1 Adaptive Case-Based Reasoning Architectures for Critical Infrastructure Protection Dr. Dan Schwartz Dr. Sara Stoecklin Mr. Erbil Yilmaz Ms. Mimi Xu Florida State University Department of Computer Science

2 Table of Contents
–Case-Based Reasoning Defined
–General Problem
–Our Approach
–Specific Application: Snort IDS
–Architectural Elements
–Advantages of Adaptive Architectures
–Future Work

3 Case-Based Reasoning (process flow)
–1.0 Formulate Problem/Attack: takes the problem/attack from the Environment and produces a problem description.
–2.0 Search Archives: uses the problem description to retrieve similar cases from the Case Archive.
–3.0 Select/Adapt: turns the similar cases into a solution/response.
–4.0 Generate Response to Problem/Attack: delivers the generated response to the Environment.
–5.0 Report Results: records the results in the Case Archive as a measure of success/failure.

4 Key Issues
CBR can be a valuable tool for the protection of critical infrastructures in any of the eight CIP domains, even though each domain may have its own specific cases, data, and reasoning requirements:
–Information and Communications
–Electrical Power Systems
–Gas and Oil Transportation and Storage
–Banking and Finance
–Transportation
–Water Supply Systems
–Emergency Services
–Government Services

5 Key Issues
–Case types and retrieval methods can change rapidly within any given application domain.
–Completely new application domains, and types of domains, continue to appear.
–Modifying and/or building domain-specific case-based reasoners is costly since it requires substantial rewriting of code.
Reasoners should be easily adaptable, in a cost-effective manner, to new or rapidly changing application environments.

6 Our Approach Create an adaptive architecture employing a meta-model describing the domain features needed for the CIP CBR. Attributes, relationships, and reasoning rules are defined as instances from metadata.

7 What this means is: THE SAME ADAPTIVE CBR system can be used with different metadata to solve different problems. Thus, rather than writing separate CBRs for each problem within each of the domains, WRITE ONE GENERIC CBR that dynamically reacts to the meta description of the domain problem. The adaptive CBR is a TOOL for creating ARBITRARY DOMAIN-SPECIFIC CBRs.

8 To Illustrate:
–GENERALIZED CBR: a problem description enters the Adaptive CBR System, which interprets the MetaData, pulls the case description and similar cases from the Case Archive, and returns a solution/response.
–Snort CBR: the same Adaptive CBR System, now driven by Snort MetaData and the Snort Case Archive, takes a Snort problem description and returns a solution/response.

9 Other IDS Applications
–Behavioral CBR: a behavioral problem description enters the Adaptive CBR System, which uses Behavioral MetaData and the Behavioral Case Archive (case description, similar cases) to produce a solution/response.
–Intrusion Event CBR: an intrusion event problem description enters the same Adaptive CBR System, which uses Intrusion Event MetaData and the Intrusion Event Archive to produce a solution/response.

10 Other CIP Applications
–Person Identification CBR: a person description enters the Adaptive CBR System, which uses Person Identification MetaData and the Person Archive (case description, similar cases) to answer person id/non-id.
–Emergency Response CBR: an emergency description enters the Adaptive CBR System, which uses Emergency Incident MetaData and the Emergency Incident Archive to produce a solution/response.

11 Domain: Information and Communications. Area: Intrusion Detection.
One CBR Framework – Four Sets of Metadata:
–CBR Snort Like: packets pass through a Filter and arrive as snort-like messages; output is problem events.
–CBR States: machine states in, problem states out.
–CBR Events: machine events in, problem events out.
–CBR Behavior: output is suspect behavior.

12 A First Step: Snort CBR (Proof of Concept System)
The Snort IDS uses rules to detect possible intrusions depending on particular features of an incoming packet such as protocol, source and destination IP addresses and ports, payload contents, etc. If each of the packet features matches the feature specified by the rule, then the rule is applied (fired) and the rule action is performed.
Sample Snort rule:
alert tcp any any /24 !111: (content: "|000186a5|"; msg: "mountd access";)

13 Snort Rule as a Case
Match features from the foregoing rule:
–Protocol: tcp
–Source IP address: any
–Source port: any
–Destination IP address: the /24 range (0 to 255)
–Destination port: not > 111
–Packet contents: |000186a5| (hex code)
Case action:
–Output alert: “mountd access”

14 Software System Overview (instance: Snort)
Build time:
–Domain Metadata DTD → Compile Schema → Binding Schema
–Application Domain Source → Compile Source → Application Domain Classes
–Generic CBR Source → Compile Source → Domain Specific CBR Classes (derived by inheritance from the generic CBR)
–Comparator Source → Compile Source → Comparator Classes (derived by inheritance)
–Domain Metadata → Metadata Dictionary
–Snort Rule Files → Convert Cases to XML → Cases in XML
Run time:
–Internet Packets → Perform Adaptive CBR (using the Cases in XML, the Metadata Dictionary, the domain-specific CBR classes and the Comparator Classes) → Alerts

15 Snort CBR Data Abstraction
Knowledge level (Data Dictionary / Meta Model): MetaDataManager 1 – 0..M MetaDataRecord. Each MetaDataRecord names a Feature Type, its DataType and its Comparator.
Operational level (Meta Data): Case 1..1 – 1..M MetaDataVector; MetaDataVector M..1 – Feature Type; Feature 1 – 0..M.
Comparator hierarchy: Exact, Range, ParsingExact, …
Metadata records for the Snort CBR:
Feature        | Type      | DataType | Comparator
Protocol       | Protocol  | String   | Exact
PortID         | InPortID  | String   | Exact
PortNum        | InPortNum | Integer  | Range
PayLoadContent | Content   | String   | ParsingExact
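As an added illustration (not the authors' code) of how the metadata on slides 12, 13 and 15 drive matching: MetaDataRecord entries name a feature and its comparator (Exact, Range, ParsingExact), and a case built from the slide's sample rule is compared against a packet description. The feature name DstPort, the port-spec and content parsing, and the similarity score are assumptions of this example; the destination IP feature is left out because it did not survive the transcript.

```python
from dataclasses import dataclass

# Comparators named on the metamodel slide. "any" in a case feature matches everything.
def exact(case_val, probe_val):
    return case_val == "any" or case_val == probe_val

def range_cmp(case_val, probe_val):
    # Case value is a Snort port spec: "111", "111:" (111 and up), "1:1024", or "!..." negated.
    negate = case_val.startswith("!")
    spec = case_val.lstrip("!")
    if spec == "any":
        hit = True
    elif spec.endswith(":"):
        hit = probe_val >= int(spec[:-1])
    elif ":" in spec:
        lo, hi = spec.split(":")
        hit = int(lo) <= probe_val <= int(hi)
    else:
        hit = probe_val == int(spec)
    return hit != negate

def parsing_exact(case_val, probe_val):
    # Case value is a Snort content string; "|..|" hex is decoded before the substring search.
    needle = bytes.fromhex(case_val.strip("|")) if case_val.startswith("|") else case_val.encode()
    return needle in probe_val

COMPARATORS = {"Exact": exact, "Range": range_cmp, "ParsingExact": parsing_exact}

@dataclass
class MetaDataRecord:          # knowledge level: which comparator a feature uses
    feature: str
    comparator: str

# Metadata dictionary for the Snort domain (feature names are constructed for this example).
SNORT_METADATA = [MetaDataRecord("Protocol", "Exact"), MetaDataRecord("DstPort", "Range"),
                  MetaDataRecord("PayLoadContent", "ParsingExact")]

# Operational level: one case from the slide's sample rule; "!111:" is taken as written there.
MOUNTD_CASE = {"Protocol": "tcp", "DstPort": "!111:",
               "PayLoadContent": "|000186a5|", "action": "mountd access"}

def similarity(metadata, case, problem):
    """Fraction of metadata features whose comparator accepts the problem description."""
    hits = sum(COMPARATORS[m.comparator](case[m.feature], problem[m.feature]) for m in metadata)
    return hits / len(metadata)

def retrieve(metadata, archive, problem, threshold=1.0):
    """Actions of every archived case whose similarity reaches the threshold."""
    return [c["action"] for c in archive if similarity(metadata, c, problem) >= threshold]
```

Adding a new comparator or feature means adding a function to COMPARATORS and a MetaDataRecord; the retrieval loop itself never changes, which is the point of slide 16.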

16 Adaptive Architecture
–This Adaptive Architecture has an explicit object model that provides “meta” information which is interpreted at runtime to change behavior.
–Adaptive Architectures are especially suited for specific frameworks such as a CBR.
–References to similarity metrics are stored as descriptive metadata, thus adding flexibility.

17 Advantages of Architecture
–General meta-level architectures can more easily be implemented for the various CIP domains, in many areas, with many types of problems.
–Modification of a given CBR is easier and can be done by domain experts without major rewrites.
–New similarity metrics can easily be added.
–Shorter time-to-market: changes can be implemented quickly, and new CBRs can be built more quickly.

18 Our Progress
–Explored existing CBR systems including NRL’s NaCoDAE (Navy Conversational Decision Aids Environment).
–Designed a Meta-Model for general cases and case features.
–Built a Case Library using the standard Snort rule set.
–Defined a simple similarity metric for Snort Case Retrieval.
–Created an elementary Prototype for Snort CBR.

19 Publications/Patents
–Schwartz, D.G., Stoecklin, S., and Yilmaz, E., A case-based approach to network intrusion detection, Fifth International Conference on Information Fusion, IF'02, Annapolis, MD, July 7-11, 2002, to appear.
–A Generic Adaptive Case-Based Reasoner, disclosure and patent application in progress.

20 Future Work
–Extend the snort-like Adaptive CBR with new features, cases, and reasoning rules to enable network intrusion detection based on user behavior analysis. (Challenge Problem)
–Extend the Adaptive CBR with more features, cases and rules to allow detection using machine states and events.
–Explore each of the other CIP Domains and create appropriate further applications of the Adaptive CBR.
Target architecture (diagram):
–packet → Filter → CBR Snort Like (snort-like messages)
–Machine → CBR States (machine states → problem states)
–Machine → CBR Events (machine events → problem events)
–CBR Behavior (suspect behavior); CBR Red-Team (red-team alerts); machine activity