    An Approach of Data Mining Techniques Using Firewall Detection for Security and Event Management System

    Security has been one of the most important drivers of research and development effort in recent decades. We introduce mining techniques, firewall detection and frequent itemset selection, to enhance system security in a security information and event management (SIEM) system. In addition, we extend the detection techniques used against attackers within the data-mining rules of our SIEM project. The proposed work leverages these techniques to significantly improve attack detection and to mitigate attack consequences. We also propose an advanced decision-making system that supports the domain expert in targeting events, based on the individuality of the exposed infrequent weighted itemsets (IWIs). Furthermore, aggregation functions other than the minimum and maximum of the item weights can be applied. Frequent and infrequent weighted itemsets represent correlations that frequently hold in data in which items may be weighted differently. What is needed is the discovery of rare or frequent data correlations such that a cost function is minimized by data-mining techniques. Discovering rare data raises several issues: processing larger data sets takes more time, and existing approaches are not applicable to discovering data such as the minimum of certain values. We address the problem of discovering rare and weighted itemsets, the infrequent weighted itemset (IWI) mining problem. Two novel quality measures are proposed to drive the IWI mining process, and Minimal IWI mining is performed efficiently in the SIEM system
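
The weighted itemset measures the abstract refers to, as an added example in Python (written for this page, not code from the paper): each transaction is an event window mapping event types to weights, the weighted support of an itemset sums an aggregation (min by default, max or anything else on request) of its items' weights over the transactions that contain it, and itemsets scoring below a threshold are the infrequent weighted itemsets, reduced to the minimal ones. The transactions, event names, severities, the threshold of 5 and the identification of "minimum of the item sets" with the IWI-support-min measure from the weighted itemset mining literature are all assumptions of this example.

```python
from itertools import combinations

# Constructed sample data (not from the paper): each transaction is one event
# window from a firewall/SIEM feed, mapping an observed event type (the item)
# to a weight, here an assumed analyst-assigned severity for that occurrence.
TRANSACTIONS = [
    {"port_scan": 3, "ssh_fail": 5, "geo_anomaly": 2},
    {"port_scan": 3, "ssh_fail": 4},
    {"ssh_fail": 5, "priv_esc": 9, "geo_anomaly": 1},
    {"port_scan": 2, "dns_tunnel": 8},
    {"ssh_fail": 4, "geo_anomaly": 2},
]


def weighted_support(itemset, transactions, agg=min):
    """Weighted support of an itemset: in every transaction that contains all
    of its items, aggregate the weights of those items with `agg` (min, max or
    any other function of the weights), then sum over transactions. With
    agg=min this is the IWI-support-min measure of the weighted itemset mining
    literature; mapping that onto the abstract's 'minimum of the item sets' is
    an assumption of this example."""
    total = 0
    for t in transactions:
        if all(item in t for item in itemset):
            total += agg(t[item] for item in itemset)
    return total


def mine_itemsets(transactions, max_len=3, agg=min):
    """Enumerate every itemset of up to max_len items that occurs at least once
    and return {itemset: weighted support}. Brute force is fine at this size;
    real SIEM volumes need pattern-growth style mining instead."""
    items = sorted({item for t in transactions for item in t})
    supports = {}
    for k in range(1, max_len + 1):
        for combo in combinations(items, k):
            s = weighted_support(combo, transactions, agg)
            if s > 0:
                supports[combo] = s
    return supports


def infrequent(supports, threshold):
    """Infrequent weighted itemsets: weighted support strictly below threshold."""
    return {i: s for i, s in supports.items() if s < threshold}


def minimal_infrequent(supports, threshold):
    """Minimal infrequent weighted itemsets: infrequent itemsets with no
    infrequent proper subset. With agg=min the support is anti-monotone
    (a superset never scores higher than its subsets), so every superset of an
    infrequent itemset is infrequent too and tells the analyst nothing new."""
    inf = infrequent(supports, threshold)
    return {i: s for i, s in inf.items()
            if not any(set(j) < set(i) for j in inf)}


if __name__ == "__main__":
    supports = mine_itemsets(TRANSACTIONS)
    for itemset, s in sorted(minimal_infrequent(supports, threshold=5).items()):
        print(itemset, "min-weighted support", s)
```

With the sample data the minimal infrequent itemsets are the pairs (dns_tunnel, port_scan), (geo_anomaly, port_scan) and (geo_anomaly, priv_esc): combinations that co-occur rarely or only with low weights, which is the kind of "rare correlation" the abstract wants surfaced, while their supersets are suppressed as redundant.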

    Error analysis of sequence modeling for projecting cyber attacks

    Intrusion Detection Systems (IDSs) have become an integral component of network security. Prior research has focused on developing efficient IDSs and correlating attacks into Attack Tracks. To enhance the network analyst's situational awareness, sequence modeling techniques such as Variable Length Markov Models (VLMM) have been used to project likely future attacks. However, such projections assume that the IDSs detect each and every attack action, which is not viable in reality. An IDS could miss an attack due to packet loss or improper traffic analysis, or when an attacker evades detection by employing obfuscation techniques. Such missed detections could negatively affect the prediction model, resulting in erroneous estimations. This thesis investigates the prediction performance of VLMM, as an error analysis, when it is used for projecting cyber attacks. The analysis is based on the impact of missed alerts, which represent undetected attack actions. It begins with an analytical study of a state-based Markov model, Causal-State Splitting Reconstruction (CSSR), in contrast to the context-based VLMM. Simulation results show that VLMM and CSSR perform comparably, with VLMM being the simpler model since it does not need to maintain and train a state space. A thorough design of experiments studies the effects of missing IDS alerts by placing missed alerts at different locations in the attack sequence at different rates. The experimental results suggest that the change in prediction accuracy is low when missed alerts are confined to one part of the sequence and higher when they occur throughout the entire sequence. Prediction accuracy also increases when rare alerts are missing and decreases when common alerts are missing. In addition, the change in prediction accuracy is relatively smaller for sequences with a smaller symbol space than for sequences with a larger symbol space. Overall, the results demonstrate both the robustness and the limitations of VLMM when used for cyber attack prediction. The insights derived from this analysis will help the security analyst assess the model's predictive performance in the presence of missed alerts
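
The mechanism the thesis analyses, as an added example in Python (written for this page, not the thesis's own code or data): a count-based variable-order Markov predictor with back-off over alert symbols, scored on an attack track and then on the same track with a common or a rare alert removed, plus a helper that picks alerts to drop at a given rate either throughout the track or in one region only. The attack tracks, alert names, the back-off rule and the scoring convention (predict each alert from the alerts reported before it) are constructed assumptions; the thesis's exact VLMM construction and datasets are not on the page.

```python
import random
from collections import Counter, defaultdict


class VLMM:
    """Variable-length Markov model over alert symbols.

    Training records, for every context of length 0..max_order, how often each
    symbol followed it. Prediction backs off from the longest context seen in
    training to shorter ones, so a history the IDS never reported exactly
    (for instance because an alert was missed) still yields a guess."""

    def __init__(self, max_order=2):
        self.max_order = max_order
        self.counts = defaultdict(Counter)  # context tuple -> Counter of next symbols

    def train(self, track):
        for i, sym in enumerate(track):
            for k in range(0, min(self.max_order, i) + 1):
                self.counts[tuple(track[i - k:i])][sym] += 1

    def predict(self, history):
        history = tuple(history)
        for k in range(min(self.max_order, len(history)), -1, -1):
            ctx = history[len(history) - k:]
            if ctx in self.counts:
                return self.counts[ctx].most_common(1)[0][0]
        return None


def accuracy(model, observed):
    """Fraction of positions i >= 1 at which the model, shown observed[:i],
    predicts observed[i]; 0.0 if the sequence is too short to score."""
    n = len(observed) - 1
    if n <= 0:
        return 0.0
    hits = sum(1 for i in range(1, len(observed))
               if model.predict(observed[:i]) == observed[i])
    return hits / n


def drop_alerts(track, drop_indices):
    """What the IDS actually reported: the track minus the missed alerts."""
    drop = set(drop_indices)
    return [s for i, s in enumerate(track) if i not in drop]


def random_drops(track, rate, rng, region=None):
    """Indices to drop: each position in region (default: the whole track) is
    missed independently with probability rate. Restricting the region to one
    phase of the attack models misses concentrated in one part of the sequence."""
    start, end = region if region else (0, len(track))
    return [i for i in range(start, end) if rng.random() < rate]


# Constructed attack tracks (alert symbols in the order an IDS would raise
# them); made up for this example, not data from the thesis.
TRAINING_TRACKS = [
    ["scan", "brute", "login", "exfil"],
    ["scan", "brute", "brute", "login", "exfil"],
    ["scan", "exploit", "login", "exfil"],
    ["scan", "brute", "login", "escalate", "exfil"],
]


def missed_alert_experiment():
    """Accuracy on a track built from common alerts and on one containing a
    rare alert, each clean and with its second alert missed by the IDS."""
    model = VLMM(max_order=2)
    for track in TRAINING_TRACKS:
        model.train(track)
    common_track = ["scan", "brute", "login", "exfil"]
    rare_track = ["scan", "exploit", "login", "exfil"]
    return {
        "clean_common": accuracy(model, common_track),
        "missed_common_alert": accuracy(model, drop_alerts(common_track, [1])),
        "clean_rare": accuracy(model, rare_track),
        "missed_rare_alert": accuracy(model, drop_alerts(rare_track, [1])),
    }


if __name__ == "__main__":
    for name, acc in missed_alert_experiment().items():
        print(f"{name:22s} {acc:.2f}")
    rng = random.Random(7)
    track = TRAINING_TRACKS[1]
    print("misses throughout:", random_drops(track, 0.3, rng))
    print("misses in one phase:", random_drops(track, 0.3, rng, region=(0, 2)))
```

On this toy corpus the clean common track is predicted perfectly, and dropping its "brute" alert halves the accuracy because the model, seeing only "scan", still predicts the usual "brute" while the reported next alert is "login". Whether a miss helps or hurts depends on how the remaining context lines up with what the model learned, which is exactly why the thesis varies the location and rate of misses rather than reasoning from single cases.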

    Cyber-Attack Prediction Based on Network Intrusion Detection Systems for Alert Correlation Techniques: A Survey

    Network Intrusion Detection Systems (NIDSs) are designed to safeguard the security needs of enterprise networks against cyber-attacks. However, NIDSs suffer from several limitations, such as generating a high volume of low-quality alerts; moreover, 99% of the alerts produced by NIDSs are false positives. Predicting the future actions of an attacker is also one of the most important goals here. This study reviews the state of the art in cyber-attack prediction based on NIDS intrusion alerts, its models, and its limitations. A taxonomy of intrusion alert correlation (AC) is introduced, comprising similarity-based, statistical-based, knowledge-based, and hybrid approaches, together with a classification of alert correlation components. Alert correlation datasets and future research directions are highlighted. AC receives raw alerts, identifies the associations between different alerts, links each alert to its related contextual information, and predicts a forthcoming alert or attack, providing a timely, concise, and high-level view of the network security situation. This review can serve as a benchmark for researchers and industry in the future progress and development of Network Intrusion Detection Systems
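
One similarity-based correlator of the kind the taxonomy lists, as an added example in Python (not code from the survey or from any system it covers): raw alerts are scored on source address, destination address and time proximity with assumed weights, and grouped greedily into candidate attack tracks that a predictor could then consume. The alerts, the same-/24 rule, the 300-second window, the attribute weights and the 0.6 threshold are all constructed for this example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Alert:
    ts: float   # seconds since the start of the capture
    src: str    # IPv4 source address (the /24 rule below assumes IPv4)
    dst: str    # IPv4 destination address
    sig: str    # signature / alert class


# Constructed raw NIDS alerts (not real captures): one scan-then-brute-force
# burst, an unrelated ping, and a second SSH burst an hour later.
ALERTS = [
    Alert(0, "10.0.0.5", "192.168.1.10", "ET SCAN Nmap"),
    Alert(20, "10.0.0.5", "192.168.1.10", "SSH brute force"),
    Alert(25, "10.0.0.5", "192.168.1.11", "SSH brute force"),
    Alert(40, "172.16.4.2", "192.168.1.10", "ICMP ping"),
    Alert(3600, "10.0.0.5", "192.168.1.10", "SSH brute force"),
    Alert(3605, "10.0.0.99", "192.168.1.10", "SSH brute force"),
]

# Assumed attribute weights; they sum to 1 so the score is comparable to the threshold.
WEIGHTS = {"src": 0.4, "dst": 0.3, "time": 0.3}


def ip_similarity(a, b):
    """1.0 for identical addresses, 0.5 for different hosts in the same /24, else 0."""
    if a == b:
        return 1.0
    net = ipaddress.ip_network(a + "/24", strict=False)
    return 0.5 if ipaddress.ip_address(b) in net else 0.0


def time_similarity(t1, t2, window=300.0):
    """Linear decay from 1.0 (same instant) to 0.0 at `window` seconds apart."""
    return max(0.0, 1.0 - abs(t1 - t2) / window)


def similarity(a, b):
    """Weighted attribute similarity between two alerts, in [0, 1]."""
    return (WEIGHTS["src"] * ip_similarity(a.src, b.src)
            + WEIGHTS["dst"] * ip_similarity(a.dst, b.dst)
            + WEIGHTS["time"] * time_similarity(a.ts, b.ts))


def correlate(alerts, threshold=0.6):
    """Greedy single pass in time order: an alert joins the first group whose
    most recent alert is similar enough, otherwise it starts a new group.
    Returns the groups (candidate attack tracks) as lists of alerts."""
    groups = []
    for alert in sorted(alerts, key=lambda a: a.ts):
        for group in groups:
            if similarity(group[-1], alert) >= threshold:
                group.append(alert)
                break
        else:
            groups.append([alert])
    return groups


if __name__ == "__main__":
    for n, group in enumerate(correlate(ALERTS), 1):
        print(f"track {n}:", " -> ".join(f"{a.sig}@{a.ts:.0f}s" for a in group))
```

The sample splits into three tracks: the scan and the two brute-force alerts from 10.0.0.5, the lone ping, and the hour-later SSH pair, which the time window keeps apart from the first burst even though the source is the same. Tuning the window and threshold is where the survey's point about low-quality, largely false-positive alerts bites: a loose threshold merges unrelated noise into one track, a tight one fragments a real multi-step attack.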

    AI for IT Operations (AIOps) on Cloud Platforms: Reviews, Opportunities and Challenges

    Artificial Intelligence for IT Operations (AIOps) aims to combine the power of AI with the big data generated by IT operations processes, particularly in cloud infrastructures, to provide actionable insights with the primary goal of maximizing availability. There is a wide variety of problems to address and multiple use cases where AI capabilities can be leveraged to enhance operational efficiency. Here we provide a review of the AIOps vision, trends, challenges and opportunities, focusing specifically on the underlying AI techniques. We discuss in depth the key types of data emitted by IT operations activities, the scale of and challenges in analyzing them, and where they can be helpful. We categorize the key AIOps tasks as incident detection, failure prediction, root cause analysis and automated actions. We discuss the problem formulation for each task and then present a taxonomy of techniques to solve these problems. We also identify relatively under-explored topics, especially those that could significantly benefit from advances in the AI literature, and provide insights into the trends in this field and the key investment opportunities