Adaptive CaseBased Reasoning Architectures for Critical Infrastructure Protection - PowerPoint PPT Presentation
1
Adaptive Case-Based Reasoning Architectures for Critical Infrastructure Protection
Dr. Dan Schwartz, Dr. Sara Stoecklin, Mr. Erbil Yilmaz, Ms. Mimi Xu
Florida State University, Department of Computer Science
2
Table of Contents
  • Case-Based Reasoning Defined
  • General Problem
  • Our Approach: Specific Application (Snort IDS)
  • Architectural Elements
  • Advantages of Adaptive Architectures
  • Future Work

3
Case-Based Reasoning
[Diagram: the CBR cycle. 1.0 Formulate Problem/Attack receives a problem/attack from the Environment and produces a problem description; 2.0 Search Archives queries the Case Archive with the problem description and returns similar cases; 3.0 Select/Adapt derives a solution/response from the similar cases; 4.0 Generate Response to Problem/Attack sends the generated response to the Environment; 5.0 Report Results records the measure of success/failure as results in the Case Archive.]
4
Key Issues
CBR can be a valuable tool for the protection of
critical infrastructures in any of the eight CIP
domains
  • Information and Communications
  • Electrical Power Systems
  • Gas and Oil Transportation and Storage
  • Banking and Finance
  • Transportation
  • Water Supply Systems
  • Emergency Services
  • Government Services

even though each domain may have its own specific
cases, data, and reasoning requirements.
5
Key Issues
Reasoners should be easily adaptable, in a
cost-effective manner, to new or rapidly changing
application environments.
  • Case types and retrieval methods can change
    rapidly within any given application domain.
  • Completely new application domains, and types of
    domains, continue to appear.
  • Modifying and/or building domain-specific
    case-based reasoners is costly since it requires
    substantial rewriting of code.

6
Our Approach
  • Create an adaptive architecture employing a
    meta-model describing the domain features needed
    for the CIP CBR.
  • Attributes, relationships, and reasoning rules
    are defined as instances from metadata.

7
What this means is THE SAME ADAPTIVE CBR
system can be used with different metadata to
solve different problems. Thus, rather than
writing separate CBRs for each problem within
each of the domains, WRITE ONE GENERIC CBR that
dynamically reacts to the meta description of the
domain problem. The adaptive CBR is a TOOL for
creating ARBITRARY DOMAIN-SPECIFIC CBRs.
8
To Illustrate
[Diagram: two instances of the same Adaptive CBR System. Generalized CBR: inputs problem description and case description; outputs solution/response and similar cases. Snort CBR: inputs Snort problem description and case description; outputs solution/response and similar cases; cases drawn from the Snort Case Archive.]
9
Other IDS Applications
[Diagram: Behavioral CBR: Adaptive CBR System with a behavioral problem description as input; outputs solution/response and similar cases. Intrusion Event CBR: Adaptive CBR System with an intrusion event problem description as input; outputs solution/response and similar cases; cases drawn from the Intrusion Event Archive.]
10
Other CIP Applications
[Diagram: Person Identification CBR: Adaptive CBR System with a person description as input; outputs person id/non-id and similar cases. Emergency Response CBR: Adaptive CBR System with an emergency description as input; outputs solution/response and similar cases.]
11
Domain: Information and Communications Area
Intrusion Detection: One CBR Framework, Four Sets of Metadata
[Diagram: packets pass through a Filter and a Machine to two CBR instances; the CBR Behavior instance reports suspect behavior, the CBR Snort-Like instance emits snort-like messages.]
12
A First Step: Snort CBR (Proof-of-Concept System)
  • The Snort IDS uses rules to detect possible
    intrusions depending on particular features of an
    incoming packet such as protocol, source and
    destination IP addresses and ports, payload
    contents, etc. If each of the packet features
    matches the feature specified by the rule, then the
    rule is applied (fired) and the rule action is
    performed.
  • Sample Snort rule:
    alert tcp any any -> 192.168.1.0/24 !111
    (content:"|00 01 86 a5|"; msg:"mountd access";)

13
Snort Rule as a Case
  • Match features from the foregoing rule:
    Protocol: tcp
    Source IP address: any
    Source port: any
    Destination IP address: 192.168.1.0 to 255
    Destination port: not gt 111
    Packet contents: 000186a5 (hex code)
  • Case action:
    Output alert: "mountd access"

14
Software System Overview (Instance: Snort)
15
Snort CBR Data Abstraction
[Class diagram. Knowledge level: MetaDataManager, MetaDataVector, MetaDataRecord, Feature Type and Comparator, with Comparator specialised into Exact, Range and ParsingExact. Operational level: Case and Feature. The association multiplicities shown on the original figure (1, 1..1, 0..M, 1..M, M..1) cannot be assigned to edges from the transcript.]
Data Dictionary
  Meta Data         Meta Model
  Feature           Feature Type   DataType   Comparator
  Protocol          Protocol       String     Exact
  PortIDIn          PortID         String     Exact
  PortNumIn         PortNum        Integer    Range
  PayLoadContent    Content        String     ParsingExact
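The following is an added example, not the authors' prototype (whose code and language the slides do not show), of the metadata-driven case retrieval that slides 12 through 15 describe: the Exact, Range and ParsingExact comparators and the data-dictionary columns come from the slides, while the feature names, weights, weighted-mean similarity, case archive and probe packet are constructed assumptions, and the slide's negated destination port is simplified to 111.

```python
import ipaddress
# Meta-model data types: name -> parser from raw string to a comparable value (assumed set).
DATA_TYPES = {
    "String": str, "Integer": int,
    "IPv4": lambda s: int(ipaddress.IPv4Address(s)),
    "Hex": bytes.fromhex,
}
# Comparators named on slide 15; each returns a score in [0, 1].
COMPARATORS = {
    "Exact": lambda c, p: 1.0 if c == p else 0.0,
    "Range": lambda c, p: 1.0 if c[0] <= p <= c[1] else 0.0,  # c is an inclusive (low, high) pair
    "ParsingExact": lambda c, p: 1.0 if c in p else 0.0,     # byte pattern anywhere in the payload
}
# Snort-like metadata (assumed layout): feature -> (data type, comparator, weight).
SNORT_META = {
    "Protocol": ("String", "Exact", 1.0),
    "DstIP": ("IPv4", "Range", 1.0),
    "DstPort": ("Integer", "Range", 1.0),
    "Content": ("Hex", "ParsingExact", 2.0),
}
def parse_case_value(meta, feature, raw):
    """Typed case value: 'any' is a wildcard; 'a-b' (or just 'a') is a range for Range features."""
    dtype, comparator, _ = meta[feature]
    if raw == "any":
        return "any"
    parse = DATA_TYPES[dtype]
    if comparator == "Range":
        low, _, high = raw.partition("-")
        return (parse(low), parse(high or low))
    return parse(raw)
def similarity(meta, case, probe):
    """Weighted mean of per-feature comparator scores, driven entirely by the metadata."""
    score, total = 0.0, 0.0
    for feature, (dtype, comparator, weight) in meta.items():
        case_v = parse_case_value(meta, feature, case[feature])
        probe_v = DATA_TYPES[dtype](probe[feature])
        score += weight * (1.0 if case_v == "any" else COMPARATORS[comparator](case_v, probe_v))
        total += weight
    return score / total
def retrieve(meta, archive, probe, k=2):
    """Top-k most similar cases as (action message, similarity), best first."""
    ranked = sorted(archive, key=lambda c: similarity(meta, c, probe), reverse=True)
    return [(c["msg"], similarity(meta, c, probe)) for c in ranked[:k]]
# Constructed archive (the slide's mountd rule with the port negation dropped, plus made-up cases) and probe.
ARCHIVE = [
    {"Protocol": "tcp", "DstIP": "192.168.1.0-192.168.1.255", "DstPort": "111", "Content": "000186a5", "msg": "mountd access"},
    {"Protocol": "udp", "DstIP": "any", "DstPort": "53", "Content": "0100", "msg": "constructed dns query"},
    {"Protocol": "tcp", "DstIP": "10.0.0.0-10.0.0.255", "DstPort": "1-1024", "Content": "000186a5", "msg": "constructed rpc"},
]
PROBE = {"Protocol": "tcp", "DstIP": "192.168.1.7", "DstPort": "111", "Content": "ffff000186a500"}
```

Replacing SNORT_META with another feature/comparator dictionary re-targets the same retrieve() to a different domain, which is the "one generic CBR" point of slide 7.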
16
Adaptive Architecture
  • This Adaptive Architecture has an explicit object
    model that provides meta information which is
    interpreted at runtime to change behavior.
  • Adaptive Architectures are especially suited for
    specific frameworks such as a CBR.
  • References to similarity metrics are stored as
    descriptive metadata, thus adding flexibility.

17
Advantages of Architecture
  • General meta-level architectures can more easily
    be implemented for the various CIP domains in
    many areas with many types of problems.
  • Modification of a given CBR is easier and can be
    done by domain experts without major rewrites.
  • New similarity metrics can easily be added.
  • Shorter time-to-market:
    • can implement the changes quickly
    • can build new CBRs more quickly

18
Our Progress
  • Explored existing CBR systems including NRL's
    NaCoDAE (Navy Conversational Decision Aids
    Environment).
  • Designed Meta-Model for general cases and case
    features
  • Built Case Library using the standard Snort rule
    set.
  • Defined a simple similarity metric for Snort Case
    Retrieval.
  • Created an elementary Prototype for Snort CBR

19
Publications/Patents
  • Schwartz, D.G., Stoecklin, S., and Yilmaz, E.,
    A case-based approach to network intrusion
    detection, Fifth International Conference on
    Information Fusion, IF'02, Annapolis, MD, July
    7-11, 2002, to appear.
  • A Generic Adaptive Case-Based Reasoner,
    disclosure and patent application in progress.

20
Future Work
  • Extend the snort-like Adaptive CBR with new
    features, cases, and reasoning rules to enable
    network intrusion detection based on user
    behavior analysis. (Challenge Problem)
  • Extend the Adaptive CBR with more features, cases
    and rules to allow detection using machine states
    and events.
  • Explore each of the other CIP Domains and
    create appropriate further applications of the
    Adaptive CBR.