877 results for Serial-correlation common features


Relevance:

20.00% 20.00%

Publisher:

Abstract:

The research presented in this thesis addresses inherent problems in signature-based intrusion detection systems (IDSs) operating in heterogeneous environments. The research proposes a solution to address the difficulties associated with multi-step attack scenario specification and detection for such environments. The research has focused on two distinct problems: the representation of events derived from heterogeneous sources and multi-step attack specification and detection. The first part of the research investigates the application of an event abstraction model to event logs collected from a heterogeneous environment. The event abstraction model comprises a hierarchy of events derived from different log sources such as system audit data, application logs, captured network traffic, and intrusion detection system alerts. Unlike existing event abstraction models where low-level information may be discarded during the abstraction process, the event abstraction model presented in this work preserves all low-level information as well as providing high-level information in the form of abstract events. The event abstraction model presented in this work was designed independently of any particular IDS and thus may be used by any IDS, intrusion forensic tools, or monitoring tools. The second part of the research investigates the use of unification for multi-step attack scenario specification and detection. Multi-step attack scenarios are hard to specify and detect as they often involve the correlation of events from multiple sources which may be affected by time uncertainty. The unification algorithm provides a simple and straightforward scenario matching mechanism by using variable instantiation where variables represent events as defined in the event abstraction model. The third part of the research looks into the solution to address time uncertainty. Clock synchronisation is crucial for detecting multi-step attack scenarios which involve logs from multiple hosts.
Issues involving time uncertainty have been largely neglected by intrusion detection research. The system presented in this research introduces two techniques for addressing time uncertainty issues: clock skew compensation and clock drift modelling using linear regression. An off-line IDS prototype for detecting multi-step attacks has been implemented. The prototype comprises two modules: implementation of the abstract event system architecture (AESA) and of the scenario detection module. The scenario detection module implements our signature language developed based on the Python programming language syntax and the unification-based scenario detection engine. The prototype has been evaluated using a publicly available dataset of real attack traffic and event logs and a synthetic dataset. The distinct features of the public dataset are the fact that it contains multi-step attacks which involve multiple hosts with clock skew and clock drift. These features allow us to demonstrate the application and the advantages of the contributions of this research. All instances of multi-step attacks in the dataset have been correctly identified even though there exists a significant clock skew and drift in the dataset. Future work identified by this research would be to develop a refined unification algorithm suitable for processing streams of events to enable an on-line detection. In terms of time uncertainty, identified future work would be to develop mechanisms which allow automatic clock skew and clock drift identification and correction. The immediate application of the research presented in this thesis is the framework of an off-line IDS which processes events from heterogeneous sources using abstraction and which can detect multi-step attack scenarios which may involve time uncertainty.

Relevance:

20.00% 20.00%

Publisher:

Abstract:

There are many studies that reveal the nature of design thinking and the nature of conceptual design as distinct from detailed or embodiment design. The results can assist in our understanding of how the process of design can be supported and how new technologies can be introduced into the workplace. Existing studies provide limited information about the nature of collaborative design as it takes place on the ground and in the actual working context. How to provide appropriate and effective support for collaborative design information sharing across companies, countries and heterogeneous computer systems is a key issue. As data are passed between designers and the computer systems they employ, many exchanges are made. These exchanges may be used to establish measures of the benefits that new support systems can bring. Collaboration support tools represent a fast growing section of the commercial software market place and a reasonable range of products are available. Many of them offer significant application to design for the support of distributed meetings by the provision of video and audio communications and the sharing of information, including collaborative sketching. The tools that specifically support 3D models and other very design specific features are less common and many of those are in prototype stages of development. A key question is to find viable ways of combining design information visualisation support with the collaboration support technologies that can be seen today. When collaborating, different views will need to be accessible at different times to all the collaborators. The architects may want to explain some ideas on their model, the structural engineers on their model and so on. However, there are issues of ownership when the structural engineer wants to manipulate the architect’s model and vice versa. The modes of working, synchronous or asynchronous may have a bearing as in a synchronous session there is control of what is happening.

Relevance:

20.00% 20.00%

Publisher:

Abstract:

This paper provides a fresh analysis of the widely-used Common Scrambling Algorithm Stream Cipher (CSA-SC). Firstly, a new representation of CSA-SC with a state size of only 89 bits is given, a significant reduction from the 103 bit state of a previous CSA-SC representation. Analysis of this 89-bit representation demonstrates that the basis of a previous guess-and-determine attack is flawed. Correcting this flaw increases the complexity of that attack so that it is worse than exhaustive key search. Although that attack is not feasible, the reduced state size of our representation makes it obvious that CSA-SC is vulnerable to several generic attacks, for which feasible parameters are given.

Relevance:

20.00% 20.00%

Publisher:

Abstract:

The common brown leafhopper, Orosius orientalis (Matsumura) (Homoptera: Cicadellidae), previously described as Orosius argentatus (Evans), is an important vector of several viruses and phytoplasmas worldwide. In Australia, phytoplasmas vectored by O. orientalis cause a range of economically important diseases, including legume little leaf (Hutton & Grylls, 1956), tomato big bud (Osmelak, 1986), lucerne witches broom (Helson, 1951), potato purple top wilt (Harding & Teakle, 1985), and Australian lucerne yellows (Pilkington et al., 2004). Orosius orientalis also transmits Tobacco yellow dwarf virus (TYDV; genus Mastrevirus, family Geminiviridae) to beans, causing bean summer death disease (Ballantyne, 1968), and to tobacco, causing tobacco yellow dwarf disease (Hill, 1937, 1941). TYDV has only been recorded in Australia to date. Both diseases result in significant production and quality losses (Ballantyne, 1968; Thomas, 1979; Moran & Rodoni, 1999). Although direct damage caused by leafhopper feeding has been observed, it is relatively minor compared to the losses resulting from disease (P Trębicki, unpubl.).

Relevance:

20.00% 20.00%

Publisher:

Abstract:

A simple mimetic of a heparan sulfate disaccharide sequence that binds to the growth factors FGF-1 and FGF-2 was synthesized by coupling a 2-azido-2-deoxy-D-glucosyl trichloroacetimidate donor with a 1,6-anhydro-2-azido-2-deoxy--D-glucose acceptor. Both the donor and acceptor were obtained from a common intermediate readily obtained from D-glucal. Molecular docking calculations showed that the predicted locations of the disaccharide sulfo groups in the binding site of FGF-1 and FGF-2 are similar to the positions observed for co-crystallized heparin-derived oligosaccharides obtained from published crystal structures.

Relevance:

20.00% 20.00%

Publisher:

Abstract:

In the design of tissue engineering scaffolds, design parameters including pore size, shape and interconnectivity, mechanical properties and transport properties should be optimized to maximize successful inducement of bone ingrowth. In this paper we describe a 3D micro-CT and pore partitioning study to derive pore scale parameters including pore radius distribution, accessible radius, throat radius, and connectivity over the pore space of the tissue engineered constructs. These pore scale descriptors are correlated to bone ingrowth into the scaffolds. Quantitative and visual comparisons show a strong correlation between the local accessible pore radius and bone ingrowth; for well connected samples a cutoff accessible pore radius of approximately 100 microM is observed for ingrowth. The elastic properties of different types of scaffolds are simulated and can be described by standard cellular solids theory: $E/E_0 = (\rho/\rho_s)^n$. Hydraulic conductance and diffusive properties are calculated; results are consistent with the concept of a threshold conductance for bone ingrowth. Simple simulations of local flow velocity and local shear stress show no correlation to in vivo bone ingrowth patterns. These results demonstrate a potential for 3D imaging and analysis to define relevant pore scale morphological and physical properties within scaffolds and to provide evidence for correlations between pore scale descriptors, physical properties and bone ingrowth.

Relevance:

20.00% 20.00%

Publisher:

Abstract:

Monitoring unused or dark IP addresses offers opportunities to extract useful information about both on-going and new attack patterns. In recent years, different techniques have been used to analyze such traffic including sequential analysis where a change in traffic behavior, for example change in mean, is used as an indication of malicious activity. Change points themselves say little about detected change; further data processing is necessary for the extraction of useful information and to identify the exact cause of the detected change which is limited due to the size and nature of observed traffic. In this paper, we address the problem of analyzing a large volume of such traffic by correlating change points identified in different traffic parameters. The significance of the proposed technique is two-fold. Firstly, automatic extraction of information related to change points by correlating change points detected across multiple traffic parameters. Secondly, validation of the detected change point by the simultaneous presence of another change point in a different parameter. Using a real network trace collected from unused IP addresses, we demonstrate that the proposed technique enables us to not only validate the change point but also extract useful information about the causes of change points.

Relevance:

20.00% 20.00%

Publisher:

Abstract:

In public venues, crowd size is a key indicator of crowd safety and stability. Crowding levels can be detected using holistic image features, however this requires a large amount of training data to capture the wide variations in crowd distribution. If a crowd counting algorithm is to be deployed across a large number of cameras, such a large and burdensome training requirement is far from ideal. In this paper we propose an approach that uses local features to count the number of people in each foreground blob segment, so that the total crowd estimate is the sum of the group sizes. This results in an approach that is scalable to crowd volumes not seen in the training data, and can be trained on a very small data set. As a local approach is used, the proposed algorithm can easily be used to estimate crowd density throughout different regions of the scene and be used in a multi-camera environment. A unique localised approach to ground truth annotation that reduces the required training data is also presented, as a localised approach to crowd counting has different training requirements to a holistic one. Testing on a large pedestrian database compares the proposed technique to existing holistic techniques and demonstrates improved accuracy, and superior performance when test conditions are unseen in the training set, or a minimal training set is used.

Relevance:

20.00% 20.00%

Publisher:

Abstract:

This paper describes a novel framework for facial expression recognition from still images by selecting, optimizing and fusing ‘salient’ Gabor feature layers to recognize six universal facial expressions using the K nearest neighbor classifier. The recognition comparisons with all layer approach using JAFFE and Cohn-Kanade (CK) databases confirm that using ‘salient’ Gabor feature layers with optimized sizes can achieve better recognition performance and dramatically reduce computational time. Moreover, comparisons with the state of the art performances demonstrate the effectiveness of our approach.

Relevance:

20.00% 20.00%

Publisher:

Abstract:

Research on social networking sites like Facebook is emerging but sparse. The exploratory study investigates the value users derive from self-described ‘cool’ Facebook applications, and explores the features that either encourage or discourage users to recommend application to their friends. Thus the concepts of value and cool are explored in a social networking setting. Our qualitative data shows that consumers derive a combination of functional value along with either social or emotional value from the applications. Female Facebook users indicated self-expression as important, while males tend to use Facebook application to socially compete. Three broad categories emerged for application features; symmetrical features can both encourage or discourage recommendation, asymmetrical features one encourage or discourage but not both, and polar features where different levels of the same feature encourage or discourage. Recommending or not recommending an application tends to be the result of a combination of features rather than one feature in isolation.