
An Agent-based Bayesian Forecasting Model for Enhancing Network Security

J. PIKOULAS, W.J. BUCHANAN, Napier University, Edinburgh, UK. M. MANNION, Glasgow Caledonian University, Glasgow, UK. K. TRIANTAFYLLOPOULOS, University of Warwick, UK.


Presentation Transcript


  1. An Agent-based Bayesian Forecasting Model for Enhancing Network Security J. PIKOULAS, W.J. BUCHANAN, Napier University, Edinburgh, UK. M. MANNION, Glasgow Caledonian University, Glasgow, UK. K. TRIANTAFYLLOPOULOS, University of Warwick, UK.

  2. Hacking methods:
     • IP spoofing.
     • Packet-sniffing.
     • Password attack.
     • Sequence number prediction attacks.
     • Session hi-jacking attacks.
     • Shared library attacks.
     • Social Engineering attacks.
     • Technological vulnerability attack.
     • Trust-access attacks.
     [Figure labels: IP spoofing; Packet sniffing]

  3. Hacking methods:
     • IP spoofing.
     • Packet-sniffing.
     • Password attack.
     • Sequence number prediction attacks.
     • Session hi-jacking attacks.
     • Shared library attacks.
     • Social Engineering attacks.
     • Technological vulnerability attack.
     • Trust-access attacks.
     [Figure labels: Shared library; Social engineering; Password attack]

  4. Security programs:
     • Security enhancement software. Enhances the operating system’s security.
     • Authentication and encryption software. Such as Kerberos, RSA, and so on.
     • Security monitoring software.
     • Network monitoring software.
     • Firewall software and hardware.
     [Figure: public-key encryption. The user’s public key is used to encrypt data; the user’s private key is used to decrypt the encrypted data. Panel labels: Firewall; Encryption and authentication; Security enhancement; Operating System Security Enhancement]

  5. Problem with existing security methods:
     • Centralized. They tend to be based on a central server, which can become the target of an attack.
     • No real-time response. They tend not to be able to respond to events as they occur, and rely on expert filtering.
     • No ability to foresee events.
     Denial-of-service: Many external accesses eventually reduce the accessibility of the server, such as with Yahoo.com, eBay, Amazon, CNN, ZDNet and Excite (Feb 2000).
     Centralized: Centralized security can lead to attacks as the central resource becomes the focus of attacks.
     Financial losses (2000/01):
     • Virus (70%).
     • Net abuse (45%).
     • Laptop theft (45%).
     • Denial of service (21%).
     • Unauthorized access (16%).
     • System penetration (14%).
     • Sabotage (12%).
     [Figure labels: Central storage; Central server; Firewall]

  6. Agent-based distributed security system:
     • Agents work independently from the server. This reduces the workload on the server, and also the dependency on it.
     • Agents download the user profile from the server. The agents can then learn the profile of the user and update it when they log-out.
     • Agents can be responsible for security.
     [Figure labels: Distributed agent-based; Centralized]

  7. Agent-based distributed security system with forecasting
     [Figure: Core Agent, User Agent and User profile, with the following labels]
     • Agent monitors current usage.
     • Core agent sends forecasting information.
     • Agent reports any changes in behaviour.
     • Agent compares usage with forecast.
     • User agent returns the updated model to the user.
     • User agent updates the forecasting model.
     • User logs off.

  8. Agent environment topology
     • Sensor. Monitors software applications.
     • Transmitter. Sends information to the server.
     • Profile reader. Reads the user’s historical profile.
     • Comparator. Compares user’s history with the information read by the sensor.

  9. Traditional method of forecasting against Bayesian forecasting

  10. Prediction model:
     • Observation stage.
       • In this stage the model monitors the user and records their behaviour.
     • Evaluation stage.
       • In this stage the model makes a prediction, monitors the user’s actual movements and calculates the result. This stage is critical, because the model modifies itself according to the environment that it operates in.
     • One-step prediction.
       • In this stage the model makes a single-step prediction. For example, assume that the user has logged in 15 times, the model is configured, and it is ready to start predicting user moves. Instead of making a five- or ten-step prediction, like other mathematical models, our model makes a prediction for the next step only. When the user logs in and out, the model takes the actual behaviour of the user, compares it with the one-step prediction that it made before, and calculates the error. So the next time a prediction is made for this user, it will also include the data of the last user behaviour. With this procedure we maximise the accuracy of the prediction system.

  11. Forecasting calculation
     • Prediction parameters:
       • n – Window size.
       • z – Prediction number.
       • t – Time unit.
     • Sample parameters:
       • n = 15
       • z = 5
       • t = 1 hr
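The observe, predict-one-step, compare and update cycle from slides 10 and 11, as an added example that is not taken from the presentation. It uses a scalar local-level Bayesian model as an assumed stand-in for the authors' model; the discount factor, the alert threshold and the per-session usage figures are constructed for illustration, with n = 15 and t = 1 hr taken from the slide.

```python
import math
from statistics import mean, pvariance

N_WINDOW = 15      # n from the slides: sessions observed before forecasting
DISCOUNT = 0.9     # assumption: discount factor, not given on the slides
THRESHOLD = 3.0    # assumption: flag errors beyond 3 forecast std deviations

class OneStepForecaster:
    """Scalar local-level Bayesian model (assumed stand-in for the slides' model)."""

    def __init__(self, window):
        # Observation stage: the recorded behaviour sets the prior.
        self.v = max(pvariance(window), 1e-6)   # observation variance
        self.m = mean(window)                   # posterior mean of usage level
        self.c = self.v / len(window)           # posterior variance of the level

    def predict(self):
        """One-step forecast: (mean, variance) for the next session only."""
        r = self.c / DISCOUNT                   # discounting inflates uncertainty
        return self.m, r + self.v

    def update(self, actual):
        """Evaluation stage: compare actual with forecast, then fold it in."""
        f, q = self.predict()
        error = actual - f
        flagged = abs(error) > THRESHOLD * math.sqrt(q)
        gain = (q - self.v) / q                 # adaptive coefficient R/Q
        self.m += gain * error                  # next forecast includes this session
        self.c = gain * self.v
        return f, error, flagged

def monitor(sessions):
    """Return [(forecast, actual, error, flagged)] for sessions after the window."""
    model = OneStepForecaster(sessions[:N_WINDOW])
    out = []
    for actual in sessions[N_WINDOW:]:
        f, e, flagged = model.update(actual)
        out.append((round(f, 2), actual, round(e, 2), flagged))
    return out

# Constructed sample: applications launched per 1-hour session by one user.
SAMPLE = [4, 5, 6, 5, 4, 5, 6, 5, 4, 5, 6, 5, 4, 5, 6, 5, 6, 19, 5]

if __name__ == "__main__":
    for row in monitor(SAMPLE):
        print(row)
```

Only the session with 19 launches is flagged as a change in behaviour; because every session is folded back into the model, the forecast for the following session rises slightly.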

  12. Intervention • Useful in responding to exception data, such as when there is not enough data about a user.

  13. Bayesian mathematics: As we see in the following equation, we are introducing a parameter matrix, a random matrix with left variance matrix , right variance matrix.

  14. Conclusions:
     • Fast and simple model.
       • It requires less preparation than other models.
     • Provides good prediction results.
     • Requires very little storage of user activity.
     • Small increase in CPU processing.
       • Only a 1-2% increase in CPU processing has been measured.
     • Model learns with very little initial settings.
       • Other models require some initial parameter settings to make them work well.
