Faculty of Science and Technology
Bournemouth University
Project Summary
Aim: The overall aim of this project is to develop data-driven, intelligent and adaptive systems capable of analysing and correlating security events for intrusion detection.
Rationale: Obscure security events can be correlated across multiple logs, and doing so provides the higher level of visibility necessary for accurate and expeditious intrusion analysis. However, security device logging can be extensive and difficult to interpret. In this project we will take a novel approach to this problem by combining methods from cyber security and data science, and develop an intelligent system that performs event correlation over the large-scale logs and alerts of multiple security technologies.
Methods:
1. In experiments, we will set up an entry point, monitor all communications in and out of the darknet, and collect streams of security device logs that have not previously been investigated. In addition, a live database containing over 10 million real bad IP addresses (growing by 27K entries every 24 hours) and other security descriptors, provided by our industry partners, will be used for model validation.
2. We will then use methods from data science to investigate which changes across the multiple security device logs can be used to correlate the elements of an attack. We will design and develop two stages of clustering/classification algorithms. The first stage is essentially an anomaly detection exercise: benign behaviour is modelled so that attack outliers stand out against it. Once the offending events are identified, a feature-based attribution algorithm will run in order to establish the types of attack and also to group them by specific attack activity. The latter essentially correlates the elements of the attack set to allow the potential identification of the attacker. This relates to the reduced discrimination problem: "given two attacks A1 and A2, do they belong to the same attacker?". This step will allow future integration and correlation with additional sources of information such as Open Source Intelligence modules. To the best of our knowledge, these novel methodologies for intrusion detection and prevention systems (IDPSs) have never been attempted before, despite their significant benefits.
3. Finally, we will build an automated software framework capable of analysing and correlating security events for intrusion detection while efficiently interpreting large-scale security device logs.
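The following is an added worked example of the two-stage pipeline sketched in steps 2 and 3; it is illustration code written for this summary, not the project's own software. Stage 1 models benign per-source behaviour with median/MAD robust z-scores over event rate and destination-port fan-out and flags outlier sources; stage 2 assigns each flagged source an attack type and links sources that look like the same attacker (the "A1 and A2" question) using port-set overlap and shared /24, then enriches each group against a bad-IP feed. The log lines, the device names, the bad-IP set, the 3.5 z-score threshold and the same-attacker heuristic are all constructed assumptions for the example.

```python
import re
import statistics
from collections import defaultdict

# Constructed stand-in for the industry partners' live bad-IP database.
BAD_IPS = {"203.0.113.7", "198.51.100.22"}

# Assumed key=value line format for the constructed firewall/IDS logs.
LOG_RE = re.compile(
    r"^(?P<ts>\d+) (?P<dev>\w+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) action=(?P<action>\w+)$"
)


def build_sample_logs():
    """Constructed sample: 8 benign workstations talking to one server, plus two
    port scanners from the same /24 and one SSH brute-forcer."""
    lines, ts = [], 1000
    for i in range(1, 9):
        src, ports, n = "10.0.0.%d" % i, [80, 443][: 1 + i % 2], 2 + i % 3
        for k in range(n):
            ts += 1
            lines.append("%d fw1 src=%s dst=10.0.1.5 dport=%d action=allow"
                         % (ts, src, ports[k % len(ports)]))
    for src, nports in (("203.0.113.7", 20), ("203.0.113.9", 18)):
        for p in range(1, nports + 1):
            ts += 1
            lines.append("%d fw1 src=%s dst=10.0.1.5 dport=%d action=deny" % (ts, src, p))
    for _ in range(15):
        ts += 1
        lines.append("%d ids1 src=198.51.100.22 dst=10.0.1.9 dport=22 action=deny" % ts)
    return lines


def parse_logs(lines):
    """Aggregate per-source features from raw lines; malformed lines are skipped."""
    stats = defaultdict(lambda: {"events": 0, "ports": set(), "dsts": set(), "denies": 0})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        s = stats[m["src"]]
        s["events"] += 1
        s["ports"].add(int(m["dport"]))
        s["dsts"].add(m["dst"])
        s["denies"] += m["action"] == "deny"
    return dict(stats)


def robust_z(values):
    """Median/MAD z-scores. The floor on the scale stops a near-constant benign
    baseline from producing infinite scores (assumes most sources are benign)."""
    med = statistics.median(values)
    mad = statistics.median(abs(v - med) for v in values)
    scale = max(1.4826 * mad, 1.0)
    return [(v - med) / scale for v in values]


def stage1_outliers(stats, threshold=3.5):
    """Stage 1: sources whose event count or port fan-out deviates from the benign model."""
    srcs = sorted(stats)
    z_events = robust_z([stats[s]["events"] for s in srcs])
    z_ports = robust_z([len(stats[s]["ports"]) for s in srcs])
    return {s for s, ze, zp in zip(srcs, z_events, z_ports) if max(ze, zp) > threshold}


def attack_type(f):
    """Assumed coarse typing rules for the constructed data."""
    if len(f["ports"]) >= 10:
        return "port_scan"
    if len(f["ports"]) == 1 and f["events"] >= 10:
        return "brute_force"
    return "unknown"


def same_attacker(a, b):
    """Reduced discrimination heuristic: same type, overlapping port set, and either
    the same /24 or a shared target. Thresholds are assumptions."""
    if attack_type(a) != attack_type(b):
        return False
    jaccard = len(a["ports"] & b["ports"]) / len(a["ports"] | b["ports"])
    same_net = a["src"].rsplit(".", 1)[0] == b["src"].rsplit(".", 1)[0]
    return bool(jaccard >= 0.5 and (same_net or a["dsts"] & b["dsts"]))


def stage2_attribute(stats, outliers, bad_ips):
    """Stage 2: type each outlier, union-find sources judged to be one attacker,
    and correlate every group with the bad-IP feed."""
    feats = {s: dict(stats[s], src=s) for s in sorted(outliers)}
    parent = {s: s for s in feats}

    def find(x):
        while parent[x] != x:
            x = parent[x]
        return x

    srcs = list(feats)
    for i, a in enumerate(srcs):
        for b in srcs[i + 1:]:
            if same_attacker(feats[a], feats[b]):
                parent[find(b)] = find(a)
    groups = defaultdict(list)
    for s in srcs:
        groups[find(s)].append(s)
    return [{"members": m, "type": attack_type(feats[m[0]]),
             "feed_hits": sorted(set(m) & bad_ips)} for m in groups.values()]


if __name__ == "__main__":
    st = parse_logs(build_sample_logs())
    for g in stage2_attribute(st, stage1_outliers(st), BAD_IPS):
        print(g)
```

Run stand-alone, the block flags the three hostile sources, links the two scanners into one group (18 of 20 ports in common, same /24) and keeps the brute-forcer separate, and reports which members of each group already appear in the feed. The MAD floor matters in practice: on a quiet sensor most sources produce identical counts, MAD collapses to zero, and without the floor every source becomes an outlier.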
The key outcomes of the project are:
1. The primary outcome of this project will be an anomaly detection stage that models benign behaviour in order to highlight attack outliers.
2. As outlined above, such a system has the potential to establish the types of attack and also to group them by specific attack activity.
3. Being able to statistically correlate the elements of an attack while efficiently interpreting large-scale security logs will not only have an academic impact, resulting in high-impact publications, but also support practical live forensic investigations.
Academic Impact
This cross-disciplinary research will develop new knowledge that bridges the gap between forensic investigations and data science, opening up new areas of research in both fields. In particular, researchers with expertise in forensic investigations will benefit from the proposed methodologies for finding out how security device log indicators change during attack events. Researchers with expertise in data science will benefit from the proposed methodologies for building and optimising the deep feature extractors, as well as from developing the predictive software framework that could assist attribution and correlation tasks in the cyber environment. It is expected that the project will result in a minimum of 3 high-impact journal publications across the forensic investigations and data science fields, with potential for long-term impact in assisting with cyber attribution and correlation and in improving the completeness of existing IDPSs. Patents will also be developed and filed where applicable.
Societal Impact
As attribution is a non-trivial problem in cyberspace, systematic research that advances the state of the art is critical to the wellbeing of citizens, who need to be protected by the identification of potential attackers and by perpetrators being brought to justice. On a national level, any successful approach to identifying state actors behind a cyber attack against a nation has clear benefits. The techniques developed by this project aim to extend the usefulness of IDPSs by an order of magnitude, which would justify their deployment and facilitate significant security improvements.
Training Opportunities
The PhD student is encouraged not only to discuss their skills with their supervisors, and to ask peers and colleagues for feedback that may highlight areas for development, but also to participate in the wider research culture of the Department and the Faculty. Beyond this, we offer a wide range of research-related training opportunities. These currently include, but are not limited to: a) international conferences (e.g. KDD, ICDE, ESORICS), b) the Graduate Seminar Series, c) lectures delivered within the Cyber-Security Unit and the Data Science Institute, d) bibliographical and thesis writing training. In particular, participation in or attendance at international conferences will support the dissemination of the research results and facilitate timely feedback from experts in the area. The student will also be considered for secondment opportunities in both industry and academia. The student can spend some time at the company BRICA, where they will be able to process real-world data and test the developed methods, and at the C&IS Lab at the Korea Advanced Institute of Science and Technology (KAIST), where they will be able to exchange knowledge and expertise with world-class cyber-security experts. The first supervisor is currently affiliated with the C&IS Lab at KAIST as a visiting professor, is running several joint research projects there, and was invited to give a talk in Nov. 2015. We believe these secondments can give the student the opportunity to expand their skills and experience in an area outside their usual day-to-day role, building both depth and breadth of knowledge, particularly in cyber-security.
Supervisory Team
First Supervisor: Paul Yoo
Additional Supervisors: Vasilis Katos
Eligibility Criteria
All candidates must satisfy the University’s minimum doctoral entry criteria for studentships of an honours degree at Upper Second Class (2:1) and/or an appropriate Masters degree. An IELTS (Academic) score of 6.5 minimum (or equivalent) is essential for candidates for whom English is not their first language.
Additional Eligibility
Graduates in Computing, Engineering, Mathematics or Physics who have demonstrated excellence at undergraduate or MSc level in a relevant subject.
Funding information
- Funding applies to: Open to applicants from a range of countries
Contacts and how to apply
- Academic contact: To discuss this opportunity further, please contact Paul Yoo via email: pyoo@bournemouth.ac.uk
- Administrative contact and how to apply: For further information and details of how to apply please see here
- Application deadline: 29 January 2016