SAGE is a deterministic and unsupervised learning pipeline that can generate attack graphs from intrusion alerts without input knowledge from a security analyst. Using a suffix-based probabilistic deterministic finite automaton (S-PDFA), the system compresses over 1 million alerts into less than 500 attack graphs (AGs), which are concise and manageable. Unlike other frequency analysis methods, SAGE does not discard infrequent high-severity alerts, which are crucial for learning the penetration strategies of attackers. This paper compares the baseline algorithm (i.e. S-PDFA) with a modelling assumption generated by swapping the S-PDFA with a PDFA. The aim is to validate the quality of SAGE and propose possible solutions for PDFA usage, allowing the algorithm to generate AGs in real-time. We compare them both quantitatively and qualitatively using size, complexity, completeness and interpretability metrics. Our findings show that AGs generated by the PDFA are more readable and as complete while being slightly larger (i.e. 16% larger) than the baseline S-PDFA. In certain cases, it can also better capture different attack strategies, proving that, if further optimized, it can perform better than the baseline.

SAGE is an unsupervised sequence learning pipeline that generates alert-driven attack graphs (AGs) without the need for prior expert knowledge about existing vulnerabilities and network topology. Using a suffix-based probabilistic deterministic finite automaton (S-PDFA), it accentuates infrequent high-severity alerts without discarding frequent low-severity alerts. It also captures the context of the alerts with identical signatures and it is an interpretable model. In order to deal with infrequent data, SAGE utilises sink states which are not merged during the S-PDFA learning process. However, this could result in unnecessarily larger AGs. In this study, we have looked at the AGs resulting from merging sink states with other sinks and the core of the S-PDFA after the main merging process. Data from Collegiate Penetration Testing Competitions has been used to compare AGs based on the four metrics: size, complexity, interpretability and completeness. We have shown that the resulting graphs are, on average, slightly smaller, with about the same complexity and the same completeness, but with worse interpretability due to losses of context of attack episodes, which cannot be compensated by the slightly smaller size of the AGs.

The interpretability of an attack graph is a key principle as it reflects the difficulty of a specialist to take insights into attacker strategies. However, the quantification of interpretability is considered to be a subjective manner and complex attack graphs can be challenging to read and interpret. In this research paper, we propose a new metric for quantifying the interpretability of attack graphs, aiming for comparable results between attack graphs regardless of the chosen drawing configuration or generation method. We address the gap in existing metrics by combining elements from the theory of cognitive chunks of information and user-experience-related fields to measure interpretability in terms of cognitive load. Our metric leverages Gestalt principles to formalize the quantification of interpretability based on cognitive overload. Compared to a similar approach, the proposed metric reveals a high level of similarity with the baseline, however, qualitative analysis revealed the proposed metric eliminates certain discrepancies with the expert's opinion that the baseline metric presented. Furthermore, a use case of the metric is presented and we evaluate our metric by comparing attack graphs generated using different methods, such as deterministic finite automaton (S-PDFA), Markov chain, and suffix tree. Finally, further work is proposed toward the goal of completing the metric by incorporating the remaining Gestalt principles.

This research paper focuses on the complex domain of alert-driven attack graphs. SAGE is a tool which generates such attack graphs (AGs) by using a suffix-based probabilistic deterministic finite automaton (S-PDFA). One of the substantial properties of this algorithm is to detect infrequent severe alerts while maintaining the context of attacks via the help of sink states and state IDs. This is a modelling assumption that we validate by answering the question driving this research: How does allowing the sink states to merge with other sink states affect the generated alert-driven attack graphs? Our research used a transparent methodology to obtain size, complexity and completeness statistics of the two algorithms. Afterwards, outstanding values in size and complexity allow us to filter insightful attack graphs, subject to head-to-head comparisons concerning their interpretability. We discovered that many remarkable changes happen in the outputted attack graphs, leading to an evident decrease in interpretability and increased loss of context. Concurrently, we do not detect substantial changes in size, complexity and completeness, leading us to believe that it is possible to unlock SAGE's full potential by adding specific thresholds for merging sink states. One proposed constraint is allowing only the merges of sinks at equal distance to the victim node. This alteration leads to similar results in all metrics, including interpretability, where some AGs show improvements.

Intrusion Detection Systems (IDSes) detect malicious traffic in computer networks and generate a large volume of alerts, which cannot be processed manually. SAGE is a deterministic algorithm that works without a priori network/expert knowledge and can compress these alerts into attack graphs (AGs), modelling intruders’ paths in the network. These AGs are too high in quantity/complexity for manual analysis, creating the necessity for prioritising individual attack stages (ASes). The existing prioritisation metric does not take into account graph
properties and is not granular enough to function on a node level. We propose PICA, an urgency metric inspired by the CIA triad (Confidentiality, Integrity and Availability) and the graph properties. It works on a node level and an attack-stage level. PICA is evaluated by comparison with the current implementation, based on AGs generated by SAGE using open-source intrusion alert datasets. The evaluation is based on the number and the type of the discovered attack stages. Results show that PICA manages to discover ASes that contain nodes with a high
in-degree but fails at discovering urgent ASes that contain many nodes with low in-degrees. Compared to the baseline, the ASes are distributed more evenly over the different urgency levels. Analysis of urgent node positioning revealed that sub-AGs lose information when objectives (final goal in a path) are also starting nodes. Changing the weights of the CIA triad showed a clear bias in results
towards the larger weights, as was intended. Finally, further work is proposed for PICA and in the generation process of SAGE’s AGs.

In an era where cyber threats evolve with alarming speed and sophistication, the role of Security Operation Centers (SOCs) has become increasingly pivotal in safeguarding digital infrastructures. SOCs serve as the frontline defence against malicious entities, where they continuously monitor and analyze network traffic, as well as the activity of users and systems for potential threats. The rapid growth of advanced cyber-attacks has amplified the reliance on Intrusion Detection Systems (IDS) to generate alerts for anomalous activities, and on SOC analysts to analyze those alerts. However, these systems often yield an overwhelming number of alerts, many of which are false positives, leading to alert fatigue among analysts. The scarcity of effective visualization tools, coupled with the analysts' dependence on manual investigation and correlation of events aggravates this issue, resulting in extended alert analysis times. Moreover, the number of attack scenarios keeps increasing daily, making it difficult to understand the possible next actions of an attacker and apply preventive measures.

This thesis introduces an innovative approach to aid SOC analysts in managing the large influx of alerts, mitigating alert fatigue, and enhancing the efficiency of threat identification and response. We present an attack prediction tool with alert visualization capabilities that produces real-time attack graphs, summarizing the alerts associated with a specific host. Our method utilizes a Suffix-based Probabilistic Deterministic Finite Automaton (SPDFA) to predict future attacker actions, promoting a proactive defence strategy, and achieving an accuracy of 33.71 %. We validate the practicality and relevance of our contributions through interviews with six security experts, confirming the utility of our methods in a live SOC context. Furthermore, we demonstrate the applicability of our approach by testing it with three datasets collected in the real world. Our work stands apart by simultaneously addressing alert correlation, attack visualization, and predictive modelling of attacker behaviour.

MalPaCa is a novel, unsupervised clustering algorithm, which creates based on the network flow of a software a behavioral profile representing its actual capabilities. One of the key variables affecting is performance and usability is the sequence length or how many packets it analyzes in order to group a connection to a cluster. This article explore different sequence length amounts as well as different positions from where to extract the packets from. The findings indicate that the current default sequence length of 20 is too high, leading in many cases to no clusters being found. 8 has been determined to be the optimal length for both performance and efficiency. Additionally, it has been established that using a windowed approach whereby a connection is being sliced into multiple, smaller connections could make MalPaCa more usable in situations where connection lengths are unequally distributed. Furthermore, MalPaCas usability as a tool has been improved by automating the clustering error metric determination, thereby providing the user with a valuable, visual measure as to how well MalPaCa has fared in creating the clusters. Lastly, MalPaCas definition of behavior was compared to the "Netflow v5" behavior definition, however no substantial performance improvements could be obtained from this change.

Clustering is a group of (unsupervised) machine learning algorithms used to categorize data into clusters. The most popular clustering algorithm is k-means clustering. K-means clustering clusters the data into k clusters where a cluster is represented by the mean of the data points called a centroid. Instead of using the mean as a centroid, a data point (medoid) can be used instead. This algorithm is called k-medoids algorithm. Both the algorithms work in an offline setting where all the data is known beforehand and usually use Euclidean distance to calculate the distance between any two points. SeqClu is another clustering algorithm for sequential data that works in an online setting and uses Dynamic Time Warping as its distance measure. It is based on k-medoids where it uses p sequences called prototypes, to represent a cluster. It assigns an incoming sequence to the cluster that has the lowest average distance between its prototypes and the incoming sequence. The issue in this approach is that many Dynamic Time Warping distance calculations need to be made which affects the clustering speed and using the average distance affects the clustering accuracy due to outliers being assigned as prototypes. This paper proposes an alternative algorithm with three variants for the cluster assignment process. This algorithm iterates through the prototypes in search for the closest prototype while excluding clusters that are deemed too far. It assigns the incoming sequence to the cluster of the closest prototype that it has found. Experiments on the UJI Pen Characters and UCR Synthetic Control datasets show an improvement in clustering speed and accuracy.

Real-time sequence clustering is the problem of clustering an infinite stream of sequences in real time with limited memory. A variant of the k-medoids algorithm called SeqClu is the suggested approach, representing a cluster with p most representative sequences of the cluster, called prototypes, to solve the problem of maintaining a high-quality representation of a cluster that requires little memory throughout time. However, the computational cost of this algorithm is considerable due to many distance computations that use Dynamic Time Warping (DTW), which is a computationally expensive distance measure that can be applied to sequences and is proven to be robust to noise and
delays. Therefore, this paper proposes an extension of SeqClu called SeqClu-PV, characterised by a decision-making mechanism for updating prototypes that improves the balance between the number of distance computations and the cost incurred due to incorrect clustering and reviews its performance.

MalPaCA makes use of unsupervised machine learning to provide malware capability assessment by clustering the temporal behaviour of malware network packet traces. A comparative analysis was performed on various clustering algorithms to determine the best clustering algorithm in terms of network behaviour discovery. The clustering algorithms included in the analysis were HDBSCAN, OPTICS, Agglomerative Hierarchical Clustering and K-medoids. Metrics that capture cluster separation, cohesion, purity and completeness were used to determine the performance of the clustering algorithms. Agglomerative Hierarchical Clustering had the lowest total error of 0.950 in the comparative analysis compared to the baseline HDBScan with an error of 1.381.

Identifying novel malware and their behaviour enables security engineers to prevent and protect users with devices on the network from attackers. MalPaCA is an algorithm that helps to understand the behaviours of the network traffic by clustering uni-directional network connections which can be analyzed further to interpret which label suites the malicious connection. When clustering connections, features extracted from the packet information were chosen manually based on the generalizability of information and research of common malware characteristics. The feature set can be extracted automatically with an autoencoder to increase the representation of each packets in network traffics. A comparison with an autoencoder generated feature set to the hand-crafted feature set shows that the hand-crafted feature set represents the malicious traffics with higher accuracy and more insightful explainability. A comparative experiment is run on the IoT-23 dataset, a network traffic capture from Avast’s AIC laboratory.

Malware Packet-sequence Clustering and Analysis (MalPaCA) is a unsupervised clustering application for malicious network behavior, it currently uses solely sequential features to characterize network behavior. In this paper an extensive comparison between those features and statistical features is performed. During the comparison a better clustering performance achievable with statistical features for longer connection sequences is shown and advice on which features can be added to MalPaCA.

Clustering data is a classic topic in the academic community and in the industry. It is by and large one of the most popular unsupervised classification techniques. It is fast and flexible as it can accommodate all kinds of data when a suitable similarity metric is found. SeqClu is an online k-medoids prototype based clustering algorithm designed to handle large quantities of sequence data. Our main focus is the role initialization plays in the performance of SeqClu. In this paper we show that Greedy Heuristics perform significantly better than K-medoids heuristics. In the context of Greedy Heuristics we show that these can be combined together to achieve potentially better accuracy if a proper metric to choose the initialization results is elected.

The usage of Internet of Things (IoT) devices has been exponentially increasing and their security is often overlooked. Hackers exploit the vulnerabilities present to perform large scale attacks as well as to obtain privacy-sensitive information. Resource constraints combined with a lack of incentives for manufacturers makes it harder to implement security solutions part of these devices. This thesis aims at developing a system that monitors the behaviour of these IoT devices. Network traffic is captured and analysed as part of a network middle-box to model the behaviour of an IoT device. This traffic shows the interactions of the IoT device with other devices and hosts. By modelling the normal behaviour of a device, we can detect anomalies exhibited. Denial of Service attack was performed to evaluate the effectiveness of state machines in detecting anomalies. To verify the validity of state machines built based on network traffic in a laboratory setup, a test environment with a different setting was used. Traffic was captured from a smart home setting and used to validate the state machines. We show that state machines can be effectively used to model the behaviour of IoT devices at the packet level and can also be used to uniquely identify commands issued from smartphone to IoT device. They can also effectively distinguish attack traffic from normal traffic.