An Agent-based Bayesian Forecasting Model for Enhancing Network Security

J. PIKOULAS, W.J. BUCHANAN, Napier University, Edinburgh, UK.
M. MANNION, Glasgow Caledonian University, Glasgow, UK.
K. TRIANTAFYLLOPOULOS, University of Warwick, UK.


Page 1: An Agent-based Bayesian  Forecasting Model for  Enhancing Network Security


Page 2: An Agent-based Bayesian  Forecasting Model for  Enhancing Network Security

[Figure: IP spoofing. A network gateway sits between the Internet/Network and two computers, one allowed access with IP address w.x.y.z and one disallowed access; the hacker steals the allowed IP address and uses it to get into the network.]

[Figure: Packet sniffing. A client communicates with a network server; a packet sniffer lets the hacker open all TCP/IP packets addressed to the client.]

Hacking methods:
• IP spoofing.
• Packet-sniffing.
• Password attack.
• Sequence number prediction attacks.
• Session hi-jacking attacks.
• Shared library attacks.
• Social Engineering attacks.
• Technological vulnerability attack.
• Trust-access attacks.

[Figure: Packet sniffing of a TELNET session. The user logs into a remote system ('TELNET sys.com', 'Login:' 'fred_b', 'Password:' 'qwerty') without knowing the hacker is listening to all communications; the hacker listens to the TELNET connection and determines the password as it is sent as text.]

Page 3: An Agent-based Bayesian  Forecasting Model for  Enhancing Network Security

[Figure: Shared library attack. Dynamic libraries, such as WINSOCK.DLL (PC) and USER32.DLL (PC), are accessed when the user runs an application program; static libraries, such as WIN32API.LIB (PC) and X11.lib (UNIX), are accessed when the user compiles an application program. Mr Hacker tampers with the local or networked libraries and possibly receives all communications sent, or even sees a mirror of the user's screen.]

[Figure: Social engineering, by e-mail attacks or verbal social attacks. "What's your login password? I'm just testing something." E-mail message, To: Fred, From: Sys [email protected], Message: "For System Administrative purposes, please send me your password." "I'll help you access your e-mail. What's your e-mail password?" "Ooh. It's not working. Ah. There's a cable disconnected here. Wonder who did that?"]

[Figure: Password attack. "Password? Password? Password? Is it Apple? Is it Orange? Is it Banana?"]

Page 4: An Agent-based Bayesian  Forecasting Model for  Enhancing Network Security

Security programs:
• Security enhancement software. Enhances the operating system's security.
• Authentication and encryption software. Such as Kerberos, RSA, and so on.
• Security monitoring software.
• Network monitoring software.
• Firewall software and hardware.

[Figure: Encryption and authentication. The user's public key is used to encrypt data (INFO becomes ENCR); the user's private key is used to decrypt the encrypted data (ENCR becomes INFO again).]

[Figure: Security enhancement layered on top of the operating system.]

[Figure: Firewall. Packets are filtered on their IP and TCP/UDP headers: source IP address, destination IP address, source port, destination port and protocol (TCP/UDP), with separate allowed/disallowed decisions for incoming and outgoing traffic.]

[Figure: Monitoring software observing traffic between Site 1, Site 2 and Site 3, each behind a firewall.]

Page 5: An Agent-based Bayesian  Forecasting Model for  Enhancing Network Security

Problem with existing security methods:
• Centralized. They tend to be based on a central server, which can become the target of an attack.
• No real-time response. They tend not to be able to respond to events as they occur, and rely on expert filtering.
• No ability to foresee events.

[Figure: Denial-of-service against a centralized system. Many external accesses eventually reduce the accessibility of the server: such as with Yahoo.com, eBay, Amazon, CNN, ZDNet and Excite (Feb 2000). With a firewall in front of a central server and central storage, centralized security can lead to attacks as the central resource becomes the focus of attacks.]

Financial losses (2000/01):
1. Virus (70%).
2. Net abuse (45%).
3. Laptop theft (45%).
4. Denial of service (21%).
5. Unauthorized access (16%).
6. System penetration (14%).
7. Sabotage (12%).

Page 6: An Agent-based Bayesian  Forecasting Model for  Enhancing Network Security

Agent-based distributed security system:
• Agents work independently from the server. This reduces the workload on the server, and also the dependency on it.
• Agents download the user profile from the server. The agents can then learn the profile of the user and update it when they log out.
• Agents can be responsible for security.

[Figure: Distributed agent-based architecture contrasted with a centralized one.]

Page 7: An Agent-based Bayesian  Forecasting Model for  Enhancing Network Security

[Figure: Agent-based distributed security system with forecasting. The core agent sends forecasting information to the user agent; the user agent monitors current usage, compares usage with the forecast and reports any changes in behaviour. When the user logs off, the user agent updates the forecasting model and returns the updated model to the user profile held by the core.]

Page 8: An Agent-based Bayesian  Forecasting Model for  Enhancing Network Security

[Figure: Agent environment. Each user agent contains a profile reader, predictor, sensor, comparator, transmitter and GUI, linked by communication threads to the core connection engine.]

Agent environment topology:
• Sensor. Monitors software applications.
• Transmitter. Sends information to the server.
• Profile reader. Reads the user's historical profile.
• Comparator. Compares the user's history with the information read by the sensor.

Page 9: An Agent-based Bayesian  Forecasting Model for  Enhancing Network Security

[Figure: Traditional method of forecasting against Bayesian forecasting. Traditional method of generating a user profile for applications: the usage over each login period (user logins at t, t, t, ...) is averaged into the current user profile to give a new user profile; this requires large amounts of storage, and gaps in the data reduce the prediction. Forecasting method of generating a user profile for applications: the current forecasted model is updated from each login to give a new user profile; this needs less storage and gives faster processing.]

Page 10: An Agent-based Bayesian  Forecasting Model for  Enhancing Network Security

[Figure: Application usage (%) against time unit (i), showing the window size (n), the prediction number (z) produced by the Bayesian method, and the window stored when the user logs off. Sample parameters: n = 15, z = 5, time unit = 1 hour.]

Prediction model:
• Observation stage. In this stage the model monitors the user and records their behaviour.
• Evaluation stage. In this stage the model makes a prediction, monitors the user's actual movements and calculates the result. This stage is critical, because the model modifies itself according to the environment that it operates in.
• One-step prediction. In this stage the model makes a single-step prediction. For example, assume that the user has logged in 15 times, the model is configured, and it is ready to start predicting user moves. Instead of making a five- or ten-step prediction, like other mathematical models, our model makes a prediction for the next step. When the user logs in and out of our model, it takes the actual behaviour of the user, compares it with the one-step prediction that it performed before and calculates the error. So the next time a prediction is made for this user, it will also include the data of the last user behaviour. With this procedure we maximise the accuracy of the prediction system.
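The three stages above, as an added example that is not from the slides or the authors' implementation: a small Python user agent learns from a stored window of n = 15 hourly usage values (observation stage), then for each of the next hours makes a one-step prediction, compares it with the actual usage, calculates the error and feeds it into the next prediction (evaluation stage), flagging any hour whose usage departs from the forecast. It assumes the Bayesian model is the standard local-level dynamic linear model with a discount factor for the evolution variance (the equations on the Bayesian mathematics slide are too garbled to confirm the exact form), that z is the number of one-step forecasts made per session, that the intervention of the later slides simply overwrites the prior for a user with little history, and that the sensitivity threshold is in forecast standard deviations. The usage values are constructed.

```python
# Added example (not from the slides): a user agent that learns hourly
# application usage over a stored window of n observations and then makes
# one-step-ahead Bayesian predictions, flagging behaviour that departs from
# the forecast. The Bayesian model is a local-level dynamic linear model
# (assumption: the standard form Y_t = F_t' theta_t + v_t,
# theta_t = G_t theta_{t-1} + w_t with F_t = G_t = 1).
from collections import deque
from dataclasses import dataclass, field
from typing import NamedTuple
import math

# Constructed sample data: 15 hours of learning data, then 5 hours to evaluate.
# Usage is the fraction of each hour the application was in use; the 0.48 in
# hour 18 is a deliberate departure from the user's normal behaviour.
LEARNING_WINDOW = [0.30] * 15
EVALUATION_HOURS = [0.31, 0.29, 0.48, 0.30, 0.31]


class Step(NamedTuple):
    forecast: float   # f_t, the one-step forecast mean made before observing
    actual: float     # Y_t, the observed usage
    error: float      # e_t = Y_t - f_t
    flagged: bool     # True when |e_t| exceeds sensitivity * sqrt(Q_t)


@dataclass
class LocalLevelDLM:
    """Local-level DLM: Y_t = theta_t + v_t, v_t ~ N(0, V);
    theta_t = theta_{t-1} + w_t, w_t ~ N(0, W_t).
    W_t is set by a discount factor delta (R_t = C_{t-1}/delta), an assumption."""
    m: float = 0.0          # m_0: prior mean of the level given D_0 (initial info)
    c: float = 1.0          # C_0: dispersion of that prior (large = uninformative)
    v: float = 0.0004       # V: observation variance, assumed known (sd 2 % usage)
    discount: float = 0.9   # delta: how fast old data is forgotten

    def one_step_forecast(self):
        """Forecast distribution of the next Y_t: N(f_t, Q_t)."""
        r = self.c / self.discount      # R_t = C_{t-1} / delta (prior variance of theta_t)
        return self.m, r + self.v       # f_t = m_{t-1},  Q_t = R_t + V

    def update(self, y):
        """Absorb the observed Y_t (Bayes update) and return the error e_t."""
        f, q = self.one_step_forecast()
        r = q - self.v
        a = r / q                       # A_t: adaptive coefficient (Kalman gain)
        e = y - f
        self.m = f + a * e              # m_t = f_t + A_t e_t
        self.c = r * (1.0 - a)          # C_t = R_t - A_t R_t = R_t V / Q_t
        return e

    def intervene(self, mean, variance):
        """Intervention: replace the level prior with exceptional external data,
        e.g. when there is not enough history for this user (assumed mechanism)."""
        self.m, self.c = mean, variance


@dataclass
class UserAgent:
    n: int = 15                 # window size
    z: int = 5                  # prediction number: one-step forecasts per session (assumed meaning)
    sensitivity: float = 2.0    # flag threshold in forecast standard deviations (assumption)
    model: LocalLevelDLM = field(default_factory=LocalLevelDLM)

    def __post_init__(self):
        self.window = deque(maxlen=self.n)   # only the last n observations are kept

    def observe(self, usage):
        """Observation stage: record the user's hourly usage and train the model."""
        for y in usage:
            self.window.append(y)
            self.model.update(y)

    def evaluate(self, actual):
        """Evaluation stage: up to z one-step predictions, each compared with the
        observation that follows it; the error feeds the next prediction."""
        steps = []
        for y in actual[: self.z]:
            f, q = self.model.one_step_forecast()
            e = self.model.update(y)
            steps.append(Step(f, y, e, abs(e) > self.sensitivity * math.sqrt(q)))
            self.window.append(y)
        return steps

    def stored_window(self):
        """What is stored when the user logs off: the last n observations only."""
        return list(self.window)


if __name__ == "__main__":
    agent = UserAgent()
    agent.observe(LEARNING_WINDOW)
    for step in agent.evaluate(EVALUATION_HOURS):
        print(f"forecast={step.forecast:.3f} actual={step.actual:.2f} "
              f"error={step.error:+.3f} flagged={step.flagged}")
```

After the 15 learning hours the forecast mean sits at 0.30 with a forecast standard deviation of about 0.021, so hours 16, 17, 19 and 20 pass while hour 18 (usage 0.48) is flagged; note that the model then shifts its level towards the outlier, which is the behaviour the slides describe as the model modifying itself to its environment, and the reason the sensitivity parameter matters.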

Page 11: An Agent-based Bayesian  Forecasting Model for  Enhancing Network Security

[Figure: Forecasting calculation. As on the previous slide, application usage (%) against time unit (i) with the window size (n), the prediction number (z) from the Bayesian method and the window stored when the user logs off.]

Prediction parameters:
• n – Window size.
• z – Prediction number.
• t – Time unit.

Sample parameters: n = 15, z = 5, t = 1 hr.

Page 12: An Agent-based Bayesian  Forecasting Model for  Enhancing Network Security

[Figure: The same application-usage window with an intervention point at which additional exceptional data is introduced (this varies the sensitivity of the system). Sample parameters: n = 15, z = 5, time unit = 1 hour.]

Intervention. Useful in responding to exception data, such as when there is not enough data about a user.

Page 13: An Agent-based Bayesian  Forecasting Model for  Enhancing Network Security

[Figure: Prediction for Application 1 (using model). Parameters: n = 15, z = 5, time unit = 1 hour. Application usage from 0.05 to 0.5 against time (hours) 1 to 20; series: real observations, learning phase, using prediction model; the invasion time (hours) is marked.]

Page 14: An Agent-based Bayesian  Forecasting Model for  Enhancing Network Security

[Figure: Prediction for Application 1 (using ARIMA). Parameters: n = 15, z = 5, time unit = 1 hour. Same axes (application usage 0.05 to 0.5 against time in hours 1 to 20) and invasion time as the previous figure; series: real observations, learning phase, using ARIMA model.]

Page 15: An Agent-based Bayesian  Forecasting Model for  Enhancing Network Security

[Figure: Experiments. For a given user profile, the quality of prediction (variance vector) is obtained under variation of the prediction window (1 to 100), variation of the time unit (10 min to 1 hour) and variation of the window size (10 to 500), and compared with the quality of prediction (variance vector) of ARIMA.]

Page 16: An Agent-based Bayesian  Forecasting Model for  Enhancing Network Security

Experimental specification:
• Variation of window size (10 to 500).
• Variation of prediction window (1 to 100).
• Variation of time unit (10 min to 1 hour).

[Figure: The Bayesian method's application usage (%) window with the intervention point, where additional exceptional data varies the sensitivity of the system.]

Page 17: An Agent-based Bayesian  Forecasting Model for  Enhancing Network Security

Bayesian mathematics:

,'tttt vFY

],,0[~ Nvt ,1 tttt G

],,0[~ tt WN

,'''tttt vFY ],,0[~ Nvt

,1 ttt

As we see in the following equation, we introduce a parameter matrix, a random matrix with a left variance matrix and a right variance matrix.

m_0: The mean of the influence of Y_1 from D_0, our initial information.

C_0: Dispersion of the above influence.

S_0: No meaning; an auxiliary quantity for S_t.

n_0: No meaning; an auxiliary quantity for n_t.

: Factor of the influence of the data on the estimate S_t.

: Factor of the influence of the data on the estimate m_t.

F_t: A basic quantity that expresses the linearity of the model and gives different trends to the several values of Y_t, both for time series analysis (what has happened in the past) and forecasting (what will happen in the future).

Page 18: An Agent-based Bayesian  Forecasting Model for  Enhancing Network Security

Conclusions:
• Fast and simple model. It requires less preparation than other models.
• Provides good prediction results.
• Requires very little storage of user activity.
• Small increase in CPU processing. Only a 1-2% increase in CPU processing has been measured.
• Model learns with very little initial settings. Other models require some initial parameter settings to make them work well.