9 research outputs found

    Real-time fusion and projection of network intrusion activity

    Intrusion Detection Systems (IDS) warn of suspicious or malicious network activity and are a fundamental, yet passive, defense-in-depth layer for modern networks. Prior research has applied information fusion techniques to correlate the alerts of multiple IDSs and group those belonging to the same multi-stage attack into attack tracks. Projecting the next likely step in these tracks potentially enhances an analyst’s situational awareness; however, the reliance on attack plans, complicated algorithms, or expert knowledge of the respective network is prohibitive and prone to obsolescence with the continual deployment of new technology and evolution of hacker tradecraft. This thesis presents a real-time continually learning system capable of projecting attack tracks that does not require a priori knowledge about network architecture or rely on static attack templates. Prediction correctness over time and other metrics are used to assess the system’s performance. The system demonstrates the successful real-time adaptation of the model, including enhancements such as the prediction that a never-before-observed event is about to occur. The intrusion projection system is framed as part of a larger information fusion and impact assessment architecture for cyber security.

    Situation Assessment for Mobile Robots

    Application of data and information fusion

    Ph.D., Doctor of Philosophy

    Probabilistic Modeling and Inference for Obfuscated Network Attack Sequences

    Prevalent computing devices with networking capabilities have become critical network infrastructure for government, industry, academia and every-day life. As their value rises, the motivation driving network attacks on this infrastructure has shifted from the pursuit of notoriety to the pursuit of profit or political gains, leading to network attacks on various scales. Facing diverse network attack strategies and overwhelming alerts, much work has been devoted to correlating observed malicious events to pre-defined scenarios, attempting to deduce the attack plans based on expert models of how network attacks may transpire. We started the exploration of characterizing network attacks by investigating how temporal and spatial features of attack sequences can be used to describe different types of attack sources in a real data set. Attack sequence models were built from a real data set to describe different attack strategies. Based on the probabilistic attack sequence model, attack predictions were made to actively predict next possible actions. Experiments through attack predictions have revealed that sophisticated attackers can employ a number of obfuscation techniques to confuse the alert correlation engine or classifier. Unfortunately, most existing work treats attack obfuscations by developing ad-hoc fixes to specific obfuscation techniques. To this end, we developed an attack modeling framework that enables a systematic analysis of obfuscations. The proposed framework represents network attack strategies as general finite order Markov models and integrates them with different attack obfuscation models to form probabilistic graphical models. A set of algorithms is developed to infer the network attack strategies given the models and the observed sequences, which are likely to be obfuscated. 
The algorithms enable an efficient analysis of the impact of different obfuscation techniques and attack strategies, by determining the expected classification accuracy of the obfuscated sequences. The algorithms are developed by integrating the recursion concept in dynamic programming and the Monte-Carlo method. The primary contributions of this work include the development of the formal framework and the algorithms to evaluate the impact of attack obfuscations. Several knowledge-driven attack obfuscation models are developed and analyzed to demonstrate the impact of different types of commonly used obfuscation techniques. The framework and algorithms developed in this work can also be applied to other contexts beyond network security. Any behavior sequences that might suffer from noise and require matching to pre-defined models can use this work to recover the most likely original sequence or evaluate quantitatively the expected classification accuracy one can achieve to separate the sequences.

    Advanced Threat Intelligence: Interpretation of Anomalous Behavior in Ubiquitous Kernel Processes

    Targeted attacks on digital infrastructures are a rising threat against the confidentiality, integrity, and availability of both IT systems and sensitive data. With the emergence of advanced persistent threats (APTs), identifying and understanding such attacks has become an increasingly difficult task. Current signature-based systems are heavily reliant on fixed patterns that struggle with unknown or evasive applications, while behavior-based solutions usually leave most of the interpretative work to a human analyst. This thesis presents a multi-stage system able to detect and classify anomalous behavior within a user session by observing and analyzing ubiquitous kernel processes. Application candidates suitable for monitoring are initially selected through an adapted sentiment mining process using a score based on the log likelihood ratio (LLR). For transparent anomaly detection within a corpus of associated events, the author utilizes star structures, a bipartite representation designed to approximate the edit distance between graphs. Templates describing nominal behavior are generated automatically and are used for the computation of both an anomaly score and a report containing all deviating events. The extracted anomalies are classified using the Random Forest (RF) and Support Vector Machine (SVM) algorithms. Ultimately, the newly labeled patterns are mapped to a dedicated APT attacker–defender model that considers objectives, actions, actors, as well as assets, thereby bridging the gap between attack indicators and detailed threat semantics. This enables both risk assessment and decision support for mitigating targeted attacks. Results show that the prototype system is capable of identifying 99.8% of all star structure anomalies as benign or malicious. In multi-class scenarios that seek to associate each anomaly with a distinct attack pattern belonging to a particular APT stage we achieve a solid accuracy of 95.7%. 
Furthermore, we demonstrate that 88.3% of observed attacks could be identified by analyzing and classifying a single ubiquitous Windows process for a mere 10 seconds, thereby eliminating the necessity to monitor each and every (unknown) application running on a system. With its semantic take on threat detection and classification, the proposed system offers a formal as well as technical solution to an information security challenge of great significance. The financial support by the Christian Doppler Research Association, the Austrian Federal Ministry for Digital and Economic Affairs, and the National Foundation for Research, Technology and Development is gratefully acknowledged.

    A Leap In The Dark: Identity, Culture And The Trauma Of War Mediated Through The Visual Arts Of North-East European Migrants And Émigrés To Australia After 1945

    This thesis explores the contribution to the cultural life of post-war Australia by migrant artists from north-eastern Europe. It researches the lives and work not only of displaced artists arriving in the mass exodus from Europe after the Second World War, but also second and third generation artists descended from original migrant families, and much later émigré artists. Art histories written to date about the post-war period provide little coverage of the contribution to the art and culture of Australia by migrant artists from north-eastern Europe. The coverage in the literature written about the visual art produced by established Australian artists is far greater than that given to the migrant artists also exhibiting at the same time. Insofar as the ‘gap’ in the literature is concerned, this research reveals a number of factors which appear to have influenced the non-recognition of migrant art—such as, poor reception of abstract art in Australia post-war and the protection of established Australian artists. The impact of European abstract expressionism that migrants introduced in the 1950s had a lasting effect on Australian modern art, together with the innovation of their contemporary sculpture, which changed the urban landscape of Australian cities. This research questions the possible long term repercussions emanating from colonial Anglocentric Australian government policies, which in turn leads to questions about the importance and location of cultural heritage, sense of identity, third space and cultural hybridity. With a focus on migrant artists from north-eastern Europe—the Baltic States and Poland—the research investigates how second and third generation artists locate their visual art in relation to their cultural environment and how they navigate between their cultural heritage and the cultural mosaic of an Australian context. 
The impact of war on artists from migrant families through the subjugated experience of those families is also addressed to ascertain any effect on the visual art currently being produced. Interviews were conducted with ten artists of north-east European ancestry, using an ethnographic qualitative research methodology incorporating in-depth interviews together with close analysis of artwork during interview or subsequent contact in the artists’ studios and at exhibitions of their work. Research revealed that, regarding a sense of belonging and identity, nine of the ten artists still retain a perception of living between cultures, which appears congruous with the importance of the retention of language and ‘home’ culture. Making art appears to strengthen their sense of living between cultures, and their creative praxis combines experiences passed down through the generations fused into their own Australian life-world, modified and shaped within a third space of meaning. The thesis argues that second and third generation Australian artists, whilst engaging with contemporary issues, make reference to cultural traditions interspersed with comment on contemporary conditions, resulting in a syncretic articulation which forms a third space of cultural transformation and unity. The investigation into the impact of war, particularly World War II, revealed that only five participating artists directly manifest war themes in their visual art. However, the repercussions of that war and the Cold War, which lasted for many years after the Second World War, appear to have been subconsciously imprinted on the artwork of all three categories of artist, i.e. second and third generation and émigré artists. The cultural aesthetics migrants introduced has had a long-lasting effect on Australian tastes generally and on art education in particular. 
This research underlines the particular contribution of migrant artists from north-east Europe, revealing the aesthetic value such cultural integration has produced. This research seeks to initiate dialogue and a growing understanding of the rich and complex history of art and culture which migration has stimulated in Australia since the 1950s