Research Student Profile


Dr Nor Badrul Anuar Jumaat, PhD

Research Student

Brief biographical information

Access thesis on-line

Incident Prioritisation for Intrusion Response Systems

The landscape of security threats continues to evolve, with attacks becoming more serious and the number of vulnerabilities rising. To manage these threats, many security studies have been undertaken in recent years, focusing mainly on improving the efficiency of detection, prevention and response. Although security tools such as antivirus software and firewalls are available to counter them, Intrusion Detection Systems and related tools such as Intrusion Prevention Systems remain among the most popular approaches. Hundreds of published works on intrusion detection aim to increase the efficiency and reliability of detection, prevention and response systems. Whilst intrusion detection technology has advanced, there are still areas to explore, particularly the process of selecting appropriate responses.

Supporting a variety of response options, such as proactive, reactive and passive responses, enables security analysts to select the most appropriate response in different contexts. A methodical approach that separates important incidents from trivial ones is therefore needed first. However, with thousands of incidents identified every day, relying upon manual processes to judge their importance and urgency is difficult, error-prone and time-consuming, so prioritising them automatically would help security analysts to focus only on the most critical ones. Existing approaches to incident prioritisation provide various ways to prioritise incidents, but less attention has been given to adopting them within an automated response system, and although some studies have recognised the advantages of prioritisation, they have not been followed by further work investigating the effectiveness of the process.

This study concerns enhancing the incident prioritisation scheme to identify critical incidents based upon their criticality and urgency, in order to facilitate an autonomous mode for the response selection process in Intrusion Response Systems. To achieve this aim, the study proposes a novel framework which combines models and strategies identified from a comprehensive literature review. A model to estimate the level of risk of incidents is established, named the Risk Index Model (RIM). Using these risk levels, the Response Strategy Model (RSM) dynamically maps incidents to different types of response: serious incidents are mapped to active responses in order to minimise their impact, while incidents with less impact receive passive responses. The combination of these models provides a seamless way to map incidents automatically; however, it needs to be evaluated in terms of its effectiveness and performance. An evaluation study with four stages was undertaken: a feasibility study of the RIM; comparison studies against industry standards such as the Common Vulnerability Scoring System (CVSS) and Snort; an examination of the effect of different strategies in the rating and ranking process; and a test of the effectiveness and performance of the RSM. With promising results gathered, a proof-of-concept study was conducted to demonstrate the framework using a live-traffic network simulation with an online assessment mode via the Security Incident Prioritisation Module (SIPM); this study was used to investigate its effectiveness and practicality.
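The abstract describes the framework only at the level of its components: a Risk Index Model rates incidents, and a Response Strategy Model maps the resulting risk levels to active or passive responses, with the 2012 journal paper listed below naming the analytic hierarchy process (AHP) as the weighting technique behind the RIM. The following is an added illustration of that shape, not code from the thesis or from the author: it derives criterion weights from an AHP pairwise-comparison matrix and checks their consistency, scores incidents as a weighted risk index, ranks them, and maps the index to a response type. The criteria, the pairwise judgements, the incident scores and the thresholds are all constructed assumptions; the thesis's own criteria and mappings are not given on this page.

```python
"""AHP-weighted incident prioritisation with a response-type mapping.

Added illustration only. The criteria, pairwise judgements, incident
scores and thresholds below are constructed assumptions; they are not the
thesis's Risk Index Model (RIM) or Response Strategy Model (RSM).
"""
from math import prod
from typing import Dict, List, Sequence, Tuple

# Saaty's random consistency index by matrix order (standard AHP table).
RANDOM_INDEX = {1: 0.0, 2: 0.0, 3: 0.58, 4: 0.90, 5: 1.12, 6: 1.24, 7: 1.32}

# Assumed criteria. The page mentions criticality and urgency; splitting
# them into these three criteria is an assumption made for the example.
CRITERIA = ("asset_criticality", "attack_severity", "urgency")

# Assumed pairwise judgements on Saaty's 1..9 scale: a[i][j] says how much
# more important criterion i is than criterion j. Built to be perfectly
# consistent (weights 4:2:1) so the derived weights can be checked by hand.
JUDGEMENTS = [
    [1.0, 2.0, 4.0],
    [0.5, 1.0, 2.0],
    [0.25, 0.5, 1.0],
]

# Constructed incidents: one score per criterion, already normalised to [0, 1].
SAMPLE_INCIDENTS: Dict[str, Sequence[float]] = {
    "sqli-attempt-against-billing-db": (1.0, 0.8, 0.5),
    "port-scan-from-guest-vlan": (0.2, 0.3, 0.9),
    "malformed-dns-query-to-resolver": (0.5, 0.6, 0.4),
}

# Assumed thresholds on the risk index for the response mapping.
ACTIVE_THRESHOLD = 0.7
REACTIVE_THRESHOLD = 0.4


def ahp_weights(matrix: Sequence[Sequence[float]]) -> Tuple[List[float], float]:
    """Return (weights, consistency_ratio) for a positive reciprocal matrix.

    Weights come from the row geometric-mean method, a standard
    approximation of AHP's principal eigenvector. The consistency ratio
    is Saaty's CI / RI; judgements with CR > 0.1 are conventionally sent
    back to the analyst instead of being used for scoring.
    """
    n = len(matrix)
    if n not in RANDOM_INDEX:
        raise ValueError("no random index tabulated for this matrix order")
    for i in range(n):
        if len(matrix[i]) != n:
            raise ValueError("pairwise matrix must be square")
        for j in range(n):
            # Reciprocity: a[i][j] * a[j][i] must equal 1 for every pair.
            if matrix[i][j] <= 0 or abs(matrix[i][j] * matrix[j][i] - 1.0) > 1e-9:
                raise ValueError(f"not a positive reciprocal matrix at ({i},{j})")
    geo = [prod(row) ** (1.0 / n) for row in matrix]
    total = sum(geo)
    weights = [g / total for g in geo]
    # lambda_max estimated as the mean of (A.w)_i / w_i; it equals n iff consistent.
    aw = [sum(matrix[i][j] * weights[j] for j in range(n)) for i in range(n)]
    lambda_max = sum(aw[i] / weights[i] for i in range(n)) / n
    ci = (lambda_max - n) / (n - 1) if n > 1 else 0.0
    ri = RANDOM_INDEX[n]
    return weights, (ci / ri if ri > 0 else 0.0)


def risk_index(weights: Sequence[float], values: Sequence[float]) -> float:
    """Weighted sum of normalised criterion scores; the result is in [0, 1]."""
    if len(weights) != len(values):
        raise ValueError("one score per criterion is required")
    if any(not 0.0 <= v <= 1.0 for v in values):
        raise ValueError("criterion scores must be normalised to [0, 1]")
    return sum(w * v for w, v in zip(weights, values))


def select_response(index: float) -> str:
    """Map a risk index to a response type (the thresholds are assumptions)."""
    if index >= ACTIVE_THRESHOLD:
        return "active"      # e.g. block the source, reset the session
    if index >= REACTIVE_THRESHOLD:
        return "reactive"    # e.g. alert an analyst, raise monitoring
    return "passive"         # e.g. log only


def prioritise(incidents: Dict[str, Sequence[float]], weights: Sequence[float]
               ) -> List[Tuple[str, float, str]]:
    """Rate every incident, rank highest risk first and attach the response type."""
    rated = [(name, risk_index(weights, vals)) for name, vals in incidents.items()]
    rated.sort(key=lambda item: item[1], reverse=True)
    return [(name, index, select_response(index)) for name, index in rated]


if __name__ == "__main__":
    w, cr = ahp_weights(JUDGEMENTS)
    if cr > 0.1:
        raise SystemExit(f"inconsistent judgements (CR={cr:.3f}); revise before use")
    for name, weight in zip(CRITERIA, w):
        print(f"{name:18s} weight={weight:.3f}")
    for name, index, response in prioritise(SAMPLE_INCIDENTS, w):
        print(f"{index:.3f}  {response:8s} {name}")
```

The consistency check is the part worth keeping whatever criteria are used: pairwise judgements collected from analysts are often circular (A over B, B over C, C over A), and a scheme that silently turns such judgements into weights produces rankings that look authoritative but carry no information. The fixed thresholds are the simplest possible mapping from risk level to response type; the abstract's comparison against CVSS and Snort is where an actual scheme would calibrate them.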

Through the results gathered, this study has demonstrated that the prioritisation process can feasibly be used to facilitate the response selection process in Intrusion Response Systems. The main contribution of this study is to have proposed, designed, evaluated and simulated a framework to support the incident prioritisation process for Intrusion Response Systems.

Dr Nor Badrul Anuar Jumaat

Director of studies: Prof. Steven Furnell
Other supervisors: Dr Maria Papadaki, Dr Nathan Clarke

Journal papers

AndroDialysis: Analysis of Android Intent Effectiveness in Malware Detection
Feizollah A, Anuar NB, Salleh R, Suarez-Tangil G, Furnell SM
Computers & Security, Volume 65, pp. 121-134, 2017

D-FICCA: A Density-based Fuzzy Imperialist Competitive Clustering Algorithm for Intrusion Detection in Wireless Sensor Networks
Shamshirband S, Amini A, Anuar NB, Kiah LM, Wah TY, Furnell SM
Measurement, Volume 55, pp. 212-226, September 2014

A response selection model for intrusion response systems: Response Strategy Model (RSM)
Anuar NB, Papadaki M, Furnell SM, Clarke NL
Security and Communication Networks, 2013

Incident prioritisation using analytic hierarchy process (AHP): Risk Index Model (RIM)
Anuar NB, Papadaki M, Furnell SM, Clarke NL
Security and Communication Networks, 2012


Conference papers

A Response Strategy Model for Intrusion Response Systems
Anuar NB, Papadaki M, Furnell SM, Clarke NL
27th IFIP International Information Security and Privacy Conference (SEC 2012), Heraklion, Crete, Greece, 4-6 June 2012, pp. 573-578

A Risk Index Model for Security Incident Prioritisation
Anuar NB, Furnell SM, Papadaki M, Clarke NL
Proceedings of the 9th Australian Information Security Management Conference (ASIM 2011), Perth, Australia, 5-7 December 2011

An investigation and survey of response options for Intrusion Response Systems (IRSs)
Anuar NB, Papadaki M, Furnell SM, Clarke NL
Proceedings of the 9th Annual Information Security South Africa Conference, Sandton, South Africa, 2-4 August 2010, pp. 1-8, ISBN 978-1-4244-5493-8


Internal publications

Response Mechanisms for Intrusion Response Systems (IRSs)
Anuar NB, Furnell SM, Papadaki M, Clarke NL
Proceedings of the Fifth Collaborative Research Symposium on Security, E-learning, Internet and Networking (SEIN 2009), Darmstadt, Germany, 2009, pp. 3-14, ISBN 978-1-84102-236-9

