Network intrusion detection systems (NIDs), which detect malicious activities in networks, are considered to be the last layer of defence in modern network security infrastructures. Many techniques have been proposed and implemented to detect network intrusions, however, the amount of alerts generated by current NIDs are overwhelmingly large. For example, NIDs employing a misuse detection technique cannot detect unknown attacks. On the other hand, those using an anomaly detection technique may miss intrusions by stealthy attacks. Both these give rise to false negatives. In addition, many of the alerts do not correspond to real malicious activities, resulting in false positives. These result in unmanageable operational burdens being placed on security analysts. To ease this burden, automatic alert processing tools are needed that can filter out false positives and negatives in an efficient and timely manner. Alert correlation is just such a technique, which focuses on discovering the relationships between alerts raised by NIDs, routers and firewalls. It also helps human users, or NIDs, to understand the corresponding attack strategies behind the alerts by building up a more comprehensive view of the attack scenarios, thereby allowing security analysts to make timely decisions and take appropriate actions.
To overcome the problems that arise with the number of low level alerts generated by traditional NIDs alert correlation has been proposed. A problem with current approaches to alert correlation is that they cannot provide information about the causality between the alert evidence and the current security state. The question needing answering for security analysts is, what does each piece of evidence imply about the security state? For example, in the presence of NIDs alerts, has the system been targeted by a DDoS attack? If so, which machine initiated the attack? Which hosts are compromised? And where has the attack been launched to?
In many application scenarios knowledge-based evidential network reasoning suffers from incomplete domain knowledge, lack of domain experts, and the intractability of inference. For example, it is impossible to make a perfect model of a DDoS attack because there are so many ways to perform it. Deep neural networks (DNNs) depend on large numbers of training examples to model the world, which can be potentially complementary to evidential network reasoning by enriching domain knowledge bases. Hybrid reasoning systems have to be built by combining learning/reasoning from both domain knowledge and data. In this proposed project, we aim to investigate the integration of evidential networks and DNNs in an effort to build a total network defence system.
- Evidential Neural Network Design: The first objective is to investigate mapping of an evidential network into a neural architecture from both a structural and behavioural viewpoint. During the 80s and the 90s, there were several efforts to combine the capabilities of neural networks with knowledge based reasoning tasks. Recently, interest in the application of machine learning to the field of knowledge representation and reasoning, or, more generally, in learning to reason over symbolic data has re-emerged. Deep learning, which refers to the use of neural networks with many layers, has been applied to a wide variety of problems with tremendous success, particularly in fields such as computer vision and natural language processing. Recently, there have been a few attempts to realise knowledge-based reasoning by means of DNNs, however, these mostly focus on knowledge representation and lack the ability to accurately capture the aspects of logic/semantic meaning that are necessary for interpretation or reasoning. Our first objective therefore, will involve a comparison of knowledge-based reasoning with DNN reasoning on a set of given structured representations.
- Event-driven neural reasoning: The second objective is to investigate event-driven neural reasoning. This will employ acyclic networks of neural objects derived from knowledge-based systems. The neural objects process information through a nonlinear combining function that is different from, and more complex than, typical neural network node processors. This will involve research into the design of a new learning algorithm, which offers automation of the knowledge acquisition task for belief functions, often the most difficult part of knowledge extraction.
- Evidential neural network adaptation: The third objective is to investigate expansions of an evidential neural network, guided by domain theory, the network, and the training data. Evidential neural networks are networks whose topology is determined by mapping the dependencies of a domain-specific evidential network into a neural network. However, existing network training methods lack the ability to add new evidential rules to the (reformulated) evidential networks. This is very much an open research issue in knowledge-based neural network research. On domain theories that are lacking rules, generalisation is poor, and training can corrupt the original rules, even those that were initially correct. Research into heuristic searching for possible expansions of an evidential neural network will be carried out in a manner analogous to adding rules and conjuncts to a symbolic rule-base.
Students entering the programme will normally be required to have a 2.1 BSc/BEng in Computer Science, Electrical and Electronic Engineering, or a maths based engineering or physical science degree, or equivalent qualification recognised by the University. Students holding an appropriate MEng or MSc (Software conversion) will normally be required to have a 2.1 or commendation (distinction) respectively. Furthermore, additional criteria may be applied. All applicants must have significant mathematical and programming experience.
This 3.5 year PhD studentship, potentially funded by NCSC, commences on 1 October 2019.
Eligibility for both fees and maintenance depends on the applicants being either an ordinary UK resident or those EU residents who have lived permanently in the UK for the 3 years immediately preceding the start of the studentship. Non UK residents who hold EU residency may also apply but if successful may receive fees only.
Applicants should apply electronically through the Queen’s online application portal at: https://dap.qub.ac.uk/portal/
Further information available at: http://www.qub.ac.uk/schools/eeecs/StudyattheSchool/PhDProgrammes
Principal Supervisor(s): Dr Paul Miller
Telephone: +44 (0)28 9097 1809, +44 (0)28 9097 4896