May Report - FSU Computer Science Department

Adaptive Case-Based Reasoning
Architectures for Critical
Infrastructure Protection
Dr. Dan Schwartz
Dr. Sara Stoecklin
Mr. Erbil Yilmaz
Ms. Mimi Xu
Florida State University
Department of Computer Science
Table of Contents
• Case-Based Reasoning Defined
• General Problem
• Our Approach: Specific Application: Snort IDS
• Architectural Elements
• Advantages of Adaptive Architectures
• Future Work
Case-Based Reasoning
[Figure: the CBR cycle, reconstructed from the diagram labels]
1.0 Formulate Problem/Attack: takes the problem/attack from the Environment and produces a problem description.
2.0 Search Archives: takes the problem description, queries the Case Archive, and returns similar cases.
3.0 Select/Adapt: chooses among the similar cases and produces a solution/response.
4.0 Generate Response to Problem/Attack: applies the generated response and yields results.
5.0 Report Results: reports results and a measure of success/failure back to the Case Archive.
Key Issues
CBR can be a valuable tool for the protection of critical
infrastructures in any of the eight CIP domains:
– Information and Communications
– Electrical Power Systems
– Gas and Oil Transportation and Storage
– Banking and Finance
– Transportation
– Water Supply Systems
– Emergency Services
– Government Services
even though each domain may have its own specific cases,
data, and reasoning requirements.
Key Issues
Reasoners should be easily adaptable, in a cost-effective manner,
to new or rapidly changing application environments.
– Case types and retrieval methods can change rapidly
within any given application domain.
– Completely new application domains, and types of
domains, continue to appear.
– Modifying and/or building domain-specific case-based
reasoners is costly since it requires substantial rewriting of
code.
Our Approach
Create an adaptive architecture
employing a meta-model describing the
domain features needed for the CIP
CBR.
Attributes, relationships, and reasoning
rules are defined as instances from
metadata.
What this means is ...
THE SAME ADAPTIVE CBR system can be used
with different metadata to solve different problems.
Thus, rather than writing separate CBRs for each problem
within each of the domains, WRITE ONE GENERIC CBR
that dynamically reacts to the meta description of the
domain problem.
The adaptive CBR is a TOOL for creating ARBITRARY
DOMAIN-SPECIFIC CBRs.
To Illustrate:
[Figure: the same architecture instantiated twice, reconstructed from the diagram labels]
GENERALIZED CBR: MetaData and a problem description enter the Adaptive CBR System; the system sends a case description to the Case Archive and receives similar cases back; the output is a solution/response.
Snort CBR: Snort MetaData and a Snort problem description enter the same Adaptive CBR System; the system exchanges a case description / similar cases with the SnortCase Archive; the output is a solution/response.
Other IDS Applications
[Figure: two further instances of the Adaptive CBR System, reconstructed from the diagram labels]
Behavioral CBR: Behavioral MetaData and a Behavioral problem description enter the Adaptive CBR System; case description / similar cases are exchanged with the Behavioral Case Archive; the output is a solution/response.
Intrusion Event CBR: Intrusion Event MetaData and an Intrusion Event problem description enter the Adaptive CBR System; case description / similar cases are exchanged with the Intrusion Event Archive; the output is a solution/response.
Other CIP Applications
[Figure: two non-IDS instances of the Adaptive CBR System, reconstructed from the diagram labels]
Person Identification CBR: Person Identification MetaData and a Person description enter the Adaptive CBR System; case description / similar cases are exchanged with the Person Archive; the output is a Person id/non-id decision.
Emergency Response CBR: Emergency Incident MetaData and an Emergency description enter the Adaptive CBR System; case description / similar cases are exchanged with the Emergency Incident Archive; the output is a solution/response.
Domain: Information and Communications
Area: Intrusion Detection
One CBR Framework – Four Sets of Metadata
[Figure: one packet Filter feeding four CBR instances, reconstructed from the diagram labels]
packet -> Filter -> packet -> Machine -> machine events -> Events CBR -> problem events
                              Machine -> machine states -> States CBR -> problem states
packet -> Filter -> Behavior CBR -> suspect behavior
packet -> Filter -> Snort Like CBR -> snort-like messages
A First Step: Snort CBR
(Proof of Concept System)
• The Snort IDS uses rules to detect possible intrusions
depending on particular features of an incoming packet
such as protocol, source and destination IP addresses
and ports, payload contents, etc. If each of the packet
features matches the feature specified by the rule, then the
rule is applied (fired) and the rule action is performed.
• Sample Snort rule:
alert tcp any any -> 192.168.1.0/24 !111: (content:"|000186a5|"; msg:"mountd access";)
Snort Rule as a Case
• Match features from foregoing rule:
Protocol: tcp
Source IP address: any
Source port: any
Destination IP address: 192.168.1.0 to 255
Destination port: not > 111
Packet contents: 000186a5 (hex code)
• Case action:
Output alert: “mountd access”
Software System Overview
[Figure: build and run pipeline, reconstructed from the diagram labels]
Build time:
- Domain Metadata -> Compile Schema -> Inheritance DTD and Inheritance Binding Schema (schema instance)
- Snort Application Domain Source (Application Domain Classes) together with Generic CBR Source -> Compile Source -> Domain Specific CBR Classes
- Comparator Source -> Compile Source -> Comparator Classes
- Snort Rule Files -> Convert Cases to XML -> Cases In XML
Run time:
- Internet Packets, Cases In XML and the Metadata Dictionary -> Perform Adaptive CBR -> Alerts
Snort CBR Data Abstraction
[Figure: class model, reconstructed from the diagram labels]
Knowledge level: MetaDataManager, MetaDataRecord, MetaDataVector, FeatureType, Comparator
(multiplicities shown: MetaDataManager 1 -- 0..M MetaDataRecord; MetaDataRecord 1..1 FeatureType, 1..1 Comparator; MetaDataVector M..1 MetaDataRecord).
Operational level: Case 1 -- 0..M Feature (each Feature 1..M); Comparator kinds: Exact, Range, ParsingExact.

Meta Data Dictionary:
Model Feature Type   Meta Data   DataType   Comparator
Protocol             Protocol    String     Exact
PortIDIn             PortID      String     Exact
PortNumIn            PortNum     Integer    Range
PayLoadContent       Content     String     ParsingExact
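As an added example (not the FSU project's code), here is the metadata-driven matching that the Snort-rule-as-a-case slide and the data abstraction above describe: a metadata dictionary names a comparator per feature, and one generic retrieve routine scores any case library against an observation, firing the case action only when every feature matches, as a Snort rule would. Feature names follow the case on the "Snort Rule as a Case" slide and the comparator names Exact/Range/ParsingExact follow the dictionary; the Cidr comparator, the second case, the packets and the similarity formula are my assumptions, and the rule's `!111:` port spec is taken as the deck prints it (Snort's "not 111 and above").

```python
import ipaddress

# --- Comparators (deck names: Exact, Range, ParsingExact; Cidr is an assumption) ---
def exact(case_val, obs):
    """Exact: literal equality, with "any" as a wildcard."""
    return case_val == "any" or case_val == obs

def port_range(case_val, obs):
    """Range: Snort port syntax "80", "111:" (>= 111), ":1024", "1:1024"; a leading "!" negates."""
    if case_val == "any":
        return True
    neg = case_val.startswith("!")
    lo, sep, hi = case_val.lstrip("!").partition(":")
    lo = int(lo) if lo else 0
    hi = int(hi) if hi else (65535 if sep else lo)
    return (lo <= obs <= hi) != neg

def cidr(case_val, obs):
    """Cidr (assumption): the observed address lies inside the case's network."""
    return case_val == "any" or ipaddress.ip_address(obs) in ipaddress.ip_network(case_val)

def parsing_exact(case_val, obs):
    """ParsingExact: parse the "|000186a5|" hex form, then search the payload bytes."""
    needle = bytes.fromhex(case_val.strip("|").replace(" ", ""))
    return needle in obs

COMPARATORS = {"Exact": exact, "Range": port_range, "Cidr": cidr, "ParsingExact": parsing_exact}

# Metadata dictionary: the only place the Snort domain's features are named.
# Swapping this table and the case library retargets the same reasoner.
SNORT_METADATA = {"Protocol": "Exact", "SrcIP": "Cidr", "SrcPort": "Range",
                  "DstIP": "Cidr", "DstPort": "Range", "Content": "ParsingExact"}

# Case library: the deck's mountd rule as a case, plus one constructed case.
CASES = [
    {"features": {"Protocol": "tcp", "SrcIP": "any", "SrcPort": "any", "DstIP": "192.168.1.0/24",
                  "DstPort": "!111:", "Content": "|000186a5|"}, "action": "mountd access"},
    {"features": {"Protocol": "udp", "SrcIP": "any", "SrcPort": "any", "DstIP": "10.0.0.0/8",
                  "DstPort": "53", "Content": "|0001|"}, "action": "constructed dns case"},
]

def similarity(metadata, case, packet):
    """Fraction of features whose metadata-selected comparator accepts the packet."""
    hits = sum(COMPARATORS[metadata[f]](case["features"][f], packet[f]) for f in metadata)
    return hits / len(metadata)

def retrieve(metadata, cases, packet, threshold=1.0):
    """Nearest case and its score; the action fires only at or above the threshold."""
    best = max(cases, key=lambda c: similarity(metadata, c, packet))
    score = similarity(metadata, best, packet)
    return (best["action"] if score >= threshold else None), score
```

A packet is a dict keyed by the same feature names, with string protocol and addresses, integer ports and a bytes payload.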
Adaptive Architecture
• This Adaptive Architecture has an explicit
object model that provides “meta” information
which is interpreted at runtime to change
behavior.
• Adaptive Architectures are especially suited for
specific frameworks such as a CBR.
• References to similarity metrics are stored as
descriptive metadata, thus adding flexibility.
Advantages of Architecture
• General meta-level architectures can more easily
be implemented for the various CIP domains in
many areas with many types of problems.
• Modification of a given CBR is easier and can be
done by domain experts without major rewrites.
• New similarity metrics can easily be added.
• Shorter time-to-market:
– changes can be implemented quickly.
– new CBRs can be built more quickly.
Our Progress
• Explored existing CBR systems including NRL’s
NaCoDAE (Navy Conversational Decision Aids
Environment).
• Designed a Meta-Model for general cases and case
features.
• Built a Case Library using the standard Snort rule
set.
• Defined a simple similarity metric for Snort Case
Retrieval.
• Created an elementary Prototype for Snort CBR.
Publications/Patents
• Schwartz, D.G., Stoecklin, S., and Yilmaz, E., A
case-based approach to network intrusion detection,
Fifth International Conference on Information
Fusion, IF'02, Annapolis, MD, July 7-11, 2002, to
appear.
• A Generic Adaptive Case-Based Reasoner,
disclosure and patent application in progress.
Future Work
• Extend the snort-like Adaptive CBR with
new features, cases, and reasoning rules to
enable network intrusion detection based
on user behavior analysis. (Challenge
Problem)
• Extend the Adaptive CBR with more
features, cases and rules to allow detection
using machine states and events.
• Explore each of the other CIP
Domains and create appropriate further
applications of the Adaptive CBR.
[Figure: the intrusion-detection framework again, now with a Red-Team CBR, reconstructed from the diagram labels]
packet -> Filter -> Snort Like CBR -> snort-like messages
packet -> Filter -> Behavior CBR -> suspect behavior
packet -> Filter -> packet -> Machine -> machine activity -> Red-Team CBR -> redteam alerts
                              Machine -> machine events -> Events CBR -> problem events
                              Machine -> machine states -> States CBR -> problem states