PhD Project Description July 2015

PROJECT DETAILS

Project Title
A Data Driven Framework for Attribution and Correlation in Intrusion Detection

Project Summary

Aim: The overall aim of this project is to develop data-driven, intelligent and adaptive systems capable of analysing and correlating security events in intrusion detection.

Rationale: Obscure security events can be correlated across multiple logs, and doing so provides the higher level of visibility necessary for accurate and expeditious intrusion analysis. However, security device logging can be extensive and difficult to interpret. In this project, we will use a novel approach to address this problem by combining methods from cyber security and data science, and develop an intelligent system that performs event correlation over the large-scale logs and alerts of multiple security technologies.

Methods:

1. In experiments, we will set up an entry point, monitor all communications into and out of the darknet, and collect streams of security device logs that have not previously been investigated. In addition, a live database containing over 10 million real bad IP addresses (growing by 27K entries every 24 hours) and other security descriptors from our industry partners will be used for model validation.

2. We will then use methods from data science to investigate which changes across the multiple security device logs can be used to correlate the elements of an attack. We will design and develop two stages of clustering/classification algorithms. The first stage is essentially an anomaly detection exercise: benign behaviour is modelled in order to highlight attack outliers. Once the offending events are identified, a feature-based attribution algorithm will run in order to establish the types of attacks and also to group them by specific attack activity. The latter essentially correlates the elements of the attack set to allow the potential identification of the attacker.
This relates to the reduced discrimination problem: “given two attacks A1 and A2, do they belong to the same attacker?”. This step will allow future integration and correlation with additional sources of information such as Open Source Intelligence modules. To the best of our knowledge, these novel IDPS methodologies have never been attempted before, despite their significant benefits.

3. Finally, we will build an automated software framework capable of analysing and correlating security events in intrusion detection while efficiently interpreting large-scale security device logs.

The key outcomes of the project are:

1. The primary outcome of this project will be an anomaly detection exercise for modelling benign behaviour in order to highlight attack outliers.

2. As outlined above, such a system has the potential to establish the types of attacks and also to group them by specific attack activity.

3. Being able to statistically correlate the elements of an attack while efficiently interpreting large-scale security logs will not only have an academic impact by resulting in high-impact publications, but also support practical live forensic investigations.

Academic Impact

This cross-disciplinary research will develop new knowledge that spans the gap between forensic investigations and data science, opening up new areas of research in both of these fields. In particular, researchers with expertise in forensic investigations will benefit from the proposed methodologies in finding out how security device log indicators change during attack events. Researchers with expertise in data science will benefit from the proposed methodologies for building and optimising the deep feature extractors as well as developing the predictive software framework that could assist attribution and correlation tasks in the cyber environment.
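The two-stage method set out under Methods above (model benign behaviour to flag outliers, then run feature-based attribution that groups the offending events by activity and asks whether two attacks share an attacker) is illustrated below in Python. This is an added example written for this page; it is not code from the project description or from the project's own framework. The log records, the per-source features, the threshold rule (median plus three MADs with the MAD floored at 1) and the Jaccard cut-off of 0.8 are all constructed assumptions chosen to make the pipeline visible on a small input.

```python
"""Two-stage event correlation over constructed security-device logs.

Stage 1 models benign behaviour per source host from a clean baseline and
flags sources whose live behaviour exceeds the learned thresholds.
Stage 2 attributes the flagged sources to attack activities by grouping
them on a feature signature, and answers the reduced discrimination
question "do attacks A1 and A2 belong to the same attacker?".
Every record, threshold and cut-off here is constructed for illustration.
"""
from collections import defaultdict
from statistics import median

# Constructed records: (source IP, destination port, logging device, IDS signature or None)
BASELINE = [
    ("10.0.0.5", 443, "fw", None), ("10.0.0.5", 80, "fw", None), ("10.0.0.5", 443, "fw", None),
    ("10.0.0.6", 443, "fw", None),
    ("10.0.0.7", 53, "fw", None), ("10.0.0.7", 443, "fw", None),
    ("10.0.0.7", 443, "fw", None), ("10.0.0.7", 80, "fw", None),
    ("10.0.0.8", 443, "fw", None), ("10.0.0.8", 80, "fw", None),
    ("10.0.0.9", 443, "fw", None), ("10.0.0.9", 443, "fw", None), ("10.0.0.9", 443, "fw", None),
]
LIVE = BASELINE + (
    # two sources sweeping overlapping port ranges, each also raising an IDS alert
    [("198.51.100.9", p, "fw", None) for p in range(20, 32)]
    + [("198.51.100.9", 22, "ids", "SSH brute force")]
    + [("198.51.100.44", p, "fw", None) for p in range(20, 34)]
    + [("198.51.100.44", 22, "ids", "SSH brute force")]
    # an unrelated source hammering one web port
    + [("203.0.113.7", 80, "ids", "SQL injection attempt")] * 8
)

# Per-source behavioural features (assumed choice; a real deployment would use more)
FEATURES = {
    "events": lambda recs: len(recs),
    "distinct_ports": lambda recs: len({r[1] for r in recs}),
}


def per_source(events):
    """Group records by source IP."""
    groups = defaultdict(list)
    for rec in events:
        groups[rec[0]].append(rec)
    return groups


def benign_profile(baseline):
    """Stage 1a: robust per-feature threshold learned from benign traffic.
    threshold = median + 3 * MAD; the MAD is floored at 1 so that a flat
    baseline does not collapse the threshold onto the median."""
    groups = per_source(baseline)
    profile = {}
    for name, fn in FEATURES.items():
        values = [fn(recs) for recs in groups.values()]
        med = median(values)
        mad = median(abs(v - med) for v in values)
        profile[name] = med + 3 * max(mad, 1)
    return profile


def detect_outliers(events, profile):
    """Stage 1b: sources exceeding a benign threshold, with the feature(s) that fired."""
    flagged = {}
    for src, recs in per_source(events).items():
        reasons = [n for n, fn in FEATURES.items() if fn(recs) > profile[n]]
        if reasons:
            flagged[src] = reasons
    return flagged


def signature(recs):
    """Stage 2a: feature set describing one source's offending activity."""
    feats = {("port", r[1]) for r in recs}
    feats |= {("sig", r[3]) for r in recs if r[3]}
    return frozenset(feats)


def similarity(a, b):
    """Jaccard similarity between two activity signatures."""
    return len(a & b) / len(a | b)


def same_attacker(events, src_a, src_b, threshold=0.8):
    """Reduced discrimination question: returns (score, verdict) for A1 and A2."""
    groups = per_source(events)
    score = similarity(signature(groups[src_a]), signature(groups[src_b]))
    return score, score >= threshold


def attribute(events, flagged, threshold=0.8):
    """Stage 2b: single-link grouping of flagged sources into attack activities.
    The first source assigned to a cluster acts as its representative signature."""
    groups = per_source(events)
    clusters = []  # list of (representative signature, [member sources])
    for src in sorted(flagged):
        sig = signature(groups[src])
        for rep, members in clusters:
            if similarity(sig, rep) >= threshold:
                members.append(src)
                break
        else:
            clusters.append((sig, [src]))
    return [members for _, members in clusters]


if __name__ == "__main__":
    prof = benign_profile(BASELINE)
    hits = detect_outliers(LIVE, prof)
    print("benign profile:", prof)
    print("flagged sources:", hits)
    print("attack activities:", attribute(LIVE, hits))
    print("same attacker?", same_attacker(LIVE, "198.51.100.9", "198.51.100.44"))
```

Run as-is, the block flags the three non-baseline sources, groups the two port sweepers into one activity (their signatures overlap at 13 of 15 features despite different range ends) and keeps the web source separate. The same-attacker check returns a similarity score alongside the verdict rather than a bare boolean, which keeps the door open for the later correlation with Open Source Intelligence modules that the description mentions.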
It is expected that the project will result in a minimum of 3 high-impact journal publications in both the forensic investigations and data science fields, with a potential for long-term impact in assisting with cyber attribution and correlation and improving the completeness of existing IDPSs. Patents will also be developed and filed when applicable.

Societal Impact

As attribution is a non-trivial problem in cyberspace, systematic research and progress of the state of the art is critical to the wellbeing of citizens, who need to be protected by the identification of potential attackers and by perpetrators being brought to justice. On a national level, any successful approach and solution striving to identify state actors in the case of a cyber attack against a nation has clear benefits. The techniques developed by this project will extend the usage of IDPS by an order of magnitude, which would justify their employment and facilitate significant security improvements.

Training Opportunities

The PhD student is encouraged not only to discuss their skills with their supervisors and to ask peers and colleagues for feedback, which may also highlight areas of potential development, but also to participate in the wider research culture of the Department and the Faculty. Beyond this, we offer a wide range of research-related training opportunities. These currently include, but are not limited to:

a) International Conferences (e.g. KDD, ICDE, ESORICS),
b) Graduate Seminar Series,
c) Lectures delivered within the Cyber-Security Unit and Data Science Institute,
d) Bibliographical & Thesis Writing Training, etc.

In particular, participation in or attendance at international conferences will support the dissemination of the research results and facilitate timely feedback from experts in this area. The student will also be considered for secondment opportunities in both industry and academia.
The student can spend some time at the BRICA company, where he/she will be able to process real-world data and test the developed methods, and at the C&IS Lab at Korea Institute of Science and Technology (KAIST), where he/she will be able to exchange knowledge and expertise with world-class cyber-security experts. Currently, the first supervisor is affiliated with the C&IS Lab at KAIST as a visiting professor, is running several joint research projects there, and has been invited to give a talk in Nov. 2015. We believe these secondments can give him/her the opportunity to expand his/her skills and experience in an area outside his/her usual day-to-day role, building both depth and breadth of knowledge, particularly in cyber-security.

SUPERVISORY TEAM

First Supervisor: Paul Yoo
Additional Supervisors: Vasilis Katos

Recent publications by supervisors relevant to this project

K. Taha, P. D. Yoo, SIIMCO: A Forensic Investigation Tool for Identifying the Influential Members of a Criminal Organization, IEEE Trans. on Information Forensics & Security, 2016 (accepted).
O. Al-Jarrah, P. D. Yoo, S. Muhaidat, Data Randomization and Cluster-Based Partitioning for Botnet Intrusion Detection, IEEE Trans. on Cybernetics, Oct. 2015, DOI: 10.1109/TCYB.2015.2490802.
K. Huseynov, P. D. Yoo, K. Kim, Scalable P2P Botnet Detection with Threshold Setting in Hadoop Framework, Journal of The Korea Institute of Information Security & Cryptology, Vol 25, No 4, Aug 2015, DOI: 10.13089/JKIISC.2015.25.4.807.
Tsochataridou, C., Arampatzis, A. and Katos, V., 2014. Improving Digital Forensics Through Data Mining. In: 4th International Conference on Advances in Information Mining and Management (IMMM 2014), 20-25 July 2014, Paris.
Psaroudakis, I., Katos, V., Saragiotis, P. and Mitrou, L., 2014. A method for forensic artefact collection, analysis and incident response in environments running session initiation protocol and session description protocol.
International Journal of Electronic Security and Digital Forensics, 6 (4), 241-267.
Shiaeles, S.N., Katos, V., Karakos, A.S. and Papadopoulos, B.K., 2012. Real time DDoS detection using fuzzy estimators. Computers and Security, 31 (6), 782-790.

INFORMAL ENQUIRIES

To discuss this opportunity further, please contact Paul Yoo via email: pyoo@bournemouth.ac.uk

ELIGIBILITY CRITERIA

All candidates must satisfy the University’s minimum doctoral entry criteria for studentships: an honours degree at Upper Second Class (2:1) and/or an appropriate Masters degree. An IELTS (Academic) score of 6.5 minimum (or equivalent) is essential for candidates for whom English is not their first language.

Additional Eligibility

Graduates in Computing, Engineering, Mathematics, or Physics who have demonstrated excellence at undergraduate or MSc level in a relevant subject.

HOW TO APPLY

Please complete the BU Research Degree Application 2015 and submit it via email to the Postgraduate Research Administrator for Admissions (pgradmissions@bournemouth.ac.uk) by 29 January 2016. Further information on the application process can be found at www.bournemouth.ac.uk/phd-2015