Published by Melissa Valerie Cummings, modified over 9 years ago
Slide 1: Adaptive Case-Based Reasoning Architectures for Critical Infrastructure Protection
Dr. Dan Schwartz, Dr. Sara Stoecklin, Mr. Erbil Yilmaz, Ms. Mimi Xu
Florida State University, Department of Computer Science
Slide 2: Table of Contents
– Case-Based Reasoning Defined
– General Problem
– Our Approach
– Specific Application: Snort IDS
– Architectural Elements
– Advantages of Adaptive Architectures
– Future Work
Slide 3: Case-Based Reasoning (process diagram)
– 1.0 Formulate Problem/Attack: the environment supplies a problem/attack; the output is a problem description.
– 2.0 Search Archives: the problem description is matched against the Case Archive; the output is a set of similar cases.
– 3.0 Select/Adapt: a solution/response is derived from the similar cases.
– 4.0 Generate Response to Problem/Attack: the generated response is applied to the environment.
– 5.0 Report Results: the results, with a measure of success/failure, are fed back into the Case Archive.
Slide 4: Key Issues
CBR can be a valuable tool for the protection of critical infrastructures in any of the eight CIP domains, even though each domain may have its own specific cases, data, and reasoning requirements:
– Information and Communications
– Electrical Power Systems
– Gas and Oil Transportation and Storage
– Banking and Finance
– Transportation
– Water Supply Systems
– Emergency Services
– Government Services
Slide 5: Key Issues
– Case types and retrieval methods can change rapidly within any given application domain.
– Completely new application domains, and types of domains, continue to appear.
– Modifying and/or building domain-specific case-based reasoners is costly, since it requires substantial rewriting of code.
Reasoners should be easily adaptable, in a cost-effective manner, to new or rapidly changing application environments.
Slide 6: Our Approach
Create an adaptive architecture employing a meta-model that describes the domain features needed for the CIP CBR. Attributes, relationships, and reasoning rules are defined as instances of the metadata.
Slide 7: What this means is ...
THE SAME ADAPTIVE CBR system can be used with different metadata to solve different problems. Thus, rather than writing separate CBRs for each problem within each of the domains, WRITE ONE GENERIC CBR that dynamically reacts to the meta-description of the domain problem. The adaptive CBR is a TOOL for creating ARBITRARY DOMAIN-SPECIFIC CBRs.
Slide 8: To Illustrate (diagram)
– Generalized CBR: a problem description enters the Adaptive CBR System, which is driven by MetaData; it exchanges a case description and similar cases with the Case Archive and produces a solution/response.
– Snort CBR: the same Adaptive CBR System, now driven by Snort MetaData and backed by a Snort Case Archive, turns a Snort problem description into a solution/response.
Slide 9: Other IDS Applications (diagram)
– Behavioral CBR: the same Adaptive CBR System with Behavioral MetaData and a Behavioral Case Archive; a behavioral problem description yields a solution/response.
– Intrusion Event CBR: the same Adaptive CBR System with Intrusion Event MetaData and an Intrusion Event Archive; an intrusion event problem description yields a solution/response.
Slide 10: Other CIP Applications (diagram)
– Person Identification CBR: the Adaptive CBR System with Person Identification MetaData and a Person Archive; a person description yields a person id/non-id result.
– Emergency Response CBR: the Adaptive CBR System with Emergency Incident MetaData and an Emergency Incident Archive; an emergency description yields a solution/response.
Slide 11: Domain: Information and Communications; Area: Intrusion Detection
One CBR Framework, Four Sets of Metadata (diagram): packets pass through a Filter to a Machine, and four reasoners consume what it produces: CBR Snort Like (snort-like messages), CBR States (machine states, problem states), CBR Behavior (suspect behavior), and CBR Events (machine events, problem events).
Slide 12: A First Step: Snort CBR (Proof of Concept System)
The Snort IDS uses rules to detect possible intrusions depending on particular features of an incoming packet, such as protocol, source and destination IP addresses and ports, payload contents, etc. If each of the packet features matches the feature specified by the rule, then the rule is applied (fired) and the rule action is performed.
Sample Snort rule:
alert tcp any any -> 192.168.1.0/24 !111 (content:"|000186a5|"; msg:"mountd access";)
Slide 13: Snort Rule as a Case
Match features from the foregoing rule:
– Protocol: tcp
– Source IP address: any
– Source port: any
– Destination IP address: 192.168.1.0 to 192.168.1.255
– Destination port: not 111 (the !111 negation)
– Packet contents: 000186a5 (hex code)
Case action:
– Output alert: "mountd access"
Slide 14: Software System Overview (diagram; instance shown: Snort)
Build-time steps:
– Domain Metadata DTD -> Compile Schema -> Binding Schema
– Generic CBR Source -> Compile Source -> Domain Specific CBR Classes (with Domain Metadata and the Metadata Dictionary)
– Application Domain Source -> Compile Source -> Application Domain Classes
– Comparator Source -> Compile Source -> Comparator Classes
– Snort Rule Files -> Convert Cases to XML -> Cases in XML
Run time: Internet Packets -> Perform Adaptive CBR -> Alerts.
Other diagram labels: Inheritance (between the generic and domain-specific layers).
Slide 15: Snort CBR Data Abstraction (meta-model diagram)
Knowledge level: MetaDataManager 1 -- 0..M MetaDataRecord; MetaDataVector M..1 Feature Type; Data Dictionary, Meta Model, Meta Data (1..1).
Operational level: Case 1..M Feature; Feature 1 -- 0..M Feature Type; Comparator (Exact, Range, ParsingExact, ...).
Metadata dictionary entries:
  Feature         Type       DataType  Comparator
  Protocol        Protocol   String    Exact
  PortID          InPortID   String    Exact
  PortNum         InPortNum  Integer   Range
  PayLoadContent  Content    String    ParsingExact
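To make the meta-model concrete, here is an added example that is not code from the FSU prototype or from Snort: a small Python matcher in which a metadata dictionary of (feature, data type, comparator name) entries drives one generic similarity routine, Snort-style rules are parsed into cases as on slides 12 and 13, and retrieval and firing follow steps 2.0 to 4.0 of slide 3. The feature names, the Cidr comparator for addresses (the slide's table ends with "..." and lists no address comparator), the handling of "!" negation, the two extra rules and the packet are my own assumptions and constructed samples; only the mountd rule comes from the slides.

```python
# Added example (not code from the FSU prototype or Snort): a metadata-driven case
# matcher in the style of the slides. Feature names, the "Cidr" comparator and the
# extra sample rules are assumptions/constructed samples; only the mountd rule is
# taken from the slides.
import ipaddress
import re

# --- Knowledge level: the metadata dictionary (feature, data type, comparator name) ---
METADATA = [
    ("protocol", "String", "Exact"),
    ("src_ip", "String", "Cidr"),          # assumed comparator, not in the slide's table
    ("src_port", "Integer", "Range"),
    ("dst_ip", "String", "Cidr"),          # assumed comparator, not in the slide's table
    ("dst_port", "Integer", "Range"),
    ("content", "String", "ParsingExact"),
]

# --- Comparators: (case feature value, problem feature value) -> bool ---
def cmp_exact(case_val, probe_val):
    return case_val == "any" or str(case_val).lower() == str(probe_val).lower()

def cmp_range(case_val, probe_val):
    """Port spec: 'any', '111', '!111', '1000:2000'; a leading '!' negates."""
    if case_val == "any":
        return True
    negate = case_val.startswith("!")
    lo, sep, hi = case_val.lstrip("!").partition(":")
    lo_n = int(lo) if lo else 0
    hi_n = int(hi) if hi else (65535 if sep else lo_n)
    return (lo_n <= int(probe_val) <= hi_n) != negate

def cmp_cidr(case_val, probe_val):
    """Address spec: 'any', a host address or a CIDR block, with optional '!'."""
    if case_val == "any":
        return True
    negate = case_val.startswith("!")
    net = ipaddress.ip_network(case_val.lstrip("!"), strict=False)
    return (ipaddress.ip_address(probe_val) in net) != negate

def cmp_parsing_exact(case_val, probe_val):
    """The rule's hex byte string must occur somewhere in the packet payload."""
    if case_val is None:
        return True
    return bytes.fromhex(case_val) in probe_val

COMPARATORS = {"Exact": cmp_exact, "Range": cmp_range,
               "Cidr": cmp_cidr, "ParsingExact": cmp_parsing_exact}

# --- Operational level: cases built from Snort-style rules ---
RULE_RE = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s+\((.*)\)\s*$")

def parse_rule(rule):
    """Turn one Snort-style rule into a case: feature vector plus action and message."""
    m = RULE_RE.match(rule.strip())
    if not m:
        raise ValueError(f"unsupported rule syntax: {rule}")
    action, proto, sip, sport, dip, dport, opts = m.groups()
    case = {"features": {"protocol": proto, "src_ip": sip, "src_port": sport,
                         "dst_ip": dip, "dst_port": dport, "content": None},
            "action": action, "msg": ""}
    for opt in opts.split(";"):
        key, _, val = opt.strip().partition(":")
        val = val.strip().strip('"')
        if key.strip() == "content":
            case["features"]["content"] = val.strip("|").replace(" ", "")
        elif key.strip() == "msg":
            case["msg"] = val
    return case

def similarity(case, problem, metadata=METADATA):
    """Fraction of metadata features whose comparator accepts the problem's value."""
    hits = 0
    for name, dtype, comp_name in metadata:
        probe = int(problem[name]) if dtype == "Integer" else problem[name]
        if COMPARATORS[comp_name](case["features"][name], probe):
            hits += 1
    return hits / len(metadata)

def retrieve(archive, problem, k=3):
    """Slide 3, steps 2.0/3.0: the k most similar cases, best first."""
    scored = [(similarity(c, problem), c) for c in archive]
    scored.sort(key=lambda t: t[0], reverse=True)
    return scored[:k]

def respond(archive, problem):
    """Step 4.0: a case fires only when every feature matches (Snort's semantics)."""
    return [(c["action"], c["msg"]) for c in archive if similarity(c, problem) == 1.0]

# Constructed archive: the slides' mountd rule plus two made-up neighbours.
ARCHIVE = [parse_rule(r) for r in (
    'alert tcp any any -> 192.168.1.0/24 !111 (content:"|000186a5|"; msg:"mountd access";)',
    'alert tcp any any -> 192.168.1.0/24 111 (content:"|000186a5|"; msg:"portmapper access";)',
    'alert udp any any -> 192.168.1.0/24 any (content:"|deadbeef|"; msg:"constructed udp sample";)',
)]

# Constructed problem description: one TCP packet to port 2049 carrying the mountd program number.
PACKET = {"protocol": "tcp", "src_ip": "10.0.0.5", "src_port": 40000,
          "dst_ip": "192.168.1.7", "dst_port": 2049,
          "content": bytes.fromhex("0000000100000002000186a5")}

if __name__ == "__main__":
    for score, case in retrieve(ARCHIVE, PACKET):
        print(f"{score:.2f}  {case['msg']}")
    print("fired:", respond(ARCHIVE, PACKET))
```

Adding a new similarity metric means registering one function in COMPARATORS and naming it in a METADATA entry; the matcher, the rule parser and the retrieval loop do not change, which is the property slides 7 and 17 claim for the adaptive design.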
Slide 16: Adaptive Architecture
This Adaptive Architecture has an explicit object model that provides "meta" information, which is interpreted at runtime to change behavior. Adaptive Architectures are especially suited to specific frameworks such as a CBR. References to similarity metrics are stored as descriptive metadata, thus adding flexibility.
Slide 17: Advantages of Architecture
– General meta-level architectures can more easily be implemented for the various CIP domains, in many areas, with many types of problems.
– Modification of a given CBR is easier and can be done by domain experts without major rewrites.
– New similarity metrics can easily be added.
– Shorter time-to-market: changes can be implemented quickly, and new CBRs can be built more quickly.
Slide 18: Our Progress
– Explored existing CBR systems, including NRL's NaCoDAE (Navy Conversational Decision Aids Environment).
– Designed a meta-model for general cases and case features.
– Built a case library using the standard Snort rule set.
– Defined a simple similarity metric for Snort case retrieval.
– Created an elementary prototype for the Snort CBR.
Slide 19: Publications/Patents
– Schwartz, D.G., Stoecklin, S., and Yilmaz, E., "A case-based approach to network intrusion detection," Fifth International Conference on Information Fusion (IF'02), Annapolis, MD, July 7-11, 2002, to appear.
– A Generic Adaptive Case-Based Reasoner: disclosure and patent application in progress.
Slide 20: Future Work
– Extend the snort-like Adaptive CBR with new features, cases, and reasoning rules to enable network intrusion detection based on user behavior analysis (Challenge Problem).
– Extend the Adaptive CBR with more features, cases, and rules to allow detection using machine states and events.
– Explore each of the other CIP domains and create appropriate further applications of the Adaptive CBR.
Diagram (the slide 11 framework with a fifth reasoner): packet -> Filter -> Machine; CBR Snort Like (snort-like messages), CBR States (machine states, problem states), CBR Red-Team (red-team alerts), CBR Behavior (suspect behavior), CBR Events (problem events, machine events, machine activity).