Abstracting and correlating heterogeneous events to detect complex scenarios

The research presented in this thesis addresses inherent problems in signaturebased intrusion detection systems (IDSs) operating in heterogeneous environments. The research proposes a solution to address the difficulties associated with multistep attack scenario specification and detection for such environments. The research has focused on two distinct problems: the representation of events derived from heterogeneous sources and multi-step attack specification and detection. The first part of the research investigates the application of an event abstraction model to event logs collected from a heterogeneous environment. The event abstraction model comprises a hierarchy of events derived from different log sources such as system audit data, application logs, captured network traffic, and intrusion detection system alerts. Unlike existing event abstraction models where low-level information may be discarded during the abstraction process, the event abstraction model presented in this work preserves all low-level information as well as providing high-level information in the form of abstract events. The event abstraction model presented in this work was designed independently of any particular IDS and thus may be used by any IDS, intrusion forensic tools, or monitoring tools. The second part of the research investigates the use of unification for multi-step attack scenario specification and detection. Multi-step attack scenarios are hard to specify and detect as they often involve the correlation of events from multiple sources which may be affected by time uncertainty. The unification algorithm provides a simple and straightforward scenario matching mechanism by using variable instantiation where variables represent events as defined in the event abstraction model. The third part of the research looks into the solution to address time uncertainty. Clock synchronisation is crucial for detecting multi-step attack scenarios which involve logs from multiple hosts. Issues involving time uncertainty have been largely neglected by intrusion detection research. The system presented in this research introduces two techniques for addressing time uncertainty issues: clock skew compensation and clock drift modelling using linear regression. An off-line IDS prototype for detecting multi-step attacks has been implemented. The prototype comprises two modules: implementation of the abstract event system architecture (AESA) and of the scenario detection module. The scenario detection module implements our signature language developed based on the Python programming language syntax and the unification-based scenario detection engine. The prototype has been evaluated using a publicly available dataset of real attack traffic and event logs and a synthetic dataset. The distinct features of the public dataset are the fact that it contains multi-step attacks which involve multiple hosts with clock skew and clock drift. These features allow us to demonstrate the application and the advantages of the contributions of this research. All instances of multi-step attacks in the dataset have been correctly identified even though there exists a significant clock skew and drift in the dataset. Future work identified by this research would be to develop a refined unification algorithm suitable for processing streams of events to enable an on-line detection. In terms of time uncertainty, identified future work would be to develop mechanisms which allows automatic clock skew and clock drift identification and correction. The immediate application of the research presented in this thesis is the framework of an off-line IDS which processes events from heterogeneous sources using abstraction and which can detect multi-step attack scenarios which may involve time uncertainty.

Indoor environments : design, productivity and health

In a typical large office block, by far the largest lifetime expense is the salaries of the workers - 84% for salaries compared with : office rent (14%), total energy (1%), and maintenance (1%). The key drive for business is therefore the maximisation of the productivity of the employees as this is the largest cost. Reducing total energy use by 50% will not produce the same financial return as 1% productivity improvement? The aim of the project which led to this review of the literature was to understand as far as possible the state of knowledge internationally about how the indoor environment of buildings does influence occupants and the impact this influence may have on the total cost of ownership of buildings. Therefore one of the main focus areas for the literature has been identifying whether there is a link between productivity and health of building occupants and the indoor environment. Productivity is both easy to define - the ratio of output to input - but at the same time very hard to measure in a relatively small environment where individual contributions can influence the results, in particular social interactions. Health impacts from a building environment are also difficult to measure well, as establishing casual links between the indoor environment and a particular health issue can be very difficult. All of those issues are canvassed in the literature reported here. Humans are surprisingly adaptive to different physical environments, but the workplace should not test the limits of human adaptability. Physiological models of stress, for example, accept that the body has a finite amount of adaptive energy available to cope with stress. The importance of, and this projects' focus on, the physical setting within the integrated system of high performance workplaces, means this literature survey explores research which has been undertaken on both physical and social aspects of the built environment. The literature has been largely classified in several different ways, according to the classification scheme shown below. There is still some inconsistency in the use of keywords, which is being addressed and greater uniformity will be developed for a CD version of this literature, enabling searching using this classification scheme.

FM as a Business Enabler

As a functioning performing arts centre, commercial enterprise, tourist attraction and major national asset, Sydney Opera House must continue to demonstrate the optimal use and effectiveness of its facilities management (FM) to provide value for its stakeholders. To better achieve this, the Cooperative Research Centre for Construction Innovation focussed on the following three themes for investigation in the FM Exemplar Project — Sydney Opera House: digital modelling — developing a building information model capable of integrating information from disparate software systems and hard copy, and combining this with a spatial 3D computeraided design (CAD)/geographic information system (GIS) platform. This model offers a visual representation of the building and its component elements in 3D, and provides comprehensive information on each element. The model can work collaboratively through an open data exchange standard (common to all compliant software) in order to mine the data required to further FM objectives (such as maintenance) more efficiently and effectively. services procurement — developing a multi-criteria performance-based procurement framework aligned with organisational objectives for FM service delivery performance benchmarking — developing an FM benchmarking framework that enables facilities/ organisations to develop key performance indicators (KPIs) to identify better practice and improvement strategies. These three research stream outcomes were then aligned within the broader context of Sydney Opera House’s Total Asset Management (TAM) Plan and Strategic Asset Maintenance (SAM) Plan in arriving at a business framework aligned with, and in support of, organisational objectives. The Sydney Opera House is managed by the Sydney Opera House Trust on behalf of the Government of the State of New South Wales. Within the framework of the TAM Plan prepared in accordance with NSW Treasury Guidelines, the assimilation of these three themes provides an integrated FM solution capable of supporting Sydney Opera House’s business objectives and functional requirements. FM as a business enabler showcases innovative methods in improving FM performance, a better alignment of service and performance objectives and provides a better-practice model to support the business enterprise.

Comparing international television news : the case of violence presentation in Germany, Great Britain and Russia -- [in German : Gewalt in internationalen Fernsehnachrichten - eine komparative Analyse medialer Gewaltpräsentation in Deutschland, Großbritannien und Russland]

This is an important book that ought to launch a debate about how we research our understanding of the world, it is an innovative intervention in a vital public issue, and it is an elegant and scholarly hard look at what is actually happening. Jean Seaton, Prof of Media History, U of Westminster, UK & Official Historian of the BBC -- Summary: This book investigates the question of how comparative studies of international TV news (here: on violence presentation) can best be conceptualized in a way that allows for crossnational, comparative conclusions on an empirically validated basis. This book shows that such a conceptualization is necessary in order to overcome existing restrictions in the comparability of international analysis on violence presentation. Investigated examples include the most watched news bulletins in Great Britain (10o'clock news on the BBC), Germany (Tagesschau on ARD) and Russia (Vremja on Channel 1). This book highlights a substantial cross-national violence news flow as well as a cross-national visual violence flow (key visuals) as distinct transnational components. In addition, event-related textual analysis reveals how the historical rootedness of nations and its symbols of power are still manifested in televisual mediations of violence. In conclusion, this study lobbies for a conscientious use of comparative data/analysis both in journalism research and practice in order to understand what it may convey in the different arenas of today’s newsmaking.

A time-variant medical data trustworthiness assessment model

Electronic Health Record (EHR) systems are being introduced to overcome the limitations associated with paper-based and isolated Electronic Medical Record (EMR) systems. This is accomplished by aggregating medical data and consolidating them in one digital repository. Though an EHR system provides obvious functional benefits, there is a growing concern about the privacy and reliability (trustworthiness) of Electronic Health Records. Security requirements such as confidentiality, integrity, and availability can be satisfied by traditional hard security mechanisms. However, measuring data trustworthiness from the perspective of data entry is an issue that cannot be solved with traditional mechanisms, especially since degrees of trust change over time. In this paper, we introduce a Time-variant Medical Data Trustworthiness (TMDT) assessment model to evaluate the trustworthiness of medical data by evaluating the trustworthiness of its sources, namely the healthcare organisation where the data was created and the medical practitioner who diagnosed the patient and authorised entry of this data into the patient’s medical record, with respect to a certain period of time. The result can then be used by the EHR system to manipulate health record metadata to alert medical practitioners relying on the information to possible reliability problems.

The passionate critic

It's hard to be dispassionate about Reyner Banham. For me, and for the plethora of other people with strong opinions about Banham, his writing is compelling, and one’s connection to him as a figure quite personal. For me, frankly, he rocks. As a landscape architect, I gleaned most of my knowledge about Modern architecture from Banham. His Theory and Design in the First Machine Age, along with Rowe and Koetter’s Collage City and Venturi’s Complexity and Contradiction in Architecture were the most influential books in my library, by far. Later, as a budding “real scholar”, I was disappointed to find that, while these authors had serious credibility, the writings themselves were regarded as “polemical” – when in fact what I admired about them most was their ability and willingness to make rough groupings and gross generalizations, and to offer fickle opinions. It spoke to me of a real personal engagement and an active, participatory reading of the architectural culture they discussed. They were at their best in their witty, cutting, but generally pithy, creative prose, such as in Rowe’s extrapolation of the modern citizen as the latest “noble savage”, or Banham railing against conservative social advocates and their response to high density housing: “those who had just re-discovered ‘community’ in the slums would fear megastructure as much as any other kind of large-scale renewal program, and would see to it that the people were never ready.” Any reader of Banham will be able to find a gem that will relate, somehow, personally, to what they are doing right now. For Banham, it was all personal, and the gaps in his scholarship, rather, were the dispassionate places: “Such bias is essential – an unbiased historian is a pointless historian – because history is an essentially critical activity, a constant re-scrutiny and rearrangement of the profession.” Reyner Banham: Historian of the Immediate Future, Nigel Whiteley’s recent “intellectual biography” (the MIT Press, 2002), allowed me to revisit Banham’s passionate mode of criticism and to consider what his legacy might be. The book examines Banham’s body of work, grouped according to his various primary fascinations, as well as his relationship to contemporaneous theoretical movements, such as postmodernism. His mode of practice, as a kind of creative critic, is also considered in some depth. While there are points where the book delves into Banham’s personal life, on the whole Whiteley is very rigorous in considering and theorizing the work itself: more than 750 articles and twelve books. In academic terms, this is good practice. However, considering the entirely personal nature of Banham’s writing itself, this separation seems artificial. Banham, as he himself noted, “didn’t mind a gossip”, and often when reading the book I was curious about what was happening to him at the time. Banham’s was an amazing type of intellectual practice, and one that academics (a term he hated) could do well to learn from. While Whiteley spends a lot of time arguing for his practice to be regarded as such, and makes strong points about both the role of the critic, and the importance of journalism, rather than scholarly publishing, I found myself wondering what his study looked like. What books he had in his library. Did he smoke when he wrote? What sort of teaching load did he have? He is an inspiration to design writers and thinkers, and I, personally, wanted to know how he did it.