Intrusion alert prioritisation and attack detection using post-correlation analysis
Event correlation has long been a widely used technique for interpreting alert logs and discovering network attacks. However, because of the scale and complexity of today's networks and attacks, the alert logs these networks produce are far larger in volume and harder to analyse. In this research we show that post-correlation methods, applied alongside correlation, significantly improve the analysis of alert logs.
We propose a new framework, A Comprehensive System for Analysing Intrusion Alerts (ACSAnIA). Its post-correlation methods include a new prioritisation metric based on anomaly detection and a novel approach to clustering events using correlation knowledge. A key benefit of the framework is that it significantly reduces false-positive alerts while adding contextual information to true-positive alerts.
We evaluated the post-correlation methods of ACSAnIA using data from a 2012 cyber range experiment carried out by industrial partners of the British Telecom Security Practice Team. In one scenario false positives were reduced by 97%, and in another by 16%. The evaluation also showed that clustering correlated alerts aided attack detection.
The proposed framework is also being developed and integrated into an existing visual analytics tool, built by the British Telecom SATURN Research Team, for the analysis of cyber security data.
A New Metric for Prioritising Intrusion Alerts Using Correlation and Outlier Analysis
In a medium-sized network, an Intrusion Detection System (IDS) can produce thousands of alerts a day, many of which may be false positives. Among this vast number of triggered alerts, identifying those to prioritise is highly challenging. Alert correlation and prioritisation are both viable analytical methods commonly used to understand and rank alerts. However, to the authors' knowledge, very few dynamic prioritisation metrics exist. In this paper a new prioritisation metric, OutMet, is proposed, based on measuring the degree to which an alert belongs to anomalous behaviour. OutMet combines alert correlation and prioritisation analysis and, in the given attack scenarios, is capable of reducing false positives by up to 100%. The metric is tested and evaluated using the recently developed cyber-range dataset provided by Northrop Grumman.
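The two abstracts above describe the idea only at a high level: correlate raw alerts, then rank the correlated groups by how anomalous they look so that repetitive, single-signature noise sinks and multi-stage activity rises. The following is an added illustration written for this listing; it is not code from ACSAnIA, OutMet, or their authors, and the cluster key, the three features, the median/MAD scoring and the threshold are all assumptions chosen to show the general shape of outlier-based prioritisation. The alerts are constructed sample data, not a real dataset.

```python
"""Outlier-based prioritisation of correlated IDS alerts (illustrative).

Added example, not ACSAnIA or OutMet. Steps:
  1. correlate raw alerts into clusters keyed by (src, dst)   [assumed key]
  2. describe each cluster by a small feature vector           [assumed features]
  3. score each cluster by a robust (median/MAD) z-score       [assumed scoring]
  4. rank clusters and keep those above a threshold            [assumed threshold]
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class Alert:
    ts: int      # seconds into the window (constructed)
    src: str
    dst: str
    dport: int
    sig: str


# Constructed sample alerts. Sources .5 to .9 fire one signature repeatedly
# at one port (typical false-positive chatter); 10.0.0.99 runs a
# scan -> null session -> exploit attempt -> callback sequence.
SAMPLE_ALERTS = [
    Alert(1, "10.0.0.5", "10.0.1.10", 80, "HTTP_LONG_URI"),
    Alert(2, "10.0.0.99", "10.0.1.30", 22, "PORTSCAN"),
    Alert(3, "10.0.0.6", "10.0.1.10", 80, "HTTP_LONG_URI"),
    Alert(4, "10.0.0.7", "10.0.1.20", 53, "DNS_TXT_LARGE"),
    Alert(5, "10.0.0.99", "10.0.1.30", 445, "PORTSCAN"),
    Alert(6, "10.0.0.5", "10.0.1.10", 80, "HTTP_LONG_URI"),
    Alert(7, "10.0.0.8", "10.0.1.20", 53, "DNS_TXT_LARGE"),
    Alert(8, "10.0.0.9", "10.0.1.30", 445, "SMB_NULL_SESSION"),
    Alert(9, "10.0.0.99", "10.0.1.30", 445, "SMB_NULL_SESSION"),
    Alert(10, "10.0.0.6", "10.0.1.10", 80, "HTTP_LONG_URI"),
    Alert(11, "10.0.0.7", "10.0.1.20", 53, "DNS_TXT_LARGE"),
    Alert(12, "10.0.0.99", "10.0.1.30", 445, "SMB_EXPLOIT_ATTEMPT"),
    Alert(13, "10.0.0.6", "10.0.1.10", 80, "HTTP_LONG_URI"),
    Alert(14, "10.0.0.9", "10.0.1.30", 445, "SMB_NULL_SESSION"),
    Alert(15, "10.0.0.5", "10.0.1.10", 80, "HTTP_LONG_URI"),
    Alert(16, "10.0.0.99", "10.0.1.30", 4444, "SHELL_CMD"),
    Alert(17, "10.0.0.8", "10.0.1.20", 53, "DNS_TXT_LARGE"),
    Alert(18, "10.0.0.6", "10.0.1.10", 80, "HTTP_LONG_URI"),
    Alert(19, "10.0.0.7", "10.0.1.20", 53, "DNS_TXT_LARGE"),
    Alert(20, "10.0.0.99", "10.0.1.30", 4444, "SHELL_CMD"),
    Alert(21, "10.0.0.9", "10.0.1.30", 445, "SMB_NULL_SESSION"),
]


def correlate(alerts):
    """Step 1: group alerts into clusters keyed by (src, dst)."""
    clusters = defaultdict(list)
    for a in alerts:
        clusters[(a.src, a.dst)].append(a)
    return dict(clusters)


def features(cluster):
    """Step 2: (alert count, distinct signatures, distinct destination ports)."""
    return (len(cluster), len({a.sig for a in cluster}), len({a.dport for a in cluster}))


def robust_z(values):
    """Step 3 helper: median/MAD z-scores, resistant to the outliers we seek.
    A constant column has MAD 0; fall back to 1.0 so deviations are counted
    in raw units instead of dividing by zero."""
    med = median(values)
    mad = median([abs(v - med) for v in values]) or 1.0
    return [(v - med) / mad for v in values]


def prioritise(alerts, threshold=3.0):
    """Steps 3 and 4: score every cluster and return (ranked, prioritised).

    ranked      -- list of ((src, dst), score) sorted high to low
    prioritised -- cluster keys whose score is at least `threshold`
    Only positive deviations count: a cluster that is smaller or simpler
    than the median is ordinary, not suspicious."""
    clusters = correlate(alerts)
    keys = list(clusters)
    feats = [features(clusters[k]) for k in keys]
    zcols = [robust_z(list(col)) for col in zip(*feats)]
    scores = {k: sum(max(z[i], 0.0) for z in zcols) for i, k in enumerate(keys)}
    ranked = sorted(scores.items(), key=lambda kv: kv[1], reverse=True)
    prioritised = [k for k, s in ranked if s >= threshold]
    return ranked, prioritised


if __name__ == "__main__":
    ranked, chosen = prioritise(SAMPLE_ALERTS)
    for key, score in ranked:
        print(f"{key[0]:>10} -> {key[1]:<10} score={score:5.1f}")
    print("prioritised:", chosen)
    print(f"suppressed {len(ranked) - len(chosen)} of {len(ranked)} clusters")
```

On the constructed input the single attack cluster scores 11.0 and every single-signature cluster scores 2.0 or below, so with the assumed threshold five of six clusters are suppressed without losing the multi-stage one. Real deployments would learn the baseline from a longer window and add correlation knowledge (for example, signature ordering) to the feature vector rather than rely on three counts.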
A survey of security issue in multi-agent systems
Multi-agent systems have attracted the attention of researchers because of agents' automatic, pro-active, and dynamic problem-solving behaviours. Consequently, there has been rapid development in agent technology, which has enabled us to provide or receive useful and convenient services in a variety of areas such as banking, transportation, e-business, and healthcare. In many of these services, however, security must be guaranteed. Unless security can be guaranteed for services built on agent-based systems, those services will face significant deployment problems. In this paper we survey existing work on security in multi-agent systems, focusing on access control and trust/reputation, and then present our analyses. We also set out open problems and discuss future research challenges. © Springer Science+Business Media B.V 2011
Synaptic connection autonomic networks
This paper proposes a novel approach to forming weighted peer-to-peer networks in a self-organising and decentralised way, termed Synaptic Connection Autonomic Networks (SCAN). Distributed peers in SCAN establish and update their connections, or associations, based on resource-sharing results, following Hebbian learning in a manner related to that of biological neural systems. The strengths of peer associations reflect the utility of one peer to another and adapt continuously over time. In operation SCAN constructs resilient peer-to-peer networks in real time, giving a more efficient and effective resource-sharing mechanism between distributed peers. Simulated experiments verified that SCAN successfully formed P2P networks with correct peer associations, and that resource search based on them improved continuously as the networks formed.
A Hybrid Approach to Supervising Multiple Co-Operant Autonomous Mobile Robots
UK Robotics Ltd. have for some time been working in the area of multiple co-operant autonomous mobile robots. While a number of applications in the nuclear, chemical and off-shore industries would benefit from such technology, the required science and engineering is only just beginning to be realised. The key issues are, first, how to control the interaction of these robots with each other and with their environment, and second, how an operator should interact with such a group of robots. What has emerged is a novel hybrid architecture containing a reflective planning agent capable of translating high-level operator goals into low-level behaviour missions that can be executed by multiple autonomous robots. Two real robots have been used in our studies; this paper details our hybrid approach and the results obtained so far.
Advance Access publication on September 12, 2007 doi:10.1093/comjnl/bxm063 Hyperion—Next-Generation Battlespace Information Services
The future digital battlespace will be a fast-paced and frenetic environment that stresses information and communication technology systems to the limit. The challenges are most acute in the tactical and operational domains, where bandwidth is severely limited, security of information is paramount, the network is under physical and cyber attack, and administrative support is minimal. Hyperion is a cluster of research projects designed to provide an automated and adaptive information management capability embedded in defence networks. The overall system architecture is designed to improve the situational awareness of field commanders by providing the ability to fuse and compose information services in real time. The key technologies adopted to enable this include autonomous software agents, self-organizing middleware, a smart data filtering system and a 3-D battlespace simulation environment. This paper reviews some of the specific techniques under development within the Hyperion sub-projects and the results achieved to date.
Many hands make light work? An investigation into behaviourally controlled co-operant autonomous mobile robots
The past ten years have seen a flurry of research activity into the behavioural control of autonomous mobile robots. Yet despite this effort, many researchers are of the opinion that behavioural robots are incapable of achieving tasks more complex than simple can collecting, box pushing, herding or moving in formation. If such robots are to gain industrial credibility, these criticisms must be addressed. To focus the research we have studied the application of multiple mobile robots to a complex nuclear plant decommissioning problem. We argue that multiple mobile robots can co-operatively perform a complex task provided that solutions to a number of key issues are incorporated into a behavioural control architecture. These include behaviour conflict resolution, behaviour adaptation and behaviour scheduling. We have designed behavioural control methods to address these issues, and our work has resulted in the creation of a behaviour synthesis architecture.