Hidden Markov Models for Intrusion Detection Under Background Activity / Dolda Markovmodeller för intrångsdetektion under bakgrundsaktivitet

Siridol-Kjellberg, Robert

January 2023

Detecting a malicious hacker intruding on a network system can be difficult. This challenge is made even more complex by the network activity generated by normal users and by the fact that it is impossible to know the hacker’s exact actions. Instead, the defender of the network system has to infer the hacker’s actions by statistics collected by the intrusion detection system, IDS. This thesis investigates the performance of hidden Markov models, HMM, to detect an intrusion automatically under different background activities generated by normal users. Furthermore, background subtraction techniques with inspiration from computer vision are investigated to see if normal users’ activity can be filtered out to improve the performance of the HMMs.The results suggest that the performance of HMMs are not sensitive to the type of background activity but rather to the number of normal users present. Furthermore, background subtraction enhances the performance of HMMs slightly. However, further investigations into how background subtraction performs when there are many normal users must be done before any definitive conclusions. / Det kan vara svårt att upptäcka en hackare som gör intrång i ett nätverkssystem. Utmaningen blir ännu större genom nätverksaktiviteten som genereras av vanliga användare och av det faktum att det är omöjligt att veta hackarens exakta handlingar. Istället måste nätverkssystemets försvarare använda insamlad data från intrångsdetekteringssystemet, IDS, för att estimera hackarens handlingar. Detta arbete undersöker förmågan hos dolda Markovmodeller, HMM, att automatiskt upptäcka dataintrång under olika typer av bakgrundsaktiviteter som genereras av normala användare. Dessutom undersöks bakgrundssubtraktionstekniker med inspiration från datorseende för att se om normala användares aktivitet kan filtreras bort för att förbättra prestanda hos HMM. Resultaten tyder på att prestandan för HMM inte är känsliga för typen av bakgrundsaktivitet utan snarare för antalet närvarande normala användare. Dessutom förbättrar bakgrundssubtraktion prestandan hos HMM. Det krävs dock mer forskning för att dra definitiva slutsatser kring vilken effekt bakgrundssubstitution har när antalet normala användare är stort.

Hidden Markov models

Cyber security

Intrusion detection

Clustering

Background subtraction

Dolda Markovmodeller

Cybersäkerhet

Dataintrång

Klustring

Bakgrundssubtraktion

Other Mathematics

Annan matematik

Vers la sécurité des conteneurs : les comprendre et les sécuriser

Lapointe, Hugo B.

06 1900

To facilitate shorter modern development cycles, as well as the ephemeral nature of cloud computing, many organizations are now running their applications in containers, a form of operating system virtualization. These new environments are often referred to as containerized environments. However, these environments are not without risk. Recent studies have shown that containerized applications are, like all types of applications, prone to various attacks. Another problem for those working in IT security is that containerized applications are often very dynamic and short-lived, which compounds the problem because it is more difficult to audit their activities or even make an investigation. In case of intrusion. In this thesis, we propose an intrusion detection system based on machine learning for containerized environments. Containers provide isolation between the host system and the containerized environment by efficiently grouping applications and their dependencies. In this way, containers become a portable software environment. However, unlike virtual machines, containers share the same kernel as the host operating system. In order to be able to do anomaly detection, our system uses this feature to monitor system calls sent from a container to a host system. Thus, the monitored container does not have to be modified and our system is not required to know the nature of the container to monitor it. The results of our experiments show that it is indeed possible to use system calls to detect abnormal behaviour made by a containerized application without having to modify the container. / Afin de faciliter les cycles de développement moderne plus courts, ainsi que la nature éphémère de l’infonuagique, de nombreuses organisations exécutent désormais leurs applications dans des conteneurs, une forme de virtualisation du système d'exploitation. Ces nouveaux environnements sont souvent appelés environnements conteneurisés. Cependant, ces environnements ne sont pas sans risque. Des études récentes ont montré que les applications conteneurisées sont, comme tous les types d’applications, sujettes à diverses attaques. Un autre problème pour ceux qui travaillent dans le domaine de la sécurité informatique est que les applications conteneurisées sont souvent très dynamiques et de courte durée, ce qui aggrave le problème, car il est plus difficile d’auditer leurs activités ou encore de faire une enquête en cas d’intrusion. Dans ce mémoire, nous proposons un système de détection d’intrusion basé sur l’apprentissage machine pour les environnements conteneurisés. Les conteneurs assurent l'isolation entre le système hôte et l'environnement conteneurisé en regroupant efficacement, les applications ainsi que leurs dépendances. De cette façon, les conteneurs deviennent un environnement logiciel portable. Cependant, contrairement aux machines virtuelles, les conteneurs partagent le même noyau que le système d'exploitation hôte. Afin de pouvoir faire la détection d'anomalies, notre système utilise cette caractéristique pour surveiller les appels système envoyés d’un conteneur vers un système hôte. Ainsi, le conteneur surveillé n’a pas à être modifié et notre système n'est pas tenu de connaitre la nature du conteneur pour le surveiller. Les résultats de nos expériences montrent qu’il est en effet possible d’utiliser les appels système afin de détecter des comportements anormaux faits par une application conteneurisée et ce sans à avoir à modifier le conteneur.

Conteneur

Sécurité

Apprentissage Machine

Détection d’Intrusion

Container

Security

Machine learning

Intrusion detection

Investigating the security of a microservices architecture : A case study on microservice and Kubernetes Security

Muresu, Daniel

January 2021

The concept of breaking down a bigger application into smaller components is not a new idea, but it has been more commonly adopted in recent years due to the rise of the microservice application architecture. What has not been elaborated on enough however, is the security of the microservice architecture and how it differs from a monolithic application architecture. This leads to question what the most relevant security vulnerabilities of integrating and using a microservice architecture are, and what the correlating metrics that can be used to detect intrusions based on the vulnerabilities can be. In this report, the security of the microservice architecture is elaborated on in a case study of the system at Skatteverket, the Swedish tax agency, which is a microservice based architecture running on Kubernetes. Interviews are conducted with people that have experience in Kubernetes and microservices separately, both employed at Skatteverket and elsewhere. In the interviews, vulnerabilities and intrusion detection metrics are identified, which are then analyzed with respect to a use case in the Skatteverket system. A survey is also done on the existing technologies that can mitigate the identified vulnerabilities that are related to a microservice architecture. The vulnerabilities present in the use case are then concluded to be most relevant, the identified intrusion detection metrics are elaborated on and the service mesh technology Istio is found to mitigate largest number of the identified vulnerabilities. / Konceptet att bryta ner en större applikation i mindre komponenter är inte en ny idé, men den har blivit vanligare under de senaste åren på grund av växten i användning av mikrotjänstsarkitekturer. Vad som dock inte har utforskats tillräckligt är säkerheten för mikrotjänstarkitekturen och hur den skiljer sig från en monolitisk applikationsarkitektur. Detta leder till att fråga vilka de mest relevanta säkerhetsriskerna med att integrera och använda en mikrotjänstarkitektur är, och vilka mätvärden som kan användas för att upptäcka intrång baserat på riskerna kan vara. I denna rapport utforskas säkerheten för mikrotjänstarkitekturer genom en fallstudie av systemet hos Skatteverket, som är en mikrotjänstbaserad arkitektur som körs på Kubernetes. Intervjuer genomförs med personer som har erfarenhet av Kubernetes och mikrotjänster separat, både med anställda på Skatteverket och på annat håll. I intervjuerna identifieras risker och mätvärden för att märka av intrång som sedan analyseras med avseende på ett användningsfall i Skatteverketssystemet. En undersökning görs också om befintlig teknik som kan mildra de identifierade riskerna som är relaterade till en mikrotjänstarkitektur. De risker som förekommer i användningsfallet anses sedan till att vara mest relevanta i slutsatserna, de identifierade mätvärdena för att märka av intrång diskuteras och service mesh teknologin Istio anses mitigera störst antal av de identifierade riskerna.

Microservices

Security

Kubernetes

Intrusion detection

Security tools

Mikrotjänster

säkerhet

Kubernetes

upptäcka intrång

säkerhetsverktyg

Computer Sciences

Datavetenskap (datalogi)

Web-Based Intrusion Detection System

Ademi, Muhamet

January 2013

Web applications are growing rapidly and as the amount of web sites globallyincreases so do security threats. Complex applications often interact with thirdparty services and databases to fetch information and often interactions requireuser input. Intruders are targeting web applications specifically and they are ahuge security threat to organizations and a way to combat this is to haveintrusion detection systems. Most common web attack methods are wellresearched and documented however due to time constraints developers oftenwrite applications fast and may not implement the best security practices. Thisreport describes one way to implement a intrusion detection system thatspecifically detects web based attacks.

intrusion detection system

ids

web application security

web application

network security

web security

Engineering and Technology

Teknik och teknologier

Network Traffic Analysis and Anomaly Detection : A Comparative Case Study

Babu, Rona

January 2022

Computer security is to protect the data inside the computer, relay the information, expose the information, or reduce the level of security to some extent. The communication contents are the main target of any malicious intent to interrupt one or more of the three aspects of the information security triad (confidentiality, integrity, and availability). This thesis aims to provide a comprehensive idea of network traffic analysis, various anomaly or intrusion detection systems, the tools used for it, and finally, a comparison of two Network Traffic Analysis (NTA) tools available in the market: Splunk and Security Onion and comparing their finding to analyse their feasibility and efficiency on Anomaly detection. Splunk and Security Onion were found to be different in the method of monitoring, User Interface (UI), and the observations noted. Further scope for future works is also suggested from the conclusions made.

Computer security

Network Traffic Analysis (NTA)

SIEM

Splunk

Security Onion

Engineering and Technology

Teknik och teknologier

Anomalous Behavior Detection in Aircraft based Automatic Dependent Surveillance–Broadcast (ADS-B) system using Deep Graph Convolution and Generative model (GA-GAN)

Kenaudekar, Jayesh

January 2022

The Automatic Dependent Surveillance-Broadcast (ADS-B) is a key component of the Next Generation Air Transportation System (Next Gen) that manages the increasingly congested airspace and operation. From Jan 2020, the U.S. Federal Aviation Administration (FAA) mandated the use of (ADS-B) as a key component of Next Gen project. ADS-Bprovides accurate aircraft localization via satellite navigation and efficient air traffic management, and also improves the safety of thousands of passengers travelling worldwide. While the benefits of ADS-B are well known, the fact that ADS-B is an open protocol introduces various exploitable security vulnerabilities. One practical threat is the ADS-B spoofing attack that targets the ground station, in which the ground-based attacker manipulates the International Civil Aviation Organization (ICAO) address (which is a unique identifierfor each aircraft) in the ADS-B forwarded messages to fake the appearance of non-existent aircraft or masquerade as a trusted aircraft. As a result, this type of attack can confuseand misguide the aircraft pilots or the air traffic control personnel and cause dangerous maneuvers. In this project, we intend to build a robust Intrusion Detection System (IDS) to detectanomalous behavior and classify attacks in an aircraft ADS-B protocol in real time duringair-ground communication. The IDS system we propose is a 3 stage deep learning framework built using Spatial Graph Convolution Networks and Deep auto-regressive generative model. In stage 1 we use a Graph convolution network architecture to classify the dataas attacked or normal in the entire airspace of an operating aircraft. In stage 2 we analyze the sequences of air-space states to identify anomalies using a generative Wavenet modeland simultaneously output feature under attack. Final stage consist of aircraft (ICAO) classification module based on unique RF transmitter signal characteristics of an aircraft. This allows the ground station operator to examine each incoming message based on the Phylayer features as well as message data field (such as, position, velocity, altitude) and flagsuspicious messages. The model is trained in a supervised fashion using federated learning where the data remains private to the data owner, i.e.: aircraft-ground station without data being explicitly sent to the cloud server. The server only receives the learned parameters for inference, there by training the entire model on the edge, thus preserving data-privacyand potential adversarial attacks. We aim to achieve a high precision real-time IDS system, with very low false alarm rate for real world deployment

Computer Systems

Datorsystem

Intrusion Detection and Recovery of a Cyber-Power System

Zhu, Ruoxi

06 June 2024

The advent of Information and Communications Technology (ICT) in power systems has revolutionized the monitoring, operation, and control mechanisms through advanced control and communication functions. However, this integration significantly elevates the vulnerability of modern power systems to cyber intrusions, posing severe risks to the integrity and reliability of the power grid. This dissertation presents the results of a comprehensive study into the detection of cyber intrusions and restoration of cyber-power systems post-attack with a focus on IEC 61850 based substations and recovery methodologies in the cyber-physical system framework. The first step of this study is to develop a novel Intrusion Detection System (IDS) specifically designed for deployment in automated substations. The proposed IDS effectively identifies falsified measurements within Manufacturing Messaging Specification (MMS) messages by verifying the consistency of electric circuit laws. This distributed approach helps avoid the transfer of contaminated measurements from substations to the control center, ensuring the integrity of SCADA systems. Utilizing a cyber-physical system testbed and the IEEE 39-bus test system, the IDS demonstrates high detection accuracy and validates its efficacy in real-time operational environments. Building upon the intrusion detection methodology, this dissertation advances into cyber system recovery strategies, which are designed to meet the challenges of restoring a power grid as a cyber-physical system following catastrophic cyberattacks. A novel restoration strategy is proposed, emphasizing the self-recovery of a substation automation system (SAS) within the substation through dynamic network reconfiguration and collaborative efforts among Intelligent Electronic Devices (IEDs). This strategy, validated through a cyber-power system testbed incorporating SDN technology and IEC 61850 protocol, highlights the critical role of cyber recovery in maintaining grid resilience. Further, this research extends its methodology to include a cyber-physical system restoration strategy that integrates an optimization-based multi-system restoration approach with cyber-power system simulation for constraint checking. This innovative strategy developed and validated using an Software Defined Networking (SDN) network for the IEEE 39-bus system, demonstrates the capability to efficiently restore the cyber-power system and maximize restoration capability following a large-scale cyberattack. Overall, this dissertation makes original contributions to the field of power system security by developing and validating effective mechanisms for the detection of and recovery from cyber intrusions in the cyber-power system. Here are the main contributions of this dissertation: 1) This work develops a distributed IDS, specifically designed for the substation automation environment, capable of pinpointing the targets of cyberattacks, including sophisticated attacks involving multiple substations. The effectiveness of this IDS in a real-time operational context is validated to demonstrate its efficiency and potential for widespread deployment. 2) A novel recovery strategy is proposed to restore the critical functions of substations following cyberattacks. This strategy emphasizes local recovery procedures that leverage the collaboration of devices within the substation network, circumventing the need for external control during the initial recovery phase. The implementation and validation of this method through a cyber-physical system testbed—specifically, within an IEC 61850 based Substation Automation System (SAS)—underscores its practicality and effectiveness in real-world scenarios. 3) The dissertation results in a new co-restoration strategy that integrates mixed integer linear programming to sequentially optimize the restoration of generators, power components, and communication nodes. This approach ensures optimal restoration decisions within a limited time horizon, enhancing the recovery capabilities of the cyber-power system. The application of an SDN based network simulator facilitates accurate modeling of cyber-power system interactions, including communication constraints and dynamic restoration scenarios. The strategy's adaptability is further improved by real-time assessment of the feasibility of the restoration sequence incorporating power flow and communication network constraints to ensure an effective recovery process. / Doctor of Philosophy / Electricity is a critical service that supports the society and economy. Today, electric power systems are becoming smarter, using advanced Information and Communications Technology to manage and distribute electricity more efficiently. This new technology creates a smart grid, a network that not only delivers power but also uses computers and other tools to remotely monitor electricity flows and address any issues that may arise. However, these smart systems with high connectivity utilizing information and communication systems can be vulnerable to cyberattacks, which could disrupt the electricity supply. To protect against these threats, this study is focused on creating systems that can detect when an abnormal condition is taking place in the cyber-power grid. These detection systems are designed to detect and identify signs of cyberattacks at key points in the power network, particularly at substations, which play a vital role in the delivery of electricity. Substations control the power grid operating conditions to make sure that electricity service is reliable and efficient for the consumers Just like traffic lights help manage the flow of vehicles, substations manage the flow of electricity to make sure electric energy is delivered to where it needed. Once a cyberattack is detected, the next step is to stop the attack and mitigate the impact it may have made to ensure that the power grid returns to normal operations as quickly as possible. This dissertation is concerned with the development and validation of analytical and computational methods to quickly identify the cyberattacks and prevent the disruptions to the electricity service. Also, the focus of this work is also on a coordinated recovery of both the cyber system ( digital controls and monitoring) and power system (physical infrastructure including transformers and transmission and distribution lines). This co-restoration approach is key to sustain the critical electricity service and ensures that the grid is resilient against the cyber threats. By developing strategies that address both the cyber and physical aspects, the proposed methodology aims to minimize downtime and reduce the impact of large-scale cyberattacks on the electrical infrastructure. The impact of the results of this dissertation is the enhancement of security and resilience of the electric energy supply in an era where the risks of cyber threats are increasingly significantly. Overall, by developing new methodologies to detect and respond to cyberattacks, the cyber-power system's capability to withstand and recover from cyberattacks is enhanced in the increasingly technology-dependent power grid environment.

Intrusion Detection

Intrusion Mitigation

Cyber Resilience

Cyber-Physical System

Cyber System Recovery

SCADA

DNP3

Digital Substations

IEC 61850

Dynamic Redundancy Management of Multisource Multipath Routing Integrated with Voting-based Intrusion Detection in Wireless Sensor Networks

Al-Hamadi, Hamid Helal

24 April 2014

Wireless sensor networks (WSNs) are frequently deployed unattended and can be easily captured or compromised. Once compromised, intrusion prevention methods such as encryption can no longer provide any protection, as a compromised node is considered a legitimate node and possesses the secret key for decryption. Compromised nodes are essentially inside attackers and can perform various attacks to break the functionality of the system. Thus, for safety-critical WSNs, intrusion detection techniques must be used to detect and remove inside attackers and fault tolerance techniques must be used to tolerate inside attackers to prevent security failure. In this dissertation research, we develop a class of dynamic redundancy management algorithms for redundancy management of multisource multipath routing for fault and intrusion tolerance, and majority voting for intrusion detection, with the goal of maximizing the WSN lifetime while satisfying application quality-of-service and security requirements, for base station based WSNs, homogeneous clustered WSNs, and heterogeneous clustered WSNs. By means of a novel model-based analysis methodology based on probability theory, we model the tradeoff between energy consumption vs. reliability, timeliness and security gain, and identify the optimal multisource multipath redundancy level and intrusion detection settings for maximizing the lifetime of the WSN while satisfying application quality-of-service requirements. A main contribution of our research dissertation is that our dynamic redundancy management protocol design addresses the issues of "how many paths to use" and "what paths to use" in multisource multipath routing for intrusion tolerance. Another contribution is that we take an integrated approach combining intrusion detection and tolerance in the protocol design to address the issue of "how much intrusion detection is enough" to prevent security failure and prolong the WSN lifetime time. We demonstrate resiliency of our dynamic redundancy management protocol design for intrusion detection and tolerance against sophisticated attacker behaviors, including selective and random capture, as well as persistent, random, opportunistic and insidious attacks, by model-based performance analysis with results supported by extensive simulation based on ns3. / Ph. D.

Wireless sensor networks

multisource multipath routing

dynamic redundancy management

energy conservation

reliability

security

intrusion detection

intrusion tolerance

performance analysis.

Efficient Key Management, and Intrusion Detection Protocols for Enhancing Security in Mobile Ad Hoc Networks

Maity, Soumyadev

January 2014

Security of communications is a major requirement for Mobile Adhoc NETworks(MANETs) since they use wireless channel for communications which can be easily tapped, and physical capture of MANET nodes is also quite easy. From the point of view of providing security in MANETs, there are basically two types of MANETs, viz., authoritarian MANETs, in which there exist one or more authorities who decide the members of the network, and self-organized MANETs, in which there is no such authority. Ensuring security of communications in the MANETs is a challenging task due to the resource constraints and infrastructure-less nature of these networks, and the limited physical security of MANET nodes. Attacks on security in a MANET can be launched by either the external attackers which are not legitimate members of the MANET or the internal attackers which are compromised members of the MANET and which can hold some valid security credentials or both. Key management and authentication protocols(KM-APs)play an important role in preventing the external attackers in a MANET. However, in order to prevent the internal attackers, an intrusion detection system(IDS) is essential. The routing protocols running in the network layer of a MANET are most vulnerable to the internal attackers, especially to the attackers which launch packet dropping attack during data packet forwarding in the MANET. For an authoritarian MANET, an arbitrated KM-AP protocol is perfectly suitable, where trusts among network members are coordinated by a trusted authority. Moreover, due to the resource constraints of a MANET, symmetric key management protocols are more efficient than the public key management protocols in authoritarian MANETs. The existing arbitrated symmetric key management protocols in MANETs, that do not use any authentication server inside the network are susceptible to identity impersonation attack during shared key establishments. On the other hand, the existing server coordinated arbitrated symmetric key management protocols in MANETs do not differentiate the role of a membership granting server(MGS) from the role of an authentication server, and so both are kept inside the network. However, keeping the MGS outside the network is more secure than keeping it inside the network for a MANET. Also, the use of a single authentication server inside the network cannot ensure robustness against authentication server compromise. In self-organized MANETs, public key management is more preferable over symmetric key management, since the distribution of public keys does not require a pre-established secure channel. The main problem for the existing self-organized public key management protocols in MANETs is associated with the use of large size certificate chains. Besides, the proactive certificate chaining based approaches require each member of a MANET to maintain an updated view of the trust graph of the entire network, which is highly resource consuming. Maintaining a hierarchy of trust relationships among members of a MANET is also problematic for the same reason. Evaluating the strength of different alternative trust chains and restricting the length of a trust chain used for public key verification is also important for enhancing the security of self-organized public key management protocols. The existing network layer IDS protocols in MANETs that try to defend against packet dropping attack use either a reputation based or an incentive based approach. The reputation based approaches are more effective against malicious principals than the incentive based approaches. The major problem associated with the existing reputation based IDS protocols is that they do not consider the protocol soundness issue in their design objectives. Besides, most of the existing protocols incorporate no mechanism to fight against colluding principals. Also, an IDS protocol in MANETs should incorporate some secure and efficient mechanism to authenticate the control packets used by it. In order to mitigate the above mentioned problems in MANETs, we have proposed new models and designed novel security protocols in this thesis that can enhance the security of communications in MANETs at lesser or comparable cost. First, in order to perform security analysis of KM-AP protocols, we have extended the well known strand space verification model to overcome some of its limitations. Second, we have proposed a model for the study of membership of principals in MANETs with a view to utilize the concept for analyzing the applicability and the performance of KM-AP protocols in different types of MANETs. Third and fourth, we have proposed two novel KM-AP protocols, SEAP and CLPKM, applicable in two different types of MANET scenarios. The SEAP protocol is an arbitrated symmetric key management protocol designed to work in an authoritarian MANET, whereas the CLPKM protocol is a self-organized public key management protocol designed for self-organized MANETs. Fifth, we have designed a novel reputation based network layer IDS protocol, named EVAACK protocol, for the detection of packet dropping misbehavior in MANETs. All of the three proposed protocols try to overcome the limitations of the existing approaches in their respective categories. We have provided rigorous mathematical proofs for the security properties of the proposed protocols. Performance of the proposed protocols have been compared with those of the other existing similar approaches using simulations in the QualNet simulator. In addition, we have also implemented the proposed SEAP and CLPKM protocols on a real MANET test bed to test their performances in real environments. The analytical, simulation and experimentation results confirm the effectiveness of the proposed schemes.

Mobile Ad Hoc Networks (MANET)

Mobile Ad Hoc Network Security

Intrusion Detection Systems (IDSs)

Extended Strand Space Model

Intrusion Detection Protocols

MANETs

Strand Space Model

Intrusion Detection Systems (IDSs)

Communication Engineering

Visualising network security attacks with multiple 3D visualisation and false alert classification

Musa, Shahrulniza

January 2008

Increasing numbers of alerts produced by network intrusion detection systems (NIDS) have burdened the job of security analysts especially in identifying and responding to them. The tasks of exploring and analysing large quantities of communication network security data are also difficult. This thesis studied the application of visualisation in combination with alerts classifier to make the exploring and understanding of network security alerts data faster and easier. The prototype software, NSAViz, has been developed to visualise and to provide an intuitive presentation of the network security alerts data using interactive 3D visuals with an integration of a false alert classifier. The needs analysis of this prototype was based on the suggested needs of network security analyst's tasks as seen in the literatures. The prototype software incorporates various projections of the alert data in 3D displays. The overview was plotted in a 3D plot named as "time series 3D AlertGraph" which was an extension of the 2D histographs into 3D. The 3D AlertGraph was effectively summarised the alerts data and gave the overview of the network security status. Filtering, drill-down and playback of the alerts at variable speed were incorporated to strengthen the analysis. Real-time visual observation was also included. To identify true alerts from all alerts represents the main task of the network security analyst. This prototype software was integrated with a false alert classifier using a classification tree based on C4.5 classification algorithm to classify the alerts into true and false. Users can add new samples and edit the existing classifier training sample. The classifier performance was measured using k-fold cross-validation technique. The results showed the classifier was able to remove noise in the visualisation, thus making the pattern of the true alerts to emerge. It also highlighted the true alerts in the visualisation. Finally, a user evaluation was conducted to find the usability problems in the tool and to measure its effectiveness. The feed backs showed the tools had successfully helped the task of the security analyst and increased the security awareness in their supervised network. From this research, the task of exploring and analysing a large amount of network security data becomes easier and the true attacks can be identified using the prototype visualisation tools. Visualisation techniques and false alert classification are helpful in exploring and analysing network security data.

005.8