Dr. Maxwell G. Dondo Profile

Dr. Maxwell G. Dondo

at DRDC

SPIE Involvement:

Author

Publications (3)

Proceedings Article | 22 May 2014 Paper

Characterization of computer network events through simultaneous feature selection and clustering of intrusion alerts

Siyue Chen, Henry Leung, Maxwell Dondo

Proceedings Volume 9121, 912107 (2014) https://doi.org/10.1117/12.2052852

KEYWORDS: Expectation maximization algorithms, Feature selection, Computer networks, Data modeling, Sensors, Autoregressive models, Data transmission, Network security, Chlorine, Computer security

Read Abstract +

Proceedings Article | 9 April 2007 Paper

AutoCorrel II: a neural network event correlation approach

Maxwell Dondo, Peter Mason, Nathalie Japkowicz, Reuben Smith

Proceedings Volume 6570, 65700H (2007) https://doi.org/10.1117/12.707922

KEYWORDS: Expectation maximization algorithms, Computer intrusion detection, Neural networks, Detection and tracking algorithms, Sensors, Error analysis, Statistical analysis, Selenium, Data storage, Cerium

Read Abstract +

Proceedings Article | 18 April 2006 Paper

AutoCorrel: a neural network event correlation approach

Maxwell Dondo, Nathalie Japkowicz, Reuben Smith

Proceedings Volume 6241, 62410N (2006) https://doi.org/10.1117/12.665041

KEYWORDS: Neural networks, Sensors, Computer intrusion detection, Data storage, Neodymium, Inspection, Systems modeling, Detection and tracking algorithms, Reconstruction algorithms, Artificial neural networks

Read Abstract +

Intrusion detection analysts are often swamped by multitudes of alerts originating from installed intrusion detection systems (IDS) as well as logs from routers and firewalls on the networks. Properly managing these alerts and correlating them to previously seen threats is critical in the ability to effectively protect a network from attacks. Manually correlating events can be a slow tedious task prone to human error. We present a two-stage alert correlation approach involving an artificial neural network (ANN) autoassociator and a single parameter decision threshold-setting unit. By clustering closely matched alerts together, this approach would be beneficial to the analyst. In this approach, alert attributes are extracted from each alert content and used to train an autoassociator. Based on the reconstruction error determined by the autoassociator, closely matched alerts are grouped together. Whenever a new alert is received, it is automatically categorised into one of the alert clusters which identify the type of attack and its severity level as previously known by the analyst. If the attack is entirely new and there is no match to the existing clusters, this would be appropriately reflected to the analyst. There are several advantages to using an ANN based approach. First, ANNs acquire knowledge straight from the data without the need for a human expert to build sets of domain rules and facts. Second, once trained, ANNs can be very fast, accurate and have high precision for near real-time applications. Finally, while learning, ANNs perform a type of dimensionality reduction allowing a user to input large amounts of information without fearing an effciency bottleneck. Thus, rather than storing the data in TCP Quad format (which stores only seven event attributes) and performing a multi-stage query on reduced information, the user can input all the relevant information available and instead allow the neural network to organise and reduce this knowledge in an adaptive and goal-oriented fashion.

View contact details

UPDATE YOUR PROFILE

Is this your profile? Update it now.

Sign into your SPIE.org account

Don’t have a profile and want one?

Create an account on SPIE.org

Keywords/Phrases

Search In:

Publication Years