Showing 1 - 10 results of 10 for search '"anomaly detection"'
  1.

    Anomaly detection using pattern-of-life visual metaphors by Happa, J, Bashford-Rogers, T, Agrafiotis, I, Goldsmith, M, Creese, S

    Published 2019
    “…Similar to other anomaly-detection techniques, false positives do exist in our general approach as well. …”
    Journal article
  2.

    Modeling Advanced Persistent Threats to enhance anomaly detection techniques by Atapour, C, Agrafiotis, I, Creese, S

    Published 2018
    “…We find that attributes from the Command and Control phase of these attacks provide unique features that can be used by any anomaly detection systems. We further validate how expressive our abstract models are by formalizing a fifth APT and examining the behavior that was not captured.…”
    Journal article
  3.

    A state machine system for insider threat detection by Zhang, H, Agrafiotis, I, Erola, A, Creese, S, Goldsmith, M

    Published 2019
    “…Research has focused on providing rule-based detection systems or anomaly detection tools which use features indicative of malicious insider activity. …”
    Conference item
  4.

    A Tripwire Grammar for Insider Threat Detection by Agrafiotis, I, Erola, A, Goldsmith, M, Creese, S

    Published 2016
    “…We then orchestrate these tripwires in conjunction with an anomaly detection system and present an approach to formalising tripwires of both categories. …”
    Conference item
  5.

    Reflecting on the use of sonification for network monitoring by Axon, L, Creese, S, Goldsmith, M, Nurse, J

    Published 2016
    “…In Security Operations Centres (SOCs), computer networks are generally monitored using a combination of anomaly detection techniques, Intrusion Detection Systems (IDS) and data presented in visual and text-based forms. …”
    Conference item
  6.

    Insider-threat detection: Lessons from deploying the CITD tool in three multinational organisations by Erola, A, Agrafiotis, I, Goldsmith, M, Creese, S

    Published 2022
    “…In order to fill this gap, we collaborated with three multinational commercial organisations who trialled our anomaly detection system, and worked with us to understand performance constraints for insider threat detection deployment and innate weaknesses in their operational contexts. …”
    Journal article
  7.

    A formalised approach to designing sonification systems for network-security monitoring by Axon, L, Nurse, J, Goldsmith, M, Creese, S

    Published 2017
    “…Security analysts working in SOCs generally monitor networks using a combination of anomaly-detection techniques, Intrusion Detection Systems and data presented in visual and text-based forms. …”
    Journal article
  8.

    Formalising policies for insider-threat detection: A tripwire grammar by Agrafiotis, I, Erola, A, Goldsmith, M, Creese, S

    Published 2017
    “…We then orchestrate these tripwires in conjunction with an anomaly detection system. We present a review of the security policies organisations apply and a grammar to describe tripwires. …”
    Journal article
  9.

    Data presentation in security operations centres: exploring the potential for sonification to enhance existing practice by Axon, L, Alahmadi, B, Nurse, J, Goldsmith, M, Creese, S

    Published 2020
    “…Participants saw potential value in using sonification systems to aid in anomaly detection tasks in SOCs (such as retrospective hunting), as well as in situations in which peripheral monitoring is desirable: while multitasking with multiple work tasks, or while outside of the SOC. …”
    Journal article
  10.

    Sonification for network-security monitoring by Axon, L

    Published 2018
    “…Sonification has been shown to have advantages for presenting data to humans in other fields, such as medicine and astronomy, for monitoring data and for anomaly detection. In theory, some of the known properties of sonification make it a promising data-presentation approach for SOCs. …”
    Thesis