Anomaly-based Correlation of IDS Alarms
An Intrusion Detection System (IDS) is one of the major techniques for securing information systems and keeping pace with current and potential threats and vulnerabilities in computing systems. It is an indisputable fact that the art of detecting intrusions is still far from perfect, and IDSs tend to generate a large number of false alarms. Hence a human operator inevitably has to validate those alarms before any action can be taken. As IT infrastructure becomes larger and more complicated, the number of alarms that need to be reviewed can escalate rapidly, making this task very difficult to manage. The need for an automated correlation and reduction system is therefore very much evident. In addition, alarm correlation is valuable in providing operators with a more condensed view of potential security issues within the network infrastructure.
The thesis embraces a comprehensive evaluation of the problem of false alarms and a proposal for an automated alarm correlation system. A critical analysis of existing alarm correlation systems is presented along with a description of the need for an enhanced correlation system. The study concludes that whilst a large amount of work has been carried out on improving correlation techniques, none of it is perfect. Existing systems either require an extensive level of domain knowledge from human experts to run effectively or are unable to provide high-level information about the false alerts for future tuning. The overall objective of the research has therefore been to establish an alarm correlation framework and system which enables the administrator to effectively group alerts from the same attack instance and subsequently reduce the volume of false alarms without the need for domain knowledge.
The achievement of this aim has comprised the proposal of an attribute-based approach, which is used as a foundation to systematically develop an unsupervised two-stage correlation technique. From this formation, a novel SOM K-Means Alarm Reduction Tool (SMART) architecture has been modelled as the framework from which a time- and attribute-based aggregation technique is offered. The thesis describes the design and features of the proposed architecture, focusing upon the key components forming the underlying architecture, the alert attributes, and the way they are processed and applied to correlate alerts. The architecture is strengthened by the development of a statistical tool, which offers a means to perform result or alert analysis and comparison.
The main concepts of the novel architecture are validated through the implementation of a prototype system. A series of experiments were conducted to assess the effectiveness of SMART in reducing false alarms. This aimed to prove the viability of implementing the system in a practical environment and that the study has provided an appropriate contribution to knowledge in this field.
Intrusion alert reduction based on unsupervised and supervised learning algorithms
Security and protection of information is an ever-evolving process in the field of information security. One of the major tools of protection is the Intrusion Detection System (IDS). For many years, IDSs have been developed for use in computer networks and have been widely used to detect a range of network attacks, but one of their major drawbacks is that attackers, with the evolution of time and technology, make it harder for IDSs to cope. A sub-branch of IDS, Intrusion Alert Analysis, was introduced to combat these problems and support IDSs by analyzing the alerts they trigger. Intrusion Alert Analysis has served as a good support for IDSs for many years but also has its own shortcomings, chief among them the voluminous number of alerts produced by IDSs. Years of research have shown that the majority of the alerts produced are undesirable (duplicates, false alerts, etc.), leading to huge volumes of alerts and alert flooding. This research proposes reducing alerts by targeting these undesirable alerts through the integration of supervised and unsupervised algorithms. The research first selects significant features by comparing two feature ranking techniques; this targets duplicate, low-priority and irrelevant alerts. To achieve further reduction, the research proposes the integration of supervised and unsupervised algorithms to filter out false alerts. Based on this, an effective model was obtained which achieved a 94.02% reduction rate of alerts. Using the ISCX 2012 dataset, experiments were conducted and the model with the highest reduction rate was chosen. The model was evaluated against other experimental results and benchmarked against a related work, on which it also improved.
Analysis and Detection of Outliers in GNSS Measurements by Means of Machine Learning Algorithms
The abstract is in the attachment.
Intelligent optical methods in image analysis for human detection
This thesis was submitted for the degree of Doctor of Philosophy and was awarded by Brunel University.

This thesis introduces the concept of a person recognition system for use on an integrated autonomous surveillance camera. Developed to enable generic surveillance tasks without the need for complex setup procedures nor operator assistance, this is achieved through the novel use of a simple dynamic noise reduction and object detection algorithm requiring no previous knowledge of the installation environment and without any need to train the system to its installation.

The combination of this initial processing stage with a novel hybrid neural network structure composed of a SOM mapper and an MLP classifier using a combination of common and individual input data lines has enabled the development of a reliable detection process, capable of dealing with both noisy environments and partial occlusion of valid targets.

With a final correct classification rate of 94% on a single image analysis, this provides a huge step forwards as compared to the reported 97% failure rate of standard camera surveillance systems.
Hyperspectral-Augmented Target Tracking
With the global war on terrorism, the nature of military warfare has changed significantly. The United States Air Force is at the forefront of research and development in the field of intelligence, surveillance, and reconnaissance that provides American forces on the ground and in the air with the capability to seek, monitor, and destroy mobile terrorist targets in hostile territory. One such capability recognizes and persistently tracks multiple moving vehicles in complex, highly ambiguous urban environments. The thesis investigates the feasibility of augmenting a multiple-target tracking system with hyperspectral imagery. The research effort evaluates hyperspectral data classification using fuzzy c-means and the self-organizing map clustering algorithms for remote identification of moving vehicles. Results demonstrate a resounding 29.33% gain in performance from the baseline kinematic-only tracking to the hyperspectral-augmented tracking. Through a novel methodology, the hyperspectral observations are integrated in the MTT paradigm. Furthermore, several novel ideas are developed and implemented: spectral gating of hyperspectral observations, a cost function for hyperspectral observation-to-track association, and a self-organizing map filtering method. It appears that relatively little work in the target tracking and hyperspectral image classification literature exists that addresses these areas. Finally, two hyperspectral sensor modes are evaluated: Pushbroom and Region-of-Interest. Both modes are based on realistic technologies, and investigating their performance is the goal of performance-driven sensing. Performance comparison of the two modes can drive future design of hyperspectral sensors.