A Hybrid Machine Learning and Signature-Based Approach for Detecting Network Pivoting in BYOD Environments
DOI: https://doi.org/10.63158/journalisi.v8i1.1428
Keywords: Network pivoting detection, lateral movement, BYOD security, hybrid intrusion detection, insider threat detection
Abstract
This study addresses the challenge of detecting network pivoting, a lateral movement technique that is difficult to identify in insider and BYOD environments because malicious transitions can resemble normal internal activity. The objective was to improve detection of both known and unknown pivoting behaviours while supporting practical triage in resource-constrained institutions. A hybrid detection framework was developed that fuses Snort signature alerts with machine learning classification and unsupervised anomaly detection using behavioural features derived from BYOD-like network traffic. The approach was evaluated in a controlled testbed and supported by organisational survey findings on awareness and monitoring practice. Results show the hybrid system achieved 96.2% classification accuracy with a 4.5% false positive rate when distinguishing normal traffic, suspicious activity, and pivoting attacks. Compared with signature-only and machine-learning-only baselines, the hybrid design detected simulated pivoting attempts earlier and more consistently. User acceptance testing also reported strong satisfaction with the integrated dashboard for monitoring, filtering, and reporting. The key contribution is a unified, dashboard-oriented fusion of signature and behavioural evidence that strengthens early lateral movement detection and reduces manual correlation effort.
Copyright (c) 2026 Journal of Information Systems and Informatics

This work is licensed under a Creative Commons Attribution 4.0 International License.
Authors Declaration
- The Authors certify that they have read, understood, and agreed to the Journal of Information Systems and Informatics (JournalISI) submission guidelines, policies, and submission declaration. The submission has been prepared using the provided template.
- The Authors certify that all authors have approved the publication of this manuscript and that there is no conflict of interest.
- The Authors confirm that the manuscript is their original work, has not received prior publication, is not under consideration for publication elsewhere, and has not been previously published.
- The Authors confirm that all authors listed on the title page have contributed significantly to the work, have read the manuscript, attest to the validity and legitimacy of the data and its interpretation, and agree to its submission.
- The Authors confirm that the manuscript is not copied from or plagiarized from any other published work.
- The Authors declare that the manuscript will not be submitted for publication in any other journal or magazine until a decision is made by the journal editors.
- If the manuscript is finally accepted for publication, the Authors confirm that they will either proceed with publication immediately or withdraw the manuscript in accordance with the journal’s withdrawal policies.
- The Authors agree that, upon publication of the manuscript in this journal, they transfer copyright or assign exclusive rights to the publisher, including commercial rights.