Process Detection
George Cybenko
Dartmouth
[email protected]
1
Acknowledgements
Current Members
George Bakos
Alumni
Alex Barsamian
Marion Bates
Naomi Fox (UMass, Ph.D. student)
Vincent Berk
Hrithik Govardhan (Rocket)
Chad Behre*
Robert Gray (BAE Systems)
Wayne Chung*
Diego Hernando (UIUC, Ph.D. student)
Valentino Crespi (Prof. Cal State LA) Guofei Jiang (NEC Research)
George Cybenko
Alex Jordan (BAE Systems)
Ian deSouza
Han Li (China Shipping Corp)
Annarita Giani*
Josh Peteet (Greylock Partners)
Doug Madory*
Chris Roblee (LLNL)
Glenn Nofsinger*
Robert Savell
Jan-Peter Schutt*
* graduate students
Yong Sheng*
William Stearns
Research Support: DHS, ARDA, AFOSR, NGA, DARPA
Cybenko
2
Overview of Lectures
1. Process modeling
2. Process detection, theory
3. Software and applications
3
Why be interested in this....
• Sensor networks
• Airborne plume detection
• Cyber security
• Autonomic server pool
management
• Dynamics of social networks
400000
• Genomics and biological
pathways*
Total Successful Requests
350000
300000
250000
200000
150000
100000
50000
0
0
• Human situation awareness*
*Possible applications.
Cybenko
100
200
300
400
500
Time (s)
4
Overview
• Lecture 1: Process models
– Notion of "state"
– Differential equations
– State Machines and Automata
– Probabilistic and quantum states
– Constructing state representations
– Some
5
Newton's Big Idea(s)
Calculus
Laws of Physics
Concept of "state"
Isaac Newton
6
Contrast with Aristotle
Nature consists of objects and “rules”
Examples
Ancient law (religious and civil)
Astronomical observations
Superstition
Crisis - could not explain the natural world
7
A Closer Look at F=ma
8
A Closer Look at F=ma
9
A Closer Look at F=ma
Previous state
Next state
Dynamics
Input
10
A Closer Look at F=ma
ua
Concept of state: the future
evolution of the system depends
only on the current state and
future inputs.
sm
IE, the past's influence on the
future is totally summarized by the
state.
si
ub
sn
The next state is determined by
the current state and the current
input (or control, etc).
11
Outputs/Observables
Inputs, u
Forces
Black Box:
States may not be
observable by an
external agent
x =(Position, Momentum)
Outputs, y
Position only
12
Automaton
Alan Turing
13
Graphical Depiction of Automata
0
Start State
a
v
u
v
u
d
c
b
u
1
1
1
v
u,v
Q = States = { a , b , c , d }, X = { u , v } , Y = { 0 , 1 }
d and b shown in graph
14
Caution/Nuisance
• Some models of automata have
observables generated by state
occupancy
• Other models have observables generated
by state transitions
• There are simple mechanisms for
transforming one to the other....they are
equivalent.
15
Automata and Languages
• The set of all possible finite length outputs of the
previous example are a "language"
• The language can be represented by a regular
expression - (0*1|0*11|0*111)*
• "Classical relationship" between regular
languages and nondeterministic finite automata ie, given one, construct the other (Kleene's
Theorem)
• How about constructing an automaton from the
input-output relationship?
16
Nerode Equivalence
• Theorem: Every causal, time-invariant system
has a state space description.
• "Constructive" proof:
– use the input-output description of a system
– two finite length input strings belong to the same
equivalence class if all the corresponding outputs
(beyond the inputs' lengths) are the same
– ie, if inputs w1w2 and w3w2 have outputs z1z2 and z3z2
for all w2 then w1 is equiv to w3
– the resulting equivalence classes are the states
17
Partial Differential Equations
18
Quantum Mechanical Systems
i
 x (t )
t
 Hx ( t )
19
Other process formalisms
• A Petri Net (PN) is given a state by marking its
places.
• Marking of a PN consists of assigning a
nonnegative integer to each place.
– Graphically, tokens are inserted in places of a PN
• Input place - arrow goes from the place to the
transition
• Output place - arrow goes from the transition to
the place
Concurrency Examples
R. Apcar, E. Chiu, H. Jerejian
20
Definitions
• A transition may have one or more Input and
Output places
• A transition is enabled if there is at least one
token in each of its input places.
• An Enabled transition may fire:
– one token is removed from each input place and one
token is inserted in each ouput place of the transition
Concurrency Examples
R. Apcar, E. Chiu, H. Jerejian
21
An example
Concurrency Examples
R. Apcar, E. Chiu, H. Jerejian
22
Example continued
Concurrency Examples
R. Apcar, E. Chiu, H. Jerejian
23
A “Process” has...
•
•
•
•
•
Hidden states (discrete or continuous)
State transitions (nondeterministic, probabilistic)
Observables/events
Relationship between observables and states
An algorithm to “score” observations/events to state
sequences assignments
• Examples:
–
–
–
–
–
–
Nondeterministic automata
Hidden Markov Models
Petri Nets
Linear Systems
Nonlinear Systems
etc
24
Models for Organizational Processes
(W. Chung, J.-P. Schutt, R. Savell, G. Cybenko)
Observables of the Process
A
A
B
B
A
B
A asks B to join
a project
ENRON,
Ebay,
etc
“Static” Analysis
B accepts
A adds B to a
list of
recipients
AB, C, …
Dynamics of the Process
“Dynamic” Analysis
25
Example of a Multistage Process Model
in Computer Security
Potential malicious activity
snort alerts
Potential normal activity
Scanned
Data Access
Samba
Start/Normal
Tripwire
Infected
ftp, covert channel, etc
Exfiltration
26
Cybenko
Real time Fish Tracking
• Objective:
Track several fish in the fish tank
• Why:
Very strong example of the power of PQS
– Fish swim very quickly and erratically
– Lots of missed observations
– Lots of noise
– Classical Kalman filters don’t work (non-linear
movement and acceleration)
– “Easier” than getting permission to track people
(we mistakenly thought)
Cybenko
27
Fish Tracking Details
• 5 Gallon tank with 2 red Platys
named Bubble and Squeak
• Camera generates a stream of
“centroids”:
For each frame a series of (X,Y) pairs
is generated.
• Model describes the
kinematics of a fish:
The model evaluates if new (X,Y)
pairs could belong to the same
fish, based on measured position,
momentum, and predicted next
position. This way, multiple
“tracks” are formed. One for each
object.
• Model was built in under 3
days!!!
Cybenko
28
Kinematic Tracking (2)
Model: the motion of a feature
moving at "human" speed:
The model evaluates if new (X,Y)
pairs could belong to the same
hot spot, based on measured
position, momentum, and
predicted next position. This
way, multiple “tracks” are
formed. One for each object.
Sensors: Infrared video camera
provides datastream
Camera generates a stream of
“centroids”
For each frame a series of
(X,Y) pairs is generated.
29
An Example of a Process
A “Process” Model
Two states - { 1 , 2 }
a
b
1
2
Two observables – { a , b }
Legal transitions between states are depicted by arrows.
When occupying a state, the process emits an observable.
All states are initial/start states and there are no terminal states.
Some legal sequences of observables: abbab , bababbb, abbb
Some illegal sequences of observables: aa , baab
Further reading: Automata Theory, Regular Languages, etc
30
A More Complex Process
Another “Process” Model
a,c
b
a,c
1
2
3
Three states - { 1 , 2 , 3 } Three observables – { a , b , c }
Some legal sequences of observables: abab , babaccab, ab
Some illegal sequences of observables: bb , baabb
Problem: Given a sequence of possible observations is it legal? What states?
Solution:
1 Read the first observable, mark states that emit that observable
2 Read an observable, z
3 New marked states = (states reachable from old marked states)
intersected with (states that could have emitted z )
4 If no new marked states, illegal sequence; else go to 2
31
Extensions: Hidden Markov Model (HMM)
p(a|1) = 0.8 , p(c|1) = 0.2
p(b|2) = 1
0.8
1
Add probabilities
1
p(a|3) = 0.8, p(c|3) = 0.2
3
2
0.2
0.5
0.5
Hidden Markov Models consist of two ingredients:
- the dynamics: state transition probabilities in a Markov chains
- the emissions: p(observation|state)
Given a sequence of observations of length t, what are the possible states at
time t? Unlike the case for a nondeterministic automaton, all we can say in
general for an HMM is what the probability distribution on states is.
32
Extensions: Hidden Markov Model (HMM)
p(a|1) = 0.8 , p(c|1) = 0.2
p(b|2) = 1
0.8
1
1
p(a|3) = 0.8, p(c|3) = 0.2
3
2
0.2
0.5
0.5
Probability distribution at time t+1 is obtained by combining:
- propagation of the distribution from time t using only the dynamics
- factoring in the observation observed at time t+1
33
Two Simple Processes
Model Instance A
Model Instance B
a
b
A1
A2
a
b
B1
B2
aabb is a legal observation sequence
A1 B1 A2 A2 , A1 B1 A2 B2 , B1 A1 B2 B2 , ... are all legal state sequences
A1 A2 A2
B1
, A1 A2
B1 B2
, A1
B1 B2 B2
We can reduce this to a single process....
a track
a hypothesis
34
Multiple Process Representation
A1 B1
Model Instance A
Model Instance A
Model Instance B
a
b
A1
A2
a
b
A1
A2
a
b
B1
B2
0
1
M=
MxM=
0
0
0
1
A1
B1
1
1
0 0
0 1
1 0
1 1
1
1
1
1
If the observation sequence is aaaaaa and multiple copies of the
model are allowed, then we get a product model of size 2n.
35
A Simple Example of Process Detection
a,b,c,d are events that can be observed
{a}
{b}
{b,c}
{c,d}
A
B
C
D
NETWORK WORM MODEL (NW)
(a,b,c,d ICMP traffic levels)
{a}
E
{b}
F
• a,b,c,d are events that can be observed
• states A, B, C, D, E, F are hidden
• observe a sequence of events
Sequence
Hypotheses
• ab
NW | RF
• abab
(NW & NW)|(RF&NW)...
E,F = 0
• ababc
(NW & RF)|(NW & NW)
repeat
• ababcc
read eventNW
e & NW
if e==a then E
• Which process
or combination
of
if E and e==b
then F
until F
processes
explains the observed events?
ROUTER FAILURE MODEL (RF)
Two models; states have different semantics;
sets of observables intersect – what is the “diagnosis”?36
Cybenko
Key Questions
• How is a process model built?
– from first principles
– from expert insights
– from data (lots)
• Given an event sequence, is it feasible or what
is its probability?
• Given an event sequence, estimate the current
state
• Given an event sequence, estimate the state
sequence
• How good are those estimates (ie variance)
37
Homework Problems
What are the states, dynamics and
observables of the following processes:
– intercontinental ballistic missile
– soccer, American football, baseball games
– Avian bird flu epidemic
– terrorist cell
– blogosphere
– US/global economy
– poker
– romance
38
39
40
41
42
43
44
45
Overview
• Lecture 2: Detecting processes
– What does detection of processes mean?
– Automata
– Hidden Markov Models
– Kalman filtering
– Particle filters
46
Process Detection Problems
• Given a sequence of observations...
• What is the current state of the process?
• What is the probability distribution on the
states?
• What are the most likely state sequences?
• What is the uncertainty/error of the
estimates?
47
Graphical Depiction of Automata
0
Start State
a
v
u
v
u
d
c
b
u
1
1
1
v
u,v
Q = States = { a , b , c , d }, X = { u , v } , Y = { 0 , 1 }
d and b shown in graph
48
Input-Output Description
0
Start State
a
v
u
v
u
d
c
b
u
1
1
1
v
u,v
uuuu
uuvu
vuuuu
vvuuuu
uvvuuuu
.....
01010
01001
001010
0001010
01101010
a
b
c
d
f  v = vv = uu = uvv = ...
u = vu = vuuu = ....
uv = vuv = vuuuv = ...
uvu = vuvu = vvuvu = ...
49
Estimating states in an automaton
a
1
a
Observe a
1
a
Observe ab
1
a
Observe ac
1
a
Observe acb
1
b
a,c
2
3
b
a,c
2
3
b
a,c
2
3
b
a,c
2
3
b
a,c
2
3
Sequences: 12, 32
Sequences: 33
Sequences: 332
50
Commentary
• Trivial algorithm....
• Interesting question: What is the worst
case growth of states sequences?
Tomorrow.
• No probabilities, only possibilities.
• What if we add probabilities?
51
Simplest Hidden Markov Model
b1(u) = 0.9, b1(v) = 0.1
a11 = 0.7
1
a21 = 0.1
a12 = 0.3
p(1)=0.5, p(2)=0.5 are initial probabilities
2
a22 = 0.9
b2(u) = 0.1, b2(v) = 0.9
52
Applications of HMM's
•
•
•
•
•
•
•
•
Speech recognition
Gene sequencing
Motion modeling and detection
Pattern recognition (OCR)
Darpa Grand Challenge (autonomic systems)
etc
etc
etc
53
Estimating States
b1(u) = 0.9, b1(v) = 0.1
a11 = 0.7
1
a21 = 0.1
a12 = 0.3
p(1)=0.5, p(2)=0.5 are initial probabilities
2
a22 = 0.9
b2(u) = 0.1, b2(v) = 0.9
54
Estimating Another State
b1(u) = 0.9, b1(v) = 0.1
a11 = 0.7
1
a21 = 0.1
a12 = 0.3
p(1)=0.5, p(2)=0.5 are initial probabilities
2
a22 = 0.9
b2(u) = 0.1, b2(v) = 0.9
Propagate using
dynamics
Factor in the observation
55
Sequences of Observations
Time 1
States
2
3
4
O 2= v
O 3= u
O 4= v
5
1
2
Observations
O1 = u
O 5= v
Problems: Given a sequence of observations O1O2O3 ...
1. What is the most likely state at time t ?
2. What is the most likely state sequence over all time ?
3. What is the probability of the observation sequence?
56
Best state vs best sequence
b1(u) = 0.9, b1(v) = 0.1
a11 = 0.7
1
a21 = 0
a12 = 0.3
p(1)=0.5, p(2)=0.5 are initial probabilities
2
a22 = 1
b2(u) = 0, b2(v) = 1
Observe v - most likely state is 2
Observe u next - must be in state 1 but no transition from 2 to 1 is possible
The sequence vu could only have been produced by starting and staying
in state 1
57
Probability of the Observations
Time 1
States
2
3
4
O 2= v
O 3= u
O 4= v
5
1
2
Observations
O 1= u
O 5= v
58
Optimal Sequences
Time 1
States
2
3
4
O 2= v
O 3= u
O4= v
5
1
2
Observations
O 1= u
O 5= v
59
Viterbi's Algorithm
• These computations were discovered by
A. Viterbi, a founder of Qualcomm.
• The algorithms are used in all modern cell
phones and telecom devices in general.
Noisy Channel
Source sequence
11221212122212
Decode
Receive
11221212222212
uvvuvuvvuvuvvv
60
Other issues for HMM
• Learning an HMM -ie. what are the
various probabilities?
– Baum/Welch Algorithm
– variational algorithms
• Finite, discrete state spaces
61
How about continuous state
spaces?
• Major challenge
– in the finite, discrete case (HMM), we can
represent and store the whole probability
distribution as an n-vector
– what continuous state probability distributions
have simple representations?
• Gaussians - mean and variance specify them
– what if the distribution is more general than a
Gaussian?
62
Madory's Goats
• Goat herder
• Herd state is the number of infant females, adult
females, infant males and adult females
• Dynamics are generation to generation: how many infant
females and males are born, how many infants of each
gender become adults and how many adults survive
• Observables are goat milk revenues and goat baby
inoculation costs - these are noisy
• Problem: estimate total number of goats and number of
adult females
(Example and code due to Doug Madory)
63
64
Quantification of the State
65
Quantification of the Dynamics
66
Quantification of Observations
67
68
Basic Concept in Kalman Filtering
• Use the fact that the sum of variables with
Gaussian distributions is also Gaussian
• Gaussian is characterized by mean and
variance
• Use dynamics to predict the next state
• Use measurement (observation) to correct
that prediction
• Update the error covariance (ie confidence
in the estimate)
69
70
71
Kalman Equations and Geometry
72
Extensions
• To nonlinear systems (linearize locally)
• Learn the system dynamics
• Use the estimates to control the state
(feedback)
• To non-Gaussian noise problems
– particle filter methods
73
Particle Filters
• Represent a probability distribution using a discrete
distribution of particles
• Sample the particles, propagate using dynamics and
correct using obervations
• This creates a new distribution for the next time step
74
Deep Connections to
Information Theory
• This is all part of a much larger problem
description - cybernetics ala N. Wiener
•
Noisy Channel
Environment
Decode
Receiver
Estimate
of Environment
Learning
Models of
Environment
Actions
75
Summary of Lecture 2
Process class
Distribution
Algorithm
Automaton
None
Simple marking
HMM
Discrete, finite
Viterbi
Linear, continuous
Gaussian
Kalman
Continous, nonlinear
Arbitrary
Particle filters
What are the observables?
What are the states?
What are the dynamics?
76
Overview of Lecture 3
Detecting multiple processes
– Instead of one process, we now have some
unknown number of them
– Multiple hypothesis tracking (MHT) framework
– The basic algorithms
– Complexity theory
– Process Query Systems
– Applications
77
Multiple Hidden Process Models
Observations missed,
noise added, unlabelled
(This is what we see)
abacfkhdcbgdbkhagda
Observations
are interleaved
a b c c f h d cc a b g d b a g d a
Observations
related to state
sequences
abcdabbada
cfhccgdg
f, g
a, c
a, b
Underlying
(hidden)
state spaces
c, d
e
Model 1
Cybenko
f, c
c, d
h
Model n
78
Why be interested in this....
• Sensor networks
• Airborne plume detection
• Cyber security
• Autonomic server pool
management
• Dynamics of social networks
400000
• Genomics and biological
pathways*
Total Successful Requests
350000
300000
250000
200000
150000
100000
50000
0
0
• Human situation awareness*
*Possible applications.
Cybenko
100
200
300
400
Time (s)
79
500
Basic Concepts of Process Query Systems (PQS)
An Operational Network
6
129.170.46.3 is at high risk
129.170.46.33 is a stepping stone
......
that
are
used
5
to
defend Hypotheses
the
network
consists of
Multiple Processes
l1  router failure
that detect
complex attacks
and anticipate
the next steps
Track 1
Track 1
Track 2
Track 2
Track 3
l2  worm
l3  scan
1
Track 30.8
Hypothesis 1
Hypothesis 2
2
that produce
Events
…….
Time
Real World
that
are
seen
as
4
Sample
Console
Track Score
1
Indictors and Warnings
that PQS resolves into
0.6
0.4
0.2
0
0
Unlabelled Sensor Reports
…….
Time
3
PQS
100
20
Service Degrada
Track
Scores
80
Discrete Source Separation Problem
(viz Blind Source Separation, “Cocktail Party” Problem)
Process/Model Example:
3 states + transition probabilities
n observable events: a,b,c,d,e,…
Pr( state | observable event ) given/known
Observed event sequence:
….abcbbbaaaababbabcccbdddbebdbabcbabe….
A Hypothesis
Catalog of
Processes/Models
A Track
Which combination of which process models “best” accounts
for the observations? This is what we want to compute. Events
not associated with a known process are “anomalies”.
Cybenko
81
Multiple Hypothesis Approach to the
"Discrete Source Separation Problem"
Obs1
Obs1
Obs2
Obs2
Hypothesis 1
.
.
.
Hypothesis 1a
Obs2
Obs1
Hypothesis 2
.
.
.
Observables at time t+1
"Solutions" at time t
Hypothesis 1b
82
Candidates at time t+1
Multiple Hypothesis Approach to the
"Discrete Source Separation Problem"
Score=79
Score=79
Obs1
Obs1
Obs1
Obs2
Obs2
Obs2
Hypothesis 1a
Hypothesis 1a
Hypothesis 1a
Score=43
Score=43
Obs2
Obs2
Obs2
Obs1
Obs1
Obs1
Hypothesis 1b
Hypothesis 1b
Hypothesis 1b
83
Candidates at time t+1
"Scores" at time t+1
Prune hypotheses
Terminology
Tracks are associations of observations to individual
processes.
Hypotheses are consistent tracks that explain all the
observables.
Hypothesis extension is the conjectural assignment of new
observations to existing hypotheses.
Track initiation is the instantiation of a new process in a
hypothesis' extension.
Handling missed detections means that an intermediate
observation may have been dropped.
84
Cybenko
A Simple Example of Process Detection
a,b,c,d are events that can be observed
{a}
{b}
{b,c}
{c,d}
A
B
C
D
NETWORK WORM MODEL (NW)
(a,b,c,d ICMP traffic levels)
{a}
E
{b}
F
• a,b,c,d are events that can be observed
• states A, B, C, D, E, F are hidden
• observe a sequence of events
Sequence
Hypotheses
• ab
NW | RF
• abab
(NW & NW)|(RF&NW)...
E,F = 0
• ababc
(NW & RF)|(NW & NW)
repeat
• ababcc
read eventNW
e & NW
if e==a then E
• Which process
or combination
of
if E and e==b
then F
until F
processes
explains the observed events?
ROUTER FAILURE MODEL (RF)
Two models; states have different semantics;
sets of observables intersect – what is the “diagnosis”?85
Cybenko
Add Rules for Missed Detections and
Disambiguation
{a}
{b}
{b,c}
{c,d}
A
B
C
D
WORM MODEL
(a,b,c,d ICMP traffic levels)
A,B,C,D = 0
repeat
read event e
if e==a then A
if A and e==b then B
if A and e==c then C,D
if A and e==d then D
if B and (e==b or e==c) then C
if C then (E=0, F=0)
if C and (e==c or e==d) then D
if D then (E=0, F=0)
until D
Blue statements handle
missed detections
Red statements handle
consistency
This clearly does not scale and does not lead to
manageable sets/systems of rules.
Cybenko
86
Approaches to Detecting Processes
• Aristotelian - Traditional information retrieval is based
on specification of a query in terms of Boolean
expressions based on record fields. IE. SQL ( name =
“smith” & age > 20 & age < 40 ) + rule-based logics +
decision trees, etc
• Newtonian - Next generation process detection
requires retrieval based on specification of a set of
discrete, dynamic processes. IE, descriptions of a
Hidden Markov Model, Hidden Petri Net, weak models,
FSMs, attack trees, etc.
Main Concept: Move from an Aristotelian to a
Newtonian Paradigm.
Cybenko
87
Process Query Systems (PQS)
• Process Query Systems solve the Discrete
Source Separation Problem in a generic way:
– inputs
• a sequence of unlabelled observations (stream, logfiles, etc)
• a collection of process models
– outputs
• estimates of which processes produced those observations
• estimates of which states those processes are in
• Basic theory and technology has been developed
by the PQS team at Dartmouth
• Now being applied to a variety of applications
88
Cybenko
Algorithms/Operations of PQS
2
Track
Track
Manage
Hypotheses
(MHT)
Subscribed
Data
Arrives
Hypothesis 1
4
Track
Track
Track
Track
Track
Tracks Track
Track
Tracks
Tracks
Track
Tra
cks
Tracks
Tracks
Track
Track
Tracks
Tra
cks
Hypothesis
Pool
Track
Tra
cks
Tra
cks
Tracks
Hypothesis n
Build or
Learn
Models
1
Recursive in Time
Cybenko
Track
Update Tracks Within
Hypotheses (Viterbi / Kalman /
NDFA,etc) and Create New Hypotheses
3
5
Evaluate
Solutions
and
Process
Outputs
89
The COBOL and pre-PQS Analogy
…
application logic statement 1;
application logic statement 2;
file management statement 1;
record management statement 1;
file management statement 2;
record management statement 2;
application logic statement 3;
record management statement 3;
file management statement 3;
application logic statement 4;
…
User responsibility
System responsibility
…
application logic statement 1;
application logic statement 2;
SQL statement 1;
application logic statement 3;
SQL statement 2;
application logic statement 4;
…
…
file management operation 1;
record management operation 1;
file management operation 2;
record management operation 2;
record management operation 3;
file management operation 3;
…
+
Application logic
Database management system
Interwoven logic
Post-SQL Programs
Pre-SQL Programs
…
model logic statement 1;
model logic statement 2;
sensor access statement 1;
state estimate statement 1;
sensor access statement 2;
state estimate statement 2;
model logic statement 3;
sensor access statement 3;
state estimate statement 3;
model logic statement 4;
…
User responsibility
System responsibility
…
model description statement 1;
model description statement 2;
model description statement 3;
model description statement 4;
…
…
sensor access statement 1;
state estimate statement 1;
sensor access statement 2;
state estimate statement 2;
sensor access statement 3;
state estimate statement 3;
…
Model description
Interwoven logic
Current Process Detection Programs
+
Process query system
90
PQS-based Programs
Network Security
(V. Berk, I. De Souza, A. Bersamian, A. Giani, M.
Bates, D. Madory, G. Bakos, et al)
• Objective:
Detect, disambiguate, and predict the course
of concerted network attacks in an
enterprise class network.
• Why:
Problem domain demands the power of PQS
– Hundreds of “processes” occurring at once
– Lots of missed observations and noise
– All commercial technology focuses on collection
and presentation of data
– Existing correlation efforts very weak at best
Cybenko
91
SENSORS INTEGRATED
SENSOR
DESCRIPTION
DIB:s
Dartmouth ICMP-T3 Bcc: System
CovChan
Timing Covert Channel Detection
Snort
Signature Matching IDS
IPtables
Linux Netfilter firewall, log based
Samba
SMB server - file access reporting
Weblog
IIS, Apache, SSL error logs, …
US-agent
Userspace host monitoring agent
Tripwire
Host filesystem integrity checker
SCOPE
Global
Network
Host
92
Cybenko
Example of a Multistage Process Model
Potential malicious activity
snort alerts
Potential normal activity
Scanned
Data Access
Samba
Start/Normal
Tripwire
Infected
ftp, covert channel, etc
Exfiltration
93
Cybenko
PQS-Net supply chain
Tier 1 Models
• Focus on individual host
status
• Report on status changes
Tier 2 Models
• Focus on correlating host
activity
• Report chains of events
Tier 1 Output
Tier 2 Output
Mon Feb 21 20:06:17 2005 000000 131.58.63.160
(hostile) recon on 100.10.20.4 SNORT 469
proto: 1
Hypothesis 1
Score: 0.8
Hypothesis 2
Score 0.2
A scans B
A scans B
Mon Feb 21 20:30:24 2005 000000 138.158.170.45
(hostile) attacked 100.10.20.4 ERRORLOG 400
proto: 6 dport: 443
B scans E
B attacks E
sensor data
sensors
Cybenko
Tier 1
Tracker
Attack steps
Tier 2
Tracker
Attack sequences
and scores
94
Analyst’s front-end
Example Scenario
Internet
A
C
D
B
E
Tier1 Alerts
Indicators
A scans B
Snort:
02/21-20:06:17.904500 [**] [1:469:1] ICMP PING NMAP [**] [Classification:
Attempted Information Leak] [Priority: 2] {ICMP} 131.58.63.160 -> 100.10.20.4
C attacks B
(success)
SSL error log (host 100.10.20.4):
[Mon Feb 21 20:30:24 2005] [error] mod_ssl: SSL handshake failed (server
www.osis.gov:443, client 138.185.170.45) (OpenSSL library error follows)
[Mon Feb 21 20:30:24 2005] [error] OpenSSL:
error:1406908F:lib(20):func(105):reason(143)
95
Cybenko
Example Cont’d
D
B
E
Tier1 Alerts
Indicators
B scans D
02/21-20:31:17.528602 [**] [1:1807:2] WEB-MISC Chunked-Encoding
transfer attempt [**] [Classification: Web Application Attack] [Priority: 1]
{TCP} 100.10.20.4:34074 -> 100.10.20.169:80
B attacks D (fails)
B scans E
B attacks E
(succeeds)
Cybenko
100.20.1.169 - - [21/Feb/2005:08:31:22 -0500] "GET
/default.idq?AAAAAAAAAAA………..AAAAAAA HTTP/1.1" 404 1287 "-" "-"
02/21-20:32:01.622465 [**] [1:1807:2] WEB-MISC Chunked-Encoding
transfer attempt [**] [Classification: Web Application Attack] [Priority: 1]
{TCP} 100.10.20.4:34076 -> 100.10.20.170:80
100.20.1.170 - - [21/Feb/2005:08:32:06 -0500] "GET
/default.idq?AAAAAAAAAAA………..AAAAAAA HTTP/1.1" 200 1287 "-" "-"
96
Results
Dataset:
3s8
3s26
3s28
3s29
22930
18391
12522
39270
4830
5959
1159
8168
11751
7284
7006
19866
Lines in weblogs (apache,
IIS)
6349
5148
4357
11236
Number of tracks produced
100
75
51
107
Attack Tracks not in ground
truth
1
0
0
0
Attackers identified
3 of 3
4 of 4
0 of 2
3 of 5
Decoys found
5 of 5
2 of 2
2 of 2
6 of 6
Victims identified
2 of 2
2 of 2
1 of 2
10 of 11
Stepping stones identified
1 of 1
1 of 1
1 of 2
297of 3
#Alerts
Lines in trunk_alert
Lines in snort files
generated from tcpdump
Autonomic Server Monitoring
(C. Roblee, V. Berk)
Funded by DHS
98
Cybenko
Autonomic Server Monitoring
• Objective:
Detect and predict deteriorating service
situations
• Why:
Another strong example of the power of PQS
– Software and hardware are buggy and vulnerable
– Hot market, large profits for “The ONE” application
– Very ambiguous observations
– Sys-admins also want vacation
99
Cybenko
The Environment
• Hundreds of servers and services
• Various non-intrusive sensors check for:
–
–
–
–
–
–
–
CPU load
Memory footprint
Process table (forking behavior)
Disk I/O
Network I/O
Service query response times
Suspicious network activities (i.e.. Snort)
• Models describe the kinematics of failures and
attacks:
The model evaluates load balancing problems, memory leaks,
suspicious forking behavior (like /bin/sh), service hiccups
correlated with network attacks…
Cybenko
100
Server Compromise Model:
Generic Attack Scenario
2.
Monitored host sensor output (system level)
3.
PQS Tracker Output
Current system record for host 10.0.0.24 (10 records):
Average memory over previous 10 samples: 251.000
Average CPU over previous 10 samples: 0.970
| time
| mem used | CPU load | num procs | flag |
---------------------------------------------------------------------------------| 1101094903 |
251
|
0.970
|
64
|
|
| 1101094911 |
252
|
0.820
|
64
|
|
| 1101094920 |
251
|
0.920
|
64
|
|
| 1101094928 |
251
|
0.930
|
64
|
|
| 1101094937 |
251
|
0.870
|
65
|
|
| 1101094946 |
251
|
0.970
|
65
|
|
| 1101094955 |
251
|
0.820
|
65
|
|
| 1101094964 |
253
|
1.220
|
65
| ! |
| 1101094973 |
255
|
1.810
|
65
| ! |
| 1101094982 |
258
|
2.470
|
65
| ! |
1.
Last Modified:
Mon Nov 21 21:01:03
Model Name:
server_compromise1
Likelihood:
0.9182
Target:
10.0.0.24
Optimal Response: SIGKILL proc 6992
o1 o2 o3
Snort NIDS sensor output
..
.
Nov 21 20:57:16 [10.0.0.6] snort: [1:613:7]
SCAN myscan [Classification: attempted-recon] [Priority: 2]:
{TCP} 212.175.64.248-> 10.0.0.24
..
.
Cybenko
o1
SIGKILL
t0
t4
101
Response
t 1 t2 t3
Observations
Experimental Results:
Tracking
400000
400000
350000
350000
Total Successful Requests
Total Successful Requests
No Tracking
300000
250000
200000
150000
100000
300000
250000
200000
150000
100000
50000
50000
0
0
0
100
200
300
400
500
0
100
200
300
400
500
Time (s)
Time (s)
100
100
90
90
80
80
% System Memory Used
% System Memory Used
Successful Requests
70
60
50
40
30
20
10
70
60
50
40
30
20
10
0
0
0
100
200
300
Time (s)
210,000 requests serviced
Cybenko
400
500
0
100
200
300
400
500
Time (s)
System Memory Consumed
380,000 requests serviced
102
Chemical Plume
Process Detection
Funded by DHS
Glenn Nofsinger
103
The Forward Problem
c( x, y, t )
Concentration in a 2D region as a function of time:
Ficks Law (diffusion) +
Concentration equation composed
of diffusion and advection
c
t
 c
2
 Dx
Forward model result:
• arbitrary initial sources
• pseudo-random wind
• includes diffusion and wind
x
2
Advection (wind)
 c
2
 Dy
y
2
 Vd (
c
x

c
y
104
)
Current technology on DC Mall.
Future sensors will be smaller and greater in number, with a need for
measurement correlation.
105
Multiple Source Case With Terrain:
Connectivity determined by wind and geography
Source 1
Connectivity
Source 2
source
high
low
Wind
sensor
106
Multiple Source Case With Terrain:
Connectivity determined by wind and geography
Source 1
Connectivity
Source 2
source
high
low
Wind
sensor
107
Inverse Source Likelihood
Estimating the probability that a sensor observation is
generated by a source at a given location. Based on wind
direction history and diffusion properties of agent.
wind
sensors
S
S
sources
108
Correlation Between Observations
at Different Locations
Forward Likelihood of Observations
100
Picking any two
sensors we evaluate
a probability that the
observation at that
sensor is connected
to observations at
different sensors in
the region. This is a
function of wind
history, distance,
and diffusion
properties.
90
wind
80
70
60
50
40
30
20
10
0
109
0
5
10
15
20
25
30
35
40
45
50
55
60
65
70
75
80
85
90
95
Source Estimation Compared to
True Source Location
Estimated Source based on inverse
correlation of plume observations
and tracks
Forward Simulation
159.4
182
170
111.0
98.7
160
150
74.0
61.7
49.3
37.0
24.7
12.3
0.0
140
130
120
110
100
90
80
70
60
50
40
30
20
110
10
0
0
10
20
30
40
50
60
70
80
90
100 110 120 130 140
150 160 170
182
Social Network Analysis
Comparison of Static vs Dynamic
(W. Chung, R. Savell, J.-P. Schuett)
Temporal sequence of transactions
Time
Analyze projected, non-temporal data
Projection
removes
temporal
relationships
Analysis
of
Static
Artifacts
Temporal sequence of transactions
Time
Analysis of
temporal
aspects of
transactions
Extraction
of
Dynamic
Processes
111
Process Primitives
Decay kernel correlates potentially related emails - eg. links
Functional roles based on conversation segments shown below
A. Initiator
B. Broker
C. Bridge
D. Triad
E. Terminator
112
Combining Primitives into
Processes
P(t'-t) > f
P(t''-t') > f
P(t'''-t'') < f
t'
t
t''
X
t'''
Probabilities of temporal
relationships are used to
grow tracks
113
Methodology Details
1. Crude Naïve Bayes Text
Classification w/ Temporal
Correlations to isolate coarse
2. Local structure via Process
Primitives on the Dynamic
Social Network.
thread.
114
Theory
• PQS offer a principled approach that
enables
– understanding how distinguishable models
(attack and failure) are
– developing a notion of processes that are
“trackable,” given models and sensing
infrastructure (ie a “sampling theory”)
115
Hypothesis Growth
A “hypothesis” is a consistent
assignment of events to
processes and/or states(ie,
each event assigned to only
one process instance).
Given a set of “hypotheses”
for an event stream of length
k-1, update the hypotheses to
length k to explain the new
event.
NP-Complete in general.
Need to prune the pool of
hypotheses, keeping the
most suitable.
time
Individual path is
a “track” – ie one
process instance
Consistent tracks
form a “hypothesis”
116
Models and Hypothesis Growth
“Weak” model
FSM with “emission”
vectors
Emission for state i = 0/1 vector of sensor reports
eg obs(i) = ( 0 , 1 , 1 , 0 , 0 , 1 , 1 )
Observation vector at time t collected by
sensors: eg sensors(t) = ( 0 , 1 , 1 , 1 , 1 , 1 , 0 )
Possible states at time t are determined by:
P = { i | Hamming_distance( obs(i) , sensors(t)) <= HD }
R = { i | j possible at time t - 1 and i is reachable from j }
U
P
R is the set of possible states at time t
Number of hypotheses at time t recursively computed as above.
Theorem: For a fixed value of HD, the worst-case number of hypotheses
at time t is either polynomial or exponential in t.
(Crespi, Cybenko, Jiang 2005)
117
Longer
tracking
time
More noise
(worse model)
Oh, %#&@!!
Nice Demo!!
118
Poor
Models
and
Sensor
Coverage
Longer
tracking
time
More noise
(worse model)
Excellent
Models
and
Sensor
Coverage
Acceptable
Models
and
Sensor
Coverage
119
Basic Idea Behind the Proof
N states
time t
time t+1
time t+2
time k
Process dynamics (ie what is reachable from each state in a time step)
+ observations + noise threshold determines a “trellis”. If there are two
distinct paths from one node to itself over some period of time, the
number of distinct paths grows exponentially by repeating the construct.
120
Basic Idea Behind the Proof
N states
time t
time t+1
time t+2
time k
If there are never two distinct paths from any node to itself over any
period of observation, there is a simple injective mapping (ie. unique
labeling) of the paths into {0, 1, ... , k} x {0, 1, ... , k} x {0, 1, ... , k} ... x
{0, 1, ... , k} 2N times. So the number of paths is < (k+1)2N. The label
for each path is the time it first occupies a state and the time it last
occupies that state.
121
Relationship to Joint Spectral Radius
122
New Ideas for Large-Scale Hypothesis
Management
• Data structures for maintaining one copy of many
hypotheses that are variants of one another
• Viewing the set of hypotheses as the solution (instead of
the highest ranked hypothesis eg)
– propagating the set can be done in linear space, constant time
– some properties of the set of hypotheses can be computed in
constant time, others in linear time, others seem to require
exponentially much time and/or space, etc.
• Development of a “nonparametric” approach to tracking
and Situational Awareness, not unlike nonparametric
statistical techniques (order statistics, etc)
• Reduce dependencies on probabilistic parameters and
model building
123
Distinguishability of models
(Yong Sheng)
• Given two “models”, how distinguishable
are they?
• Example: Model of router failure vs worm
attack?
• Do we need to build more refined models
or do we need to add additional
sensors/data sources?
124
Different degrees of distinguishability between
models given sensing capabilities (eg DDOS vs router failure)
Red: Prob of deciding model 2 given model 1
Blue: Prob of deciding model 1 given model 2
Entropy of the two ergodic models are different.
Decision rule is based on ML as determined by
the Viterbi algorithm
Shannon-MacMillan-Brieman Ergodic Theorem
states that “most” observation sequences
are “typical” and have probability
related to the entropy
125
Different degrees of distinguishability between
models given sensing capabilities (eg DDOS vs router failure)
However, nonmonotonic behaviors are possible
(in general) and without convergence to zero
(if the entropies are the same)
126
Different degrees of distinguishability between
models given sensing capabilities (eg DDOS vs router failure)
However, nonmonotonic behaviors are possible
(in general) and without convergence to zero
(if the entropies are the same)
127
Where do models come from?
• In practice, we build models of processes by:
– First principles – ie, symmetry, physical laws, etc.
– “Expert” models/rules/experience – ie, chess playing
computers, military tactics, etc
– Empirical analysis (from real or simulated data) – ie.
backgammon, stock market models, etc.
• Process Query Markup Language developed and
almost implemented – allows rapid insertion of
new attack models into PQS
128
PQS INPUTS: PROCESS MODEL SEMANTICS
AND SENSOR DATA REQUIREMENTS
Failed
Failed
A
A
0.03
0.05
alert icmp $EXTERNAL_NET any ->
$HOME_NET any (msg:"ICMP
Destination Unreachable (Host
Unreachable)"; itype: 3; icode: 1;
sid:399; classtype:misc-activity;
rev:4;)
Rules +
signatures, etc
Represent
Marginal
B
C
Normal
Reachability
(weak)
Models
Compile
Execute
Learn
Marginal
if (src_ip_new.equals(src_ip_track))
{
if (IPv4_in_CIDR_ints (208,253,154,0, 24,
src_ip_new) == true)
{
// local?
new_likelihood = new Likelihood ((0.90f +
likelihood.getProbability())/2.0f);
}
else
{
// Else don’t care
new_likelihood = new Likelihood (0.0);
}
B
0.2
C
Normal
0.9
Probabilistic Models
(HMM, Bayes Nets,
Fuzzy models, etc)
Compile
Code
129
More details....
[email protected]
See www.pqsnet.net
130
Descargar

Process Detection - Dartmouth College