Presentation is loading. Please wait.

Presentation is loading. Please wait.

831-656-7582 Approaches to Event Prediction in Complex Environments Terence Tan (PhD Candidate) Advisors: Prof Christian Darken,

Published byReginald Rice Modified over 9 years ago

Similar presentations

Presentation on theme: "831-656-7582 Approaches to Event Prediction in Complex Environments Terence Tan (PhD Candidate) Advisors: Prof Christian Darken,"— Presentation transcript:

1 831-656-7582 http://movesinstitute.org Approaches to Event Prediction in Complex Environments Terence Tan (PhD Candidate) Advisors: Prof Christian Darken, PhD Prof Neil Rowe, PhD Prof Arnold Buss, PhD Prof Ralucca Gera, PhD Prof John Hiles

2 Scope of Presentation What is Relational Time Series? Previous Approaches New Learning and Prediction Approaches Conclusions 2

3 Network Intrusion Detection Alerts 12/02/11-17:32:21.9841332924NETBIOS SMB-DS repeated logon failureTCP78.45.215.21063.205.26.80 What is Relational Time Series? Previous Approaches New Learning and Prediction Approaches Conclusions 3

4 Network Intrusion Detection Alerts 12/02/11-17:32:21.9841332924NETBIOS SMB-DS repeated logon failureTCP78.45.215.21063.205.26.80 12/02/11-17:32:24.7128672924NETBIOS SMB-DS repeated logon failureTCP78.45.215.21063.205.26.80 What is Relational Time Series? Previous Approaches New Learning and Prediction Approaches Conclusions 4

5 Network Intrusion Detection Alerts 12/02/11-17:32:21.9841332924NETBIOS SMB-DS repeated logon failureTCP78.45.215.21063.205.26.80 12/02/11-17:32:24.7128672924NETBIOS SMB-DS repeated logon failureTCP78.45.215.21063.205.26.80 12/02/11-18:50:13.575037648SHELLCODE x86 NOOPTCP84.0.158.11063.205.26.70 What is Relational Time Series? Previous Approaches New Learning and Prediction Approaches Conclusions 5

6 Network Intrusion Detection Alerts 12/02/11-17:32:21.9841332924NETBIOS SMB-DS repeated logon failureTCP78.45.215.21063.205.26.80 12/02/11-17:32:24.7128672924NETBIOS SMB-DS repeated logon failureTCP78.45.215.21063.205.26.80 12/02/11-18:50:13.575037648SHELLCODE x86 NOOPTCP84.0.158.11063.205.26.70 12/02/11-18:50:13.575356648SHELLCODE x86 NOOPTCP84.0.158.11063.205.26.70 What is Relational Time Series? Previous Approaches New Learning and Prediction Approaches Conclusions 6

7 Time Series of Network Intrusion Detection Alerts 12/02/11-17:32:21.9841332924NETBIOS SMB-DS repeated logon failureTCP78.45.215.21063.205.26.80 12/02/11-17:32:24.7128672924NETBIOS SMB-DS repeated logon failureTCP78.45.215.21063.205.26.80 12/02/11-18:50:13.575037648SHELLCODE x86 NOOPTCP84.0.158.11063.205.26.70 12/02/11-18:50:13.575356648SHELLCODE x86 NOOPTCP84.0.158.11063.205.26.70 12/02/11-18:50:13.5753563397NETBIOS DCERPC NCACN-IP-TCPTCP84.0.158.11063.205.26.70 12/02/11-18:50:15.443929648SHELLCODE x86 NOOPTCP84.0.158.11063.205.26.73 12/02/11-18:50:15.444255648SHELLCODE x86 NOOPTCP84.0.158.11063.205.26.73 12/02/11-18:50:15.4442553397NETBIOS DCERPC NCACN-IP-TCPTCP84.0.158.11063.205.26.73 12/02/11-18:50:19.048303648SHELLCODE x86 NOOPTCP84.0.158.11063.205.26.77 12/02/11-18:50:19.048624648SHELLCODE x86 NOOPTCP84.0.158.11063.205.26.77 12/02/11-18:50:19.0486243397NETBIOS DCERPC NCACN-IP-TCPTCP84.0.158.11063.205.26.77 12/02/11-18:50:20.346232648SHELLCODE x86 NOOPTCP84.0.158.11063.205.26.74 12/02/11-18:50:22.656974648SHELLCODE x86 NOOPTCP84.0.158.11063.205.26.79 12/02/11-18:50:22.657291648SHELLCODE x86 NOOPTCP84.0.158.11063.205.26.79 12/02/11-18:50:22.6572913397NETBIOS DCERPC NCACN-IP-TCPTCP84.0.158.11063.205.26.79 12/02/11-19:12:38.913940384ICMP PINGICMP66.235.66.23363.205.26.80 12/02/11-19:12:38.914642408ICMP Echo ReplyICMP63.205.26.8066.235.66.233 12/02/11-19:12:38.959461384ICMP PINGICMP66.235.66.23363.205.26.80 12/02/11-19:12:38.959672408ICMP Echo ReplyICMP63.205.26.8066.235.66.233 What is Relational Time Series? Previous Approaches New Learning and Prediction Approaches Conclusions 7

8 Relational Time Series: Time Series of Relational Atoms 0.0, lookA(spock84) 0.0, place+(Paperville3) 0.0, location+(pitchfork74, Paperville3) 0.0, pitchfork+(pitchfork74) 0.0, location+(spock84, Paperville3) 0.0, spock+(spock84) 2.75, getA(pitchfork74, spock84) 2.75, getE(spock84, pitchfork74) 2.75, location-(pitchfork74, Paperville3) 2.75, location+(pitchfork74, spock84) 5.5, wA(spock84) 5.5, goE(spock84, west) 5.5, location-(spock84, Paperville3) 5.5, spock-(spock84) 5.5, place-(Paperville3) P = (t, r(c 1, c 2, … c n )) where P: percept t: time r: relation c x : constant What is Relational Time Series? Previous Approaches New Learning and Prediction Approaches Conclusions 8

9 Relational Time Series: Time Series of Relational Atoms 0.0, lookA(spock84) 0.0, place+(Paperville3) 0.0, location+(pitchfork74, Paperville3) 0.0, pitchfork+(pitchfork74) 0.0, location+(spock84, Paperville3) 0.0, spock+(spock84) 2.75, getA(pitchfork74, spock84) 2.75, getE(spock84, pitchfork74) 2.75, location-(pitchfork74, Paperville3) 2.75, location+(pitchfork74, spock84) 5.5, wA(spock84) 5.5, goE(spock84, west) 5.5, location-(spock84, Paperville3) 5.5, spock-(spock84) 5.5, place-(Paperville3) P = (t, r(c 1, c 2, … c n )) where P: percept t: time r: relation c x : constant What is the next percept? What is Relational Time Series? Previous Approaches New Learning and Prediction Approaches Conclusions 9

10 Characteristics No Background knowledge – Eg. In a unknown domain, we do not know the behaviors of any entity Relational Atoms – Multi-dimension proposition High variability in predicates & constants – Too many to predefine Moving Context – Needs online Learning 10 What is Relational Time Series? Previous Approaches New Learning and Prediction Approaches Conclusions

11 Motivations Anticipation Early Warning What is Relational Time Series? Previous Approaches New Learning and Prediction Approaches Conclusions 11

12 Previous Approaches Production Rules Finite State Machines Bayesian Network Markov Chain Statistical Relational Learning What is Relational Time Series? Previous Approaches New Learning and Prediction Approaches Conclusions 12

13 Recent Interest in IDS Alerts Predictions Recent Interests – 2011 Nexat a history-based approach to predict attacker actions – 2011 A Novel Probabilistic Matching Algorithm for Multi-Stage Attack Forecast – 2010 Multi stage attack Detection system for Network Administrators using Data Mining (UTN, Oak Ridge NL) – 2008 Alert Fusion Based on Cluster and Correlation – 2007 Using Network Attack Graph to Predict the Future Attacks – 2007 Discovering Novel Multistage Attack Strategies Common Approaches – Mine Behavior from past data, such as DARPA challenge (1998, 1999 and 2000 – No Online learning What is Relational Time Series? Previous Approaches New Learning and Prediction Approaches Conclusions 13

14 0.0, lookA(spock84) 0.0, place+(Paperville3) 0.0, location+(pitchfork74, Paperville3) 0.0, pitchfork+(pitchfork74) 0.0, location+(spock84, Paperville3) 0.0, spock+(spock84) 2.75, getA(pitchfork74, spock84) 2.75, getE(spock84, pitchfork74) 2.75, location-(pitchfork74, Paperville3) 2.75, location+(pitchfork74, spock84) 5.5, wA(spock84) 5.5, goE(spock84, west) 5.5, location-(spock84, Paperville3) 5.5, spock-(spock84) 5.5, place-(Paperville3) Situation Learning Situation Learning (Darken, 2005) – A sliding time window identifies “Situations” – Forms a simple lookup table – Able to model trending and high variability 14 Predictive atom What is Relational Time Series? Previous Approaches New Learning and Prediction Approaches Conclusions

15 Situation Learning (SL) + Current Approaches 15 What is Relational Time Series? Previous Approaches New Learning and Prediction Approaches Conclusions

16 Conceptual Blending Outer Space Mappings Projection Emergent Frame (From Fauconnier & Turner, 2002) Constitution Principles Vital Relation Mapping Construct Generic Space Composition Completion Elaboration Back Projection Constitution Principles Vital Relation Mapping Construct Generic Space Composition Completion Elaboration Back Projection Optimality Principles Compression Topology Pattern Completion Integration Promoting Vital Relation Web Unpacking relevance Optimality Principles Compression Topology Pattern Completion Integration Promoting Vital Relation Web Unpacking relevance Vital Relation Change, Cause-Effect, Time, Space, Identity, Change, Uniqueness, Part-Whole, Representation, Role, Analogy, Disanalogy, Property, Similarity, Category, and Intentionality Vital Relation Change, Cause-Effect, Time, Space, Identity, Change, Uniqueness, Part-Whole, Representation, Role, Analogy, Disanalogy, Property, Similarity, Category, and Intentionality Data, information, organizer Previous Domains Current Domain Back projection  ={?c/?d} Subst( ,  )  ={?a/?b} Subst( ,  ) What is Relational Time Series? Previous Approaches New Learning and Prediction Approaches Conclusions 16

17 Single Scope Blending Example Dragon-1 in Location-1 Agent-1 enter Location-1 Dragon-1 Kill Agent-1 … Goblin-2 in location-2 Dragon-2 in location-2 Agent-2 enter location-2 ? Dragon-1 Agent-1 Location-1 kill inEnter Dragon-2 Agent-2 Location-2 inEnter Previous Situation Current Situation in Goblin-2 One Possible Substitution: Dragon-1 to Goblin-2 Agent-1 to Agent-2 Prediction: Goblin-2 Kill Agent-2 Analogy What is Relational Time Series? Previous Approaches New Learning and Prediction Approaches Conclusions 17

18 Prediction Accuracies from a Agent Simulator What is Relational Time Series? Previous Approaches New Learning and Prediction Approaches Conclusions 18

19 Network Intrusion Alerts Predictions What is Relational Time Series? Previous Approaches New Learning and Prediction Approaches Conclusions 19

20 Why is SSB Better? Dataset – 6482 alerts – 1590 unique alerts Detection Rate Effect of Frequency on Detection Rate FrequencyNumber of AlertsSSB DetectsMSB detectsVOMM detects 164316300 2751621230242 352342714 488807774 55000 6111088 73311 82222 94433 3333 SSBMSBVOMM Unique Alert Detected947379375 %59.56%23.84%23.58% What is Relational Time Series? Previous Approaches New Learning and Prediction Approaches Conclusions 20

21 Complexity Reduction: From Exponential to Linear Default Method: Backtracking – Subgraph Isomorphism – NP-Complete 1 st Improvement – Formulate the problem as graph search – Depth First Search to Greedy Best First Search – Best First Search to 2-tier ASTAR 2 nd Improvement – Attention Based Search What is Relational Time Series? Previous Approaches New Learning and Prediction Approaches Conclusions 21

22 Attention Based Search Dragon-1 Agent-1 Location-1 inEnter Dragon-2 Agent-2 Location-2 inEnter Previous Situation Current Situation node1node2Difference Dragon - 1Dragon - 2[1, 0, 1, 1, 0] Agent - 2[0, 0, 1, 1, 0] Location - 2[0, 0, 0, 0, -3] Agent - 1Dragon - 2[0, 0, 1, 1, 0] Agent - 2[1, 0, 1, 1, 0] Location - 2[0, 0, 0, 0, -3] Location - 1Dragon - 2[0, 0, 0, 0, -3] Agent - 2[0, 0, 0, 0, -3] Location - 2[1, 0, 1, 1, 0] nodesIn Degree Out Degree Type Dragon – 101D Agent – 101A Location – 120L Dragon – 201D Agent – 201A Location – 220L score = [Type, ExactNameMatch, BothExactDegreeMatch, AtLeastOneDegreeMatch, DegreeDiff] 22

23 Scalability Test What is Relational Time Series? Previous Approaches New Learning and Prediction Approaches Conclusions 23

24 Conclusions & Future Works Conclusions – Single Scope Blending Prediction Approach predicts better – Reduces NP-Complete complexity to Linear through Greedy ASTAR and Attention based search Future Works – 2-tier memory system (Short term and long term memory) – Flexible windows based on event segment theory – Letter prediction 24

25 Thank you 25

Download ppt "831-656-7582 Approaches to Event Prediction in Complex Environments Terence Tan (PhD Candidate) Advisors: Prof Christian Darken,"

Similar presentations

Recommender System A Brief Survey.

Recommender System A Brief Survey.
Autonomic Scaling of Cloud Computing Resources

Autonomic Scaling of Cloud Computing Resources
Dynamic Bayesian Networks (DBNs)

Dynamic Bayesian Networks (DBNs)
Integrating Bayesian Networks and Simpson’s Paradox in Data Mining Alex Freitas University of Kent Ken McGarry University of Sunderland.

Integrating Bayesian Networks and Simpson’s Paradox in Data Mining Alex Freitas University of Kent Ken McGarry University of Sunderland.
1 © Ramesh Jain Social Life Networks: Ontology-based Recognition Ramesh Jain Contact:

1 © Ramesh Jain Social Life Networks: Ontology-based Recognition Ramesh Jain Contact:
Probabilistic Aggregation in Distributed Networks Ling Huang, Ben Zhao, Anthony Joseph and John Kubiatowicz {hling, ravenben, adj,

Probabilistic Aggregation in Distributed Networks Ling Huang, Ben Zhao, Anthony Joseph and John Kubiatowicz {hling, ravenben, adj,
Report on Intrusion Detection and Data Fusion By Ganesh Godavari.

Report on Intrusion Detection and Data Fusion By Ganesh Godavari.
1 Anomaly Detection Using GAs Umer Khan 28-sept-2005.

1 Anomaly Detection Using GAs Umer Khan 28-sept-2005.
1 Department of Computer Science and Engineering, University of South Carolina 2007-01-05 Issues for Discussion and Work Jan 2007  Choose meeting time.

1 Department of Computer Science and Engineering, University of South Carolina Issues for Discussion and Work Jan 2007  Choose meeting time.
1 Unique identifiers for the Web Zoltan Miklos Joint work with Gleb Skobeltsyn, Saket Sathe, Nicolas Bonvin, Philippe Cudré-Mauroux, Ekaterini Ioannou,

1 Unique identifiers for the Web Zoltan Miklos Joint work with Gleb Skobeltsyn, Saket Sathe, Nicolas Bonvin, Philippe Cudré-Mauroux, Ekaterini Ioannou,
ANALYSIS OF GENETIC NETWORKS USING ATTRIBUTED GRAPH MATCHING.

ANALYSIS OF GENETIC NETWORKS USING ATTRIBUTED GRAPH MATCHING.
Data Mining – Intro.

Data Mining – Intro.
Causal Models, Learning Algorithms and their Application to Performance Modeling Jan Lemeire Parallel Systems lab November 15 th 2006.

Causal Models, Learning Algorithms and their Application to Performance Modeling Jan Lemeire Parallel Systems lab November 15 th 2006.
CS 60050 Machine Learning. What is Machine Learning? Adapt to / learn from data  To optimize a performance function Can be used to:  Extract knowledge.

CS Machine Learning. What is Machine Learning? Adapt to / learn from data  To optimize a performance function Can be used to:  Extract knowledge.
LLNL-PRES-671957 This work was performed under the auspices of the U.S. Department of Energy by Lawrence Livermore National Laboratory under Contract DE-AC52-07NA27344.

LLNL-PRES This work was performed under the auspices of the U.S. Department of Energy by Lawrence Livermore National Laboratory under Contract DE-AC52-07NA27344.
Time Series Data Analysis - II

Time Series Data Analysis - II
Intrusion and Anomaly Detection in Network Traffic Streams: Checking and Machine Learning Approaches ONR MURI area: High Confidence Real-Time Misuse and.

Intrusion and Anomaly Detection in Network Traffic Streams: Checking and Machine Learning Approaches ONR MURI area: High Confidence Real-Time Misuse and.
Technology Applicability for Prediction & Recognition of Piracy Efforts NATO ASI September 2011 Salamanca, Spain.

Technology Applicability for Prediction & Recognition of Piracy Efforts NATO ASI September 2011 Salamanca, Spain.
A Pragmatic Approach to Context and Meaning. Pragmatism ● Fosters highly inter-disciplinary work ● Discourages theory in isolation from application ●

A Pragmatic Approach to Context and Meaning. Pragmatism ● Fosters highly inter-disciplinary work ● Discourages theory in isolation from application ●
Water Contamination Detection – Methodology and Empirical Results IPN-ISRAEL WATER WEEK (I 2 W 2 ) Eyal Brill Holon institute of Technology, Faculty of.

Water Contamination Detection – Methodology and Empirical Results IPN-ISRAEL WATER WEEK (I 2 W 2 ) Eyal Brill Holon institute of Technology, Faculty of.

Similar presentations

Ads by Google