An Agent-based Bayesian Forecasting Model for Enhancing Network Security
J. PIKOULAS, W.J. BUCHANAN, Napier University, Edinburgh, UK.
M. MANNION, Glasgow Caledonian University, Glasgow, UK.
K. TRIANTAFYLLOPOULOS, University of Warwick, UK.
(Transcript of a PowerPoint presentation.)
[Diagram: IP spoofing. A computer with the allowed IP address w.x.y.z is admitted through the network gateway, while a computer with a disallowed IP address is refused. The hacker steals the allowed IP address and uses it to get into the network.]
[Diagram: packet sniffing. A client communicates with a network server across the Internet/network; the hacker runs a packet sniffer that opens all TCP/IP packets addressed to the client.]
Hacking methods:
• IP spoofing.
• Packet sniffing.
• Password attack.
• Sequence number prediction attacks.
• Session hijacking attacks.
• Shared library attacks.
• Social engineering attacks.
• Technological vulnerability attack.
• Trust-access attacks.
[Diagram: packet sniffing of a TELNET session. The user types ‘TELNET sys.com’ and logs into a remote system without knowing that the hacker is listening to all communications. The exchange ‘Login:’ / ‘fred_b’ / ‘Password:’ / ‘qwerty’ is sent as text, so the hacker listening to the TELNET connection determines the password.]
Shared library attack:
[Diagram: the user accesses dynamic libraries, such as WINSOCK.DLL (PC) and USER32.DLL (PC), when running an application program, and static libraries, such as WIN32API.LIB (PC) and X11.lib (UNIX), when compiling an application program. The hacker tampers with the local or networked libraries and can then possibly receive all communications sent, or even see a mirror of the user’s screen.]
Social engineering attack (e-mail attacks or verbal social attacks):
[Diagram with sample approaches:
• ‘What’s your login password? I’m just testing something.’
• E-mail message. To: Fred. From: Sys Admin [address removed in transcript]. Message: For System Administrative purposes, please send me your password.
• ‘I’ll help you access your e-mail. What’s your e-mail password?’
• ‘Ooh. It’s not working. Ah. There’s a cable disconnected here. Wonder who did that?’]
Password attack:
[Diagram: the attacker repeatedly guesses the password: ‘Password? Is it Apple? Is it Orange? Is it Banana?’]
Security programs:
• Security enhancement software. Enhances the operating system’s security.
• Authentication and encryption software, such as Kerberos, RSA, and so on.
• Security monitoring software.
• Network monitoring software.
• Firewall software and hardware.
[Diagram: encryption and authentication with a public/private key pair. The user’s public key is used to encrypt data (INFO → ENCR); the user’s private key is used to decrypt the encrypted data (ENCR → INFO).]
Firewall (packet filtering on the IP and TCP/UDP header fields):
• Source IP address
• Destination IP address
• Source port
• Destination port
• Protocol (TCP/UDP)
Each packet is classified as incoming or outgoing and, in each direction, as allowed or disallowed.
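The packet-filter decision sketched on the slide, as an added example (not the authors' code): a rule is a set of optional matches on direction, protocol, source/destination network and ports, the first matching rule wins, and a packet that matches nothing falls through to a default deny. The rule set, the 192.0.2.0/24 site range, the host addresses and the sample packets are all constructed for illustration. The first rule is an ingress anti-spoofing check that drops incoming packets claiming an internal source address, which is the filter-side answer to the stolen-address scenario in the IP spoofing diagram.

```python
"""Packet-filter rule evaluation over the header fields on the slide
(source/destination IP address, source/destination port, protocol) plus
the direction of travel, giving an allow/deny decision per packet.

Added example, not the authors' code.  Addresses come from the RFC 5737
documentation ranges; the rule set and packets are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str      # "incoming" (from the Internet) or "outgoing"
    protocol: str       # "tcp" or "udp"
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int


@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "deny"
    direction: Optional[str] = None  # None matches either direction
    protocol: Optional[str] = None   # None matches any protocol
    src_net: Optional[str] = None    # CIDR; None matches any address
    dst_net: Optional[str] = None
    src_port: Optional[int] = None   # None matches any port
    dst_port: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        """Every field the rule specifies must match; unspecified fields are wildcards."""
        if self.direction is not None and pkt.direction != self.direction:
            return False
        if self.protocol is not None and pkt.protocol != self.protocol:
            return False
        if self.src_net is not None and \
                ipaddress.ip_address(pkt.src_ip) not in ipaddress.ip_network(self.src_net):
            return False
        if self.dst_net is not None and \
                ipaddress.ip_address(pkt.dst_ip) not in ipaddress.ip_network(self.dst_net):
            return False
        if self.src_port is not None and pkt.src_port != self.src_port:
            return False
        if self.dst_port is not None and pkt.dst_port != self.dst_port:
            return False
        return True


def filter_packet(rules: List[Rule], pkt: Packet,
                  default: str = "deny") -> Tuple[str, Optional[int]]:
    """First matching rule wins; returns (action, index of the rule that fired).
    A packet matching no rule gets the default action and index None."""
    for i, rule in enumerate(rules):
        if rule.matches(pkt):
            return rule.action, i
    return default, None


INTERNAL_NET = "192.0.2.0/24"        # constructed: the protected site's address range
WEB_SERVER = "192.0.2.10/32"         # constructed: the one host reachable from outside

RULES = [
    # Anti-spoofing: an incoming packet can never legitimately carry an
    # internal source address (the "hacker steals the allowed IP" case).
    Rule(action="deny", direction="incoming", src_net=INTERNAL_NET),
    # The outside world may reach the web server on TCP/80 only.
    Rule(action="allow", direction="incoming", protocol="tcp",
         dst_net=WEB_SERVER, dst_port=80),
    # Internal hosts may open outgoing TCP connections.
    Rule(action="allow", direction="outgoing", protocol="tcp", src_net=INTERNAL_NET),
    # Everything else falls through to the default deny in filter_packet().
]

# Constructed sample traffic: legitimate web request, TELNET attempt,
# spoofed internal source, outgoing HTTPS, unsolicited inbound UDP.
SAMPLE_PACKETS = [
    Packet("incoming", "tcp", "198.51.100.7", "192.0.2.10", 40000, 80),
    Packet("incoming", "tcp", "203.0.113.5", "192.0.2.10", 40000, 23),
    Packet("incoming", "tcp", "192.0.2.55", "192.0.2.10", 40000, 80),
    Packet("outgoing", "tcp", "192.0.2.10", "198.51.100.7", 40001, 443),
    Packet("incoming", "udp", "198.51.100.7", "192.0.2.10", 53, 5353),
]


def audit(rules: List[Rule], packets: List[Packet]) -> List[Tuple[str, Optional[int]]]:
    """Decision for every packet, in order: the allowed/disallowed table of the slide."""
    return [filter_packet(rules, p) for p in packets]


if __name__ == "__main__":
    for pkt, (action, idx) in zip(SAMPLE_PACKETS, audit(RULES, SAMPLE_PACKETS)):
        print(f"{pkt.direction:8} {pkt.protocol} {pkt.src_ip}:{pkt.src_port} -> "
              f"{pkt.dst_ip}:{pkt.dst_port}  {action} (rule {idx})")
```

Rule order matters: moving the anti-spoofing rule below the web-server rule would let a packet with a forged internal source address reach port 80, which is why the decision function also reports which rule fired, so an audit can show not just the verdict but the reason.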
[Diagram: monitoring software. Site 1, Site 2 and Site 3 each sit behind a firewall and run network monitoring software.]
Problems with existing security methods:
• Centralized. They tend to be based on a central server, which can become the target of an attack.
• No real-time response. They tend not to be able to respond to events as they occur, and rely on expert filtering.
• No ability to foresee events.
Denial-of-service and centralized security:
[Diagram: a firewall in front of a central server and central storage. Many external accesses eventually reduce the accessibility of the server, as with Yahoo.com, eBay, Amazon, CNN, ZDNet and Excite (Feb 2000). Centralized security can lead to attacks, as the central resource becomes the focus of attacks.]
Financial losses (2000/01):
1. Virus (70%).
2. Net abuse (45%).
3. Laptop theft (45%).
4. Denial of service (21%).
5. Unauthorized access (16%).
6. System penetration (14%).
7. Sabotage (12%).
Agent-based distributed security system:
• Agents work independently from the server. This reduces the workload on the server, and also the dependency on it.
• Agents download the user profile from the server. The agents can then learn the profile of the user and update it when they log out.
• Agents can be responsible for security.
[Diagram: distributed agent-based security versus centralized security. A core agent sends forecasting information to the user agents. Each user agent monitors current usage, compares usage with the forecast and reports any changes in behaviour; when the user logs off, the user agent updates the forecasting model and returns the updated model (the user profile) to the user.]
Agent-based distributed security system with forecasting
[Diagram: agent components. The user agent contains a profile reader, a predictor, a sensor, a comparator, a transmitter, a GUI and a communication thread; the core connection engine has its own communication threads and GUI.]
Agent environment topology:
• Sensor. Monitors software applications.
• Transmitter. Sends information to the server.
• Profile reader. Reads the user’s historical profile.
• Comparator. Compares the user’s history with the information read by the sensor.
Traditional method of generating a user profile for applications:
[Diagram: usage is recorded per user login over time t; averaging over the stored logins combines the current user profile into a new user profile. Requires large amounts of storage; gaps in data reduce prediction.]
Forecasting method of generating a user profile for applications:
[Diagram: the current forecasted model is combined with the usage over the login period to give the new user profile. Less storage; faster processing.]
Traditional method of forecasting against Bayesian forecasting
[Diagram: the Bayesian method. Application usage (%) is recorded per time unit (i); a window of size n is stored when the user logs off, and the model then makes z one-step predictions (the prediction number). Sample parameters: n = 15, z = 5, time unit = 1 hour.]
Prediction model:
• Observation stage. In this stage the model monitors the user and records its behaviour.
• Evaluation stage. In this stage the model makes a prediction, monitors the user’s actual movements and calculates the result. This stage is critical, because the model modifies itself according to the environment that it operates in.
• One-step prediction. In this stage the model makes a single-step prediction. For example, assume that the user has logged in 15 times, the model is configured, and it is ready to start predicting user moves. Instead of making a five- or ten-step prediction, like other mathematical models, our model makes a prediction for the next step. When the user logs in and out, the model takes the actual behaviour of the user, compares it with the one-step prediction that it made before and calculates the error. So the next time a prediction is made for this user it will also include the data of the last user behaviour. With this procedure we maximise the accuracy of the prediction system.
Prediction parameters:
• n – window size.
• z – prediction number.
• t – time unit.
Sample parameters: n = 15, z = 5, t = 1 hr.
Forecasting calculation
[Diagram: the Bayesian method applied to application usage (%) per time unit (i) over a window of size n stored when the user logs off, with an intervention step: additional exceptional data injected at time t varies the sensitivity of the system. Sample parameters: n = 15, z = 5, time unit = 1 hour.]
Intervention: useful in responding to exception data, such as when there is not enough data about a user.
[Plot: Prediction for Application 1 (using model). x-axis: time (hours), 1 to 20; y-axis: application usage, 0.05 to 0.5. Series: real observations, learning phase, using prediction model; the invasion time is marked. Parameters: n = 15, z = 5, time unit = 1 hour.]
[Plot: Prediction for Application 1 (using ARIMA). x-axis: time (hours), 1 to 20; y-axis: application usage, 0.05 to 0.5. Series: real observations, learning phase, using ARIMA model; the invasion time is marked. Parameters: n = 15, z = 5, time unit = 1 hour.]
Experiments:
• Bayesian model on the user profile: quality of prediction (variance vector) while varying the prediction window (1 to 100), the time unit (10 min to 1 hour) and the window size (10 to 500).
• ARIMA on the same user profile: quality of prediction (variance vector).
• Comparison of the two.
Experimental specification:
[Diagram: the Bayesian method with intervention (additional exceptional data at time t varies the sensitivity of the system), applied to application usage (%) while varying the window size (10 to 500), the prediction window (1 to 100) and the time unit (10 min to 1 hour).]
Bayesian mathematics:
Observation equation: $Y_t = F_t' \theta_t + v_t$, with $v_t \sim N[0, V]$.
System equation: $\theta_t = G_t \theta_{t-1} + \omega_t$, with $\omega_t \sim N[0, W_t]$.
Matrix form: $Y_t' = F_t' \Theta_t + v_t'$, with $v_t \sim N[0, V]$, and $\Theta_t = \Theta_{t-1} + \Omega_t$.
(The Greek symbols $\theta_t$, $\omega_t$, $\Theta_t$, $\Omega_t$, $\Sigma$ and the variance $V$ were lost in extraction and are restored here from the standard dynamic linear model notation.)
As the matrix form shows, we introduce a parameter matrix $\Theta_t$ and a random matrix $\Omega_t$ with left variance matrix $W_t$ and right variance matrix $\Sigma$.
• $m_0$: the mean of the influence of $Y_1$ from $D_0$, our initial information.
• $C_0$: dispersion of the above influence.
• $S_0$: no meaning in itself; an auxiliary quantity for $S_t$.
• $n_0$: no meaning in itself; an auxiliary quantity for $n_t$.
• [symbol lost in extraction]: factor of the influence of the data on the estimate $S_t$.
• [symbol lost in extraction]: factor of the influence of the data on the estimate $m_t$.
• $F_t$: a basic quantity that expresses the linearity of the model and gives different trends to the several values of $Y_t$, both for time series analysis (what has happened in the past) and forecasting (what will happen in the future).
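A worked version of the one-step prediction loop from the prediction-model slide together with the comparator check from the agent topology, added here as an example; it is not the authors' implementation. It assumes a local-level dynamic linear model ($F_t = 1$, $G_t = 1$) with the West and Harrison discount recursion for unknown observational variance, so the stored profile is just the four numbers $m_t$, $C_t$, $S_t$, $n_t$ from the parameter list above. The discount factor, the prior values, the threshold on the standardised forecast error, the intervention rule (a flagged observation is held out of the update) and the 20-hour usage series are all assumptions; the averaging function stands in for the traditional stored-login profile so the two storage models can be compared.

```python
"""One-step-ahead forecasting of a user's application usage with a
local-level dynamic linear model (DLM), plus the comparator check that
flags a time unit whose observed usage departs from the forecast.

Added example, not the authors' code.  Assumes F_t = 1 and G_t = 1
(local level), the West & Harrison discount recursion for unknown
observational variance (state m_t, C_t, S_t, n_t), and a simple
intervention rule: an observation flagged as exceptional is held out of
the update so that a single spike does not retrain the profile."""
from dataclasses import dataclass
from math import sqrt
from typing import List, Tuple


@dataclass(frozen=True)
class DLMState:
    m: float   # m_t: posterior mean of the usage level
    C: float   # C_t: posterior variance of the level
    S: float   # S_t: running estimate of the observational variance
    n: float   # n_t: degrees of freedom behind S_t


def dlm_step(state: DLMState, y: float, delta: float = 0.9) -> Tuple[DLMState, float, float]:
    """Advance the filter by one time unit on observation y.

    Returns (new_state, forecast f_t, forecast variance Q_t).  f_t and Q_t
    depend only on the previous state, so they are the genuine one-step
    prediction made before y is seen.  delta is the discount factor that
    inflates C_{t-1} into the prior variance R_t, which keeps the model
    adapting to the user (assumed value 0.9)."""
    a = state.m                    # prior mean      a_t = G_t m_{t-1}, G_t = 1
    R = state.C / delta            # prior variance  R_t = C_{t-1} / delta
    f = a                          # forecast        f_t = F_t' a_t, F_t = 1
    Q = R + state.S                # forecast var.   Q_t = F_t' R_t F_t + S_{t-1}
    e = y - f                      # forecast error  e_t
    A = R / Q                      # adaptive coefficient A_t
    n = state.n + 1
    S = state.S + (state.S / n) * (e * e / Q - 1.0)   # variance estimate S_t
    m = a + A * e                                      # posterior mean m_t
    C = (S / state.S) * (R - A * A * Q)                # posterior variance C_t
    return DLMState(m, C, S, n), f, Q


def forecast_and_compare(usage: List[float], window: int = 15, threshold: float = 3.0,
                         delta: float = 0.9, intervene: bool = True,
                         prior: DLMState = DLMState(m=0.2, C=0.01, S=0.0004, n=1.0)
                         ) -> Tuple[List[float], List[int], DLMState]:
    """Observation stage on the first `window` logins, then one-step
    prediction for every later time unit.  The comparator flags units where
    the standardised error |e_t| / sqrt(Q_t) exceeds `threshold`.

    Returns (forecasts, anomalies, final_state): forecasts[i] is the
    prediction for usage[window + i]; anomalies holds the flagged indices."""
    state = prior
    for y in usage[:window]:                  # learning phase: no alarms yet
        state, _, _ = dlm_step(state, y, delta)
    forecasts, anomalies = [], []
    for i in range(window, len(usage)):
        new_state, f, Q = dlm_step(state, usage[i], delta)
        forecasts.append(f)
        if abs(usage[i] - f) / sqrt(Q) > threshold:
            anomalies.append(i)
            if intervene:                     # exceptional data: keep the old profile
                continue
        state = new_state
    return forecasts, anomalies, state


def average_profile_forecast(usage: List[float], window: int = 15) -> List[float]:
    """Traditional profile: mean of the last `window` stored logins.  Needs all
    `window` observations kept per user, unlike the four-number DLM state."""
    return [sum(usage[i - window:i]) / window for i in range(window, len(usage))]


# Constructed hourly usage (fraction of time in Application 1) over 20 time
# units; the value at index 17 (hour 18) is a spike standing in for an invasion.
SAMPLE_USAGE = [0.20, 0.22, 0.19, 0.21, 0.20, 0.23, 0.18, 0.21, 0.20, 0.22,
                0.19, 0.21, 0.20, 0.22, 0.20,          # 15-login learning window
                0.21, 0.20, 0.50, 0.22, 0.21]          # 5 predictions, spike at index 17


if __name__ == "__main__":
    forecasts, anomalies, state = forecast_and_compare(SAMPLE_USAGE)
    for k, f in enumerate(forecasts):
        hour = 15 + k + 1
        flag = "  <-- reported" if (15 + k) in anomalies else ""
        print(f"hour {hour:2}: observed {SAMPLE_USAGE[15 + k]:.2f}  forecast {f:.3f}{flag}")
    print("stored profile:", state)
```

Storage is the point of the comparison on the earlier slide: the averaging profile has to keep every login in the window, while the DLM carries the whole history in $m_t$, $C_t$, $S_t$, $n_t$. With `intervene=False` the spike at hour 18 both lifts the next forecast and inflates $S_t$, so a second burst a few hours later would be judged less unusual; holding the flagged observation out of the update is one way of applying the sensitivity control the intervention slide describes.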
Conclusions:
• Fast and simple model. It requires less preparation than other models.
• Provides good prediction results.
• Requires very little storage of user activity.
• Small increase in CPU processing. Only a 1-2% increase in CPU processing has been measured.
• Model learns with very few initial settings. Other models require some initial parameter settings to make them work well.