Title: Cyber security analytics with real-time event correlations and pattern mining
Author: Razaq, Abdul
ISNI: 0000 0004 7655 5299
Awarding Body: Glasgow Caledonian University
Current Institution: Glasgow Caledonian University
Date of Award: 2018
Existing systems for cyber security analytics and event correlation record and interpret individual or partial logs to construct an event for security analytics. These systems are incapable of addressing the challenges posed by complex and diverse systems. This report presents the Security Event Analysis (SEA) framework, which introduces, understands and correlates real-time data streams from various inputs to extract patterns of deviation from normal trends. The input data is obtained from various sensors, as streams or batches with differing formats and velocities. Data and Pattern Mining (DPM) techniques are developed to correlate this data and form an event. The event represents an existing or foreseeable condition in a complex monitored system. The SEA and DPM techniques are proposed for complex environments such as Smart Grid Cyber Security (SGCS). Cyber analytics with SEA is a method of detecting or preventing threats across computing devices or networks through the interpretation of logs. Intentional cyber attacks, and accidental disruptions resulting from software problems or faulty hardware, should be deterred with adequate measures that cause minimal degradation of functionality. A common security solution relies either on rule-based matching or on probabilistic learning. Combinations of these statistical outcomes, obtained from various sensors as streams, batches or logs with differing formats and velocities, are correlated to form an event. The proposed SEA deploys rule-based feature mining of various sensors together with a Machine Learning (ML) classifier to construct Temporal Differences (TD) and to track evolving changes with Stochastic Modelling (SM). This report attempts to project a holistic view of the observed system, with behavioural references drawn from aggregated records.
Security analytics and event correlation, in general, rely on DPM techniques to interpret and associate collected data into a meaningful format from which a cyber-security incident can be constructed. The fundamentals of DPM in cyber security analytics and event correlation are based on common practices of statistical and mathematical theory. Continuous data collection and pattern mining ensure that every activity occurring across the system or network is recorded, which results in enormous volumes of data over time. Data- and pattern-mining-based analytics therefore provide deeper analysis of a vast set of observations collected in various formats and at varying velocities. Data gathered from interconnected sensors and mined into a single decision console, with linked properties and associated rules, provides real-time live monitoring. Hence, data and pattern mining assist day-to-day risk analysis with current security-related information to authorise or deny certain developments. The proposed DPM deploys rule-based feature mining of various sensors with a machine learning classifier to construct temporal incidents and stochastic differences. There is growing concern about cyber threats targeting critical infrastructures all over the world. This report investigates SGCS as a model for understanding cyber security challenges in complex and critical systems. The case study can be extended to Large-Scale Complex Information Technology (IT) Systems such as electricity generation and transmission, nuclear plants, satellite systems or enterprise networks. Complex systems face two major problems with respect to cyber security: complexity in architecture and big data. Vulnerabilities in the architecture may allow attackers to penetrate a network or access critical control units, while unauthorised access to enormous data can lead to breaches of privacy and unforeseen economic losses.
These types of cyber attacks can further lead to serious consequences or disaster, for example a temporary power shutdown, a catastrophic energy blackout or the interruption of financial transactions.
Supervisor: Not available
Sponsor: Not available
Qualification Name: Thesis (Ph.D.)
Qualification Level: Doctoral
EThOS ID:
DOI: Not available