1 / 25

Approaches to Event Prediction in Complex Environments

Approaches to Event Prediction in Complex Environments . Terence Tan (PhD Candidate) Advisors: Prof Christian Darken, PhD Prof Neil Rowe , PhD Prof Arnold Buss , PhD Prof Ralucca Gera , PhD Prof John Hiles. 831-656-7582 http:// movesinstitute.org. Scope of Presentation.

kamana
Download Presentation

Approaches to Event Prediction in Complex Environments

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Approaches to Event Prediction in Complex Environments Terence Tan(PhD Candidate) Advisors: Prof Christian Darken, PhD Prof Neil Rowe , PhD Prof Arnold Buss , PhD Prof Ralucca Gera , PhD Prof John Hiles 831-656-7582http://movesinstitute.org

  2. Scope of Presentation • What is Relational Time Series? • Previous Approaches • New Learning and Prediction Approaches • Conclusions

  3. Network Intrusion Detection Alerts What is Relational Time Series? Previous Approaches New Learning and Prediction Approaches Conclusions

  4. Network Intrusion Detection Alerts What is Relational Time Series? Previous Approaches New Learning and Prediction Approaches Conclusions

  5. Network Intrusion Detection Alerts What is Relational Time Series? Previous Approaches New Learning and Prediction Approaches Conclusions

  6. Network Intrusion Detection Alerts What is Relational Time Series? Previous Approaches New Learning and Prediction Approaches Conclusions

  7. Time Series of Network Intrusion Detection Alerts What is Relational Time Series? Previous Approaches New Learning and Prediction Approaches Conclusions

  8. Relational Time Series: Time Series of Relational Atoms • P = (t, r(c1, c2, … cn)) • where • P: percept • t: time • r: relation • cx: constant • 0.0, lookA(spock84) • 0.0, place+(Paperville3) • 0.0, location+(pitchfork74, Paperville3) • 0.0, pitchfork+(pitchfork74) • 0.0, location+(spock84, Paperville3) • 0.0, spock+(spock84) • 2.75, getA(pitchfork74, spock84) • 2.75, getE(spock84, pitchfork74) • 2.75, location-(pitchfork74, Paperville3) • 2.75, location+(pitchfork74, spock84) • 5.5, wA(spock84) • 5.5, goE(spock84, west) • 5.5, location-(spock84, Paperville3) • 5.5, spock-(spock84) • 5.5, place-(Paperville3) What is Relational Time Series? Previous Approaches New Learning and Prediction Approaches Conclusions

  9. Relational Time Series: Time Series of Relational Atoms • P = (t, r(c1, c2, … cn)) • where • P: percept • t: time • r: relation • cx: constant • 0.0, lookA(spock84) • 0.0, place+(Paperville3) • 0.0, location+(pitchfork74, Paperville3) • 0.0, pitchfork+(pitchfork74) • 0.0, location+(spock84, Paperville3) • 0.0, spock+(spock84) • 2.75, getA(pitchfork74, spock84) • 2.75, getE(spock84, pitchfork74) • 2.75, location-(pitchfork74, Paperville3) • 2.75, location+(pitchfork74, spock84) • 5.5, wA(spock84) • 5.5, goE(spock84, west) • 5.5, location-(spock84, Paperville3) • 5.5, spock-(spock84) • 5.5, place-(Paperville3) What is the next percept? What is Relational Time Series? Previous Approaches New Learning and Prediction Approaches Conclusions

  10. Characteristics • No Background knowledge • Eg. In a unknown domain, we do not know the behaviors of any entity • Relational Atoms • Multi-dimension proposition • High variability in predicates & constants • Too many to predefine • Moving Context • Needs online Learning What is Relational Time Series? Previous Approaches New Learning and Prediction Approaches Conclusions

  11. Motivations • Anticipation • Early Warning What is Relational Time Series? Previous Approaches New Learning and Prediction Approaches Conclusions

  12. Previous Approaches • Production Rules • Finite State Machines • Bayesian Network • Markov Chain • Statistical Relational Learning What is Relational Time Series? Previous Approaches New Learning and Prediction Approaches Conclusions

  13. Recent Interest in IDS Alerts Predictions • Recent Interests • 2011 Nexat a history-based approach to predict attacker actions • 2011 A Novel Probabilistic Matching Algorithm for Multi-Stage Attack Forecast • 2010 Multi stage attack Detection system for Network Administrators using Data Mining (UTN, Oak Ridge NL) • 2008 Alert Fusion Based on Cluster and Correlation • 2007 Using Network Attack Graph to Predict the Future Attacks • 2007 Discovering Novel Multistage Attack Strategies • Common Approaches • Mine Behavior from past data, such as DARPA challenge (1998, 1999 and 2000 • No Online learning What is Relational Time Series? Previous Approaches New Learning and Prediction Approaches Conclusions

  14. Situation Learning • Situation Learning (Darken, 2005) • A sliding time window identifies “Situations” • Forms a simple lookup table • Able to model trending and high variability • 0.0, lookA(spock84) • 0.0, place+(Paperville3) • 0.0, location+(pitchfork74, Paperville3) • 0.0, pitchfork+(pitchfork74) • 0.0, location+(spock84, Paperville3) • 0.0, spock+(spock84) • 2.75, getA(pitchfork74, spock84) • 2.75, getE(spock84, pitchfork74) • 2.75, location-(pitchfork74, Paperville3) • 2.75, location+(pitchfork74, spock84) • 5.5, wA(spock84) • 5.5, goE(spock84, west) • 5.5, location-(spock84, Paperville3) • 5.5, spock-(spock84) • 5.5, place-(Paperville3) Predictive atom What is Relational Time Series? Previous Approaches New Learning and Prediction Approaches Conclusions

  15. Situation Learning (SL) + Current Approaches What is Relational Time Series? Previous Approaches New Learning and Prediction Approaches Conclusions

  16. Conceptual Blending Constitution Principles Vital Relation Mapping Construct Generic Space Composition Completion Elaboration Back Projection (From Fauconnier & Turner, 2002) Projection Data, information, organizer Emergent Frame Optimality Principles Compression Topology Pattern Completion Integration Promoting Vital Relation Web Unpacking relevance ={?c/?d} Current Domain Previous Domains ={?a/?b} Outer Space Mappings Vital Relation Change, Cause-Effect, Time, Space, Identity, Change, Uniqueness, Part-Whole, Representation, Role, Analogy, Disanalogy, Property, Similarity, Category, and Intentionality Back projection Subst(,) Subst(,) What is Relational Time Series? Previous Approaches New Learning and Prediction Approaches Conclusions

  17. Single Scope Blending Example Previous Situation Dragon-1 Agent-1 • Dragon-1 in Location-1 • Agent-1 enter Location-1 • Dragon-1 Kill Agent-1 • … • … • Goblin-2 in location-2 • Dragon-2 in location-2 • Agent-2 enter location-2 • ? kill in Enter Analogy Location-1 Current Situation Dragon-2 Agent-2 One Possible Substitution: Dragon-1 to Goblin-2 Agent-1 to Agent-2 Prediction: Goblin-2 Kill Agent-2 in Enter in Location-2 Goblin-2 What is Relational Time Series? Previous Approaches New Learning and Prediction Approaches Conclusions

  18. Prediction Accuracies from a Agent Simulator What is Relational Time Series? Previous Approaches New Learning and Prediction Approaches Conclusions

  19. Network Intrusion Alerts Predictions What is Relational Time Series? Previous Approaches New Learning and Prediction Approaches Conclusions

  20. Why is SSB Better? • Dataset • 6482 alerts • 1590 unique alerts • Detection Rate • Effect of Frequency on Detection Rate What is Relational Time Series? Previous Approaches New Learning and Prediction Approaches Conclusions

  21. Complexity Reduction: From Exponential to Linear • Default Method: Backtracking • Subgraph Isomorphism • NP-Complete • 1st Improvement • Formulate the problem as graph search • Depth First Search to Greedy Best First Search • Best First Search to 2-tier ASTAR • 2nd Improvement • Attention Based Search What is Relational Time Series? Previous Approaches New Learning and Prediction Approaches Conclusions

  22. Attention Based Search Previous Situation Current Situation Dragon-1 Dragon-2 Agent-1 Agent-2 in Enter in Enter Location-1 Location-2 score = [Type, ExactNameMatch, BothExactDegreeMatch, AtLeastOneDegreeMatch, DegreeDiff]

  23. Scalability Test What is Relational Time Series? Previous Approaches New Learning and Prediction Approaches Conclusions

  24. Conclusions & Future Works • Conclusions • Single Scope Blending Prediction Approach predicts better • Reduces NP-Complete complexity to Linear through Greedy ASTAR and Attention based search • Future Works • 2-tier memory system (Short term and long term memory) • Flexible windows based on event segment theory • Letter prediction

  25. Thank you

More Related