Anomaly-based correlation of IDS alarms

Tjhai, Gina C.

January 2011

An Intrusion Detection System (IDS) is one of the major techniques for securing information systems and keeping pace with current and potential threats and vulnerabilities in computing systems. It is an indisputable fact that the art of detecting intrusions is still far from perfect, and IDSs tend to generate a large number of false IDS alarms. Hence human has to inevitably validate those alarms before any action can be taken. As IT infrastructure become larger and more complicated, the number of alarms that need to be reviewed can escalate rapidly, making this task very difficult to manage. The need for an automated correlation and reduction system is therefore very much evident. In addition, alarm correlation is valuable in providing the operators with a more condensed view of potential security issues within the network infrastructure. The thesis embraces a comprehensive evaluation of the problem of false alarms and a proposal for an automated alarm correlation system. A critical analysis of existing alarm correlation systems is presented along with a description of the need for an enhanced correlation system. The study concludes that whilst a large number of works had been carried out in improving correlation techniques, none of them were perfect. They either required an extensive level of domain knowledge from the human experts to effectively run the system or were unable to provide high level information of the false alerts for future tuning. The overall objective of the research has therefore been to establish an alarm correlation framework and system which enables the administrator to effectively group alerts from the same attack instance and subsequently reduce the volume of false alarms without the need of domain knowledge. The achievement of this aim has comprised the proposal of an attribute-based approach, which is used as a foundation to systematically develop an unsupervised-based two-stage correlation technique. From this formation, a novel SOM K-Means Alarm Reduction Tool (SMART) architecture has been modelled as the framework from which time and attribute-based aggregation technique is offered. The thesis describes the design and features of the proposed architecture, focusing upon the key components forming the underlying architecture, the alert attributes and the way they are processed and applied to correlate alerts. The architecture is strengthened by the development of a statistical tool, which offers a mean to perform results or alert analysis and comparison. The main concepts of the novel architecture are validated through the implementation of a prototype system. A series of experiments were conducted to assess the effectiveness of SMART in reducing false alarms. This aimed to prove the viability of implementing the system in a practical environment and that the study has provided appropriate contribution to knowledge in this field.

621.382

Context conditions drivers' disposition towards alarms

Lees, Monica

01 December 2010

Collision warning systems represent a promising means to reduce rear-end crash involvement. However, these systems experience failures in the real-world that may promote driver distrust and diminish drivers' willingness to comply with warnings. Recent research suggests that not all false alarms (FAs) are detrimental to drivers. However, very few studies have examined how different alarms influence different driving populations. The purpose of this research was to examine how younger, middle-aged, and older drivers (with and without UFOV impairments) evaluated and responded to four different alarm contexts - false alarm (FA), nuisance alarm (NA), unnecessary alarm (UA) and true alarm (TA) - when they did and did not receive warnings. FA contexts represent out-of-path conflict scenarios where it is difficult for the driver to identify the source of the alarm. NA contexts represent out-of-path conflict scenarios that occur in a predictable manner that allows drivers to identify the source of the alarm. UA contexts are transitioning host conflict scenarios where the system issues an alert but the situation resolves itself before the driver needs to intervene. TA contexts represent in-host conflict scenarios where the situation requires the driver to intervene to avoid a collision. The results suggest that alarm context does matter. Compared to response data that differentiates FA and NA from UA and TA, subjective data shows greater sensitivity and differentiates between all four alarm contexts (FA Younger drivers indicated a high degree of confidence in their own ability across the different conditions. While they adopted a similar response pattern as middle-aged drivers during the TA contexts, these drivers responded less frequently than middle-aged and older drivers during the UA context. Diminished hazard perception ability and the tendency to consider these situations less hazardous likely account for the fewer responses made during these situations by younger drivers. Older drivers with and without UFOV impairments indicated similar hazard ratings for UA and TA contexts, yet drivers with UFOV impairments responded less frequently in both alarm contexts. Diminished hazard perception ability, slower simple response times, and degraded contrast sensitivity likely account for the fewer and slower responses. Interestingly older drivers with impairments did respond more frequently when warned during the TA context. They also rated FAs and NAs more positively than the other driver groups. The results of this study suggest applying signal detection theory without concern for the alarm context and driver characteristics is insufficient for understanding how different alarms influence operators and that subjective data can inform design. Researchers are encouraged to combine multiple perspectives that incorporate of both an engineering and human perspective.

collision warning systems

False alarms

older drivers

trust

Industrial Engineering

Eye-tracking to Evaluate Trust in Human-ATR Interaction

Adelman, Samuel Francis

21 May 2020

No description available.

Engineering

Trust

Automation

Eye Tracking

ATR Algorithms

False Alarms

Alarm Safety in a Regional Neonatal Intensive Care Unit

Probst, Piper

01 January 2015

Alarm fatigue is a practice problem that applies to hospitalized patients and the nurses who care for them. Addressing alarm fatigue is important to promote alarm safety and to decrease the risk of patient harm or death. The purpose of this study was to decrease alarm fatigue and improve alarm safety in a regional neonatal intensive care unit (RNICU). Guided by the conceptual model for alarm fatigue and alarm safety, this study addressed whether or not alarm management protocols designed to decrease false and nuisance alarms in the physiological monitoring of neonates improve alarm safety via decreased alarm burden and alarm fatigue as evidenced by statistically significant reductions in false and nuisance alarms. A quantitative, time series quasi-experimental design was used with 4 waves of data collection. One wave was baseline data collected preintervention, and 3 waves of data were postprotocol implementation to obtain an initial indication of sustainability. Alarm observation data collection sheets were developed and used to track numbers and types of alarms pre- and post-protocol implementation. The data analysis showed statistically significant decreases in both false alarms and nuisance alarms related to the physiological monitoring protocol and lead changing protocol. Overall, high protocol adherence was noted, and the total number of alarms per hour per bed was reduced by 42% (p < .001), 46% (p < .001), and 50% (p < .001) from baseline at Weeks 2, 4, and 6, respectively. Implications from this study include impact on practice and policy, direction for future study, and a call for social change to promote alarm safety in the care of neonates.

alarm fatigue

alarm safety

clinical alarms

false alarms

nuisance alarms

relevant alarms

Nursing

Tornado outbreak false alarm probabilistic forecasts with machine learning

Snodgrass, Kirsten Reed

12 May 2023

Tornadic outbreaks occur annually, causing fatalities and millions of dollars in damage. By improving forecasts, the public can be better equipped to act prior to an event. False alarms (FAs) can hinder the public’s ability (or willingness) to act. As such, a probabilistic FA forecasting scheme would be beneficial to improving public response to outbreaks. Here, a machine learning approach is employed to predict FA likelihood from Storm Prediction Center (SPC) tornado outbreak forecasts. A database of hit and FA outbreak forecasts spanning 2010 – 2020 was developed using historical SPC convective outlooks and the SPC Storm Reports database. Weather Research and Forecasting (WRF) model simulations were done for each outbreak to characterize the underlying meteorological environments. Parameters from these simulations were used to train a support vector machine (SVM) to forecast FAs. Results were encouraging and may result in further applications in severe weather operations.

Tornado outrbeak

False alarms

Artificial intelligence

Machine learning

Artificial Intelligence and Robotics

Meteorology

Evaluation Of Multi Target Tracking Algorithms In The Presence Of Clutter

Guner, Onur

01 August 2005

ABSTRACT EVALUATION OF MULTI TARGET TRACKING ALGORITHMS IN THE PRESENCE OF CLUTTER G&uuml / ner, Onur M.S., Department of Electrical and Electronics Engineering Supervisor: Prof. Dr. Mustafa Kuzuoglu August 2005, 88 Pages This thesis describes the theoretical bases, implementation and testing of a multi target tracking approach in radar applications. The main concern in this thesis is the evaluation of the performance of tracking algorithms in the presence of false alarms due to clutter. Multi target tracking algorithms are composed of three main parts: track initiation, data association and estimation. Two methods are proposed for track initiation in this work. First one is the track score function followed by a threshold comparison and the second one is the 2/2 &amp / M/N method which is based on the number of detections. For data association problem, several algorithms are developed according to the environment and number of tracks that are of interest. The simplest method for data association is the nearest-neighbor data association technique. In addition, the methods that use multiple hypotheses like probabilistic data association and joint probabilistic data association are introduced and investigated. Moreover, in the observation to track assignment, gating is an important issue since it reduces the complexity of the computations. Generally, ellipsoidal gates are used for this purpose. For estimation, Kalman filters are used for state prediction and measurement update. In filtering, target kinematics is an important point for the modeling. Therefore, Kalman filters based on different target kinematic models are run in parallel and the outputs of filters are combined to yield a single solution. This method is developed for maneuvering targets and is called interactive multiple modeling (IMM). All these algorithms are integrated to form a multi target tracker that works in the presence (or absence) of clutter. Track score function, joint probabilistic data association (JPDAF) and interactive multiple model filtering are used for this purpose. Keywords: clutter, false alarms, track initiation, data association, gating, target kinematics, IMM, JPDAF

TK Electronics 7800-8360

Implementing an Intelligent Alarm System in Intensive Care Units

Kilinc, Derya, Ghattas, Mattias

January 2016

Today’s intensive care units monitor patients through the use of various medical devices, which generate a high ratio of false positive alarms due to a low alarm specificity. The false alarms have resulted in a stressful working environment for healthcare professionals that are getting more desensitized to triggered alarms and causing alarm fatigue. The patient safety is also compromised by having high noise levels in the patient room, which disturbs their sleep. This thesis has developed an intelligent alarm system with an improved alarm management and the use of 23 intelligent algorithms to minimize the number of false positive alarms. The suggested system is capable of improving the alarm situation and increasing the patient safety in critical care. The algorithms were modeled with fuzzy logics consisting of delays and multi parameter validation. The results were iteratively developed by having focus groups with various experts.

ICU

false alarms

alarm fatigue

intelligent alarm

smart alarm

fuzzy logic

delay

cross-check

Medical Engineering

Medicinteknik

Détection des changements de points multiples et inférence du modèle autorégressif à seuil / Detection of abrupt changes and autoregressive models

Elmi, Mohamed Abdillahi

30 March 2018

Cette thèse est composée de deux parties: une première partie traite le problème de changement de régime et une deuxième partie concerne le processusautorégressif à seuil dont les innovations ne sont pas indépendantes. Toutefois, ces deux domaines de la statistique et des probabilités se rejoignent dans la littérature et donc dans mon projet de recherche. Dans la première partie, nous étudions le problème de changements derégime. Il existe plusieurs méthodes pour la détection de ruptures mais les principales méthodes sont : la méthode de moindres carrés pénalisés (PLS)et la méthode de derivée filtrée (FD) introduit par Basseville et Nikirov. D’autres méthodes existent telles que la méthode Bayésienne de changementde points. Nous avons validé la nouvelle méthode de dérivée filtrée et taux de fausses découvertes (FDqV) sur des données réelles (des données du vent sur des éoliennes et des données du battement du coeur). Bien naturellement, nous avons donné une extension de la méthode FDqV sur le cas des variables aléatoires faiblement dépendantes.Dans la deuxième partie, nous étudions le modèle autorégressif à seuil (en anglais Threshold Autoregessive Model (TAR)). Le TAR est étudié dans la littérature par plusieurs auteurs tels que Tong(1983), Petrucelli(1984, 1986), Chan(1993). Les applications du modèle TAR sont nombreuses par exemple en économie, en biologie, l'environnement, etc. Jusqu'à présent, le modèle TAR étudié concerne le cas où les innovations sont indépendantes. Dans ce projet, nous avons étudié le cas où les innovations sont non corrélées. Nous avons établi les comportements asymptotiques des estimateurs du modèle. Ces résultats concernent la convergence presque sûre, la convergence en loi et la convergence uniforme des paramètres. / This thesis has two parts: the first part deals the change points problem and the second concerns the weak threshold autoregressive model (TAR); the errors are not correlated.In the first part, we treat the change point analysis. In the litterature, it exists two popular methods: The Penalized Least Square (PLS) and the Filtered Derivative introduced by Basseville end Nikirov.We give a new method of filtered derivative and false discovery rate (FDqV) on real data (the wind turbines and heartbeats series). Also, we studied an extension of FDqV method on weakly dependent random variables.In the second part, we spotlight the weak threshold autoregressive (TAR) model. The TAR model is studied by many authors such that Tong(1983), Petrucelli(1984, 1986). there exist many applications, for example in economics, biological and many others. The weak TAR model treated is the case where the innovations are not correlated.

Dérivées filtrées

Fausses alarmes

Changement de points

Taux de fausses découvertes

Modèles autorégressif

Série temporelle

Filtered Derivative

False alarms

Change points

False Discovery Rate

Autoressive models

Time series

510