% intro.tex
\section{Introduction}
\label{sec:introduction}
We experimentally analyze the accuracy of the \zplus qualitative
probability scheme when used for diagnosis and information fusion.
In cyber defense, an ``\ldots intrusion detection system (IDS) is a device or
software application that monitors network or system activities for malicious
activities or policy violations''~\cite{wiki:ids}.
In previous work we developed a technique for IDS
fusion, deployed in the Scyllarus system~\anoncite{goldman:09Scyllarus} and its
successor MIFD~\anoncite{stratus:saso12}.
These systems fuse together reports from multiple, heterogeneous IDSes,
hypothesizing underlying events to explain those reports, and assessing the events'
likelihood, to detect cyber attacks.
Their likelihood assessment is based on \zplus, a qualitative
abstraction of probability theory~\cite{Goldszmidt:96}.
Scyllarus has been extensively tested in real networks, using both
real and synthetic data, and has shown its ability to accurately fuse reports
from extremely noisy sensors.
It also
dramatically reduces false alarm rates, the bane of intrusion
detection systems, cutting the flood of incoming reports by multiple
orders of magnitude.
Unfortunately, we cannot draw crisp, \emph{general} conclusions based on
field evaluations alone.
We need to demonstrate that the results are due to features of the algorithm,
not simply artifacts of details of the test network, traffic, and
attacks. This problem is particularly acute in the area of intrusion detection,
as we explain below.
% This is a general problem of evaluating IDSes, which we discuss
% further below.
%
In this paper, we analyze the underlying reasoning machinery to
complement earlier field studies.
%
% In particular we explore the suitability of qualitative
% probabilistic techniques --- and \zplus in particular ---
% for information fusion, especially in areas where
% standard probabilistic methods cannot be applied because statistics are not
% available, and machine learning techniques are not appropriate.
\zplus models uncertain phenomena as falling into a small set of
\emph{qualitatively distinct} levels of likelihood, similar to the way that
big-$O$ methods abstract computational effort.
% In our experiments, we show that our abstraction supports accurate event
% detection, and explore the robustness of our techniques as
% the qualitative abstraction fits the world less well.
To use the big-$O$ analogy again, we check to make sure that our results degrade
gracefully as the orders of magnitude become less important compared to the
constant factors.
% For example, we examine how our qualitative approach degrades when
% modeling probability distributions in which the probabilities corresponding to the
% qualitative strata get closer together.
%
% %%% Can we remove this? It's a bit early for future work, so maybe
% %%% push to back if necessary and space allows?
%
%Additionally, our original work was in the context of an open system that fused
%a set of ``take them or leave them'' \idses. We are moving to incorporate our
%fusion system in an integrated system that will perform computer network
%defense. In this new framework, we have the opportunity to make decisions about
%what sorts of sensors to deploy, possibly developing new sensors in the process,
%and where to deploy these sensors. The results here will help inform such
%decisions.
The experimental results we report show that \zplus{}'s accuracy degrades
gracefully as the qualitative abstraction fits less and less well. We also show
that the accuracy of our system degrades gracefully with decreasing sensor
precision. Finally, MIFD is accurate even when detecting very rare events,
not only when sensors fail independently, but also in
the face of correlated false positives.
These results confirm the results of our
earlier field tests, and help explain why the
qualitative scheme works so well.
% Our experimental analyses use simulated sensors and events,
% allowing us to precisely control stimuli to the system,
% and so allow us to draw general conclusions about the applicability of our
% approach.
% %, to identify when it will behave well or poorly, show that it degrades
% % gracefully, rather than suddenly, etc.
% The experiments are very encouraging, confirm the results of our
% earlier field tests, and help to explain why it is that the
% qualitative scheme has been found to work so well.
% % They show that under very weak assumptions,
% We show that
% MIFD's sensor fusion approach provides good detection rates with a low
% rate of false positives even when the underlying assumption that the
% likelihoods of events do qualitatively differ is violated. The
% experiments further show that MIFD functions correctly even when the
% connection of sensors to events is ambiguous. MIFD achieves
% acceptable false positive rates even when detecting very rare events,
% and can do so not only when sensors fail independently, but also in
% the face of correlated false positives (represented as \emph{benign}
% events).
Our results are generally
relevant to qualitative probabilistic reasoning for
information and sensor fusion.
Our fusion problems are modeled as problems of causal explanation, or abduction:
what are the events most likely to have caused the observations (the IDS
reports) given certain causal relations?
Therefore our results are also of interest to researchers in diagnosis.
Qualitative probability systems like \zplus\ offer an attractive middle ground between
purely disjunctive reasoning in diagnosis and full probabilistic reasoning.
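To make the two ideas above concrete, the qualitative strata of likelihood and fusion as abduction over IDS reports, the following Python script is an added illustration; it is not code from the Scyllarus or MIFD systems and does not reproduce their algorithm. It assumes the standard kappa-calculus reading of \zplus\ ranks (a probability $p$ maps to the integer rank $\kappa$ with $p \approx \varepsilon^{\kappa}$, rank 0 being the normal case), that independent events combine by adding their ranks, and that a report no hypothesised event explains is charged the false-positive rank of the sensor that produced it. The event names, sensor names, causal table and rank values are constructed sample data. The same script also shows the abstraction fitting less well: two probabilities that are close together collapse into one stratum.

```python
"""Kappa-rank abduction over constructed IDS reports.

Added illustration, not the authors' Scyllarus/MIFD code.  Assumptions:
ranks follow the kappa-calculus convention p ~ eps**kappa (rank 0 = normal,
higher = more surprising); independent events add their ranks; a report
that no hypothesised event explains costs the false-positive rank of the
sensor that raised it.  Every name and number below is constructed.
"""
import itertools
import math

INF = float("inf")


def kappa(p: float, eps: float = 0.1) -> float:
    """Qualitative rank of probability p: the integer k with p ~ eps**k.

    Probabilities within a factor of sqrt(eps) of each other land in the
    same stratum, which is where the abstraction starts to fit less well.
    """
    if p >= 1.0:
        return 0
    if p <= 0.0:
        return INF
    return max(0, round(math.log(p, eps)))


# Prior rank of each candidate event occurring (constructed sample data).
EVENT_PRIOR = {"portscan": 1, "worm_infection": 3, "backup_job": 1}

# Causal relations: which events can produce which report type (constructed).
# "backup_job" is a benign event that can explain an outbound traffic burst,
# the usual source of correlated false positives across sensors.
CAUSES = {
    "scan_signature": {"portscan", "worm_infection"},
    "outbound_burst": {"worm_infection", "backup_job"},
    "av_alert": {"worm_infection"},
}

# Rank of a sensor reporting with no underlying event (constructed; a lower
# rank models a less precise sensor).
SENSOR_FP_RANK = {"nids": 2, "netflow": 2, "host_av": 2}


def explanation_rank(events, reports):
    """Total rank of the hypothesis 'exactly these events happened'.

    reports is a list of (sensor, report_type) pairs.
    """
    events = frozenset(events)
    rank = sum(EVENT_PRIOR[e] for e in events)
    for sensor, report_type in reports:
        if not (CAUSES[report_type] & events):
            # Nothing hypothesised explains this report: treat it as a
            # false positive of that sensor.
            rank += SENSOR_FP_RANK[sensor]
    return rank


def ranked_explanations(reports):
    """All event subsets, most plausible (lowest rank) first.

    Ties are broken by fewer events, then by name, so the order is stable.
    Exhaustive enumeration is fine for this toy event set.
    """
    names = sorted(EVENT_PRIOR)
    cands = []
    for n in range(len(names) + 1):
        for combo in itertools.combinations(names, n):
            cands.append((explanation_rank(combo, reports), n, sorted(combo)))
    cands.sort()
    return [(rank, frozenset(ev)) for rank, _, ev in cands]


def best_explanation(reports):
    """(rank, events) of the minimal-rank abductive explanation."""
    return ranked_explanations(reports)[0]


if __name__ == "__main__":
    cases = {
        "single scan report": [("nids", "scan_signature")],
        "scan + burst + AV alert": [("nids", "scan_signature"),
                                    ("netflow", "outbound_burst"),
                                    ("host_av", "av_alert")],
        "scan + burst only": [("nids", "scan_signature"),
                              ("netflow", "outbound_burst")],
    }
    for label, reports in cases.items():
        rank, events = best_explanation(reports)
        print(f"{label}: rank {rank}, events {sorted(events) or ['none']}")
    print("kappa(0.1) =", kappa(0.1), " kappa(0.05) =", kappa(0.05))
```

With these constructed ranks, a lone scan signature is explained by a portscan; adding a traffic burst and a host AV alert makes a single worm infection the cheapest explanation of all three reports; but a scan plus a burst with no AV alert is best explained by a portscan together with the benign backup job, which is how a correlated benign cause out-competes an attack hypothesis. The `kappa` call at the end shows probabilities 0.1 and 0.05 landing in the same stratum under $\varepsilon = 0.1$.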
To the best of our knowledge, ours is the only empirical work to explore the
\emph{accuracy} of reasoning with \zplus.
Of about 250 works citing Goldszmidt and Pearl's 1996
work~\cite{google-scholar-query}, none of the few that detail
applications of \zplus\ reasoning (as opposed to theoretical investigations of
the logic) conducts such an investigation.
%
Minock and Kraus~\shortcite{minock-kraus-LIAI02} investigate the
\emph{efficiency} of an implementation of \zplus\hide{\ restricted to specific classes of
Horn theories},
but not its accuracy.
% Minock and Kraus compile queries over Horn and q-Horn clauses to an
% implementation of \zplus, but they report only ``initial performance
% results'' for partition construction to illustrate the tractability of
% their approach~\shortcite{minock-kraus-LIAI02}.
%
% Fujimoto and Matsuzawa use qualitative rankings similar to \zplus\ to
% categorize subjective evaluations in
% text~\shortcite{fujimoto-matsuzawa-newgencomp99,fujimoto-WIIAT2010};
% their system predicts reactions to advertising messages. Fujimoto's
% experiment~\shortcite{fujimoto-WIIAT2010} is directed towards a
% regression analysis, examining prediction accuracy on a set of survey
% responses.
%
% We do not question the correctness of those experiments, but
% the substitution of qualitative probabilities for actual values should
% not be made without confirming the appropriateness of the
% approximation for the particular domain. We believe that the
% experiments we report here are the first such rigorous investigation
% of the suitability of \zplus\ for a specific application.
In the next section we introduce the problem of \ids fusion
and its challenges. Then we describe our approach to the
problem, as implemented in the Scyllarus and MIFD systems. We describe our
experimental designs, present the results, and conclude with some proposals for
future work.
%%% Local Variables:
%%% mode: latex
%%% TeX-master: "main"
%%% End: