Ceaseless Case-Based Reasoning. Francisco J. Martin and Enric Plaza (2004)
The problem: most existing CBR systems make assumptions that make them unsuitable for domains in which several problems can be interleaved and in which it is hard to set boundaries on where a case starts and where it ends
The assumptions that cause problems • Non-coincidental sources (problems arrive one at a time) • Full-fledged problem descriptions (the problem is completely described before reasoning starts) • Independence of individual cases
Ceaseless CBR A model that does not make these assumptions
Application domain: intrusion detection. (Diagram: alerts from probes (Snort) flow into the ACC (Alba), which forwards them to the network manager; too many unimportant alerts are sent to the network manager.)
The application domain • The input is a stream of alerts (an unsegmented sequence) • More than one problem can be present at the same time
The goal • Enhance ACC performance by using the Ceaseless CBR model • More specifically: Segment the sequence of events to provide the best explanation of the current situation and suggest an action
(Diagram: the user asks "what problems might be occurring here?"; a list of events/alerts and a case base of existing problem descriptions feed the Ceaseless CBR process, which returns solutions that the user turns into revised solutions.)
Sequential Cases • A sequential case is a compositional case where a temporal order is established among all the parts that comprise it • Sequential cases are represented by actionable trees
Cases: the roots of an actionable tree are observable evidence (alerts, each belonging to a sort)
Serial case: looks for one sequence of alerts in a fixed temporal order
Parallel case: looks for several sequences in the event stream, with no order imposed between the sequences
Looking for similarity • Much happens behind the scenes when the sequences yielded by actionable trees are matched against the stream of alerts
Case activations • A case activation is a hypothesis: the alerts seen so far are a (possibly partial) instance of a sequential case • Case activations can be compounded together, subject to constraints
Ceaseless Retrieve • The point of the process is to generate case activations • Note that case activations can persist over time steps
Retrieve steps: get cases → create case activations → handle alerts not used by existing case activations → remove old case activations → send the case activations to the Reuse process
Ceaseless Reuse • Tries to find the combination of case activations that best explains the sequence of alerts
Reuse steps (how strongly do we believe each case activation, i.e. each hypothesis?): select the alerts that need to be explained → generate explanations → compute the probability of each explanation → send the best explanation to the Revise process
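The retrieve and reuse steps above, as an added toy implementation (not the ACC/Alba code of Martin and Plaza). Sequential cases are reduced to lists of branches: a serial case has one ordered branch, a parallel case has several branches whose relative order is free. Every alert extends each activation that expects it and may also spawn a new activation, so competing hypotheses share alerts; the reuse step then picks the alert-disjoint combination with the highest belief (prior weighted by progress), which is how the explanation of the first portscan is revised from "recon_only" to "worm" as more alerts arrive. Case names, alert sorts, source addresses, priors and the same-source constraint are constructed for illustration.

```python
"""Toy ceaseless CBR cycle over an unsegmented, interleaved alert stream.
Added example, not the authors' system; every case, sort, address and
prior below is constructed for illustration."""
from itertools import combinations

# Constructed case base. branches: one tuple = serial case, several = parallel case.
CASES = {
    "worm":        {"branches": [("portscan", "exploit", "shell_callback")], "prior": 0.6},
    "recon_only":  {"branches": [("portscan",)], "prior": 0.3},
    "brute_force": {"branches": [("login_fail", "login_fail", "login_success")], "prior": 0.5},
    "dos":         {"branches": [("syn_flood",), ("icmp_flood",)], "prior": 0.4},
}

# Constructed alert stream (what Snort-style probes would hand the ACC); one alert per time step.
STREAM = [
    {"sort": "portscan", "src": "10.0.0.1"},
    {"sort": "login_fail", "src": "10.0.0.2"},
    {"sort": "exploit", "src": "10.0.0.1"},
    {"sort": "login_fail", "src": "10.0.0.2"},
    {"sort": "syn_flood", "src": "10.0.0.3"},
    {"sort": "shell_callback", "src": "10.0.0.1"},
    {"sort": "login_success", "src": "10.0.0.2"},
    {"sort": "icmp_flood", "src": "10.0.0.3"},
    {"sort": "http_noise", "src": "10.0.0.4"},   # matches no case: stays unexplained
]


class Activation:
    """Hypothesis: the alerts from `src` consumed so far are an instance of `case`."""
    def __init__(self, case, src, t):
        self.case, self.src, self.last = case, src, t
        self.pos = [0] * len(CASES[case]["branches"])   # next expected position per branch
        self.alerts = []                                 # stream indices consumed

    def expecting(self, sort):
        """Index of a branch whose next expected sort is `sort`, else None."""
        for i, branch in enumerate(CASES[self.case]["branches"]):
            if self.pos[i] < len(branch) and branch[self.pos[i]] == sort:
                return i
        return None

    def extend(self, branch_idx, alert_idx, t):
        self.pos[branch_idx] += 1
        self.alerts.append(alert_idx)
        self.last = t

    def progress(self):
        return sum(self.pos) / sum(len(b) for b in CASES[self.case]["branches"])

    def complete(self):
        return self.progress() == 1.0


def ceaseless_retrieve(activations, t, alert, max_age):
    """Extend activations that expect this alert (same source only, the constructed
    constraint), spawn activations for cases the alert could start, and age out
    incomplete activations that stalled for more than max_age steps."""
    sort, src = alert["sort"], alert["src"]
    for a in activations:
        if a.src == src and not a.complete():
            i = a.expecting(sort)
            if i is not None:
                a.extend(i, t, t)
    for name, case in CASES.items():
        if any(branch[0] == sort for branch in case["branches"]):
            a = Activation(name, src, t)
            a.extend(a.expecting(sort), t, t)
            activations.append(a)
    return [a for a in activations if a.complete() or t - a.last <= max_age]


def ceaseless_reuse(activations):
    """Best explanation: the alert-disjoint set of activations maximising
    sum(prior * progress). Exhaustive search; fine for a toy stream."""
    best, best_score = (), 0.0
    for r in range(1, len(activations) + 1):
        for combo in combinations(activations, r):
            covered, consistent = set(), True
            for a in combo:
                if covered & set(a.alerts):      # two hypotheses claim the same alert
                    consistent = False
                    break
                covered |= set(a.alerts)
            if not consistent:
                continue
            score = sum(CASES[a.case]["prior"] * a.progress() for a in combo)
            if score > best_score:
                best, best_score = combo, score
    return best, best_score


def run(stream, max_age=4):
    """Returns (history, unexplained): the best explanation after every time step
    and the alerts the final explanation does not cover."""
    activations, history, explanation = [], [], ()
    for t, alert in enumerate(stream):
        activations = ceaseless_retrieve(activations, t, alert, max_age)
        explanation, score = ceaseless_reuse(activations)
        history.append((tuple(sorted(a.case for a in explanation)), round(score, 3)))
    covered = {i for a in explanation for i in a.alerts}
    return history, [i for i in range(len(stream)) if i not in covered]


if __name__ == "__main__":
    hist, unexplained = run(STREAM)
    for t, (cases, score) in enumerate(hist):
        print(f"t={t} {STREAM[t]['sort']:>14}: explanation={cases} belief={score}")
    print("unexplained alerts:", unexplained)
```

The second `login_fail` at t=3 both extends the running brute-force activation and spawns a second one (a possible second interleaved instance); the spare activation never progresses and is aged out at t=8, which is the "remove old case activations" step. A real system would also need to decide how long completed activations remain candidates and to use the case's own constraints instead of a flat same-source rule.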
Revise • The best explanation is presented to the user • The user can make changes
Retain • Updates the sequential case base with the revised explanation