1 / 22

Ceaseless Case-Based Reasoning

Ceaseless Case-Based Reasoning. Francisco J. Martin and Enric Plaza (2004). The problem.

leyna
Download Presentation

Ceaseless Case-Based Reasoning

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Ceaseless Case-Based Reasoning Francisco J. Martin and Enric Plaza (2004)

  2. The problem Most existing CBR systems make assumptions that make them unsuitable for use in domains that contain the possibility for interleaved problems and where it is difficult to set boundries on the start and end of a case

  3. The assumptions that cause problems • Non-coincidental sources • Full-fledged problem descriptions • Individual cases independency

  4. Ceaseless CBR A model that does not make these assumptions

  5. Application domain: Intrusion detection Network manager Too many non-important alerts are sent ao the network manager ACC (Alba) Alerts from probes (Snort)

  6. The application domain • The input is a stream of alerts (unsegmented sequence) • More than one problem can appear at the time

  7. The goal • Enhance ACC performance by using the Ceaseless CBR model • More specifically: Segment the sequence of events to provide the best explanation of the current situation and suggest an action

  8. User Hm, what problems might be occuring here? Revised solutions Solutions List of events/alerts Case-base with existing problem descriptions Event Event Event Bla Bla Bla . . . Ceaseless CBR

  9. Alerts

  10. Sequential Cases • A sequential case is a compositional case where a temporal order is established among all the parts that comprise it • Sequential cases are represented by actionable trees

  11. Cases Roots: observable evidence (belonging to a sort)

  12. Serial case Looks for this sequence

  13. Parallel case Looks for these sequences in the event stream

  14. Looking for similarity • Much happens behind the scenes when looking for sequences yielded by actionable trees in the stream of alerts

  15. Case activations • Is a hypothesis • Case activations can be compounded together (NB constraints)

  16. Ceaseless Retrieve • The point of the process is to generate case activations • Note that case activations can persist over time steps

  17. Get cases Creates case activations Handles alerts not used in existing cases Removes old case activations Sends case activations to the Reuse process

  18. Ceaseless Reuse • Tries to find the combination of case activations that best explains the sequence of alerts

  19. How strongly do we believe the case activation (hypothesis)? Select alerts that need to be explained Generate explanations Find the probability of each of the explanations Send best explanation to Revise-process

  20. Revise • Explanation presented to user • User can make changes

  21. Retain • Updates sequential case base

More Related