Adaptive Case-Based Reasoning Architectures for Critical Infrastructure Protection
Dr. Dan Schwartz, Dr. Sara Stoecklin, Mr. Erbil Yilmaz, Ms. Mimi Xu
Florida State University, Department of Computer Science
Table of Contents
• Case-Based Reasoning Defined
• General Problem
• Our Approach: Specific Application: Snort IDS
• Architectural Elements
• Advantages of Adaptive Architectures
• Future Work
Case-Based Reasoning
[Figure: the CBR cycle. 1.0 Formulate Problem/Attack takes a problem/attack from the Environment and produces a problem description. 2.0 Search Archives matches the problem description against the Case Archive and returns similar cases. 3.0 Select/Adapt turns the similar cases into a solution/response. 4.0 Generate Response to Problem/Attack applies the generated response to the Environment. 5.0 Report Results records the measure of success/failure back into the Case Archive.]
Key Issues
CBR can be a valuable tool for the protection of critical infrastructures in any of the eight CIP domains:
• Information and Communications
• Electrical Power Systems
• Gas and Oil Transportation and Storage
• Banking and Finance
• Transportation
• Water Supply Systems
• Emergency Services
• Government Services
even though each domain may have its own specific cases, data, and reasoning requirements.
Key Issues
Reasoners should be easily adaptable, in a cost-effective manner, to new or rapidly changing application environments.
• Case types and retrieval methods can change rapidly within any given application domain.
• Completely new application domains, and types of domains, continue to appear.
• Modifying and/or building domain-specific case-based reasoners is costly, since it requires substantial rewriting of code.
Our Approach
Create an adaptive architecture employing a meta-model that describes the domain features needed for a CIP CBR. Attributes, relationships, and reasoning rules are defined as instances of that metadata rather than being hard-coded in the reasoner.
What this means is that THE SAME ADAPTIVE CBR system can be used with different metadata to solve different problems. Rather than writing a separate CBR for each problem within each of the domains, WRITE ONE GENERIC CBR that dynamically reacts to the meta-description of the domain problem. The adaptive CBR is a TOOL for creating ARBITRARY DOMAIN-SPECIFIC CBRs.
To Illustrate
[Figure: the same Adaptive CBR System instantiated with different metadata and case archives. Each instance takes a problem description, retrieves similar cases from its archive by case description, and returns a solution/response.]
• Generalized CBR: MetaData + Case Archive
• Snort CBR: Snort MetaData + Snort Case Archive (Snort problem description in, solution/response out)
Other IDS Applications
• Behavioral CBR: Behavioral MetaData + Behavioral Case Archive (behavioral problem description in, solution/response out)
• Intrusion Event CBR: Intrusion Event MetaData + Intrusion Event Archive (intrusion event problem description in, solution/response out)
Other CIP Applications
• Person Identification CBR: Person Identification MetaData + Person Archive (person description in, person id/non-id out)
• Emergency Response CBR: Emergency Incident MetaData + Emergency Incident Archive (emergency description in, solution/response out)
Domain: Information and Communications. Area: Intrusion Detection. One CBR Framework – Four Sets of Metadata
[Figure: a Filter Machine passes packets to four CBR instances built on the one framework: CBR Snort Like (emits snort-like messages), CBR Behavior (suspect behavior), CBR Events (machine events in, problem events out), and CBR States (machine states in, problem states out).]
A First Step: Snort CBR (Proof of Concept System)
• The Snort IDS uses rules to detect possible intrusions based on particular features of an incoming packet, such as protocol, source and destination IP addresses and ports, payload contents, etc. If every packet feature matches the feature specified by the rule, the rule is applied (fired) and the rule action is performed.
• Sample Snort rule:
alert tcp any any -> 192.168.1.0/24 !111: (content:"|000186a5|"; msg:"mountd access";)
Snort Rule as a Case
• Match features from the foregoing rule:
Protocol: tcp
Source IP address: any
Source port: any
Destination IP address: 192.168.1.0/24 (192.168.1.0 through 192.168.1.255)
Destination port: !111: (the negated range "111 and above", i.e. any port below 111)
Packet contents: 000186a5 (the hex bytes 00 01 86 a5)
• Case action: output alert "mountd access"
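The rule-to-case mapping above, as an added Python example that is not code from the slides or from the FSU prototype: it parses the sample rule's header and options into a case of match features and checks whether a packet fires it, using the port-specification semantics Snort applies (any, 111, 111:, :111, and the negation !111:). The packets and the helper names are assumptions constructed for the example.

```python
"""Added example (not from the FSU slides): parse a Snort rule into a CBR case
and decide whether a packet fires it. Packets below are constructed, not captured."""
import ipaddress
import re

# Sample rule from the slides, in valid Snort syntax (direction operator, msg colon).
SNORT_RULE = ('alert tcp any any -> 192.168.1.0/24 !111: '
              '(content:"|000186a5|"; msg:"mountd access";)')


def parse_port_spec(spec):
    """Return (negated, low, high) for Snort port specs: any, 111, 111:, :111, 20:80, !111:."""
    negated = spec.startswith("!")
    spec = spec.lstrip("!")
    if spec == "any":
        return negated, 0, 65535
    lo, sep, hi = spec.partition(":")
    low = int(lo) if lo else 0
    high = int(hi) if hi else 65535
    if not sep:                     # a single port, not a range
        high = low
    return negated, low, high


def parse_content(value):
    """Decode a Snort content string: |..| segments hold hex bytes, the rest is ASCII."""
    out = b""
    for i, part in enumerate(value.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode()
    return out


def rule_to_case(rule):
    """Map a Snort rule into a case: a dict of match features plus the rule action."""
    header, _, opts = rule.partition("(")
    action, proto, src_ip, src_port, _direction, dst_ip, dst_port = header.split()
    options = dict(re.findall(r'(\w+)\s*:\s*"?([^";]*)"?\s*;', opts))
    return {
        "action": action,
        "protocol": proto,
        "src_ip": None if src_ip == "any" else ipaddress.ip_network(src_ip),
        "src_port": parse_port_spec(src_port),
        "dst_ip": None if dst_ip == "any" else ipaddress.ip_network(dst_ip),
        "dst_port": parse_port_spec(dst_port),
        "content": parse_content(options["content"]) if "content" in options else None,
        "msg": options.get("msg"),
    }


def port_matches(spec, port):
    negated, low, high = spec
    return (low <= port <= high) != negated


def ip_matches(net, addr):
    return net is None or ipaddress.ip_address(addr) in net


def rule_fires(case, pkt):
    """Exact matching as Snort does it: every feature must match or the rule does not fire."""
    return all([
        pkt["protocol"] == case["protocol"],
        ip_matches(case["src_ip"], pkt["src_ip"]),
        port_matches(case["src_port"], pkt["src_port"]),
        ip_matches(case["dst_ip"], pkt["dst_ip"]),
        port_matches(case["dst_port"], pkt["dst_port"]),
        case["content"] is None or case["content"] in pkt["payload"],
    ])


# Constructed packets: an RPC mountd probe to a low port, then two near misses.
PACKETS = [
    {"protocol": "tcp", "src_ip": "10.0.0.7", "src_port": 40001, "dst_ip": "192.168.1.5",
     "dst_port": 80, "payload": b"\x00\x01\x86\xa5\x00\x00"},
    {"protocol": "tcp", "src_ip": "10.0.0.7", "src_port": 40002, "dst_ip": "192.168.1.5",
     "dst_port": 111, "payload": b"\x00\x01\x86\xa5"},        # port 111 is excluded by !111:
    {"protocol": "tcp", "src_ip": "10.0.0.7", "src_port": 40003, "dst_ip": "192.168.2.5",
     "dst_port": 80, "payload": b"\x00\x01\x86\xa5"},         # wrong destination subnet
]


def alerts_for(rule, packets):
    """Return the case's msg for each packet that fires the rule, None otherwise."""
    case = rule_to_case(rule)
    return [case["msg"] if rule_fires(case, p) else None for p in packets]


if __name__ == "__main__":
    print(alerts_for(SNORT_RULE, PACKETS))
```

The second packet is the instructive one: the rule as written on the slide never fires on port 111 itself, because !111: negates the open-ended range starting at 111. A case library built from such rules inherits that semantics, so a port comparator in the reasoner has to model ranges and negation, not just equality.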
Software System Overview (Snort instance)
[Figure: build and run pipeline.]
• Application Domain Source is compiled into Application Domain Classes.
• Domain Metadata, with an Inheritance DTD, and a Metadata Dictionary describe the domain.
• Generic CBR Source, Comparator Source and a Binding Schema are compiled into Domain Specific CBR Classes and Comparator Classes.
• Snort Rule Files are converted into Cases in XML (Convert Cases to XML).
• Perform Adaptive CBR consumes Internet Packets and the XML cases and emits Alerts.
Snort CBR Data Abstraction
[Class diagram. Knowledge level: a MetaDataManager holds 0..M MetaDataRecords, collected in a MetaDataVector; each MetaDataRecord refers to exactly one Feature Type and one Comparator. Operational level: a Case is a vector of Features; Comparator is specialised into Exact, Range and ParsingExact.]
Data Dictionary (Meta Model):
Feature         Type      DataType  Comparator
Protocol        Protocol  String    Exact
PortIDIn        PortID    String    Exact
PortNumIn       PortNum   Integer   Range
PayLoadContent  Content   String    ParsingExact
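An added Python example, not the FSU prototype's code, showing how a data dictionary like the one above drives retrieval (step 2.0, Search Archives, of the CBR cycle): the engine looks up each feature's comparator by name from the metadata rows, so changing how a feature is compared is a metadata edit rather than a code change. The weights, the reading of PortIDIn as the port's string form, the Range span, the three archived cases and the probe packet are all assumptions constructed for the example.

```python
"""Added example (not the FSU prototype): one generic CBR retrieval engine whose
per-feature comparators are chosen at run time from a metadata dictionary."""


# Comparators: each scores one feature's similarity in [0, 1].
def exact(case_val, problem_val, _opts=None):
    return 1.0 if case_val == problem_val else 0.0


def in_range(case_val, problem_val, opts=None):
    """Numeric closeness: 1.0 at equality, falling linearly to 0.0 at 'span' apart."""
    span = (opts or {}).get("span", 1024)          # assumed default, not from the slides
    return max(0.0, 1.0 - abs(case_val - problem_val) / span)


def parsing_exact(case_val, problem_val, _opts=None):
    """Parse the case's Snort content string (|..| = hex bytes) and require it to
    occur verbatim inside the problem's raw payload."""
    needle = b"".join(bytes.fromhex(p) if i % 2 else p.encode()
                      for i, p in enumerate(case_val.split("|")))
    return 1.0 if needle in problem_val else 0.0


COMPARATORS = {"Exact": exact, "Range": in_range, "ParsingExact": parsing_exact}

# The slide's data dictionary rows (Feature, Type, DataType, Comparator).
# Weights, and reading PortIDIn as the port's string form, are assumptions added here.
SNORT_METADATA = [
    {"feature": "Protocol",       "type": "Protocol", "datatype": "String",  "comparator": "Exact",        "weight": 1.0},
    {"feature": "PortIDIn",       "type": "PortID",   "datatype": "String",  "comparator": "Exact",        "weight": 0.5},
    {"feature": "PortNumIn",      "type": "PortNum",  "datatype": "Integer", "comparator": "Range",        "weight": 1.0},
    {"feature": "PayLoadContent", "type": "Content",  "datatype": "String",  "comparator": "ParsingExact", "weight": 2.0},
]

# Constructed case archive: three Snort-style rules reduced to their match features.
ARCHIVE = [
    {"Protocol": "tcp", "PortIDIn": "111", "PortNumIn": 111, "PayLoadContent": "|000186a5|",         "msg": "mountd access"},
    {"Protocol": "tcp", "PortIDIn": "80",  "PortNumIn": 80,  "PayLoadContent": "GET /cgi-bin/",       "msg": "cgi-bin access"},
    {"Protocol": "udp", "PortIDIn": "53",  "PortNumIn": 53,  "PayLoadContent": "|07|version|04|bind", "msg": "dns version query"},
]

# Constructed problem: a TCP packet to port 112 whose payload carries the mountd program number.
PROBLEM = {"Protocol": "tcp", "PortIDIn": "112", "PortNumIn": 112,
           "PayLoadContent": b"\x80\x00\x00\x28\x00\x01\x86\xa5\x00\x00\x00\x02"}


def similarity(metadata, case, problem):
    """Weighted sum of per-feature scores; the engine never names a comparator itself."""
    total = sum(m["weight"] for m in metadata)
    score = 0.0
    for m in metadata:
        compare = COMPARATORS[m["comparator"]]
        score += m["weight"] * compare(case[m["feature"]], problem[m["feature"]], m.get("options"))
    return score / total


def retrieve(metadata, archive, problem, k=2):
    """Step 2.0, Search Archives: return the k most similar cases as (msg, score)."""
    scored = [(c["msg"], similarity(metadata, c, problem)) for c in archive]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)[:k]


def with_comparator(metadata, feature, comparator):
    """Adapt the reasoner by editing one metadata row; the original list is left untouched."""
    return [dict(m, comparator=comparator) if m["feature"] == feature else dict(m)
            for m in metadata]


if __name__ == "__main__":
    variants = [("Range on PortNumIn", SNORT_METADATA),
                ("Exact on PortNumIn", with_comparator(SNORT_METADATA, "PortNumIn", "Exact"))]
    for label, md in variants:
        print(label, [(msg, round(s, 3)) for msg, s in retrieve(md, ARCHIVE, PROBLEM)])
```

With Range on the port, the mountd case still scores highly for a probe on the neighbouring port 112, which exact rule matching would miss entirely; switching that one row to Exact drops the port contribution to zero while the payload comparator keeps the case on top. Neither change touched the engine, which is the point of keeping comparator references in metadata.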
Adaptive Architecture
• This adaptive architecture has an explicit object model that provides "meta" information, which is interpreted at runtime to change behavior.
• Adaptive architectures are especially suited to specific frameworks such as a CBR.
• References to similarity metrics are stored as descriptive metadata, which adds flexibility: a metric is changed by editing the metadata rather than the reasoner.
Advantages of Architecture
• General meta-level architectures can more easily be implemented for the various CIP domains, in many areas, with many types of problems.
• Modification of a given CBR is easier and can be done by domain experts without major rewrites.
• New similarity metrics can easily be added.
• Shorter time-to-market:
  • changes can be implemented quickly;
  • new CBRs can be built more quickly.
Our Progress
• Explored existing CBR systems, including NRL's NaCoDAE (Navy Conversational Decision Aids Environment).
• Designed a meta-model for general cases and case features.
• Built a case library using the standard Snort rule set.
• Defined a simple similarity metric for Snort case retrieval.
• Created an elementary prototype of the Snort CBR.
Publications/Patents
• Schwartz, D.G., Stoecklin, S., and Yilmaz, E., "A case-based approach to network intrusion detection," Fifth International Conference on Information Fusion (IF'02), Annapolis, MD, July 7-11, 2002, to appear.
• A Generic Adaptive Case-Based Reasoner: disclosure and patent application in progress.
Future Work
[Figure: the intrusion-detection pipeline extended with a Red-Team machine whose activity reaches the Filter Machine as packets. CBR Snort Like emits snort-like messages, CBR Behavior suspect behavior, CBR Events problem events from machine events, CBR States problem states from machine states, and the combined output is red-team alerts.]
• Extend the snort-like Adaptive CBR with new features, cases, and reasoning rules to enable network intrusion detection based on user behavior analysis (Challenge Problem).
• Extend the Adaptive CBR with more features, cases, and rules to allow detection using machine states and events.
• Explore each of the other CIP domains and create appropriate further applications of the Adaptive CBR.