Imperishable Networks - PowerPoint PPT Presentation

Provided by: stephe100
Transcript and Presenter's Notes

1
Imperishable Networks
  • FTN Principal Investigator Meeting
  • July 23-26 2002
  • Newport, RI

2
Project Information
  • Start Date: Aug, 2001. Late start in 2002
    (Jan-May)
  • Thanks to Doug for alleviating this and extending
    our end-date to December or how about until
    DISCEX 03?
  • Contract Administrator: Scott Shyne, Rome Labs
  • Project Investigators
  • Stephen F Bush bushsf_at_research.ge.com
  • Scott C Evans
  • Amit B Kulkarni
  • John E Hershey
  • Project Goal: A Universal Information Assurance
    Metric Via Complexity-Theory (Kolmogorov
    Complexity)

3
Outline
  • Introduction
  • Advances in Complexity Theory
  • Complexity Estimation Techniques
  • Detect Fault/Attack
  • Experimental implementation verification
  • Self-Composition
  • In-line Genetic Programming
  • Summary and Future Work

4
Introduction
Why Complexity Theory?
Entropy on Steroids
Understanding Optimal Algorithm Versus Data
Size Critical for Active Networks and also a
fundamental property with many other applications
5
  • Complexity/Information Theory
  • K Complexity Estimation
  • Sophistication
  • Communications
  • Networking
  • Active Networks

Imperishable Networks
  • Biology/Bioinformatics
  • In-line Genetic Programming
  • Evolution

6
Thermodynamics Comparison
What are the Temperature/Heat/Density parameters
for Information?
7
What Is Kolmogorov Complexity?
  • A measure of descriptive complexity
  • Bounded by the length of the string
  • Related to Entropy

A Fundamental Measure of Information Content
8
Example: Consider a 128-bit String
000000000000..000
000000000000..001
000000000000..010
000000000000..011
1111111111111..10
1111111111111..11
1010101010
128 bit strings
9
Minimum Description Length
K(x)
101010 010101
128 bit strings alternating 1 and 0
Model Size (Sophistication)
Data Size
The Smallest Combination of Data Code Wins
10
Complexity Estimation
Progressing Up Hierarchy with Two-Part Codes
11
1,10,101,1011,10110,101100,1011000
1,0,10,11,01,00,100,101,110,111,000,001
Min LZ78 Compression
Max LZ78 Compression
12
Variation in LZ78 Compression
13
Optimal Symbol Compression Ratio
Accurate, Computationally Efficient Two-Part
Complexity Estimator
14
  • Normal Session
  • Incorrect login
  • Connected, search, leave
  • Connected, looked for a file
  • Put/Retrieved files
  • Attack Sessions
  • Buffer Overflow
  • DDoS
  • Unauthorized Access
  • Trojan Horse

15
Attack Detection Via Complexity
He Who Owns the Best K Estimator Wins!
Detect Fault/Attack
16
Complexity Maps (K-Maps)
  • Provide complexity gradients in system
  • Provides measurable metrics, for strings x and y
  • K(x)
  • K(xy)
  • K(yx)
  • Process complexity
  • Represent data represented in forms
  • Sort by application or layer
  • Enable multiple views (layer-wise, node/system)

Measures Network Health and Security in Single
Framework
Detect Fault/Attack
17
Magician Probes
  • Probe Data
  • Incoming/outgoing ANEP packets
  • ANEP header only
  • Class bytecode
  • Data in/out

Scheduler
SPObject(f,rd)
SPObject (f,r)
Packetizer
Packetizer
ANEP(f,jd)
ANEP (f,j)
Transmitter
Demultiplexer
ANEP(a,j)
UDP(a,j)
Port Manager
UDP(a,j)
f = flow, a = all, d = difference x-y, j = joint x.y,
r = relative yx
Detect Fault/Attack
18
Process Complexity
  • Theoretical foundation
  • Given program p with input x and output y
  • K(y) ≤ K(x) + l(p) + C
  • Uses
  • Data integrity
  • Node integrity (intrusion detection)
  • Genetic Programming Fitness Function
  • Implementation
  • Measure data and class bytecode
  • Difficulties
  • Class hierarchy
  • In-line computation

Detect Fault/Attack
19
Data Complexity
  • Multiple estimators implemented
  • Java (Zlib) Compress
  • Empirical Entropy
  • LZ Estimator

Provide Framework for Fault Mitigation via
Self-Composition
Detect Fault/Attack
20
Complexity- Controlled Self-Composition
Self-Composition
21
Complexity Facilitates Automated Generation of
Solutions
Lots of FTN model building going on
K Estimator (MDL, etc)
Fault Models
Healthy Models
System
Fault
  • K Estimator
  • Identifies most likely model
  • Guides evolution
  • Helps generate smallest solution

Fitness Function
Solution Entities
Self-Composition
22
Self-Composition/Self-Healing
Fitness K as Solutions Compose
  • Self-Composition Algorithmic Fault
    Representation
  • Smallest algorithmic representation of a fault
    indicates its complexity
  • Compact algorithmic representation travels faster
    alerting system management

Fitness and complexity tend To have opposing
extrema
Self-Composition
23
Potential Self-Composing Applications
  • Jitter Control Delay(Join/Split)
  • Vulnerability reduction Encrypt L1 Encrypt L2
  • Multicast ForwardSplit/Join
  • Service migration CacheForward
  • Generic Fitness functions can be injected
  • Generic Functional units can be added
  • SNMP values are used for standard operation
    within fitness function

Self-Composition
24
Nucleus Injected at Startup
Genetic Material
Active EE
Active EE
Active EE
Active EE
Active EE
Active EE
Fitness Functions
Fitness functions (ff) are manually injected
(later to be automatically created upon
occurrence of faults).
Self-Composition
25
Single Node Active Evolutionary Control
Architecture
Active Execution Environment
Evolutionary Control Packet
SmallState Chain Element
SmallState Chain Element
Port
Port
Port
Port
Self-Composition
26
Chromosome Variance 100 times better than non-GP
variance
Chromosomes initially worse than actual, but
better in long run
Self-Composition
27
Summary/Conclusion
28
Complexity Theory Summary/Direction
A Potential Universal IA Metric for FTN
Point-Solution Safeguards
  • Complexity Theory
  • Bound/Develop Better Complexity/Sophistication
    Estimators
  • Tradeoff/Optimize Computational Requirements
  • Detect Fault/Attack
  • Refine K-Map Probes To Use New estimators
  • Re-run DDoS Detection Experiment With New
    Estimators
  • Detect New Attack Types
  • Self Composition
  • System Level MDL Concepts
  • Active Network Genetic Program Experimentation
  • Technical Transitions
  • Lockheed Martin ATL, Owego, Mission Systems
  • GE Industrial Systems Self Organizing
    Networks/Anomaly Detection

29
Imperishable Networks
Impact
Schedule
  • Security evolves to thwart attacks
  • Complexity managed to benefit the system
  • Integration of computation and communication
  • Self-management and reconstitution

2001
2002
DETECT FAULT/ATTACK
EVALUATE FAULT/ATTACK
SELF-COMPOSITION FOR ACTIVE NETWORK SERVICES
30
Additional slides only presented if requested
31
Why Complexity?
  • Answers to Frequently Asked Questions
  • K-Complexity is Incomputable
  • Yes, we know that, thanks anyway! :-)
  • Estimators
  • Complexity relates to the accepted security
    paradigm
  • People simplify system design to improve security
  • Complexity does not directly relate to design and
    implementation code of the system! It pertains to
    actual data flowing through the system.
  • Proofs of security properties already exist
    (Yes, we know. Security properties are attempts
    to make systems more complex to the attacker)
  • Subjectivity vs. Objectivity
  • Complexity varies with the scope of what is
    knowable and viewable, both to the attacker and
    the defender. If there is a flaw in your design,
    you may not know it but the attacker may.
  • But always, the best model (best complexity
    estimator) wins. (Any better ideas for a
    universal security metric can be emailed to
    bushsf_at_crd.ge.com!)

32
Complexity Estimators
33
OSCR
0011001001000010100101001100100110011001
001 → A
→ 1AA00A01A01A1AA1A1A
34
Detection
Detect Fault/Attack
35
Detecting DDoS Attacks
  • Variations exist in DDoS attacks: smurf,
    reflectors, etc.
  • Explicit detection schemes become complicated and
    too specific
  • Exploit Attack shares common features/patterns
  • Large decrease in complexity implies correlated
    packets in burst mode
  • K(xy) < K(x) + K(y) + c

[Figure: ANEP packets per time sampling window (seconds); K(x1) + K(x2) + K(x3) + K(x4) - K(x1.x2.x3.x4)]
Kolmogorov Complexity recognizes regularity to
detect attack
Detect Fault/Attack
36
Experimental Validation
  • Audio traffic provides constant background load
  • Attack flow increases in intensity
  • Dominated by regularity
  • Metrics compared
  • Packets thru AN-1
  • Complexity differential thru AN-1

Detect Fault/Attack
37
Comparison
Complexity Metric
Complexity metric less sensitive to background
traffic and always detects attack (no threshold
sensitivity)
K decreases, K Differential increases
Packet Metric
False alarm raised by packet metric due to
background flow
Detect Fault/Attack
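The detection idea on the DDoS and Comparison slides, as an added example that is not code from the presentation: it assumes zlib (one of the estimators the deck lists) as the K estimator and takes the differential to be the sum of per-packet estimates minus the estimate for the concatenated window. The packets, function names and seed are constructed for illustration.

```python
import random
import zlib

def k_est(data: bytes) -> int:
    """Upper bound on K(data): size of its zlib-compressed form, in bytes."""
    return len(zlib.compress(data, 9))

def complexity_differential(packets) -> int:
    """[K(x1) + ... + K(xn)] - K(x1.x2...xn) for one sampling window."""
    return sum(k_est(p) for p in packets) - k_est(b"".join(packets))

def normalized_differential(packets) -> float:
    """Differential as a fraction of sum K(xi), so windows of any size compare."""
    total = sum(k_est(p) for p in packets)
    return complexity_differential(packets) / total if total else 0.0

def make_windows(seed: int = 2002) -> dict:
    """Constructed sample traffic: three sampling windows of 160-byte payloads."""
    rng = random.Random(seed)

    def noise(n: int) -> bytes:
        return bytes(rng.getrandbits(8) for _ in range(n))

    background = [noise(160) for _ in range(40)]   # uncorrelated flows
    template = noise(156)                          # payload reused by the flood
    flood = [b"\x08\x00" + i.to_bytes(2, "big") + template for i in range(20)]
    return {
        "quiet": background[:20],            # 20 packets, no attack
        "busy": background,                  # 40 packets, no attack
        "attack": background[:20] + flood,   # 40 packets, half of them correlated
    }

def score_windows(windows: dict) -> dict:
    """Map window name -> (packet count, normalized complexity differential)."""
    return {name: (len(pkts), normalized_differential(pkts))
            for name, pkts in windows.items()}

if __name__ == "__main__":
    for name, (count, score) in score_windows(make_windows()).items():
        print(f"{name:7s} packets={count:3d} differential={score:.2f}")
```

The busy and attack windows carry the same number of packets, so a packet-count metric cannot separate them, while the differential rises only when the packets are correlated.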
38
Computing K(yx)
  • From Thm 3.9.1 Li-Vitanyi, pp.232-3
  • Using subadditive property
  • K(x,y) K(x) K(yx) O(1) K(x) K(y)
    O(1)
  • º K(x,y) K(x) K(yx) O(1) K(y) O(1)
  • Bounds on K-distance metric

Detect Fault/Attack
39
Estimator Comparison
Zlib is fastest
Pattern data all zeros
40
Self-Composition
Self-Composition
41
Network Traffic and Evolution
(functional units1 functional units2
functional units3 )
Set rcv_time
Set xmit_time
(chromosome1)
(chromosome2)
(functional units1)
(chromosome3)
(functional units3)
Set xmit_time
Traffic Sample
A traffic sample is run through several
chromosomes to determine the most fit
Set xmit_time
Set rcv_time
Self-Composition
42
Effective Chromosome Based Upon Route
(functional units1 functional units2
functional units3 )
(functional units2)
(functional units1)
(functional units3)
t1
tl1 t1 - t
Jitter Control Example
(functional units4)
t2
tl2 t2 - t1
(functional units1
functional units4
functional units3 )
Self-Composition
43
Evolution Hierarchies
(functional units1 functional units2
functional units3 )
(functional units2)
Inter-node Recombination
Nucleus
(functional units1)
(functional units3)
Intra-node Recombination
Nucleus
Nucleus
(functional units4)
Recombination can occur between adjacent nodes
Genes within nodes mutate and recombine
Nucleus
Self-Composition
44
Multi-Level Fitness Functions
(functional units1 functional units2
functional units3 )
(functional units2)
Nucleus
(functional units1)
(functional units3)
Nucleus
Jitter Control Example
Nucleus
(functional units4)
Fitness per node and end-to-end
Nucleus
Self-Composition
45
Jitter Control Fitness Example
Packet Contents
  • (Link) Reduce hop variance
  • (Transport) Reduce end-to-end variance
  • (Network) Ensure feasible route

Packet received?
Self-Composition
46
Pathways
Packet and Functional Unit are the same thing.
Dualism in genetic world (Gene as information
and code) first noted by von Neumann.
Dualism
DNA Strand
DNA
Transcription Control
Information
Introns, Extrons
Functional Unit Chain
Symbolic list manipulated in the code
((Delay, Join)(Join, Split) (Delay, Delay)(Join,
Split))
Self-Composition
47
Evaluation
Evaluate Fault/Attack
48
Evaluating Fault/Attack (C)
Data Complexity
Applying MDL
  • Non-Algorithmic Data Size (huge)
  • Attacker A's Algorithm Size (large)
  • Attacker B's Algorithm Size (small)

Complexity-Based Vulnerability Metric K/L
Active network transmission same information,
different densities
Evaluate Fault/Attack
49
Evaluating Fault/Attack (D)
Demonstration of system K-Map on 3 node system
observer
Logical architecture of K-Map tool
Topographical Map of System Vulnerability
Paths of low network density clearly identified
Mathematica complexity package developed
Evaluate Fault/Attack
50
Evaluating Fault/Attack (A)
Recent Example: Parasitic Computing
--Albert-Laszlo Barabasi, Vincent W. Freeh,
Hawoong Jeong, Jay B. Brockman, Parasitic
Computing, Nature, Vol. 412, 30 August 2001.
Checksums rigged to perform computation
within the network
Vulnerability analysis must account for
innovation of attacker
Evaluate Fault/Attack
51
Evaluating Fault/Attack (B)
Component/Process Complexity
Attacker A's poor hypothesis ( ) of
component operation
Attacker B's better hypothesis ( ) of same
component
Who understands your data/system better: Attacker
A or Attacker B?
Goal is to keep attacker's view as complex as
possible.
A Dispersed (Low Density) DFA
Approaching Actual Complexity
DFA accept same input, different size
information density
Evaluate Fault/Attack
52
Complexity Impacts System Evolution
Fitness versus complexity in Genetic Material
53
Tree Partition: 1,0,11,01,00,10,011,010,0100,111,01001,001,100,010
54
Current Architecture
In Port
Out Port
Guides direction of evolution
Split
Forward
Compress
Delay
Encrypt
Basic Building Blocks
Join
Error Corr.


User Defined
Cache
Self-Composition
55
Jitter Control Fitness Example
Fitness function can be tricky: be careful what
you pray for, you may get it!
  • Self-Composition Summary
  • Generic Fitness functions can be injected
  • Generic Functional units can be added
  • SNMP values are used for standard operation
    within fitness function

Self-Composition