994 results for event correlation
Abstract:
The scalability of security event correlation has become a major concern for security analysts and IT administrators when considering complex IT infrastructures that need to handle gargantuan amounts of events or wide correlation window spans. The current correlation capabilities of Security Information and Event Management (SIEM), based on a single node in centralized servers, have proved to be insufficient to process large event streams. This paper introduces a step forward in the current state of the art to address the aforementioned problems. The proposed model takes into account the two main aspects of this field: distributed correlation and query parallelization. We present a case study of a multiple-step attack on the Olympic Games IT infrastructure to illustrate the applicability of our approach.
Abstract:
The research presented in this thesis addresses inherent problems in signature-based intrusion detection systems (IDSs) operating in heterogeneous environments. The research proposes a solution to address the difficulties associated with multi-step attack scenario specification and detection for such environments. The research has focused on two distinct problems: the representation of events derived from heterogeneous sources, and multi-step attack specification and detection. The first part of the research investigates the application of an event abstraction model to event logs collected from a heterogeneous environment. The event abstraction model comprises a hierarchy of events derived from different log sources such as system audit data, application logs, captured network traffic, and intrusion detection system alerts. Unlike existing event abstraction models, where low-level information may be discarded during the abstraction process, the event abstraction model presented in this work preserves all low-level information while also providing high-level information in the form of abstract events. The event abstraction model presented in this work was designed independently of any particular IDS and thus may be used by any IDS, intrusion forensic tool, or monitoring tool. The second part of the research investigates the use of unification for multi-step attack scenario specification and detection. Multi-step attack scenarios are hard to specify and detect, as they often involve the correlation of events from multiple sources which may be affected by time uncertainty. The unification algorithm provides a simple and straightforward scenario matching mechanism by using variable instantiation, where variables represent events as defined in the event abstraction model. The third part of the research looks into a solution to address time uncertainty. Clock synchronisation is crucial for detecting multi-step attack scenarios which involve logs from multiple hosts.
Issues involving time uncertainty have been largely neglected by intrusion detection research. The system presented in this research introduces two techniques for addressing time uncertainty issues: clock skew compensation and clock drift modelling using linear regression. An off-line IDS prototype for detecting multi-step attacks has been implemented. The prototype comprises two modules: an implementation of the abstract event system architecture (AESA) and the scenario detection module. The scenario detection module implements our signature language, developed on the basis of the Python programming language syntax, and the unification-based scenario detection engine. The prototype has been evaluated using a publicly available dataset of real attack traffic and event logs and a synthetic dataset. The distinctive feature of the public dataset is that it contains multi-step attacks which involve multiple hosts with clock skew and clock drift. These features allow us to demonstrate the application and the advantages of the contributions of this research. All instances of multi-step attacks in the dataset have been correctly identified even though there is significant clock skew and drift in the dataset. Future work identified by this research would be to develop a refined unification algorithm suitable for processing streams of events to enable on-line detection. In terms of time uncertainty, identified future work would be to develop mechanisms which allow automatic clock skew and clock drift identification and correction. The immediate application of the research presented in this thesis is the framework of an off-line IDS which processes events from heterogeneous sources using abstraction and which can detect multi-step attack scenarios that may involve time uncertainty.
Abstract:
Digital forensics investigations aim to find evidence that helps confirm or disprove a hypothesis about an alleged computer-based crime. However, the ease with which computer-literate criminals can falsify computer event logs makes the prosecutor's job highly challenging. Given a log which is suspected to have been falsified or tampered with, a prosecutor is obliged to provide a convincing explanation for how the log may have been created. Here we focus on showing how a suspect computer event log can be transformed into a hypothesised actual sequence of events, consistent with independent, trusted sources of event orderings. We present two algorithms which allow the effort involved in falsifying logs to be quantified, as a function of the number of 'moves' required to transform the suspect log into the hypothesised one, thus allowing a prosecutor to assess the likelihood of a particular falsification scenario. The first algorithm always produces an optimal solution but, for reasons of efficiency, is suitable for short event logs only. To deal with the massive amount of data typically found in computer event logs, we also present a second, heuristic algorithm which is considerably more efficient but may not always generate an optimal outcome.
Abstract:
Computer profiling is the automated forensic examination of a computer system in order to provide a human investigator with a characterisation of the activities that have taken place on that system. As part of this process, the logical components of the computer system (components such as users, files and applications) are enumerated and the relationships between them discovered and reported. This information is enriched with traces of historical activity drawn from system logs and from evidence of events found in the computer file system. A potential problem with the use of such information is that some of it may be inconsistent and contradictory, thus compromising its value. This work examines the impact of temporal inconsistency in such information and discusses two types of temporal inconsistency that may arise, namely inconsistency arising out of the normal errant behaviour of a computer system and inconsistency arising out of deliberate tampering by a suspect, together with techniques for dealing with inconsistencies of the latter kind. We examine the impact of deliberate tampering through experiments conducted with prototype computer profiling software. Based on the results of these experiments, we discuss techniques which can be employed in computer profiling to deal with such temporal inconsistencies.
Abstract:
The construction of timelines of computer activity is a part of many digital investigations. These timelines of events are composed of traces of historical activity drawn from system logs and potentially from evidence of events found in the computer file system. A potential problem with the use of such information is that some of it may be inconsistent and contradictory thus compromising its value. This work introduces a software tool (CAT Detect) for the detection of inconsistency within timelines of computer activity. We examine the impact of deliberate tampering through experiments conducted with our prototype software tool. Based on the results of these experiments, we discuss techniques which can be employed to deal with such temporal inconsistencies.
Abstract:
Four seismic surveys and a stratigraphic record from southernmost Patagonia (Argentina), based on 51 AMS-14C dates obtained in the framework of ICDP expedition 5022 "Potrok Aike Maar Lake Sediment Archive Drilling Project" (PASADO), provide a database to compare the 106 m composite profile from the lake centre with piston cores from the littoral and outcrops in the catchment area. Based on event correlation using distinct volcanic ash layers with unique geochemical composition and optically stimulated luminescence (OSL) dates on feldspars, the sediment records are firmly linked. This approach allows the sediment record to be matched with water levels during the past ca. 49 ka, providing evidence for lake level variations. Reconstructed lake levels were 20 m higher than today during the last Glacial until the early Holocene. With the migration of the Southern Hemispheric Westerlies over this site, the lake level dropped ca. 55 m for a period of two millennia. Thereupon the water balance was more positive again, causing a stepwise rise of the lake level until the maximum was reached during the Little Ice Age, with a subsequent lowering since the 20th century. We suggest that the mid- to late-Holocene lake level variation is caused by intensity changes of the Southern Hemispheric Westerlies.
Abstract:
Cities are, each in its own time and manner, modernising the services provided to the population. Among the many factors contributing to this evolution are the diversification and proliferation of sensors across the cities' various service domains, and the new communication channels with residents, among them social networks and, more recently, crowdsensing systems, driven by social demands for better public services and by the popularisation of mobile devices. In this direction, administrative efficiency is an essential factor, since cities are becoming more complex as the population in urban areas grows. The use of distributed systems techniques so that multiple service domains share the same computing infrastructure can contribute to the efficiency of cities, avoiding duplicated administrative costs and even enabling the correlation of events between services, favouring the identification of causal factors and thus more objective and precise administrative decision-making. In this context, this work focuses on the analysis of a middleware aimed at city management for collecting, integrating and interpreting data from sensors belonging to the city's own available services, together with data from sensing contributed by citizens. To evaluate the concept, the scenario of monitoring the condition of public roads was investigated. After 3 months of data collection by an automatic sensing system, totalling more than 360 thousand points, and also more than 90 reports from participatory sensing, it was verified that a distributed system can interpret historical series, engage residents in supporting the maintenance of city services, and also objectively indicate to public managers the points that should be attended to as a priority.
Combining tools through which citizens can, according to their needs, convictions and altruism, exert influence on public managers, with the support of continuous information and objective criteria from sensor networks, can stimulate the continued excellence of public services.
Abstract:
Computer networks produce tremendous amounts of event-based data that can be collected and managed to support an increasing number of new classes of pervasive applications. Examples of such applications are network monitoring and crisis management. Although the problem of distributed event-based management has been addressed in non-pervasive settings such as the Internet, the domain of pervasive networks has its own characteristics that make these results inapplicable. Many of these applications are based on time-series data that take the form of time-ordered series of events. Such applications also embody the need to handle large volumes of unexpected events, often modified on the fly and containing conflicting information, and to deal with rapidly changing contexts while producing results with low latency. Correlating events across contextual dimensions holds the key to expanding the capabilities and improving the performance of these applications. This dissertation addresses this critical challenge. It establishes an effective scheme for complex-event semantic correlation. The scheme examines epistemic uncertainty in computer networks by fusing event synchronization concepts with belief theory. Because of the distributed nature of event detection, time delays are considered. Events are no longer instantaneous; instead, a duration is associated with them. Existing algorithms for synchronizing time are split into two classes, one of which is asserted to provide a faster means for converging time and hence to be better suited for pervasive network management. Besides the temporal dimension, the scheme considers imprecision and uncertainty when an event is detected. A belief value is therefore associated with the semantics and the detection of composite events. This belief value is generated by a consensus among participating entities in a computer network.
The scheme taps into in-network processing capabilities of pervasive computer networks and can withstand missing or conflicting information gathered from multiple participating entities. Thus, this dissertation advances knowledge in the field of network management by facilitating the full utilization of characteristics offered by pervasive, distributed and wireless technologies in contemporary and future computer networks.
Abstract:
Extracting and aggregating the relevant event records relating to an identified security incident from the multitude of heterogeneous logs in an enterprise network is a difficult challenge. Presenting the information in a meaningful way is an additional challenge. This paper looks at solutions to this problem by first identifying three main transforms: log collection, correlation, and visual transformation. Having identified that the CEE project will address the first transform, this paper focuses on the second, while the third is left for future work. To aggregate by correlating event records, we demonstrate the use of two correlation methods, simple and composite. These make use of a defined mapping schema and confidence values to dynamically query the normalised dataset and to constrain result events to within a time window. Doing so improves the quality of results, which is required for the iterative re-querying process being undertaken. Final results of the process are output as nodes and edges suitable for presentation as a network graph.
Abstract:
A systematic study on the available data of 26 metallic glasses shows that there is an intrinsic correlation between fragility of a liquid and bulk modulus of its glass. The underlying physics can be rationalized within the formalism of potential energy landscape thermodynamics. It is surprising to find that the linear correlation between the fragility and the bulk-shear modulus ratio exists strictly at either absolute zero temperature or very high frequency. Further analyses indicate that a real flow event in bulk metallic glasses is shear dominant, and fragility is in inverse proportion to shear-induced bulk dilatation. Finally, extension of these findings to nonmetallic glasses is discussed.
Abstract:
We report the first three-particle coincidence measurement in pseudorapidity (Δη) between a high transverse momentum (p⊥) trigger particle and two lower-p⊥ associated particles within azimuth |Δφ| < 0.7 in √s_NN = 200 GeV d + Au and Au + Au collisions. Charge ordering properties are exploited to separate the jetlike component and the ridge (long-range Δη correlation). The results indicate that the correlation of ridge particles is uniform not only with respect to the trigger particle but also between themselves, event by event, in our measured Δη. In addition, the production of the ridge appears to be uncorrelated with the presence of the narrow jetlike component.
Abstract:
This thesis proposes a computational model of how children may come to learn the meanings of words in their native language. The proposed model is divided into two separate components. One component produces semantic descriptions of visually observed events while the other correlates those descriptions with co-occurring descriptions of those events in natural language. The first part of this thesis describes three implementations of the correlation process whereby representations of the meanings of whole utterances can be decomposed into fragments assigned as representations of the meanings of individual words. The second part of this thesis describes an implemented computer program that recognizes the occurrence of simple spatial motion events in simulated video input.
Abstract:
The Triassic Argilo-Gréseux Inférieur Formation (TAG-I) is one of the principal hydrocarbon reservoirs in the Berkine Basin of Algeria. Sedimentological studies have shown that it exhibits marked spatial and temporal facies variations on both a local field scale and a regional basinal scale. This variability, combined with a lack of diagnostic flora and fauna, makes regional correlation within the unit difficult. In turn, the lack of a consistent regional stratigraphic framework hampers the comparison of the various correlation schemes devised by operators in the basin. Contrasting the TAG-I in Blocks 402 and 405a exemplifies the problems encountered when attempting to define a regional correlation framework for the interval. Between these two blocks, a distance of approximately 200 km, there are marked changes in the style of deposition from sand-dominated, proximal fluvial systems in the SW (Block 405a, MLN, MLC, KMD and MLNW fields) to a more distal, more clay-prone system in the NE (Block 402, ROD/BRSE/BSFN, SFNE and BSF fields). A chemostratigraphic study of the TAG-I in these two blocks has allowed a four-fold correlation framework to be defined, in which each chemostratigraphic package has distinctive geochemical features. Chemostratigraphic Package 10, the oldest unit, lies above the Hercynian Unconformity but beneath a geochemically identifiable hiatal surface. Chemostratigraphic Package 20 lies above the hiatal surface but is separated from the overlying packages by a mineralogical change identifiable in both claystone and sandstone geochemistry. Chemostratigraphic Packages 30 and 40 are chemically somewhat similar, but are separated by a regional event interpreted as a period of dolocrete and lacustrine development. By combining the geochemical differentiation of the units with recognition of their stratal boundaries, it is possible to define a correlation for the TAG-I between Blocks 402 and 405a.
The proposed correlation between the two blocks suggests that the northern parts of Block 405a may have been occupied by a spur or subsidiary channel from the main SW–NE-trending fluvial system, resulting in one of the chemically defined packages being demonstrably absent in the MLNW, MLN, KMD and MLC fields when compared with the other areas of the study.