Ceaseless Case-Based Reasoning
Francisco J. Martin and Enric Plaza
(2004)
The problem
Most existing CBR systems make assumptions that render them unsuitable for domains
where problems can be interleaved and where it is difficult to set boundaries
on the start and end of a case.
The assumptions that cause problems
• Non-coincidental sources
• Full-fledged problem descriptions
• Individual cases independency
Ceaseless CBR
A model that does not make these assumptions
Alerts from probes (Snort)
ACC (Alba)
Network manager
Application domain: Intrusion detection
Too many non-important alerts are sent to the network manager
The application domain
• The input is a stream of alerts (unsegmented sequence)
• More than one problem can occur at the same time
The goal
• Enhance ACC performance by using the Ceaseless CBR model
• More specifically: Segment the sequence of events to provide the best explanation of the current situation and suggest an action
Ceaseless CBR
[Diagram labels: case base with existing problem descriptions; list of events/alerts; "Hm, what problems might be occurring here?"; solutions; revised solutions; user]
Alerts
Sequential Cases
• A sequential case is a compositional case where a temporal order is established among all the parts that comprise it
• Sequential cases are represented by actionable trees
Cases
Roots: observable evidence (belonging to a sort)
Serial case
Looks for this sequence
Parallel case
Looks for these sequences in the event stream
Looking for similarity
• Much happens behind the scenes when looking for sequences yielded by actionable trees in the stream of alerts
Case activations
• A case activation is a hypothesis
• Case activations can be compounded together (NB constraints)
Ceaseless Retrieve
• The point of the process is to generate case activations
• Note that case activations can persist over time steps
Get cases
Handles alerts not used in existing cases
Creates case activations
Removes old case activations
Sends case activations to the Reuse process
Ceaseless Reuse
• Tries to find the combination of case activations that best explains the sequence of alerts
How strongly do we believe the case activation (hypothesis)?
Select alerts that need to be explained
Generate explanations
Find the probability of each of the explanations
Send best explanation to Revise-process
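Added example (not from the slides or from the authors' system): a small sketch of the Retrieve and Reuse steps listed above, run over an interleaved alert stream. The case names, alert sorts, the 60-second window and the belief-times-coverage score (a stand-in for the explanation probability the slides mention) are all assumptions made for illustration.

```python
from itertools import combinations

# Constructed case base: each serial case is an ordered list of alert sorts.
CASE_BASE = {
    "web_recon_then_exploit": ["http_scan", "cgi_probe", "shellcode"],
    "ssh_bruteforce": ["ssh_fail", "ssh_fail", "ssh_login"],
    "generic_scan": ["http_scan", "ssh_fail"],
}
WINDOW = 60  # assumed: seconds before an open activation is considered old

def retrieve(alerts):
    """Ceaseless Retrieve: one case activation (hypothesis) per matching case."""
    activations = []
    for name, steps in CASE_BASE.items():
        used = []  # indices of the alerts this activation claims
        for idx, (ts, sort) in enumerate(alerts):
            if used and ts - alerts[used[0]][0] > WINDOW:
                break  # old activation: stop extending it
            if len(used) < len(steps) and sort == steps[len(used)]:
                used.append(idx)  # alerts of other problems in between are skipped
        if used:
            activations.append({"case": name, "alerts": frozenset(used),
                                "belief": len(used) / len(steps)})
    return activations

def reuse(activations, alerts):
    """Ceaseless Reuse: pick the non-conflicting set of activations that explains most."""
    best, best_score = (), 0.0
    for r in range(1, len(activations) + 1):
        for combo in combinations(activations, r):
            claimed = [i for a in combo for i in a["alerts"]]
            if len(claimed) != len(set(claimed)):
                continue  # two hypotheses claim the same alert
            score = sum(a["belief"] * len(a["alerts"]) for a in combo)
            if score > best_score:
                best, best_score = combo, score
    explained = {i for a in best for i in a["alerts"]}
    unexplained = [al for i, al in enumerate(alerts) if i not in explained]
    return sorted(a["case"] for a in best), unexplained

# Constructed stream: two problems interleaved, plus one unrelated alert.
STREAM = [(0, "http_scan"), (2, "ssh_fail"), (5, "cgi_probe"), (6, "ssh_fail"),
          (9, "dns_query"), (12, "shellcode"), (15, "ssh_login")]

if __name__ == "__main__":
    print(reuse(retrieve(STREAM), STREAM))
```

The competing generic_scan hypothesis is dropped because it claims alerts that the two fuller hypotheses already explain; the leftover dns_query alert is what would go to the user in Revise.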
Revise
• Explanation presented to user
• User can make changes
Retain
• Updates sequential case base