106 research outputs found

    Anomaly-based Correlation of IDS Alarms

    An Intrusion Detection System (IDS) is one of the major techniques for securing information systems and keeping pace with current and potential threats and vulnerabilities in computing systems. It is an indisputable fact that the art of detecting intrusions is still far from perfect, and IDSs tend to generate a large number of false alarms. Hence a human analyst has to validate those alarms before any action can be taken. As IT infrastructures become larger and more complicated, the number of alarms that need to be reviewed can escalate rapidly, making this task very difficult to manage. The need for an automated correlation and reduction system is therefore very much evident. In addition, alarm correlation is valuable in providing operators with a more condensed view of potential security issues within the network infrastructure. The thesis embraces a comprehensive evaluation of the problem of false alarms and a proposal for an automated alarm correlation system. A critical analysis of existing alarm correlation systems is presented along with a description of the need for an enhanced correlation system. The study concludes that whilst a large number of works have been carried out on improving correlation techniques, none of them is perfect: they either require an extensive level of domain knowledge from human experts to run the system effectively, or are unable to provide high-level information about the false alerts for future tuning. The overall objective of the research has therefore been to establish an alarm correlation framework and system which enables the administrator to group alerts from the same attack instance effectively and subsequently reduce the volume of false alarms without the need for domain knowledge. The achievement of this aim has comprised the proposal of an attribute-based approach, which is used as a foundation to systematically develop an unsupervised two-stage correlation technique. From this formation, a novel SOM K-Means Alarm Reduction Tool (SMART) architecture has been modelled as the framework from which a time- and attribute-based aggregation technique is offered. The thesis describes the design and features of the proposed architecture, focusing upon the key components forming the underlying architecture, the alert attributes, and the way they are processed and applied to correlate alerts. The architecture is strengthened by the development of a statistical tool, which offers a means to perform analysis and comparison of results or alerts. The main concepts of the novel architecture are validated through the implementation of a prototype system. A series of experiments was conducted to assess the effectiveness of SMART in reducing false alarms. This aimed to prove the viability of implementing the system in a practical environment and that the study has provided an appropriate contribution to knowledge in this field.

    Chapter: A Framework for Learning System for Complex Industrial Processes

    Due to intense price-based global competition, rising operating costs, rapidly changing economic conditions and stringent environmental regulations, modern process and energy industries are confronting unprecedented challenges to maintain profitability. Therefore, improving product quality and process efficiency while reducing production cost and plant downtime are matters of utmost importance. These objectives are somewhat in conflict, and to satisfy them, optimal operation and control of the plant components are essential. Use of optimization not only improves the control and monitoring of assets, but also offers better coordination among different assets. Thus, it can lead to extensive savings in energy and resource consumption, and consequently a reduction in operational costs, by offering better control, diagnostics and decision support. This is one of the main driving forces behind developing new methods, tools and frameworks. In this chapter, a generic learning system architecture is presented that can be retrofitted to the existing automation platforms of different industrial plants. The architecture offers flexibility and modularity, so that relevant functionalities can be selected for a specific plant on an as-needed basis. Various functionalities such as soft sensors, output prediction, model adaptation, control optimization, anomaly detection, diagnostics and decision support are discussed in detail.

    Artificial Intelligence and Cybersecurity: Building an Automotive Cybersecurity Framework Using Machine Learning Algorithms

    Automotive technology has continued to advance in many aspects. As an outcome of such advancements, autonomous vehicles are closer to commercialization and have brought to life a complex automotive technology ecosystem [1]. Like every other technology, these developments bring benefits but also introduce a variety of risks. One of these risks in the automotive space is cybersecurity threats. In the case of cars, these security challenges can produce devastating results and tremendous costs, including loss of life. Therefore, conducting a clear analysis, assessment and detection of threats solves some of the cybersecurity challenges in the automotive ecosystem. This dissertation does just that, by building a three-step framework to analyze, assess, and detect threats using machine learning algorithms. First, it analyzes connected vehicle threats while leveraging the STRIDE framework [2]. Second, it presents an innovative, fuzzy-based threat assessment model (FTAM). FTAM leverages threat characterizations from established threat assessment models while focusing on improving their assessment capabilities by using fuzzy logic. Through this methodology, FTAM can improve the efficiency and accuracy of the threat assessment process over existing methods by using fuzzy logic to determine the "degree" of the threat. This differs from current threat assessment models, which use subjective assessment processes based on table look-ups or scoring. Third, this dissertation proposes an intrusion detection system (IDS) to detect malicious threats while taking into consideration results from the previous assessment stage. This IDS uses the dataset provided by the Wyoming Connected Vehicle Deployment program [3] and consists of a two-stage intrusion detection system based on supervised and unsupervised machine learning algorithms. The first stage uses unsupervised learning to detect whether an attack is present, and the second stage classifies these attacks in a supervised learning fashion. The second stage also addresses data bias and eliminates false positives. The simulation of this approach results in an IDS able to detect and classify attacks at 99.965% accuracy and lowers the false positive rate to 0%.
    Ph.D., College of Engineering & Computer Science, University of Michigan-Dearborn. https://deepblue.lib.umich.edu/bitstream/2027.42/149467/1/Nevrus Kaja PhD Dissertation V24.pdf

    Identifying Malicious Activities in Honeynets using Clustering


    Data Clustering in Cellular Frustration Models (Agrupamentos de dados em modelos de frustração celular)

    Cellular frustrated systems are models of interacting agents displaying complex dynamics which can be used for anomaly detection applications. In their simplest versions, these models consist of two agent types, called presenters and detectors. Presenters display information from data samples. Detectors read this information and perceive it as a binary signal, depending on its frequency of appearance. The type of signal perceived will have an impact on the agents' decision dynamics. In particular, the presence of anomalies leads to less frustrated, i.e. more stable, dynamics. In this thesis it is asked whether the mapping into binary signals could benefit from knowledge of the existence of clusters in the data set. To this end, a clustering technique was developed that gives particular attention to the fact that cellular frustrated systems discriminate samples depending on the number of features displaying rare values. The clusters obtained with this technique are also compared with those obtained using k-means or hierarchical agglomerative clustering. It is shown that using a clustering technique prior to the application of a cellular frustration system can improve anomaly detection rates. However, it is also shown that, depending on the type of anomalies, this may not generally be the case, and therefore simpler cellular frustration algorithms may have the advantage of being simpler.
    MSc in Physics Engineering