
    AI Solutions for MDS: Artificial Intelligence Techniques for Misuse Detection and Localisation in Telecommunication Environments

    This report considers the application of Artificial Intelligence (AI) techniques to the problem of misuse detection and misuse localisation within telecommunications environments. A broad survey of techniques is provided, covering inter alia rule based systems, model-based systems, case based reasoning, pattern matching, clustering and feature extraction, artificial neural networks, genetic algorithms, artificial immune systems, agent based systems, data mining and a variety of hybrid approaches. The report then considers the central issue of event correlation, which is at the heart of many misuse detection and localisation systems. The notion of being able to infer misuse by the correlation of individual temporally distributed events within a multiple data stream environment is explored, and a range of techniques is reviewed, covering model based approaches, `programmed' AI and machine learning paradigms. It is found that, in general, correlation is best achieved via rule based approaches, but that these suffer from a number of drawbacks, such as the difficulty of developing and maintaining an appropriate knowledge base, and the lack of ability to generalise from known misuses to new unseen misuses. Two distinct approaches are evident. One attempts to encode knowledge of known misuses, typically within rules, and uses this to screen events. This approach cannot generally detect misuses for which it has not been programmed, i.e. it is prone to issuing false negatives. The other attempts to `learn' the features of event patterns that constitute normal behaviour and, by observing patterns that do not match expected behaviour, detects when a misuse has occurred. This approach is prone to issuing false positives, i.e. inferring misuse from innocent patterns of behaviour that the system was not trained to recognise.
Contemporary approaches are seen to favour hybridisation, often combining detection or localisation mechanisms for both abnormal and normal behaviour, the former to capture known cases of misuse, the latter to capture unknown cases. In some systems, these mechanisms even work together to update each other to increase detection rates and lower false positive rates. It is concluded that hybridisation offers the most promising future direction, but that a rule or state based component is likely to remain, being the most natural approach to the correlation of complex events. The challenge, then, is to mitigate the weaknesses of canonical programmed systems such that learning, generalisation and adaptation are more readily facilitated.

    Metaheuristic-Based Neural Network Training And Feature Selector For Intrusion Detection

    Intrusion Detection (ID) in the context of computer networks is an essential technique in modern defense-in-depth security strategies. As such, Intrusion Detection Systems (IDSs) have received tremendous attention from security researchers and professionals. An important concept in ID is anomaly detection, which amounts to the isolation of normal behavior of network traffic from abnormal (anomalous) events. This isolation is essentially a classification task, which led researchers to attempt the application of well-known classifiers from the area of machine learning to intrusion detection. Neural Networks (NNs) are one of the most popular techniques for performing non-linear classification, and have been extensively used in the literature to perform intrusion detection. However, the training datasets usually comprise feature sets containing irrelevant or redundant information, which impacts the performance of classification, and traditional learning algorithms such as backpropagation suffer from known issues, including slow convergence and the trap of local minima. Those problems lend themselves to the realm of optimization. Considering the wide success of swarm intelligence methods in optimization problems, the main objective of this thesis is to contribute to the improvement of intrusion detection technology through the application of swarm-based optimization techniques to two basic problems: selecting optimal packet features, and optimally training neural networks to classify those features into normal and attack instances. To realize these objectives, the research in this thesis follows three basic stages, succeeded by extensive evaluations.

    Optimization of parameters for binary genetic algorithms.

    In the GA framework, a species or population is a collection of individuals or chromosomes, usually initially generated randomly. A predefined fitness function guides selection while operators like crossover and mutation are used probabilistically in order to emulate reproduction. Genetic Algorithms (GAs) belong to the field of evolutionary computation, which is inspired by biological evolution. From an engineering perspective, a GA is a heuristic tool that can approximately solve problems in which the search space is huge in the sense that an exhaustive search is not tractable. The appeal of GAs is that they can be parallelized and can give us "good" solutions to hard problems. One of the difficulties in working with GAs is choosing the parameters---the population size, the crossover and mutation probabilities, the number of generations, the selection mechanism, the fitness function---appropriate to solve a particular problem. Besides the difficulty of the application problem to be solved, an additional difficulty arises because the quality of the solution found, or the sum total of computational resources required to find it, depends on the selection of the parameters of the GA; that is, finding a correct fitness function and appropriate operators and other parameters to solve a problem with GAs is itself a difficult problem.
The contributions of this dissertation, then, are: to show that there is not a linear correlation between diversity in the initial population and the performance of GAs; to show that fitness functions that use information from the problem itself are better than fitness functions that need external tuning; and to propose a relationship between selection pressure and the probabilities of crossover and mutation that improves the performance of GAs in the context of two extreme schema: small schema, where the building block in consideration is small (each bit individually can be considered as part of the general solution), and long schema, where the building block in consideration is long (a set of interrelated bits forms part of the general solution). Theoretical and practical problems like the one-max problem and the intrusion detection problem (considered as problems with small schema) and the snake-in-the-box problem (considered as a problem with long schema) are tested under the specific hypotheses of the Dissertation. The Dissertation proposes three general hypotheses. The first one, in an attempt to measure the impact of the input over the output, holds that there is not a linear correlation between diversity in the initial population and performance of GAs. The second one proposes the use of parameters that belong to the problem itself to join objective and constraint in fitness functions, and the third one uses Holland's Schema Theorem to find an interrelation between selection pressure and the probabilities of crossover and mutation that, if obeyed, is expected to result in better performance of the GA, in terms of the solution quality found within a given number of generations and/or the number of generations needed to find a solution of a given quality, than if the interrelation is not obeyed.

    Intelligent Systems Supporting the Use of Energy Systems and Other Complex Technical Objects, Modeling, Testing and Analysis of Their Reliability in the Operation Process

    The book focuses on a novel application of Intelligent Systems for supporting the operation and maintenance of power systems or other technical facilities within wind farms. Adopting a different perception of the reliability of wind farm facilities led to the possibility of extending the operational lifetime and operational readiness of wind farm equipment. Additionally, the presented approach provides a basis for extending its application to the testing and analysis of other technical facilities.

    An Evolutionary Algorithm to Generate Ellipsoid Detectors for Negative Selection

    Negative selection is a process from the biological immune system that can be applied to two-class (self and nonself) classification problems. Negative selection uses only one class (self) for training, which results in detectors for the other class (nonself). This paradigm is especially useful for problems in which only one class is available for training, such as network intrusion detection. Previous work has investigated hyper-rectangles and hyper-spheres as geometric detectors. This work proposes ellipsoids as geometric detectors. First, the author establishes a mathematical model for ellipsoids. He develops an algorithm to generate ellipsoids by training on only one class of data. Ellipsoid mutation operators, an objective function, and a convergence technique are described for the evolutionary algorithm that generates ellipsoid detectors. Testing on several data sets validates this approach by showing that the algorithm generates good ellipsoid detectors. Against artificial data sets, the detectors generated by the algorithm match more than 90% of nonself data with no false alarms. Against a subset of data from the 1999 DARPA MIT intrusion detection data, the ellipsoids generated by the algorithm detected approximately 98% of nonself (intrusions) with an approximate 0% false alarm rate.

    Principles for Consciousness in Integrated Cognitive Control

    In this article we will argue that, given certain conditions for the evolution of biological controllers, these will necessarily evolve in the direction of incorporating consciousness capabilities. We will also examine the mechanics necessary for the provision of these capabilities and extrapolate this vision to the world of artificial systems, postulating seven design principles for conscious systems. This article was published in the journal Neural Networks special issue on brain and consciousness.

    World Without a Fourth Amendment

    The subject of this Article is suggested by a single question: How would we regulate searches and seizures if the Fourth Amendment did not exist? This question is a useful one to ask even leaving aside the possibility of amending the amendment. Starting on a blank slate, as it were, should free us from current preconceptions about the law of search and seizure, ingrained after years of analyzing current dogma. Viewed from this fresh perspective, we might gain a better understanding of the values at stake when the state seeks to obtain evidence or detain suspects. This new understanding in turn should invigorate criticism of current law, and might even lead to fundamental reinterpretations of the Fourth Amendment's language. Starting from scratch, this Article develops an approach to search and seizure regulation that is very different from current law promulgated by the United States Supreme Court, yet at the same time is reconcilable with the amendment's wording.

    Self Organized Multi Agent Swarms (SOMAS) for Network Security Control

    Computer network security is a very serious concern in many commercial, industrial, and military environments. This paper proposes a new computer network security approach defined by self-organized agent swarms (SOMAS), which provides a novel computer network security management framework based upon desired overall system behaviors. The SOMAS structure evolves based upon the partially observable Markov decision process (POMDP) formal model and the more complex Interactive-POMDP and Decentralized-POMDP models, which are augmented with a new F(*-POMDP) model. Example swarm-specific and network-based behaviors are formalized and simulated. This paper illustrates, through various statistical testing techniques, the significance of this proposed SOMAS architecture and the effectiveness of self-organization and entangled hierarchies.