Intrusion alert prioritisation and attack detection using post-correlation analysis
Event Correlation used to be a widely used technique for interpreting alert logs and discovering network attacks. However, due to the scale and complexity of today's networks and attacks, alert logs produced by these modern networks are much larger in volume and difficult to analyse. In this research we show that adding post-correlation methods can be used alongside correlation to significantly improve the analysis of alert logs.
We proposed a new framework titled A Comprehensive System for Analysing Intrusion Alerts (ACSAnIA). The post-correlation methods include a new prioritisation metric based on anomaly detection and a novel approach to clustering events using correlation knowledge. One of the key benefits of the framework is that it significantly reduces false-positive alerts and it adds contextual information to true-positive alerts.
We evaluated the post-correlation methods of ACSAnIA using data from a 2012 cyber range experiment carried out by industrial partners of the British Telecom Security Practice Team. In one scenario, our results show that false-positives were successfully reduced by 97% and in another scenario, 16%. It also showed that clustering correlated alerts aided in attack detection.
The proposed framework is also being developed and integrated into a pre-existing Visual Analytic tool developed by the British Telecom SATURN Research Team for the analysis of cyber security data.
Process mining for healthcare: Characteristics and challenges
Process mining techniques can be used to analyse business processes using the data logged during their execution. These techniques are leveraged in a wide range of domains, including healthcare, where they focus mainly on the analysis of diagnostic, treatment, and organisational processes. Despite the huge amount of data generated in hospitals by staff and machinery involved in healthcare processes, there is no evidence of a systematic uptake of process mining beyond targeted case studies in a research context. When developing and using process mining in healthcare, distinguishing characteristics of healthcare processes such as their variability and patient-centred focus require targeted attention. Against this background, the Process-Oriented Data Science in Healthcare Alliance has been established to propagate the research and application of techniques targeting the data-driven improvement of healthcare processes. This paper, an initiative of the alliance, presents the distinguishing characteristics of the healthcare domain that need to be considered to successfully use process mining, as well as open challenges that need to be addressed by the community in the future. This work is partially supported by ANID FONDECYT 1220202, Dirección de Investigación de la Vicerrectoría de Investigación de la Pontificia Universidad Católica de Chile - PUENTE [Grant No. 026/2021]; and Agencia Nacional de Investigación y Desarrollo [Grant Nos. ANID-PFCHA/Doctorado Nacional/2019-21190116, ANID-PFCHA/Doctorado Nacional/2020-21201411]. With regard to the co-author Hilda Klasky, this manuscript has been authored by UT-Battelle, LLC, under contract DE-AC05-00OR22725 with the US Department of Energy (DOE).
The US government retains and the publisher, by accepting the article for publication, acknowledges that the US government retains a nonexclusive, paid-up, irrevocable, worldwide license to publish or reproduce the published form of this manuscript, or allow others to do so, for US government purposes. DOE will provide public access to these results of federally sponsored research in accordance with the DOE Public Access Plan (http://energy.gov/downloads/doe-public-access-plan). Munoz Gama, J.; Martin, N.; Fernández Llatas, C.; Johnson, OA.; Sepúlveda, M.; Helm, E.; Galvez-Yanjari, V.... (2022). Process mining for healthcare: Characteristics and challenges. Journal of Biomedical Informatics. 127:1-15. https://doi.org/10.1016/j.jbi.2022.103994
Peer reviewed. Article signed by 55 authors:
Jorge Munoz-Gama (a)*, Niels Martin (b,c)*, Carlos Fernandez-Llatas (d,g)*, Owen A. Johnson (e)*, Marcos Sepúlveda (a)*, Emmanuel Helm (f)*, Victor Galvez-Yanjari (a)*, Eric Rojas (a), Antonio Martinez-Millana (d), Davide Aloini (k), Ilaria Angela Amantea (l,q,r), Robert Andrews (ab), Michael Arias (z), Iris Beerepoot (o), Elisabetta Benevento (k), Andrea Burattin (ai), Daniel Capurro (j), Josep Carmona (s), Marco Comuzzi (w), Benjamin Dalmas (aj,ak), Rene de la Fuente (a), Chiara Di Francescomarino (h), Claudio Di Ciccio (i), Roberto Gatta (ad,ae), Chiara Ghidini (h), Fernanda Gonzalez-Lopez (a), Gema Ibanez-Sanchez (d), Hilda B. Klasky (p), Angelina Prima Kurniati (al), Xixi Lu (o), Felix Mannhardt (m), Ronny Mans (af), Mar Marcos (v), Renata Medeiros de Carvalho (m), Marco Pegoraro (x), Simon K. Poon (ag), Luise Pufahl (u), Hajo A. Reijers (m,o), Simon Remy (y), Stefanie Rinderle-Ma (ah), Lucia Sacchi (t), Fernando Seoane (g,am,an), Minseok Song (aa), Alessandro Stefanini (k), Emilio Sulis (l), Arthur H. M. ter Hofstede (ab), Pieter J. Toussaint (ac), Vicente Traver (d), Zoe Valero-Ramon (d), Inge van de Weerd (o), Wil M.P. van der Aalst (x), Rob Vanwersch (m), Mathias Weske (y), Moe Thandar Wynn (ab), Francesca Zerbato (n)
(a) Pontificia Universidad Catolica de Chile, Chile; (b) Hasselt University, Belgium; (c) Research Foundation Flanders (FWO), Belgium; (d) Universitat Politècnica de València, Spain; (e) University of Leeds, United Kingdom; (f) University of Applied Sciences Upper Austria, Austria; (g) Karolinska Institutet, Sweden; (h) Fondazione Bruno Kessler, Italy; (i) Sapienza University of Rome, Italy; (j) University of Melbourne, Australia; (k) University of Pisa, Italy; (l) University of Turin, Italy; (m) Eindhoven University of Technology, The Netherlands; (n) University of St. Gallen, Switzerland; (o) Utrecht University, The Netherlands; (p) Oak Ridge National Laboratory, United States; (q) University of Bologna, Italy; (r) University of Luxembourg, Luxembourg; (s) Universitat Politècnica de Catalunya, Spain; (t) University of Pavia, Italy; (u) Technische Universitaet Berlin, Germany; (v) Universitat Jaume I, Spain; (w) Ulsan National Institute of Science and Technology (UNIST), Republic of Korea; (x) RWTH Aachen University, Germany; (y) University of Potsdam, Germany; (z) Universidad de Costa Rica, Costa Rica; (aa) Pohang University of Science and Technology, Republic of Korea; (ab) Queensland University of Technology, Australia; (ac) Norwegian University of Science and Technology, Norway; (ad) Universita degli Studi di Brescia, Italy; (ae) Lausanne University Hospital (CHUV), Switzerland; (af) Philips Research, the Netherlands; (ag) The University of Sydney, Australia; (ah) Technical University of Munich, Germany; (ai) Technical University of Denmark, Denmark; (aj) Mines Saint-Etienne, France; (ak) Université Clermont Auvergne, France; (al) Telkom University, Indonesia; (am) Karolinska University Hospital, Sweden; (an) University of Borås, Sweden
Resource Utilization Prediction in Decision-Intensive Business Processes
An appropriate resource utilization is crucial for organizations in order to avoid, among other things, unnecessary costs (e.g. when resources are under-utilized) and too long execution times (e.g. due to excessive workloads, i.e. resource over-utilization). However, traditional process control and risk measurement approaches do not address resource utilization in processes. We studied an often-encountered industry case for providing large-scale technical infrastructure which requires rigorous testing for the systems deployed and identified the need of projecting resource utilization as a means for measuring the risk of resource under- and over-utilization. Consequently, this paper presents a novel predictive model for resource utilization in decision-intensive processes, present in many domains. In particular, we predict the utilization of resources for a desired period of time given a decision-intensive business process that may include nested loops, and historical data (i.e. order and duration of past activity executions, resource profiles and their experience etc.). We have applied our method using a real business process with multiple instances and presented the outcome.
Austrian Research Promotion Agency (FFG) 845638 (SHAPE); Austrian Science Fund (FWF) V 569-N31 (PRAIS
Mining intrusion detection alert logs to minimise false positives & gain attack insight
Utilising Intrusion Detection System (IDS) logs in security event analysis is crucial in the process of assessing, measuring and understanding the security state of a computer network, often defined by its current exposure and resilience to network attacks. Thus, the study of understanding network attacks through event analysis is a fast growing emerging area. In comparison to its first appearance a decade ago, the complexities involved in achieving effective security event analysis have significantly increased. With such increased complexities, advances in security event analytical techniques are required in order to maintain timely mitigation and prediction of network attacks.
This thesis focusses on improving the quality of analysing network event logs, particularly intrusion detection logs by exploring alternative analytical methods which overcome some of the complexities involved in security event analysis. This thesis provides four key contributions. Firstly, we explore how the quality of intrusion alert logs can be improved by eliminating the large volume of false positive alerts contained in intrusion detection logs. We investigate probabilistic alert correlation, an alternative to traditional rule based correlation approaches. We hypothesise that probabilistic alert correlation aids in discovering and learning the evolving dependencies between alerts, further revealing attack structures and information which can be vital in eliminating false positives. Our findings showed that the results support our defined hypothesis, aligning consistently with existing literature. In addition, evaluating the model using recent attack datasets (in comparison to outdated datasets used in many research studies) allowed the discovery of a new set of issues relevant to modern security event log analysis which have only been introduced and addressed in few research studies.
Secondly, we propose a set of novel prioritisation metrics for the filtering of false positive intrusion alerts using knowledge gained during alert correlation. A combination of heuristic, temporal and anomaly detection measures is used to define metrics which capture characteristics identifiable in common attacks, including denial-of-service attacks and worm propagations. The most relevant of the novel metrics, Outmet, is based on the well-known Local Outlier Factor algorithm. Our findings showed that with a slight trade-off in sensitivity (i.e. true-positive performance), Outmet reduces false positives significantly. In comparison to the prior state of the art, our findings show that it performs more efficiently across a variety of attack scenarios.
Thirdly, we extend a well-known real-time clustering algorithm, CluStream, in order to support the categorisation of attack patterns represented as graph-like structures. Our motive behind attack pattern categorisation is to provide automated methods for capturing consistent behavioural patterns across a given class of attacks. To our knowledge, this is a novel approach to intrusion alert analysis. The extension of CluStream resulted in a novel lightweight real-time clustering algorithm for graph structures. Our findings are new and complement existing literature. We discovered that in certain case studies, repetitive attack behaviour could be mined. Such a discovery could facilitate the prediction of future attacks.
Finally, we acknowledge that, due to the intelligence and stealth involved in modern network attacks, automated analytical approaches alone may not suffice in making sense of intrusion detection logs. Thus, we explore visualisation and interactive methods for effective visual analysis which, if combined with the automated approaches proposed, would improve the overall results of the analysis. The result of this is a visual analytic framework, integrated and tested in a commercial Cyber Security Event Analysis Software System distributed by British Telecom.
OrgMining 2.0: A Novel Framework for Organizational Model Mining from Event Logs
Providing appropriate structures around human resources can streamline operations and thus facilitate the competitiveness of an organization. To achieve this goal, modern organizations need to acquire an accurate and timely understanding of human resource grouping while faced with an ever-changing environment. The use of process mining offers a promising way to help address the need through utilizing event log data stored in information systems. By extracting knowledge about the actual behavior of resources participating in business processes from event logs, organizational models can be constructed, which facilitate the analysis of the de facto grouping of human resources relevant to process execution. Nevertheless, open research gaps remain to be addressed when applying the state-of-the-art process mining to analyze resource grouping. For one, the discovery of organizational models has only limited connections with the context of process execution. For another, a rigorous solution that evaluates organizational models against event log data is yet to be proposed. In this paper, we aim to tackle these research challenges by developing a novel framework built upon a richer definition of organizational models coupling resource grouping with process execution knowledge. By introducing notions of conformance checking for organizational models, the framework allows effective evaluation of organizational models, and therefore provides a foundation for analyzing and improving resource grouping based on event logs. We demonstrate the feasibility of this framework by proposing an approach underpinned by the framework for organizational model discovery, and also conduct experiments on real-life event logs to discover and evaluate organizational models.
Comment: Manuscript initially submitted for review on 13/5/2020 with 38 pages, 10 figures, 11 table
Evaluating concepts for short-term control in financial service processes
Financial services are characterised by the integration of customers while the service is being delivered. This integration leads to interruptions, and thus delays, in the processing of a customer order until, for example, the customer provides the missing input. Because customer behaviour can only be planned to a certain extent, this is a major problem for the efficient control of financial service processes. It would be helpful to know which concept leads to the best solution for a certain situation in controlling the process. A concept contains explicit practical knowledge, e.g. using a stand-by employee or a prioritisation of customer orders with first-in-first-out. As financial services differ from manufacturing processes, application knowledge of concepts cannot be transferred one to one. To test concepts regarding their ability to deal efficiently with interruptions by customers, short-term simulations should be conducted. Short-term simulation uses the actual state of a process and does not focus on steady-state results. The research presented focuses on comparing several concepts for short-term control using case-study data of a typical financial service process. For this process a simulation model is built based on process mining. This approach is used to gather information out of documented timestamps of the underlying process-aware information systems. Such timestamps allow a historical analysis to build typical scenarios and to gather the actual state of a financial service process as a starting point for a simulation analysis. The depicted concepts are simulated for different typical scenarios to determine which concept suits each best. The results show which concepts suit best in certain situations for the case study conducted.
Keywords: short-term control, financial services, business process simulation
Discovering Attackers Past Behavior to Generate Online Hyper-Alerts
To support information security, organizations deploy Intrusion Detection Systems (IDS) that monitor information systems and networks, generating alerts for every suspicious behavior. However, the huge amount of alerts that an IDS triggers and their low-level representation make alert analysis a challenging task. In this paper, we propose a new approach based on hierarchical clustering that supports intrusion alert analysis in two main steps. First, it correlates historical alerts to identify the most common strategies attackers have used. Then, it associates upcoming alerts in real time according to the strategies discovered in the first step. The experiments were performed using a real dataset from the University of Maryland. The results showed that the proposed approach could properly identify the attack strategy patterns from historical alerts, and organize the upcoming alerts into a smaller number of meaningful hyper-alerts.
Known and unknown requirements in healthcare
We report experience in requirements elicitation of domain knowledge from experts in clinical and cognitive neurosciences. The elicitation target was a causal model for early signs of dementia indicated by changes in user behaviour and errors apparent in logs of computer activity. A Delphi-style process consisting of workshops with experts followed by a questionnaire was adopted. The paper describes how the elicitation process had to be adapted to deal with problems encountered in terminology and limited consensus among the experts. In spite of the difficulties encountered, a partial causal model of user behavioural pathologies and errors was elicited. This informed requirements for configuring data- and text-mining tools to search for the specific data patterns. Lessons learned for elicitation from experts are presented, and the implications for requirements are discussed as "unknown unknowns", as well as configuration requirements for directing data-/text-mining tools towards refining awareness requirements in healthcare applications.