Alex Healing scite author profile

Alex Healing

5Publications

44Citation Statements Received

99Citation Statements Given

How they've been cited

How they cite others

117

Affiliations

BT Research, BT Group (United Kingdom), Innovate UK

Publications

Order By: Most citations

Intrusion alert prioritisation and attack detection using post-correlation analysis

Shittu

Healing

Ghanea-Hercock

et al. 2015

Computers & Security

View full text Add to dashboard Cite

This is the accepted version of the paper.This version of the publication may differ from the final published version.Permanent repository link: http://openaccess.city.ac.uk/8680/ Link to published version: http://dx. AbstractEvent Correlation used to be a widely used technique for interpreting alert logs and discovering network attacks. However, due to the scale and complexity of today's networks and attacks, alert logs produced by these modern networks are much larger in volume and difficult to analyse. In this research we show that adding post-correlation methods can be used alongside correlation to significantly improve the analysis of alert logs.We proposed a new framework titled A Comprehensive System for Analysing Intrusion Alerts (ACSAnIA). The post-correlation methods include a new prioritisation metric based on anomaly detection and a novel approach to clustering events using correlation knowledge. One of the key benefits of the framework is that it significantly reduces false-positive alerts and it adds contextual information to true-positive alerts.We evaluated the post-correlation methods of ACSAnIA using data from a 2012 cyber range experiment carried out by industrial partners of the British Telecom SATURN programme. In one scenario, our results show that falsepositives were successfully reduced by 97% and in another scenario, 16%. It also showed that clustering correlated alerts aided in attack detection.The proposed framework is also being developed and integrated into a preexisting Visual Analytic tool developed by the British Telecom SATURN Research Team for the analysis of cyber security data.

show abstract

Hyperion Next-Generation Battlespace Information Services

Ghanea-Hercock

Gelenbe

Jennings

et al. 2007

The Computer Journal

View full text Add to dashboard Cite

The future digital battlespace will be a fast-paced and frenetic environment that stresses information communication technology systems to the limit. The challenges are most acute in the tactical and operational domains where bandwidth is severely limited, security of information is paramount, the network is under physical and cyber attack and administrative support is minimal. Hyperion is a cluster of research projects designed to provide an automated and adaptive information management capability embedded in defence networks. The overall system architecture is designed to improve the situational awareness of field commanders by providing the ability to fuse and compose information services in real time. The key technologies adopted to enable this include: autonomous software agents, self-organizing middleware, a smart data filtering system and a 3-D battlespace simulation environment. This paper reviews some of the specific techniques under development within the Hyperion sub-projects and the results achieved to date.

show abstract

Entropy clustering approach for improving forecasting in DDoS attacks

Olabelurin

Veluru

Healing

et al. 2015

View full text Add to dashboard Cite

Volume anomaly such as distributed denial-of-service (DDoS) has been around for ages but with advancement in technologies, they have become stronger, shorter and weapon of choice for attackers. Digital forensic analysis of intrusions using alerts generated by existing intrusion detection system (IDS) faces major challenges, especially for IDS deployed in large networks. In this paper, the concept of automatically sifting through a huge volume of alerts to distinguish the different stages of a DDoS attack is developed. The proposed novel framework is purposebuilt to analyze multiple logs from the network for proactive forecast and timely detection of DDoS attacks, through a combined approach of Shannon-entropy concept and clustering algorithm of relevant feature variables. Experimental studies on a cyber-range simulation dataset from the project industrial partners show that the technique is able to distinguish precursor alerts for DDoS attacks, as well as the attack itself with a very low false positive rate (FPR) of 22.5%. Application of this technique greatly assists security experts in network analysis to combat DDoS attacks. Index Terms-alert management, distributed denial-of-service (DDoS) detection, k-means clustering analysis, network security, online anomaly detection, Shannon entropy.

show abstract

An intelligent agent approach for visual information structure generation

Duman

Healing

Ghanea-Hercock

2009

View full text Add to dashboard Cite

OutMet: A new metric for prioritising intrusion alerts using correlation and outlier analysis

Shittu

Healing²,

Ghanea-Hercock³

et al. 2014

View full text Add to dashboard Cite

In a medium sized network, an Intrusion Detection System (IDS) could produce thousands of alerts a day many of which may be false positives. In the vast number of triggered intrusion alerts, identifying those to prioritise is highly challenging. Alert correlation and prioritisation are both viable analytical methods which are commonly used to understand and prioritise alerts. However, to the author's knowledge, very few dynamic prioritisation metrics exist. In this paper, a new prioritisation metric -OutMet, which is based on measuring the degree to which an alert belongs to anomalous behaviour is proposed. OutMet combines alert correlation and prioritisation analysis. We illustrate the effectiveness of OutMet by testing its ability to prioritise alerts generated from a 2012 red-team cyberrange experiment that was carried out as part of the BT Saturn programme. In one of the scenarios, OutMet significantly reduced the false-positives by 99.3%.

show abstract

scite is a Brooklyn-based organization that helps researchers better discover and understand research articles through Smart Citations–citations that display the context of the citation and describe whether the article provides supporting or contrasting evidence. scite is used by students and researchers from around the world and is funded in part by the National Science Foundation and the National Institute on Drug Abuse of the National Institutes of Health.

Contact Info

customersupport@researchsolutions.com

10624 S. Eastern Ave., Ste. A-614

Henderson, NV 89052, USA

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Blog Terms and Conditions API Terms Privacy Policy Contact Cookie Preferences Do Not Sell or Share My Personal Information

Made with 💙 for researchers

Part of the Research Solutions Family.

Alex Healing

Intrusion alert prioritisation and attack detection using post-correlation analysis

Hyperion Next-Generation Battlespace Information Services

Entropy clustering approach for improving forecasting in DDoS attacks

An intelligent agent approach for visual information structure generation

OutMet: A new metric for prioritising intrusion alerts using correlation and outlier analysis

Contact Info

Product

Resources

About