PROJECT DETAILS
Project Title
A Data Driven Framework for Attribution and Correlation in Intrusion Detection
Project Summary
Aim: The overall aim of this project is to develop data driven intelligent and adaptive systems capable of analysing
and correlating security events in intrusion detection.
Rationale: Obscure security events can be correlated across multiple logs, and doing so provides the higher level of visibility necessary for accurate and expeditious intrusion analysis. However, security device logging can be extensive and difficult to interpret. In this project, we will use a novel approach to address this problem by combining methods from cyber security and data science, and develop an intelligent system that performs event correlation over the large-scale logs and alerts of multiple security technologies.
Methods:
1. In experiments, we will set up an entry point, monitor all communications in and out of the darknet, and collect streams of security device logs that have not previously been investigated. In addition, a live database containing over 10 million real bad IP addresses (growing by 27K entries every 24 hours) and other security descriptors from our industry partners will be used for model validation.
2. We will then use methods from data science to investigate which changes across the multiple security device logs can be used to correlate the elements of an attack. We will design and develop two stages of clustering/classification algorithms. The first stage is essentially an anomaly detection exercise: benign behaviour is modelled in order to highlight attack outliers. Once the offending events are identified, a feature-based attribution algorithm will run not only to establish the types of attacks but also to group them per specific attack activity. The latter essentially correlates the elements of the attack set to allow the potential identification of the attacker. This relates to the reduced discrimination problem: “given two attacks A1 and A2, do they belong to the same attacker?”. This step will allow future integration and correlation with additional sources of information such as Open Source Intelligence modules. To the best of our knowledge, these novel IDPS methodologies have never been attempted before, despite their significant benefits.
3. Finally, we will build an automated software framework capable of analysing and correlating security events in
intrusion detection while efficiently interpreting large-scale security device logs.
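As an added illustration (not code from the project), the two-stage pipeline of steps 2 and 3 run over a few constructed per-source connection summaries: a benign-behaviour model flags outliers, a feature-based grouping then clusters the flagged sources by attack activity, and the reduced discrimination question ("do A1 and A2 belong to the same attacker?") is answered from that grouping. The features, thresholds and records are assumptions chosen for the demonstration.

```python
import math
from statistics import mean, pstdev

# Constructed sample records: (src_ip, connections_per_min, distinct_dst_ports, avg_bytes)
BENIGN = [
    ("10.0.0.1", 4, 1, 900), ("10.0.0.2", 5, 1, 1100), ("10.0.0.3", 3, 2, 950),
    ("10.0.0.4", 6, 1, 1000), ("10.0.0.5", 4, 2, 1050),
]
OBSERVED = BENIGN + [
    ("198.51.100.7", 400, 950, 60),   # constructed: many ports, tiny payloads
    ("198.51.100.9", 410, 960, 62),   # constructed: near-identical profile
    ("203.0.113.4", 2000, 1, 5000),   # constructed: one port, high volume
]

def benign_model(records):
    """Stage 1 model: per-feature mean and std of benign traffic (assumed features)."""
    cols = list(zip(*[r[1:] for r in records]))
    return [(mean(c), pstdev(c) or 1.0) for c in cols]  # guard zero spread

def outliers(records, model, z_threshold=3.0):
    """Stage 1: flag a record if any feature deviates > z_threshold from benign."""
    flagged = []
    for r in records:
        zs = [abs(v - m) / s for v, (m, s) in zip(r[1:], model)]
        if max(zs) > z_threshold:
            flagged.append(r)
    return flagged

def group_by_activity(flagged, max_distance=0.5):
    """Stage 2: greedy feature-based grouping on log-scaled features, so sources
    with near-identical attack profiles land in the same activity cluster."""
    clusters = []
    for r in flagged:
        vec = [math.log1p(v) for v in r[1:]]
        for c in clusters:
            if math.dist(vec, c["centroid"]) <= max_distance:
                c["members"].append(r[0])
                break
        else:
            clusters.append({"centroid": vec, "members": [r[0]]})
    return [c["members"] for c in clusters]

def same_activity(groups, a, b):
    """Reduced discrimination question: do sources a and b share an activity group?"""
    return any(a in g and b in g for g in groups)
```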
The key outcomes of the project are:
1. The primary outcome of this project will be an anomaly detection exercise for modelling benign behaviour in order
to highlight attack outliers.
2. As outlined above, such a system has the potential not only to establish the types of attacks but also to group them per specific attack activity.
3. Being able to statistically correlate the elements of an attack while efficiently interpreting large-scale security logs will not only have an academic impact, resulting in high impact publications, but also support practical live forensic investigations.
Academic Impact
This cross-disciplinary research will develop new knowledge that bridges the gap between forensic investigations and data science, opening up new areas of research in both fields. In particular, researchers with expertise in forensic investigations will benefit from the proposed methodologies in finding out how security device log indicators change during attack events. Researchers with expertise in data science will benefit from the proposed methodologies for building and optimising the deep feature extractors and for developing the predictive software framework that could assist attribution and correlation tasks in the cyber environment. It is expected that the project will result in a minimum of 3 high impact journal publications across the forensic investigation and data science fields, with a potential for long term impact in assisting with cyber attribution and correlation and in improving the completeness of existing IDPSs. Patents will also be developed and filed where applicable.
PhD Project Description
July 2015
Societal Impact
As attribution is a non-trivial problem in cyberspace, systematic research that advances the state of the art is critical to the wellbeing of citizens, who need to be protected through the identification of potential attackers and the bringing of perpetrators to justice. On a national level, any successful approach and solution striving to identify state actors in the case of a cyber attack against a nation has clear benefits. The techniques developed by this project will extend the usage of IDPS by an order of magnitude, which would justify their employment and facilitate significant security improvements.
Training Opportunities
The PhD student is encouraged not only to discuss their skills with their supervisors (asking peers and colleagues for feedback may also highlight areas of potential development) but also to participate in the wider research culture of the Department and the Faculty. Beyond this, we offer a wide range of research-related training opportunities. These currently include but are not limited to: a) International Conferences (e.g. KDD, ICDE, ESORICS), b) Graduate Seminar Series, c) Lectures delivered within the Cyber-Security Unit and Data Science Institute, d) Bibliographical & Thesis Writing Training, etc. In particular, participation in or attendance at international conferences will support the dissemination of the research results and facilitate timely feedback from experts in this area. The student will also be considered for secondment opportunities in both industry and academia. The student can spend some time at BRICA, where he/she will be able to process real-world data and test the developed methods, and at the C&IS Lab at Korea Institute of Science and Technology (KAIST), where he/she will be able to exchange knowledge and expertise with world-class cyber-security experts. Currently, the first supervisor is affiliated with the C&IS Lab at KAIST as a visiting professor, is running a few joint research projects, and has been invited to give a talk in Nov. 2015. We believe these secondments can give the student the opportunity to expand his/her skills and experience in an area outside his/her usual day-to-day role, building both depth and breadth of knowledge, particularly in cyber-security.
SUPERVISORY TEAM
First Supervisor
Paul Yoo
Additional Supervisors
Vasilis Katos
Recent publications by supervisors relevant to this project
K. Taha and P. D. Yoo, "SIIMCO: A Forensic Investigation Tool for Identifying the Influential Members of a Criminal Organization", IEEE Trans. on Information Forensics & Security, 2016 (accepted).
O. Al-Jarrah, P. D. Yoo and S. Muhaidat, "Data Randomization and Cluster-Based Partitioning for Botnet Intrusion Detection", IEEE Trans. on Cybernetics, Oct. 2015, DOI: 10.1109/TCYB.2015.2490802.
K. Huseynov, P. D. Yoo and K. Kim, "Scalable P2P Botnet Detection with Threshold Setting in Hadoop Framework", Journal of The Korea Institute of Information Security & Cryptology, Vol. 25, No. 4, Aug. 2015, DOI: 10.13089/JKIISC.2015.25.4.807.
C. Tsochataridou, A. Arampatzis and V. Katos, "Improving Digital Forensics Through Data Mining", in 4th International Conference on Advances in Information Mining and Management (IMMM 2014), 20-25 July 2014, Paris.
I. Psaroudakis, V. Katos, P. Saragiotis and L. Mitrou, "A method for forensic artefact collection, analysis and incident response in environments running session initiation protocol and session description protocol", International Journal of Electronic Security and Digital Forensics, 6 (4), 241-267, 2014.
S. N. Shiaeles, V. Katos, A. S. Karakos and B. K. Papadopoulos, "Real time DDoS detection using fuzzy estimators", Computers and Security, 31 (6), 782-790, 2012.
INFORMAL ENQUIRIES
To discuss this opportunity further, please contact Paul Yoo via email: pyoo@bournemouth.ac.uk
ELIGIBILITY CRITERIA
All candidates must satisfy the University’s minimum doctoral entry criteria for studentships of an honours degree at
Upper Second Class (2:1) and/or an appropriate Masters degree. An IELTS (Academic) score of 6.5 minimum (or
equivalent) is essential for candidates for whom English is not their first language.
Additional Eligibility
Graduates in Computing, Engineering, Mathematics, or Physics who have demonstrated excellence at undergraduate or MSc level in a relevant subject.
HOW TO APPLY
Please complete the BU Research Degree Application 2015 and submit it via email to the Postgraduate Research
Administrator for Admissions - pgradmissions@bournemouth.ac.uk by 29 January 2016. Further information on
the application process can be found at www.bournemouth.ac.uk/phd-2015