
Process Detection


Presentation Transcript


  1. Process Detection George Cybenko Dartmouth gvc@dartmouth.edu

  2. Acknowledgements. Current members: George Bakos, Alex Barsamian, Marion Bates, Vincent Berk, Chad Behre*, Wayne Chung*, Valentino Crespi (Prof. Cal State LA), George Cybenko, Ian deSouza, Annarita Giani*, Doug Madory*, Glenn Nofsinger*, Robert Savell, Jan-Peter Schutt*, Yong Sheng*, William Stearns. Alumni: Naomi Fox (UMass, Ph.D. student), Hrithik Govardhan (Rocket), Robert Gray (BAE Systems), Diego Hernando (UIUC, Ph.D. student), Guofei Jiang (NEC Research), Alex Jordan (BAE Systems), Han Li (China Shipping Corp), Josh Peteet (Greylock Partners), Chris Roblee (LLNL). (* graduate students.) Research support: DHS, ARDA, AFOSR, NGA, DARPA.

  3. Overview of Lectures • Process modeling • Process detection, theory • Software and applications

  4. Why be interested in this.... • Sensor networks • Airborne plume detection • Cyber security • Autonomic server pool management • Dynamics of social networks • Genomics and biological pathways* • Human situation awareness* *Possible applications.

  5. Overview • Lecture 1: Process models • Notion of "state" • Differential equations • State Machines and Automata • Probabilistic and quantum states • Constructing state representations • Some

  6. Newton's Big Idea(s) Calculus Laws of Physics Concept of "state" Isaac Newton

  7. Contrast with Aristotle Nature consists of objects and “rules” Examples Crisis - could not explain the natural world Ancient law (religious and civil) Astronomical observations Superstition

  8. A Closer Look at F=ma

  9. A Closer Look at F=ma

  10. A Closer Look at F=ma. [Diagram labels: previous state, next state, input, dynamics]

  11. A Closer Look at F=ma. Concept of state: the future evolution of the system depends only on the current state and future inputs, i.e., the past's influence on the future is totally summarized by the state. The next state is determined by the current state and the current input (or control, etc). [Diagram: states si, sm, sn; inputs ua, ub]

  12. Outputs/Observables. Black box: states may not be observable by an external agent. Inputs, u: forces. State x = (position, momentum). Outputs, y: position only.

  13. Automaton Alan Turing

  14. Graphical Depiction of Automata. [Diagram: automaton with a marked start state; states a, b, c, d; transitions labelled u and v; outputs 0 and 1.] Q = States = { a , b , c , d }, X = { u , v }, Y = { 0 , 1 }; d and b shown in graph

  15. Caution/Nuisance • Some models of automata have observables generated by state occupancy • Other models have observables generated by state transitions • There are simple mechanisms for transforming one to the other....they are equivalent.

  16. Automata and Languages • The set of all possible finite length outputs of the previous example are a "language" • The language can be represented by a regular expression - (0*1|0*11|0*111)* • "Classical relationship" between regular languages and nondeterministic finite automata - ie, given one, construct the other (Kleene's Theorem) • How about constructing an automaton from the input-output relationship?

  17. Nerode Equivalence • Theorem: Every causal, time-invariant system has a state space description. • "Constructive" proof: • use the input-output description of a system • two finite length input strings belong to the same equivalence class if all the corresponding outputs (beyond the inputs' lengths) are the same • i.e., if inputs w1w2 and w3w2 have outputs z1z2 and z3z2 for all w2, then w1 is equivalent to w3 • the resulting equivalence classes are the states

  18. Partial Differential Equations

  19. Quantum Mechanical Systems

  20. Other process formalisms • A Petri Net (PN) is given a state by marking its places. • Marking of a PN consists of assigning a nonnegative integer to each place. • Graphically, tokens are inserted in places of a PN • Input place - arrow goes from the place to the transition • Output place - arrow goes from the transition to the place Concurrency Examples R. Apcar, E. Chiu, H. Jerejian

  21. Definitions • A transition may have one or more Input and Output places • A transition is enabled if there is at least one token in each of its input places. • An Enabled transition may fire: • one token is removed from each input place and one token is inserted in each output place of the transition Concurrency Examples R. Apcar, E. Chiu, H. Jerejian

  22. An example Concurrency Examples R. Apcar, E. Chiu, H. Jerejian

  23. Example continued Concurrency Examples R. Apcar, E. Chiu, H. Jerejian

  24. A “Process” has... • Hidden states (discrete or continuous) • State transitions (nondeterministic, probabilistic) • Observables/events • Relationship between observables and states • An algorithm to “score” observations/events to state sequences assignments • Examples: • Nondeterministic automata • Hidden Markov Models • Petri Nets • Linear Systems • Nonlinear Systems • etc

  25. Models for Organizational Processes (W. Chung, J.-P. Schutt, R. Savell, G. Cybenko). Observables of the process: A asks B to join a project; B accepts; A adds B to a list of recipients A, B, C, …. Dynamics of the process. ENRON, Ebay, etc. “Static” analysis; “dynamic” analysis.

  26. Example of a Multistage Process Model in Computer Security. [Diagram: states Scanned, Data Access, Start/Normal, Exfiltration, Infected; labels: potential malicious activity, potential normal activity; observables: snort alerts, Samba, Tripwire, ftp, covert channel, etc.]

  27. Real time Fish Tracking • Objective: Track several fish in the fish tank • Why: Very strong example of the power of PQS • Fish swim very quickly and erratically • Lots of missed observations • Lots of noise • Classical Kalman filters don’t work (non-linear movement and acceleration) • “Easier” than getting permission to track people (we mistakenly thought)

  28. Fish Tracking Details • 5 Gallon tank with 2 red Platys named Bubble and Squeak • Camera generates a stream of “centroids”: For each frame a series of (X,Y) pairs is generated. • Model describes the kinematics of a fish: The model evaluates if new (X,Y) pairs could belong to the same fish, based on measured position, momentum, and predicted next position. This way, multiple “tracks” are formed. One for each object. • Model was built in under 3 days!!!

  29. Kinematic Tracking (2) Model: the motion of a feature moving at "human" speed: The model evaluates if new (X,Y) pairs could belong to the same hot spot, based on measured position, momentum, and predicted next position. This way, multiple “tracks” are formed. One for each object. Sensors: Infrared video camera provides datastream Camera generates a stream of “centroids” For each frame a series of (X,Y) pairs is generated.

  30. An Example of a Process. A “Process” Model. [Diagram: states 1 and 2, labelled with observables a and b.] Two states - { 1 , 2 }. Two observables – { a , b }. Legal transitions between states are depicted by arrows. When occupying a state, the process emits an observable. All states are initial/start states and there are no terminal states. Some legal sequences of observables: abbab , bababbb, abbb. Some illegal sequences of observables: aa , baab. Further reading: Automata Theory, Regular Languages, etc

  31. A More Complex Process. Another “Process” Model. [Diagram: states 1, 2, 3, labelled with observables a , c; b; a , c.] Three states - { 1 , 2 , 3 }. Three observables – { a , b , c }. Some legal sequences of observables: abab , babaccab, ab. Some illegal sequences of observables: bb , baabb. Problem: Given a sequence of possible observations, is it legal? What states? Solution: (1) Read the first observable, mark states that emit that observable. (2) Read an observable, z. (3) New marked states = (states reachable from old marked states) intersected with (states that could have emitted z). (4) If no new marked states, illegal sequence; else go to 2.

  32. Extensions: Hidden Markov Model (HMM). Add probabilities: p(a|1) = 0.8, p(c|1) = 0.2; p(b|2) = 1; p(a|3) = 0.8, p(c|3) = 0.2. [Diagram: states 1, 2, 3 with transition probabilities 0.8, 1, 0.5, 0.5, 0.2.] Hidden Markov Models consist of two ingredients: - the dynamics: state transition probabilities in a Markov chain - the emissions: p(observation|state). Given a sequence of observations of length t, what are the possible states at time t? Unlike the case for a nondeterministic automaton, all we can say in general for an HMM is what the probability distribution on states is.

  33. Extensions: Hidden Markov Model (HMM). p(a|1) = 0.8, p(c|1) = 0.2; p(b|2) = 1; p(a|3) = 0.8, p(c|3) = 0.2. [Diagram: states 1, 2, 3 with transition probabilities 0.8, 1, 0.5, 0.5, 0.2.] Probability distribution at time t+1 is obtained by combining: - propagation of the distribution from time t using only the dynamics - factoring in the observation observed at time t+1

  34. Two Simple Processes. [Diagram: Model Instance A with states A1, A2 and Model Instance B with states B1, B2, each labelled with observables a and b.] aabb is a legal observation sequence. A1 B1 A2 A2 , A1 B1 A2 B2 , B1 A1 B2 B2 , ... are all legal state sequences. [Diagram: A1 A2 A2 , A1 A2 , A1 B1 B1 B2 B1 B2 B2, annotated “a track” and “a hypothesis”.] We can reduce this to a single process....

  35. Multiple Process Representation. [Figure: Model Instance A (states A1, A2) and Model Instance B (states B1, B2), observables a and b; a 0/1 matrix M and the product M x M.] If the observation sequence is aaaaaa and multiple copies of the model are allowed, then we get a product model of size 2^n.

  36. A Simple Example of Process Detection • a,b,c,d are events that can be observed • states A, B, C, D, E, F are hidden • observe a sequence of events • Which process or combination of processes explains the observed events? Sequence → hypotheses: ab → NW | RF; abab → (NW & NW)|(RF&NW)...; ababc → (NW & RF)|(NW & NW); ababcc → NW & NW. NETWORK WORM MODEL (NW) (a,b,c,d ICMP traffic levels): states A, B, C, D with observables { a }, { b }, { b , c }, { c , d }. ROUTER FAILURE MODEL (RF): states E, F with observables { a }, { b }. Pseudocode: E,F = 0; repeat { read event e; if e==a then E; if E and e==b then F } until F. Two models; states have different semantics; sets of observables intersect – what is the “diagnosis”?

  37. Key Questions • How is a process model built? • from first principles • from expert insights • from data (lots) • Given an event sequence, is it feasible or what is its probability? • Given an event sequence, estimate the current state • Given an event sequence, estimate the state sequence • How good are those estimates (ie variance)

  38. Homework Problems What are the states, dynamics and observables of the following processes: • intercontinental ballistic missile • soccer, American football, baseball games • Avian bird flu epidemic • terrorist cell • blogosphere • US/global economy • poker • romance

  39. Overview • Lecture 2: Detecting processes • What does detection of processes mean? • Automata • Hidden Markov Models • Kalman filtering • Particle filters

  40. Process Detection Problems • Given a sequence of observations... • What is the current state of the process? • What is the probability distribution on the states? • What are the most likely state sequences? • What is the uncertainty/error of the estimates?

  41. Graphical Depiction of Automata. [Diagram: automaton with a marked start state; states a, b, c, d; transitions labelled u and v; outputs 0 and 1.] Q = States = { a , b , c , d }, X = { u , v }, Y = { 0 , 1 }; d and b shown in graph

  42. Input-Output Description. [Diagram: the automaton of slide 41.] Input → output: uuuu → 01010; uuvu → 01001; vuuuu → 001010; vvuuuu → 0001010; uvvuuuu → 01101010; ..... Inputs grouped by state: a: f = v = vv = uu = uvv = ...; b: u = vu = vuuu = ....; c: uv = vuv = vuuuv = ...; d: uvu = vuvu = vvuvu = ...

  43. Estimating states in an automaton. [Diagram, repeated at each step: the three-state model with states 1, 2, 3 and observables a , c; b; a , c.] Observe a. Observe ab: sequences 12, 32. Observe ac: sequences 33. Observe acb: sequences 332.
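Slide 31's marking procedure and slide 33's HMM update, run on the three-state model of slides 31-33 and 43, as an added example that is not part of the lecture. The diagram is not on the page, so the edge set and the placement of the edge probabilities are assumptions inferred from the sequences the slides list, and the uniform starting distribution is also assumed.

```python
# Three-state model of slides 31-33 and 43. The slide diagram did not survive
# extraction, so the edge set below is an assumption, inferred from the legal and
# illegal sequences the slides list. Emission probabilities are slide 32's.
EMIT = {1: {"a": 0.8, "c": 0.2}, 2: {"b": 1.0}, 3: {"a": 0.8, "c": 0.2}}
# Assumption: slide 32's edge labels (0.8, 1, 0.5, 0.5, 0.2) sit on these edges.
TRANS = {1: {2: 1.0}, 2: {1: 0.5, 3: 0.5}, 3: {3: 0.8, 2: 0.2}}


def track(obs):
    """Slide 31's marking algorithm, keeping every surviving state sequence."""
    # Step 1: mark the states that could have emitted the first observable.
    paths = [(s,) for s in EMIT if obs[0] in EMIT[s]]
    for z in obs[1:]:  # Step 2: read the next observable z.
        # Step 3: states reachable from the marked ones that could emit z.
        paths = [p + (n,) for p in paths for n in TRANS[p[-1]] if z in EMIT[n]]
        if not paths:  # Step 4: nothing left marked, so the sequence is illegal.
            break
    return paths


def marked(obs):
    """Current-state estimate: the set of states still marked after obs."""
    return {p[-1] for p in track(obs)}


def normalise(weights):
    total = sum(weights.values())
    if total == 0:
        raise ValueError("observations have probability zero under the model")
    return {s: w / total for s, w in weights.items()}


def forward(obs, prior=None):
    """Slide 33's update: propagate with the dynamics, then weight by the emission."""
    belief = prior or {s: 1 / len(EMIT) for s in EMIT}  # uniform start: assumption
    belief = normalise({s: belief[s] * EMIT[s].get(obs[0], 0.0) for s in EMIT})
    for z in obs[1:]:
        predicted = {n: sum(belief[s] * TRANS[s].get(n, 0.0) for s in EMIT)
                     for n in EMIT}
        belief = normalise({n: predicted[n] * EMIT[n].get(z, 0.0) for n in EMIT})
    return belief


if __name__ == "__main__":
    for seq in ("a", "ab", "ac", "acb", "bb"):
        print(seq, track(seq))
    print(forward("ba", prior={1: 0.0, 2: 1.0, 3: 0.0}))
```

Keeping whole paths makes the output match slide 43's "Sequences" lines, but the number of paths can grow exponentially with the observation length; `marked` and `forward` need only the current set or distribution.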
