130 research outputs found

    R-CAD: Rare Cyber Alert Signature Relationship Extraction Through Temporal Based Learning

    The large number of streaming intrusion alerts makes it challenging for security analysts to quickly identify attack patterns. This is especially difficult since critical alerts often occur too rarely for traditional pattern mining algorithms to be effective. Recognizing the attack speed as an inherent indicator of differing cyber attacks, this work aggregates alerts into attack episodes that have distinct attack speeds, and finds attack actions regularly co-occurring within the same episode. This enables a novel use of the constrained SPADE temporal pattern mining algorithm to extract consistent co-occurrences of alert signatures that are indicative of attack actions that follow each other. The proposed Rare yet Co-occurring Attack action Discovery (R-CAD) system extracts not only the co-occurring patterns but also the temporal characteristics of the co-occurrences, giving the 'strong rules' indicative of critical and repeated attack behaviors. Through the use of a real-world dataset, we demonstrate that R-CAD helps reduce the overwhelming volume and variety of intrusion alerts to a manageable set of co-occurring strong rules. We show specific rules that reveal how critical attack actions follow one another and at what attack speed.

    The Multivariate EWMA Model and Health Care Monitoring

    We introduce the construction of MEWMA (multivariate exponentially weighted moving average) process control in the field of biosurveillance. Such an introduction will improve the reliability of data collected in biosurveillance, the interpretation of the results, the quality of results, and the standardization of results when more than two variables are involved. We propose sensitivity ratios as a measure of the effects of the mean shift and dispersion shift in processes under study. Using these sensitivity measures, we designed the optimal exponential weighting factor, which is consistent with results reported in control chart applications. Although ARL (average run length) is the usual measure for control chart performance in multivariate process control, it is by no means the only criterion; however, at the moment it is the most widely used criterion for decision making. We suggest additional study of other criteria, for example Median Run Length, Days to Completion, Direction of Errors and others.

    EWMA STATISTICS AND FUZZY LOGIC IN FUNCTION OF NETWORK ANOMALY DETECTION

    Anomaly detection is used to monitor and capture traffic anomalies in network systems. Many anomalies manifest in changes in the intensity of network events. Because of the ability of the EWMA control chart to monitor the rate of occurrence of events based on their intensity, this statistic is appropriate for implementation in control-limit-based algorithms. The performance of the standard EWMA algorithm can be made more effective by combining the logic of the adaptive threshold algorithm with adequate application of fuzzy theory. This paper analyzes the theoretical possibility of applying EWMA statistics and fuzzy logic to detect network anomalies. Different aspects of fuzzy rules are discussed as well as different membership functions, trying to find the most adequate choice. It is shown that the introduction of fuzzy logic into the standard EWMA algorithm for anomaly detection opens the possibility of early warning of a network attack. Besides, fuzzy logic enables precise determination of the degree of risk.

    Multivariate Ewma Models and Monitoring Health Surveillance during a Pandemic

    We examine a common problem in biological analytics and surveillance in health care. These methods can greatly improve the process of monitoring health data to assess changes in the likelihood of pandemics and disease incidence in a world where medical knowledge is still largely in an embryonic period. Based on an illustration, we suggest that multivariate exponential moving-average (MEWMA) control charts are suitable in many cases where detection and inspection of several or more variables over a lengthy period of testing provide for the best analysis of data leading to pre-diagnostic and diagnostic therapy. Though these methods came from the control of quality and continuous improvement in lean manufacturing and service operations, they are a useful if not vital application in the analysis of health care and therapeutic data. The indications from this study corroborate earlier findings by others that MEWMA methods fit the diagnostic activity under study. Unfortunately, pandemic analysis is using oversimplified techniques in analyzing data secured by diagnostic tests, which can easily be improved, especially in the use of modern-day analytics based on quality control methods used in other disciplines.

    Improving Data Analytics during a Pandemic episode: A Review

    Examining reporting methods to determine the effects of a pandemic on the health of a nation's or geographic entity's population is a serious undertaking. The goal is to explain how measurement (or metrics) can tend to be misleading, which may lead to less than optimal decision making by health professionals and similar people in charge of health decisions.

    Temporally adaptive monitoring procedures with applications in enterprise cyber-security

    Due to the perpetual threat of cyber-attacks, enterprises must employ and develop new methods of detection as attack vectors evolve and advance. Enterprise computer networks produce a large volume and variety of data including univariate data streams, time series and network graph streams. Motivated by cyber-security, this thesis develops adaptive monitoring tools for univariate and network graph data streams; however, they are not limited to this domain. In all domains, real data streams present several challenges for monitoring including trend, periodicity and change points. Streams often also have high volume and frequency. To deal with the non-stationarity in the data, the methods applied must be adaptive. Adaptability in the proposed procedures throughout the thesis is introduced using forgetting factors, weighting the data according to recency. Secondly, methods applied must be computationally fast with a small or fixed computation burden and fixed storage requirements for timely processing. Throughout this thesis, sequential or sliding window approaches are employed to achieve this. The first part of the thesis is centred around univariate monitoring procedures. A sequential adaptive parameter estimator is proposed using a Bayesian framework. This procedure is then extended for multiple change point detection, where, unlike existing change point procedures, the proposed method is capable of detecting abrupt changes in the presence of trend. We additionally present a time series model which combines short-term and long-term behaviours of a series for improved anomaly detection. Unlike existing methods which primarily focus on point anomaly detection (extreme outliers), our method is capable of also detecting contextual anomalies, when the data deviates from persistent patterns of the series such as seasonality. Finally, a novel multi-type relational clustering methodology is proposed. As multiple relations exist between the different entities within a network (computers, users and ports), multiple network graphs can be generated. We propose simultaneously clustering over all graphs to produce a single clustering for each entity using Non-Negative Matrix Tri-Factorisation. Through simplifications, the proposed procedure is fast and scalable for large network graphs. Additionally, this methodology is extended for graph streams. This thesis provides an assortment of tools for enterprise network monitoring with a focus on adaptability and scalability, making them suitable for intrusion detection and situational awareness.

    Survey of Attack Projection, Prediction, and Forecasting in Cyber Security

    This paper provides a survey of prediction and forecasting methods used in cyber security. Four main tasks are discussed first: attack projection and intention recognition, in which there is a need to predict the next move or the intentions of the attacker; intrusion prediction, in which there is a need to predict upcoming cyber attacks; and network security situation forecasting, in which we project the cybersecurity situation in the whole network. Methods and approaches for addressing these tasks often share the theoretical background and are often complementary. In this survey, both methods based on discrete models, such as attack graphs, Bayesian networks, and Markov models, and continuous models, such as time series and grey models, are surveyed, compared, and contrasted. We further discuss machine learning and data mining approaches, which have gained a lot of attention recently and appear promising for such a constantly changing environment as cyber security. The survey also focuses on the practical usability of the methods and problems related to their evaluation.

    INTRUSION PREDICTION SYSTEM FOR CLOUD COMPUTING AND NETWORK BASED SYSTEMS

    Cloud computing offers cost-effective computational and storage services with on-demand scalable capacities according to the customers' needs. These properties encourage organisations and individuals from different disciplines to migrate from classical computing to cloud computing. Although cloud computing is a trendy technology that opens the horizons for many businesses, it is a new paradigm that exploits already existing computing technologies in a new framework rather than being a novel technology. This means that cloud computing inherited classical computing problems that are still challenging. Cloud computing security is considered one of the major problems, which requires strong security systems to protect the system and the valuable data stored and processed in it. Intrusion detection systems are one of the important security components and defence layers that detect cyber-attacks and malicious activities in cloud and non-cloud environments. However, there are some limitations, such as attacks being detected at a time when the damage of the attack was already done. In recent years, cyber-attacks have increased rapidly in volume and diversity. In 2013, for example, over 552 million customers' identities and crucial information were revealed through data breaches worldwide [3]. These growing threats are further demonstrated in the 50,000 daily attacks on the London Stock Exchange [4]. It has been predicted that the economic impact of cyber-attacks will cost the global economy $3 trillion on aggregate by 2020 [5]. This thesis focused on proposing an Intrusion Prediction System that is capable of sensing an attack before it happens in cloud or non-cloud environments. The proposed solution is based on assessing the host system vulnerabilities and monitoring the network traffic for attack preparations. It has three main modules. The monitoring module observes the network for any intrusion preparations. This thesis proposes a new dynamic-selective statistical algorithm for detecting scan activities, which is part of reconnaissance and represents an essential step in network attack preparation. The proposed method performs a statistical selective analysis of network traffic, searching for attack or intrusion indications. This is achieved by exploring and applying different statistical and probabilistic methods that deal with scan detection. The second module of the prediction system is vulnerability assessment, which evaluates the weaknesses and faults of the system and measures the probability of the system falling victim to cyber-attack. Finally, the third module is the prediction module, which combines the output of the two modules and performs risk assessments of the system security from intrusion prediction. The results of the conducted experiments showed that the suggested system outperforms the analogous methods in regard to performance of network scan detection, which accordingly means a significant improvement to the security of the targeted system. The scanning detection algorithm has achieved high detection accuracy with 0% false negatives and 50% false positives. In terms of performance, the detection algorithm consumed only 23% of the data needed for analysis compared to the best-performing rival detection method.