Adaptive Case-Based Reasoning Architectures for Critical Infrastructure Protection
Dr. Dan Schwartz, Dr. Sara Stoecklin, Mr. Erbil Yilmaz, Ms. Mimi Xu
Florida State University, Department of Computer Science

Table of Contents
• Case-Based Reasoning Defined
• General Problem
• Our Approach
• Specific Application: Snort IDS
• Architectural Elements
• Advantages of Adaptive Architectures
• Future Work

Case-Based Reasoning
[Figure: the CBR cycle. 1.0 Formulate Problem/Attack takes a problem/attack from the Environment and produces a problem description; 2.0 Search Archives matches the problem description against the Case Archive and returns similar cases; 3.0 Select/Adapt turns similar cases into a solution/response; 4.0 Generate Response to Problem/Attack produces the generated response and a measure of success/failure that is fed back to the Case Archive; 5.0 Report Results returns results to the Environment.]

Key Issues
CBR can be a valuable tool for the protection of critical infrastructures in any of the eight CIP domains:
– Information and Communications
– Electrical Power Systems
– Gas and Oil Transportation and Storage
– Banking and Finance
– Transportation
– Water Supply Systems
– Emergency Services
– Government Services
even though each domain may have its own specific cases, data, and reasoning requirements.

Key Issues
Reasoners should be easily adaptable, in a cost-effective manner, to new or rapidly changing application environments.
– Case types and retrieval methods can change rapidly within any given application domain.
– Completely new application domains, and types of domains, continue to appear.
– Modifying and/or building domain-specific case-based reasoners is costly since it requires substantial rewriting of code.

Our Approach
Create an adaptive architecture employing a meta-model describing the domain features needed for the CIP CBR. Attributes, relationships, and reasoning rules are defined as instances from metadata.

What this means is ...
THE SAME ADAPTIVE CBR system can be used with different metadata to solve different problems.
Thus, rather than writing separate CBRs for each problem within each of the domains, WRITE ONE GENERIC CBR that dynamically reacts to the meta description of the domain problem. The adaptive CBR is a TOOL for creating ARBITRARY DOMAIN-SPECIFIC CBRs.

To Illustrate
[Figure: two instances of the same block diagram. Generalized CBR: MetaData and a problem description feed the Adaptive CBR System, which exchanges case descriptions and similar cases with the Case Archive and emits a solution/response. Snort CBR: the same diagram with Snort MetaData, a Snort problem description, and a Snort Case Archive.]

Other IDS Applications
[Figure: the same diagram instantiated twice more. Behavioral CBR: Behavioral MetaData, Behavioral problem description, Behavioral Case Archive. Intrusion Event CBR: Intrusion Event MetaData, Intrusion Event problem description, Intrusion Event Archive. Both emit a solution/response.]

Other CIP Applications
[Figure: Person Identification CBR: Person Identification MetaData, Person description, Person Archive; the output is a person id/non-id decision. Emergency Response CBR: Emergency Incident MetaData, Emergency description, Emergency Incident Archive; the output is a solution/response.]

Domain: Information and Communications. Area: Intrusion Detection
One CBR Framework – Four Sets of Metadata
[Figure: a packet filter feeds four CBRs built on one framework: CBR Snort-Like (snort-like messages), CBR Behavior (suspect behavior), CBR Events (machine events → problem events), and CBR States (machine states → problem states).]

A First Step: Snort CBR (Proof of Concept System)
• The Snort IDS uses rules to detect possible intrusions depending on particular features of an incoming packet, such as protocol, source and destination IP addresses and ports, payload contents, etc. If each of the packet features matches the feature specified by the rule, then the rule is applied (fired) and the rule action is performed.
• Sample Snort rule (the direction operator, the colon after msg and the plain quotes are required by Snort's rule syntax):
  alert tcp any any -> 192.168.1.0/24 !111: (content:"|000186a5|"; msg:"mountd access";)

Snort Rule as a Case
• Match features from the foregoing rule:
  Protocol: tcp
  Source IP address: any
  Source port: any
  Destination IP address: 192.168.1.0 to 255
  Destination port: not > 111
  Packet contents: 000186a5 (hex code)
• Case action: output alert "mountd access"

Software System Overview
[Figure: build and run pipeline. Build time: Application Domain Source is compiled into Application Domain Classes; Domain Metadata, together with a DTD and a Binding Schema and inheritance from the schema, yields the Snort Instance and the Metadata Dictionary; Generic CBR Source and Comparator Source are compiled into Domain Specific CBR Classes and Comparator Classes; Snort Rule Files are converted into Cases in XML. Run time: Perform Adaptive CBR consumes Internet Packets, the Metadata Dictionary and the XML cases, and emits Alerts.]

Snort CBR Data Abstraction
[Figure: class diagram. Knowledge level: MetaDataManager, MetaDataRecord (0..M), MetaDataVector, Feature Type (1..1) and Comparator (1..1), with Comparator specialised into Exact, Range and ParsingExact. Operational level: Case (1..M), composed of Features.]

Meta Data Dictionary Model:
  Feature Type     Meta Data   DataType   Comparator
  Protocol         Protocol    String     Exact
  PortIDIn         PortID      String     Exact
  PortNumIn        PortNum     Integer    Range
  PayLoadContent   Content     String     ParsingExact

Adaptive Architecture
This Adaptive Architecture has an explicit object model that provides "meta" information which is interpreted at runtime to change behavior. Adaptive Architectures are especially suited for specific frameworks such as a CBR. References to similarity metrics are stored as descriptive metadata, thus adding flexibility.

Advantages of Architecture
• General meta-level architectures can more easily be implemented for the various CIP domains, in many areas, with many types of problems.
• Modification of a given CBR is easier and can be done by domain experts without major rewrites.
• New similarity metrics can easily be added.
• Shorter time-to-market:
  – can implement the changes quickly.
  – can build new CBRs more quickly.

Our Progress
• Explored existing CBR systems, including NRL's NaCoDAE (Navy Conversational Decision Aids Environment).
• Designed a meta-model for general cases and case features.
• Built a case library using the standard Snort rule set.
• Defined a simple similarity metric for Snort case retrieval.
• Created an elementary prototype for the Snort CBR.

Publications/Patents
• Schwartz, D.G., Stoecklin, S., and Yilmaz, E., "A case-based approach to network intrusion detection," Fifth International Conference on Information Fusion (IF'02), Annapolis, MD, July 7-11, 2002, to appear.
• A Generic Adaptive Case-Based Reasoner, disclosure and patent application in progress.

Future Work
• Extend the snort-like Adaptive CBR with new features, cases, and reasoning rules to enable network intrusion detection based on user behavior analysis. (Challenge Problem)
• Extend the Adaptive CBR with more features, cases, and rules to allow detection using machine states and events.
• Explore each of the other CIP domains and create appropriate further applications of the Adaptive CBR.
[Figure: the four-CBR framework from the earlier slide extended with a fifth reasoner. A packet filter feeds CBR Snort-Like (snort-like messages), CBR Behavior (suspect behavior), CBR Events (machine events → problem events), CBR States (machine states → problem states), and CBR Red-Team (machine activity → red-team alerts).]
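As an added worked example (not code from the deck or from the FSU project), the following Python sketch shows the metadata-driven matching described in the Snort Rule as a Case and Meta Data Dictionary slides: a feature-to-comparator table stands in for the metadata dictionary, the deck's mountd rule is parsed into a case, and a constructed packet is scored against a constructed two-rule archive. The CIDR comparator, the feature names, the fraction-of-features similarity metric and all sample data are assumptions, not the project's.

```python
import ipaddress
import re

# Comparators from the deck's metadata dictionary (Exact, Range, ParsingExact) plus an assumed
# CIDR comparator for the address features; "any" is a wildcard for every comparator.
def exact(spec, value):
    return spec == "any" or spec == value
def cidr(spec, value):
    return spec == "any" or ipaddress.ip_address(value) in ipaddress.ip_network(spec, strict=False)
def port_range(spec, value):
    # Snort port syntax: any | N | N: | :N | A:B, with an optional leading "!" for negation.
    if spec == "any":
        return True
    lo, sep, hi = spec.lstrip("!").partition(":")
    low = int(lo) if lo else 0
    high = (int(hi) if hi else 65535) if sep else low
    return (low <= value <= high) != spec.startswith("!")
def parsing_exact(spec, payload):
    # "|00 01 86 a5|" is hex-in-pipes; anything else is a literal string searched in the payload.
    m = re.fullmatch(r"\|([0-9a-fA-F ]+)\|", spec)
    return (bytes.fromhex(m.group(1)) if m else spec.encode()) in payload

COMPARATORS = {"Exact": exact, "CIDR": cidr, "Range": port_range, "ParsingExact": parsing_exact}
# Metadata dictionary: feature -> comparator name. Editing this table, not the code, re-targets the reasoner.
METADATA = {"protocol": "Exact", "src_ip": "CIDR", "src_port": "Range",
            "dst_ip": "CIDR", "dst_port": "Range", "content": "ParsingExact"}
RULE_RE = re.compile(r"(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s+\((.*)\)")

def rule_to_case(rule):
    """Turn one Snort rule into a case: header fields plus each rule option as a feature."""
    action, proto, sip, sp, dip, dp, opts = RULE_RE.fullmatch(rule.strip()).groups()
    case = {"action": action, "protocol": proto, "src_ip": sip, "src_port": sp,
            "dst_ip": dip, "dst_port": dp}
    for opt in filter(None, (o.strip() for o in opts.split(";"))):
        key, _, val = opt.partition(":")
        case[key.strip()] = val.strip().strip('"')
    return case

def similarity(case, packet):
    """Assumed metric: fraction of metadata-listed features whose comparator accepts the packet."""
    return sum(COMPARATORS[c](case[f], packet[f]) for f, c in METADATA.items()) / len(METADATA)

def retrieve(cases, packet, threshold=1.0):
    # Search the archive: (score, msg) for every case at or above the threshold, best first.
    scored = [(similarity(c, packet), c["msg"]) for c in cases]
    return sorted([s for s in scored if s[0] >= threshold], reverse=True)

# Constructed case archive (the deck's mountd rule plus one made-up rule) and a constructed packet.
ARCHIVE = [rule_to_case(r) for r in (
    'alert tcp any any -> 192.168.1.0/24 !111: (content:"|000186a5|"; msg:"mountd access";)',
    'alert tcp any any -> 192.168.1.0/24 80 (content:"cmd.exe"; msg:"constructed web probe";)')]
PACKET = {"protocol": "tcp", "src_ip": "10.0.0.5", "src_port": 40000,
          "dst_ip": "192.168.1.7", "dst_port": 100, "content": b"\x00\x01\x86\xa5 call"}
```

With the constructed packet, `retrieve(ARCHIVE, PACKET)` returns only the mountd case at score 1.0; lowering the threshold to 0.5 also returns the made-up rule at 4/6, since only its port and content comparators reject the packet.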