrating how a detection technique selection module of a DSA is controlled by the CSA to select an appropriate detection technique.

When the detection technique selection module of a DSA is activated under control of the CSA, at step 41 the CSA 11 calculates the function F based on parameters related to attack detection accuracy and detection cost, as discussed above.

At step 42, the CSA 11 determines if the value of the function is larger than a threshold value. In an example, the threshold value is set to 0.

If the value of the function F is not higher than the threshold value, at step 43 the CSA 11 instructs or requests the DSA to select a first detection technique prioritising attack detection accuracy, such as the hybrid detection combining rule-based detection and machine learning-based detection. This helps to increase the attack detection rate and reduce the false positive rate of the DSA. If the value of the function is higher than the threshold value, at step 44 the CSA 11 instructs or requests the DSA to select a second detection technique prioritising detection cost control, such as the machine learning-based detection. This technique is used to achieve a reduced detection cost in terms of, for example, energy consumption and computational overhead.

The detection strategy selection module 230 is described in the following. This module is configured to select either a standalone detection strategy, in which local monitoring and local detection are performed by a single DSA, or a collaborative detection strategy, in which neighbouring DSAs perform collaborative monitoring and collaborative detection.

The collaborative monitoring consists of sharing the relevant information to detect new attacks (defined as new attacks’ features) and the collaborative detection consists of executing by the neighbouring DSAs a collaborative machine learning algorithm (such as Federated Learning algorithm) with the goal to harden the security, while considering the network cost, that is, to increase the NAR and decrease CR.

The activation of a detection strategy by a DSA is requested by the CSA 11. A proposed Security Game Model as detailed in the following is used by the CSA to ensure optimal activation of an appropriate detection strategy by a DSA.

In the proposed game model, two kinds of security players are considered, that is, the security agents including both the CSA and the DSAs, and attacker player including network nodes 19 trying to access the network.

The CSA and DSA players work together with the goal of increasing the utility function F discussed above with reference to formula 2, whereas the main purpose of the attacker is to decrease the utility function F. Therefore, the security game model is defined as a min-max function as shown in formulas 3 and 4.

$F_1 = \arg\max \arg\min F(NAR, FPR, ML, CR)$ (3)

$F_2 = \arg\max \arg\min F(NAR, FPR, ML, CR)$ (4)

$F_1$ is the utility function of the security player and $F_2$ is the utility function of the attacker player. Each player aims to maximize its own utility function and minimize the utility function of its opponent, as shown in formulas 3 and 4. The CSA monitors $F_1$ and $F_2$ with the goal of optimally activating the detection strategy, that is, the standalone or the collaborative detection strategy.

The CSA assigns $F_1$ to a DSA player; moreover, the CSA assigns $F_2$ to a suspected attacker player detected by a DSA.

The CSA requests the DSA to activate its standalone detection strategy when the following condition is reached: $F_1 \gg F_2$ and $F > 0$. The CSA requests the DSA to switch from the standalone detection strategy to the collaborative detection strategy when the following condition is reached: $F_1 \ll F_2$ and $(\alpha_2 \cdot FPR + \alpha_3 \cdot ML) > \alpha_1 \cdot NAR$.

It can be contemplated by those skilled in the art that $F_1$ relates to a most secure state of the DSA, while $F_2$ relates to a maximum attack potential from a suspected attacking network node. When the DSA is considered to be in a rather secure state, the standalone detection strategy may be adopted. In contrast, when the risk of attack from a certain suspected attacker is higher, it is better to adopt the collaborative detection strategy, in which neighbouring DSAs work together to detect the attack.

The above procedure is illustrated with reference to Figure 5, which is a flow chart type diagram 50 illustrating how a detection strategy selection module of a DSA is controlled by the CSA to select an appropriate detection strategy.

At step 51, the CSA 11 calculates the first indicator $F_1$ and the second indicator $F_2$ based on formulas 3 and 4 above.

At step 52, the CSA 11 checks whether the condition $F_1 \gg F_2$ and $F > 0$ is met.

When the above condition is met, at step 53, the CSA instructs the DSA, specifically, the detection strategy selection module of the DSA, to select the standalone detection strategy.

When the above condition is not met, at step 54, the CSA instructs the DSA, specifically, the detection strategy selection module of the DSA, to select the collaborative detection strategy.
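Formula 2 with the Figure 4 technique selection, together with the Figure 5 strategy selection and the explicit switch conditions stated with formulas 3 and 4, as one added Python example that is not the disclosure's code. Assumptions: the weight values, a numeric `margin` that turns the ≫/≪ comparisons into a test, and that $F_1$ and $F_2$ arrive already computed by the CSA, since formulas 3 and 4 do not fix the ranges of the arg max / arg min.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Weights:
    """α1..α4 of formula (2); values are constructed, all in [0, 1]."""
    a1: float = 1.0   # weight on NAR (new-attack detection gain)
    a2: float = 1.0   # weight on FPR
    a3: float = 1.0   # weight on ML
    a4: float = 1.0   # weight on CR


def _unit(name, x):
    """The disclosure restricts every rate to [0, 1]; reject anything else early."""
    if not 0.0 <= x <= 1.0:
        raise ValueError(f"{name} must lie in [0, 1], got {x}")
    return x


def utility_f(nar, fpr, ml, cr, w=Weights()):
    """Formula (2): F = α1·NAR − (α2·FPR + α3·ML + α4·CR)."""
    nar, fpr, ml, cr = (_unit(n, v) for n, v in
                        (("NAR", nar), ("FPR", fpr), ("ML", ml), ("CR", cr)))
    return w.a1 * nar - (w.a2 * fpr + w.a3 * ml + w.a4 * cr)


def select_technique(f, threshold=0.0):
    """Figure 4, steps 42-44: F above the threshold -> cost-saving ML-only
    detection; otherwise the heavier hybrid (rules + ML) detection that
    prioritises accuracy."""
    return "ml" if f > threshold else "hybrid"


def select_strategy(f, f1, f2, margin=0.1):
    """Figure 5, steps 52-54: standalone when F1 >> F2 and F > 0, else
    collaborative. '>>' is read as F1 exceeding F2 by more than `margin`
    (assumption; the disclosure does not fix the margin)."""
    return "standalone" if (f1 - f2 > margin and f > 0) else "collaborative"


def collaborative_switch_condition(f1, f2, nar, fpr, ml, w=Weights(), margin=0.1):
    """The explicit switch condition stated with formulas 3 and 4:
    F1 << F2 and (α2·FPR + α3·ML) > α1·NAR, i.e. the attacker's utility
    dominates while the penalty terms of F outweigh the new-attack gain."""
    return (f2 - f1 > margin) and (w.a2 * fpr + w.a3 * ml) > w.a1 * nar


def csa_control(nar, fpr, ml, cr, f1, f2, w=Weights()):
    """One CSA decision round for a DSA: returns F, the requested technique,
    the requested strategy and whether the explicit switch condition holds."""
    f = utility_f(nar, fpr, ml, cr, w)
    return {"F": f,
            "technique": select_technique(f),
            "strategy": select_strategy(f, f1, f2),
            "switch_condition": collaborative_switch_condition(f1, f2, nar, fpr, ml, w)}


def demo():
    """Two constructed DSA states: a quiet, cheap one and a heavily attacked one."""
    quiet = csa_control(nar=0.8, fpr=0.05, ml=0.1, cr=0.2, f1=0.45, f2=0.10)
    attacked = csa_control(nar=0.2, fpr=0.30, ml=0.7, cr=0.4, f1=0.10, f2=0.60)
    return quiet, attacked


if __name__ == "__main__":
    for state in demo():
        print(state)  # quiet: F≈0.45, ml, standalone; attacked: F≈-1.2, hybrid, collaborative
```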

Figure 6 illustrates, in a flow chart type diagram 60 and from a system perspective, operation of the CSA and DSAs according to the present disclosure.

At step 611, the CSA monitors the monitoring module of a DSA by analysing security parameters according to formula 1 discussed above. When the CSA determines at step 612 that $\beta_1 \cdot ADR + \beta_2 \cdot QDR < \beta_3 \cdot FDR$, the CSA will, at step 613, request the monitoring module of the DSA to switch to an idle mode. This excludes the DSA from participating in attack detection and prevents any possible risk posed by a malicious DSA.

When it is determined at step 612 that $\beta_1 \cdot ADR + \beta_2 \cdot QDR > \beta_3 \cdot FDR$, at step 614 the relevant DSA remains active and monitors for attacks using rule-based attack detection.

If the DSA suspects no attack, it keeps monitoring for attacks at step 614. In the case that the DSA suspects an attack at step 615, the vote mechanism described above is used to determine whether this is a real attack. Specifically, at step 616, the DSA checks whether the suspected number is larger than the number of DSAs and the CSA that detect the monitored target as posing a suspected attack.

When it is determined at step 617 that the suspected number is not larger than the number of DSAs and the CSA that detect the monitored target as posing a suspected attack, the DSA continues to monitor for attacks at step 614.

If the suspected number is larger than the number of DSAs and the CSA that detect the monitored target as posing a suspected attack at step 617, the detection technique selection module of the DSA is activated at step 618.

At step 619, in response to the detection technique selection module of the DSA being activated, the CSA monitors and computes the function F of the DSA according to formula 2 as described above.

At step 620, the CSA determines whether F is close to zero. If the determination result is yes (Y), at step 621 the DSA is requested by the CSA to switch from machine learning detection to hybrid detection. On the other hand, if the determination result is no (N), at step 622 the DSA is requested by the CSA to switch back from hybrid detection to the machine learning-based detection.

The CSA at step 623 also computes the indicators $F_1$ and $F_2$ based on formulas 3 and 4 above.

At step 624, the CSA determines whether $F_1 \gg F_2$ and $F > 0$. If the determination result is yes (Y), at step 625 the CSA requests the DSA to activate its standalone detection strategy. Otherwise, if the determination result is no (N), at step 626 the CSA requests the DSA to activate its collaborative detection strategy.

From the perspective of a DSA which is actively monitoring attacks, a method 70 for detecting attacks in the network by the DSA based on the appropriate detection technique and strategy is described in the following with reference to Figure 7.

At step 71 , the DSA selects a detection technique with reference to a function calculated based on parameters related to both attack detection accuracy and detection cost. The detailed procedure of calculation by the CSA is described above with reference to Figure 4.

At step 72, the DSA selects a detection strategy based on a first indicator related to a most secure state of the at least one distributed security agent and a second indicator related to a maximum attack potential from suspected attacking network nodes. The detailed procedure of calculating the first indicator and the second indicator by the CSA is described above with reference to Figure 5.

With both the detection technique and the detection strategy selected, the DSA at step 73 performs detection of an attack based on the selected detection technique and the selected detection strategy.

The detailed method of detecting an attack by the DSA is known to those skilled in the art and will not be elaborated here.

From the perspective of the CSA, a method 80 for controlling detection of attacks in a network by a DSA is described in the following with reference to Figure 8.

At step 81 , the CSA requests at least one DSA to select a detection technique with reference to a function calculated based on parameters related to both attack detection accuracy and detection cost. The detailed procedure of calculation by the CSA is described above with reference to Figure 4.

As described in detail with reference to Figure 4, the requesting step 81 may comprise requesting the at least one DSA to select a first detection technique prioritising attack detection accuracy or a second detection technique prioritising detection cost control.

At step 82, the CSA requests the at least one DSA to select a detection strategy based on a first indicator related to a most secure state of the at least one DSA and a second indicator related to a maximum attack potential from suspected attacking node devices. The detailed procedure of calculating the first indicator and the second indicator by the CSA is described above with reference to Figure 5.

As described in detail with reference to Figure 5, the requesting step 82 may comprise requesting the at least one DSA to select the standalone detection strategy or the collaborative detection strategy.

The present disclosure is not limited to the examples as disclosed above and can be modified and enhanced by those skilled in the art beyond the scope of the present disclosure as disclosed in the appended claims without having to apply inventive skills and for use in any data communication, data exchange and data processing environment, system or network.