Evading Detection During Network Reconnaissance

Ilias Belalis

1 a

, Georgios Spathoulas

2 b

and Ioannis Anagnostopoulos

1 c

Department of Computer Science and Biomedical Informatics, University of Thessaly,

2-4 Papasiopoulou st., Lamia, 35131, Greece

Department of Information Security and Communication Technology,

Norwegian University of Science and Technology (NTNU), Mail Box 191, Gjøvik, NO-2815, Norway

Keywords:

Reconnaissance, Port Scanning, Detection, Evasion, Genetic Algorithm, Covert.

Abstract:

Network security attacks have seen a signiﬁcant increase in recent years. A remote attacker needs to under-

stand the topology of the victim network and extract as much information as possible for the hosts of the

network. The ﬁrst step of a network attack is called reconnaissance and aims at gathering such information.

In this paper, we analyze the detection of such activity through the use of machine learning classiﬁers. We

identify which are the characteristics of reconnaissance activity that render it detectable and employ a heuristic

approach to decide optimal values for such ﬁelds that can produce undetectable port scanning trafﬁc. Based on

those ﬁndings, a covert port scanning tool has been developed and made publicly available. The tool executes

the reconnaissance step of an attack in a way that it can evade being detected.

1 INTRODUCTION

Network security(Marin, 2005) is a set of technolo-

gies that protects the integrity, conﬁdentiality, avail-

ability of data, and usability of network infrastructure

by preventing entry or proliferation within a network

of a wide variety of potential threats. Network secu-

rity involves creating a secure infrastructure for de-

vices, applications, and users in order to work in a se-

cure manner. Speciﬁcally, Network Security involves

antivirus software, endpoint detection, and response

(Kaur and Tiwari, 2021), application security, access

control, network analytics, ﬁrewalls, intrusion detec-

tion systems (Kanika, 2013), VPN encryption, and

more.

Port Scanning(De Vivo et al., 1999) is an integral

part of active reconnaissance attacks. It is the pri-

mary source for information gathering about the in-

frastructure of a target network for the attackers. Port

scanning identiﬁes port availability by sending con-

nection requests to a target computer and recording

corresponding responses. Determining which ports

are in use enables attackers to understand which ap-

plications and services are active on the target ma-

chine. From there, an intruder can check for vulner-

https://orcid.org/0000-0002-0188-1925

https://orcid.org/0000-0003-2947-486X

https://orcid.org/0000-0002-0832-0522

abilities and initiate his attack plan. Machine Learn-

ing algorithms are increasingly used in solving cyber-

security problems and mainly in the detection of at-

tacker’s activity in a system (Xin et al., 2018). Such

algorithms have also been proposed to be used for the

detection of standard port scanning activity and have

shown high accuracy rates.

In the present paper, the detection of port scan-

ning activity is analyzed and studied to understand

the optimal approach for that. Additionally, the actual

metrics that enable detection are identiﬁed and an ap-

proach to implement an evading scanning technique

that can achieve undetected scanning of a network is

presented. The main contributions of the paper are the

following:

• Identiﬁcation of which are the most accurate clas-

siﬁcation algorithms with respect to detection of

port scanning attempts.

• Identiﬁcation of which are the most statistically

signiﬁcant parameters of network trafﬁc that can

lead to the detection of port scanning attempts.

• Design and implementation of a covert port scan-

ning tool that can evade detection from aforemen-

tioned algorithms.

The rest of the paper is structured as follows. Sec-

tion 2 presents related work in the ﬁeld of port scan-

ning detection using machine learning algorithms. In

528

Belalis, I., Spathoulas, G. and Anagnostopoulos, I.

Evading Detection During Network Reconnaissance.

DOI: 10.5220/0011685900003405

In Proceedings of the 9th International Conference on Information Systems Security and Privacy (ICISSP 2023), pages 528-534

ISBN: 978-989-758-624-8; ISSN: 2184-4356

 2023 by SCITEPRESS – Science and Technology Publications, Lda. Under CC license (CC BY-NC-ND 4.0)

Section 3, various machine learning classiﬁcation al-

gorithms are tested, to decide upon their applicabil-

ity to the problem. In Section 4, the results of the

ML algorithms are analyzed and the most important

features are identiﬁed. In Section 5, a heuristic ap-

proach is used to optimize the values of such feature,

to minimize the detection probability. In Section 6,

a covert port scanning tool that is able to evade de-

tection is presented. Finally, Section 7 presents our

conclusions.

2 RELATED WORK

Detecting Port Scanning attacks using Machine

Learning algorithms is one of the most popular trends

in the Cyber-defense ﬁeld. Bertoli et al. in (Bertoli

et al., 2021) described the AB-TRAP framework

which consists of (i) the generation of the attack

dataset, (ii) the bonaﬁde dataset, (iii) training of

the machine learning models, (iv) implementation of

the models and (v) the performance evaluation of

the model. They test AB-TRAP in two environ-

ments: LAN and the Internet. In both cases, has

been achieved low resource utilization and the De-

cision Tree classiﬁer provided the best performance

for the training and realization phases. Wankhede in

(Wankhede, 2019) provided anomaly detection using

machine learning techniques. Speciﬁcally, various

types of anomalies such as DoS attacks, DNS poi-

soning, and Port Scanning are presented and can be

detected by using supervised machine learning tech-

niques like feedforward neural networks. Balram et

al. in (Balram and Wiscy, 2008) described the de-

tection of TCP SYN scanning using packet counts

and neural networks. Through their work, they in-

vestigated the effectiveness of using counts of vari-

ous aggregated TCP control packets in detecting TCP

SYN scanning. Also, a neural network was trained

in order to capture normal as well as port scanning

data. TCP SYN, SYN/ACK and FIN packets show

deﬁnite patterns in their behaviour for legitimate con-

nections. As regards the detection of TCP SYN scan-

ning, a deviation from the normal behaviour is ob-

served. Jirapummin et al. in (Jirapummin and Kan-

thamanon, 2002) proposed a hybrid neural network

approach for IDS. In more detail, they presented an

intrusion detection system based on Self-Organizing

Maps (SOM) and Resilient Propagation Neural Net-

works (RPROP) for visualizing and classifying in-

trusion and normal patterns. Andropov et al. in

(Andropov et al., 2017) presented network anomaly

detection using artiﬁcial Neural networks. Through

their work, they presented a method of identifying

and classifying network anomalies using an artiﬁcial

neural network for analyzing data gathered via Net-

ﬂow protocol. The results showed high percentages

of successful identiﬁcations after a number of itera-

tions. Algaolahi et al. in (Algaolahi et al., 2021) used

supervised machine learning classiﬁers in order to de-

tect port scanning attacks. Speciﬁcally, their work is

focused on detecting port scanning attacks by using

different machine learning algorithms and comparing

them to ﬁnd the best one. As regards the results, some

algorithms such as Decision Tree and Random Forest

reach nearly 100 percent of accuracy with a short time

of training and testing.

3 DETECTION OF

RECONNAISSANCE ACTIVITY

As mentioned in the previous Section, various ap-

proaches exist in the literature that attempts to auto-

matically detect reconnaissance activity. The major-

ity of existing approaches address port scanning de-

tection, as this enables attack mitigation in its early

stages. As regards, port scanning detection, one so-

lution can be traditional network intrusion detection

systems which are complex and require resources and

maintenance. An alternative approach could be based

on lightweight machine learning classiﬁers, that upon

being properly trained can provide a fast detection

mechanism for reconnaissance network activity. The

paper focuses on machine learning-based detection of

reconnaissance activity and the evasion of detection

from such approaches.

3.1 The Classiﬁers

In the present Section, ﬁve commonly used ma-

chine learning classiﬁers were picked and used to

detect port scanning activity. The machine learn-

ing classiﬁers that were tested were: (a) De-

cision Tree (DT)(Kotsiantis, 2013), (b) Random

Forest (RT)(Pal, 2005), (c) Multi-layer Perceptron

(MLP)(Ramchoun et al., 2016), (d) k-Nearest Neigh-

bours (kNN)(Viswanath and Sarma, 2011) and (e)

Naive Bayes (NB)(Rish et al., 2001).

3.2 The Data-Set

The classiﬁers were trained and tested upon a dataset

built through the use of the AB-TRAP Project

. The

aforementioned project allows the integration of real-

istic background trafﬁc with trafﬁc produced by port

https://github.com/c2dc/AB-TRAP

Evading Detection During Network Reconnaissance

529

Table 1: TCP port scanning tools and techniques.

Port scan-

ning tools

TCP Port scanning techniques

Nmap SYN, Connect, FIN, XMAS, NULL,

ACK, Window

Unicornscan SYN, Connect, FIN, XMAS, NULL,

ACK

Hping3 SYN, Connect, FIN, XMAS, NULL,

ACK

Zmap SYN

Masscan SYN

scanning tools. Speciﬁcally, the attack network traf-

ﬁc consists of Port scanning tools and techniques as

described in Table 1. Regarding the normal trafﬁc

dataset, the MAWILab dataset (Fontugne et al., 2010)

has been used. It is 15 minutes of daily trafﬁc from

a transpaciﬁc backbone between the USA and Japan.

The data-set used consists of 416, 249 packets in total,

out of which 100, 520 have been produced by recon-

naissance activity, while the rest 315, 729 correspond

to normal trafﬁc.

Features of the trafﬁc that were identiﬁed as not

generic enough for this study were removed. Exam-

ples of such features are link layer (layer 2) ﬁelds

and features that are redundant or invariable such as

source IP address, destination IP address, IP version,

etc. Table 2 shows the ﬁelds that were fed to the clas-

siﬁers.

3.3 Classiﬁcation Results

Using the described data-set, the classiﬁers were as-

signed a supervised learning task in the form of

a binary classiﬁcation problem; classifying packets

as ”Attack” (reconnaissance activity) or ”Normal”

(background trafﬁc). The data-set was split into train-

ing and test sets at a ratio of 70-30%. Table 3 presents

the accuracy ratio per classiﬁer.

The results show that most of the classiﬁers (all

apart from Naive Bayes) achieve very high accuracy

ratios approximately equal to 99%.

4 ANALYSIS OF

RECONNAISSANCE TRAFFIC

In the present Section, further analysis of the results

of the experiments described in the previous Section

is attempted. The goal of this analysis is to understand

the data upon which port scanning trafﬁc is detectable

by most algorithms with a very high accuracy ratio.

To achieve this we need to ﬁnd the ﬁelds (features) of

the IP packets which were the most statistically signif-

icant for classiﬁers to achieve the ﬁnal result. For each

of the algorithms used, we analyzed the features’ im-

portance and concluded on the most signiﬁcant ﬁelds.

This analysis has been conducted upon the mean de-

crease impurity approach(Li et al., 1984).

Table 4 depicts the importance of all features that

have non negligible effect for at least one of the used

classiﬁers. However, for the MLP classiﬁer it was not

possible to calculate the most important ﬁelds and it

is not included in the Table 4.

The results shown in Table 4 enable us to conclude

on a minimal set of features which allow classiﬁers to

successfully detect the port scanning activity. Those

ﬁelds are:

• ip.ttl: Tools tend to pick a speciﬁc ttl value for

the packets they send and this enables classiﬁers

to identify such packets.

• tcp.srcport: Scanning tools tend to pick default

ports as source ports for the packets they send and

thus those are easily detected.

• tcp.window

size: The packets sent have speciﬁc

sizes as well, which makes such detectable.

• tcp.seq: The TCP sequence number gets default

values which make the packets detectable.

5 EVADING DETECTION

In this section, an approach to implement a port scan-

ning approach that can evade detection by a trained

classiﬁer is discussed. In other words, the covert port

scanning tools proposed attempt to conduct recon-

naissance steps while the packets it produces are not

classiﬁed as ”Attack” by the classiﬁer.

The main concept for implementing such a tool

is to build upon the important ﬁelds identiﬁed in the

previous Section. Choosing appropriate values for the

four ﬁelds discussed could enable the tool to evade de-

tection. In practice, the packets produced by the scan-

ning tool shall resemble more to the packets of normal

trafﬁc (at least for the signiﬁcant ﬁelds). So the main

task is to optimize the values of those ﬁelds towards

lowering the detection probability by all classiﬁers.

This optimization problem has been approached

through the use of genetic algorithms. The problem to

be solved is to select the optimal values for the packet

ﬁelds, identiﬁed as the most signiﬁcant ones, to min-

imize the probability for the reconnaissance activity

to be detected. The large size of the search space

(all possible values for the four ﬁelds) prohibits the

exhaustive search approach. Hence, a heuristic opti-

mization method has to be employed(Rothlauf, 2011),

so we selected to use a genetic algorithm.

ICISSP 2023 - 9th International Conference on Information Systems Security and Privacy

530

Table 2: Packet Fields/ ML Features.

Packet Field Description

ip.id The IP identiﬁer (IP-ID) is a 16 (32) bits ﬁeld in the IPv4 (v6) header.

ip.ﬂags.df When set, the df (Don’t Fragment) indicates that the packet cannot be frag-

mented for transmission.

ip.ttl The TTL ﬁeld, Time To Live, of an IP packet represents the maximum number

of IP routers that the packet can go through before being discarded.

ip.len Speciﬁes the length of the IP packet that includes the IP header and the user

data.

ip.dsﬁeld The Differentiated Services ﬁeld marking packets for Different Quality-Of-

Service (QoS) levels. For example, data belonging to voice and video protocols

have no acceptance for the delay.

tcp.srcport Identiﬁes the sending port.

tcp.seq TCP is a byte-oriented sequencing protocol. A Sequence Number ﬁeld is nec-

essary to ensure that missing or misordered packets can be detected and ﬁxed.

tcp.len The TCP payload size is calculated by taking the ”Total Length” from the IP

header (ip.len) and then substract the ”IP header length” (ip.hdr len) and the

”TCP header length” (tcp.hdr len).

tcp.hdr len A 4-bit ﬁeld containing the length of the IP header in 32-bit increments.

tcp.ﬂags.ﬁn Last packet from sender.

tcp.ﬂags.syn Synchronize sequence numbers. Only the ﬁrst packet sent from each end should

have this ﬂag set. Some other ﬂags and ﬁelds change meaning based on this

ﬂag, and some are only valid when it is set, and others when it is clear.

tcp.ﬂags.reset Reset the connection.

tcp.ﬂags.push Asks to push the buffered data to the receiving application.

tcp.ﬂags.ack Indicates that the Acknowledgment ﬁeld is signiﬁcant. All packets after the

initial SYN packet sent by the client should have this ﬂag set.

tcp.ﬂags.urg Indicates that the Urgent pointer ﬁeld is signiﬁcant.

tcp.ﬂags.cwr Congestion window reduced ﬂag is set by the sending host to indicate that it

received a TCP segment with the ECE ﬂag set and had responded in congestion

control mechanism.

tcp. window size The size of the receive window, which speciﬁes the number of window size

units that the sender of this segment is currently willing to receive.

tcp. urgent pointer If the URG ﬂag is set, then this 16-bit ﬁeld is an offset from the sequence

number indicating the last urgent data byte.

tcp. options.mss val The Maximum Segment Size (MSS) is a TCP Option and sets the largest seg-

ment that the local host will accept.

Table 3: Accuracy ratio per classiﬁer.

ML Classiﬁer Accuracy Ratio

Decision Tree (DT) 0.9903

Random Forest (RF) 0.9902

Multi-layer Perceptron (MLP) 0.9906

k-Nearest Neighbours (kNN) 0.9867

Naive Bayes (NB) 0.4288

The approach used was to employ the pre-trained

classiﬁers and then construct typical scanning pack-

ets (for which the values of the four signiﬁcant ﬁelds

were selected heuristically). Each selection of values

corresponds to a trafﬁc packet, which can be fed to the

trained classiﬁers, and upon the probability that the

packet is identiﬁed as port scanning, we can conclude

Table 4: Features Importance.

Feature DT RF kNN NB

ip.ttl 0.954 0.367 0.000 0.000

ip.dsﬁeld 0.025 0.000 0.000 0.000

tcp. op-

tions.mss val

0.011 0.000 0.057 0.000

tcp.hdr len 0.000 0.111 0.000 0.000

tcp. win-

dow size

0.000 0.101 0.181 0.000

tcp.srcport 0.000 0.000 0.174 0.000

tcp.seq 0.000 0.000 0.000 0.089

the ﬁtness of the selection of values. The workﬂow is

depicted in Figure 1.

The design parameters of the genetic algorithm

Evading Detection During Network Reconnaissance

531

are as follows:

• The search space comprises all possible combi-

nations of values for the four ﬁelds. Because the

candidate values for ﬁelds, such as port, size, or ttl

are actually large ranges of integer values (most of

which may be invalid or non-applicable) we con-

strained the search space according to the most

used values. By analyzing the trafﬁc data-set, we

picked the most 20 common values for each ﬁeld,

thus creating a search space with a solutions pop-

ulation p = 20

• Each solution is represented by an array of four

elements denoted as f that represents the value

assigned to each ﬁeld.

• The ﬁtness function is deﬁned as:

f it( f ) =

∑

i=1

prob

( f )

, where prob

( f ) is the probability that a packet

constructed with the values of f is classiﬁed as

port scanning activity by classiﬁer i and N is the

total number of classiﬁers.

• The initial population size is 100.

• The mutation probability is 0.1.

• The next generation is determined by uniform

crossover, with crossover probability equal to 0.5,

an elite ratio of 0.01, and 0.3 of the population

consisting of the ﬁttest members of the previous

generation (aka parents).

• The algorithm terminates when the maximum

number of allowed iterations is used. This number

is calculated as itermax = 50 ∗ p.

In order to select the most appropriate values, a pro-

gram has been developed in Python. The main func-

tions of the program are:

• Data structure with values for the most important

ﬁelds such as IP TTL, TCP Source Port, and TCP

Window Size as captured in ”Normal” network

trafﬁc.

• Using a Genetic Algorithm that feeds with the

above values each one of the ML classiﬁers such

as Decision Tree, Random Forest, Multi-layer

Perceptron, Naive Bayes, and k-Nearest Neigh-

bours.

• The Genetic Algorithm returns the values that will

have the highest average score for the above clas-

siﬁers.

The implementation of the above mechanism is

shown in Figure 1. By forging a new packet with

the values, which have been calculated by the Genetic

Figure 1: Genetic Algorithm.

Algorithm, it is possible to evade detection for Port

Scanning.

The approach proposed is based on the idea of

picking values for ﬁelds of the packets (that can be

manipulated) which will make detecting port scan-

ning activity harder. Of course, it is feasible to

train classiﬁers upon the packets produced by our ap-

proach, but a dynamically conﬁgured port scanning

tool can successfully evade detection, as retraining

classiﬁers would not be an easy measure to take.

6 COVERT NETWORK

SCANNING TOOL

In this section, we present a covert port scanning tool

that was developed in Python through the use of the

Scapy Framework. The tool performs a number of

port scanning techniques and through the use of the

values calculated in Section 5 it is able to evade de-

tection by all classiﬁers discussed in the previous Sec-

tions. The tool and its source code are available at

GitHub

The tool implements TCP SYN Scan, TCP Con-

nect Scan, TCP NULL Scan, TCP FIN Scan, and TCP

XMAS Tree Scan and enables the user to retrieve in-

formation about a network, without being detected.

To validate this claim we went through a number

https://github.com/ilbe753/Simple-Port-Scanner

ICISSP 2023 - 9th International Conference on Information Systems Security and Privacy

532

of experiments. Speciﬁcally, we performed different

port scanning attempts for different types of scanning

(TCP SYN Scan, TCP Connect Scan, TCP NULL

Scan, TCP FIN Scan, and TCP XMAS Tree Scan).

For each of the above port scanning attempts, the net-

work trafﬁc was captured, through the use of wire-

shark

We trained a number of classiﬁers (DT, RF, MLP,

kNN, NB) according to the analysis presented in Sec-

tion 3. To make the experiment more realistic, we

trained those classiﬁers with multiple combinations of

real-world background trafﬁc and trafﬁc chunks pro-

duced by a number of port scanning tools, such as

nmap

, zmap

, masscan

, and hping

The covert scanning tool was used to conduct a

number of reconnaissance attempts with various tech-

niques. The activity of the covert scanning tool was

not detected in any of the scenarios. For all combina-

tions of the (a) classiﬁcation algorithm, (b) scanning

tool that has been used for training the classiﬁer and

tivity of the latter remained undetected.

7 CONCLUSIONS

In this paper, the detection of reconnaissance activ-

ity through the use of ML classiﬁers has been stud-

ied. Literature was analyzed and both efﬁcient algo-

rithms and use-full network packet ﬁelds to the pro-

cess were identiﬁed. The extracted information was

used to train a number of classiﬁers in order to detect

port scans with high accuracy. This has conﬁrmed

that it is feasible to detect port scanning activity with

this approach.

Consequently, the most signiﬁcant packet ﬁelds

that enable high accuracy ratio metrics for most of

the algorithms were identiﬁed a genetic algorithm ap-

proach was used to heuristically decide the optimal

values for such ﬁelds that would enable port scan-

ning activity while remaining undetected by classi-

ﬁers. Based on those ﬁndings, a covert port scanning

tool was developed and made publicly available for

the network security research community. The tool

was tested under various circumstances and it has al-

ways evaded detection.

As future work plans, we foresee that we can

add dynamic updates of the evasion capabilities

of the proposed tool, according to novel scanning

https://www.wireshark.org/

https://nmap.org/

https://github.com/zmap/zmap

https://github.com/robertdavidgraham/masscan

https://www.kali.org/tools/hping3/

tools/algorithms. Re-deﬁning the signiﬁcant ﬁelds

and the proper values for those may be done centrally

and then updating the conﬁguration parameters of all

instances of the covert scanning tool through an over-

the-air update.

REFERENCES

Algaolahi, A. Q., Hasan, A. A., Sallam, A., Sharaf, A. M.,

Abdu, A. A., and Alqadi, A. A. (2021). Port-scanning

attack detection using supervised machine learning

classiﬁers. In 2021 1st International Conference on

Emerging Smart Technologies and Applications (eS-

marTA), pages 1–5. IEEE.

Andropov, S., Guirik, A., Budko, M., and Budko, M.

(2017). Network anomaly detection using artiﬁcial

neural networks. In 2017 20th Conference of Open In-

novations Association (FRUCT), pages 26–31. IEEE.

Balram, S. and Wiscy, M. (2008). Detection of tcp syn scan-

ning using packet counts and neural network. In 2008

IEEE International Conference on Signal Image Tech-

nology and Internet Based Systems, pages 646–649.

IEEE.

Bertoli, G. D. C., J

unior, L. A. P., Saotome, O., Dos Santos,

A. L., Verri, F. A. N., Marcondes, C. A. C., Barbieri,

S., Rodrigues, M. S., and De Oliveira, J. M. P. (2021).

An end-to-end framework for machine learning-based

network intrusion detection system. IEEE Access,

9:106790–106805.

De Vivo, M., Carrasco, E., Isern, G., and De Vivo,

G. O. (1999). A review of port scanning techniques.

ACM SIGCOMM Computer Communication Review,

29(2):41–48.

Fontugne, R., Borgnat, P., Abry, P., and Fukuda, K. (2010).

Mawilab: Combining diverse anomaly detectors for

automated anomaly labeling and performance bench-

marking. In Proceedings of the 6th International

COnference, Co-NEXT ’10, New York, NY, USA. As-

sociation for Computing Machinery.

Jirapummin, C. and Kanthamanon, P. (2002). Hybrid neural

networks for intrusion detection system. In Proceed-

ings of the IEEK Conference, pages 928–931. The In-

stitute of Electronics and Information Engineers.

Kanika, U. (2013). Security of network using ids and ﬁre-

wall. International Journal of Scientiﬁc and Research

Publications, 3(6):1–4.

Kaur, H. and Tiwari, R. (2021). Endpoint detection and re-

sponse using machine learning. In Journal of Physics:

Conference Series, volume 2062, page 012013. IOP

Publishing.

Kotsiantis, S. B. (2013). Decision trees: a recent overview.

Artiﬁcial Intelligence Review, 39(4):261–283.

Li, B., Friedman, J., Olshen, R., and Stone, C. (1984).

Classiﬁcation and regression trees (cart). Biometrics,

40(3):358–361.

Marin, G. A. (2005). Network security basics. IEEE Secu-

rity & privacy, 3(6):68–72.

Evading Detection During Network Reconnaissance

533

Pal, M. (2005). Random forest classiﬁer for remote sensing

classiﬁcation. International Journal of Remote Sens-

ing, 26(1):217–222.

Ramchoun, H., Ghanou, Y., Ettaouil, M., and Janati Idrissi,

M. A. (2016). Multilayer perceptron: Architecture op-

timization and training.

Rish, I. et al. (2001). An empirical study of the naive bayes

classiﬁer. In IJCAI 2001 workshop on empirical meth-

ods in artiﬁcial intelligence, volume 3, pages 41–46.

Rothlauf, F. (2011). Design of modern heuristics: princi-

ples and application, volume 8. Springer.

Viswanath, P. and Sarma, T. H. (2011). An improvement

to k-nearest neighbor classiﬁer. In 2011 IEEE Recent

Advances in Intelligent Computational Systems, pages

227–231. IEEE.

Wankhede, S. B. (2019). Anomaly detection using ma-

chine learning techniques. In 2019 IEEE 5th Inter-

national Conference for Convergence in Technology

(I2CT), pages 1–3. IEEE.

Xin, Y., Kong, L., Liu, Z., Chen, Y., Li, Y., Zhu, H., Gao,

M., Hou, H., and Wang, C. (2018). Machine learning

and deep learning methods for cybersecurity. IEEE

Access, 6:35365–35381.

ICISSP 2023 - 9th International Conference on Information Systems Security and Privacy

534