
Publication


Featured research published by Axel Tanner.


Information Security Technical Report | 2005

Data mining and machine learning - Towards reducing false positives in intrusion detection

Tadeusz Pietraszek; Axel Tanner

Intrusion Detection Systems (IDSs) are used to monitor computer systems for signs of security violations. Having detected such signs, IDSs trigger alerts to report them. These alerts are presented to a human analyst, who evaluates them and initiates an adequate response. In practice, IDSs have been observed to trigger thousands of alerts per day, most of which are mistakenly triggered by benign events (i.e., false positives). This makes it extremely difficult for the analyst to correctly identify alerts related to attacks (i.e., true positives). In this paper, we present two orthogonal and complementary approaches to reduce the number of false positives in intrusion detection using alert postprocessing by data mining and machine learning. Moreover, these two techniques, because of their complementary nature, can be used together in an alert-management system. These concepts have been verified on a variety of data sets, and achieved a significant reduction in the number of false positives in both simulated and real environments.


network operations and management symposium | 2010

Using linked data for systems management

Metin Feridun; Axel Tanner

Integration of data from multiple sources makes it possible to build effective systems management solutions. Despite the expected benefits, data integration remains a challenge. Heterogeneity between data sources in terms of lack of an accepted common model, data semantics and access methods are among the difficulties. The goal of our research is to realize loosely coupled integration of data for systems management by building a lightweight mechanism to easily browse, search and query data across multiple sources without enforcing a common model across all sources. The approach is based on the emerging Semantic Web and Linked Data technologies proposed for the World Wide Web (WWW). The focus of this short paper is to report on our work on the transformation of management data sources into Linked Data providers.


ieee symposium on security and privacy | 2015

Gaining an Edge in Cyberspace with Advanced Situational Awareness

Vincent Lenders; Axel Tanner; Albert Blarer

Organizations that rely on cyberspace as a mission-critical asset require advanced situational awareness to maintain a tactical advantage over emerging threats. A new cyber-situational awareness framework relies on the OODA (observe, orient, decide, act) cycle to provide near real-time cognitive mapping for corporate environments.


Lecture Notes in Computer Science | 2016

From A to Z: Developing a Visual Vocabulary for Information Security Threat Visualisation

Eric Li; Jeroen Barendse; Frederic Brodbeck; Axel Tanner

Security visualisation is a very difficult problem due to its inherent need to represent complexity and to be flexible for a wide range of applications. As a result, many current approaches are not particularly effective. This paper presents several novel approaches for visualising information security threats which aim to create a flexible and effective basis for creating semantically rich threat visualisation diagrams. By presenting generalised approaches, these ideas can be applied to a wide variety of situations, as demonstrated in two specific visualisations: one for visualising attack trees, the other for visualising attack graphs. It concludes by discussing future work and introducing a novel exploration of attack models.


new security paradigms workshop | 2015

Examining the Contribution of Critical Visualisation to Information Security

Peter Hall; Claude P.R. Heath; Lizzie Coles-Kemp; Axel Tanner

This paper examines the use of visualisations in the field of information security and in particular focuses on the practice of information security risk assessment. We examine the current roles of information security visualisations and place these roles in the wider information visualisation discourse. We present an analytic lens which divides visualisations into three categories: journalistic, scientific and critical visualisations. We then present a case study that uses these three categories of visualisations to further support information security practice. Two significant results emerge from this case study: (1) visualisations that promote critical thinking and reflection (a form of critical visualisation) support the multi-stakeholder nature of risk assessment and (2) a preparatory stage in risk assessment is sometimes needed by service designers in order to establish the service design before conducting a formal risk assessment. The reader is invited to explore the images in the digital version of this paper where they can zoom in to particular aspects of the images and view the images in colour.


distributed systems operations and management | 2004

Simplifying Correlation Rule Creation for Effective Systems Monitoring

Carlos Cesar F. Araujo; Ana C. Biazetti; Anthony Bussani; John E. Dinger; Metin Feridun; Axel Tanner

Event correlation is a necessary component of systems management but is perceived as a difficult function to set up and maintain. We report on our work to develop a set of tools and techniques to simplify event correlation and thereby reduce overall operating costs. The tools prototyped are described and our current plans for future tool development outlined.


network operations and management symposium | 2010

A search engine for systems management

Metin Feridun; Axel Tanner

This paper describes a search facility for systems management that was designed and implemented to simplify the management of large IT infrastructures. As the complexity of data centers or telecommunication networks increases, managing such infrastructures involves large amounts of data originating from many and diverse sources. In a typical IT management infrastructure, we find many management components such as commercial and open source products (e.g., for monitoring); custom, bespoke software (e.g., a home-grown inventory database) as well as additional conventional (e.g., calendar) and unconventional (e.g., Web forums, blogs) data sources. The amount of information and the number of tools that are at the disposal of the system operator for management tasks are both wide-ranging and overwhelming. Finding the set of information and tools that is relevant to solve a given problem is a challenge, and typically requires expertise in how to extract data from the available data sources and how to use that extracted data effectively. A search facility that can locate data and tools is beneficial to systems management, but to maximize its impact, it needs to address the heterogeneity of data and data sources; provide task-focused, structured and enriched results, and be both scalable and cost-effective in the dynamic and changing environment of today's IT infrastructures. This paper describes such a system, called Fusio, that provides a search capability based on a loose coupling of heterogeneous, systems-management-related data in an IT environment. Fusio is based on the Semantic Web and traditional information-retrieval technologies. Tools such as Fusio are useful for system operators in carrying out tasks, such as problem resolution, where pointers to related information and tools can be quickly found to speed up the task. They are also useful for training purposes, e.g., as a reference to available data and tools.
The paper describes the architecture of the search facility and the prototype implementation that is now being deployed in a test environment.


The Cloud Security Ecosystem: Technical, Legal, Business and Management Issues | 2015

Tool-based risk assessment of cloud infrastructures as socio-technical systems

Michael Nidd; Marieta Georgieva Ivanova; Christian W. Probst; Axel Tanner

Assessing risk in cloud infrastructures is difficult. Typical cloud infrastructures contain potentially thousands of nodes that are highly interconnected and dynamic. Another important component is the set of human actors who get access to data and computing infrastructure. The cloud infrastructure therefore constitutes a socio-technical system. Attacks on socio-technical systems are still mostly identified through expert brainstorming. However, formal risk assessment for systems including human actors requires modeling human behavior, which is difficult at best. In this chapter, we present a modeling exercise for cloud infrastructures using the socio-technical model developed in the TRESPASS project; after showing how to model typical components of a cloud infrastructure, we show how attacks are identified on this model and discuss their connection to risk assessment. The technical part of the model is extracted automatically from the configuration of the cloud infrastructure, which is especially important for systems so dynamic and complex.


ieee international conference on services computing | 2007

Policy-Based Automation to Improve Solution Engineering in IT Services

Ronnie Sarkar; Murthy V. Devarakonda; Axel Tanner

IT outsourcing service providers are increasingly being challenged to reduce costs while improving the quality of service implementation and delivery. A key contributor to those goals can be an improved methodology for services solution engineering - which involves analysis of the client's requirements and environment, mapping the information to the capabilities of the service provider, documenting the design and implementation of each service, and defining transformations of the customer's environment to the target IT infrastructure defined by the overall design that facilitates more efficient service delivery. One such improved methodology leverages reuse, in the form of a taxonomy of standardized service offerings and a repository of standardized service designs they can be mapped to. In this paper, we describe a prototype system that provides automation for such a methodology by encoding design policies that are used to assist the services solution architect gather relevant information from the customer and cross check design decisions. The approach demonstrates how the notion of computer-aided design can be applied to the world of IT services and introduced in an incremental manner. This paper presents the system architecture, discusses the sources and models of knowledge, and illustrates how this knowledge can be used with specific examples from the services field.


Archive | 2008

Integrity protection in data processing systems

Matthias Schunter; Axel Tanner; Bernhard Jansen
