Complete volume in PDF
Transcription
Complete volume in PDF
Advances in Soft Computing Editor-in-Chief: J. Kacprzyk 53 Advances in Soft Computing Editor-in-Chief Prof. Janusz Kacprzyk Systems Research Institute Polish Academy of Sciences ul. Newelska 6 01-447 Warsaw Poland E-mail: [email protected] Further volumes of this series can be found on our homepage: springer.com Bernd Reusch, (Ed.) Computational Intelligence, Theory and Applications, 2006 ISBN 978-3-540-34780-4 Jonathan Lawry, Enrique Miranda, Alberto Bugarín Shoumei Li, María Á. Gil, Przemysław Grzegorzewski, Olgierd Hryniewicz, Soft Methods for Integrated Uncertainty Modelling, 2006 ISBN 978-3-540-34776-7 Ashraf Saad, Erel Avineri, Keshav Dahal, Muhammad Sarfraz, Rajkumar Roy (Eds.) Soft Computing in Industrial Applications, 2007 ISBN 978-3-540-70704-2 Bing-Yuan Cao (Ed.) Fuzzy Information and Engineering, 2007 ISBN 978-3-540-71440-8 Patricia Melin, Oscar Castillo, Eduardo Gómez Ramírez, Janusz Kacprzyk, Witold Pedrycz (Eds.) Analysis and Design of Intelligent Systems Using Soft Computing Techniques, 2007 ISBN 978-3-540-72431-5 Oscar Castillo, Patricia Melin, Oscar Montiel Ross, Roberto Sepúlveda Cruz, Witold Pedrycz, Janusz Kacprzyk (Eds.) Theoretical Advances and Applications of Fuzzy Logic and Soft Computing, 2007 ISBN 978-3-540-72433-9 Katarzyna M. W˛egrzyn-Wolska, Piotr S. Szczepaniak (Eds.) Advances in Intelligent Web Mastering, 2007 ISBN 978-3-540-72574-9 Emilio Corchado, Juan M. Corchado, Ajith Abraham (Eds.) Innovations in Hybrid Intelligent Systems, 2007 ISBN 978-3-540-74971-4 Marek Kurzynski, Edward Puchala, Michal Wozniak, Andrzej Zolnierek (Eds.) Computer Recognition Systems 2, 2007 ISBN 978-3-540-75174-8 Van-Nam Huynh, Yoshiteru Nakamori, Hiroakira Ono, Jonathan Lawry, Vladik Kreinovich, Hung T. Nguyen (Eds.) Interval / Probabilistic Uncertainty and Non-classical Logics, 2008 ISBN 978-3-540-77663-5 Ewa Pietka, Jacek Kawa (Eds.) Information Technologies in Biomedicine, 2008 ISBN 978-3-540-68167-0 Didier Dubois, M. Asunción Lubiano, Henri Prade, María Ángeles Gil, Przemysław Grzegorzewski, Olgierd Hryniewicz (Eds.) Soft Methods for Handling Variability and Imprecision, 2008 ISBN 978-3-540-85026-7 Juan M. Corchado, Francisco de Paz, Miguel P. Rocha, Florentino Fernández Riverola (Eds.) 2nd International Workshop on Practical Applications of Computational Biology and Bioinformatics (IWPACBB 2008), 2009 ISBN 978-3-540-85860-7 Juan M. Corchado, Sara Rodriguez, James Llinas, Jose M. Molina (Eds.) International Symposium on Distributed Computing and Artificial Intelligence 2008 (DCAI 2008), 2009 ISBN 978-3-540-85862-1 Juan M. Corchado, Dante I. Tapia, José Bravo (Eds.) 3rd Symposium of Ubiquitous Computing and Ambient Intelligence 2008, 2009 ISBN 978-3-540-85866-9 Erel Avineri, Mario Köppen, Keshav Dahal, Yos Sunitiyoso, Rajkumar Roy (Eds.) Applications of Soft Computing, 2009 ISBN 978-3-540-88078-3 Emilio Corchado, Rodolfo Zunino, Paolo Gastaldo, Álvaro Herrero (Eds.) Proceedings of the International Workshop on Computational Intelligence in Security for Information Systems CISIS 2008, 2009 ISBN 978-3-540-88180-3 Emilio Corchado, Rodolfo Zunino, Paolo Gastaldo, Álvaro Herrero (Eds.) Proceedings of the International Workshop on Computational Intelligence in Security for Information Systems CISIS 2008 ABC Editors Prof. Dr. Emilio S. Corchado Área de Lenguajes y Sistemas Informáticos Departamento de Ingeniería Civil Escuela Politécnica Superior Universidad de Bugos Campus Vena C/ Francisco de Vitoria s/n E-09006 Burgos Spain E-mail: [email protected] Prof. Rodolfo Zunino DIBE–Department of Biophysical and Electronic Engineering University of Genova Via Opera Pia 11A 16145 Genova Italy E-mail: [email protected] ISBN 978-3-540-88180-3 Paolo Gastaldo DIBE–Department of Biophysical and Electronic Engineering University of Genova Via Opera Pia 11A 16145 Genova Italy E-mail: [email protected] Álvaro Herrero Área de Lenguajes y Sistemas Informáticos Departamento de Ingeniería Civil Escuela Politécnica Superior Universidad de Bugos Campus Vena C/ Francisco de Vitoria s/n E-09006 Burgos Spain E-mail: [email protected] e-ISBN 978-3-540-88181-0 DOI 10.1007/978-3-540-88181-0 Advances in Soft Computing ISSN 1615-3871 Library of Congress Control Number: 2008935893 c 2009 Springer-Verlag Berlin Heidelberg This work is subject to copyright. All rights are reserved, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation, broadcasting, reproduction on microfilm or in any other way, and storage in data banks. Duplication of this publication or parts thereof is permitted only under the provisions of the German Copyright Law of September 9, 1965, in its current version, and permission for use must always be obtained from Springer. Violations are liable for prosecution under the German Copyright Law. The use of general descriptive names, registered names, trademarks, etc. in this publication does not imply, even in the absence of a specific statement, that such names are exempt from the relevant protective laws and regulations and therefore free for general use. Typeset & Cover Design: Scientific Publishing Services Pvt. Ltd., Chennai, India. Printed in acid-free paper 543210 springer.com Preface The research scenario in advanced systems for protecting critical infrastructures and for deeply networked information tools highlights a growing link between security issues and the need for intelligent processing abilities in the area of information systems. To face the ever-evolving nature of cyber-threats, monitoring systems must have adaptive capabilities for continuous adjustment and timely, effective response to modifications in the environment. Moreover, the risks of improper access pose the need for advanced identification methods, including protocols to enforce computersecurity policies and biometry-related technologies for physical authentication. Computational Intelligence methods offer a wide variety of approaches that can be fruitful in those areas, and can play a crucial role in the adaptive process by their ability to learn empirically and adapt a system’s behaviour accordingly. The International Workshop on Computational Intelligence for Security in Information Systems (CISIS) proposes a meeting ground to the various communities involved in building intelligent systems for security, namely: information security, data mining, adaptive learning methods and soft computing among others. The main goal is to allow experts and researchers to assess the benefits of learning methods in the data-mining area for information-security applications. The Workshop offers the opportunity to interact with the leading industries actively involved in the critical area of security, and have a picture of the current solutions adopted in practical domains. This volume of Advances in Soft Computing contains accepted papers presented at CISIS’08, which was held in Genova, Italy, on October 23rd–24th, 2008. The selection process to set up the Workshop program yielded a collection of about 40 papers. This allowed the Scientific Committee to verify the vital and crucial nature of the topics involved in the event, and resulted in an acceptance rate of about 60% of the originally submitted manuscripts. CISIS’08 has teamed up with the Journal of Information Assurance and Security (JIAS) and the International Journal of Computational Intelligence Research (IJCIR) for a suite of special issues including selected papers from CISIS’08. The extended papers, together with contributed articles received in response to subsequent open calls, will go through further rounds of peer refereeing in the remits of these two journals. We would like to thank the work of the Programme Committee Members who performed admirably under tight deadline pressures. Our warmest and special thanks go to the Keynote Speakers: Dr. Piero P. Bonissone (Coolidge Fellow, General Electric Global Research) and Prof. Marios M. Polycarpou (University of Cyprus). Prof. Vincenzo Piuri, former President of the IEEE Computational Intelligence Society, provided invaluable assistance and guidance in enhancing the scientific level of the event. VI Preface Particular thanks go to the Organising Committee, chaired by Dr. Clotilde Canepa Fertini (IIC) and composed by Dr. Sergio Decherchi, Dr. Davide Leoncini, Dr. Francesco Picasso and Dr. Judith Redi, for their precious work and for their suggestions about organisation and promotion of CISIS’08. Particular thanks go as well to the Workshop main Sponsors, Ansaldo Segnalamento Ferroviario Spa and Elsag Datamat Spa, who jointly contributed in an active and constructive manner to the success of this initiative. We wish to thank Prof. Dr. Janusz Kacprzyk (Editor-in-chief), Dr. Thomas Ditzinger (Senior Editor, Engineering/Applied Sciences) and Mrs. Heather King at Springer-Verlag for their help and collaboration in this demanding scientific publication project. We thank as well all the authors and participants for their great contributions that made this conference possible and all the hard work worthwhile. October 2008 Emilio Corchado Rodolfo Zunino Paolo Gastaldo Álvaro Herrero Organization Honorary Chairs Gaetano Bignardi – Rector, University of Genova (Italy) Giovanni Bocchetti – Ansaldo STS (Italy) Michele Fracchiolla – Elsag Datamat (Italy) Vincenzo Piuri – President, IEEE Computational Intelligence Society Gianni Vernazza – Dean, Faculty of Engineering, University of Genova (Italy) General Chairs Emilio Corchado – University of Burgos (Spain) Rodolfo Zunino – University of Genova (Italy) Program Committee Cesare Alippi – Politecnico di Milano (Italy) Davide Anguita – University of Genoa (Italy) Enrico Appiani – Elsag Datamat (Italy) Alessandro Armando – University of Genova (Italy) Piero Bonissone – GE Global Research (USA) Juan Manuel Corchado – University of Salamanca (Spain) Rafael Corchuelo – University of Sevilla (Spain) Andre CPLF de Carvalho – University of São Paulo (Brazil) Keshav Dehal – University of Bradford (UK) José Dorronsoro – Autonomous University of Madrid (Spain) Bianca Falcidieno – CNR (Italy) Dario Forte – University of Milano Crema (Italy) Bogdan Gabrys – Bournemouth University (UK) Manuel Graña – University of Pais Vasco (Spain) Petro Gopych – V.N. Karazin Kharkiv National University (Ukraine) Francisco Herrera – University of Granada (Spain) R.J. Howlett – University of Brighton (UK) Giacomo Indiveri – ETH Zurich (Switzerland) Lakhmi Jain – University of South Australia (Australia) Janusz Kacprzyk – Polish Academy of Sciences (Poland) VIII Organization Juha Karhunen – Helsinki University of Technology (Finland) Antonio Lioy – Politecnico di Torino (Italy) Wenjian Luo – University of Science and Technology of China (China) Nadia Mazzino – Ansaldo STS (Italy) José Francisco Martínez – INAOE (Mexico) Ermete Meda – Ansaldo STS (Italy) Evangelia Tzanakou – Rutgers University (USA) José Mira – UNED (Spain) José Manuel Molina – University Carlos III of Madrid (Spain) Witold Pedrycz – University of Alberta (Canada) Dennis K Nilsson – Chalmers University of Technology (Sweden) Tomas Olovsson – Chalmers University of Technology (Sweden) Carlos Pereira – Universidade de Coimbra (Portugal) Kostas Plataniotis – University of Toronto (Canada) Fernando Podio – NIST (USA) Marios Polycarpou – University of Cyprus (Cyprus) Jorge Posada – VICOMTech (Spain) Perfecto Reguera – University of Leon (Spain) Bernardete Ribeiro – University of Coimbra (Portugal) Sandro Ridella – University of Genova (Italy) Ramón Rizo – University of Alicante (Spain) Dymirt Ruta – British Telecom (UK) Fabio Scotti – University of Milan (Italy) Kate Smith-Miles – Deakin University (Australia) Sorin Stratulat – University Paul Verlaine – Metz (France) Carmela Troncoso – Katholieke Univ. Leuven (Belgium) Tzai-Der Wang – Cheng Shiu University (Taiwan) Lei Xu – Chinese University of Hong Kong (Hong Kong) Xin Yao – University of Birmingham (UK) Hujun Yin – University of Manchester (UK) Alessandro Zanasi – TEMIS (France) David Zhang – Hong Kong Polytechnic University (Hong Kong) Local Arrangements Bruno Baruque – University of Burgos Andrés Bustillo – University of Burgos Clotilde Canepa Fertini – International Institute of Communications, Genova Leticia Curiel – University of Burgos Sergio Decherchi – University of Genova Paolo Gastaldo – University of Genova Álvaro Herrero – University of Burgos Francesco Picasso – University of Genova Judith Redi – University of Genova Contents Computational Intelligence Methods for Fighting Crime An Artificial Neural Network for Bank Robbery Risk Management: The OS.SI.F Web On-Line Tool of the ABI Anti-crime Department Carlo Guazzoni, Gaetano Bruno Ronsivalle . . . . . . . . . . . . . . . . . . . . . . . . . . 1 Secure Judicial Communication Exchange Using Softcomputing Methods and Biometric Authentication Mauro Cislaghi, George Eleftherakis, Roberto Mazzilli, Francois Mohier, Sara Ferri, Valerio Giuffrida, Elisa Negroni . . . . . . . . . . . . . . . . . . . . . . . . . . 11 Identity Resolution in Criminal Justice Data: An Application of NORA Queen E. Booker . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19 PTK: An Alternative Advanced Interface for the Sleuth Kit Dario V. Forte, Angelo Cavallini, Cristiano Maruti, Luca Losio, Thomas Orlandi, Michele Zambelli . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27 Text Mining and Intelligence Stalker, a Multilingual Text Mining Search Engine for Open Source Intelligence F. Neri, M. Pettoni . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35 Computational Intelligence Solutions for Homeland Security Enrico Appiani, Giuseppe Buslacchi . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43 Virtual Weapons for Real Wars: Text Mining for National Security Alessandro Zanasi . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53 X Contents Hypermetric k-Means Clustering for Content-Based Document Management Sergio Decherchi, Paolo Gastaldo, Judith Redi, Rodolfo Zunino . . . . . . . . . 61 Critical Infrastructure Protection Security Issues in Drinking Water Distribution Networks Demetrios G. Eliades, Marios M. Polycarpou . . . . . . . . . . . . . . . . . . . . . . . . . 69 Trusted-Computing Technologies for the Protection of Critical Information Systems Antonio Lioy, Gianluca Ramunno, Davide Vernizzi . . . . . . . . . . . . . . . . . . . . 77 A First Simulation of Attacks in the Automotive Network Communications Protocol FlexRay Dennis K. Nilsson, Ulf E. Larson, Francesco Picasso, Erland Jonsson . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84 Wireless Sensor Data Fusion for Critical Infrastructure Security Francesco Flammini, Andrea Gaglione, Nicola Mazzocca, Vincenzo Moscato, Concetta Pragliola . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92 Development of Anti Intruders Underwater Systems: Time Domain Evaluation of the Self-informed Magnetic Networks Performance Osvaldo Faggioni, Maurizio Soldani, Amleto Gabellone, Paolo Maggiani, Davide Leoncini . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100 Monitoring and Diagnosing Railway Signalling with Logic-Based Distributed Agents Viviana Mascardi, Daniela Briola, Maurizio Martelli, Riccardo Caccia, Carlo Milani . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108 SeSaR: Security for Safety Ermete Meda, Francesco Picasso, Andrea De Domenico, Paolo Mazzaron, Nadia Mazzino, Lorenzo Motta, Aldo Tamponi . . . . . . . . 116 Network Security Automatic Verification of Firewall Configuration with Respect to Security Policy Requirements Soutaro Matsumoto, Adel Bouhoula . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123 Contents XI Automated Framework for Policy Optimization in Firewalls and Security Gateways Gianluca Maiolini, Lorenzo Cignini, Andrea Baiocchi . . . . . . . . . . . . . . . . . . 131 An Intrusion Detection System Based on Hierarchical Self-Organization E.J. Palomo, E. Domı́nguez, R.M. Luque, J. Muñoz . . . . . . . . . . . . . . . . . . . 139 Evaluating Sequential Combination of Two Genetic Algorithm-Based Solutions for Intrusion Detection Zorana Banković, Slobodan Bojanić, Octavio Nieto-Taladriz . . . . . . . . . . . . 147 Agents and Neural Networks for Intrusion Detection Álvaro Herrero, Emilio Corchado . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155 Cluster Analysis for Anomaly Detection Giuseppe Lieto, Fabio Orsini, Genoveffa Pagano . . . . . . . . . . . . . . . . . . . . . . 163 Statistical Anomaly Detection on Real e-Mail Traffic Maurizio Aiello, Davide Chiarella, Gianluca Papaleo . . . . . . . . . . . . . . . . . . 170 On-the-fly Statistical Classification of Internet Traffic at Application Layer Based on Cluster Analysis Andrea Baiocchi, Gianluca Maiolini, Giacomo Molina, Antonello Rizzi . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178 Flow Level Data Mining of DNS Query Streams for Email Worm Detection Nikolaos Chatzis, Radu Popescu-Zeletin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186 Adaptable Text Filters and Unsupervised Neural Classifiers for Spam Detection Bogdan Vrusias, Ian Golledge . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195 A Preliminary Performance Comparison of Two Feature Sets for Encrypted Traffic Classification Riyad Alshammari, A. Nur Zincir-Heywood . . . . . . . . . . . . . . . . . . . . . . . . . . 203 Dynamic Scheme for Packet Classification Using Splay Trees Nizar Ben-Neji, Adel Bouhoula . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211 XII Contents A Novel Algorithm for Freeing Network from Points of Failure Rahul Gupta, Suneeta Agarwal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 219 Biometry A Multi-biometric Verification System for the Privacy Protection of Iris Templates S. Cimato, M. Gamassi, V. Piuri, R. Sassi, F. Scotti . . . . . . . . . . . . . . . . . . 227 Score Information Decision Fusion Using Support Vector Machine for a Correlation Filter Based Speaker Authentication System Dzati Athiar Ramli, Salina Abdul Samad, Aini Hussain . . . . . . . . . . . . . . . . 235 Application of 2DPCA Based Techniques in DCT Domain for Face Recognition Messaoud Bengherabi, Lamia Mezai, Farid Harizi, Abderrazak Guessoum, Mohamed Cheriet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 243 Fingerprint Based Male-Female Classification Manish Verma, Suneeta Agarwal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251 BSDT Multi-valued Coding in Discrete Spaces Petro Gopych . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 258 A Fast and Distortion Tolerant Hashing for Fingerprint Image Authentication Thi Hoi Le, The Duy Bui . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 266 The Concept of Application of Fuzzy Logic in Biometric Authentication Systems Anatoly Sachenko, Arkadiusz Banasik, Adrian Kapczyński . . . . . . . . . . . . . . 274 Information Protection Bidirectional Secret Communication by Quantum Collisions Fabio Antonio Bovino . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 280 Semantic Region Protection Using Hu Moments and a Chaotic Pseudo-random Number Generator Paraskevi Tzouveli, Klimis Ntalianis, Stefanos Kollias . . . . . . . . . . . . . . . . . 286 Random r-Continuous Matching Rule for Immune-Based Secure Storage System Cai Tao, Ju ShiGuang, Zhong Wei, Niu DeJiao . . . . . . . . . . . . . . . . . . . . . . . 294 Contents XIII Industrial Perspectives nokLINK: A New Solution for Enterprise Security Francesco Pedersoli, Massimiliano Cristiano . . . . . . . . . . . . . . . . . . . . . . . . . . 301 SLA & LAC: New Solutions for Security Monitoring in the Enterprise Bruno Giacometti . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 309 Author Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 317 An Artificial Neural Network for Bank Robbery Risk Management: The OS.SI.F Web On-Line Tool of the ABI Anti-crime Department Carlo Guazzoni and Gaetano Bruno Ronsivalle* OS.SI.F - Centro di Ricerca dell'ABI per la sicurezza Anticrimine Piazza del Gesù 49 – 00186 Roma, Italy [email protected], [email protected] Abstract. The ABI (Associazione Bancaria Italiana) Anti-crime Department, OS.SI.F (Centro di Ricerca dell'ABI per la sicurezza Anticrimine) and the banking working group created an artificial neural network (ANN) for the Robbery Risk Management in Italian banking sector. The logic analysis model is based on the global Robbery Risk index of the single banking branch. The global index is composed by: the Exogenous Risk, related to the geographic area of the branch, and the Endogenous risk, connected to its specific variables. The implementation of a neural network for Robbery Risk management provides 5 advantages: (a) it represents, in a coherent way, the complexity of the "robbery" event; (b) the database that supports the AN is an exhaustive historical representation of Italian Robbery phenomenology; (c) the model represents the state of art of Risk Management; (d) the ANN guarantees the maximum level of flexibility, dynamism and adaptability; (e) it allows an effective integration between a solid calculation model and the common sense of the safety/security manager of the bank. Keywords: Risk Management, Robbery Risk, Artificial Neural Network, Quickprop, Logistic Activation Function, Banking Application, ABI, OS.SI.F., Anti-crime. 1 Toward an Integrated Vision of the “Risk Robbery” In the first pages of The Risk Management Standard1 - published by IRM2, AIRMIC3 and ALARM4 - the “risk” is defined as «the combination of the probability of an event and its consequences». Although simple and linear, this definition has many implications from a theoretical and pragmatic point of view. Any type of risk analysis shouldn't be limited to an evaluation of a specific event's probability without considering the effects, presumably negative, of the event. The correlation of these two concepts is not banal but, unfortunately, most Risk Management Models currently in use * Thanks to Marco Iaconis, Francesco Protani, Fabrizio Capobianco, Giorgio Corito, Riccardo Campisi, Luigi Rossi and Diego Ronsivalle for the scientific and operating support in the development of the theoretical model, and to Antonella De Luca for the translation of the paper. 1 http://www.theirm.org/publications/PUstandard.html 2 The Institute of Risk Management. 3 The Association of Insurance and Risk Managers. 4 The National Forum for Risk Management in the Public Sector. E. Corchado et al. (Eds.): CISIS 2008, ASC 53, pp. 1–10, 2009. springerlink.com © Springer-Verlag Berlin Heidelberg 2009 2 C. Guazzoni and G.B. Ronsivalle for banking security are characterized by low attention to these factors. In fact, they are often focused on the definition of methods and tools to foresee the “harmful event”' in probabilistic terms, without pay attention to the importance of a composed index considering the intensity levels of events that causally derive from this “harmful event”'. But then the little book of the above mentioned English Institutes, embraces an integrated vision of the Risk Management. It is related to a systemic and strategic meaning, giving a coherent description of data and defining the properties of the examined phenomenon. This wide vision provides explanatory hypothesis and, given a series of historical conditions, may foresee the probable evolutions of the system. Thanks to the joint effort of the inter-banking working group - coordinated by ABI and OS.SI.F -, the new support tool for the Robbery Risk Management takes into account this integrated idea of “risk”. In fact it represents the Risk Management process considering the strategic and organizational factors that characterize the phenomenon of robbery. Hence, it defines the role of the safety/security manager in the banking sector. The online software tool, indeed, integrates a general plan with a series of resources to attend the manager during the various phases of the decisional process scheduled by the standard IRM: 1. from the Robbery Risk mapping - articulated in analysis, various activities of identification, description and appraisal - to the risk evaluation; 2. from the Risk Reporting to the definition of threats and opportunities connected to the robbery; 3. from the decisional moment, supported by the simulation module (where we can virtually test the Risk Management and analyze the Residual Risk) to the phase of virtual and real monitoring5. The various functions are included in a multi-layers software architecture, composed by a database and a series of modules that elaborate the information to support the analysis of the risk and its components. In this way, the user can always retrace the various steps that gradually determine the Robbery Risk Global Index and its single relative importance, starting from the primary components of the risk, he/she can focus the attention on the minimum element of the organizational dimension. Thus, the analysis is focused on the complex relationship between the single banking branch that represents the system cell and unity of measurement - and the structure of relationships, connections, relevant factors from a local and national point of view. In this theoretical frame, the Robbery Risk is not completely identified with the mere probability that the event occurs. According with IRM standard, instead, it is also taken into account the possibility that the robbery may cause harms, as well as the combined probability that the event occurs and the possible negative consequences for the system may have a different intensity. 2 Exogenous Risk and Endogenous Risk According to the inter-banking working group, coordinated by OS.SI.F, which are the factors or the variables that compose and influence the robbery and its harmful effects? 5 ``The Risk Management Standard'', pp. 6-13. An Artificial Neural Network for Bank Robbery Risk Management 3 2.1 The Exogenous Risk The “Exogenous”' components include environment variables (from regional data to local detailed data), tied to the particular geographic position, population density, crime rate, number of general criminal actions in the area, as well as the “history”' and/or evolution of the relationship between the number of banking branches, the defense implementations and the Robbery Risk. So the mathematical function, that integrates these factors, must take into account the time variable. In fact it's essential to consider the influence of each variable according to the changes that occur at any time in a certain geographic zone. The analysis made up by the working group of ABI has shown that the composition of environment conditions is represented by a specific index of “Exogenous risk”. Its dynamic nature makes possible to define a probabilistic frame for in order to calculate the Robbery Risk. Such index of “Exogenous” risk allows considering the possibility of a dynamic computation regarding the variation rate of criminal actions density. This variation depends on the direct or indirect intervention of police or central/local administrations in a geographic area. The Exogenous risk could provide some relevant empirical bases in order to allow banks to share common strategies for the management/mitigation of the Robbery Risk. The aim is to avoid possible negative effects tied to activities connected to only one banking branch. 2.2 The Endogenous Risk A second class of components corresponds, instead, to material, organizational, logistic, instrumental, and technological factors. They characterize the single banking branch and determine its specific architecture in relation to the robbery. Such factors are the following: 1. the “basic characteristics”'6 2. the “services”'7 3. the “plants”'8 The interaction of these factors contributes to determine a significant part of the socalled “Endogenous” risk. It is calculated through a complex function of the number of robberies on a single branch, calculated during a unit of time in which any “event” has modified, in meaningful terms, the internal order of the branch. In other terms, a dynamic connection between the risk index and the various interventions planned by the safety/security managers has been created, both for the single cell and for whole system. The aim was to control the causal sequence between the possible variation of an Endogenous characteristic and its relative importance (%) to calculate the specific impact on the number of robberies. 2.3 The Global Risk Complying with the objectives of an exhaustive Robbery Risk management, the composition of the two risk indexes (Exogenous and Endogenous) defines the perimeter 6 E.g. the number of employees, the location, the cash risk, the target-hardening strategies, etc. E.g. the bank security guards, the bank surveillance cameras, etc. 8 E.g. the access control vestibules (man-catcher or mantraps), the bandit barriers, broad-band internet video feeds directly to police, the alarms, etc. 7 4 C. Guazzoni and G.B. Ronsivalle of a hypothetical “global” risk referred to the single branch. A sort of integrated index that includes both environment and “internal” factors. Thus the calculation of the Global Risk index derives from the normalization of the bi-dimensional vector obtained from the above mentioned functions. Let us propose a calculation model in order to support the definition of the various indexes. 3 Methodological Considerations about the Definition of “Robbery Risk” Before dealing with the computation techniques, however, it is necessary to clarify some issue. 3.1 Possible Extend of “Robbery Risk” First of all, the demarcation between the “Exogenous” and “Endogenous” dimensions cannot be considered absolute. In fact, in some specific case of “Endogenous” characteristics, an analysis that considers only factors that describe the branch isn't enough representative of the variables combination. In fact, the ponderation of each single element makes possible to assign a “weight” related to the Endogenous risk index. But it must be absolutely taken into account the variability rate of influence according to the geographic area. This produces an inevitable contamination, even though circumscribed, between the two dimensions of the Robbery Risk. Then, it must be taken into account that these particular elements of the single cell are the result of the permanent activity of comparison made by the inter-banking working group members coordinated by ABI and OS.SI.F. Given the extremely delicate nature of the theme, the architecture of the “Endogenous” characteristics of the branch must be considered temporary and in continuous evolution. The “not final” nature of the scheme that we propose, depends therefore, by the progressive transformation of the technological tools supporting security, as well as by the slow change - both in terms of national legislation, and in terms of reorganization of the safety/security manager role - regarding the ways in which the contents of Robbery Risk are interpreted. Finally it's not excluded, in the future, the possibility to open the theoretical scheme to criminological models tied to the description of the criminal behaviour and to the definition of indexes of risk perception. But, in both cases the problem is to find a shared theoretical basis, and to translate the intangible factors in quantitative variables that can be elaborated through the calculation model9. 3.2 The Robbery Risk from an Evolutionistic Point of View Most bank models consider the Robbery Risk index of a branch, as a linear index depending on the number of attempted and/or consumed robbery in a certain time interval. 9 On this topic, some researches are going on with the aim to define a possible evolution of this particular type of ``socio-psychological'' index of perceived risk. But it's not yet clear if and how this index can be considered as a category of risk distinguished both from the ``exogenous'' and ``endogenous'' risk. An Artificial Neural Network for Bank Robbery Risk Management 5 This index is usually translated into a value, with reference to a risk scale, and it is the criterion according to which for the Security Manager decide. These models may receive a series of criticisms: 1. they extremely simplify the relation between variables, not considering the reciprocal influences between Exogenous and Endogenous risk; 2. they represent the history of a branch inaccurately, with reference to very wide temporal criteria; 3. they don’t foresee a monitoring system of historical evolution related to the link between changes of the branch and number of robberies. To avoid these criticisms, the OS.SI.F team has developed a theoretical framework based on the following methodological principles: 1. the Robbery Global Risk is a probability index (it varies from 0 to 1) and it depends on the non-linear combination of Exogenous and Endogenous risk; 2. the Robbery Global Risk of a branch corresponds to the trend calculated by applying the Least Squares formula to the numerical set of Risk Robbery values (monthly) from January 2000 to March 2008 in the branch; 3. the monthly value of the Robbery Global Risk corresponds to the relation between the number of robberies per month and the number of days in which the branch is open to people. It is expressed in a value from 0 to 1. An consequence follows these principles: it is necessary to describe the history of the branch as a sequence of states of the branch itself, in relation to changes occurred in its internal structure (for example, the introduction of a new defending service or a new plant). Thus it is possible to create a direct relation between the evolution of branch and the evolution of Robbery Global Risk. In particular, we interpret the various transformations of the branch over time as “mutations” in a population of biological organisms (represented by isomorphic branches). The Robbery Global Risk, thus, becomes a kind of value suggesting how the “robbery market” rewards the activities of the security managers, even though without awareness about the intentional nature of certain choices10. This logical ploy foresees the possibility to analyze indirect strategies of the various banking groups in the management and distribution of risk into different regions of the country11. This methodological framework constitutes the logical basis for the construction of the Robbery Risk management simulator. It is a direct answer to criticisms of the 2nd and 3rd points (see above). It allows the calculation of the fluctuations referred to the Exogenous risk in relation to the increase - over certain thresholds - of the Robbery Global Risk (criticism of the 1st point). 10 11 This “biological metaphor”, inspired by Darwin’s theory, is the methodological basis to overcome a wrong conception of the term “deterrent” inside the security managers’ vocabulary. In many cases, the introduction of new safety services constitutes only an indirect deterrent, since the potential robber cannot know the change. The analysis per populations of branches allows, instead, to extend the concept of “deterrent” per large numbers. While analyzing data, we discovered a number of “perverse effects” in the Robbery Risk management, including the transfer of risk to branches of other competing groups as a result of corrective actions conceived for a branch and then extended to all branches in the same location. 6 C. Guazzoni and G.B. Ronsivalle 4 The Calculation Model for the Simulator The choice of a good calculation model as a support tool for the risk management is essentially conditioned from the following elements: 1. the nature of the phenomenon; 2. the availability of information and historical data on the phenomenon; 3. the quality of the available information; 4. the presence of a scientific literature and/or of possible applications on 5. the theme; 6. the type of tool and the output required; 7. the perception and the general consent level related to the specific model 8. adopted; 9. the degree of obsolescence of the results; 10.the impact of the results in social, economic, and political, terms. In the specific case of the Robbery Risk, 1. the extreme complexity of the “robbery” phenomenon suggests the adoption of analysis tools that take into account the various components, according to a non linear logic; 2. there is a big database on the phenomenon: it can represent the pillar for a historical analysis and a research of regularity, correlations and possible nomic and/or probabilistic connections among the factors that determine the “robbery” risk; 3. the actual database has recently been “normalized”, with the aim to guarantee the maximum degree of coherence between the information included in the archive and the real state of the system; 4. the scientific literature on the risk analysis models related to criminal events is limited to a mere qualitative analysis of the phenomenon, without consider quantitative models; 5. the inter-banking group has expressed the need of a tool to support the decisional processes in order to manage the Robbery Risk, through a decomposition of the fundamental elements that influence the event at an Exogenous and Endogenous level; 6. the banking world aims to have innovative tools founds and sophisticated calculation models in order to guarantee objective and scientifically founded results within the Risk Management domain; 7. given the nature of the phenomenon, the calculation model of the Robbery Risk must guarantee the maximum of flexibility and dynamism according to the time variable and the possible transformations at a local and national level; 8. the object of the analysis is matched with a series of ethics, politics, social, and economic topics, and requires, indeed, an integrated systemic approach. These considerations have brought the team to pursue an innovative way for the creation of the calculation model related to the Robbery Risk indexes: the artificial neural networks (ANN). An Artificial Neural Network for Bank Robbery Risk Management 7 5 Phases of ANN Design and Development for the Management of the Robbery Risk How did we come to the creation of the neural network for the management of the robbery Global Risk? The creation of the calculation model is based on the logical scheme above exposed. It is articulated in five fundamental phases: 1. 2. 3. 4. 5. Re-design OS.SI.F database and data analysis; Data normalization; OS.SI.F Network Design; OS.SI.F Network Training; Network testing and delivery. 5.1 First Phase: Re-design OS.SI.F Database and Data Analysis Once defined the demarcation between Exogenous and Endogenous risks, as well as the structure of variables concerning each single component of the Global Risk, some characteristic elements of OS.SI.F historical archive have been revised. The revision of the database allowed us to remove possible macroscopic redundancies and occasional critical factors, before starting the data analysis. Through a neural network based on genetic algorithms all possible incoherence and contradictions have been underlined. The aim was to isolate patterns that would have been potentially “dangerous” for the network and to produce a “clean” database, deprived of logical “impurities” (in limits of human reason). At this point, the team has defined the number of entry variables (ANN inputs) related to the characteristics above mentioned - and the exit variables (ANN output) representing the criteria for design the network. The structure of the dataset is determined, as well as the single field types (categorical or numerical) and the distinction among (a) information for the training of the ANN, (b) data to validate the neuronal architecture, and (c) dataset dedicated to testing the ANN after training. 5.2 Second Phase: Data Normalization The database cleaning allowed the translation of data in a new archive of information for the elaboration of an ANN. In other words, all the variables connected to the Exogenous risk (environment and geographic variables) and the Endogenous risk (basic characteristics, services and plants of each single branch) have been “re-write” and normalized. All this has produced the historical sequence of examples provided to the ANN with the aim to let it “discover” the general rules that govern the “robbery” phenomenon. The real formal “vocabulary” for the calculation of the Global Risk. 5.3 Third Phase: OS.SI.F Network Design This phase has been dedicated to determine the general architecture of the ANN and its mathematical properties. Concerning topology, in particular, after a series of unlucky attempts with a single hidden layer, we opted for a two hidden layers network: 8 C. Guazzoni and G.B. Ronsivalle Fig. 1. A schematic representation of the Architecture of OS.SI.F ANN This architecture was, in fact, more appropriate to solve a series of problems connected to the particular nature of the “robbery” phenomenon. This allowed us, therefore, to optimize the choice of the single neurons activation function and the error function. In fact, after a first disastrous implementation of the linear option, a logistic activation function with a sigmoid curve has been adopted. It was characterized by a size domain included between 0 and 1 and calculated through the following formula: F ( x) = 1 1 + e −x (1) Since it was useful for the evaluation of the ANN quality, an error function has been associated to logistic function. It was based on the analysis of differences among the output of the historical archive and the output produced by the neural network. In this way we reached to the definition of the logical calculation model. Even though it still doesn't have the knowledge necessary to describe, explain, and foresee the probability of the “robbery” event. This knowledge, in fact, derives only from an intense training activity. 5.4 Fourth Phase: OS.SI.F Network Training The ANN training constitutes the most delicate moment of the whole process of creation of the network. In particular with a Supervised Learning. In our case, in fact, the training consists in provide the network of a big series of examples of robberies associated to particular geographic areas and specific characteristics of the branches. From this data, the network has to infer the rule through an abstraction process. For the Robbery Risk ANN, we decided to implement a variation of the Back propagation. The Back propagation is the most common learning algorithm within the multi-layer networks. It is based on the error propagation and on the transformation of weights (originally random assigned) from the output layer in direction to the intermediate layers, up to the input neurons. In our special version, the “OS.SI.F Quickpropagation”, the variation of each weight of the synaptic connections changes according to the following formula: An Artificial Neural Network for Bank Robbery Risk Management ⎛ ⎞ s (t ) ∆w(t ) = ⎜⎜ ∆w(t − 1) ⎟⎟ + k ⎝ s (t − 1) − s (t ) ⎠ 9 (2) where k is a hidden variable to solve the numerical instability of this formula12. We can state that the fitness of the ANN-Robbery Risk has been subordinated to a substantial correspondence between the values of Endogenous and Exogenous risk (included in the historical archive), and the results of the network's elaboration after each learning iteration. 5.5 Fifth Phase: Network Testing and Delivery In the final phase of the process lot of time has been dedicated to verify the neural network architecture defined in the previous phases. Moreover a series of dataset previously not included in the training, have been considered with the aim to remove the last calculation errors and put some adjustments to the general system of weights. In this phase, some critical knots have been modified: they were related to the variations of the Exogenous risk according to the population density and to the relationship between Endogenous risk and some new plants (biometrical devices). Only after this last testing activity, the ANN has been integrated and implemented in the OS.SI.FWeb module, to allow users (banking security/safety managers), to verify the coherence of the tool through a module of simulation of new sceneries. 6 Advantages of the Application of the Neural Networks to the Robbery Risk Management The implementation of an ANN to support the Robbery Risk management has at least 5 fundamental advantages: 1. Unlike any linear system based on proportions and simple systems of equations, an ANN allows to face, in coherent way, the high complexity degree of the “robbery” phenomenon. The banal logic of the sum of variables and causal connections of many common models, is replaced by a more articulated design, that contemplates in dynamic and flexible terms, the innumerable connections among the Exogenous and Endogenous variables. 2. The OS.SI.F ANN database is based on a historical archive continually fed by the whole Italian banking system. This allows to overcome each limited local vision, according to the absolute need of a systemic approach for the Robbery Risk analysis. In fact, it's not possible to continue to face such a delicate topic through visions circumscribed to one's business dimension. 3. The integration of neural algorithms constitutes the state of the art within the Risk Management domain. In fact it guarantees the definition of a net of variables opportunely measured according to a probabilistic - and not banally linear - logic. 12 Moreover, during the training, a quantity of “noise” has been introduced (injected) into the calculation process. The value of the “noise” has been calculated in relation to the error function and has allowed to avoid the permanence of the net in critical situations of local minims. 10 C. Guazzoni and G.B. Ronsivalle The Robbery Risk ANN foresees a real Bayes network that dynamically determines the weight of each variable (Exogenous and Endogenous) in the probability of the robbery. This provides a higher degree of accuracy and scientific reliability to the definition of “risk” and to the whole calculation model. 4. A tool based on neural networks guarantees the maximum level of flexibility, dynamism and adaptability to contexts and conditions that are in rapid evolution. These are assured by (a) a direct connection of the database to the synaptic weights of the ANN, (b) the possible reconfiguration of the network architecture in cases of introduction of new types of plants and/or services, and/or basic characteristics of branches. 5. The ANN allows an effective integration between a solid calculation model (the historical archive of information related to the robberies of last years), and the professional and human experience of security/safety managers. The general plan of the database (and of the composition of the two risk indexes), takes into account the considerations, observations and indications of the greater representatives of the national banking safety/security sectors. The general plan of the database is based on the synthesis done by the inter-banking team, on the normalization of the robbery event descriptions, and on the sharing of some guidelines in relation to a common vocabulary for the description of the robbery event. The final result of this integration is a tool that guarantees the maximum level of decisional liberty, through the scientific validation of virtuous practices and, thanks to the simulator of new branches, an a priori evaluation of the possible effects deriving from future interventions. References 1. Corradini, I., Iaconis, M.: Antirapina. Guida alla sicurezza per gli operatori di sportello. Bancaria Editrice, Roma (2007) 2. Fahlman, S.E.: Fast-Learning Variations on Back-Propagation: An Empirical Study. In: Proceedings of the 1988 Connessionist Models Summer School, pp. 38–51. Morgan Kaufmann, San Francisco (1989) 3. Floreano, D.: Manuale sulle reti neurali. Il Mulino, Bologna (1996) 4. McClelland, J.L., Rumelhart, D.E.: PDP: Parallel Distributed Processing: Explorations in the Microstructure of Cognition: Psychological and Biological Models, vol. II. MIT PressBradford Books, Cambridge (1986) 5. Pessa, E.: Statistica con le reti neurali. Un’introduzione. Di Renzo Editore, Roma (2004) 6. Sietsma, J., Dow, R.J.F.: Neural Net Pruning – Why and how. In: Proceedings of the IEEE International Conference on Neural Networks, pp. 325–333. IEEE Press, New York (1988) 7. von Lehman, A., Paek, G.E., Liao, P.F., Marrakchi, A., Patel, J.S.: Factors Influencing Learning by Back-propagation. In: Proceedings of the IEEE International Conference on Neural Networks, vol. I, pp. 335–341. IEEE Press, New York (1988) 8. Weisel, D.L.: Bank Robbery. In: COPS, Community Oriented Policing Services, U.S. Department of Justice, No.48, Washington (2007), http://www.cops.usdoj.gov Secure Judicial Communication Exchange Using Soft-computing Methods and Biometric Authentication Mauro Cislaghi1, George Eleftherakis2, Roberto Mazzilli1, Francois Mohier3, Sara Ferri4, Valerio Giuffrida5, and Elisa Negroni6 1 Project Automation , Viale Elvezia, Monza, Italy {mauro.cislaghi,roberto.mazzilli}@p-a.it 2 SEERC, 17 Mitropoleos Str, Thessaloniki, Greece [email protected] 3 Airial Conseil, RueBellini 3, Paris, France [email protected] 4 AMTEC S.p.A., Loc. San Martino, Piancastagnaio, Italy [email protected] 5 Italdata, Via Eroi di Cefalonia 153, Roma, Italy [email protected] 6 Gov3 Ltd, UK [email protected] Abstract. This paper describes how “Computer supported cooperative work”, coped with security technologies and advanced knowledge management techniques, can support the penal judicial activities, in particular national and trans-national investigations phases when different judicial system have to cooperate together. Increase of illegal immigration, trafficking of drugs, weapons and human beings, and the advent of terrorism, made necessary a stronger judicial collaboration between States. J-WeB project (http://www.jweb-net.com/), financially supported by the European Union under the FP6 – Information Society Technologies Programme, is designing and developing an innovative judicial cooperation environment capable to enable an effective judicial cooperation during cross-border criminal investigations carried out between EU and Countries of enlarging Europe, having the Italian and Montenegrin Ministries of Justice as partners. In order to reach a higher security level, an additional biometric identification system is integrated in the security environment. Keywords: Critical Infrastructure Protection, Security, Collaboration, Cross border investigations, Cross Border Interoperability, Biometrics, Identity and Access Management. 1 Introduction Justice is a key success factors in regional development, in particular in areas whose development is lagging back the average development of the European Union. In the last years particular attention has been paid on judicial collaboration between Western Balkans and the rest of EU, and CARDS Program [1] is a suitable evidence of this cooperation. According to this program, funds were provided for the development of closer relations and regional cooperation among SAp (Stabilisation and Association E. Corchado et al. (Eds.): CISIS 2008, ASC 53, pp. 11–18, 2009. © Springer-Verlag Berlin Heidelberg 2009 springerlink.com 12 M. Cislaghi et al. process) countries and between them and all the EU member states to promote direct cooperation in tackling the common threats of organised crime, illegal migration and other forms of trafficking. The Mutual assistance [2] is subject to different agreements and different judicial procedures. JWeB project [3], [9], based on the experiences of e-Court [4] and SecurE-Justice [5] projects, funded by the European Commission in IST program, is developing an innovative judicial cooperation environment capable to enable an effective judicial cooperation during cross-border criminal investigations, having the Italian and Montenegrin Ministries of Justice as partners. JWeB (started in 2007 and ending in 2009) will experiment a cross-border secure cooperative judicial workspace (SCJW), distributed on different ICT platforms called Judicial Collaboration Platforms (JCP) [6], based on Web-based groupware tools supporting collaboration and knowledge sharing among geographically distributed workforces, within and between judicial organizations. 2 Investigation Phase and Cross-Border Judicial Cooperation The investigation phase includes all the activities carried out from crime notification to the trial. Cross-border judicial cooperation is one of them. It may vary from simple to complex judicial actions; but it has complex procedure and requirements, such as information security and non repudiation. A single investigation may include multiple cross-border judicial cooperation requests; this is quite usual when investigating on financial flows. Judicial cooperation develops as follows: 1) In the requesting country, the magistrate starts preliminary checks to understand if her/his requests to another country are likely to produce the expected results. Liaison magistrate support and contacts with magistrates in the other country are typical actions. 2) The “requesting” magistrate prepares and sends the judicial cooperation request (often referred to as “letter of rogatory”) containing the list of specific requests to the other country. Often the flow in the requesting country is named “active rogatory”, while the flow in the requested country is named “passive rogatory”. 3) The judicial cooperation request coming from the other country is evaluated, usually by a court of appeal that, in case of positive evaluation, appoints the prosecutors’ office in charge of the requested activities. This prosecutors’ office appoints a magistrate. The requesting magistrate, directly or via the office delegated to international judicial cooperation, receives back these information and judicial cooperation starts. 4) Judicial cooperation actions are performed. They may cover request for documents, request for evidences, request for interrogations, request for specific actions (for example interceptions, sequestration or an arrest), requests for joint investigation. Most of the activities are still paper based. The listed activities may imply complex actions in the requested country, involving people (magistrates, police, etc.) in different departments. The requesting country is interested on the results of the activities, Secure Judicial Communication Exchange Using Soft-computing Methods 13 not on the procedures followed by the judicial organisation fulfils the requests. The liaison magistrate can support the magistrate, helping her/him to understand how to address the judicial counterpart and, once judicial cooperation has been granted, in understanding and overcoming possible obstacles. Each national judicial system is independent from the other, both in legal and infrastructural terms. Judicial cooperation, on the ICT point of view, implies cooperation between two different infrastructures, the “requesting” one (“active”) and the “requested” (“passive”), and activities such as judicial cooperation setup, joint activities of the workgroups, secure exchange of not repudiable information between the two countries. These activities can be effectively supported by a secure collaborative workspace, as described in the next paragraph. 3 The Judicial Collaboration Platform (JCP) A workspace for judicial cooperation involves legal, organisational and technical issues, and requires a wide consensus in judicial organisations. It has to allow straightforward user interface, easy data retrieval, seamless integration with procedures and systems already in place. All that implemented providing top-level security standards. Accordingly, the main issues for judicial collaboration are: • • • • • A Judicial Case is a secure private virtual workspace accessed by law enforcement and judicial authorities, that need to collaborate in order to achieve common objectives and tasks; JCP services are on-line services, supplying various collaborative functionalities to the judicial authorities in a secure and non repudiable communication environment; User profile is a set of access rights assigned to a user. The access to a judicial case and to JCP services are based on predefined, as well as, customised role based user profiles; Mutual assistance during investigations creates a shared part of investigation folder. Each country will have its own infrastructure. The core system supporting judicial cooperation is the secure JCP [6]. It is part of a national ICT judicial infrastructure, within the national judicial space. Different JCPs in different countries may cooperate during judicial cooperation. The platform, organised on three layer (presentation, business, persistence) and supporting availability and data security, provides the following main services: • • Profiling: user details, user preferences Web Services o Collaboration: collaborative tools so that users can participate and discuss on the judicial cooperation cases. o Data Mining: customization of user interfaces based on users’ profile. o Workflow Management: design and execution of judicial cooperation processes 14 M. Cislaghi et al. Audio/Video Management: real time audio/video streaming of a multimedia file, videoconference support. o Knowledge Management: documents uploading, indexing, search. Security and non repudiation: Biometric access, digital certificates, digital signature, secure communication, cryptography, Role based access control. o • Services may be configured according to the different needs of the Judicial systems. The modelling of Workflow Processes is based on the Workflow Management Coalition specifications (WfMC), while software developments are based on Open-Source and the J2EE framework. Communications are based on HTTPS and SSL, SOAP, RMI, LDAP and XML. Videoconference is based on H323. 4 The Cross-Border Judicial Cooperation Via Secure JCPs 4.1 The Judicial Collaborative Workspace and Judicial Cooperation Activities A secure collaborative judicial workspace (SCJW) is a secure inter-connected environment related to a judicial case, in which all entitled judicial participants in dispersed locations can access and interact with each other just as inside a single entity. The environment is supported by electronic communications and groupware which enable participants to overcome space and time differentials. On the physical point of view, the workspace is supported by the JCP. The SCJW allows the actors to use communication and scheduling instruments (agenda, shared data, videoconference, digital signature, document exchange) in a secured environment. A judicial cooperation activity (JCA) is the implementation of a specific judicial cooperation request. It is a self contained activity, opened inside the SCJWs in the requesting and requested countries, supported by specific judicial workflows and by the collaboration tools, having as the objective to fulfil a number of judicial actions issued by the requesting magistrate. The SCJW is connected one-to-one to a judicial case and may contain multiple JCAs running in parallel. A single JCA ends when rejected or when all requests contained in the letter of rogatory have been fulfilled and the information collected have been inserted into the target investigation folder, external to the JCP. In this moment the JCA may be archived. The SCJW does not end when a JCA terminates, but when the investigation phase is concluded. Each JCA may have dedicated working teams, in particular in case of major investigations. The “owner” of the SCJW is the investigating magistrate in charge of the judicial case. SCJW is implemented in a single JCP, while the single JCA is distributed on two JCP connected via secure communication channels (crypto-routers, with certificate exchange), implementing a secured Web Service Interface via a collaboration gateway. Each SCJW has a global repository and a dedicated repository for each JCA. This is due to the following constraints: 1) the security, confidentiality and non repudiation constraints 2) each JCA is an independent entity, accessible only by the authorised members of the judicial workgroup and with a limited time duration. Secure Judicial Communication Exchange Using Soft-computing Methods 15 The repository associated to the single JCA contains: • • JCA persistence data 1) “JCA metadata” containing data such as: information coming from the national registry (judicial case protocol numbers, etc.), the users profiles and the related the access rights, the contact information, the information related to the workflows (state, transitions), etc. 2) “JCP semantic repository”. It will be the persistence tier for the JCP semantic engine, containing: ontology, entity identifiers, Knowledge Base (KB) JCA judicial information The documentation produced during the judicial cooperation will be stored in a configurable tree folder structure. Typical contents are: 1) “JCA judicial cooperation request”. It contains information related to the judicial cooperation request, including further documents exchanged during the set-up activities. 2) “JCA decisions”. It contains the outcomes of the formal process of judicial cooperation and any internal decision relevant to the specific JCA (for example letter of appointment of the magistrate(s), judicial acts authorising interceptions or domicile violation, etc.) 3) “JCA investigation evidences”. It contains the documents to be sent/ received (Audio/video recordings, from audio/video conferences and phone interceptions, Images, Objects and documents, Supporting documentation, not necessarily to be inserted in the investigation folder) 4.2 The Collaboration Gateway Every country has it own ICT judicial infrastructure, interfaced but not shared with other countries. Accordingly a SCJW in a JCP must support a 1:n relationships between judicial systems, including data communication, in particular when the judicial case implies more than one JCA. A single JCA has a 1:1 relationship between the JCA in the requesting country and the corresponding “requested” JCA. For example, a single judicial case in Montenegro may require cross-border judicial cooperation to Italy, Serbia, Switzerland, France and United Kingdom, and the JCP in Montenegro will support n cross border judicial cooperations. Since JCP platforms are hosted on different locations and countries, the architecture of the collaboration module is based on the mechanism of secured gateway. It is be based on a set of Web Services allowing one JWeB site, based on a JCP, to exchange the needed data with another JWeB site and vice and versa. The gateway architecture, under development in JWeB project, is composed by: • • • Users and Profiling module Judicial CASES and Profiling Module Calendar/Meeting Module Workflow engines exchange information about the workflows states through the collaboration gateway. 16 M. Cislaghi et al. 4.3 Communication Security, User Authentication and RBAC in JCP Security [7] is managed through the Security Module, designed to properly manage Connectivity Domains, to assure access rights to different entities, protecting information and segmenting IP network in secured domains. Any communication is hidden to third parties, protecting privacy, preventing unauthorised usage and assuring data integrity. The JCP environment is protected by the VPN system allowing the access only from authenticated and pre-registered user; no access is allowed without the credentials given by the PKI. User is authenticated in her/his access to any resource by means of his X.509v3 digital certificate issued by the Certification Authority, stored in his smart card and protected by biometry [7], [8]. The Network Security System is designed in order to grant the access to the networks and the resources only to authenticated users; it is composed by the following components: • • • Security Access Systems (Crypto-router). Crypto-routers prevent unauthorized intrusions, offers protection against external attacks and offer tunneling capabilities and data encryption. Security Network Manager. This is the core of security managing system that allows managing, monitoring and modifying configurations of the system, including accounting of new users. S-VPN clients (Secure Virtual Private Network Client). Software through which the users can entry in the IP VPN and so can be authenticated by the Security Access System. The Crypto-router supports routing and encryption functions with the RSA public key algorithm on standard TCP/IP networks in end to end mode. Inside JCP security architecture Crypto-router main task is to institute the secure tunnel to access JCP VPN (Virtual Private Network) and to provide both Network and Resources Authentication. In order to reach a higher security level, an additional biometric identification system is integrated in the security environment. The device integrates a smart card reader with a capacitive ST Microelectronics fingerprint scanner and an “Anti Hacking Module” that will made the device unusable in case of any kind of physical intrusion attempt. The biometric authentication device will entirely manage the biometric verification process. There is no biometric data exchange within the device and the workstation or any other device. Biometric personal data will remain in the user’s smart card and the comparison between the live and the smart card stored fingerprint will be performed inside the device. After biometric authentication, access control of judicial actors to JCP is rolebased. In Role Based Access Control [11] (RBAC), permissions are associated with roles, and users are made members of appropriate roles. This model simplifies access administration, management, and audit procedures. The role-permissions relationship changes much less frequently than the role-user relationship, in particular in the judicial field. RBAC allows these two relationships to be managed separately and gives much clearer guidance to system administrators on how to properly add new users and Secure Judicial Communication Exchange Using Soft-computing Methods 17 their associated permissions. RBAC is particularly appropriate in justice information sharing systems where there are typically several organizationally diverse user groups that need access, in varying degrees, to enterprise-wide data. Each JCP system will maintain its own Access Control List (ACL). Example of roles related to judicial cooperation are: • • • • • SCJW magistrate supervisor: Basically he/she has the capability to manage all JCAs. JCA magistrate: he/she has the capability to handle the cases that are assigned to him Liaison Magistrate: a magistrate located in a foreign country that supports the magistrate(s) in case of difficulties. Judicial Clerk: supporting the magistrate for secretarial and administrative tasks (limited access to judicial information). System Administrator: He is the technical administrator of the JCP platform (no access to judicial information) 5 Conclusions Council Decision of 12 February 2007 establishes for the period 2007-2013 the Programme ‘Criminal Justice’ (2007/126/JHA), with the objective to foster judicial cooperation in criminal matter. CARDS project [1] and IPA funds represent today a relevant financial support to regional development in Western Balkans, including justice as one of the key factors. This creates a strong EU support to JCP deployment, while case studies such as the ongoing JWeB and SIDIP [10] projects, demonstrated that electronic case management is now ready for deployment on the technological point of view. Judicial secure collaboration environment will be the basis for the future judicial trans-national cooperation, and systems such as the JCP may lead to a considerable enhancement of cross-border judicial cooperation. The experience in progress in JWeB project is demonstrating that features such as security, non repudiation, strong authentication can be obtained through integration of state of the art technologies and can be coped with collaboration tools, in order to support a more effective and straightforward cooperation between investigating magistrates in full compliance with national judicial procedures and practices. The JCP platform represents a possible bridge between national judicial spaces, allowing through secure web services the usage of the Web as a cost effective and the same time secured interconnection between judicial systems. While technologies are mature and ready to be used, their impact on the judicial organisations in cross-border cooperation is still under analysis. It is one of the main non technological challenges for deployment of solutions such as the one under development in JWeB project. The analysis conducted so far in the JWeB project gives a reasonable confidence that needed organisational changes will become evident through the pilot usage of the developed ICT solutions, so giving further contributions to the Ministries of Justice about the activities needed for a future deployment of ICT solutions in a delicate area such as the one of the international judicial cooperation. 18 M. Cislaghi et al. References 1. CARDS project: Support to the Prosecutors Network, EuropeAid/125802/C/ACT/Multi (2007), http://ec.europa.eu/europeaid/cgi/frame12.pl 2. Armone, G., et al.: Diritto penale europeo e ordinamento italiano: le decisioni quadro dell’Unione europea: dal mandato d’arresto alla lotta al terrorismo. Giuffrè edns. (2006) ISBN 88-14-12428-0 3. JWeB consortium (2007), http://www.jweb-net.com 4. European Commission, ICT in the courtroom, the evidence (2005), http://ec.europa.eu/information_society/activities/ policy_link/documents/factsheets/jus_ecourt.pdf 5. European Commission. Security for judicial cooperation (2006), http://ec.europa.eu/information_society/activities/ policy_link/documents/factsheets/just_secure_justice.pdf 6. Cislaghi, M., Cunsolo, F., Mazzilli, R., Muscillo, R., Pellegrini, D., Vuksanovic, V.: Communication environment for judicial cooperation between Europe and Western Balkans. In: Expanding the knowledge economy, eChallenges 2007 conference proceedings, The Hague, The Netherlands (October 2007); ISBN 978-1-58603-801-4, 757-764. 7. Italian Committee for IT in Public Administrations (CNIPA), Linee guida per la sicurezza ICT delle pubbliche amministrazioni. In: Quaderni CNIPA 2006 (2006), http://www.cnipa.gov.it/site/_files/Quaderno20.pdf 8. Italian Committee for IT in Public Administrations (CNIPA), CNIPA Linee guida per l’utilizzo della Firma Digitale, in CNIPA (May 2004), http://www.cnipa.gov.it/site/_files/LineeGuidaFD_200405181.pdf 9. JWeB project consortium (2007-2008), http://www.jweb-net.com/index.php? option=com_content&task=category§ionid=4&id=33&Itemid=63 10. SIDIP project (ICT system supporting trial and hearings in Italy) (2007), http://www.giustiziacampania.it/file/1012/File/ progettosidip.pdf, https://www.giustiziacampania.it/file/1053/File/ mozzillopresentazionesistemasidip.doc 11. Ferraiolo, D.F., Sandhu, R., Gavrila, S., Kuhn, D.R., Chandramouli: A proposed standard for rolebased access control. Technical report, National Institute of Standards & Technology (2000) Identity Resolution in Criminal Justice Data: An Application of NORA Queen E. Booker Minnesota State University, Mankato, 150 Morris Hall Mankato, Minnesota [email protected] Abstract. Identifying aliases is an important component of the criminal justice system. Accurately identifying a person of interest or someone who has been arrested can significantly reduce the costs within the entire criminal justice system. This paper examines the problem domain of matching and relating identities, examines traditional approaches to the problem, and applies the identity resolution approach described by Jeff Jonas [1] and relationship awareness to the specific case of client identification for the indigent defense office. The combination of identity resolution and relationship awareness offered improved accuracy in matching identities. Keywords: Pattern Analysis, Identity Resolution, Text Mining. 1 Introduction Appointing counsel for indigent clients is a complex task with many constraints and variables. The manager responsible for assigning the attorney is limited by the number of attorneys at his/her disposal. If the manager assigns an attorney to a case with which the attorney has a conflict of interest, the office loses the funds already invested in the case by the representing attorney. Additional resources are needed to bring the next attorney “up to speed.” Thus, it is in the best interest of the manager to be able to accurately identify the client, the victim and any potential witnesses to minimize any conflict of interest. As the number of cases grows, many times, the manager simply selects the next person on the list when assigning the case. This type of assignment can lead to a high number of withdrawals due to a late identified conflict of interest. Costs to the office increase due to additional incarceration expenses while the client is held in custody as well as the sunk costs of prior and repeated attorney representation regardless of whether the client is in or out of custody. These problems are further exacerbated when insufficient systems are in place to manage the data that could be used to make assignments easier. The data on the defendant is separately maintained by the various criminal justice agencies including the indigent defense service agency itself. This presents a challenge as the number of cases increases but without a concomitant increase in staff available to make the assignments. Thus those individuals responsible for assigning attorneys want not only the ability to better assign attorneys, but also to do so in a more expedient fashion. E. Corchado et al. (Eds.): CISIS 2008, ASC 53, pp. 19–26, 2009. springerlink.com © Springer-Verlag Berlin Heidelberg 2009 20 Q.E. Booker The aggregate data from all the information systems in the criminal justice process have been proven to improve the attorney assignment process [2]. Criminal justice systems have many disparate information systems, each with their own data sets. These include systems concerned with arrests, court case scheduling, the prosecuting attorneys office, to name a few. In many cases, relationships are nonobvious. It is not unusual for a repeat offender to provide an alternative name that is not validated prior to sending the arrest data to the indigent defense office. Likewise it is not unusual for potential witnesses to provide alternative names in an attempt to protect their identities. And further, it is not unusual for a victim to provide yet another name in an attempt to hide a previous interaction with the criminal justice process. Detecting aliases becomes harder as the indigent defense problem grows in complexity. 2 Problems with Matching Matching identities or finding aliases is a difficult process to perform manually. The process relies on institutional knowledge and/or visual stimulation. For example, if an arrest report is accompanied by a picture, the manager or attorney can easily ascertain the person’s identity. But that is not the case. Arrest reports sent generally are textual with the defendant’s name, demographic information, arrest charges, victim, and any witness information. With the institutional knowledge, the manager or an attorney can review the information on the report and identify the person by the use of a previous alias or by other pertinent information on the report. So essentially, it is possible to identify many aliases by humans, and hence possible for an information system because the enterprise contains all the necessary knowledge. But the knowledge and the process is trapped across isolated operational systems within the criminal justice agencies. One approach to improving the indigent defense agency problem is to amass information from as many different available data sources, clean the data, and find matches to improve the defense process. Traditional algorithms aren't well suited for this process. Matching is further encumbered by the poor quality of the underlying data. Lists containing subjects of interest commonly have typographical errors such as data from the defendants who intentionally misspell their names to frustrate data matching efforts, and legitimate natural variability (Mike versus Michael and 123 Main Street versus 123 S. Maine Street). Dates are often a problem as well. Months and days are sometimes transposed, especially in international settings. Numbers often have transposition errors or might have been entered with a different number of leading zeros. 2.1 Current Identity Matching Approaches Organizations typically employ three general types of identity matching systems: merge/purge and match/merge, binary matching engines, and centralized identity catalogues. Merge/purge and match/merge is the process of combining two or more lists or files, simultaneously identifying and eliminating duplicate records. This process was developed by direct marketing organizations to eliminate duplicate customer records in mailing lists. Binary matching engines test an identity in one data set for its Identity Resolution in Criminal Justice Data: An Application of NORA 21 presence in a second data set. These matching engines are also sometimes used to compare one identity with another single identity (versus a list of possibilities), with the output often expected to be a confidence value pertaining to the likelihood that the two identity records are the same. These systems were designed to help organizations recognize individuals with whom they had previously done business or, alternatively, recognize that the identity under evaluation is known as a subject of interest—that is, on a watch list—thus warranting special handling. [1] Centralized identity catalogues are systems collect identity data from disparate and heterogeneous data sources and assemble it into unique identities, while retaining pointers to the original data source and record with the purpose of creating an index. Each of the three types of identity matching systems uses either probabilistic or deterministic matching algorithms. Probabilistic techniques rely on training data sets to compute attribute distribution and frequency looking for both common and uncommon patterns. These statistics are stored and used later to determine confidence levels in record matching. As a result, any record containing similar, but uncommon data might be considered a record the same person with a high degree of probability. These systems lose accuracy when the underlying data's statistics deviate from the original training set and must frequently retrained to maintain its level of accuracy. Deterministic techniques rely on pre-coded expert rules to define when records should be matched. One rule might be that if the names are close (Robert versus Rob) and the social security numbers are the same, the system should consider the records as matching identities. These systems often have complex rules based on itemsets such as name, birthdate, zipcode, telephone number, and gender. However, these systems fail as data becomes more complex. 3 NORA Jeff Jonas introduced a system called NORA which stands for non-obvious relationship awareness. He developed the system specifically to solve Las Vegas casinos' identity matching problems. NORA accepts data feeds from numerous enterprise information systems, and builds a model of identities and relationships between identities (such as shared addresses or phone numbers) in real time. If a new identity matched or related to another identity in a manner that warranted human scrutiny (based on basic rules, such as good guy connected to very bad guy), the system would immediately generate an intelligence alert. The system approach for the Las Vegas casinos is very similar to the needs of the criminal justice system. The data needed to identify aliases and relationships for conflict of interest concerns comes from multiple data sources – arresting agency, probation offices, court systems, prosecuting attorney office, and the defense agency itself, and the ability to successfully identify a client is needed in real-time to reduce costs to the defenses office. The NORA system requirements were: • Sequence neutrality. The system needed to react to new data in real time. • Relationship awareness. Relationship awareness was designed into the identity resolution process so that newly discovered relationships could generate realtime intelligence. Discovered relationships also persisted in the database, which is essential to generate alerts to beyond one degree of separation. 22 Q.E. Booker • • • • • • Perpetual analytics. When the system discovered something of relevance during the identity matching process, it had to publish an alert in real time to secondary systems or users before the opportunity to act was lost. Context accumulation. Identity resolution algorithms evaluate incoming records against fully constructed identities, which are made up of the accumulated attributes of all prior records. This technique enabled new records to match to known identities in toto, rather than relying on binary matching that could only match records in pairs. Context accumulation improved accuracy and greatly improved the handling of low-fidelity data that might otherwise have been left as a large collection of unmatched orphan records. Extensible. The system needed to accept new data sources and new attributes through the modification of configuration files, without requiring that the system be taken offline. Knowledge-based name evaluations. The system needed detailed name evaluation algorithms for high-accuracy name matching. Ideally, the algorithms would be based on actual names taken from all over the world and developed into statistical models to determine how and how often each name occurred in its variant form. This empirical approach required that the system be able to automatically determine the culture that the name most likely came from because names vary in predictable ways depending on their cultural origin. Real time. The system had to handle additions, changes, and deletions from real-time operational business systems. Processing times are so fast that matching results and accompanying intelligence (such as if the person is on a watch list or the address is missing an apartment number based on prior observations) could be returned to the operational systems in sub-seconds. Scalable. The system had to be able to process records on a standard transaction server, adding information to a repository that holds hundreds of identities. [1] Like the gaming industry, the defense attorney’s office has relatively low daily transactional volumes. Although it receives booking reports on an ongoing basis, initial court appearances are handled by a specific attorney, and the assignments are made daily, usually the day after the initial court appearance. The attorney at the initial court appearance is not the officially assigned attorney, allowing the manager a window of opportunity from booking to assigning the case to accurately identify the client. But the analytical component of accurate identification involves numerous records with accurate linkages including aliases as well as past relationships and networks as related to the case. The legal profession has rules and regulations that constitute conflict of interest. Lawyers must follow these rules to maintain their license to practice which makes the assignment process even more critical. [3] NORA’s identity resolution engine is capable of performing in real time against extraordinary data volumes. The gaming industry's requirements of less than 1 million affected records a day means that a typical installation might involve a single Intelbased server and any one of several leading SQL database engines. This performance establishes an excellent baseline for application to the defense attorney data since the NORA system demonstrated that the system could handle multibillion-row databases Identity Resolution in Criminal Justice Data: An Application of NORA 23 consisting of hundreds of millions of constructed identities and ingest new identities at a rate of more than 2,000 identity resolutions per second; such ultra-large deployments require 64 or more CPUs and multiple terabytes of storage, and move the performance bottleneck from the analytic engine to the database engine itself. While the defense attorney dataset is not quite as large, the processing time on the casino data suggests that NORA would be able to accurately and easily handle the defense attorney’s needs in real-time. 4 Identity Resolution Identity resolution is an operational intelligence process, typically powered by an identity resolution engine, whereby organizations can connect disparate data sources with a view to understanding possible identity matches and non-obvious relationships across multiple data sources. It analyzes all of the information relating to individuals and/or entities from multiple sources of data, and then applies likelihood and probability scoring to determine which identities are a match and what, if any, nonobvious relationships exist between those identities. These engines are used to uncover risk, fraud, and conflicts of interest. Identity resolution is designed to assemble i identity records from j data sources into k constructed, persistent identities. The term "persistent" indicates that matching outcomes are physically stored in a database at the moment a match is computed. Accurately evaluating the similarity of proper names is undoubtedly one of the most complex (and most important) elements of any identity matching system. Dictionary- based approaches fail to handle the complexities of names such as common names such as Robert Johnson. The approaches fail even greater when cultural influences in naming are involved. Soundex is an improvement over traditional dictionary approaches. It uses a phonetic algorithm for indexing names by their sound when pronounced in English. The basic aim is for names with the same pronunciation to be encoded to the same string so that matching can occur despite minor differences in spelling. Such systems' attempts to neutralize slight variations in name spelling by assigning some form of reduced "key" to a name (by eliminating vowels or eliminating double consonants) frequently fail because of external factors—for example, different fuzzy matching rules are needed for names from different cultures. Jonas found that the deterministic method is essential for eliminating dependence on training data sets. As such, the system no longer needed periodic reloads to account for statistical changes to the underlying universe of data. However, he also asserts many common conditions in which deterministic techniques fail—specifically, certain attributes were so overused that it made more sense to ignore them than to use them for identity matching and detecting relationships. For example, two people with the first name of "Rick" who share the same social security number are probably the same person—unless the number is 111-11-1111. Two people who have the same phone number probably live at the same address—unless that phone number is a travel agency's phone number. He refers to such values as generic because the overuse diminishes the usefulness of the value itself. It's impossible to know all of these 24 Q.E. Booker generic values a priori—for one reason, they keep changing—thus probabilistic-like techniques are used to automatically detect and remember them. His identity resolution system uses a hybrid matching approach that combines deterministic expert rules with a probabilistic-like component to detect generics in real time (to avoid the drawback of training data sets). The result is expert rules that look something like this: If the name is similar AND there is a matching unique identifier THEN match UNLESS this unique identifier is generic In his system, a unique identifier might include social security or credit-card numbers, or a passport number, but wouldn't include such values as phone number or date of birth. The term "generic" here means the value has become so widely used (across a predefined number of discreet identities) that one can no longer use this same value to disambiguate one identity from another. [1] However, the approach for the study for the defense data included a merged itemset that combined date of birth, gender, and ethnicity code because of the inability or legal constraint of not being able to use the social security number for identification. Thus, an identifier was developed from a merged itemset after using the SUDA algorithm to identify infrequent itemsets based on data mining [4]. The actual deterministic matching rules for NORA as well as the defense attorney system are much more elaborate in practice because they must explicitly address fuzzy matching to scrub and clean the data as well as address transposition errors in numbers, malformed addresses, and other typographical errors. The current defense attorney agency model has thirty-six rules. Once the data is “cleansed” it is stored and indexed to provide user-friendly views of the data that make it easy for the user to find specific information when performing queries and ad hoc reporting. Then, a datamining algorithm using a combination of binary regression and logit models is run to update patterns for assigning attorneys based on the day’s outcomes [5]. The algorithm identifies patterns for the outcomes and tree structure for attorney and defendant combinations where the attorney “completed the case.” [6] Although matching accuracy is highly dependent on the available data, using the techniques described here achieves the goals of identity resolution, which essentially boil down to accuracy, scalability, and sustainability even in extremely large transactional environments. 5 Relationship Awareness According to Jonas, detecting relationships is vastly simplified when a mechanism for doing so is physically embedded into the identity matching algorithm. Stating the obvious, before analyzing meaningful relationships, the system must be able to resolve unique identities. As such, identity resolution must occur first. Jonas purported that it was computationally efficient to observe relationships at the moment the Identity Resolution in Criminal Justice Data: An Application of NORA 25 identity record is resolved because in-memory residual artifacts (which are required to match an identity) comprise a significant portion of what's needed to determine relevant relationships. Relevant relationships, much like matched identities, were then persisted in the same database. Notably, some relationships are stronger than others; a relationship score that's assigned with each relationship pair captures this strength. For example, living at the same address three times over 10 years should yield a higher score than living at the same address once for three months. As identities are matched and relationships detected, the NORA evaluates userconfigurable rules to determine if any new insight warrants an alert being published as an intelligence alert to a specific system or user. One simplistic way to do this is via conflicting roles. A typical rule for the defense attorney might be notification any time a client rule is associated to a role of victim, witness, co-defendant, or previously represented relative, for example. In this case, associated might mean zero degrees of separation (they're the same person) or one degree of separation (they're roommates). Relationships are maintained in the database to one degree of separation; higher degrees are determined by walking the tree. Although the technology supports searching for any degree of separation between identities, higher orders include many insignificant leads and are thus less useful. 6 Comparative Results This research is an ongoing process to improve the attorney assignment process in the defense attorney offices. As economic times get harder, crime increases and as crimes increase, so do the number of people who require representation by the public defense offices. The ability to quickly identify conflicts of interests reduces the amount of time a person stays in the system and also reduces the time needed to process the case. The original system built to work with the alias/identity matching as called the Court Appointed Counsel System or CACS. CACS identified 83% more conflicts of interests than the indigent defense managers during the initial assignments [2]. Using the merged itemset and an algorithm using NORA’s underlying technology, the conflicts improved from 83% to 87%. But the real improvement came in the processing time. The key to the success of these systems is the ability to update and provide accurate data at a moments notice. Utilizing NORA’s underlying algorithms improved the updating and matching process significantly, allowing for new data to be entered and analyzed within a couple of hours as opposed to the days it took to process using the CACS algorithms. Further, the merged itemset approach helped to provide a unique identifier in 90% of the cases significantly increasing automated relationship identifications. The ability to handle real-time transactional data with sustained accuracy will continue to be of "front and center" importance as organizations seek competitive advantage. The identity resolution technology applied here provides evidence that such technologies can be applied to more than simple fraud detection but also to improve business decision making and intelligence support to entities whose purpose are to make expedient decisions regarding individual identities. 26 Q.E. Booker References 1. Jonas, J.: Threat and Fraud Intelligence, Las Vegas Style. IEEE Security & Privacy 4(06), 28–34 (2006) 2. Booker, Q., Kitchens, F.K., Rebman, C.: A Rule Based Decision Support System Prototype for Assigning Felony Court Appointed Counsel. In: Proceedings of the 2004 Decision Sciences Annual Meeting, Boston, MA (2004) 3. Gross, L.: Are Differences Among the Attorney Conflict of Interest Rules Consistent with Principles of Behavioral Economics. Georgetown Journal of Legal Ethics 19, 111 (2006) 4. Manning, A.M., Haglin, D.J., Keane, J.A.: A Recursive Search Algorithm for Statistical Disclosure Assessment. Data Mining and Knowledge Discovery (accepted, 2007) 5. Kitchens, F.L., Sharma, S.K., Harris, T.: Cluster Computers for e-Business Applications. Asian Journal of Information Systems (AJIS) 3(10) (2004) 6. Forgy, C.: Rete: A Fast Algorithm for the Many Pattern/ Many Object Pattern Match Problem. Artificial Intelligence 19 (1982) PTK: An Alternative Advanced Interface for the Sleuth Kit Dario V. Forte, Angelo Cavallini, Cristiano Maruti, Luca Losio, Thomas Orlandi, and Michele Zambelli The IRItaly Project at DFlabs Italy www.dflabs.com Abstract. PTK is a new open-source tool for all complex digital investigations. It represents an alternative to the well-known but now obsolete front-end Autopsy Forensic Browser. This latter tool has a number of inadequacies taking the form of a cumbersome user interface, complicated case and evidence management, and a non-interactive timeline that is difficult to consult. A number of important functions are also lacking, such as an effective bookmarking system or a section for file analysis in graphic format. The need to accelerate evidence analysis through greater automation has prompted DFLabs to design and develop this new tool. PTK provides a new interface for The Sleuth Kit (TSK) suite of tools and also adds numerous extensions and features, one of which is an internal indexing engine that is capable of carrying out complex evidence pre-analysis processes. PTK was written from scratch using Ajax technology for graphic contents and a MySql database management system server for saving indexing results and investigator-generated bookmarks. This feature allows a plurality of users to work simultaneously on the same or different cases, accessing previously indexed contents. The ability to work in parallel greatly reduces analysis times. These characteristics are described in greater detail below. PTK includes a dedicated “Extension Management” module that allows existing or newly developed tools to be integrated into it, effectively expanding its analysis and automation capacity. Keywords: Computer Forensics, Open Source, SleuthKit, Autopsy Forensic, Incident Response. 1 Multi-investigator Management One of the major features of this software is its case access control mechanism and high level user profiling, allowing more than one investigator to work simultaneously on the same case. The administrator creates new cases and assigns investigators to them, granting appropriate access privileges. The investigators are then able to work in parallel on the same case. PTK user profiling may be used to restrict access to sensitive cases to a handpicked group of investigators or even a single investigator. The advantages of this type of system are numerous: above all, evidence analysis is speeded up by the ability of a team of investigators to work in parallel; secondly, the problem of case synchronization is resolved since all operations reference the same database. Each investigator is also able to save specific notes and references directly relating to his or her activities on a case in a special bookmark section. All user actions are logged in CSV format so that all application activity can be retraced. Furthermore, the administrator is able to manage PTK log files from the interface, viewing the contents in table format and exporting them locally. E. Corchado et al. (Eds.): CISIS 2008, ASC 53, pp. 27–34, 2009. © Springer-Verlag Berlin Heidelberg 2009 springerlink.com 28 D.V. Forte et al. 2 Direct Evidence Analysis As a graphic interface for the TSK suite of tools, PTK inherits all the characteristics of this system, starting with the recognized evidence formats. PTK supports Raw (e.g., dd), Expert Witness (e.g., EnCase) and AFF evidence. Evidence may only be added to a case by the Administrator, who follows a guided three-step procedure: 1. 2. 3. Insertion of information relating to the disk image, such as type and place of acquisition; Selection of the image file and any partitions to be included in the analysis; File hashing (MD5 and SHA1) while adding the image. One important PTK function is automatic recognition of the disk file system and partitions during image selection. PTK also recognizes images in various formats that have been split up. Here the investigator needs only to select one split, since PTK is able to recognize all splits belonging to the same image. PTK and TSK interact directly for various analysis functions which therefore do not require preliminary indexing operations: • File analysis • Data unit analysis • Data export 2.1 File Analysis This section analyzes the contents of files (also deleted files) in the disk image. PTK introduces the important new feature of the tree-view, a dynamic disk directory tree which provides immediate evidence browsing capability. PTK allows multiple files to be opened simultaneously on different tabs to facilitate comparative analysis. The following information is made available to investigators: • • • • • Contents of file in ASCII format; Contents of file in hexadecimal format; Contents of file in ASCII string format; File categorization; All TSK output information: permissions, file name, MAC times, dimensions, UID, GID and inode. 3 Indexing Engine In order to provide the user with the greatest amount of information in the least time possible, an indexing system has been designed and developed for PTK. The objective is to minimize the time needed to recover all file information required in forensic analysis, such as hash values, timeline, type1, and keywords. For small files, indexing may not be necessary since the time required to recover information, such as the MD5 1 The file extension does not determine file type. PTK: An Alternative Advanced Interface for the Sleuth Kit 29 hash, may be negligible. However, if we begin to contemplate files of dimensions on the order of Megabytes these operations begin to slow down, and the wait time for the results becomes excessive. Hence a procedure was developed in which all files are processed into an image, just once, and the result saved in a database. The following indices have been implemented in PTK: • • • • • Timeline File type MD5 SHA1 Keyword search. 4 Indexed Evidence Analysis All analysis functions that require preliminary indexing are collected under the name “Indexed Analysis”, which includes timeline analysis, keyword search and hash comparison. 4.1 Timeline Analysis The disk timeline helps the investigator concentrate on the areas of the image where evidence may be located. It displays the chronological succession of actions carried out on allocated and non-allocated files. These actions are traced by means of analysis of the metadata known as MAC times (Modification, Access, and Creation, depending on file system2). PTK allows investigators to analyze the timeline by means of time filters. The time unit, in relation to the file system, is on the order of one second. The investigators have two types of timelines at their disposal: one in table format and one in graphic format. The former allows investigators to view each single timeline entry, which are organized into fields (time and date, file name, actions performed, dimension, permissions) and provide direct access to content analysis or export operations. The latter is a graphic representation plotting the progress of each action (MAC times) over a given time interval. This is a useful tool for viewing file access activity peaks. 4.2 Keyword Search The indexing process generates a database of keywords which makes it possible to carry out high performance searches in real time. Searches are carried out by means of the direct use of strings or the creation of regular expressions. The interface has various templates of regular expressions that the user can use and customize. The search templates described by regular expressions are memorized in text files and thus can be customized by users. 2 This information will have varying degrees of detail depending on file system type. For example, FAT32 does not record the time of last access to a file, but only the date. As a result, in the timeline analysis phase, this information will be displayed as 00:00:00. 30 D.V. Forte et al. 4.3 Hash Set Manager and Comparison Once the indexing process has been completed, PTK generates a MD5 or SHA1 hash value for each file present in the evidence: these values are used in comparisons with hash sets (either public or user-generated), making it possible to determine whether a file belongs to the “known good” or “known bad” category. Investigators can also use this section to import the contents of Rainbow Tables in order to compare a given hash, perhaps one recovered via a keyword search, with those in the hash set. 5 Data Carving Process Data carving seeks files or other data structures in an incoming data flow, based on contents rather than on the meta information that a file system associates with each file or directory. The initial approach chosen for PTK is based on the techniques of Header/Footer carving and Header/Maximum (file) size carving3. The PTK indexing step provides for the possibility of enabling data carving for the non-allocated space of evidence imported into the case. It is possible to directly configure the data carving module by adding or eliminating entries based on the headers and footers used in carving. However, the investigator can also set up custom search patterns directly from the interface. This way the investigator can search for patterns not only in order to find files, by means of new headers and footers, but also to find file contents. The particular structure of PTK allows investigators to run data carving operations also on evidence consisting of a RAM dump. Please note that the data carving results are not saved directly in the database, only the references to the data identified during the process are saved. The indexing process uses matching headers and footers also for the categorization of all the files in the evidence. The output of this process allows the analyzed data to be subdivided into different categories: • • • • Documents (Word, Excel, ASCII, etc.) Graphic or multimedia content (images, video, audio) Executable programs Compressed or encrypted data (zip, rar, etc.) 6 Bookmarking and Reporting The entire analysis section is flanked by a bookmarking subsystem that allows investigators to bookmark evidence at any time. All operations are facilitated by the backend MySql database, and so there is no writing of data locally in the client file system. When an investigator saves a bookmark, the reference to the corresponding evidence is written in the database, in terms of inodes and sectors, without any data being transferred from the disk being examined to the database. Each bookmark is also associated with a tag specifying the category and a text field for any user notes. Each investigator has a private bookmark management section, which can be used, at the investigator’s total discretion, to share bookmarks with other users. 3 Based on Simson, Garfinkel and Joachim Metz taxonomy. PTK: An Alternative Advanced Interface for the Sleuth Kit 31 Reports are generated automatically on the basis of the bookmarks saved by the user. PTK provides for two report formats: html and PDF. Reports are highly customizable in terms of graphics (header, footer, logos) and contents, with the option of inserting additional fields for enhanced description and documentation of the investigation results. 7 PTK External Modules (Extensions) This PTK section allows users to use external tools for the execution of various tasks. It is designed to give the application the flexibility of performing automatic operations on different operating systems, running data search or analysis processes and recovering deleted files. The “PTK extension manager” creates an interface between third-party tools and the evidence management system and runs various processes on them. The currently enabled extensions provide for: Memory dump analysis, Windows registry analysis, OS artifact recovery. The first extension provides PTK with the ability to analyze the contents of RAM dumps. This feature allows both evidence from long-term data storage media and evidence from memory dumps to be associated with a case, thus allowing important information to be extracted, such as a list of strings in memory, which could potentially contain passwords to be used for the analysis of protected or encrypted archives found on the disk. The registry analysis extension gives PTK the capability of recognizing and interpreting a Microsoft Windows registry file and navigating within it with the same facility as the regedit tool. Additionally, PTK provides for automatic search within the most important sections of the registry and generation of output results. The Artifact Recovery extension was implemented in order to reconstruct or recover specific contents relating to the functions of an operating system or its components or applications. The output from these automatic processes can be included among the investigation bookmarks. PTK extensions do not write their output to the database in order to prevent it from becoming excessively large. User-selected output from these processes may be included in the bookmark section in the database. If bookmarks are not created before PTK is closed, the results are lost. 8 Comparative Assessment The use of Ajax in the development of PTK has drastically reduced execution times on the server side and, while delegating part of the code execution to the client, has reduced user wait times by minimizing that amount of information loaded into pages. An assessment was carried out to obtain a comparison of the performance of PTK versus Autopsy Forensic Browser. Given that these are two web-based applications using different technologies, it is not possible to make a direct, linear comparison of performance. For these reasons, it is useful to divide the assessment into two parts: the first highlights the main differences in the interfaces, examining the necessary user procedures; the second makes a closer examination of the performance of the PTK indexing 32 D.V. Forte et al. Table 1. Action New case creation Investigator assignment Image addition Image integrity verification Evidence analysis Autopsy You click “New case” and a new page is loaded where you add the case name, description, and assigned investigator names (text fields). Pages loaded: 2 Investigators are assigned to the case when it is created. However, these are only text references. You select a case and a host and then click “Add image file”. A page is displayed where you indicate the image path (manually) and specify a number of import parameters. On the next page, you specify integrity control operations and select the partitions. Then you click “Add”. Pages loaded: 6 After selecting the case, the host and the image, you click “Image integrity”. The next page allows you to create an MD5 hash of the file and to verify it on request. Pages loaded: 4 After selecting the case, the host and the image, you click “Analyze” to access the analysis section. Pages loaded: 4 After selecting the case, the host and the image, you click “File activity time lines”. You then have to create a data Evidence timeline file by providing appropriate creation parameters and create the timeline file based on the file thus generated. Pages loaded: 8 After selecting the case, the host and the image, you click “Details”. On the next page you click “Extract String extraction strings” to run the process. Pages loaded: 5 PTK You click “Add new case” and a modal form is opened where it is sufficient to provide a case name and brief description. Pages loaded: 1 You click on the icon in the case table to access the investigator management panel. These assignments represent bona fide user profiles. In the case table, you click on the image management icon and then click “Add new image”. A modal form opens with a guided 3-step process for adding the image. Path selection is based on automatic folder browsing. Pages loaded: 1 You open image management for a case and click “Integrity check”. A panel opens where you can generate and/or verify both MD5 and SHA1 hashes. Pages loaded: 1 After opening the panel displaying the images in a case, you click the icon “Analyze image” to access the analysis section. Pages loaded: 1 You open image management for a case and click on the indexing icon. The option of generating a timeline comes up and the process is run. The timeline is saved in the database and is available during analyses. Pages loaded: 1 You open image management for a case and click on the indexing icon. The option of extracting strings comes up and the process is run. All ASCII strings for each image file are saved in the database. Pages loaded: 1 engine, providing a more technical comparison on the basis of such objective parameters as command execution, parsing, and output presentation times. 8.1 Interface The following comparative assessment of Autopsy and PTK (Table 1) highlights the difference on the interface level, evaluated in terms of number of pages loaded for the execution of the requested action. All pages (and thus the steps taken by the user) are counted starting from and excluding the home page of each application. PTK: An Alternative Advanced Interface for the Sleuth Kit 33 Table 2. Action Timeline generation Keyword extraction File hash generation Autopsy PTK 54” + 2” 18” 8’ 10” 8’ 33” Autopsy manages the hash values (MD5) for each file on the directory level. The hash generation operation must therefore be run from the file analysis page, however, this process does not save any of the generated hash values. PTK optimizes the generation of file hashes via indexing operations, eliminating wait time during analysis and making the hash values easy to consult. 8.2 Indexing Performance The following tests were performed on the same evidence: File system: FAT32; Dimension: 1.9 Gb; Acquisition: dd. A direct comparison (Table 2) can be made for timeline generation and keyword extraction in terms of how many seconds are required to perform the operations. 9 Conclusions and Further Steps The main idea behind the project was to provide an “alternative” interface to the TSK suite so as to offer a new and valid open source tool for forensic investigations. We use the term “alternative” because PTK was not designed to be a completely different software from its forerunner, Autopsy, but a product that seeks to improve the performance of existing functions and resolve any inadequacies. The strong point of this project is thus the careful initial analysis of Autopsy Forensic Browser, which allowed developers to establish the bases for a robust product that represents a real step forward. Future developments of the application will certainly include: • Integration of new tools as extensions of the application in order to address a greater number of analysis types within the capabilities of PTK. • Creation of customized installation packages for the various platforms. • Adaption of style sheets to all browser types in order to extend the portability of the tool. References 1. Carrier, Brian: File System Forensic Analysis. Addison Wesley, Reading (2005) 2. Carrier, Brian: Digital Forensic Tool Testing Images (2005), http://dftt.sourceforge.net 3. Carvey, Harlan: Windows Forensic Analysis. Syngress (2007) 34 D.V. Forte et al. 4. Casey, Eoghan: Digital Evidence and Computer Crime. Academic Press, London (2004) 5. Garfinkel, Simson: Carving Contiguous and Fragmented Files with Fast Object Validation. In: Digital Forensics Workshop (DFRWS 2007), Pittsburgh, PA (August 2007) 6. Jones, Keith, J., Bejtlich, Richard, Rose, Curtis, W.: Real Digital Forensics: Computer Security and Incident Response. Addison-Wesley, Reading (2005) 7. Schwartz, Randal, L., Phoenix, Tom: Learning Perl. O’Reilly, Sebastopol (2001) 8. The Sleuthkit documentation, http://www.sleuthkit.org/ 9. Forte, D.V.: The State of the Art in Digital Forensics. Advances in Computers 67, 254– 300 (2006) 10. Forte, D.V., Maruti, C., Vetturi, M.R., Zambelli, M.: SecSyslog: an Approach to Secure Logging Based on Covert Channels. In: SADFE 2005, 248–263 (2005) Stalker, a Multilingual Text Mining Search Engine for Open Source Intelligence F. Neri1 and M. Pettoni2 1 Lexical Systems Department, Synthema, Via Malasoma 24, 56121 Ospedaletto – Pisa, Italy [email protected] 2 CIFI/GE, II Information and Security Department (RIS), Stato Maggiore Difesa, Rome, Italy Abstract. Open Source Intelligence (OSINT) is an intelligence gathering discipline that involves collecting information from open sources and analyzing it to produce usable intelligence. The international Intelligence Communities have seen open sources grow increasingly easier and cheaper to acquire in recent years. But up to 80% of electronic data is textual and most valuable information is often hidden and encoded in pages which are neither structured, nor classified. The process of accessing all these raw data, heterogeneous in terms of source and language, and transforming them into information is therefore strongly linked to automatic textual analysis and synthesis, which are greatly related to the ability to master the problems of multilinguality. This paper describes a content enabling system that provides deep semantic search and information access to large quantities of distributed multimedia data for both experts and general public. STALKER provides with a language independent search and dynamic classification features for a broad range of data collected from several sources in a number of culturally diverse languages. Keywords: open source intelligence, focused crawling, natural language processing, morphological analysis, syntactic analysis, functional analysis, supervised clustering, unsupervised clustering. 1 Introduction Open Source Intelligence (OSINT) is an intelligence gathering discipline that involves collecting information from open sources and analyzing it to produce usable intelligence. The specific term “open” refers to publicly available sources, as opposed to classified sources. OSINT includes a wide variety of information and sources. With the Internet, the bulk of predictive intelligence can be obtained from public, unclassified sources. The revolution in information technology is making open sources more accessible, ubiquitous, and valuable, making open intelligence at less cost than ever before. In fact, monitors no longer need an expensive infrastructure of antennas to listen to radio, watch television or gather textual data from Internet newspapers and magazines. The availability of a huge amount of data in the open sources information channels leads to the well-identified modern paradox: an overload of information means, most of the time, a no usable knowledge. Besides, open source texts are - and will be - written in various native languages, but these documents are relevant even to non-native E. Corchado et al. (Eds.): CISIS 2008, ASC 53, pp. 35–42, 2009. springerlink.com © Springer-Verlag Berlin Heidelberg 2009 36 F. Neri and M. Pettoni speakers. Independent information sources can balance the limited information normally available, particularly if related to non-cooperative targets. The process of accessing all these raw data, heterogeneous both for type (web pages, crime reports), source (Internet/Intranet, database, etc), protocol (HTTP/HTTPS, FTP, GOPHER, IRC, NNTP, etc) and language used, transforming them into information, is therefore inextricably linked to the concepts of textual analysis and synthesis, hinging greatly on the ability to master the problems of multilinguality. 1.1 State of Art Current-generation information retrieval (IR) systems excel with respect to scale and robustness. However, if it comes to deep analysis and precision, they lack power. Users are limited by keywords search, which is not sufficient if answers to complex problems are sought. This becomes more acute when knowledge and information are needed from diverse linguistic and cultural backgrounds, so that both problems and answers are necessarily more complex. Developments in the IR have mostly been restricted to improvements in link and click analysis or smart query expansion or profiling, rather than focused on a deeper analysis of text and the building of smarter indexes. Traditionally, text and data mining systems can be seen as specialized systems that convert more complex information into a structured database, allowing people to find knowledge rather than information. For some domains, text mining applications are well-advanced, for example in the domains of medicine, military and intelligence, and aeronautics [1], [15]. In addition to domain-specific miners, general technology has been developed to detect Named Entities [2], co-reference relations, geographical data [3], and time points [4]. The field of knowledge acquisition is growing rapidly with many enabling technologies being developed that eventually will approach Natural Language Understanding (NLU). Despite much progress in Natural Language Processing (NLP), the field is still a long way from language understanding. The reason is that full semantic interpretation requires the identification of every individual conceptual component and the semantic roles it play. In addition, understanding requires processing and knowledge that goes beyond parsing and lexical lookup and that is not explicitly conveyed by linguistic elements. First, contextual understanding is needed to deal with the omissions. Ambiguities are a common aspect of human communication. Speakers are cooperative in filling gaps and correcting errors, but automatic systems are not. Second, lexical knowledge does not provide background or world knowledge, which is often required for non-trivial inferences. Any automatic system trying to understand a simple sentence will require - among others - accurate capabilities for Named Entity Recognition and Classification (NERC), full Syntactic Parsing, Word Sense Disambiguation (WSD) and Semantic Role Labeling (SRL) [5]. Current baseline information systems are either large-scale, robust but shallow (standard IR systems), or they are small-scale, deep but ad hoc (Semantic-Web ontology-based systems). Furthermore, these systems are maintained by experts in IR, ontologies or languagetechnology and not by the people in the field. Finally, hardly any of the systems is multilingual, yet alone cross-lingual and definitely not cross-cultural. The next table gives a comparison across different state-of-the-art information systems, where we compare ad-hoc Semantic web solutions, wordnet-based information systems and tradition information retrieval with STALKER [6]. Stalker, a Multilingual Text Mining Search Engine for Open Source Intelligence 37 Table 1. Comparison of semantic information systems Features Semantic web Wordnet-based Traditional STALKER Information retrieval Large scale and multiple domains NO YES YES YES Deep semantics YES NO NO YES Automatic acquisition/indexing NO YES/NO YES YES Multi-lingual NO YES YES YES Cross-lingual NO YES NO YES Data and fact mining YES NO NO YES 2 The Logical Components The system is built on the following components: − a Crawler, an adaptive and selective component that gathers documents from Internet/Intranet sources. − a Lexical system, which identifies relevant knowledge by detecting semantic relations and facts in the texts. − a Search engine that enables Functional, Natural Language and Boolean queries. − a Classification system which classifies search results into clusters and sub-clusters recursively, highlighting meaningful relationships among them. 2.1 The Crawler In any large company or public administration the goal of aggregating contents from different and heterogeneous sources is really hard to be accomplished. Searchbox is a multimedia content gathering and indexing system, whose main goal is managing huge collections of data coming from different and geographically distributed information sources. Searchbox provides a very flexible and high performance dynamic indexing for content retrieval [7], [8], [9]. The gathering activities of Searchbox are not limited to the standard Web, but operate also with other sources like remote databases by ODBC, Web sources by FTP-Gopher, Usenet news by NNTP, WebDav and SMB shares, mailboxes by POP3-POP3/S-IMAP-IMAP/S, file systems and other proprietary sources. Searchbox indexing and retrieval system does not work on the original version of data, but on the “rendered version”. For instance, the features renedered and extracted from a portion of text might be a list of words/lemmas/ concepts, while the extraction of features from a bitmap image might be extremely sophisticated. Even more complex sources, like video, might be suitably processed so as to extract a textual-based labeling, which can be based on both the recognition of speech and sounds. All of the extracted and indexed features can be combined in the query language which is available in the user interface. Searchbox provides default plug-ins to extract text from most common types of documents, like HTML, XML, TXT, PDF, PS and DOC. Other formats can be supported using specific plugins. 38 F. Neri and M. Pettoni 2.2 The Lexical System This component is intended to identify relevant knowledge from the whole raw text, by detecting semantic relations and facts in texts. Concept extraction and text mining are applied through a pipeline of linguistic and semantic processors that share a common ground and a knowledge base. The shared knowledge base guarantees a uniform interpretation layer for the diverse information from different sources and languages. Fig. 1. Lexical Analysis The automatic linguistic analysis of the textual documents is based on Morphological, Syntactic, Functional and Statistical criteria. Recognizing and labeling semantic arguments is a key task for answering Who, When, What, Where, Why questions in all NLP tasks in which some kind of semantic interpretation is needed. At the heart of the lexical system is the McCord's theory of Slot Grammar [10]. A slot, explains McCord, is a placeholder for the different parts of a sentence associated with a word. A word may have several slots associated with it, forming a slot frame for the word. In order to identify the most relevant terms in a sentence, the system analyzes it and, for each word, the Slot Grammar parser draws on the word's slot frames to cycle through the possible sentence constructions. Using a series of word relationship tests to establish the context, the system tries to assign the context-appropriate meaning to each word, determining the meaning of the sentence. Each slot structure can be partially or fully instantiated and it can be filled with representations from one or more statements to incrementally build the meaning of a statement. This includes most of the treatment of coordination, which uses a method of ‘factoring out’ unfilled slots from elliptical coordinated phrases. The parser - a bottom-up chart parser - employs a parse evaluation scheme used for pruning away unlikely analyses during parsing as well as for ranking final analyses. By including semantic information directly in the dependency grammar structures, the system relies on the lexical semantic information combined with functional relations. The detected terms are then extracted, reduced to their Part Of Speech1 and 1 Noun, Verb, Adjective, Adverb, etc. Stalker, a Multilingual Text Mining Search Engine for Open Source Intelligence 39 Functional2 tagged base form [12]. Once referred to their synset inside the domain dictionaries, they are used as documents metadata [12], [13], [14]. Each synset denotes a concept that can be referred to by its members. Synsets are interlinked by means of semantic relations, such as the super-subordinate relation, the part-whole relation and several lexical entailment relations. 2.3 The Search Engine 2.3.1 Functional Search Users can search and navigate by roles, exploring sentences and documents by the functional role played by each concept. Users can navigate on the relations chart by simply clicking on nodes or arches, expanding them and having access to set of sentences/documents characterized by the selected criterion. Fig. 2. Functional search and navigation This can be considered a visual investigative analysis component specifically designed to bring clarity to complex investigations. It automatically enables investigative information to be represented as visual elements that can be easily analyzed and interpreted. Functional relationships - Agent, Action, Object, Qualifier, When, Where, How - among human beings and organizations can be searched for and highlighted, pattern and hidden connections can be instantly revealed to help investigations, promoting efficiency into investigative teams. Should human beings be cited, their photos can be shown by simple clicking on the related icon. 2.3.2 Natural Language Search Users can search documents by query in Natural Language, expressed using normal conversational syntax, or by keywords combined by Boolean operators. Reasoning over facts and ontological structures makes it possible to handle diverse and more complex types of questions. Traditional Boolean queries in fact, while precise, require strict interpretation that can often exclude information that is relevant to user interests. So this is the reason why the system analyzes the query, identifying the most relevant terms contained and their semantic and functional interpretation. By mapping a query 2 Agent, Object, Where, Cause, etc. 40 F. Neri and M. Pettoni to concepts and relations very precise matches can be generated, without the loss of scalability and robustness found in regular search engines that rely on string matching and context windows. The search engine returns as result all the documents which contain the query concepts/lemmas in the same functional role as in the query, trying to retrieve all the texts which constitute a real answer to the query. Fig. 3. Natural language query and its functional and conceptual expansion Results are then displayed and ranked by relevance, reliability and credibility. Fig. 4. Search results 2.4 The Clustering System The automatic classification of results is made by TEMIS Insight Discoverer Categorizer and Clusterer, fulfilling both the Supervised and Unsupervised Classification schemas. The application assigns texts to predefined categories and dynamically discovers the groups of documents which share some common traits. 2.4.1 Supervised Clustering The categorization model was created during the learning phase, on representative sets of training documents focused documents focused on news about Middle East North Africa, Balkans, East Europe, International Organizations and ROW (Rest Of the World). The bayesian method was used as the learning method: the probabilist classification model was built on around 1.000 documents. The overall performance Stalker, a Multilingual Text Mining Search Engine for Open Source Intelligence 41 measures used were Recall (number of categories correctly assigned divided by the total number of categories that should be assigned) and Precision (number of categories correctly assigned divided by total number of categories assigned): in our tests, they were 75% and 80% respectively. 2.4.2 Unsupervised Clustering Result documents are represented by a sparse matrix, where lines and columns are normalized in order to give more weight to rare terms. Each document is turned to a vector comparable to others. Similarity is measured by a simple cosines calculation between document vectors, whilst clustering is based on the K-Means algorithm. The application provides a visual summary of the clustering analysis. A map shows the different groups of documents as differently sized bubbles and the meaningful correlation among them as lines drawn with different thickness. Users can search inside topics, project clusters on lemmas and their functional links. Fig. 5. Thematic map, functional search and projection inside topics 3 Conclusions This paper describes a Multilingual Text Mining platform for Open Source Intelligence, adopted by Joint Intelligence and EW Training Centre (CIFIGE) to train the military and civilian personnel of Italian Defence in the OSINT discipline. Multilanguage Lexical analysis permits to overcome linguistic barriers, allowing the automatic indexation, simple navigation and classification of documents, whatever it might be their language, or the source they are collected from. This approach enables the research, the analysis, the classification of great volumes of heterogeneous documents, helping intelligence analysts to cut through the information labyrinth. References 1. Grishman, R., Sundheim, B.: Message Understanding Conference - 6: A Brief History. In: Proceedings of the 16th International Conference on Computational Linguistics (COLING), I, Kopenhagen, pp. 466–471 (1996) 42 F. Neri and M. Pettoni 2. Hearst, M.: Untangling Text Data Mining. In: ACL 1999. University of Maryland, June 20-26 (1999) 3. Miller, H.J., Han, J.: Geographic Data Mining and Knowledge Discovery. CRC Press, Boca Raton (2001) 4. Wei, L., Keogh, E.: Semi-Supervised Time Series Classification, SIGKDD (2006) 5. Carreras, X., Màrquez, L.: Introduction to the CoNLL-2005 Shared Task: Semantic Role Labeling. In: CoNLL 2005, Ann Arbor, MI, USA (2005) 6. Vossen, P., Neri, F., et al.: KYOTO: A System for Mining, Structuring, and Distributing Knowledge Across Languages and Cultures. In: Proceedings of GWC 2008, The Fourth Global Wordnet Conference, Szeged, Hungary, January 2008, pp. 22–25 (2008) 7. Baldini, N., Bini, M.: Focuseek searchbox for digital content gathering. In: AXMEDIS 2005 - 1st International Conference on Automated Production of Cross Media Content for Multi-channel Distribution, Proceedings Workshop and Industrial, pp. 24–28 (2005) 8. Baldini, N., Gori, M., Maggini, M.: Mumblesearch: Extraction of high quality Web information for SME. In: 2004 IEEE/WIC/ACM International Conference on Web Intelligence (2004) 9. Diligenti, M., Coetzee, F.M., Lawrence, S., Giles, C.L., Gori, M.: Focused Crawling Using Context Graphs. In: Proceedings of 26th International Conference on Very Large Databases, VLDB, September 2000, pp. 10–12 (2000) 10. McCord, M.C.: Slot Grammar: A System for Simpler Construction of Practical Natural Language Grammars Natural Language and Logic 1989, pp. 118–145 (1989) 11. McCord, M.C.: Slot Grammars. American Journal of Computational Linguistics 6(1), 31– 43 (1980) 12. Marinai, E., Raffaelli, R.: The design and architecture of a lexical data base system. In: COLING 1990, Workshop on advanced tools for Natural Language Processing, Helsinki, Finland, August 1990, p. 24 (1990) 13. Cascini, G., Neri, F.: Natural Language Processing for Patents Analysis and Classification. In: ETRIA World Conference, TRIZ Future 2004, Florence, Italy (2004) 14. Neri, F., Raffaelli, R.: Text Mining applied to Multilingual Corpora. In: Sirmakessis, S. (ed.) Knowledge Mining: Proceedings of the NEMIS 2004 Final Conference. Springer, Heidelberg (2004) 15. Baldini, N., Neri, F.: A Multilingual Text Mining based content gathering system for Open Source Intelligence. In: IAEA International Atomic Energy Agency, Symposium on International Safeguards: Addressing Verification Challenges, Wien, Austria, IAEA-CN148/192P, Book of Extended Synopses, October 16-20, 2006, pp. 368–369 (2006) Computational Intelligence Solutions for Homeland Security Enrico Appiani and Giuseppe Buslacchi Elsag Datamat spa, via Puccini 2, 16154 Genova, Italy {Enrico.Appiani,Giuseppe.Buslacchi}@elsagdatamat.com Abstract. On the basis of consolidated requirements from international Polices, Elsag Datamat has developed an integrated tool suite, supporting all the main Homeland Security activities like operations, emergency response, investigation and intelligence analysis. The last support covers the whole “Intelligence Cycle” along its main phases and integrates a wide variety of automatic and semi-automatic tools, coming from both original company developments and from the market (COTS), in a homogeneous framework. Support to Analysis phase, most challenging and computing-intensive, makes use of Classification techniques, Clustering techniques, Novelty Detection and other sophisticated algorithms. An innovative and promising use of Clustering and Novelty Detection, supporting the analysis of “information behavior”, can be very useful to the analysts in identifying relevant subjects, monitoring their evolution and detecting new information events who may deserve attention in the monitored scenario. 1 Introduction Modern Law Enforcement Agencies experiment challenging and contrasting needs: on one side, the Homeland Security mission has become more and more complex, due to many national and international factors such as stronger crime organization, asymmetric threats, the complexity of civil and economic life, the criticality of infrastructures, and the rapidly growing information environment; on the other side, the absolute value of public security is not translated in large resource availability for such Agencies, which must cope with similar problems as business organizations, namely to conjugate the results with the search of internal efficiency, clarity of roles, careful programming and strategic resource allocation. Strategic programming for security, however, is not a function of business, but rather of the evolution of security threats, whose prevision and prevention capability has a double target: externally to an Agency, improving the coordination and the public image to the citizen, for better enforcing everyone’s cooperation to civil security; internally, improving the communication between corps and departments, the individual motivation through better assignation of roles and missions, and ultimately the efficiency of Law Enforcement operations. Joining good management of resources, operations, prevention and decisions translates into the need of mastering internal and external information with an integrated approach, in which different tools cooperate to a common, efficient and accurate information flow, from internal management to external intelligence, from resource allocation to strategic security decisions. E. Corchado et al. (Eds.): CISIS 2008, ASC 53, pp. 43–52, 2009. springerlink.com © Springer-Verlag Berlin Heidelberg 2009 44 E. Appiani and G. Buslacchi The rest of the paper describes an integrated framework trying to enforce the above principles, called Law Enforcement Agency Framework (LEAF) by Elsag Datamat, whose tools are in use by National Police and Carabinieri, and still under development for both product improvement and new shipments to national and foreign Agencies. Rather than technical details and individual technologies, this work tries to emphasize their flexible integration, in particular for intelligence and decision support. Next sections focus on the following topics: LEAF architecture and functions, matching the needs of Law Enforcement Agencies; the support to Intelligence and Investigations, employing a suite of commercial and leading edge technologies; the role of Clustering and Semantic technology combination in looking for elements of known or novel scenarios in large, unstructured and noisy document bases; and some conclusions with future perspectives. 2 Needs and Solutions for Integrated Homeland Security Support Polices of advanced countries have developed or purchased their own IT support to manage their operations and administration. US Polices, facing their multiplicity (more than one Agency for each State), have focused on common standards for Record Management System (RMS) [1], in order to exchange and analyze data of Federal importance, such as criminal records. European Polices generally have their own IT support and are improving their international exchange and integration, also thanks to the Commission effort for a common European Security and Defense Policy [3], including common developments in the FP7 Research Program and Europol [2], offering data and services for criminal intelligence. At the opposite end, other Law Enforcement Agencies are building or completely replacing their IT support, motivated by raising security challenges and various internal needs, such as improving their organizations, achieving more accurate border control and fighting international crime traffics more effectively. Elsag Datamat’s LEAF aims at providing an answer to both Polices just improving their IT support and Polices requiring complete solutions, from base IT infrastructure to top-level decision support. LEAF architecture includes the following main functions, from low to high level information, as illustrated in Fig. 1: • • • • • Infrastructure – IT Information Equipments, Sensors, Network, Applications and Management; Administration – Enterprise Resource Planning (ERP) for Agency personnel and other resources; Operations – support to Law Enforcement daily activities through recording all relevant events, decisions and document; Emergency – facing and resolving security compromising facts, with real-time and efficient resource scheduling, with possible escalation to crises; Intelligence – support to crime prevention, investigation and security strategy, through a suite of tools to acquire, process, analyze and disseminate useful information, Computational Intelligence Solutions for Homeland Security 45 Fig. 1. LEAF Functional and Layered Architecture We can now have a closer look to each main function, just to recall which concrete functionalities lay behind our common idea of Law Enforcement. 2.1 Infrastructure The IT infrastructure of a Police can host applications of similar complexity to business ones, but with more critical requirements of security, reliability, geographical articulation and communication with many fixed and mobile users. This requires the capability to perform most activities for managing complex distributed IT systems: • Infrastructure management • Service management • Geographic Information System Common Geo-processing Service for the other applications in the system 2.2 Administration This has the same requirements of personnel, resource and budget administration of multi-site companies, with stronger needs for supporting mission continuity. • Enterprise Resource Planning (human resources, materials, vehicles, infrastructures, budget, procurement, etc.) 2.3 Operations The Operations Support System is based on RMS implementation, partly inspired to the American standard, recording all actors (such as people, vehicles and other objects), events (such as incidents, accidents, field interviews), activities (such as arrest, booking, wants and warrants) and documents (such as passports and weapon licenses) providing a common information ground to everyday tasks and to the operations of the upper level (emergency and intelligence). In other words, this is the fundamental database of LEAF, whose data and services can be split as follows: • Operational activity (events and actors) • Judicial activity (support to justice) • Administrative activity (support to security administration) 46 E. Appiani and G. Buslacchi 2.4 Emergencies This is the core Police activity for reaction to security-related emergencies, whose severity and implications can be very much different (e.g. from small robberies to large terrorist attacks). An emergency alarm can be triggered in some different ways: by the Police itself during surveillance and patrolling activity; by sensor-triggered automatic alarms; by citizen directly signaling events to Agents; and by citizen calling a security emergency telephone number, such as 112 or 113 in Italy. IT support to organize a proper reaction is crucial, for saving time and choosing the most appropriate means. • Call center and Communications • Emergency and Resource Management 2.5 Intelligence This is the core support to prevention (detecting threats before they are put into action) and investigation (detecting the authors and the precise modalities of committed crimes); besides, it provides statistical and analytical data for understanding the evolution of crimes and takes strategic decisions for next Law Enforcement missions. More accurate description is demanded to the next section. 3 Intelligence and Investigations Nowadays threats are asymmetric, international, aiming to strike more than to win, and often moved by individuals or small groups. Maintenance of Homeland Security requires, much more than before, careful monitoring of every information sources through IT support, with a cooperating and distributed approach, in order to perform the classical Intelligence cycle on two basic tasks: • Pursuing Intelligence targets – performing research on specific military or civil targets, in order to achieve timely and accurate answers, moreover to prevent specific threats before they are realized; • Monitoring threats – listening to Open, Specialized and Private Sources, to capture and isolate security sensitive information possibly revealing new threats, in order to generate alarms and react with mode detailed investigation and careful prevention. In addition to Intelligence tasks, • Investigation relies on the capability to collect relevant information on past events and analyze it in order to discover links and details bringing to the complete situation picture; • Crisis management comes from emergency escalation, but requires further capabilities to simulate the situation evolution, like intelligence, and understand what has just happened, like investigations. Computational Intelligence Solutions for Homeland Security 47 The main Intelligence support functions are definable as follows: • Information source Analysis and Monitoring – the core information collection, processing and analysis • Investigation and Intelligence – the core processes • Crisis, Main events and Emergencies Management – the critical reaction to large events • Strategies, Management, Direction and Decisions – understand and forecast the overall picture Some supporting technologies are the same across the supporting functions above. In fact, every function involves a data processing flow, from sources to the final report, which can have similar steps as other flows. This fact shows that understanding the requirements, modeling the operational scenario and achieving proper integration of the right tools, are much more important steps that just acquiring a set of technologies. Another useful viewpoint to focus on the data processing flow is the classical Intelligence cycle, modeled with similar approach by different military (e.g. NATO rules and practices for Open Source Analysis [4] and Allied Joint Intelligence [5]) and civil institutions, whose main phases are: • Management - Coordination and planning, including resource and task management, mission planning (strategy and actions to take for getting the desired information) and analysis strategy (approach to distil and analyze a situation from the collected information). Employs the activity reports to evaluate results and possibly reschedule the plan. • Collection - Gathering signals and raw data from any relevant source, acquiring them in digital format suitable for next processing. • Exploiting - Processing signals and raw data in order to become useful “information pieces” (people, objects, events, locations, text documents, etc.) which can be labeled, used as indexes and put into relation. • Processing - Processing information pieces in order to get their relations and aggregate meaning, transformed and filtered at light of the situation to be analyzed or discovered. This is the most relevant support to human analysis, although in many cases this is strongly based on analyst experience and intuition. • Dissemination - This does not mean diffusion to a large public, but rather aggregating the analysis outcomes in suitable reports which can be read and exploited by decision makers, with precise, useful and timely information. The Intelligence process across phases and input data types can be represented by a pyramidal architecture of contributing tools and technologies, represented as boxes in fig. 2, not exhaustive and not necessarily related to the corresponding data types (below) and Intelligence steps (on the left). The diagram provides a closer look to the functions supporting for the Intelligence phases, some of which are, or are becoming, commercial products supporting in particular Business Intelligence, Open Source analysis and the Semantic Web. An example of industrial subsystem taking part in this vision is called IVAS, namely Integrated Video Archiving System, capable to receive a large number of radio/TV channels (up to 60 in current configurations), digitize them with both Web 48 E. Appiani and G. Buslacchi Fig. 2. The LEAF Intelligence architecture for integration of supporting technologies stream and high quality (DVD) data rates, store them in a disk buffer, allow the operators to browse the recorded channels and perform both manual and automatic indexing, synthesize commented emissions or clips, and archive or publish such selected video streams for later retrieval. IVAS manages Collection and Exploiting phases with Audio/Video data, and indirectly supports the later processing. Unattended indexing modules include Face Recognition, Audio Transcription, Tassonomic and Semantic Recognition. IVAS implementations are currently working for the Italian National Command Room of Carabinieri and for the Presidency of Republic. In summary, this section has shown the LEAF component architecture and technologies to support Intelligence and Investigations. The Intelligence tasks look at future scenarios, already known or partially unknown. Support to their analysis thus requires a combination of explicit knowledge-based techniques and inductive, implicit information extraction, as it being studied with the so called Hybrid Artificial Intelligence Systems (HAIS). An example of such combination is shown in the next section. Investigation tasks, instead, aim at reconstruct past scenarios, thus requiring the capability to model them and look for their related information items through text and multimedia mining on selected sources, also involving explicit knowledge processing, ontology and conceptual networks. 4 Inductive Classification for Non-structured Information Open sources are heterogeneous, unstructured, multilingual and often noisy, in the sense of being possibly written with improper syntax, various mistakes, automatic translation, OCR and other conversion techniques. Open sources to be monitored include: press selections, broadcast channels, Web pages (often from variable and short-life sites), blogs, forums, and emails. All them may be acquired in form of Computational Intelligence Solutions for Homeland Security 49 documents of different formats and types, either organized in renewing streams (e.g. forums, emails) or specific static information, at most updated over time. In such a huge and heterogeneous document base, classical indexing and text mining techniques may fail in looking for and isolating relevant content, especially with unknown target scenarios. Inductive technologies can be usefully exploited to characterize and classify a mix of information content and behavior, so as to classify sources without explicit knowledge indexing, acknowledge them based on their style, discover recurring subjects and detect novelties, which may reveal new hidden messages and possible new threats. Inductive clustering of text documents is achieved with source filtering, feature extraction and clustering tools based on Support Vector Machines (SVM) [7], through a list of features depending on both content (most used words, syntax, semantics) and style (such as number of words, average sentence length, first and last words, appearance time or refresh frequency). Documents are clustered according to their vector positions and distances, trying to optimize the cluster number by minimizing a distortion cost function, so as to achieve a good compromise between the compactness (not high number of cluster with a few documents each) and representativeness (common meaning and similarity among the clustered documents) of the obtained clusters. Some clustering parameters can be tuned manually through document subsets. The clustered documents are then partitioned in different folders whose name include the most recurring words, excluding the “stop-words”, namely frequent words with low semantic content, such as prepositions, articles and common verbs. This way we can obtain a pseudo-classification of documents, expressed by the common concepts associated to the resulting keywords of each cluster. The largest experiment has been led upon about 13,000 documents of a press release taken from Italian newspapers in 2006, made digital through scanning and OCR. The document base was much noisy, with many words changed, abbreviated, concatenated with others, or missed; analyzing this sample with classical text processing, if not semantic analysis, would have been problematic indeed, since language technology is very sensitive to syntactical correctness. Instead, with this clustering technique, most of the about 30 clusters obtained had a true common meaning among the composing documents (for instance, criminality of specific types, economy, terrorist attacks, industry news, culture, fiction, etc.), with more specific situations expressed by the resulting keywords. Further, such keywords were almost correct, except for a few clusters grouping so noisy documents that it would have been impossible to find some common sense. In practice, the document noise has been removed when asserting the prevailing sense of the most representative clusters. Content Analysis (CA) and Behavior Analysis (BA) can support each other in different ways. CA applied before BA can add content features to the clustering space. Conversely, BA applied before CA can reduce the number of documents to be processed for content, by isolating relevant groups expressing a certain type of style, source and/or conceptual keyword set. CA further contributes in the scenario interpretation by applying reasoning tools to inspect clustering results at the light of domain-specific knowledge. Analyzing cluster contents may help application-specific ontologies discover unusual patterns in the observed domain. Conversely, novel information highlighted by BA might help dynamic ontologies to update their knowledge in a semi-automated way. Novelty Detection is obtained through the “outliers”, 50 E. Appiani and G. Buslacchi namely documents staying at a certain relative distance from their cluster centers, thus expressing a loose commonality with more central documents. Outliers from a certain source, for instance an Internet forum, can reveal some odd style or content with respect to the other documents. Dealing with Intelligence for Security, we can have two different operational solutions combining CA and BA, respectively supporting Prevention and Investigation [6]. This is still subject of experiments, the major difficulty being to collect relevant documents and some real, or at least realistic, scenario. Prevention-mode operation is illustrated in Fig. 3, and proceeds as follows. 1) Every input document is searched for basic terms, context, and eventually key concepts and relations among these (by using semantic networks and/or ontology), in order to develop an understanding of the overall content of each document and its relevance to the reference scenario. 2a) In the knowledge-base set-up phase, the group of semantically analyzed documents forming a training set, undergoes a clustering process, whose similarity metrics is determined by both linguistic features (such as lexicon, syntax, style, etc.) and semantic information (concept similarity derived from the symbolic information tools). 2b) At run-time operation, each new document is matched with existing clusters; outlier detection, together with a history of the categorization process, highlights possibly interesting elements and subsets of documents bearing novel contents. 3) Since clustering tools are not able to extract mission-specific knowledge from input information, ontology processing interprets the detected trends in the light of possible criminal scenarios. If the available knowledge base cannot explain the extracted information adequately, the component may decide to bring an alert to the analyst’s attention and possibly tag the related information for future use. Content Analysis Document(s) 1 Behaviour Analysis Annotated Docum. Corpus Set-up 2a Ref. clusters Run-time Ref. Dynamic Knowledge 3 Novelties 2b Analyzed novel scenario Fig. 3. Functional CA-BA combined dataflow for prevention mode Novelty detection is the core activity of this operation mode, and relies on the interaction between BA and CA to define a ‘normal-state scenario’, to be used for identifying interesting deviations. The combination between inductive clustering and explicit knowledge extraction is promising in helping analysts to perform both gross Computational Intelligence Solutions for Homeland Security 51 classification of large, unknown and noisy document bases, find promising content in some clusters and hence refine the analysis through explicit knowledge processing. This combination lies between the information exploitation and processing of the intelligence cycle, as recalled in the previous section; in fact, it contributes both to isolate meaningful information items and to analyze the overall results. Content Analysis Selected corpus 2 Annotated Docum. Corpus 4 Relevant Groups 1 Ref. Investigation Scenario Behaviour Analysis 3 Structured hypothesis Search strategy for missing information Fig. 4. Functional CA-BA combined dataflow for Investigation mode Investigation-mode operation is illustrated in Fig. 4 and proceeds as follows. 1) A reference criminal scenario is assumed as a basic hypothesis. 2) Alike prevention-mode operation, input documents are searched for to develop an understanding of the overall content of each document and its relevance to the reference scenario. 3) BA (re)groups the existing base of documents by embedding the scenariospecific conceptual similarity in the document- and cluster-distance criterion. The result is a grouping of documents that indirectly takes into account the relevance of the documents to the reference criminal scenario. 4) CA uses high-level knowledge describing the assumed scenario to verify the consistency of BA. The output is a confirmation of the sought-for hypothesis or, more likely, a structural description of the possibly partial match, which provides useful directives for actively searching missing information, which ultimately serves to validate or disclaim the investigative assumption. Elsag Datamat already uses CA with different tools within the LEAF component for Investigation, Intelligence and Decision Support. The combination with BA is being experimented in Italian document sets in order to set up a prototype for Carabinieri (one of the Italian security forces), to be experimented on the real field between 2009 and 2010. In parallel, multi-language CA-BA solutions are being studied for the needs of international Polices. 52 5 E. Appiani and G. Buslacchi Conclusions In this position paper we have described an industrial solution for integrated IT support to Law Enforcement Agencies, called LEAF, in line with the state of the art of this domain, including some advanced computational intelligence functions to support Intelligence and Investigations. The need for an integrated Law Enforcement support, realized by the LEAF architecture, has been explained. The key approach for LEAF computational intelligence is modularity and openness to different tools, in order to realize the most suitable processing workflow for any analysis needs. LEAF architecture just organizes such workflow to support, totally or partially, the intelligence cycle phases: acquisition, exploitation, processing and dissemination, all coordinated by management. Acquisition and exploitation involve multimedia data processing, while processing and dissemination work at conceptual object level. An innovative and promising approach to analysis of Open and Private Sources combines Content and Behavior Analysis, this last exploring the application of | clustering techniques to textual documents, usually subject to text and language processing. BA shows the potential to tolerate the high number, heterogeneity and information noise of large Open Sources, creating clusters whose most representative keywords can express an underlying scenario, directly to the analysts’ attention or with the help of knowledge models. References 1. Law Enforcement Record Management Systems (RMS) – Standard functional specifications by Law Enforcement Information Technology Standards Council (LEITSC) (updated 2006), http://www.leitsc.org 2. Europol – mission, mandates, security objectives, http://www.europol.europa.eu 3. European Security and Defense Policy – Wikipedia article, http://en.wikipedia.org/wiki/ European_Security_and_Defence_Policy 4. NATO Open Source Intelligence Handbook (November 2001), http://www.oss.net 5. NATO Allied Joint Intelligence, Counter Intelligence and Security Doctrine. Allied Joint Publication (July 2003) 6. COBASIM Proposal for FP7 – Security Call 1 – Proposal no. 218012 (2007) 7. Jing, L., Ng, M.K., Zhexue Huang, J.: An Entropy Weighting k-Means Algorithm for Subspace Clustering of High-Dimensional Sparse Data. IEEE Transactions on knowledge and data engineering 19(8) (August 2007) Virtual Weapons for Real Wars: Text Mining for National Security Alessandro Zanasi ESRIF-European Security Research and Innovation Forum University of Bologna Professor Temis SA Cofounder [email protected] Abstract. Since the end of the Cold War, the threat of large scale wars has been substituted by new threats: terrorism, organized crime, trafficking, smuggling, proliferation of weapons of mass destruction. The new criminals, especially the so called “jihadist” terrorists are using the new technologies, as those enhanced by Web2.0, to fight their war. Text mining is the most advanced knowledge management technology which allow intelligence analysts to automatically analyze the content of information rich online data banks, suspected web sites, blogs, emails, chat lines, instant messages and all other digital media detecting links between people and organizations, trends of social and economic actions, topics of interest also if they are “sunk” among terabytes of information. Keywords: National security, information sharing, text mining. 1 Introduction After the 9/11 shock, the world of intelligence is reshaping itself, since that the world is requiring a different intelligence: dispersed, not concentrated; open to several sources; sharing its analysis with a variety of partners, without guarding its secrets tightly; open to strong utilization of new information technologies to take profit of the information (often contradictory) explosion (information density doubles every 24 months and its costs are halved every 18 months [1]); open to the contributions of the best experts, also outside government or corporations [2], e.g. through a publicprivate partnership (PPP or P3: a system in which a government service or private business venture is funded and operated through a partnership of government and one or more private sector companies). The role of competitive intelligence has assumed great importance not only in the corporate world but also in the government one, largely due to the changing nature of national power. Today the success of foreign policy rests to a significant extent on energy production control, industrial and financial power, and energy production control, industrial and financial power in turn are dependent on science and technology and business factors and on the capacity of detecting key players and their actions. New terrorists are typically organized in small, widely dispersed units and coordinate their activities on line, obviating the need for central command. Al Qaeda and E. Corchado et al. (Eds.): CISIS 2008, ASC 53, pp. 53–60, 2009. © Springer-Verlag Berlin Heidelberg 2009 springerlink.com 54 A. Zanasi similar groups rely on the Internet to contact potential recruits and donors, sway public opinion, instruct would-be terrorists, pool tactics and knowledge, and organize attacks. This phenomenon has been called Netwar (a form of conflict marked by the use of network forms of organizations and related doctrines, strategies, and technologies) [3]. In many ways, such groups use Internet in the same way that peaceful political organizations do; what makes terrorists’ activity threatening is their intent. This approach reflects what the world is experiencing in the last ten years: a paradigm shift from an organization-driven threat architecture (i.e., communities and social activities focused around large companies or organizations) to an individual-centric threat architecture (increased choice and availability of opportunities focused around individual wants and desires). This is a home, local community, and virtual-communitycentric societal architecture: the neo-renaissance paradigm. This new lifestyle is due to a growing workforce composed of digitally connected free-agent (e.g. terrorists) able to operate from any location and to be engaged anywhere on the globe [4]. Due to this growing of virtual communities, a strong interest towards the capability of automatic evaluation of communications exchanged inside these communities and of their authors is also growing, directed to profiling activity, to extract authors personal characteristics (useful in investigative actions too). So, to counter netwar terrorists, intelligence must learn how to monitor their network activity, also online, in the same way it keeps tabs on terrorists in the real world. Doing so will require a realignment of western intelligence and law enforcement agencies, which lag behind terrorist organizations in adopting information technologies [5] and, at least for NSA and FBI, to upgrade their computers to better coordinate intelligence information [6]. The structure of the Internet allows malicious activity to flourish and the perpetrators to remain anonymous. Since it would be nearly impossible to identify and disable every terrorist news forum on the internet given the substantial legal and technical hurdles involved (there are some 4,500 web sites that disseminate the al Qaeda leadership’s messages [7]), it would make more sense to leave those web sites online but watch them carefully. These sites offer governments’ intelligence unprecedented insight into terrorists’ ideology and motivations. Deciphering these Web sites will require not just Internet savvy but also the ability to read Arabic and understand terrorists’ cultural backgrounds-skills most western counterterrorism agencies currently lack [5]. These are the reasons for which the text mining technologies, which allow the reduction of information overload and complexity, analyzing texts also in unknown, exotic languages (Arabic included: the screenshots in the article, as all the other ones, are Temis courtesy), have become so important in the government as in the corporate intelligence world. For an introduction to text mining technology and its applications to intelligence: [8]. The question to be answered is: once defined the new battle field (i.e. the Web) how to use the available technologies to fight the new criminals and terrorists? A proposed solution is: through an “Internet Center”. That is a physical place where to concentrate advanced information technologies (including Web 2.0, machine translation, crawlers, text mining) and human expertise, not only in information technologies but also in online investigations). Virtual Weapons for Real Wars: Text Mining for National Security 55 Fig. 1. Text mining analysis of Arabic texts We present here the scenarios into which these technologies, especially those regarding text mining are utilized, with some real cases. 2 New Challenges to the Market State The information revolution is the key enabler of economic globalization. The age of information is also the age of emergence of the so called market-state [9] which maximizes the opportunities of its people, facing lethal security challenges which dramatically change the roles of government and of private actors and of intelligence. Currently governments power is being challenged from both above (international commerce, which erodes what used to be thought of as aspects of national sovereignty) and below (terrorist and organized crime challenge the state power from beneath, by trying to compel states to acquiesce or by eluding the control of states). Tackling these new challenges is the role of the new government intelligence. From the end of Cold War there is general agreement about the nature of the threats that posed a challenge to the intelligence community: drugs, organized crime, and proliferation of conventional and unconventional weapons, terrorism, financial crimes. All these threats aiming for violence, not victory, may be tackled through the help of technologies as micro-robots, bio-sniffers, and sticky electronics. Information technology, applied to open sources analysis, is a support in intelligence activities directed to prevent these threats [10] and to assure homeland protection [11]. 56 A. Zanasi Since 2001 several public initiatives involving data and text mining appeared in USA and Europe. All of them shared the same conviction: information is the best arm against the asymmetric threats. Fig. 2. The left panel allows us to highlight all the terms which appear in the collected documents and into which we are interested in (eg: Hezbollah). After clicking on the term, in the right column appear the related documents. 3 The Web as a Source of Information Until some years ago the law enforcement officers were interested only in retrieving data coming from web sites and online databanks (collections of information, available online, dedicated to press surveys, patents, scientific articles, specific topics, commercial data). Now they are interested in analyzing the data coming from internet seen as a way of communication: e-mails, chat rooms, forums, newsgroups, blogs (obtained, of course, after being assured that data privacy rules have been safeguarded). Of course, this nearly unending stream of new information, especially regarding communications, also in exotic languages, created not only an opportunity but also a new problem. The information data is too large to be analyzed by human beings and the languages in which this data are written are very unknown to the analysts. Luckily these problems, created by technologies, may be solved thanks to other information technologies. Virtual Weapons for Real Wars: Text Mining for National Security 57 4 Text Mining The basic text mining technique is Information Extraction consisting in linguistic processing, where semantic models are defined according to the user requirements, allowing the user to extract the principal topics of interest to him. These semantic models are contained in specific ontologies, engineering artefacts which contain a specific vocabulary used to describe a certain reality, plus a set of explicit assumptions regarding the intended meaning of the vocabulary words. This technique allows, for example, the extraction of organization and people names, email addresses, bank account, phone and fax numbers as they appear in the data set. For example, once defined a technology or a political group, we can quickly obtain the list of organizations working with that technology or the journalists supporting that opinion or the key players for that political group. 5 Virtual Communities Monitoring A virtual community, whose blog and chats are typical examples, are communities of people sharing and communicating common interests, ideas, and feelings over the Internet or other collaborative networks. The possible inventor of this term was Howard Rheingold, who defines virtual communities as social aggregations that emerge from the Internet when enough people carry on public discussions long enough and with sufficient human feeling to form webs of personal relationships in cyberspace [12]. Most community members need to interact with a single individual in a one-to-one conversation or participate and collaborate in idea development via threaded conversations with multiple people or groups. This type of data is, clearly, an exceptional source to be mined [19]. 6 Accepting the Challenges to National Security 6.1 What We Need It is difficult for government intelligence to counter the threat that terrorists pose. To fight them we need solutions able to detect their names in the communications, to detect their financial movements, to recognize the real authors of anonymous documents, to put in evidence connections inside social structures, to track individuals through collecting as much information about them as possible and using computer algorithms and human analysis to detect potential activity. 6.2 Names and Relationships Detection New terrorist groups rise each week, new terrorists each day. Their names, often written in a different alphabet, are difficult to be caught and checked against other names already present in the databases. Text mining technology allows their detection, also with their connections to other groups or people. 58 A. Zanasi Fig. 3. Extraction of names with detection of connection to suspect terrorist names and the reason of this connection 6.3 Money Laundering Text mining is used in detecting anomalies in the fund transfer request process and in the automatic population of black lists. 6.4 Insider Trading To detect insider trading it is necessary to track the stock trading activity for every publicly traded company, plot it on a time line and compare anomalous peaks to company news: if there is no news to spur a trading peak, that is a suspected insider trading. To perform this analysis it is necessary to extract the necessary elements (names of officers and events, separated by category) from news text and then correlate them with the structured data coming from stock trading activity [13]. 6.5 Defining Anonymous Terrorist Authorship Frequently the only traces available after a terrorist attack are the emails or the communications claiming the act. The analyst must analyze the style, the concepts and feelings [14] expressed in a communication to establish connections and patterns between documents [15], comparing them with documents coming from known Virtual Weapons for Real Wars: Text Mining for National Security 59 authors: famous attackers (Unabomber was the most famous one) were precisely described, before being really detected, using this type of analysis. 6.6 Digital Signatures Human beings are habit beings and have some personal characteristics (more than 1000 “style markers” have been quoted in literature) that are inclined to persist, useful in profiling the authors of the texts. 6.7 Lobby Detection Analyzing connections, similarities and general patterns in public declarations and/or statements of different people allows the recognition of unexpected associations («lobbies») of authors (as journalists, interest groups, newspapers, media groups, politicians) detecting whom, among them, is practically forming an alliance. 6.8 Monitoring of Specific Areas/Sectors In business there are several examples of successful solutions applied to competitive intelligence. E.g. Unilever, text mining patents discovered that a competitor was planning new activities in Brazil which really took place a year later [16]. Telecom Italia, discovered that a competitor (NEC-Nippon Electric Company) was going to launch new services in multimedia [16]. Total (F), mines Factiva and Lexis-Nexis databases to detect geopolitical and technical information. 6.9 Chat Lines, Blogs and Other Open Sources Analysis The first enemy of intelligence activity is the “avalanche” of information that daily the analysts must retrieve, read, filter and summarize. The Al Qaeda terrorists declared to interact among them through chat lines to avoid being intercepted [17]: interception and analysis of chat lines content is anyway possible and frequently done in commercial situations [18], [19]. Using different text mining techniques it is possible to identify the context of the communication and the relationships among documents detecting the references to the interesting topics, how they are treated and what impression they create in the reader [20]. 6.10 Social Network Links Detection “Social structure” has long been an important concept in sociology. Network analysis is a recent set of methods for the systematic study of social structure and offers a new standpoint from which to judge social structures [21]. Text mining is giving an important help in detection of social network hidden inside large volumes of text also detecting the simultaneous appearance of entities (names, events and concepts) measuring their distance (proximity). 60 A. Zanasi References 1. Lisse, W.: The Economics of Information and the Internet. Competitive Intelligence Review 9(4) (1998) 2. Treverton, G.F.: Reshaping National Intelligence in an Age of Information. Cambridge University Press, Cambridge (2001) 3. Ronfeldt, D., Arquilla, J.: The Advent of Netwar –Rand Corporation (1996) 4. Goldfinger, C.: Travail et hors Travail: vers une societe fluide. In: Jacob, O. (ed.) (1998) 5. Kohlmann, E.: The Real Online Terrorist Threat – Foreign Affairs (September/October 2006) 6. Mueller, J.: Is There Still a Terrorist Threat? – Foreign Affairs (September/ October 2006) 7. Riedel, B.: Al Qaeda Strikes Back – Foreign Affairs (May/June 2007) 8. Zanasi, A. (ed.): Text Mining and its Applications to Intelligence, CRM and Knowledge Management. WIT Press, Southampton (2007) 9. Bobbitt, P.: The Shield of Achilles: War, Peace, and the Course of History, Knopf (2002) 10. Zanasi, A.: New forms of war, new forms of Intelligence: Text Mining. In: ITNS Conference, Riyadh (2007) 11. Steinberg, J.: In Protecting the Homeland 2006/2007 - The Brookings Institution (2006) 12. Rheingold, H.: The Virtual Community. MIT Press, Cambridge (2000) 13. Feldman, S.: Insider Trading and More, IDC Report, Doc#28651 (December 2002) 14. de Laat, M.: Network and content analysis in an online community discourse. University of Nijmegen (2002) 15. Benedetti, A.: Il linguaggio delle nuove Brigate Rosse, Erga Edizioni (2002) 16. Zanasi, A.: Competitive Intelligence Thru Data Mining Public Sources - Competitive Intelligence Review, vol. 9(1). John Wiley & Sons, Inc., Chichester (1998) 17. The Other War, The Economist March 26 (2003) 18. Campbell, D.: - World under Watch, Interception Capabilities in the 21st Century – ZDNet.co (2001) (updated version of Interception Capabilities 2000, A report to European Parlement - 1999) 19. Zanasi, A.: Email, chatlines, newsgroups: a continuous opinion surveys source thanks to text mining. In: Excellence in Int’l Research 2003 - ESOMAR (Nl) (2003) 20. Jones, C.W.: Online Impression Management. University of California paper (July 2005) 21. Degenne, A., Forse, M.: Introducing Social Networks. Sage Publications, London (1999) Hypermetric k-Means Clustering for Content-Based Document Management Sergio Decherchi, Paolo Gastaldo, Judith Redi, and Rodolfo Zunino Dept. Biophysical and Electronic Engineering, University of Genoa, 16145 Genova, Italy {sergio.decherchi,paolo.gastaldo,judith.redi, rodolfo.zunino}@unige.it Abstract. Text-mining methods have become a key feature for homeland-security technologies, as they can help explore effectively increasing masses of digital documents in the search for relevant information. This research presents a model for document clustering that arranges unstructured documents into content-based homogeneous groups. The overall paradigm is hybrid because it combines pattern-recognition grouping algorithms with semantic-driven processing. First, a semantic-based metric measures distances between documents, by combining a content-based with a behavioral analysis; the metric considers both lexical properties and the structure and styles that characterize the processed documents. Secondly, the model relies on a Radial Basis Function (RBF) kernel-based mapping for clustering. As a result, the major novelty aspect of the proposed approach is to exploit the implicit mapping of RBF kernel functions to tackle the crucial task of normalizing similarities while embedding semantic information in the whole mechanism. Keywords: document clustering, homeland security, kernel k-means. 1 Introduction The automated surveillance of information sources is of strategic importance to effective homeland security [1], [2]. The increased availability of data-intensive heterogeneous sources provides a valuable asset for the intelligence task; data-mining methods have therefore become a key feature for security-related technologies [2], [3] as they can help explore effectively increasing masses of digital data in the search for relevant information. Text mining techniques provide a powerful tool to deal with large amounts of unstructured text data [4], [5] that are gathered from any multimedia source (e.g. from Optical Character Recognition, from audio via speech transcription, from webcrawling agents, etc.). The general area of text-mining methods comprises various approaches [5]: detection/tracking tools continuously monitor specific topics over time; document classifiers label individual files and build up models for possible subjects of interest; clustering tools process documents for detecting relevant relations among those subjects. As a result, text mining can profitably support intelligence and security activities in identifying, tracking, extracting, classifying and discovering patterns, so that the outcomes can generate alerts notifications accordingly [6] ,[7]. E. Corchado et al. (Eds.): CISIS 2008, ASC 53, pp. 61–68, 2009. © Springer-Verlag Berlin Heidelberg 2009 springerlink.com 62 S. Decherchi et al. This work addresses document clustering and presents a dynamic, adaptive clustering model to arrange unstructured documents into content-based homogeneous groups. The framework implements a hybrid paradigm, which combines a contentdriven similarity processing with pattern-recognition grouping algorithms. Distances between documents are worked out by a semantic-based hypermetric: the specific approach integrates a content-based with a user-behavioral analysis, as it takes into account both lexical and style-related features of the documents at hand. The core clustering strategy exploits a kernel-based version of the conventional k-means algorithm [8]; the present implementation relies on a Radial Basis Function (RBF) kernelbased mapping [9]. The advantage of using such a kernel consists in supporting normalization implicitly; normalization is a critical issue in most text-mining applications, and prevents that extensive properties of documents (such as length, lexicon, etc) may distort representation and affect performance. A standard benchmark for content-based document management, the Reuters database [10], provided the experimental domain for the proposed methodology. The research shows that the document clustering framework based on kernel k-means can generate consistent structures for information access and retrieval. 2 Document Clustering Text mining can effectively support the strategic surveillance of information sources thanks to automatic means, which is of paramount importance to homeland security [6], [7]. For prevention, text mining techniques can help identify novel “information trends” revealing new scenarios and threats to be monitored; for investigation, these technologies can help distil relevant information about known scenarios. Within the text mining framework, this work addresses document clustering, which is one of the most effective techniques to organize documents in an unsupervised manner. When applied to text mining, clustering algorithms are designed to discover groups in the set of documents such that the documents within a group are more similar to one another than to documents of other groups. As apposed to text categorization [5], in which categories are predefined and are part of the input information to the learning procedure, document clustering follows an unsupervised paradigm and partitions a set of documents into several subsets. Thus, the document clustering problem can be defined as follows. One should first define a set of documents D = {D1, . . . , Dn}, a similarity measure (or distance metric), and a partitioning criterion, which is usually implemented by a cost function. In the case of flat clustering, one sets the desired number of clusters, Z, and the goal is to compute a membership function φ : D → {1, . . . , Z} such that φ minimizes the partitioning cost with respect to the similarities among documents. Conversely, hierarchical clustering does not need to define the cardinality, Z, and applies a series of nested partitioning tasks which eventually yield a hierarchy of clusters. Indeed, every text mining framework should always be supported by an information extraction (IE) model [11], [12] which is designed to pre-process digital text documents and to organize the information according to a given structure that can be directly interpreted by a machine learning system. Thus, a document D is eventually reduced to a sequence of terms and is represented as a vector, which lies in a space Hypermetric k-Means Clustering for Content-Based Document Management 63 spanned by the dictionary (or vocabulary) T = {tj; j= 1,.., nT}. The dictionary collects all terms used to represent any document D, and can be assembled empirically by gathering the terms that occurs at least once in a document collection D ; by this representation one loses the original relative ordering of terms within each document. Different models [11], [12] can be used to retrieve index terms and to generate the vector that represents a document D. However, the vector space model [13] is the most widely used method for document clustering. Given a collection of documents D, the vector space model represents each document D as a vector of real-valued weight terms v = {wj; j=1,..,nT}. Each component of the nT-dimensional vector is a non-negative term weight, wj, that characterizes the j-th term and denotes the relevance of the term itself within the document D. 3 Hypermetric k-Means Clustering The hybrid approach described in this Section combines the specific advantages of content-driven processing with the effectiveness of an established pattern-recognition grouping algorithm. Document similarity is defined by a content-based distance, which combines a classical distribution-based measure with a behavioral analysis of the style features of the compared documents. The core engine relies on a kernelbased version of the classical k-means partitioning algorithm [8] and groups similar documents by a top-down hierarchical process. In the kernel-based approach, every document is mapped into an infinite-dimensional Hilbert space, where only inner products among elements are meaningful and computable. In the present case the kernel-based version of k-means [15] provides a major advantage over the standard kmeans formulation. In the following, D = {Du; u= 1,..,nD} will denote the corpus, holding the collection of documents to be clustered. The set T = {tj; j= 1,.., nT} will denote the vocabulary, which is the collection of terms that occur at least one time in D after the preprocessing steps of each document D ∈ D (e.g., stop-words removal, stemming [11]). 3.1 Document Distance Measure A novel aspect of the method described here is the use of a document-distance that takes into account both a conventional content-based similarity metric and a behavioral similarity criterion. The latter term aims to improve the overall performance of the clustering framework by including the structure and style of the documents in the process of similarity evaluation. To support the proposed document distance measure, a document D is here represented by a pair of vectors, v′ and v′′. Vector v′(D) actually addresses the content description of a document D; it can be viewed as the conventional nT-dimensional vector that associates each term t ∈ T with the normalized frequency, tf, of that term in the document D. Therefore, the k-th element of the vector v′(Du) is defined as: v′k ,u = tf k ,u nT ∑ tfl ,u , l =1 (1) 64 S. Decherchi et al. where tfk,u is the frequency of the k-th term in document Du. Thus v′ represents a document by a classical vector model, and uses term frequencies to set the weights associated to each element. From a different perspective, the structural properties of a document, D, are represented by a set of probability distributions associated with the terms in the vocabulary. Each term t ∈ T that occurs in Du is associated with a distribution function that gives the spatial probability density function (pdf) of t in Du. Such a distribution, pt,u(s), is generated under the hypothesis that, when detecting the k-th occurrence of a term t at the normalized position sk ∈ [0,1] in the text, the spatial pdf of the term can be approximated by a Gaussian distribution centered around sk. In other words, if the term tj is found at position sk within a document, another document with a similar structure is expected to include the same term at the same position or in a neighborhood thereof, with a probability defined by a Gaussian pdf. To derive a formal expression of the pdf, assume that the u-th document, Du, holds nO occurrences of terms after simplifications; if a term occurs more than once, each occurrence is counted individually when computing nO, which can be viewed as a measure of the length of the document. The spatial pdf can be defined as: p t ,u (s ) = ⎡ (s − s )2 ⎤ 1 nO 1 nO 1 k ⎥ , exp ⎢ − G sk,λ = ∑ ∑ A k =1 A k =1 2π λ ⎢⎣ λ 2 ⎥⎦ ( ) (2) where A is a normalization term and λ is regularization parameter. In practice one uses a discrete approximation of (2). First, the document D is segmented evenly into S sections. Then, an S-dimensional vector is generated for each term t ∈ T , and each element estimates the probability that the term t occurs in the corresponding section of the document. As a result, v′′(D) is an array of nT vectors having dimension S. Vector v′ and vector v′′ support the computations of the frequency-based distance, ∆(f), and the behavioral distance, ∆(b), respectively. The former term is usually measured according to a standard Minkowski distance, hence the content distance between a pair of documents (Du, Dv) is defined by: ⎡ T ∆( f ) ( Du , Dv ) = ⎢ ∑ v k′ ,u − v k′ ,v n ⎢⎣ k =1 p⎤ ⎥ ⎥⎦ 1 p . (3) The present approach adopts the value p = 1 and therefore actually implements a Manhattan distance metric. The term computing behavioral distance, ∆(b), applies an Euclidean metric to compute the distance between probability vectors v′′. Thus: ∆(b ) ( Du , Dv ) = ∑ ∆(tbk ) (Du , Dv ) = ∑ ∑ [v (′′k ) s,u − v (′′k ) s,v ]2 . nT nT S k =1 k =1 s =1 (4) Both terms (3) and (4) contribute to the computation of the eventual distance value, ∆(Du, Dv), which is defined as follows: ∆(Du,Dv) = α⋅ ∆(f) (Du,Dv) + (1 – α)⋅ ∆(b)(Du,Dv) , (5) Hypermetric k-Means Clustering for Content-Based Document Management 65 where the mixing coefficient α∈[0,1] weights the relative contribution of ∆(f) and ∆(b). It is worth noting that the distance expression (5) obeys the basic properties of non-negative values and symmetry that characterize general metrics, but does not necessarily satisfy the triangular property. 3.2 Kernel k-Means The conventional k-means paradigm supports an unsupervised grouping process [8], which partitions the set of samples, D = {Du; u= 1,..,nD}, into a set of Z clusters, Cj (j = 1,…, Z). In practice, one defines a “membership vector,” which indexes the partitioning of input patterns over the K clusters as: mu = j ⇔ Du ∈Cj, otherwise mu = 0; u = 1,…, nD. It is also useful to define a “membership function” δuj(Du,Cj), that defines the membership of the u-th document to the j-th cluster: δuj =1 if mu = j, and 0 otherwise. Hence, the number of members of a cluster is expressed as Nj = nD ∑ δ uj ; j = 1,…, Z ; (6) u =1 and the cluster centroid is given by: wj = 1 Nj nD ∑ x u δ uj ; j = 1,…, Z ; u =1 (7) where xu is any vector-based representation of document Du. The kernel based version of the algorithm is based on the assumption that a function, Φ, can map any element, D, into a corresponding position, Φ(D), in a possibly infinite dimensional Hilbert space. The mapping function defines the actual ‘Kernel’, which is formulated as the expression to compute the inner product: def K (Du , Dv ) = Kuv = Φ (Du ) ⋅ Φ (Dv ) = Φu ⋅ Φ v . (8) In our particular case we employ the largely used RBF kernel ⎡ ∆(Du , Dv ) ⎤ K (Du , Dv ) = exp ⎢− ⎥ . σ2 ⎣ ⎦ (9) It is worth stressing here an additional, crucial advantage of using a kernel-based formulation in the text-mining context: the approach (9) can effectively support the critical normalization process by reducing all inner products within a limited range, thereby preventing that extensive properties of documents (length, lexicon, etc) may distort representation and ultimately affect clustering performance. The kernel-based version of the k-means algorithm, according to the method proposed in [15], replicates the basic partitioning schema (6)-(7) in the Hilbert space, where the centroid positions, Ψ, are given by the averages of the mapping images, Φu: Ψj = 1 Nj nD ∑ Φ u δ uj ; u =1 j = 1,…, Z . (10) 66 S. Decherchi et al. The ultimate result of the clustering process is the membership vector, m, which determines prototype positions (7) even though they cannot be stated explicitly. As a consequence, for a document, Du, the distance in the Hilbert space from the mapped image, Φu, to the cluster Ψj as per (7) can be worked out as: ( ) d Φu , Ψ j = Φu − 1 Nj nD 2 ∑ Φv =1+ v =1 1 (N j ) 2 nD nD m ,v =1 j v =1 2 ∑ δ mjδ vj K mv − N ∑ δ vj Ku,v . (11) By using expression (11), which includes only kernel computations, one can identify the closest prototype to the image of each input pattern, and assign sample memberships accordingly. In clustering domains, k-means clustering can notably help separate groups and discover clusters that would have been difficult to identify in the base space. From this viewpoint one might even conclude that a kernel-based method might represent a viable approach to tackle the dimensionality issue. 4 Experimental Results A standard benchmark for content-based document management, the Reuters database [10], provided the experimental domain for the proposed framework. The database includes 21,578 documents, which appeared on the Reuters newswire in 1987. One or more topics derived from economic subject categories have been associated by human indexing to each document; eventually, 135 different topics were used. In this work, the experimental session involved a corpus DR including 8267 documents out of the 21,578 originally provided by the database. The corpus DR was obtained by adopting the criterion used in [14]. First, all the documents with multiple topics were discarded. Then, only the documents associated to topics having at least 18 occurrences were included in DR. As a result, 32 topics were represented in the corpus. In the following experiments, the performances of the clustering framework have been evaluated by using the purity parameter. Let Nk denote the number of elements lying in a cluster Ck and let Nmk be the number of elements of the class Im in the cluster Ck. Then, the purity pur(k) of the cluster Ck is defined as follows: pur (k ) = 1 max ( N mk ) . Nk m (12) Accordingly, the overall purity of the clustering results is defined as follows: purity = ∑ k Nk ⋅ pur (k ) , N (13) where N is the total number of element. The purity parameter has been preferred to other measures of performance (e.g. the F-measures) since it is the most accepted measure for machine learning classification problems [11]. The clustering performance of the proposed methodology was evaluated by analyzing the result obtained with three different experiments: the documents in the corpus DR were partitioned by using a flat clustering paradigm and three different settings for Hypermetric k-Means Clustering for Content-Based Document Management 67 the parameter α, which, as per (5), weights the relative contribution of ∆(f) and ∆(b) in the document distance measure. The values used in the experiments were α = 0.3, α = 0.7 and α = 0.5; thus, a couple of experiments were characterized by a strong preponderance of one of the two components, while in the third experiment ∆(f) and ∆(b) evenly contribute to the eventual distance measure. Table 1 outlines the results obtained with the setting α = 0.3. The evaluations were conducted with different number of clusters Z, ranging from 20 to 100. For each experiment, four quality parameters are presented: • • • • the overall purity, purityOV, of the clustering result; the lowest purity value pur(k) over the Z clusters; the highest purity value pur(k) over the Z clusters; the number of elements (i.e. documents) associated to the smallest cluster. Analogously, Tables 2 and 3 reports the results obtained with α = 0.5 and α = 0.7, respectively. Table 1. Clustering performances obtained on Reuters-21578 with α=0.3 Number of clusters 20 40 60 80 100 Overall purity 0.712108 0.77138 0.81154 0.799685 0.82666 pur(k) minimum 0.252049 0.236264 0.175 0.181818 0.153846 pur(k) maximum 1 1 1 1 1 Smallest cluster 109 59 13 2 1 Table 2. Clustering performances obtained on Reuters-21578 with α=0.5 Number of clusters 20 40 60 80 100 Overall purity 0.696383 0.782267 0.809121 0.817467 0.817467 pur(k) minimum 0.148148 0.222467 0.181818 0.158333 0.139241 pur(k) maximum 1 1 1 1 1 Smallest cluster 59 4 1 1 2 Table 3. Clustering performances obtained on Reuters-21578 with α=0.7 Number of clusters 20 40 60 80 100 Overall purity 0.690577 0.742833 0.798718 0.809483 0.802589 pur(k) minimum 0.145719 0.172638 0.18 0.189655 0.141732 pur(k) maximum 1 1 1 1 1 Smallest cluster 13 6 5 2 4 68 S. Decherchi et al. As expected, the numerical figures show that, in general, the overall purity grows as the number of clusters Z increases. Indeed, the value of the overall purity seems to indicate that clustering performances improve by using the setting α= 0.3. Hence, empirical outcomes confirm the effectiveness of the proposed document distance measure, which combines the conventional content-based similarity with the behavioral similarity criterion. References 1. Chen, H., Chung, W., Xu, J.J., Wang, G., Qin, Y., Chau, M.: Crime data mining: a general framework and some examples. IEEE Trans. Computer 37, 50–56 (2004) 2. Seifert, J.W.: Data Mining and Homeland Security: An Overview. CRS Report RL31798 (2007), http://www.epic.org/privacy/fusion/ crs-dataminingrpt.pdf 3. Mena, J.: Investigative Data Mining for Security and Criminal Detection. ButterworthHeinemann (2003) 4. Sullivan, D.: Document warehousing and text mining. John Wiley and Sons, Chichester (2001) 5. Fan, W., Wallace, L., Rich, S., Zhang, Z.: Tapping the power of text mining. Comm. of the ACM 49, 76–82 (2006) 6. Popp, R., Armour, T., Senator, T., Numrych, K.: Countering terrorism through information technology. Comm. of the ACM 47, 36–43 (2004) 7. Zanasi, A. (ed.): Text Mining and its Applications to Intelligence, CRM and KM, 2nd edn. WIT Press (2007) 8. Linde, Y., Buzo, A., Gray, R.M.: An algorithm for vector quantizer design. IEEE Trans. Commun. COM-28, 84–95 (1980) 9. Shawe-Taylor, J., Cristianini, N.: Kernel Methods for Pattern Analysis. Cambridge University Press, Cambridge (2004) 10. Reuters-21578 Text Categorization Collection. UCI KDD Archive 11. Manning, C.D., Raghavan, P., Schütze, H.: Introduction to Information Retrieval. Cambridge University Press, Cambridge (2008) 12. Baeza-Yates, R., Ribiero-Neto, B.: Modern Information Retrieval. ACM Press, New York (1999) 13. Salton, G., Wong, A., Yang, L.S.: A vector space model for information retrieval. Journal Amer. Soc. Inform. Sci. 18, 613–620 (1975) 14. Cai, D., He, X., Han, J.: Document Clustering Using Locality Preserving Indexing. IEEE Transaction on knowledge and data engineering 17, 1624–1637 (2005) 15. Girolami, M.: Mercer kernel based clustering in feature space. IEEE Trans. Neural Networks. 13, 2780–2784 (2002) Security Issues in Drinking Water Distribution Networks Demetrios G. Eliades and Marios M. Polycarpou* KIOS Research Center for Intelligent Systems and Networks Dept. of Electrical and Computer Engineering University of Cyprus, CY-1678 Nicosia, Cyprus {eldemet,mpolycar}@ucy.ac.cy Abstract. This paper formulates the security problem of sensor placement in water distribution networks for contaminant detection. An initial attempt to develop a problem formulation is presented, suitable for mathematical analysis and design. Multiple risk-related objectives are minimized in order to compute the Pareto front of a set of possible solutions; the considered objectives are the contamination impact average, worst-case and worst-cases average. A multiobjective optimization methodology suitable for considering more that one objective function is examined and solved using a multiple-objective evolutionary algorithm. Keywords: contamination, water distribution, sensor placement, multi-objective optimization, security of water systems. 1 Introduction A drinking water distribution network is the infrastructure which facilitates delivery of water to consumers. It is comprised of pipes which are connected to other pipes at junctions or connected to tanks and reservoirs. Junctions represent points in the network where pipes are connected, with inflows and outflows. Each junction is assumed to serve a number of consumers whose aggregated water demands are the junction’s demand outflow. Reservoirs (such as lakes, rivers etc.) are assumed to have infinite water capacity which they outflow to the distribution network. Tanks are dynamic elements with finite capacity that fill, store and return water back to the network. Valves are usually installed to some of the pipes in order to adjust flow, pressure, or to close part of the network if necessary. Water quality monitoring in distribution networks involves manual sampling or placing sensors at various locations to determine the chemical concentrations of various species such as disinfectants (e.g. chlorine) or for various contaminants that can be harmful to the consumers. Distribution networks are susceptible to intrusions due to their open and uncontrolled nature. Accidental faults or intentional actions could cause a contamination, that may affect significantly the health and economic activities of a city. Contaminants are substances, usually chemical, biological or radioactive, which travel along the water flow, and may exhibit decay or growth dynamics. The concentration dynamics of a substance in a water pipe can be modelled by the first-order hyperbolic * This work is partially supported by the Research Promotion Foundation (Cyprus) and the University of Cyprus. E. Corchado et al. (Eds.): CISIS 2008, ASC 53, pp. 69–76, 2009. springerlink.com © Springer-Verlag Berlin Heidelberg 2009 70 D.G. Eliades and M.M. Polycarpou equations of advection and reaction [1]. When a contaminant reaches a water consumer node, it can expose some of the population served at risk, or cause economic losses. The issue of modelling dangerous contaminant transport in water distribution networks was examined in [2], where the authors discretized the equations of contaminant transport and simulated a network under contamination. Currently, in water research an open-source hydraulic and quality numerical solver, called EPANET, is frequently used for computing the advection and reaction dynamics in discrete-time [3]. The security problem of contaminant detection in water distribution networks was first examined in [4]. The algorithmic “Battle of the Water Sensor Networks” competition in 2006 boosted research on the problem and established some benchmarks [5]. While previous research focused on specific cases of the water security problem, there has not been a unified problem formulation. In this work, we present an initial attempt to develop such a problem formulation, suitable for mathematical analysis and design. In previous research the main solution approach has been the formulation of an integer program which is solved using either evolutionary algorithms [6] or mathematical programming [7]. Various groups have worked in an operational research framework in formulating the mathematical program as in the ‘p-median’ problem [8]. Although these formulations seek to minimize one objective, it is often the case the solutions are not suitable with respect to some other objectives. In this work we propose a multi-objective optimization methodology suitable for considering more that one objective function. Some work has been conducted within a multi-objective framework, computing the Pareto fronts for conflicting objectives and finding the sets of non-dominant feasible solutions [9], [10]. However some of the objectives considered did not capture the contamination risk. The most frequently used risk objective metric is the average impact on the network. Recently, other relevant metrics have also been applied [11], [7], such as the ‘Conditional Value at Risk’ (CVaR) which corresponds to the average impact of the worst case scenarios. In this work we present a security-oriented formulation and solution of the problem when the average, the worst-case (maximum impact) and the average of worst-cases (CVaR) impact is considered. For computing the solution, we examine the use of a multi-objective evolutionary algorithm. In Section 2 the problem is formulated; in Section 3, the solution methodology is described and an algorithmic solution is presented. In Section 4 simulation results are demonstrated using a realistic water distribution network. Finally, the results are summarized and future work is discussed in Section 5. 2 Problem Formulation We first express the network into a generic graph with nodes and edges. We consider nodes in the graph as locations in the distribution network where water consumption can occur, such as reservoirs, pipe junctions and tanks. Pipes that transport water from one node to another are represented as edges in the graph. Let V be the set of n nodes in the network, such that V={v1,…,vn} and E be the set of m edges connecting pairs of nodes, where for e∈E, e=(vi,vj). The two sets V and E capture the topology of the water distribution network. The function g(t), g:ℜ+ a ℜ + describes the rate of Security Issues in Drinking Water Distribution Networks 71 contaminant’s mass injection in time at a certain node. A typical example of this injection profile is a pulse signal of finite duration. A contamination event ψ i ( g v (t )) is the contaminant injection at node vi∈V with rate i g vi (t ) . A contamination scenario s={ψ1,…,ψn} is defined as the set of contamination events ψi at each node vi describing a possible “attack” on the network. Typically, the contamination event ψi at most nodes will be zero, since the injection will occur at a few specific nodes. The set of nodes where intrusion occurs for a scenario s is V*={vi | ψi≠0, ψi∈s}, so that V*⊆V. Let S be the set of all possible contamination scenarios w.r.t the specific water distribution system. We define the function ω̃(s,t), ω̃:S×ℜ+ a ℜ , as the impact of a contamination scenario s until time t, for s∈S. This impact is computed through ω~( s, t ) = ∑ ϕ (vi , s, t ), vi ∈V (1) where φ:V×S×ℜ+ a ℜ is a function that computes the impact of a specific scenario s at node vi until time t. The way to compute φ(⋅) is determined by the problem specifications; for instance it can be related to the number of people infected at each node due to contamination, or to the consumed volume of contaminated water. For edge (vi,vj)∈Ε, the function τ(vi,vj,t), τ:V×V×ℜ+ a ℜ , expresses the transport time between nodes vi and vj, when a particle departs node vi at time t. This is computed by solving the network water hydraulics with a numerical solver for a certain time-window and for a certain water demands, tank levels and hydraulic control actions. This corresponds to a time-varying weight for each edge. We further define the function τ*:S×V a ℜ so that when for a scenario s, τ*(s,vi) is the minimum transport time for the contaminant to reach node vi∈V. To compute this we consider τ * ( s, vi ) = min F (vi , v j , s ), where for each intrusion node vj∈V* during a scenario s, the v ∈V * j function F(·) is a shortest path algorithm for which the contaminant first reaches node vi. Finally we define function ω:S×V a ℜ , in order to express the impact of a contamination scenario s until it reaches node vi, such that ω(vi,s)= ω̃(s,τ*(s,vi)). This function will be used in the optimization formulation in the next section. 3 Solution Methodology Since the set of all possible scenarios S is comprised of infinite elements, an increased computational complexity is imposed to the problem; moreover, contaminations in certain nodes are unrealistic or have trivial impacts. We can relax the problem by considering S0 as a representative finite subset of S, such that S0⊂S. In the simulations that follow, we assume that a scenario s∈S0 has a non-zero element for ψi and zero elements for all ψj for which i≠j. We further assume that the non-zero contamination event is ψi=g0(t,θ), where g0(·) is a known signal structure and θ is a parameter vector in the bounded parameter space Θ, θ∈Θ. Since Θ has infinite elements, we perform grid sampling and the selected parameter samples constitute a finite set Θ0⊂Θ. We assume that the parameter vector θ of a contamination event ψi also belongs to Θ0, 72 D.G. Eliades and M.M. Polycarpou such that θ∈Θ0. Therefore, a scenario s∈S0 is comprised of one contamination event with parameter θ∈Θ0; the finite scenario set S0 is comprised of |V|·|Θ0| elements. 3.1 Optimization Problem In relation to the sensor placement problem, when there is more than one sensor in the network, the impact of a fault scenario s∈S0 is the minimum impact among all the impacts computed for each node/sensor; essentially it corresponds to the sensor that detects the fault first. We define three objective functions fi:X a ℜ , i={1,2,3}, that map a set of nodes X⊂V to a real number. Specifically, f1(X) is the average impact of S0, such that f1 ( X ) = 1 ∑ min ω ( x, s). | S 0 | s∈S0 x∈X (2) Function f2(X) is the maximum impact of the set of all scenarios, such that f 2 ( X ) = max min ω ( x, s). s∈S0 x∈X (3) Finally, function f3(X) corresponds to the CVaR risk metric and is the average impact * S 0 of the scenarios in the set ⊂S0 with impact larger that αf2(X), where α∈[0,1], ⎫⎪ ⎧⎪ 1 f3 ( X ) = ⎨ min ω ( x, s ) :s ∈ S 0* ⇔ min ω ( x, s ) ≥ αf 2 ( X ) ⎬ . ∑ x∈X ⎪⎭ ⎪⎩| S 0* | x∈S0* x∈X (4) The multi-objective optimization problem is formulated as min{ f1 ( X ), f 2 ( X ), f 3 ( X )} , X (5) subject to X⊂V' and |X|=N, where V'⊆V is the set of feasible nodes and N the number of sensors to be placed. Minimizing an objective function may result in maximizing others; it is thus not possible to find one optimal solution that satisfies all objectives at the same time. It is possible however to find a set of solutions, laying on a Pareto front, where each solution is no worse that the other. 3.2 Algorithmic Solution In general a feasible solution X is called Pareto optimal if for a set of objectives Γ and i,j∈Γ, there exists no other feasible solution X' such that fi(X')≤fi(X) with fj(X')<fj(X) for at least one j. Stated differently, a solution is Pareto optimal if there is no other feasible solution that would reduce some objective function without simultaneously causing an increase in at least one other objective function [15, p.779]. The solution space is extremely big, even for networks with a few nodes. The set of computed solutions may or may not represent the actual Pareto front. Heuristic searching [9] or computational intelligence techniques such as multi-objective evolutionary algorithms [16], [17], [6] have been applied for this problem. In this work we consider an algorithm suitable for the problem, the NSGA-II [18]. This algorithm is examined in the multi-objective sensor placement formulation for risk minimization. Security Issues in Drinking Water Distribution Networks 73 In summary, the algorithm randomly creates a set of possible solutions P; these solutions are examined for non-dominance and are separated in ranks. Specifically, the subset of solutions that are non-dominant in the set is P1⊂P. By removing P1, the subset of solutions that are non-dominant in the set is P2⊂{P-P1}, and so on. A ‘crowding’ metric is used to express the proximity of one solution to its neighbour solutions; this is used to achieve ‘better’ spreading of solutions on the Pareto front. A subset of P is selected for computing a new set of solutions, in a rank and crowding metric competition. The set of new solutions P' is computed through genetic algorithm operators such as crossover and mutation. The sets P are P' are combined and their elements are ranked with the non-dominance criterion. The best solutions in the mixed set are selected to continue to the next iteration. The algorithm was modified in order to accept discrete inputs, specifically the index number of nodes. 4 Simulation Results To illustrate the solution methodology we examine the sensor placement problem in a realistic distribution system. The network model is comprised by the topological information as well as the outflows for a certain period of time. A graphical representation of the network is shown in Fig. 1. Fig. 1. Spatial schematic of network. The Source represents a reservoir supplying water to the network and Tanks are temporary water storage facilities. Nodes are consumption points. The network has 126 nodes and 168 pipes; in detail it consists of two tanks, one infinite source reservoir, two pumps and eight valves. All nodes in the network are possible locations for placing sensors. The water demands across the nodes are not uniformly distributed; specifically, 20 of the nodes are responsible for more than 80% of all water demands. The network is in EPANET 2.0 format and was used in the ‘Battle of the Water Sensor Networks’ design challenge [5, 17]. The demands for a typical day are provided in the network. According to our solution methodology, we assumed that g0(·) is a pulse signal with three parameters: θ1=28.75 Kg/hr the rate of contaminant injection, θ2=2 hr the duration of the injection and 0≤θ3≤24 hr the injection start time (as in [5]). By performing 5 minute sampling on θ3, the finite set Θ0 is build with |Θ0|=288 parameters. All nodes 74 D.G. Eliades and M.M. Polycarpou were considered as possible intrusion locations, and it is assumed that only that only one node can be attacked at each contamination scenario. Therefore, the finite scenario set S0 has |S0|=126⋅288= 36,288 elements. Impact φ(⋅) is computed using a nonlinear function described in [5] representing the number of people infected due to contaminant consumption. Hydraulic and quality dynamics were computed using the EPANET software. (a) (b) Fig. 2. (a): Histogram of the maximum normalized impact affected in all contamination scenarios. (b): Histogram of the maximum normalized impact affected in all contamination scenarios, when 6 sensors are placed for minimizing average impact. For simplicity and without loss of generality, the impact metrics presented hereafter are normalized. Figure 2(a) depicts the histogram of the maximum normalized impact in all contamination scenarios. From Fig. 2(a) it appears that about 40% of all scenarios under consideration have impacts more that 10% w.r.t the maximum. The long tail in the distribution shows that there is subset of scenarios which have a large impact on the network. From simulations we identified two locations that on certain scenarios, they achieve the largest impact, specifically near the reservoir and at one tank (labelled with numbers ‘1’ and ‘2’ in Fig. 1). The worst possible outcome from all intrusions is for contamination at node ‘1’ at time 23:55, given that the contaminant propagates undetected in the network. The optimization problem is to place six sensors at six nodes in order to minimize the three objectives described in the problem formulation. For the third objective we use α=0.8. The general assumption is that the impact of a contamination is measured until a sensor has been triggered, i.e. a contaminant has reached at a sensor node; afterwards it is assumed that there are no delays in stopping the service. For illustrating the impact reduction by placing sensors, we choose one solution from the solution set computed with the smallest average impact; the proposed six sensor locations are indicated as nodes with circles in Fig. 1. Figure 2(b) shows the histogram of the maximum impact on the network when these six sensors are installed. We observe a reduction of the impact to the system, with worst case impact near 20% w.r.t. the unprotected worst case. We performed two experiments with the NSGA-II algorithm to solve the optimization problem. In the one experiment, the parameters were 200 solutions in population Security Issues in Drinking Water Distribution Networks 75 for 1000 generations; for the second experiment it was 400 and 2000 respectively. The Pareto fronts are depicted in Fig. 3, along with the results computed using a deterministic tree algorithm presented in [10]. The simulations have shown that for our example, the maximum impact objective was almost the same in all computed Pareto solutions and is not presented in the figures. Fig. 3. Pareto fronts computed by the NSGA-II algorithm, as well as from a deterministic algorithm for comparison. The normalized tail average and total average impact are compared. 5 Conclusions In this work we have presented the security problem of sensor placement problem in water distribution networks for contaminant detection. We have presented an initial attempt to formulate the problem in order to be suitable for mathematical analysis. Furthermore, we examined a multiple-objective optimization problem using certain risk metrics and demonstrated a solution on a realistic network using a suitable multiobjective evolutionary algorithm, the NSGA-II. Good results were obtained considering the stochastic nature of the algorithm and the extremely large solution search space. Security of water systems is an open problem where computational intelligence could provide suitable solutions. Besides sensor placement, other interesting aspects of the security problem are the fault detection based on telemetry signals, the identification and the accommodation of the problem. References 1. LeVeque, R.: Nonlinear Conservation Laws and Finite Volume Methods. In: LeVeque, R.J., Mihalas, D., Dor, E.A., Müller, E. (eds.) Computational Methods for Astrophysical Fluid Flow, pp. 1–159. Springer, Berlin (1998) 2. Kurotani, K., Kubota, M., Akiyama, H., Morimoto, M.: Simulator for contamination diffusion in a water distribution network. In: Proc. IEEE International Conference on Industrial Electronics, Control, and Instrumentation, vol. 2, pp. 792–797 (1995) 3. Rossman, L.A.: The EPANET Programmer’s Toolkit for Analysis of Water Distribution Systems. In: ASCE 29th Annual Water Resources Planning and Management Conference, pp. 39–48 (1999) 76 D.G. Eliades and M.M. Polycarpou 4. Kessler, A., Ostfeld, A., Sinai, G.: Detecting accidental contaminations in municipal water networks. ASCE Journal of Water Resources Planning and Management 124(4), 192–198 (1998) 5. Ostfeld, A., Uber, J.G., Salomons, E.: Battle of the Water Sensor Networks (BWSN): A Design Challenge for Engineers and Algorithms. In: ASCE 8th Annual Water Distibution System Analysis Symposium (2006) 6. Huang, J.J., McBean, E.A., James, W.: Multi-Objective Optimization for Monitoring Sensor Placement in Water Distribution Systems. In: ASCE 8th Annual Water Distibution System Analysis Symposium (2006) 7. Hart, W., Berry, J., Riesen, L., Murray, R., Phillips, C., Watson, J.: SPOT: A sensor placement optimization toolkit for drinking water contaminant warning system design. In: Proc. World Water and Environmental Resources Conference (2007) 8. Berry, J.W., Fleischer, L., Hart, W.E., Phillips, C.A., Watson, J.P.: Sensor Placement in Municipal Water Networks. ASCE Journal of Water Resources Planning and Management 131(3), 237–243 (2005) 9. Eliades, D., Polycarpou, M.: Iterative Deepening of Pareto Solutions in Water Sensor Networks. In: Buchberger, S.G. (ed.) ASCE 8th Annual Water Distibution System Analysis Symposium. ASCE (2006) 10. Eliades, D.G., Polycarpou, M.M.: Multi-Objective Optimization of Water Quality Sensor Placement in Drinking Water Distribution Networks. In: European Control Conference, pp. 1626–1633 (2007) 11. Watson, J.P., Hart, W.E., Murray, R.: Formulation and Optimization of Robust Sensor Placement Problems for Contaminant Warning Systems. In: Buchberger, S.G. (ed.) ASCE 8th Annual Water Distibution System Analysis Symposium (2006) 12. Rockafellar, R., Uryasev, S.: Optimization of Conditional Value-at-Risk. Journal of Risk 2(3), 21–41 (2000) 13. Rockafellar, R., Uryasev, S.: Conditional Value-at-Risk for General Loss Distributions. Journal of Banking and Finance 26(7), 1443–1471 (2002) 14. Topaloglou, N., Vladimirou, H., Zenios, S.: CVaR models with selective hedging for international asset allocation. Journal of Banking and Finance 26(7), 1535–1561 (2002) 15. Rao, S.: Engineering Optimization: Theory and Practice. Wiley-Interscience, Chichester (1996) 16. Preis, A., Ostfeld, A.: Multiobjective Sensor Design for Water Distribution Systems Security. In: ASCE 8th Annual Water Distibution System Analysis Symposium (2006) 17. Ostfeld, A., Uber, J.G., Salomons, E., Berry, J.W., Hart, W.E., Phillips, C.A., Watson, J.P., Dorini, G., Jonkergouw, P., Kapelan, Z., di Pierro, F., Khu, S.T., Savic, D., Eliades, D., Polycarpou, M., Ghimire, S.R., Barkdoll, B.D., Gueli, R., Huang, J.J., McBean, E.A., James, W., Krause, A., Leskovec, J., Isovitsch, S., Xu, J., Guestrin, C., VanBriesen, J., Andc, M.S., Andd, P.F., Preis, A., Propato, M., Piller, O., Trachtman, G.B., Wu, Z.Y., Walski, T.: The Battle of the Water Sensor Networks (BWSN): A Design Challenge for Engineers and Algorithms. ASCE Journal of Water Resources Planning and Management (to appear, 2008) 18. Deb, K., Pratap, A., Agarwal, S., Meyarivan, T.: A fast and elitist multiobjective genetic algorithm: NSGA-II. IEEE Transactions on Evolutionary Computation 6(2), 182–197 (2002) Trusted-Computing Technologies for the Protection of Critical Information Systems Antonio Lioy, Gianluca Ramunno, and Davide Vernizzi* Politecnico di Torino Dip. di Automatica e Informatica c. Duca degli Abruzzi, 24 – 10129 Torino, Italy {antonio.lioy,gianluca.ramunno,davide.vernizzi}@polito.it Abstract. Information systems controlling critical infrastructures are vital elements of our modern society. Purely software-based protection techniques have demonstrated limits in fending off attacks and providing assurance of correct configuration. Trusted computing techniques promise to improve over this situation by using hardware-based security solutions. This paper introduces the foundations of trusted computing and discusses how it can be usefully applied to the protection of critical information systems. Keywords: Critical infrastructure protection, trusted computing, security, assurance. 1 Introduction Trusted-computing (TC) technologies have historically been proposed by the TCG (Trusted Computing Group) to protect personal computers from those software attacks that cannot be countered by purely software solutions. However these techniques are now mature enough to spread out to both bigger and smaller systems. Trusted desktop environments are already available and easy to setup. Trusted computing servers and embedded systems are just around the corner, while proof-ofconcept trusted environments for mobile devices have been demonstrated and are just waiting for the production of the appropriate hardware anchor (MTM, Mobile Trust Module). TC technologies are not easily understood and to many people they immediately evoke the “Big Brother” phantom, mainly due to their initial association with controversial projects from operating system vendors (to lock the owner into using only certified and licensed software components) and from providers of multimedia content (to avoid copyright breaches). However, TC is nowadays increasingly being associated with secure open environments, also thanks to pioneer work performed by various projects around the world, such as the Open-TC [1] one funded by the European Commission. On another hand, we have an increasing number of vital control systems (such as electric power distribution, railway traffic, and water supply) that heavily and almost exclusively rely on computer-based infrastructures for their correct operation. In the * This work has been partially funded by the EC as part of the OpenTC project (ref. 027635). It is the work of the authors alone and may not reflect the opinion of the whole project. E. Corchado et al. (Eds.): CISIS 2008, ASC 53, pp. 77–83, 2009. springerlink.com © Springer-Verlag Berlin Heidelberg 2009 78 A. Lioy, G. Ramunno, and D. Vernizzi following we will refer to these infrastructures with the term “Critical Information Systems” (CIS) because their proper behaviour in handling information is critical for the operation of some very important system. This paper briefly describes the foundations of TC and shows how they can help in creating more secure and trustworthy CIS. 2 Critical Information Systems (CIS) CIS are typically characterized by being very highly distributed systems, because the underlying controlled system (e.g. power distribution, railway traffic) is highly distributed itself on a geographic scale. In turn this bears an important consequence: it is nearly impossible to control physical access to all its components and to the communication channels that must therefore be very trustworthy. In other words, we must consider the likelihood that someone is manipulating the hardware, software, or communication links of the various distributed components. This likelihood is larger than in normal networked systems (e.g. corporate networks) because nodes are typically located outside the company’s premises and hosted in shelters easily violated. For example, think of the small boxes containing control equipment alongside railway tracks or attached to electrical power lines. An additional problem is posed by the fact that quite often CIS are designed, developed, and deployed by a company (the system developer), owned by a different one (the service provider), and finally maintained by yet another company (the maintainer) on a contract with one of the first two. When a problem occurs and it leads to an accident, it is very important to be able to track the source of the problem: is it due to a design mistake? or to a development bug? or to an incorrect maintenance procedure? The answer has influence over economical matters (costs for fixing the problem, penalties to be paid) and may be also over legal ones, in the case of damage to a third-party. Even if no damage is produced, it is nonetheless important to be able to quickly identify problems with components of a CIS, be them produced incidentally or by a deliberate act. For example, in real systems many problems are caused by mistakes made by maintainers when upgrading or replacing hardware or software components. Any technical solution that can help in thwarting attacks and detecting mistakes and breaches is of interest, but nowadays the solutions commonly adopted – such as firewall, VPN, and IDS – heavily rely on correct software configuration of all the nodes. Unfortunately this cannot be guaranteed in a highly distributed and physically insecure system as a CIS. Therefore better techniques should be adopted not only to protect the system against attacks and errors but also to provide assurance that each node is configured and operating as expected. This is exactly one of the possible applications of the TC paradigm, which is introduced in the next section. 3 Trusted Computing Principles In order to protect computer systems and networks from attacks we rely on software tools in the form of security applications (e.g. digital signature libraries), kernel Trusted-Computing Technologies 79 modules (e.g. IPsec) or firmware, as in the case of firewall appliances. However software can be manipulated either locally by privileged and un-privileged users, or remotely via network connections that exploit known vulnerabilities or insecure configurations (e.g. accepting unknown/unsigned Active-X components in your browser). It is therefore clear that is nearly impossible to protect a computer system from software attacks while relying purely on software defences. To progress beyond this state, the TCG [2], a not-for-profit group of ICT industry players, developed a set of specification to create a computer system with enhanced security named “trusted platform”. A trusted platform is based on two key components: protected capabilities and shielded memory locations. A protected capability is a basic operation (performed with an appropriate mixture of hardware and firmware) that is vital to trust the whole TCG subsystem. In turn capabilities rely on shielded memory locations, special regions where is safe to store and operate on sensitive data. From the functional perspective, a trusted platform provides three important features rarely found in other systems: secure storage, integrity measurement and reporting. The integrity of the platform is defined as a set of metrics that identify the software components (e.g. operating system, applications and their configurations) through the use of fingerprints that act as unique identifiers for each component. Considered as a whole, the integrity measures represent the configuration of the platform. A trusted platform must be able to measure its own integrity, locally store the related measurements and report these values to remote entities. In order to trust these operations, the TCG defines three so-called “root of trust”, components that must be trusted because their misbehaviour might not be detected: • the Root of Trust for Measurements (RTM) that implements an engine capable of performing the integrity measurements; • the Root of Trust for Storage (RTS) that securely holds integrity measures and protect data and cryptographic keys used by the trusted platform and held in external storages; • the root of trust for reporting (RTR) capable of reliably reporting to external entities the measures held by the RTS. The RTM can be implemented by the first software module executed when a computer system is switched on (i.e. a small portion of the BIOS) or directly by the hardware itself when using processors of the latest generation. The central component of a TCG trusted platform is the Trusted Platform Module (TPM). This is a low cost chip capable to perform cryptographic operations, securely maintain the integrity measures and report them. Given its functionalities, it is used to implement RTS and RTR, but it can also be used by the operating system and applications for cryptographic operations although its performance is quite low. The TPM is equipped with two special RSA keys, the Endorsement Key (EK) and the Storage Root Key (SRK). The EK is part of the RTR and it is a unique (i.e. each TPM has a different EK) and “non-migratable” key created by the manufacturer of the TPM and that never leaves this component. Furthermore the specification requires that a certificate must be provided to guarantee that the key belongs to a genuine TPM. The SRK is part of the RTS and it is a “non-migratable” key that protects the 80 A. Lioy, G. Ramunno, and D. Vernizzi other keys used for cryptographic functions1 and stored outside the TPM. Also SRK never leaves the TPM and it is used to build a key hierarchy. The integrity measures are held into the Platform Configuration Registers (PCR). These are special registers within the TPM acting as accumulators: when the value of a register is updated, the new value depends both on the new measure and on the old value to guarantee that once initialized it is not possible to fake the value of a PCR. The action of reporting the integrity of the platform is called Remote Attestation. A remote attestation is requested by a remote entity that wants evidence about the configuration of the platform. The TPM then makes a digital signature over the values of a subset of PCR to prove to the remote entity the integrity and authenticity of the platform configuration. For privacy reasons, the EK cannot be used to make the digital signature. Instead, to perform the remote attestation the TPM uses an Attestation Identity Key (AIK), which is an “alias” for the EK. The AIK is a RSA key created by the TPM whose private part is never released outside the chip; this guarantees that the AIK cannot be used by anyone except the TPM itself. In order to use the AIK for authenticating the attestation data (i.e. the integrity measures) it is necessary to obtain a certificate proving that the key was actually generated by a genuine TPM and it is managed in a correct way. Such certificates are issued by a special certification authority called Privacy CA (PCA). Before creating the certificate, the PCA must verify the genuineness of the TPM. This verification is done through the EK certificate. Many AIKs can be created and, to prevent the traceability of the platform operations, ideally a different AIK should be used for interacting with each different remote attester. Using trusted computing it is possible to protect data via asymmetric encryption in a way that only the platform’s TPM can access them: this operation is called binding. It is however possible to migrate keys and data to another platform, with a controlled procedure, if they were created as “migratable”. The TPM also offers a stronger capability to protect data: sealing. When the user seals some data, he must specify an “unsealing configuration”. The TPM assures that sealed data can be only be accessed if the platform is in the “unsealing configuration” that was specified at the sealing time. The TPM is a passive chip disabled at factory and only the owner of a computer equipped with a TPM may choose to activate this chip. Even when activated, the TPM cannot be remotely controlled by third entities: every operation must be explicitly requested by software running locally and the possible disclosure of local data or the authorisation to perform the operations depend on the software implementation. In the TCG architecture, the owner of the platform plays a central role because the TPM requires authorisation from the owner for all the most critical operations. Furthermore, the owner can decide at any time to deactivate the TPM, hence disabling the trusted computing features. The identity of the owner largely depends on the scenario where trusted computing is applied: in a corporate environment, the owner is usually the administrator of the IT department, while in a personal scenario normally the end-user is also the owner of the platform. 1 In order to minimize attacks, SRK is never used for any cryptographic function, but only to protect other keys. Trusted-Computing Technologies 81 Run-time isolation between software modules with different security requirement can be an interesting complementary requirement for a trusted platform. Given that memory areas of different modules are isolated and inter-module communication can occur only under well specified control flow policies, then if a specific module of the system is compromised (e.g. due to a bug or a virus), the other modules that are effectively isolated from that one are not affected at all. Today virtualization is an emerging technology for PC class platforms to achieve run-time isolation and hence is a perfect partner for a TPM-based trusted platform. The current TCG specifications essentially focus on protecting a platform against software attacks. The AMD-V [3] and the Intel TXT [4] initiatives, besides providing hardware assistance for virtualization, increase the robustness against software attacks and the latter also starts dealing with some basic hardware attacks. In order to protect the platforms also from physical attacks, memory curtaining and secure input/output should be provided: memory curtaining extends memory protection in a way that sensitive areas are fully isolated while secure input/output protects communication paths (such as the buses and input/output channels) among the various components of a computer system. Intel TXT focuses only on some so called “open box” attacks, by protecting the slow buses and by guaranteeing the integrity verification of the main hardware components on the platform. 4 The OpenTC Project The OpenTC project has applied TC techniques to the creation of an open and secure computing environment by coupling them with advanced virtualization techniques. In this way it is possible to create on the same computer different execution environments mutually protected and with different security properties. OpenTC uses virtualisation layers – also called Virtual Machine Monitors (VMM) or hypervisors – and supports two different implementations: Xen and L4/Fiasco. This layer hosts compartments, also called virtual machines (VM), domains or tasks, depending on the VMM being used. Some domains host trust services that are available to authorised user compartments. Various system components make use of TPM capabilities, e.g. in order to measure other components they depend on or to prove the system integrity to remote challengers. Each VM can host an open or proprietary operating environment (e.g. Linux or Windows) or just a minimal library-based execution support for a single application. The viability of the OpenTC approach has been demonstrated by creating two proof-of-concept prototypes, the so-called PET and CC@H ones, that are publicly available at the project’s web site The PET (for Private Electronic Transactions) scenario [5] aims to improve the trustworthiness of interactions with remote servers. Transactions are simply performed by accessing a web server through a standard web browser running in a dedicated trusted compartment. The server is assumed to host web pages related to a critical financial service, such as Internet banking or another e-commerce service. The communication setup between the browser compartment and the web server is extended by a protocol for mutual remote attestation tunnelled through an SSL/TLS channel. During the attestation phase, each side assesses the trustworthiness of the other. If this assessment is negative on either side, the SSL/TLS tunnel is closed, 82 A. Lioy, G. Ramunno, and D. Vernizzi preventing further end-to-end communication. If the assessment is positive, end-toend communication between browser and server is enabled via standard HTTPS tunnelled over SSL/TLS. In this way the user is reassured about having connected to the genuine server of its business provider and about its integrity, and the provider knows that the user has connected by using a specific browser and that the hosting environment (i.e. operating system and drivers) has not been tampered with, for example by inserting a key-logger. The CC@H (for Corporate Computing at Home) scenario [6] demonstrates the usage of the OpenTC solution to run simultaneously on the same computer different non-interfering applications. It reflects the situation where employers tolerate, within reasonable limits, the utilization of corporate equipment (in particular notebooks) for private purposes but want assurance that the compartment dedicated to corporate applications is not manipulated by the user. In turn the user has a dedicated compartment for his personal matters, included free Internet surfing which, on the contrary, is not allowed from the corporate compartment. The CC@H scenario is based on the following main functional components: • boot-loaders capable of producing cryptographic digests for lists of partitions and arbitrary files that are logged into PCRs of the TPM prior to passing on control of the execution flow to the virtual machine monitor (VMM) or kernel it has loaded into memory; • virtualization layers with virtual machine loaders that calculate and log cryptographic digests for virtual machines prior to launching them; • a graphical user interface enabling the user to launch, stop and switch between different compartments with a simple mouse click; • a virtual network device for forwarding network packets from and to virtual machine domains; • support for binding the release of keys for encrypted files and partitions to defined platform integrity metrics. 5 How TC Can Help in Building Better CIS TC can benefit the design and operations of a CIS in several ways. First of all, attestation can layer the foundation for better assurance in the systems operation. This is especially important when several players concur to the design, management, operation, and maintenance of a CIS and thus unintentional modification of software modules is possible, as well as deliberate attacks due to the distributed nature of these systems. TC opens also the door to reliable logging, where log files contain not only a list of events but also a trusted trace of the component that generated the event and the system state when the event was generated. Moreover the log file could be manipulated only by trusted applications if it was sealed against them, so for example no direct editing (for insertion or cancellation) would be possible. The security of remote operations could be improved by exploiting remote attestation, so that network connections are permitted only if requested by nodes executing specific software modules. Intruders would therefore be unable to connect to the other Trusted-Computing Technologies 83 nodes: as they could not even open a communication channel towards the application, they could not in any way try to exploit the software vulnerabilities that unfortunately plague most applications. This feature could also be used in a different way: a central management facility could poll the various nodes by opening network connection just to check via remote attestation the software status of the nodes. In this way it would be very easy to detect misconfigured elements and promptly reconfigure or isolate them. In general sealing protects critical data from access by unauthorized software because access can be bound to a well-defined system configuration. This feature allows the implementation of fine-grained access control schemes that can prevent agents from accessing data they are not authorized for. This is very important when several applications with different trust level are running on the same node and may be these applications have been developed by providers with different duties. In this way we can easily implement the well-known concept of “separation of duties”: even if a module can bypass the access control mechanisms of the operating system and directly access the data source, it will be unable to operate on it because the TPM and/or security services running on the system will not release to the module the required cryptographic credentials. Finally designers and managers of CIS should not be scared by the overhead introduced by TC. In our experience, the L4/Fiasco set-up is very lightweight and therefore suitable also for nodes with limited computational resources. Moreover, inside a partition we can execute a full operating system with all its capabilities (e.g. Suse Linux), a stripped-down OS (such as DSL, Damn Small Linux) with only the required drivers and capabilities, or just a mini-execution environment providing only the required libraries for small embedded single task applications. In case multiple compartments are not needed, the TC paradigm can be directly built on top of the hardware, with no virtualization layer, hence further reducing its footprint. 6 Conclusions While several technical problems are still to be solved before large-scale adoption of TC is a reality, we nonetheless think that it is ready to become a major technology of the current IT scenario, especially for critical information systems where its advantages in terms of protection and assurance far outweigh its increased design and management complexity. References 1. 2. 3. 4. Open Trusted Computing (OpenTC) project, IST-027635, http://www.opentc.net Trusted Computing Group, http://www.trustedcomputing.org AMD Virtualization, http://www.amd.com/virtualization Intel Trusted Execution Technology, http://www.intel.com/technology/security/ 5. OpenTC newsletter no.3, http://www.opentc.net/publications/OpenTC_Newsletter_03.html 6. OpenTC newsletter no.5, http://www.opentc.net/publications/OpenTC_Newsletter_05.html A First Simulation of Attacks in the Automotive Network Communications Protocol FlexRay Dennis K. Nilsson1 , Ulf E. Larson1 , Francesco Picasso2, and Erland Jonsson1 1 2 Department of Computer Science and Engineering Chalmers University of Technology SE-412 96 Gothenburg, Sweden Department of Computer Science and Engineering University of Genoa Genoa, Italy {dennis.nilsson,ulf.larson,erland.jonsson}@chalmers.se, [email protected] Abstract. The automotive industry has over the last decade gradually replaced mechanical parts with electronics and software solutions. Modern vehicles contain a number of electronic control units (ECUs), which are connected in an in-vehicle network and provide various vehicle functionalities. The next generation automotive network communications protocol FlexRay has been developed to meet the future demands of automotive networking and can replace the existing CAN protocol. Moreover, the upcoming trend of ubiquitous vehicle communication in terms of vehicle-to-vehicle and vehicle-to-infrastructure communication introduces an entry point to the previously isolated in-vehicle network. Consequently, the in-vehicle network is exposed to a whole new range of threats known as cyber attacks. In this paper, we have analyzed the FlexRay protocol specification and evaluated the ability of the FlexRay protocol to withstand cyber attacks. We have simulated a set of plausible attacks targeting the ECUs on a FlexRay bus. From the results, we conclude that the FlexRay protocol lacks sufficient protection against the executed attacks, and we therefore argue that future versions of the specification should include security protection. Keywords: Automotive, vehicle, FlexRay, security, attacks, simulation. 1 Introduction Imagine a vehicle accelerating and exceeding a certain velocity. At this point, the airbag suddenly triggers rendering the driver unable to maneuver the vehicle. This event leads to the vehicle crashing, leaving the driver seriously wounded. One might ask if this event was caused by a software malfunction or a hardware fault. In the near future, one might even ask if the event was the result of a deliberate cyber attack on the vehicle. In the last decade electronics and firmware have replaced mechanical components in vehicles at an unprecedented rate. Modern vehicles contain an in-vehicle network consisting of a number of electronic control units (ECUs) responsible E. Corchado et al. (Eds.): CISIS 2008, ASC 53, pp. 84–91, 2009. c Springer-Verlag Berlin Heidelberg 2009 springerlink.com A First Simulation of Attacks 85 for the functionality in the vehicle. As a result, the ECUs constitute a likely target for cyber attackers. An emerging trend for automotive manufacturers is to create an infrastructure for performing remote diagnostics and firmware updates over the air (FOTA) [1]. There are several benefits with this approach. It involves a minimum of customer inconvenience since there exists no need for the customer to bring the vehicle to a service station for a firmware update. In addition, it allows faster updates; it is possible to update the firmware as soon as it is released. Furthermore, this approach reduces the lead time from fault to action since it is possible to analyze errors and identify causes using diagnostics before a vehicle arrives at a service station. However, the future infrastructure allows external communication to interact with the in-vehicle network, which introduces a number of security risks. The previously isolated in-vehicle network is thus exposed to a whole new type of attacks, collectively known as cyber attacks. Since the ECUs connected to the FlexRay bus are used for providing control and maneuverability in the vehicle, this bus is a likely target for attackers. We have analyzed what an attacker can do once access to the bus is achieved. The main contributions of this paper are as follows. – We have analyzed the FlexRay protocol specification with respect to desired security properties and found that functionalities to achieve these properties are missing. – We have identified the actions an attacker can take in a FlexRay network as a result of the lack of security protection. – We have successfully implemented and simulated the previously identified attack actions in the CANoe simulator environment. – We discuss the potential safety effects of these attacks and emphasize the need for future security protection in in-vehicle networks. 2 Related Work Much research on the in-vehicle network has been on safety issues. Little research has been done on the security aspects in such networks. Only a few papers focusing on the security of those networks have been published. However, the majority of these papers have focused on the CAN protocol. These papers are described in more detail as follows. Wolf et al. [2] present several weaknesses in the CAN and FlexRay bus protocols. Weaknesses include confidentiality and authenticity problems. However, the paper does not give any specific attack examples. Simulated attacks have been performed on the CAN bus [3, 4, 5] and illustrate the severity of such attacks. Moreover, the notion of vehicle virus is introduced in [5] which describes more advanced attacks on the CAN bus. As a result, the safety of the driver can be affected. The Electronic Architecture and System Engineering for Integrated Safety Systems (EASIS) project has done work in embedded security for safety applications [6]. The work dicusses the need for safe and reliable communication for 86 D.K. Nilsson et al. external and internal vehicle communication. A security manager responsible for crypto operations and authentication management is described. In this paper, we focus on identifying possible attacker actions on the FlexRay bus and discussing the safety effects of such security threats. 3 Background Traditionally, in-vehicle networks are designed to meet reliability requirements. As such, they primarily address failures caused by non-malicious and inadvertent flaws, which are produced by chance or by component malfunction. Protection is realized by fault-tolerance mechanisms, such as redundancy, replication, and diversity. Since the in-vehicle network has been isolated, protection against intelligent attackers (i.e., security) has not been previously considered. However, recent wireless technology allow for external interaction with the vehicle through remote diagnostics and FOTA. To benefit from the new technology, the in-vehicle network needs to allow wireless communication with external parties, including service stations, business systems and fleet management. Since the network must be open for external access, new threats need to be accounted for and new requirements need to be stated and implemented. Consider for example an attacker using a compromised host in the business network to obtain unauthorized access to the in-vehicle network. Once inside the in-vehicle network, the attacker sends a malicious diagnostic request to trigger the airbag, which in turn could cause injury to the driver and the vehicle to crash. As illustrated by the example scenario, the safety of the vehicle is strongly linked to the security, and a security breach may well affect the safety of the driver. It is thus reasonable to believe that not only reliability requirements but also security requirements need to be fulfilled to protect the driver. Since security has yet not been required in the in-vehicle networks, it can be assumed that a set of successful attacks targeting the in-vehicle network should be possible to produce. To assess our assumption, we analyze the FlexRay protocol specification version 2.1 revision A [7]. We then identify a set of security properties for the network, evaluate the correspondence between the properties and the protocol specifications, and develop an attacker model. 3.1 In-Vehicle Network The in-vehicle network consists of a number of ECUs and buses. The ECUs and buses form networks, and the networks are connected through gateways. Critical applications, such as the engine management system and the antilock braking system (ABS) use the CAN bus for communication. To meet future application demands, CAN is gradually being replaced with FlexRay. A wireless gateway connected to the FlexRay bus allows access to external networks such as the Internet. A conceptual model of the in-vehicle network is shown in Fig. 1. A First Simulation of Attacks 87 External Network ECUs Wireless Gateway FlexRay Fig. 1. Conceptual model of the in-vehicle network consisting of a FlexRay network and ECUs including a wireless gateway 3.2 FlexRay Protocol The FlexRay protocol [7] is designed to meet the requirements of today’s automotive industry, including flexible data communications, support for three different topologies (bus, star, and mixed), fault-tolerant operation and higher data rate than previous standards. FlexRay allows both asynchronous transfer mode and real-time data transfer, and operates as a dual-channel system, where each channel delivers a maximum data bit rate of 10 Mbps. The FlexRay protocol belongs to the time-triggered protocol family which is characterized by a continuous communication of all connected nodes via redundant data buses at predefined intervals. It defines the specifics of a data-link layer independent of a physical layer. It focuses on real-time redundant communications. Redundancy is achieved by using two communications channels. Real time is assured by the adoption of a time division multiplexing communication scheme: each ECU has a given time slot to communicate but it cannot decide when since the slots are allocated at design time. Moreover, a redundant masterless protocol is used for synchronizing the ECU clocks by measuring time differences of arriving frames, thus implementing a fault-tolerant procedure. The data-link layer provides basic but strongly reliable communication functionality, and for the protocol to be practically useful, an application layer needs to be implemented on top of the link layer. Such an application layer could be used to assure the desired security properties. In FlexRay, this application layer is missing. 3.3 Desired Security Properties To evaluate the security of the FlexRay protocol, we use a set of established security properties commonly used for, e.g., sensor networks [8, 9, 10]. We believe that most of the properties are desirable in the vehicle setting due to the many similarities between the network types. The following five properties are considered. – Data Confidentiality. The contents of messages between the ECUs should be kept confidential to avoid unauthorized reads. 88 D.K. Nilsson et al. – Data Integrity. Data integrity is necessary for ensuring that messages have not been modified in transit. – Data Availability. Data availability is necessary to ensure that measured data from ECUs can be accessed at requested times. – Data Authentication. To prevent an attacker from spoofing packets, it is important that the receiver can verify the sender of the packets (authenticity). – Data Freshness. Data freshness ensures that communicated data is recent and that an attacker is not replaying old data. 3.4 Security Evaluation of FlexRay Specification We perform a security evaluation of the FlexRay protocol based on the presented desired security properties. We inspect the specification and look for functionalities that would address those properties. The FlexRay protocol itself does not provide any security features since it is a pure communication protocol. However, CRC check values are included to provide some form of integrity protection against transmission errors. The time division multiplexing assures availability since the ECUs can communicate during the allocated time slot. The security properties are at best marginally met by the FlexRay specification. We find some protection of data availability and data integrity, albeit the intention of the protection is for safety reasons. However, the specification does not indicate any assurance of confidentiality, authentication, or freshness of data. Thus, security has not been considered during the design of the FlexRay protocol specification. 3.5 Attacker Model The evaluation concluded that the five security properties were at best slightly addressed in the FlexRay protocol. Therefore, we can safely make the assumption that a wide set of attacks in the in-vehicle network should be possible to execute. We apply the Nilsson-Larson attacker model [5], where an attacker has access to the in-vehicle network via the wireless gateway and can perform the following actions: read, spoof, drop, modify, flood, steal, and replay. In the following section, we focus on simulating the read and spoof actions. 4 Cyber Attacks In this section, we define and discuss two attacker actions: read and spoof. The actions are derived from the security evaluation and the attacker model in the previous section. 4.1 Attacker Actions Read and spoof can be performed from any ECU in the FlexRay network. Read. Due to the lack of confidentiality protection, an attacker can read all data sent on the FlexRay bus, and possibly send the data to a remote location via A First Simulation of Attacks 89 the wireless gateway. If secret keys, proprietary or private data are sent on the FlexRay bus, an attacker can easily learn that data. Spoof. An attacker can create and inject messages since there exists no data authentication on the data sent on the FlexRay bus. Therefore, messages can be spoofed and target arbitrary ECUs claiming to be from any ECU. An attacker can easily create and inject diagnostics messages on the FlexRay bus to cause ECUs to perform arbitrary actions. 4.2 Simulation Environment We have used CANoe version 7.0 from Vector Informatik [11] to simulate the attacks. ECUs for handling the engine, console, brakes, and back light functionalities were connected to a FlexRay bus to simulate a simplified view of an in-vehicle network. 4.3 Simulated Attack Actions We describe the construction and simulation of the read and spoof attack actions. Read. Messages sent on the FlexRay bus can be recorded by an attacker who has access to the network. The messages are Time stamped, and the channel (Chn), identifier (ID), direction (Dir ), data length (DLC ), and any associated Data bytes are recorded. The log entries for a few messages are shown in Table 1. Also, we have included the corresponding message Name (interpreted from ID) for each message. Spoof. An attacker can create and inject a request on the bus to cause an arbitrary effect. For example, an attacker can create and inject a request to light up the brake light. The BreakLight message is spoofed with the data value 0x01 and sent on the bus resulting in the brake light being turned on. The result of the attack is shown in Fig. 2. The transmission is in the fifth gear, and the vehicle is accelerating and traveling with a velocity of 113 mph. At the same time, the brake light is turned on, as indicated by the data value 1 of the BreakLight message although no brakes are applied (BrakePressure has the value 0). 4.4 Effect on Safety Based on Lack of Proper Security Protection As noted in Section 3, safety and security are tightly coupled in the vehicle setting. From our analysis, it is evident that security-related incidents can affect Table 1. Log entries with corresponding names and values Time 15.540518 15.540551 15.549263 15.549362 15.549659 15.549692 Chn ID Dir DLC Name FR FR FR FR FR FR 1A 1A 1A 1A 1A 1A 51 52 13 16 25 26 Tx Tx Tx Tx Tx Tx 16 16 16 16 16 16 BackLightInfo GearBoxInfo ABSInfo BreakControl EngineData EngineStatus Data 128 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 160 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 59 0 0 0 31 0 0 0 0 0 0 0 0 0 0 0 0 64 31 0 0 0 0 0 0 0 0 0 0 0 0 0 73 8 81 44 140 10 152 58 0 0 0 0 0 0 0 0 0000000000000000 90 D.K. Nilsson et al. Fig. 2. Spoof attack where the brake lights are lit up while the vehicle is accelerating and no brake pressure is applied the safety of the driver. Our example with the spoofed brake light message could cause other drivers to react based on the false message. Even worse, spoofed control messages could affect the control and maneuverability of the vehicle and cause serious injury to the drivers, passengers, and other road-users. It is therefore imperative that proper security protection is highly prioritized in future development of the protocol. 5 Conclusion and Future Work We have created and simulated attacks in the automotive communications protocol FlexRay and shown that such attacks can easily be created. In addition, we have discussed how safety is affected by the lack of proper security protection. These cyber attacks can target control and maneuverability ECUs in the in-vehicle network and lead to serious injury for the driver. The attacker actions are based on weaknesses in the FlexRay 2.1 revision A protocol specification. The security of the in-vehicle network must be taken into serious consideration when external access to these previously isolated networks is introduced. The next step is to investigate other types of attacks and simulate such attacks on the FlexRay bus. Then, based on the various attacks identified, a set of appropriate solutions for providing security features should be investigated. The most pertinent future work to be further examined are prevention and detection mechanisms. An analysis of how to secure the in-vehicle protocol should be performed, and the possibility to introduce lightweight mechanisms for data integrity and authentication protection should be investigated. Moreover, to A First Simulation of Attacks 91 detect attacks in the in-vehicle network a lightweight intrusion detection system needs to be developed. References 1. Miucic, R., Mahmud, S.M.: Wireless Multicasting for Remote Software Upload in Vehicles with Realistic Vehicle Movement. Technical report, Electrical and Computer Engineering Department, Wayne State University, Detroit, MI 48202 USA (2005) 2. Wolf, M., Weimerskirch, A., Paar, C.: Security in Automotive Bus Systems. In: Workshop on Embedded IT-Security in Cars, Bochum, Germany (November 2004) 3. Hoppe, T., Dittman, J.: Sniffing/Replay Attacks on CAN Buses: A simulated attack on the electric window lift classified using an adapted CERT taxonomy. In: Proceedings of the 2nd Workshop on Embedded Systems Security (WESS), Salzburg, Austria (2007) 4. Lang, A., Dittman, J., Kiltz, S., Hoppe, T.: Future Perspectives: The car and its IP-address - A potential safety and security risk assessment. In: The 26th International Conference on Computer Safety, Reliability and Security (SAFECOMP), Nuremberg, Germany (2007) 5. Nilsson, D.K., Larson, U.E.: Simulated Attacks on CAN Buses: Vehicle virus. In: Proceedings of the Fifth IASTED Asian Conference on Communication Systems and Networks (ASIACSN) (2008) 6. EASIS. Embedded Security for Integrated Safety Applications (2006), http://www.car-to-car.org/fileadmin/dokumente/pdf/security 2006/ sec 06 10 eyeman easis security.pdf 7. FlexRay Consortium. FlexRay Communications System Protocol Specification 2.1 Revision A (2005) (Visited August, 2007), http://www.softwareresearch.net/site/teaching/SS2007/ds/ FlexRay-ProtocolSpecification V2.1.revA.pdf 8. Luk, M., Mezzour, G., Perrig, A., Gligor, V.: MiniSec: A secure sensor network communication architecture. In: IPSN 2007: Proceedings of the 6th International Conference on Information Processing in Sensor Networks, pp. 479–488. ACM Press, New York (2007) 9. Perrig, A., Szewczyk, R., Wen, V., Culler, D.E., Tygar, J.D.: SPINS: Security protocols for sensor networks. In: Mobile Computing and Networking, pp. 189–199 (2001) 10. Karlof, C., Sastry, N., Wagner, D.: TinySec: A link layer security architecture for wireless sensor networks. In: SenSys 2004: Proceedings of the 2nd International Conference on Embedded Networked Sensor Systems, Baltimore, November 2004, pp. 162–175 (2004) 11. Vector Informatik. CANoe and DENoe 7.0 (2007) (Visited December, 2007), http://www.vector-worldwide.com/vi canoe en.html Wireless Sensor Data Fusion for Critical Infrastructure Security Francesco Flammini1,2, Andrea Gaglione2, Nicola Mazzocca2, Vincenzo Moscato2, and Concetta Pragliola1 1 ANSALDO STS - Ansaldo Segnalamento Ferroviario S.p.A. Business Innovation Unit Via Nuova delle Brecce 260, Naples, Italy {flammini.francesco,pragliola.concetta}@asf.ansaldo.it 2 Università di Napoli “Federico II” Dipartimento di Informatica e Sistemistica Via Claudio 21, Naples, Italy {frflammi,andrea.gaglione,nicola.mazzocca,vmoscato}@unina.it Abstract. Wireless Sensor Networks (WSN) are being investigated by the research community for resilient distributed monitoring. Multiple sensor data fusion has proven as a valid technique to improve detection effectiveness and reliability. In this paper we propose a theoretical framework for correlating events detected by WSN in the context of critical infrastructure protection. The aim is to develop a decision support and early warning system used to effectively face security threats by exploiting the advantages of WSN. The research addresses two relevant issues: the development of a middleware for the integration of heterogeneous WSN (SeNsIM, Sensor Networks Integration and Management) and the design of a model-based event correlation engine for the early detection of security threats (DETECT, DEcision Triggering Event Composer & Tracker). The paper proposes an overall system architecture for the integration of the SeNsIM and DETECT frameworks and provides example scenarios in which the system features can be exploited. Keywords: Critical Infrastructure Protection, Sensor Data Fusion, Railways. 1 Introduction Several methodologies (e.g. risk assessment [5]) and technologies (e.g. physical protection systems [4]) have been proposed to enhance the security of critical infrastructure systems. The aim of this work is to propose the architecture for a decision support and early warning system used to effectively face security threats (e.g. terrorist attacks) based on wireless sensors. Wireless sensors feature several advantages when applied to critical infrastructure surveillance [8], as they are: • Cheap, and this allows for fine grained and highly redundant configurations; • Resilient, due to their fault-tolerant mesh topology; • Power autonomous, due to the possibility of battery and photovoltaic energy supplies; E. Corchado et al. (Eds.): CISIS 2008, ASC 53, pp. 92–99, 2009. springerlink.com © Springer-Verlag Berlin Heidelberg 2009 Wireless Sensor Data Fusion for Critical Infrastructure Security 93 • Easily installable, due to their wireless nature and auto-adapting multi-hop routing; • Intelligent, due to the on-board processor and operating systems which allow for some data elaborations being performed locally. All these features support the use of WSN in highly distributed monitoring applications in critical environments. The example application we will refer to in this paper is railway infrastructure protection against external threats which can be natural (fire, flooding, landslide, etc.) or human-made malicious (sabotage, terrorism, etc.). Examples of useful sensors in this domain are listed in the following: smoke and heat – useful for fire detection; moisture and water – useful for flooding detection; Pressure – useful for explosion detection; movement detection (accelerometer or GPS based shifting measurement) – useful for theft detection or structural integrity checks; gas and explosive – useful for chemical or bombing attack detection; vibration and sound – useful for earthquake or crash detection. WSN could also be used for video surveillance and on-board intelligent video-analysis, as reported in [7]. Theoretically, any kind of sensor could be interfaced with a WSN, as it would just substitute the sensing unit of the so called “motes”. For instance, it would be useful (and apparently easy) to interface on WSN intrusion detection devices (like volumetric detectors, active infrared barriers, microphonic cables, etc.) in order to save on cables and junction boxes and exploit an improved resiliency and a more cohesive integration. With respect to traditional connections based on serial buses, wireless sensors are also less prone to tampering, when proper cryptographic protocols are adopted [6]. However, for some classes of sensors (e.g. radiation portals) some of the features of motes (e.g. size, battery power) would be lost. In spite of their many expected advantages, there are several technological difficulties (e.g. energy consumption) and open research issues associated with WSN. The issue addressed in this paper relates to the “data fusion” aspect. In fact, the heterogeneity of network topologies and measured data requires integration and analysis at different levels (see Fig. 1), as partly surveyed in reference [9]. As first, the monitoring of wide geographical areas and the diffusion of WSNs managed by different middlewares have highlighted the research problem of the integrated management of data coming from the various networks. Unfortunately such information is not available in a unique container, but in distributed repositories and the major challenge lies in the heterogeneity of repositories which complicates data management and retrieval processes. This issue is addressed by the SeNsIM framework [1], as described in Section 2. Secondly, there is the need for an on-line reasoning about the events captured by sensor nodes, in order to early detect and properly manage security threats. The availability of possibly redundant data allows for the correlation of basic events in order to increase the probability of detection, decrease the false alarm rate, warn the operators about suspect situations, and even automatically trigger adequate countermeasures by the Security Management System (SMS). This issue is addressed by the DETECT framework [2], as described in Section 3. The rest of the paper is organized as follows: Section 4 discusses about the SeNsIM and DETECT software integration; Section 5 introduces an example railway security application; Section 6 draws conclusions and hints about future developments. 94 F. Flammini et al. DB DETECT (reasoning) SeNsIM (integration) THREAT ROUTE SENSING POINTS WSN 1 ... SMS WSN N ... (a) (b) Fig. 1. (a) Distributed sensing in physical security; (b) Monitoring architecture 2 The SeNsIM Framework The main objectives of SeNsIM are: • To integrate information from distributed sensor networks managed by local middlewares (e.g. TinyDB); • To provide an unique interface for local networks by which a generic user can easily execute queries on specific sensor nodes; • To ensure system’s scalability in case of connection of new sensor networks. From an architectural point of view, the integration has been realized by exploiting the wrapper-mediator paradigm: when a sensor network is activated, an apposite wrapper agent aims at extracting its features and functionalities and to send (e.g. in a XML format) them to one or more mediator agents that are, in the opposite, responsible to drive the querying process and the communication with users. Thus, a query is first submitted through a user interface, and then analyzed by the mediator, converted in a standard XML format and sent to the apposite wrapper. The latter, in a first moment executes the translated query on its local network, by means of a low-layer middleware (TinyDB in the current implementation), and then retrieve the results to send (in a XML format) to the mediator, which show them to the user. According to the data model, the wrapper agent provides a local network virtualization in terms of objects, network and sensors. An object of the class Sensor can be associated to an object of Network type. Moreover, inside the same network one or more sensors can be organized into objects of Cluster or Group type. The state of a sensor can be modified by means of classical getting/setting functions, while the measured variables can be accessed using the sensing function. Fig.2 schematizes the levels of abstraction in the data management perspective provided by SeNsIM using TinyDB as low-level middleware layer and outlines the system architecture. The framework is described in more details in reference [1]. 3 The DETECT Framework Among the best ways to prevent attacks and disruptions is to stop any perpetrators before they strike. DETECT is a framework aimed at the automatic detection of threats Wireless Sensor Data Fusion for Critical Infrastructure Security 95 (a) (b) Fig. 2. (a) Levels of abstraction; (b) SeNsIM architecture against critical infrastructures, possibly before they evolve to disastrous consequences. In fact, non trivial attack scenarios are made up by a set of basic steps which have to be executed in a predictable sequence (with possible variants). Such scenarios must be precisely identified during the risk analysis process. DETECT operates by performing a model-based logical, spatial and temporal correlation of basic events detected by sensor networks, in order to “sniff” sequence of events which indicate (as early as possible) the likelihood of threats. In order to achieve this aim, DETECT is based on a real-time detection engine which is able to reason about heterogeneous data, implementing a centralized application of “data fusion”. The framework can be interfaced with or integrated in existing SMS systems in order to automatically trigger adequate countermeasures (e.g. emergency/crisis management). Attack scenarios are described in DETECT using a specific Event Description Language (EDL) and stored in a Scenario Repository. Starting from the Scenario Repository, one or more detection models are automatically generated using a suitable formalism (Event Graphs in the current implementation). In the operational phase, a 96 F. Flammini et al. model manager macro-module has the responsibility of performing queries on the Event History database for the real-time feeding of detection models according to predetermined policies. When a composite event is recognized, the output of DETECT consists of: the identifier(s) of the detected/suspected scenario(s); an alarm level, associated to scenario evolution (only used in deterministic detection as a linear progress indicator); a likelihood of attack, expressed in terms of probability (only used as a threshold in heuristic detection). DETECT can be used as an on-line decision support system, by alerting in advance SMS operators about the likelihood and nature of the threat, as well as an autonomous reasoning engine, by automatically activating responsive actions, including audio and visual alarms, unblock of exit turnstiles, air conditioned flow inversion, activation of sprinkles, emergency calls to first responders, etc. DETECT is depicted as a black-box in Fig. 3 and described in more details in [2]. Scenari o DETECT Engine Detected Attack Scenario Event History Criticality Level (1, 2, 3, ...) Fig. 3. The DETECT framework 4 Integration of SeNsIM and DETECT The SeNsIM and DETECT frameworks need to be integrated in order to obtain an online reasoning about the events captured by different WSNs. As mentioned above, the aim is to early detect and manage security threats against critical infrastructures. In this section we provide the description of the sub-components involved in the software integration of SeNsIM and DETECT. During the query processing task of SeNsIM, user queries are first submitted by means of a User Interface; then, a specific module (Query Builder) is used to build a query. The user queries are finally processed by means of a Query Processing module which sends the query to the appropriate wrappers. The partial and global query results are then stored in a database named Event History. All the results are captured and managed by a Results Handler, which implements the interface with wrappers. The Model Feeder is the DETECT component which performs periodic queries on the Event History to access primitive event occurrences. The Model Feeder instantiates the inputs of the Detection Engine according to the nature of the model(s). Therefore, the integration is straightforward and mainly consists in the management of the Event History as a shared database, written by the mediator and read by the Model Feeder according to an appropriate concurrency protocol. Wireless Sensor Data Fusion for Critical Infrastructure Security 97 In Figure 4 we report the overall software architecture as a result of the integration between SeNsIM and DETECT. The figure also shows the modules of SeNsIM involved in the query processing task. User interaction is only needed in the configuration phase, to define attack scenarios and query parameters. To this aim, a userfriendly unified GUIs will be available (as indicated in Fig.4). According to the query strategy, both SeNsIM and DETECT can access data from the lower layers using either a cyclic or event driven retrieval process. DETECT DETECTION MODEL(S) DETECTION ENGINE SMS MODEL FEEDER SCENARIO REPOSITORY USER EVENT HISTORY GUI QUERY BUILDER QUERY PROCESSING RESULTS HANDLER SeNsIM MEDIATOR TO WRAPPER(S) Notes: • Only modules used for integration are shown • Query Processing is a macro-module, containing several submodules • A GUI (Graphical User Interface) is used to: - edit DETECT scenarios using a graphical formalism translatable to EDL files - define SeNsIM queries for sensor data retrieval (cyclic polling or event-driven) FROM WRAPPER(S) Fig. 4. Query processing and software integration 5 Example Application Scenario In this section we report an example application of the overall framework to the casestudy of a railway transportation system, an attractive target for thieves, vandals and terrorists. Several application scenarios can be thought exploiting the proposed architecture and several wireless sensors (track line break detection, on-track obstacle detection, etc.) and actuators (e.g. virtual or light signalling devices) could be installed to monitor track integrity against external threats and notify anomalies. In the following we describe how to detect a more complex scenario, namely a terrorist strategic attack. Let us suppose a terrorist decides to attack a high-speed railway line, which is completely supervised by a computer-based control system. A possible scenario consisting in multiple train halting and railway bridge bombing is reported in the following: 1. Artificial occupation (e.g. by using a wire) of the track circuits immediately after the location in which the trains needs to be stopped (let us suppose a high bridge), in both directions. 2. Interruption of the railway power line, in order to prevent the trains from restarting using a staff responsible operating mode. 98 F. Flammini et al. 3. Bombing of the bridge shafts by remotely activating the already positioned explosive charges. Variants of this scenarios exist: for instance, trains can be (less precisely) stopped by activating jammers to disturb the wireless communication channel used for radio signaling, or starting the attack from point (2) (but this would be even less precise). The described scenario could be early identified by detecting the abnormal events reported in point (1) and activating proper countermeasures. By using proper on-track sensors it is possible to monitor the abnormal occupation of track circuits and a possible countermeasure consists in immediately sending an unconditional emergency stop message to the train. This would prevent the terrorist from stopping the train at the desired location and therefore halt the evolution of the attack scenario. Even though the detection of events in points (2) and (3) would happen too late to prevent the disaster, it could be useful to achieve a greater situational awareness about what is happening in order to rationalize the intervention of first responders. Now, let us formally describe the scenario using wireless sensors and detected events, using the notation “sensor description (sensor ID) :: event description (event ID)”: FENCE VIBRATION DETECTOR (S1) :: POSSIBLE ON TRACK INTRUSION (E1) TRACK CIRCUIT X (S2) :: OCCUPATION (E2) LINESIDE TRAIN DETECTOR (S3) :: NO TRAIN DETECTED (E3) TRACK CIRCUIT Y (S4) :: OCCUPATION (E4) LINESIDE TRAIN DETECTOR (S5) :: NO TRAIN DETECTED (E5) VOLTMETER (S6) :: NO POWER (E6) ON-SHAFT ACCELEROMETER (S7) :: STRUCTURAL MOVEMENT (E7) Due to the integration middleware made available by SeNsIM, these events are not required to be detected on the same physical WSN, but they just need to share the same sensor group identifier at the DETECT level. Event (a) is not mandatory, as the detection probability is not 100%. Please not that each of the listed events taken singularly would not imply a security anomaly or be a reliable indicator of it. The EDL description of the above scenario is provided in the following (in the assumption of unique event identifiers): (((E1 SEQ ((E2 AND E3) OR (E4 AND E5))) OR ((E2 AND E3) AND (E4 AND E5))) SEQ E6 ) SEQ E7 Top-down and left to right, using 4 levels of alarm severity: a) E1 can be associated a level 1 warning (alert to the security officer); b) The composite events determined by the first group of 4 operators and the second group of 3 operators can be both associated a level 2 warning (triggering the unconditional emergency stop message); c) The composite event terminating with E6 can be associated a level 3 warning (switch on back-up power supply, whenever available) d) The composite event terminating with E7 (complete scenario) can be associated a level 4 warning (emergency call to first responders). Wireless Sensor Data Fusion for Critical Infrastructure Security 99 In the design phase, the scenario is represented using Event Trees and stored in the Scenario Repository of DETECT. In the operational phase, SeNsIM records the sequence of detected events in the Event History. When the events corresponding to the scenario occur, DETECT provides the scenario identifier and the alarm level (with a likelihood index in case of non deterministic detection models). Pre-configured countermeasures can then be activated by the SMS on the base of such information. 6 Conclusions and Future Works Wireless sensors are being investigated in several applications. In this paper we have provided the description of a framework which can be employed to collect and analyze data measured by such heterogeneous sources in order to enhance the protection of critical infrastructures. One of the research threads points at connecting by WSN traditionally wired sensors and application specific devices, which can serve as useful information sources for a superior situational awareness in security critical applications (like in the example scenario provided above). The verification of the overall system is also a delicate issue which can be addressed using the methodology described in [3]. We are currently developing the missing modules of the software system and testing the already available ones in a simulated environment. The next step will be the interfacing with a real SMS for the on-the-field experimentation. References 1. Chianese, A., Gaglione, A., Mazzocca, N., Moscato, V.: SeNsIM: a system for Sensor Networks Integration and Management. In: Proc. Intl. Conf. on Intelligent Sensors, Sensor Networks and Information Processing (ISSNIP 2008) (to appear, 2008) 2. Flammini, F., Gaglione, A., Mazzocca, N., Pragliola, C.: DETECT: a novel framework for the detection of attacks to critical infrastructures. In: Proc. European Safety & Reliability Conference (ESREL 2008) (to appear, 2008) 3. Flammini, F., Mazzocca, N., Orazzo, A.: Automatic instantiation of abstract tests to specific configurations for large critical control systems. In: Journal of Software Testing, Verification & Reliability (Wiley) (2008), doi:10.1002/stvr.389 4. Garcia, M.L.: The Design and Evaluation of Physical Protection Systems. ButterworthHeinemann, USA (2001) 5. Lewis, T.G.: Critical Infrastructure Protection in Homeland Security: Defending a Networked Nation. John Wiley, New York (2006) 6. Perrig, A., Stankovic, J., Wagner, D.: Security in Wireless Sensor Networks. Communications of the ACM 47(6), 53–57 (2004) 7. Rahimi, M., Baer, R., et al.: Cyclops: In situ image sensing and interpretation in wireless sensor networks. In: Proc. 3rd ACM Conference on Embedded Networked Sensor Systems (SenSys 2005) (2005) 8. Roman, R., Alcaraz, C., Lopez, J.: The role of Wireless Sensor Networks in the area of Critical Information Infrastructure Protection. Inf. Secur. Tech. Rep. 12(1), 24–31 (2007) 9. Wang, M.M., Cao, J.N., Li, J., Dasi, S.K.: Middleware for Wireless Sensor Networks: A Survey. J. Comput. Sci. & Technol. 23(3), 305–326 (2008) Development of Anti Intruders Underwater Systems: Time Domain Evaluation of the Self-informed Magnetic Networks Performance Osvaldo Faggioni1, Maurizio Soldani1, Amleto Gabellone2, Paolo Maggiani3, and Davide Leoncini4 1 INGV Sez. ROMA2, Stazione di Geofisica Marina, Fezzano (SP), Italy {faggioni,soldani}@ingv.it 2 CSSN ITE, Italian Navy, Viale Italia 72, Livorno, Italy [email protected] 3 COMFORDRAG, Italian Navy, La Spezia, Italy [email protected] 4 DIBE, University of Genoa, Genova, Italy [email protected] Abstract. This paper shows the result obtained during the operative test of an anti-intrusion undersea magnetic system based on a magnetometers’ new self-informed network. The experiment takes place in a geomagnetic space characterized by medium-high environmental noise with a relevant human origin magnetic noise component. The system has two different input signals: the magnetic background field (natural + artificial) and a signal composed by the magnetic background field and the signal due to the target magnetic field. The system uses the first signal as filter for the second one to detect the target magnetic signal. The effectiveness of the procedure is related to the position of the magnetic field observation points (reference devices and sentinel devices). The sentinel devices must obtain correlation in the noise observations and de-correlations in the target signal observations. The system, during four tries of intrusion, has correctly detected all magnetic signals generated by divers. Keywords: Critical Systems, Port Protection, Magnetic Systems. 1 Introduction The recent evolution of the world strategic scenarios is characterized by a change of the first threat type: from the military high power attack to terrorist attack. In these new conditions our submarine areas control systems must redesigned to obtain the capability of detecting of very small targets closer to the objective. The acoustic systems, base for actual and, probably, future port protection option, has a very good results in the control of big volumes of water but they failure in the high definition controls as, for example, the control of port sea bottom and docks proximity water volumes. The magnetic detecting is a very interesting option to give more effectiveness to the Anti Intruders Port System. The magnetic method has very good performance in the proximity detecting and loses in the big water volumes controls while the acoustic method achieves good performances in the free water but fails in the sea bottom surface areas E. Corchado et al. (Eds.): CISIS 2008, ASC 53, pp. 100–107, 2009. © Springer-Verlag Berlin Heidelberg 2009 springerlink.com Development of Anti Intruders Underwater Systems 101 and, more relevant in the docks proximity. The integration of these two methods is the MAC System (Magnetic Acoustic) class of underwater alert composed systems. Past studies about the magnetic method detecting shown a phenomenological limitation of its detecting effectiveness due to the very high interference between magnetic signal target (diver = low power source) and the environmental magnetic field. The geomagnetic field is a convolved field of several elementary contributes originated by sources external or internal to the planet, static and dynamic, and more, in the area with human activity, there is the presence of transient magnetic signals very large band with high amplitude variations. Classically the way of target signal detection is the classification of elementary signals of the magnetic field, tentative of the association of their hypothetic sources, and separation of the target signal to the noise: more or less the use of frequency filters numerical techniques (LP, HP, BP) based to empirical experiences in the C.O. frequency definition. The result is a subjective method depending to the decision of the operators (or of the array/chain designers) able of great successes or strong failures. The effectiveness of the method is low and so its develop was neglected for the detecting of little magnetic signals [1-3]. Of course also the increase of devices sensibility doesn’t solve the problem because our problem is related to the target signal informative capability of the magnetograms and not to the sensibility on the measures. In the present paper we show the results obtained by means of a new approach to this problem: we don’t use statistic-conjectural frequency filters, we use a reference magnetometer to inform the sentinel magnetometer of the noised field without the target signal, the system use the reference magnetogram RM as function TD (or FD) filter for the sentinel magnetogram SM. The result of de-convolution RM-SM is the target signal. The critical point of system is related to the design of the network: to obtain an effective magneto-detecting system the devices must be put at a distance to have amplitude correlation in the noise measures and de-correlation in the target measure. 2 On the System Design Options and Metrological Response To build the self-information mag-system we propose two design solutions for the geometry of devices network, the Referred Integrated MAgnetic Network (RIMAN) and the Self-referred Integrated MAgnetic Network (SIMAN) [4]. 2.1 RIMAN System The RIMAN system consists of a magnetometers array system and an identical standalone magnetometer (referring node) deployed within the protected area. The zero-level condition is obtained through the comparison of the signal measured by each of the array’s magnetometers with the signal measured by the referring magnetometer. If the protected area is confined we can assume the total background noise constant and therefore the difference between each array’s sensor and the referring one is around zero. The zero-level condition can be altered only in presence of a target approaching one or two (in case of middle-crossing) sensors of the array. Signal processing of the RIMAN system is accurate and the risk of numeric alteration of the registered rough signal is very low. A standard data-logger system has to measure the signals coming from each of the array’s magnetometers and respectively 102 O. Faggioni et al. compare to the reference signal. The comparison functions ∆F(1,0), ∆F(2,0), …., ∆F(N,0) are subsequently compared to the reference level 0 and then only the non-zero differential signal is taken. It means that the target is crossing a specific nodal magnetometer. For example, if the target is forcing the barrier between nodes 6 and 7, the only differential non-zero functions are ∆F(6,0) and ∆F(7,0) which will indicate the target’s position. A quantitative analysis of the differential signals can also show the target’s relative position to the two nodes. If the protected area is too wide to allow a stability condition of the total background noise, the RIMAN system can be divided in more subsystems, each of one using an intermediate reference node, which have to respect the stability condition among them. The intermediate reference nodes have finally to be related to a common single reference node. MAG1 MAG2 MAG3 MAG4 MAG0 C P U 'F10 2 'F40 'F20 1 4 0 0 'F30 3 Fig. 1. Scheme of Referred Integrated Magnetometers Array Network 2.2 SIMAN System In the SIMAN system all the array’s magnetometers are used to obtain the zero-level condition. The control unit has to check in sequence the zero-level condition between each pair of magnetometers and signal any non-zero differential function. MAG1 MAG2 MAG3 MAG4 MAG5 C P U 1 2 2 'F12 'F45 4 3 2 'F23 'F34 3 5 4 Fig. 2. Scheme of Referred Integrated Magnetometers Array Network Development of Anti Intruders Underwater Systems 103 2.3 Signal Processing Signal processing in the SIMAN system gives very good accuracy, too. The only issue is related on the ambiguity in case the target crosses a pair of magnetometers at the same distance from both. Such ambiguity can be solved through the evaluation of the differential functions between the adjacent nodes. The drawback is that a SIMAN system requires a continuous second-order check at all the nodes. The advantage of using a SIMAN system is the possibility to cover an unlimited area. The stability condition is requested only for each pair of the array’s magnetometers. 3 Results The experiment consists of recording the magnetic field variations during multiple runs performed by a diver’s team. The test system of magnetic control consists in the elementary cell of SIMAN class system [5, 6]. Devices are two tri-axial fluxgate magnetometers were positioned at a water depth of 12 meters at a respective start distance of 12 meters; the computational procedure is based on vector component Z (not variance in the vector direction on the time) measure (Fig. 3). MAG1 MAG2 C P U 'F12 Fig. 3. Experiment configuration The diver’s runs were performed at zero CPA (Closest Point of Approach) at about 1 meter from the bottom along 50 meters tracks centered on each magnetometer. The runs’ bearing was approximately E-W and W-E. The two magnetometers were cableconnected with their respective electronic control devices (deployed at 1 meter form the sensor) to a data-logger station placed on the beach coast at about 150 meters. The environmental noise of the geomagnetic space of the area of measure is classified as medium-high and it is characterized by contributes of human source coming from city noise, industrial noise (electrical power point of production), electrical railway noise, maritime commercial traffic, port activity traffic etc. (all far < 8 km). The target source for the experiment was a diver equipped with standard air bottles system. The result of the experiment is shows in the diagrams of figure 4. The magnetogram of the sentinel devices (Fig. 4A) is characterized by 5 points of magnetic impulsive anomaly. These signals are compatible with the magnetic signal of our target, the signal marked in figure 4 as 1, 2, 4 and 5 has very clear impulsive origin (mono or dipolar 104 O. Faggioni et al. geometry) while the signal 3 has geometrical characteristic not fully impulsive so the operator (human or automatic) proposes the classification in Table 1. The availability of the reference magnetogram and its preliminary and subjective observation well define the fatal error in the signal number 2. This signal appears in magnetogram A and B because it is not related to the diver cross in the sentinel devices proximity but it is has very large space coherence (noise). Table 1. Alarm classification table Signal 1 2 3 4 5 Geometry MONO MONO COMPLEX MONO DIPOLE Alarm YES YES YES YES YES Uncertain NO NO YES NO NO K 0 -K nT K 0 -K Fig. 4. Magnetograms obtained by the SIMAN elementary cell devices nT K/2 0 -K/2 s Fig. 5. SIMAN elementary cell self-informed magnetogram Development of Anti Intruders Underwater Systems 105 In the figure 5 we show the result obtained by the time de-convolution B-A. This is the numerical procedure to have the quantitative evaluation of the presence of impulsive signals in proximity of the sentinel devices. The magnetogram of SIMAN well define the real condition of diver crosses in proximity of the sentinel devices. The signal 2 is declassified and 3 is classified as dipolar target signal without uncertain because the procedure of de-convolution cleans the complex signal from the superimposed noise component. The table of classification became the Table 2. The SIMAN classification of impulsive signals (Table 2) has a fully correspondence to the 4 crosses of the diver first course (E.W, W-E directions) 1 and 3 signals and second course 4 and 5 signals (E-W, W-E directions). Table 2. Alarm classification table after the time de-convolution A-B Signal 1 3 4 5 Geometry MONO DIPOLE MONO DIPOLE Alarm YES YES YES YES Uncertain NO NO NO NO nT K/2 0 -K/2 Fig. 6. Comparison to self-referred system and classical techniques performances The effectiveness of the system (options RIMAN or SIMAN) is strongly depending to the position of the reference devices. The reference magnetometer must far from the sentinel to have a good de-correlation of the target signal but also closer to the sentinel to have a good correlation of the noise. This condition generates a reference magnetograms filter function that cut off the noise and it is transparent to the target signal. In effect the kernel of self-information procedure is the RD-SD distance. Now we analyzed the numerical quality of the self-informed system performance with reference to the performance of classical LP procedure of noise cleaning and to the variations of the distance RD-SD, reference devices – sentinel devices (Fig. 6). The diagrams in figure 6 show the elaboration of the same data subset (source magnetogram in figure 4): A diagram corresponds to the pure extraction of the subset from magnetograms in figure 4 (best distance RD-SD), B it is the LP filter (typical 106 O. Faggioni et al. informative approach), C self-informed response with too short RD-SD distance, D self informed response with too great RD-SD distance. 3.1 Comparison A/B The metrological and numerical procedure effectiveness of magnetic detection is defined with the increase of informative capability of the magnetogram with reference to the signal target. We define, in quantitative way, the Informative Capability IC of a composed signal, related to each its “i” harmonic elementary component to be the ratio i energy – composed signal total energy: ⎛ n ⎞ ICi = Ei ⎜ ∑ ( E1 + ... + En ) ⎟ ⎝ i =0 ⎠ −1 (1) In the A condition SIMAN produces a very high IC for the impulse 1 and the strong reduction of the IC of impulse 2; the SIMAN permits correct classification of impulse 1 as the target and impulse 2 as environmental noise. In the B graphics the classic technique of LP filter produces, in the best cut frequency choice, a good cleaning of high frequency component but the IC of impulse 1 is lose by the effect of impulse 2 energy (survived to the filter). The numerical value of the IC2 is, more or less, the same of the IC1; so the second impulse is classified as target: egregious false alarm. 3.2 Comparison A/C/D The comparison A/C/D (fig. 6) shows the distance RD-SD be the kernel for the selfinformed magnetic system detecting effectiveness. In the present case the A distance is 11 m, C distance 9 m, D distance 13 m (+/- 0.5 m). The C RD-SD distance produces a very good contrast of the high frequency noise but it loses also the target signal because this one is present in the sentinel magnetogram and also in the reference magnetograms (too closer). The Q of target is drastically reduced and SIMAN loses its detection capability. In D condition we have a too long distance. The noise in the reference devices geomagnetic position is not correlated from the noise in the sentinel devices; so SIMAN procedure adds the noise of reference magnetogram to the noise of sentinel magnetograms with an high increase of self-informed signal ETOT: also in this condition Q of target is loses. 4 Conclusion The field test of self-informed magnetic detecting system SIMAN shows a relevant growth of effectiveness in the low magnetic undersea sources (divers) detection respect to the classical techniques used in the magnetic port protection networks. The full success of defense magnetic network crossing SIMAN in the detecting of the diver crossing tries of our experimental devices barrier is due to the use of the magnetogram not perturbed by target magnetic signal as time domain filter of the perturbed magnetogram. This approach is quantitative and objective and it increases the target signal informative capability IC without empirical and subjective techniques of Development of Anti Intruders Underwater Systems 107 signal cleaning as the well known frequency LPF. This performance of SIMAN is related to the accuracy in the choice of distance between the points of acquisition of the magnetograms. The good definition of this distance produces the best condition of noise space correlation and target magnetic signal space de-correlation. One m of delocalization of the reference magnetometer respect to its best position can compromise, in the magnetic environment of our experiment, the results and it can cancel the effectiveness of SIMAN sensibility. The system of our test developed on sea bottom with a good geometry has produced very high detecting performance irrespective of the magnetic noise time variations. Acknowledgments. The study of the self-informed undersea magnetic networks was launched and developed by Ufficio Studi e Sviluppo of COMFORDRAG – Italian Navy. This experiment was supported by Nato Undersea Research Centre. References 1. Berti, G., Cantini, P., Carrara, R., Faggioni, O., Pinna, E.: Misure di Anomalie Magnetiche Artificiali, Atti X Conv. Gr. Naz. Geof. Terra Solida, Roma, pp. 809–814 (1991) 2. Faggioni, O., Palangio, P., Pinna, E.: Osservatorio Geomagnetico Stazione Baia Terra Nova: Ricostruzione Sintetica del Magnetogramma 01.00(UT)GG1.88:12.00(UT)GG18.88, Atti X Conv. Gr. Naz. Geof. Terra Solida, Roma, pp. 687–706 (1991) 3. Cowan, D.R., Cowan, S.: Separation Filtering Applied to Aeromagnetic Data. Exploration Geophysics 24, 429–436 (1993) 4. Faggioni, O.: Protocollo Operativo CF05EX, COMFORDRAG, Ufficio Studi e Sviluppo, Italian Navy, Official Report (2005) 5. Gabellone, A., Faggioni, O., Soldani, M.: CAIMAN (Coastal Anti Intruders MAgnetic Network) Experiment, UDT Europe – Naples, Topic: Maritime Security and Force Protection (2007) 6. Gabellone, A., Faggioni, O., Soldani, M., Guerrini, P.: CAIMAN (Coastal Anti Intruder MAgnetometers Network). In: RTO-MP-SET-130 Symposium on NATO Military Sensing, Orlando, Florida, USA, March 12-14 (classified, 2008) Monitoring and Diagnosing Railway Signalling with Logic-Based Distributed Agents Viviana Mascardi1, Daniela Briola1, Maurizio Martelli1, Riccardo Caccia2, and Carlo Milani 2 1 DISI, University of Genova, Italy {Viviana.Mascardi,Daniela.Briola, Maurizio.Martelli}@disi.unige.it 2 IAG/FSW, Ansaldo Segnalamento Ferroviario S.p.A., Italy {Caccia.Riccardo,Milani.Carlo}@asf.ansaldo.it Abstract. This paper describes an ongoing project that involves DISI, the Computer Science Department of Genova University, and Ansaldo Segnalamento Ferroviario, the Italian leader in design and construction of signalling and automation systems for railway lines. We are implementing a multiagent system that monitors processes running in a railway signalling plant, detects functioning anomalies, provides diagnoses for explaining them, and early notifies problems to the Command and Control System Assistance. Due to the intrinsic rule-based nature of monitoring and diagnostic agents, we have adopted a logic-based language for implementing them. 1 Introduction According to the well known definition of N. Jennings, K. Sycara and M. Wooldridge an agent is “a computer system, situated in some environment, that is capable of flexible autonomous action in order to meet its design objectives” [1]. Distributed diagnosis and monitoring represent one of the oldest application fields of declarative software agents. For example, ARCHON (ARchitecture for Cooperative Heterogeneous ON-line systems [2]) was Europe's largest ever project in the area of Distributed Artificial Intelligence and exploited rule-based agents. In [3], Schroeder et al. describe a diagnostic agent based on extended logic programming. Many other multiagent systems (MASs) for diagnosis and monitoring based on declarative approaches have been developed in the past [4] ,[5], [6], [7]. One of the most important reasons for exploiting agents in the monitoring and diagnosis application domain is that an agent-based distributed infrastructure can be added to any existing system with minimal or no impact over it. Agents look at the processes they must monitor, be they computer processes, business processes, chemical processes, by “looking over their shoulders” without interfering with their activities. The “no-interference” feature has an enormous importance, since changing the processes in order to monitor them would be often unfeasible. Also the increase of situational awareness, essential for coping with the situational complexity of most large real applications, motivates an agent-oriented approach. Situational awareness is a mandatory feature for the successful monitoring and decision-making in many scenarios. When combined with reactivity, situatedness may E. Corchado et al. (Eds.): CISIS 2008, ASC 53, pp. 108–115, 2009. springerlink.com © Springer-Verlag Berlin Heidelberg 2009 Monitoring and Diagnosing Railway Signalling 109 lead to the early detection of, and reaction to, anomalies. The simplest and most natural form of reasoning for producing diagnoses starting from observations is based on rules. This paper describes a joint academy-industry project for monitoring and diagnosing railway signalling with distributed agents implemented in Prolog, a logic programming language suitable for rule-based reasoning. The project involves the Computer Science Department of Genova University, Italy, and Ansaldo Segnalamento Ferroviario, a company of Ansaldo STS group controlled by Finmeccanica, the Italian leader in design and construction of railway signalling and automation systems. The project aims to develop a monitoring and diagnosing multiagent system implemented in JADE [8] extended with the tuProlog implementation of the Prolog language [9] by means of the DCaseLP libraries [10]. The paper is structured in the following way: Section 2 describes the scenario where the MAS will operate, Section 3 describes the architecture of the MAS and the DCaseLP libraries, Section 4 concludes and outlines the future directions of the project. 2 Operating Scenario The Command and Control System for Railway Circulation (“Sistema di Comando e Controllo della Circolazione Ferroviaria”, SCC) is a framework project for the technological development of the Italian Railways (“Ferrovie dello Stato”, FS), with the following targets: • introducing and extending automation to the command and control of railway circulation over the principal lines and nodes of the FS network; • moving towards innovative approaches for the infrastructure and process management, thanks to advanced monitoring and diagnosis systems; • improving the quality of the service offered to the FS customers, thanks to a better regularity of the circulation and to the availability of more efficient services, like delivery of information to the customers, remote surveillance, and security. The SCC project is based on the installation of centralized Traffic Command and Control Systems, able to remotely control the plants located in the railway stations and to manage the movement of trains from the Central Plants (namely, the offices where instances of the SCC system are installed). In this way, Central Plants become command and control centres for railway lines that represent the main axes of circulation, and for railway nodes with high traffic volumes, corresponding to the main metropolitan and intermodal nodes of the FS network. An element that strongly characterizes the SCC is the strict coupling of functionalities for circulation control and functionalities for diagnosis and support to upkeep activities, with particular regard to predictive diagnostic functionalities aimed to enable on-condition upkeep. The SCC of the node of Genova, which will be employed as a case-study for the implementation of the first MAS prototype, belongs to the first six plants developed by Ansaldo Segnalamento Ferroviario. They are independent one from the other, but networked by means of a WAN, and cover 3000 Km 110 V. Mascardi et al. of the FS network. The area controlled by the SCC of Genova covers 255 km, with 28 fully equipped stations plus 20 stops. The SCC can be decomposed, both from a functional and from an architectural point of view, into five subsystems. The MAS that we are implementing will monitor and diagnose critical processes belonging to the Circulation subsystem whose aims are to implement remote control of traffic and to make circulation as regular as possible. The two processes we have taken under consideration are Path Selection and Planner. The Planner process is the back-end elaboration process for the activities concerned with Railway Regulation. There is only one instance of the Planner process in the SCC, running on the server. It continuously receives information on the position of trains from sensors located in the stations along the railway lines, checks the timetable, and formulates a plan for ensuring that the train schedule is respected. A plan might look like the following: “Since the InterCity (IC) train 5678 is late, and IC trains have highest priority, and there is the chance to reduce the delay of 5678 if it overtakes the regional train 1234, then 1234 must stop on track 1 of Arquata station, and wait for 5678 to overtake it”. Plans formulated by the Planner may be either confirmed by the operators working at the workstations or modified by them. The process that allows operators to modify the Planner's decision is Path Selection. The Path Selection process is the front-end user interface for the activities concerned with Railway Regulation. There is one Path Selection process running on each workstation in the SCC. Each operator interacts with one instance of this process. There are various operators responsible for controlling portions of the railway line, and only one senior operator with a global view of the entire area controlled by the SCC. The senior operator coordinates the activities of the other operators and takes the final decisions. The Path Selection process visualizes decisions made by the Planner process and allows the operator to either confirm or modify them. For example, the Planner might decide that a freight train should stop on track 3 of Ronco Scrivia station in order to allow a regional train to overtake it, but the operator in charge for that railway segment might think that track 4 is a better choice for making the freight train stop. In this case, after receiving an “ok” from the senior operator, the operator may input its choice thanks to the interface offered by the Path Selection process, and this choice overcomes the Planner's decisions. The Planner will re-plan its decisions according to the new input given by the human operator. The SCC Assistance Centre, that provides assistance to the SCC operators in case of problems, involves a large number of domain experts, and is always contacted after the evidence of a malfunctioning. The cause of the malfunctioning, however, might have generated minutes, and sometimes hours, before that the SCC operator(s) experienced the malfunctioning. By integrating a monitoring and diagnosing MAS to the circulation subsystem, we aim to equip any operator of the Central Plant with the means for early detecting anomalies that, if reported in a short time, and before their effects have propagated to the entire system, may allow the prevention of more serious problems including circulation delays. When a malfunctioning is detected, the MAS, besides alerting the SCC operator, will always alert the SCC Assistance Centre in an automatic way. This will not only speed up the implementation of repair actions, but also allow the SCC Assistance Centre with recorded traces of what happened in the Central Plant. Monitoring and Diagnosing Railway Signalling 111 3 Logic-Based Monitoring Agents In order to provide the functionalities required by the operating scenario, we designed a MAS where different agents exist and interact. The MAS implementation is under way but its architecture has been completely defined, as well as the tools and languages that will be exploited for implementing a first prototype. The following sections provide a brief overview of DCaseLP, the multi-language prototyping environment that we are going to use, and of the MAS architecture and implementation. 3.1 DCaseLP: A Multi-language Prototyping Environment for MASs DCaseLP [10] stands for Distributed Complex Applications Specification Environment based on Logic Programming. Although initially born as a logic-based framework, as the acronym itself suggests, DCaseLP has evolved into a multi-language prototyping environment that integrates both imperative (object-oriented) and declarative (rule-based and logic-based) languages, as well as graphical ones. The languages and tools that DCaseLP integrates are UML and an XML-based language for the analysis and design stages, Java, JESS and tuProlog for the implementation stage, and JADE for the execution stage. Software libraries for translating UML class diagrams into code and for integrating JESS and tuProlog agents into the JADE platform are also provided. Both the architecture of the MAS, and the agent interactions taking place there, are almost simple. On the contrary, the rules that guide the behaviour of agents are sophisticated, leading to implement agents able to monitor running processes and to quickly diagnose malfunctions. For these reasons, among the languages offered by DCaseLP, we have chosen to use tuProlog for implementing the monitoring agents, and Java for implementing the agents at the lowest architectural level, namely those that implement the interfaces to the processes. In this project we will take advantage neither of UML nor of XML, which prove useful for specifying complex interaction protocols and complex system architectures. Due to space constraints, we cannot provide more details on DCaseLP. Papers describing its usage, as well as manuals, tutorials, and the source code of the libraries it provides for integrating JESS and tuProlog into JADE can be downloaded from http://www.disi.unige.it/person/MascardiV/Software/DCaseLP.html. 3.2 MAS Architecture The architecture of the MAS is depicted in Figure 1. There are four kinds of agent, organized in a hierarchy: Log Reader Agents, Process Monitoring Agents, Computer Monitoring Agents, and Plant Monitoring Agents. Agents running on remote computers are connected via a reliable network whose failures are quickly detected and solved by an ad hoc process (already existing, out of the MAS). If the network becomes unavailable for a short time, the groups of agents running on the same computer can go on with their local work. Messages directed to remote agents are saved in a local buffer, and are sent as soon as the network comes up again. The human operator is never alerted by the MAS about a network failure, and local diagnoses continue to be produced. 112 V. Mascardi et al. Fig. 1. The system architecture Log Reader Agent. In our MAS, there is one Log Reader Agent (LRA) for each process that needs to be monitored. Thus, there may be many LRAs running on the same computer. Once every m minutes, where m can be set by the MAS configurator, the LRA reads the log file produced by the process P it monitors, extracts information from it, produces a symbolic representation of the extracted information in a format amenable of logic-based reasoning, and sends the symbolic representation to the Process Monitoring Agent in charge of monitoring P. Relevant information to be sent to the Process Monitoring Agent include loss of connection to the net and life of the process. The parameters, and corresponding admissible values, that an LRA associated with the “Path Selection” process extracts from its log file, include connection_to_server (active, lost); answer_to_life (ready, slow, absent); cpu_usage (normal, high); memory_usage (normal, high); disk_usage (normal, high); errors (absent, present). The answer_to_life parameter corresponds to the time required by a process to answer a message. A couple of configurable thresholds determines the value of this paramenter: time < threshold1 implies answer_to_life ready; threshold1 <= time < threshold2 implies answer_to_life slow; time >= threshold2 implies answer_to_life absent. In a similar way, the parameters and corresponding admissible values that an LRA associated with the “Planner” process extracts from its log file include connection_to_client (active, lost); computing_time (normal, high); managed_conflicts (normal, high); managed_trains (normal, high); answer_to_life, cpu_usage, memory_usage, disk_usage, errors, in the same way as the “Path Selection” process. LRAs have a time-driven behaviour, do not perform any reasoning over the information extracted from the log file, and are neither proactive, nor autonomous. They may be considered very simple agents, mainly characterized by their social ability, employed to decouple the syntactic processing of the log files from their semantic Monitoring and Diagnosing Railway Signalling 113 processing, entirely demanded to the Process Monitoring Agents. In this way, if the format of the log produced by process P changes, only the LRA that reads that log needs to be modified, with no impact on the other MAS components. Process Monitoring Agent. Process Monitoring Agents (PMAs) are in a one-to-one correspondence with LRAs: the PMA associated with process P receives the information sent by the LRA associated with P, looks for anomalies in the functioning of P, provides diagnoses for explaining their cause, reports them to the Computer Monitoring Agent (CMA), and in case kills and restarts P if necessary. It implements a sort of social, context-aware, reactive and proactive expert system characterized by rules like: • if the answer to life of process P is slow, and it was slow also in the previous check, then there might be a problem either with the network, or with P. The PMA has to inform the CMA, and to wait for a diagnosis from the CMA. If the CMA answers that there is no problem with the network, then the problem concerns P. The action to take is to kill and restart P. • if the answer to life of process P is absent, then the PMA has to inform the CMA, and to kill and restart P. • if the life of process P is right, then the PMA has to do nothing. Computer Monitoring Agent. The CMA receives all the messages arriving from the PMAs that run on that computer, and is able to monitor parameters like network availability, CPU usage, memory usage, hard disk usage. The messages received from PMAs together with the values of the monitored parameters allow the CMA to make hypotheses on the functioning of the computer where it is running, and of the entire plant. For achieving its goal, the CMA includes rules like: • if only one PMA reported problems local to the process it monitors, then there might be temporary problems local to the process. No action needs to be taken. • if more than one PMA reported problems local to the process it monitors, and the CPU usage is high, then there might be problems local to this computer. The action to take is to send a message to the Plant Monitoring Agent and to make a pop-up window appear on the computer monitor, in order to alert the operator working with this computer. • if more than one PMA reported problems due either to the network, or to the server accessed by the process, and the network is up, then there might be problems to the server accessed by the process. The action to take is to send a message to the Plant Monitoring Agent to alert it and to make a pop-up window appear on the computer monitor. If necessary, the CMA may ask for more information to the PMA that reported the anomaly. For example, it may ask to send a detailed description of which hypotheses led to notify the anomaly, and which rules were used. Plant Monitoring Agent. There is one Plant Monitoring Agent (PlaMA) for each plant. The PlaMA receives messages from all the CMAs in the plant and makes diagnoses and decisions according to the information it gets from them. It implements rules like: 114 V. Mascardi et al. • if more than one CMA reported a problem related to the same server S, then the server S might have a problem. The action to take is to notify the SCC Assistance Centre in an automatic way. • if more than one CMA reported a problem related to a server, and the servers referred to by the CMAs are the different, then there might be a problem of network, but more information is needed. The action to take is to ask to the CMAs that reported the anomalies more information about them. • if more than one CMA reported a problem of network then there might be a problem of network. The action to take is to notify the SCC Assistance Centre in an automatic way. The SCC Assistance Centre receives notifications from all the plants spread around Italy. It may cross-relate information about anomalies and occurred failures, and take repair actions in a centralized, efficient way. As far as the MAS implementation is concerned, LRAs are being implemented as “pure” JADE agents: they just parse the log file and translate it into another format, thus there is no need to exploit Prolog for their implementation. PMAs, CMAs, and PlaMA are being implemented in tuProlog and integrated into JADE by means of the libraries offered by DCaseLP. Prolog is very suitable for implementing the agent rules that we gave in natural language before. 4 Conclusions The joint DISI-Ansaldo project confirms the applicability of MAS technologies for concrete industrial problems. Although the adoption of agents for process control is not a novelty, the exploitation of declarative approaches outside the boundaries of academia is not widespread. Instead, the Ansaldo partners consider Prolog a suitable language for rapid prototyping of complex systems: this is a relevant result. The collaboration will lead to the implementation of a first MAS prototype by the end of June 2008, to its experimentation and, in the long term perspective, to the implementation of a real MAS and its installation in both central plants and stations along the railway lines. The possibility to integrate agents that exploit statistical learning methods to classify malfunctions and agents that mine functioning reports in order to identify patterns that led to problems, will be considered. More sophisticated rules will be added in the agents in order to capture the situation where a process is killed and restarted a suspicious number of times in a time unit. In that case, the PlaMa will need to urgently inform the SCC Assistance. The transfer of knowledge that DISI is currently performing will allow Ansaldo to pursue its goals by exploiting internal competencies in a not-so-distant future. Acknowledgments. The authors acknowledge Gabriele Arecco who is implementing the MAS described in this paper, and the anonymous reviewers for their constructive comments. Monitoring and Diagnosing Railway Signalling 115 References 1. Jennings, N.R., Sycara, K.P., Wooldridge, M.: A roadmap of agent research and development. Autonomous Agents and Multi-Agent Systems 1(1), 7–38 (1998) 2. Jennings, N.R., Mamdani, E.H., Corera, J.M., Laresgoiti, I., Perriollat, F., Skarek, P., Zsolt Varga, L.: Using Archon to develop real-world DAI applications, part 1. IEEE Expert 11(6), 64–67 (1996) 3. Schroeder, M., De Almeida Mòra, I., Moniz Pereira, L.: A deliberative and reactive diagno-sis agent based on logic programming. In: Rao, A., Singh, M.P., Wooldridge, M.J. (eds.) ATAL 1997. LNCS, vol. 1365, pp. 293–307. Springer, Heidelberg (1998) 4. Leckie, C., Senjen, R., Ward, B., Zhao, M.: Communication and coordination for intelligent fault diagnosis agents. In: Proc. of 8th IFIP/IEEE International Workshop for Distributed Systems Operations and Management, DSOM 1997, pp. 280–291 (1997) 5. Semmel, G.S., Davis, S.R., Leucht, K.W., Rowe, D.A., Smith, K.E., Boloni, L.: Space shuttle ground processing with monitoring agents. IEEE Intelligent Systems 21(1), 68–73 (2006) 6. Weihmayer, T., Tan, M.: Modeling cooperative agents for customer network control using planning and agent-oriented programming. In: Proc. of IEEE Global Telecommunications Conference, Globecom 1992, pp. 537–543. IEEE, Los Alamitos (1992) 7. Balduccini, M., Gelfond, M.: Diagnostic reasoning with a-prolog. Theory Pract. Log. Program. 3(4), 425–461 (2003) 8. Bellifemine, F.L., Caire, G., Greenwood, D.: Developing Multi-Agent Systems with JADE. Wiley, Chichester (2007) 9. Denti, E., Omicini, A., Ricci, A.: Tuprolog: A lightweight prolog for internet applications and infrastructures. In: Ramakrishnan, I.V. (ed.) 3rd International Symposium on Practical Aspects of Declarative Languages, PADL 2001, Proc., pp. 184–198. Springer, Heidelberg (2001) 10. Mascardi, V., Martelli, M., Gungui, I.: DCaseLP: A prototyping environment for multilanguage agent systems. In: Dastani, M., El-Fallah Seghrouchni, A., Leite, J., Torroni, P. (eds.) 1st Int. Workshop on Languages, Methodologies and Development Tools for MultiAgent Systems, LADS 2007, Proc. LNCS. Springer, Heidelberg (to appear, 2008) SeSaR: Security for Safety Ermete Meda1, Francesco Picasso2, Andrea De Domenico1, Paolo Mazzaron1, Nadia Mazzino1, Lorenzo Motta1, and Aldo Tamponi1 1 Ansaldo STS, Via P. Mantovani 3-5, 16151 Genoa, Italy {Meda.Ermete,DeDomenico.Andrea,Mazzaron.Paolo,Mazzino.Nadia, Motta.Lorenzo,Tamponi.Aldo}@asf.ansaldo.it 2 University of Genoa, DIBE, Via Opera Pia 11-A, 16145 Genoa, Italy [email protected] Abstract. The SeSaR (Security for Safety in Railways) project is a HW/SW system conceived to protect critical infrastructures against cyber threats - both deliberate and accidental – arising from misuse actions operated by personnel from outside or inside the organization, or from automated malware programs (viruses, worms and spyware). SeSaR’s main objective is to strengthen the security aspects of a complex system exposed to possible attacks or to malicious intents. The innovative aspects of SeSaR are manifold: it is a non-invasive and multi-layer defense system, which subjects different levels and areas of computer security to its checks and it is a reliable and trusted defense system, implementing the functionality of Trusted Computing. SeSaR is an important step since it applies to different sectors and appropriately responds to the more and more predominant presence of interconnected networks, of commercial systems with heterogeneous software components and of the potential threats and vulnerabilities that they introduce. 1 Introduction The development and the organization of industrialized countries are based on an increasingly complex and computerized infrastructure system. The Critical National Infrastructures, such as Healthcare, Banking & Finance, Energy, Transportation and others, are vital to citizen security, national economic security, national public health and safety. Since the Critical National Infrastructures may be subject to critical events, such as failures, natural disasters and intentional attacks, capable to affect human life and national efficiency both directly and indirectly, these infrastructures need a an aboveaverage level of protection. In the transportation sector of many countries the introduction into their national railway signaling systems of the new railway interoperability system, called ERTMS/ETCS (European Rail Traffic Management System/European Train Control System) is very important: in fact the goal of ERTMS/ETCS is the transformation of a considerable part of the European - and not just European - railway system into an interoperable High Speed/High Capacity system. In particular, thanks to said innovative signaling system the Italian railways intend to meet the new European requirements and the widespread demand for higher speed and efficiency in transportation. E. Corchado et al. (Eds.): CISIS 2008, ASC 53, pp. 116–122, 2009. springerlink.com © Springer-Verlag Berlin Heidelberg 2009 SeSaR: Security for Safety 117 The development of ERTMS/ETCS has set the Italian railways and the Italian railway signaling industry among the world leaders, but it has introduced new risks associated with the use of information infrastructures, such as failures due to natural events and human-induced problems. The latter ones may be due to negligence and/or to malice and can directly and heavily affect ICT security. ICT security management is therefore becoming complex. Even for railway applications, where the safety of transport systems is still maintained, information threats and vulnerabilities can contribute to affect the continuity of operation, not only causing inconvenience to train traffic, but also financial losses and damage to the corporate image of the railway authorities and to the one of their suppliers. 2 Implementation of ICT Security To illustrate the main idea behind the SeSaR (Security of Safety in Railways) project, the concept of ICT security should be defined first: implementing security means developing the activities of prevention, detection and reaction to an accident. In particular the following definitions hold: • • • Prevention: All the technical defence and countermeasures enabling a system to avoid attacks and damages. Unfortunately, the drawback of this activity is that, in order to be effective, prevention must be prolonged indefinitely in time, thus requiring a constant organisational commitment, continuous training of personnel and adjustment/updating of the countermeasures. Detection: When prevention fails, detection should intervene, but the new malicious codes are capable of self-mutations and the "zero-day" attacks render the countermeasures adopted ineffective: so adequate defence architecture cannot be separated from the use of instruments capable of analyzing, in real-time, tracks and records that are stored in computers and in the defence network equipment. Reaction: The last activity that can be triggered either as a consequence of prompt detection or when the first two techniques were ineffective but some problems start to affect the system in an apparent way. Of course in the latter case it is difficult to guarantee the absence of inefficiency, breakdowns and malfunctions. The goal of SeSaR was to find a tool that could merge the Prevention and the Detection activities of security, in the belief that the effectiveness of the solution sought could be based on the ability to discover and communicate what is new, unusual and anomalous. The idea was to design a hardware/software platform that could operate as follows: • • Prevention: operate a real-time integrity control of the hardware and software assets. Detection: operate a real-time analysis of tracks and records stored in critical systems and in defence systems, seeking meaningful events and asset changes. Operator Interface: create a simple concise representation, which consists of a console and of a mimic panel overview, to provide the operator with a clear and comprehensive indication of anomalies identified and to enable immediate reaction. 118 E. Meda et al. 3 Architecture The scope of SeSaR is constituted by the ERTMS/ETCS signaling system infrastructure used for “Alta Velocità Roma-Napoli”, i.e. the Rome-Naples high-speed railway line. In summary, the Rome-Naples high speed system is constituted by the Central Post (PCS, acronym for “Posto Centrale Satellite”) located at the Termini station in Rome, and by 19 Peripheral Posts (PPF, acronym for “Posto Periferico Fisso”). The PPFs are distributed along the line and linked together and with the PCS by a WAN. SeSaR supplies hardware/software protection against ICT threats - deliberate and accidental - arising from undue actions operated by individuals external or internal to the ICT infrastructure or by automated malicious programs, such as viruses, worms, trojans and spyware. The distinctive and innovative features of SeSaR are: • • • • A non-invasive defence system. It works independently of the ICT infrastructure and Operating System (Unix, Linux or Windows). A multi-layer defence system, operating control over different levels and areas of computer security, such as Asset Control, Log Correlation and an integrated and interacting Honeynet. A reliable defence system with the capability to implement the functionality of Trusted Computing. In particular, SeSaR carries out the following main functions, as shown in Fig.1: Fig. 1. SeSaR: multi-level defence system • • • Real-time monitoring of the assets of the ICT infrastructure. Real-time correlation of the tracks and records collected by security devices and critical systems. Honeynet feature, to facilitate the identification of intrusion or incorrect behaviour by creating "traps and information bait". SeSaR: Security for Safety • 119 Forensic feature, which allows the records accumulated during the treatment of attacks to be accompanied by digital signature and marking time (timestamp) so that they can have probative value. This feature also contributes to create "confidence" on the system by constant monitoring of the system integrity. SeSaR protects both the Central Post network and the whole PPF network against malicious attacks by internal or external illicit actions. As already mentioned, three functional components are included: Asset Control Engine, Log Correlation Engine and Honeynet. 3.1 Asset Control Engine This component checks in real-time the network configuration of the system IP-based assets, showing any relevant modification, in order to detect the unauthorized intrusion or lack (also shut-down and Ethernet card malfunctioning) of any IP node. The principle of operation is based on: • • monitoring the real-time network configuration of all IP-devices by SNMP (Simple Network Management Protocol) queries to all the switches of the system. comparison of such information with the reference configuration known and stored in SeSaR database. Each variation found generates an alarm on the console and on a mimic panel. To get updated information from the switches, the SeSaR Asset Control Engine, (SACE, also called CAI, an acronym for Controllo Asset Impianto) uses MIB (Management Information Base) through the mentioned SNMP protocol. In a switch MIB is a kind of database containing information about the status of the ports and the IP – MAC addresses of the connected hosts. By interrogating the switches, CAI determines whether their ports are connected to IP nodes and the corresponding IP and MAC addresses. The CAI activities can be divided into the following subsequent phases: PHASE 1) Input Data Definition and Populating the SeSaR Reference Data-Base This phase includes the definition of a suitable database and the importation into it of the desired values for the following data, forming the initial specification of the network configuration: a) IP address and Netmask for each system switch and router; b) IP address, Netmask and Hostname for each system host; c) Each System subnet with the relevant Geographic name. Such operations can also be performed with SeSaR disconnected from the system. PHASE 2) Connecting SeSaR to the system and implementing the Discovery activity This phase is constituted by a Discovery activity, which consists in getting, for each switch of the previous phase, the Port number, MAC address and IP address of each node connected to it. The SeSaR reference database is thus verified and completed with MAC Address and Port number, obtaining the 4 network parameters which describe each node (IP address, Hostname, MAC address and Number of the switch port connected to the node). 120 E. Meda et al. Said research already lets the operator identify possible nodes which are missing or intruding and lets him/her activate alarms: an explicit operator acknowledge is required for each node corresponding to a modification and all refused nodes will be treated by SeSaR as alarms on the Operator Console (or GUI, Graphic User Interface) and appropriately signalled on the mimic panel. Of course whenever modifications are accepted the reference database is updated. PHASE 3) Asset Control fully operational activity In such phase CAI cyclically and indefinitely verifies in real-time the network configuration of all the system assets, by interrogating the switches and by getting, for each network node, any modification concerning not only the IP address or Port number, as in the previous phase, but also the MAC address; the alarm management is performed as in the said phase. 3.2 Log Correlation Engine Firewall and Antivirus devices set up the underlying first defence countermeasures and they are usually deployed to defend the perimeter of a network. Independently of how they are deployed, they discard or block data according to predefined rules: the rules are defined by administrators in the firewall case, while they are signature matching rules defined by the vendor in the antivirus case. Once set up, these devices operate without the need of human participation: it could be said that they silently defend the network assets. Recently new kinds of devices, such as intrusion detection/prevention systems, have become available, capable to monitor and to defend the assets: they supply proactive defence in addition to the prevention defence of firewalls and antiviruses. Even using ID systems it is difficult for administrators to get a global vision of the asset’s security state since all devices work separately from each other. To achieve this comprehensive vision there is a need of a correlation process of the information made available by security devices: moreover, given the great amount of data, this process should be an automatic or semi-automatic one. The SeSaR Log Correlation Engine (SLCE, also called CLI, an acronym for Correlazione Log Impianto) achieves this goal by operating correlations based on security devices’ logs. These logs are created by security devices while monitoring the information flow and taking actions: such logs are typically used to debug rules configurations and to investigate a digital incident, but they can be used in a log correlation process as well. It is important to note that the correlation process is located above the assets’ defence layer, so it is transparent to the assets it monitors. This property has a great relevance especially when dealing with critical infrastructures, where changes in the assets require a large effort – time and resources – to be developed. The SLCE’s objective is to implement a defensive control mechanism by executing correlations within each single device’s log and among multiple devices’ alerts (Fig. 2). The correlation process is set up in two phases: the Event Correlation phase (E.C.) named Vertical Correlation and the Alert Correlation (A.C.) phase named Horizontal Correlation. This approach rises from a normalization need: syntactic, semantic and numeric normalization. Every sensor (security device) either creates logs expressed in its own format or, when a common format is used, it gives particular meanings to its log fields. Moreover the number of logs created by different sensors may differ by several orders of magnitude: for example, the number of logs created by a firewall sensor is usually largely greater than the number of logs created by an antivirus sensor. SeSaR: Security for Safety 121 Fig. 2. Logs management by the SeSaR Log Correlation Engine So the first log management step is to translate the different incoming formats into a common one, but there is the need for a next step at the same level. In fact, by simply translating formats, the numeric problem is not taken into account: depending on the techniques used in the correlation processes, by mixing two entities, which greatly differ in size, the information carried by the smallest one could be lost. In fact, at higher level, it should be better to manage a complete new entity than working on different entities expressed in a common format. The Vertical Correlation takes into account these aspects by acting on every sensor in four steps: 1. 2. 3. 4. it extracts the logs from a device; it translates the logs from the original format into an internal format (metadata) useful to the correlation process; it correlates the metadata on-line and with real-time constraints by using sketches [3]; if anomalies are detected, it creates a new message (Alert), which will carry this information by using the IDMEF format [4]. The correlation process is called vertical since it is performed on a single sensor basis: the SensorAgent software manages a single device and implements E.C. (the Vertical Correlation) using the four steps described above. The on-line, real-time and fixed upper-bound memory usage constraints allow for the development of lightweight software SensorAgents which can be modified to fit the context and which could be easily embedded in special devices. The Alerts created by Sensor Agents (one for each security device) are sent to the Alert Correlator Engine (ACE) to be further investigated and correlated. Basically ACE works in two steps: the aggregation step, in which the alerts are aggregated based on content’s fields located at the same level in IDMEF, without taking into consideration the link between different fields; the matching scenario step, in which 122 E. Meda et al. the alerts are aggregated based on the reconstruction and match of predefined scenarios. In both cases multiple Alerts – or even a single Alert, if it represents a critical situation – form an Alarm which will be signalled by sending it to the Operator Interface (console and mimic panel). Alarms share the IDMEF format with Alerts but the former ones get an augmented semantic meaning given to them during the correlation processes: Alerts represent anomalies that must be verified and used to match scenarios, while Alarms represent threats. 3.3 Honeynet This SeSaR’s component identifies anomalous behaviours of users: not only operators, but also maintainers, inspectors, assessors, external attackers, etc... Honeynet is composed of two or more honeypots. Any honeypot simulates the behaviour of the real host of the critical infrastructure. The honeypot security level is lower than the real host security level, so the honeypot creates a trap both for malicious and negligent users. Data capturing (keystroke collection and capture traffic entering the honeypots), data controlling (monitoring and filtering permitted or unauthorised information) and data analysis (operating activities on the honeypots) the functionalities it performs. 4 User Console and Mimic Panel Any kind of alarms coming from Asset Control, Log Correlation and Honeynet are displayed to the operator both in textual and graphical format: the textual format by a web based GUI (Graphic User Interface), the graphical format by a mimic panel. The operators can manage the incoming alarms on the GUI. There are three kinds of alarm status: incoming (waiting to be processed by an operator), in progress and closed. The latter ones are the responsibility of operators. 5 Conclusion SeSaR works independently of the ICT infrastructure and Operative System. Therefore SeSaR can be applied in any other context, even if SeSaR is being designed for railway computerized infrastructure. SeSaR and its component are useful to improve any kind of existing security infrastructure and it can be a countermeasure for any kind of ICT infrastructure. References 1. Meda, E., Sabbatino, V., Doro Altan, A., Mazzino, N.: SeSaR: Security for Safety, AirPort&Rail, security, logistic and IT magazine, EDIS s.r.l., Bologna (2008) 2. Forte, D.V.: Security for safety in railways, Network Security. Elsevier Ltd., Amsterdam (2008) 3. Muthukrishnan, S.: Data Streams: Algorithms and Applications. Foundations and Trends in Theoretical Computer Science (2005) 4. RFC 4765, The Intrusion Detection Message Exchange Format (IDMEF)(March 2007) Automatic Verification of Firewall Configuration with Respect to Security Policy Requirements Soutaro Matsumoto1 and Adel Bouhoula2 1 Graduate School of System and Information Engineering University of Tsukuba – Japan [email protected] 2 Higher School of Communication of Tunis (Sup'Com) University of November 7th at Carthage – Tunisia [email protected] Abstract. Firewalls are key security components in computer networks. They filter network traffics based on an ordered list of filtering rules. Firewall configurations must be correct and complete with respect to security policies. Security policy is a set of predicates, which is a high level description of traffic controls. In this paper, we propose an automatic method to verify the correctness of firewall configuration. We have defined a boolean formula representation of security policy. With the boolean formula representations of security policy and firewall configuration, we can formulate the condition that ensures correctness of firewall configuration. We use SAT solver to check the validity of the condition. If the configuration is not correct, our method produces an example of packet to help users to correct the configuration. We have implemented a prototype verifier and had some experimental results. The first results were very promising. Keywords: Firewall Configuration, Security Policy, Automatic Verification, SAT Solver. 1 Introduction Firewalls are key security components in computer networks. They filter packets to control network traffics based on an ordered list of filtering rules. Filtering rules describe which packet should be accepted or rejected. Filtering rules consist of a pattern of packet and an action. Firewalls reject / accept packets if the first rule which matches the packet in their configurations rejects / accepts the packet. Security policies are high-level description of traffic controls. They define which connection is allowed. They are sets of predicates. Security policies reject / accept connections if the most specific predicate which matches the connection rejects / accepts the connection. Firewalls should be configured correctly with respect to security policies. Correct configurations reject / accept connections if and only if security policies reject / accept the connections. However, the correctness of firewall configurations is not obvious. Consider for example the following security policy. 1. All users in LAN can access Internet 2. All users in LAN1 cannot access youtube.com 3. All users in LAN2 can access youtube.com E. Corchado et al. (Eds.): CISIS 2008, ASC 53, pp. 123–130, 2009. © Springer-Verlag Berlin Heidelberg 2009 springerlink.com 124 S. Matsumoto and A. Bouhoula Fig. 1. Structure of the Network There are three predicates. Assume that we have a network LAN, two sub networks LAN1 and LAN2, and there is a website youtube.com in the Internet. The structure of the networks is shown in figure 1. The first predicate is the most general one that allows all users in LAN to access any web site in the Internet. The Second predicate is more specific than the first predicate which prohibits users in LAN1 to access youtube.com. Third predicate allows users in LAN2 to access youtube.com. Under this security policy, users in LAN1 cannot access youtube.com. Since the second predicate is the most specific for a connection from LAN1 to youtube.com, the connection will be rejected. Consider for example the following firewall configuration in Cisco’s format. access-list 101 permit tcp 192.168.0.0 any access-list 102 reject tcp 192.168.1.0 233.114.23.1 access-list 103 permit tcp 192.168.2.0 233.114.23.1 0.0.255.255 eq 80 0.0.0.255 0.0.0.0 0.0.0.255 0.0.0.0 eq 80 eq 80 There are three rules named 101, 102, and 103. Rule 101 permits connections from 192.168.*.* to any host. * is wildcard. Rule 102 rejects packets from 192.168.1.* to 233.114.23.1. Rule 103 permits packets from 192.168.2.* to 233.114.23.1. Assume that the network LAN has address 192.168.*.*, LAN1 and LAN2 have 192.168.1.* and 192.168.2.* respectively, and youtube.com has address 233.114.23.1. This configuration can read as a straightforward translation of the security policy. Unfortunately, this configuration is incorrect. Since the first rule that matches given connection will be applied, a connection from LAN1 matches the first rule and it will be accepted even if the destination is youtube.com. We propose a method to verify the correctness of firewall configurations with respect to security policies. Security policy P and firewall configuration F are translated into boolean formulae QP and QF. The correctness of firewall configuration is reduced to the equivalence of the two formulae. The equivalence of the two formulae is checked by satisfiability of QP ⇎ QF. If the formula is satisfiable, QP and QF are not equivalent and F is not correct. A counterexample of packet will be produced such that P and F will give different answers for the packet. The counterexample will help users to find and correct mistakes in their configurations. 1.1 Related Work There are a lot of works about development of formal languages for security policy description [1, 2]. Our formalization of security policy is very abstract, but essentially Automatic Verification of Firewall Configuration 125 equivalent to them. The works are so technical that we simplified the definition of security policy. There are some works for efficient testing of firewalls based on security policies [3, 4]. Their approaches generate test cases from security policy and then test networks with the test cases. Our method only verifies the correctness of the configuration of firewall. The simplification makes our method very simple and fast. The essence of our method is the definition of boolean formula representation. Other steps are applications of well-known logical operations. The fact that our method is performed on our computers makes verifications much faster and easier than testing with sending packet to real networks. This also makes possible to use SAT solvers to prove the correctness. Detecting anomalies in firewall configurations is also important issue [5]. Detection of anomalies helps to find mistakes in configuration, but it does not find mistakes by itself. Hazelhurst has presented a boolean formula representation of firewall configuration, which can be used to express filtering rule [6]. The boolean formula representation can be simplified with Binary Decision Diagram to improve the performance of filtering. In this paper, we use the boolean formula representations of firewall configuration and packets. 2 Security Policy and Firewall Configuration We present a formal definition of security policy and firewall configuration. The definitions are very abstract. We clarify the assumptions of our formalization about security policy. 2.1 Security Policy Security policy is a set of policy predicates. Policy predicates consist of action, source address, and destination address. Actions are accept or deny. The syntax of security policy is given in figure 2. policy is a set of predicate. A predicate consists of action K, source address, and destination address. Action K is accept A or deny D. A predicate A(s, d) reads Connection from s to d is accepted. A predicate D(s, d) reads Connection from s to d is denied. Network address is a set. Packets are pairs of source address and destination address. Packet p from source address s to destination address d will match with predicate K(s’, d’) if and only if s ⊆ s' ⋀ d ⊆ d' holds. We have a partial order relation ⊒ on policy predicates. K(s, d) ⊒ K’(s’, d’) ⇔ s ⊇ s’ ⋀ d ⊇ d’ If q ⊒ q’ holds, q is more general than q' or q' is more specific than q. Packet p is accepted by Security Policy P if the action of the most specific policy predicate that matches with p is A, and p is rejected by P if the action of the most specific policy predicate which matches with p is D. 126 S. Matsumoto and A. Bouhoula policy predicate address K ::= ::= ::= ::= | { predicate, …, predicate } K(address, address) Network Address A D Accept Deny Fig. 2. Syntax of Security Policy configuration rule address K ::= ::= ::= ::= | rule :: configuration | φ K(address, address) Network Address A D Accept Deny Fig. 3. Syntax of firewall configuration Example. The security policy we have shown in section 1 can be represented as P = { q1, q2, q3 } where q1, q2 and q3 are defined as follows: 1. q1 = A(LAN, Internet) 2. q2 = D(LAN1, youtube.com) 3. q3 = A(LAN2, youtube.com) We have ordering of policy predicates q1 ⊒ q2 and q1 ⊒ q3. Assumptions. To ensure the consistency of security policy, we assume that we can find the most specific policy predicate for any packet. We assume that the following formula holds for any two different predicates K(s, d) and K’(s’, d’). s × d ⊇ s’ × d’ ⋁ s × d ⊆ s’ × d’ ⋁ s × d ∩ s’ × d’ = φ Tree View of Security Policy. We can see security policies as trees, such that the root is the most general predicate and children of each node is set of more specific predicates. We define an auxiliary function CP(q) which maps predicate q in security policy P to the set of its children. CP(q) = { q’ | q’ ∈ P ⋀ q ⊒ q’ ⋀ ¬(∃q’’ ∈ P . q ⊒ q’’ ⋀ q’’ ⊒ q) } For instance, CP(q) = { q2, q3 } and CP(q2) = CP(q3) = φ for the previous example. 2.2 Firewall Configuration The syntax of firewall configuration is given in figure 3. Configurations of firewalls are ordered lists of rules. Rules consist of action, source address, and destination address. Actions are accept A or deny D. Automatic Verification of Firewall Configuration 127 A packet is accepted by a firewall configuration if and only if the action of the first rule in the configuration that matches with source and destination address of packet is A. The main difference between security policies and firewall configurations is that rules in firewalls form ordered list but predicates in security policies form trees. 3 Boolean Formula Representation We present a boolean formula representation of security policy and firewall configuration in this section. This section includes also a boolean formula representation of network address and packet. In the previous section, we did not define concrete representation of network addresses and packets.1 The boolean formula representations of network address and firewall configuration are proposed by Hazelhurst [6]. 3.1 Boolean Formula Representation of Network Addresses and Packets Network addresses are IPv4 addresses. Since IPv4 addresses are 32 bit unsigned integers, we need 32 logical variables to represent each address. IP addresses are represented as conjunction of 32 variables or their negations, so that each variable represents a bit in IP address. If the ith bit of the address is 1 then variable ai should evaluate true. For example an IP address 192.168.0.1 is represented as the following. a32 ⋀ a31 ⋀ ¬a30 ⋀ ¬a29 ⋀ ¬a28 ⋀ ¬a27 ⋀ ¬a26 ⋀ ¬a25 ⋀ a24 ⋀ ¬a23 ⋀ a22 ⋀ ¬a21 ⋀ a20 ⋀ ¬a19 ⋀ ¬a18 ⋀ ¬a17 ⋀ ¬a16 ⋀ ¬a15 ⋀ ¬a14 ⋀ ¬a13 ⋀ ¬a12 ⋀ ¬a11 ⋀ ¬a10 ⋀ ¬a9 ⋀ ¬a8 ⋀ ¬a7 ⋀ ¬a6 ⋀ ¬a5 ⋀ ¬a4 ⋀ ¬a3 ⋀ ¬a2 ⋀ a1 Here, a1 is the variable for the lowest bit and a32 is for the highest bit. «p» is an environment, which represents packet p. Packets consist of source address and destination address. We have two sets of boolean variables, s = { s1, …, s32} and d = { d1, …, d32 }. They represent source address and destination address of a packet respectively. If packet p is from address 192.168.0.1, «p»|s is the following. { s32 ↦ T, s31 ↦ T, s30 ↦ F, s29 ↦ F, s28 ↦ F, s24 ↦ T, s23 ↦ F, s22 ↦ T, s21 ↦ F, s20 ↦ T, s16 ↦ F, s15 ↦ F, s14 ↦ F, s13 ↦ F, s12 ↦ F, s8 ↦ F, s7 ↦ F, s6 ↦ F, s5 ↦ F, s4 ↦ F, s27 ↦ F, s26 ↦ F, s25 ↦ F, s19 ↦ F, s18 ↦ F, s17 ↦ F, s11 ↦ F, s10 ↦ F, s9 ↦ F, s3 ↦ F, s2 ↦ F, s1 ↦ T, } «p» also includes assignments of d for destination address of p. ‹a, b› is a boolean formula such that «p» ⊢ ‹a, b› holds if and only if packet p is from a to b. ‹192.168.0.1, b› is like the following boolean formula. s32 ⋀ s31 ⋀¬ s30 ⋀ ¬s29 ⋀ ¬s28 ⋀ ¬s27 ⋀ ¬s26 ⋀ ¬s25 ⋀ … 1 Without loss of generality, we have a simplified representation of network addresses. We can easily extend this representation to support net-masks, range of ports, or other features as proposed by Hazelhurst. 128 S. Matsumoto and A. Bouhoula This is the only eight components of the formula. They are the same as the highest eight components of boolean formula representation of IP address 192.168.0.1. 3.2 Boolean Formula Representation of Security Policy Security Policy P can be represented as boolean formula QP, such that ∀p : Packet . P accept p ⇔ «p» ⊢ QP holds. We define a translation BP(q, β) which maps a policy predicate q in security policy P to its boolean formula representation. BP(A(a, b), T) = BP(A(a, b), F) = BP(D(a, b), T) = BP(D(a, b), F) = ¬‹a, b› ⋁ (T ⋀ q∈C BP(q, T)) ‹a, b› ⋀ (⋀ q∈C BP(q, T)) ¬‹a, b› ⋁ (⋁q∈C BP(q, F)) ‹a, b› ⋀ (T ⋁ q∈C BP(q, F)) where C = CP(q) We can obtain the boolean formula representation of security policy P as BP(q, F) where q is the most general predicate in P. Example. The following is an example of transformation from security policy P in section 2 to its boolean formula representation. The boolean formula representation of P is obtained by BP(q1, F) since q1 is the most general predicate. BP(A(LAN, Internet), F) = ‹LAN.Internet› ⋀ BP(q2, T) ⋀ BP(q3,T) BP(D(LAN1, youtube.com), T) = ¬‹LAN1.youtube.com› BP(A(LAN2, youtube.com), T) = ‹LAN2.youtube.com› ⋁ T Finally we have the following formula after some simplifications. ‹LAN.Internet› ⋀ ¬‹LAN1.youtube.com› Consider a packet from LAN1 to youtube.com, the first component in the formula evaluates true, but the second component evaluates false. Whole expression evaluates false, so the packet is rejected. 3.3 Boolean Formula Representation of Firewall Configuration Firewall configuration F can be represented as boolean formula QF, such that ∀p: Packet . F accept p ⇔ «p» ⊢ QF holds. B(F) is a mapping from F to QF. B(φ) B(A(a, b) :: rules) = = B(D(a, b) :: rules) ‹a, b› ⋁ B(rules) = ¬‹a, b› ⋀ B(rules) F 4 Experimental Results We have implemented a prototype of verifier. The verifier reads a security policy and a firewall configuration, and verifies the correctness of the configuration. It supposes Automatic Verification of Firewall Configuration 129 that we have IPv4 addresses with net-masks and port numbers of 16 bit unsigned integer with range support. The verifier uses MiniSAT to solve SAT [7]. In our verifier packets consist of two network addresses and protocol. Network addresses are pair of a 32 bit unsigned integer which represents an IPv4 address and a 16 bit unsigned integer which represents a port number. The protocols are TCP, UDP, or ICMP. Thus, a formula for one packet includes up to 99 variables – two 32+16 variables for source and destination addresses and three variables for protocol. We have verified some firewall configurations. Our experiments were performed on an Intel Core Duo 2.16 GHz processor with 2 Gbytes of RAM. Table 1 summarizes our results. The first two columns show the size of inputs. It is the numbers of predicates in security policy and the numbers of filtering rules in firewall configuration. The third column shows the size of the input for SAT solver. The last column shows the running times of our verifier. It includes all processing time from reading the inputs to printing the results. All of the inputs were correct because it is the most time consuming case. These results show that our method verifies fast enough with not so big inputs. If configurations are not correct, then the verifier produces a counterexample packet. The following is an output of our verifier that shows a counterexample. % verifyconfig verify ../samples/policy.txt ../samples/rules.txt Loading policy ... ok Loading configuration ... ok Translating to CNF ... ok MiniSAT running ... ok Incorrect: for example [tcp - 192.168.0.0:0 - 111.123.185.1:80] The counterexample tells that the security policy and firewall configuration will give different answers for a packet from 192.168.0.0 of port 0 to 111.123.185.1 of port 80. Testing the firewall with the counterexample will help users to correct the configuration. Table 1. Experimental Results # of predicates 3 13 26 # of rules 3 11 21 size of SAT 9183 21513 112327 running time (s) 0.04 0.08 0.37 5 Conclusion In this paper, we have defined a boolean formula representation of security policy, which can be used in a lot of applications. We have also proposed an automatic method to verify the correctness of firewall configurations with respect to security policies. The method translates both of the two inputs into boolean formulae and then verifies the equivalence by checking satisfiability. We have had experimental results with some small examples using our prototype implementation. Our method can verify the configuration of centralized firewall. We are working for generalization of our method for distributed firewalls. 130 S. Matsumoto and A. Bouhoula References 1. Hamdi, H., Bouhoula, A., Mosbah, M.: A declarative approach for easy specification and automated enforcement of security policy. International Journal of Computer Science and Network Security 8(2), 60–71 (2008) 2. Abou El Kalam, A., Baida, R.E., Balbiani, P., Benferhat, S., Cuppens, F., Deswarte, Y., Miége, A., Saurel, C., Trouessin, G.: Organization Based Access Control. In: 4th IEEE International Workshop on Policies for Distributed Systems and Networks (Policy 2003) (June 2003) 3. Senn, D., Basin, D.A., Caronni, G.: Firewall conformance testing. In: Khendek, F., Dssouli, R. (eds.) TestCom 2005. LNCS, vol. 3502, pp. 226–241. Springer, Heidelberg (2005) 4. Darmaillacq, V., Fernandez, J.C., Groz, R., Mounier, L., Richier, J.L.: Test generation for network security rules. In: Uyar, M.Ü., Duale, A.Y., Fecko, M.A. (eds.) TestCom 2006. LNCS, vol. 3964, pp. 341–356. Springer, Heidelberg (2006) 5. Abbes, T., Bouhoula, A., Rusinowitch, M.: Inference System for Detecting Firewall Filtering Rules Anomalies. In: Proceedings of the 23rd Annual ACM Symposium on Applied Computing, Fortaleza, Ceara, Brazil, pp. 2122–2128 (March 2008) 6. Hazelhurst, S.: Algorithms for analysing firewall and router access lists. CoRR cs.NI/0008006 (2000) 7. Eén, N., Sörensson, N.: An extensible sat-solver. In: Giunchiglia, E., Tacchella, A. (eds.) SAT 2003. LNCS, vol. 2919, pp. 502–518. Springer, Heidelberg (2003) Automated Framework for Policy Optimization in Firewalls and Security Gateways Gianluca Maiolini1, Lorenzo Cignini1, and Andrea Baiocchi2 1 Elsag Datamat – Divisione Automazione Sicurezza e Trasporti Rome, Italy {Gianluca.Maiolini, Lorenzo2.Cignini}@elsagdatamat.com 2 University of Roma “La Sapienza” Rome, Italy {Andrea.Baiocchi}@uniroma1.it Abstract. The challenge to address in multi-firewall and security gateway environment is to implement conflict-free policies, necessary to avoid security inconsistency, and to optimize, at the same time, performances in term of average filtering time, in order to make firewalls stronger against DoS and DDoS attacks. Additionally the approach should be real time, based on the characteristics of network traffic. Our work defines an algorithm to find conflict free optimized device rule sets in real time, by relying on information gathered from traffic analysis. We show results obtained from our test environment demonstrating for computational power savings up to 24% with fully conflict free device policies. Keywords: Firewall; Data mining; network management; security policy; optimization. 1 Introduction A key challenge of secure systems is the management of security policies, from those at high level down to the platform specific implementation. Security policy defines constraints, limitations and authorization on data handling and communications. The need for high speed links follows the increasing demand for improved packet filtering devices performance, such as firewall and S-VPN gateway. As hacking techniques evolves and routing protocols are becoming more complex there is a growing need of automated network management systems that can rapidly adapt to different and new environments. We assume that policies are formally stated according to a well defined formal language, so that the access lists of a security gateway can be reduced to an ordered list of predicates of the form: C Æ A, where C is a condition and A is an action. We refer to predicates implementing security policies as rules. For security gateway the condition of a filtering rule is composed of five selectors: <protocol> <src ip> <src port> <dst ip> <dst port>. The action that could be performed on the packet is allow, deny or process, where process imply that the packet has to be submitted to the IPSec algorithm. How to process that packet is described in a specific rule which details how to apply the security mechanism. Conditions are checked on each packet flowing through the device. The process of inspecting incoming packets and looking up the policy rule set for a match often results in CPU overload and traffic or application’s delay. Packets that match high rank rules require a small computation time compared to those one at the end of rule set. Shaping list of rules on traffic E. Corchado et al. (Eds.): CISIS 2008, ASC 53, pp. 131–138, 2009. springerlink.com © Springer-Verlag Berlin Heidelberg 2009 132 G. Maiolini, L. Cignini, and A. Baiocchi flowing through devices could be useful to improve devices performance. This operation performed on all packet filtering devices give an improvement in global network performance. Our analysis shows how shaping access list based on network traffic can often results in conflicts between policies. As reported by many authors [1-6], conflicts in a policy can cause holes in security, and often they can be hard to find when performing only visual or manual inspection. In this paper we propose architecture based on our algorithm to automatically adapt packet filtering devices configuration to traffic behavior achieving the best performance ensuring conflict-free solution. The architecture retrieves traffic pattern from log information sent in real time from all devices deployed in the network. 2 Related Works In the last few years the critical role of firewall in the policy based network management led to a large amount of works. Many of these concern the correctness of implemented policies. In [1] the Authors only aim at detecting if firewall rules are correlated to each other, while in [2][3][4] a set of techniques and algorithms are defined to discover all of the possible policy conflicts. Along this line, [5] and [6] provide an automatic conflict resolution algorithm in single firewall environment and tuning algorithm in multi-firewall environment respectively. Recently great emphasis has been placed on how to optimize firewall performance. In [7] a simple algorithm based on rule re-ordering is presented. In [11] Authors present an algorithm to optimize firewall performance that order the rules according to their weights and consider two factors to determine the weight of a rule: rule frequency and recency which reflect the number and time of rule matching, respectively. Finally extracting rules from the “deny all” rule is another big problem to address. The few works on this issue [8] [10] do not define how many rules must be extracted, which combine values; how to define their priorities and they not check whether this process really improve the firewall packet filtering performance. In this paper we propose a fully automated framework composed by a log management infrastructure, policy compliance checking and a tool that, based on log messages collected from all device in the network, calculate rules’ rate related to traffic data, re-orders ranks guaranteeing conflict-free configuration and maximum performance optimization. Moreover our tool is able to extract a rule from the “deny all” rule if this leads to further improved performance. To make the framework automatic we are actually working to define a threshold to understand how many logs are needed to automatically start rule set update. 3 Adaptive Conflict-Free Optimization (ACO) Algorithm In the following we refer to a tagged device rule set, denoted by R = [R1,…,RN]. The index i of each rule in set R is also called rule rank. We let the following definitions: • Pi is the rule rate, i.e. the matching ratio of rule i, defined as the ratio on the number ni(T) of packets matching Ri out of the overall number n(T) of packets processed by the tagged device in the reference time interval T. Automated Framework for Policy Optimization • • 133 Ci is the rule weight, i.e. the computational cost of rule i; if the same processing complexity can be assumed for each rule in R, then Ci=i·Pi; C(R) is the device rule set overall computational cost, computed as the sum of the rule weights, C(R)=∑i Ci. Our aim is to minimize C(R) in all network devices, under the constraint of full rule consistency. The aim is to improve both device and global filtering operation. In the following paragraph we are going to describe phases for algorithm. To develop our algorithm we used two repository systems, in particular: DVDB: database storing devices configurations including security policy. LogDB: database designed to store all log messages coming from devices. Analysis and correlation among logs are performed in order to know how many times each device’s rule was matched. 3.1 Phase 1: Starting ACO ACO starts operation when: i) policy configurations (rule set) are retrieved to solve conflicts in all devices; ii) a sufficiently large amount of log for each device are collected, e.g. to allow reliable weight estimates (i.e. logs collected in a day). Since ACO is aimed at working in real time, we need to decide which events trigger its run. We monitor in real time all devices and decide to start optimization process when at least one of the following events occurs: • • rule set change (such as rule insertion, modification and removal); the number of logs received from a device in the last collection time interval (in our implementation set to 60 s) has grown more than 10% with respect to the previous collection interval. The first criterion is motivated mainly to check the policy consistency; the second one to optimize performance adapting to traffic load. Specifically, performance optimization is needed the more the higher the traffic load, i.e. as traffic load attains critical values. In fact, rule set processing time optimization is seen as a form of protection of secure networks from malicious overloads (DoS attacks by dummy traffic flooding). 3.2 Phase 2: Data Import The algorithm retrieves from Device DB (DVDB): • • the IP address of devices interfaces to the networks; devices rule set R. For each device algorithm retrieves all rules hit number (how many times a rule was applied to a packet) from Log DB (LogDB). Then it calculates rule match rate (Pi) and rule weight (Ci). 3.3 Phase 3: Rules Classification In this phase for each device a classifier analyzes one by one the rules in R and it determines the relations between Ri and all the rules previously analysed [R1,…,Ri–1]. A data structure called Complete Pseudo Tree (CPT) is built out of this analysis. 134 G. Maiolini, L. Cignini, and A. Baiocchi Definition. A pseudo tree is a hierarchically organized data structure that represents relations between each rule analysed. A pseudo tree might be formed by more than one tree. Each tree node represents a rule in R. The relation parent-children in the trees reflect the inclusion relation between the portions of traffic matched by the selectors of the rules: a rule will be a child node if the traffic matched by its selectors is included in the portion of traffic matched by the selectors of the parent node. Any two rules whose selectors match no overlapping portions of traffic will not be related by any inclusion relation. In each tree there will be a root node which represents a rule that includes all the rules in the tree and there will be one or more leaves which represent the most specific rules. When the classifier finds a couple of rules which are not related by an inclusion relation, it will split one of them into two or three new rules so as to obtain derived rules that can be classified in the pseudo tree. The output of this phase is a conflict-free tree where there remain only redundant rules that will be eliminated in the next phase. The pseudo code of the algorithm for the identification of the Complete Pseudo Tree is listed below. Algorithm 1: Create new Complete Pseudo Tree CPT 2: foreach rule r in Ruleset do 3: foreach ClassifiedRule cR in CPT do 4: classify(r,cR) 5: if r is to be fragmented then 6: fragment(r,classifiedRule) 7: remove(r, pseudoTree) 8: insert fragments at the bottom of the Ruleset 9: calculate statistic from LogDB (fragments) 10: else 11: insert(r,CPT). 3.4 Phase 4: Optimization In this phase core operations upon the single devices rule lists optimization will be performed. The aim of these operations is twofold: to restrict the number of rules in every rule list without changing the external behavior of the device and to optimize filtering performance. We ought to take into consideration the data structures introduced in previous section, namely the Device Pseudo Tree (DPT), one for each device, obtained from the CPT by considering only the rules belonging to one device. Each of these structures shows a hierarchical representation of the rules in the rule list of each device. Chances are that one rule might have the same action as a rule that directly includes it. This means that the child rule is in a way redundant because, if it was not in the rule list, the same portion of traffic would be matched by the parent rule which has got the same action. The child rule is indeed not necessary to describe the device behavior and could be eliminated simplifying the device rule list. Therefore, our algorithm will locate in every device pseudo tree all these cases, in which a child rule has got the same action as the father’s, and will delete the child rule. So the rule set obtained is composed by two kinds of rules: one completely disjoint that can be located in any rank of rule list, the other one characterized by dependencies constraints among rules. In addition we need to update the rate of the father rule when one or more child rules are deleted. At this point each device rule set R is re-ordered according to nonincreasing rule rates, i.e. so that Pi≥Pj for i≤j The resulting ordering minimizes the Automated Framework for Policy Optimization 135 overall cost C(R), yet it does not guarantee the correctness of the policies implemented. As a matter of fact, it may happen that one more specific rule is placed after a more general rule, so violating the constraints imposed by security policy consistency. For this reason, after re-ordering operation, relations father-child of the DPT are restored. It’s clear that the gain achieved by optimization heavily depends on the degree of dependencies of the rules. The two limit cases are: i) no rules dependencies (all disjoint rules), that yields the biggest optimization margin; ii) complete dependency (every rule depends on any other one), where the optimization process produces a near zero gain. The device rule set total cost C(R) is evaluated and fed as input for the next phase. The pseudo code of the optimization algorithm is listed below. Algorithm 1: foreach Node node in CPT do 2: get the id of the device the rule belongs to 3: if exist DPT.id = = id then 4: insert(node,DPT) 5: else 6: create(DPT,id) 7: insert(node,DPT) 8: foreach DPT do 9: foreach Rule rule in DPT do 10: if rule.action = = rule’s father.action then 11: update rule’s father.rate 12: delete(rule) 13: foreach Device dv do 14: sort the dv.ruleset except deny all in non-increasing order of rule.rate 15: foreach Rule rule do 16: if rule is a child 17: move rule just above father rule 18: calculate dv.cost 3.5 Phase 5: Extracting Rules from Deny all String The common idea about rules extraction from deny all rule is to obtain better optimization rate. It consists in selecting only heavily invoked rules and simply extract them in rule set according of their rates. However, this is a very delicate operation, since the inclusion of these rules often does not improve performance. In Table 1 we show this case: two new rules extracted and ordered according to their rates produce an Table 1. Rule list with two rules extracted (Rank = 2 and Rank = 7) Rank 1 2 3 4 5 6 7 8 9 10 Pi 0.18 0.10 0.02 0.07 0.17 0.12 0.05 0.03 0.01 0.25 C(R) = 5.47 Ci 0.18 0.20 0.06 0.28 0.85 0.72 0.35 0.24 0.09 2.5 136 G. Maiolini, L. Cignini, and A. Baiocchi increment of the starting value of C(R), that was 5.16. In addition extracted rules are always disjoint from all others in the rule sets, so it is impossible to introduce additional conflicts. Our algorithm extracts a new rule when its rate exceeds 20% of deny all rule rate. But this is not enough; in fact we perform an additional control to assess efficacy of the new rule in the process of optimization. Changing the position of rules implies cost changes so we will choose the position of rule that grants for the lowest overall cost C(R). The derived rule will be actually inserted in the rule list if the overall cost improves over the value it had before rule extraction. Detailed pseudo code of this phase is listed below. Algorithm 1: foreach Device dv 2: foreach denyall log record in LogDB 3: count log occurrence 4: if log.rate > 0.2 denyall.rate 5: extract new rule from log record 6: add rule to extracted_ruleset 7: foreach Rule rule in extracted_ruleset 8: calculate vector dv.costvector 9: if min(dv.costvector) < dv.cost 10: update dv.cost 11: update ruleset including rule. 3.6 Phase 6: Update Devices At this point we have obtained for each packet filtering device an optimized and conflict-free rules list, shaped on traffic flowed through the network. In this phase the algorithm updates devices configuration on device DB. Network management system manages configuration upload to deployed devices. 4 Performance Evaluations Our approach is based on real test scenario even if due to privacy issues we can’t provide reference and traffic contents. We have observed for traffic behaviour during a day in ten different devices deployed in a internal network. We analyzed configuration in order to detect and solve eventual conflict, results of this phase are not important because we are focused on log gathering and optimization. We have stored conflict free configurations in device DB. We have also configured devices for sending log to our machine where our tool is installed. We collected logs for 24 hour storing them in logDB. We started our tool based on the algorithm described in section 3, obtaining different level of optimization depending on devices configuration and traffic. For us optimization rate consists in calculate parameter C(R). In this section we are going to describe the results obtained in the most significant device deployed on the network, it could describe the concept of the algorithm. Table 2 shows the initial device rule set comprising access list for IP traffic and IPSec configuration. It’s easy to see that if we exchange rules 3, 6 and 7 shadowing conflicts occur. Table 3 shows the Pi and Ci values of the initial rule set calculated retrieving data stored in logDB. According to the metric used we obtain a value of Automated Framework for Policy Optimization 137 C(R) equal to 5.99. Re-ordering operation (line 14 of phase 4 algorithm) produces the best optimization gain (+22%) but adjustments are necessary to ensure a conflict-free configuration. At the end of phase 4 we obtained the order showed in Table 4. The value of C(R) obtained is 5.16, so the improvement is about 14%. Another good optimization is obtained by algorithm in phase 5. In this phase new rules are extracted because of packet flow matched with a specific denied rule (obviously included in deny all) a lot of time. Our algorithm calculates the best position to insert rule in the list to minimize cost C(R) so in this case it has been positioned at the top of rule-list. In Table 5 are shown the changing occurring in Pi and Ci values. The value of C(R) obtained is 4.56, so additional gain obtained in this phase is about 10 %. At the end of the process the total optimization gain is about 24%. Similar values (±2 %) were obtained in the remaining devices. Optimization is not always feasible. In the end, we have achieved a conflict-free configuration with a gain of 24%. These results depend on specific traffic behaviour and security policies applied on devices. Our work is continuing performing further traffic test looking for relations between number of rules and optimization rate also refining the extraction from deny all rules. A further issue is the fine tuning of heuristic parameters used in the algorithm, like time interval duration between two updates. Finally a device spends significant CPU time to send logs, especially when it has to be sent them for all packets flowing through it. Table 2. Rank Protocol Source IP 1 2 3 4 5 6 7 8 tcp tcp tcp udp udp tcp tcp any 192.168.10.* 192.168.10.* 10.1.1.23 192.168.3.5 192.168.3.5 10.1.1.* 10.1.*.* any Table 3. Rank 1 2 3 4 5 6 7 8 Pi 0.01 0.12 0.02 0.18 0.03 0.07 0.17 0.4 C(R) = 5.99 Source Port 80 21 any 53 any any any any Dest. IP 192.168.20.* 192.168.20.* 20.1.1.23 192.168.3.5 192.168.*.* 20.1.1.* 20.1.1.* any Table 4. Ci 0.01 0.24 0.06 0.72 0.15 0.42 1.19 3.2 Old Rank rank 4 1 3 2 6 3 7 4 2 5 5 6 1 7 8 8 C(R) = 5.16 Pi 0.18 0.02 0.07 0.17 0.12 0.03 0.01 0.40 Dest. port 80 21 80 any 80 80 80 any Action Deny Allow Allow Deny Allow Deny Allow Deny Table 5. Ci 0.18 0.04 0.21 0.68 0.60 0.18 0.07 3.20 + 14% Rank Pi 1 0.2 2 0.18 3 0.02 4 0.07 5 0.17 6 0.12 7 0.03 8 0.01 9 0.20 C(R) = 4.56 Ci 0.2 0.36 0.06 0.28 0.85 0.72 0.21 0.08 1.8 +10% 138 G. Maiolini, L. Cignini, and A. Baiocchi References 1. Hari, H.B., Suri, S., Parulkar, G.: Detecting and Resolving Packet Filter Conflicts. In: Proceedings of IEEE INFOCOM 2000, Tel Aviv (2000) 2. Al-Shaer, E., Hamed, H.: Modeling and Management of Firewall Policies. In: IEEE eTransactions on Network and Service Management, vol. 1-1 (2004) 3. Al-Shaer, E., Hamed, H., Boutaba, R., Hasan, M.: Conflict Classification and Analysis of Distributed Firewall Policies. IEEE Journal on Selected Areas in Communications 23(10) (2005) 4. Al-Shaer, E., Hamed, H.: Firewall Policy Advisor for Anomaly Detection and Rule Editing. In: Proceedings of IEEE/IFIP Integrated Management Conference (IM 2003), Colorado Springs (2003) 5. Ferraresi, S., Pesic, S., Trazza, L., Baiocchi, A.: Automatic Conflict Analysis and Resolution of Traffic Filtering Policy for Firewall and Security Gateway. In: IEEE International Conference on Communications 2007 (ICC 2007), Glasgow (2007) 6. Ferraresi, S., Francocci, E., Quaglini, A., Picasso, F.: Security Policy Tuning among IP Devices. In: Apolloni, B., Howlett, R.J., Jain, L. (eds.) KES 2007, Part II. LNCS (LNAI), vol. 4693. Springer, Heidelberg (2007) 7. Fulp, E.W.: Optimization of network firewall policies using directed acyclical graphs. In: Proceedings of the IEEE Internet Management Conference (2005) 8. Acharya, S., Wang, J., Ge, Z., Znati, T., Greenberg, A.: Simulation study of firewalls to aid improved performance. In: Proceedings of 39th Annual Simulation Symposium (ANSS 2006), Huntsville (2006) 9. Acharya, S., Wang, J., Ge, Z., Znati, T., Greenberg, A.: Traffic-aware firewall optimization Strategies. In: IEEE International Conference on Communications (ICC 2006), Istambul (2006) 10. Zhao, L., Inoue, Y., Yamamoto, H.: Delay reduction for linear-search based packet filters. In: International Technical Conference on Circuits/Systems, Computers and Communication (ITC-CSCC 2004), Japan (2004) 11. Hamed, H., Al-Shaer, E.: Dynamic rule ordering optimization for high speed firewall Filtering. In: ACM Symposium on InformAtion, Computer and Communications Security (ASIACCS 2006), Taipei (2006) An Intrusion Detection System Based on Hierarchical Self-Organization E.J. Palomo, E. Domínguez, R.M. Luque, and J. Muñoz Department of Computer Science E.T.S.I. Informatica, University of Malaga Campus Teatinos s/n, 29071 – Malaga, Spain {ejpalomo,enriqued,rmluque,munozp}@lcc.uma.es Abstract. An intrusion detection system (IDS) monitors the IP packets flowing over the network to capture intrusions or anomalies. One of the techniques used for anomaly detection is building statistical models using metrics derived from observation of the user's actions. A neural network model based on self organization is proposed for detecting intrusions. The selforganizing map (SOM) has shown to be successful for the analysis of high-dimensional input data as in data mining applications such as network security. The proposed growing hierarchical SOM (GHSOM) addresses the limitations of the SOM related to the static architecture of this model. The GHSOM is an artificial neural network model with hierarchical architecture composed of independent growing SOMs. Randomly selected subsets that contain both attacks and normal records from the KDD Cup 1999 benchmark are used for training the proposed GHSOM. Keywords: Network security, self-organization, intrusion detection. 1 Introduction Nowadays, network communications become more and more important to the information society. Business, e-commerce and other network transactions require more secured networks. As these operations increases, computer crimes and attacks become more frequents and dangerous, compromising the security and the trust of a computer system and causing costly financial losses. In order to detect and prevent these attacks, intrusion detection systems have been used and have become an important area of research over the years. An intrusion detection system (IDS) monitors the network traffic to detect intrusions or anomalies. There are two different approaches used to detect intrusions [1]. The first approach is known as misuse detection, which compares previously stored signatures of known attacks. This method is good detecting many or all known attacks, having a successful detection rate. However, they are not successful in detecting unknown attacks occurrences and the signature database has to be manually modified. The second approach is known as anomaly detection. First, these methods establish a normal activity profile. Thus, variations from this normal activity are considered anomalous activity. Anomaly-based systems assume that anomalous activities are intrusion attempts. Many of these anomalous activities are frequently normal E. Corchado et al. (Eds.): CISIS 2008, ASC 53, pp. 139–146, 2009. springerlink.com © Springer-Verlag Berlin Heidelberg 2009 140 E.J. Palomo et al. activities, showing false positives. Many anomaly detection systems build statistical models using metrics derived from the user's actions [1]. Also, anomaly detection systems using data mining techniques such as clustering, support vector machines (SVM) and neural network systems have been proposed [2-4]. Several IDS using a self-organizing maps have been done, however they have many difficulties detecting a wide variety of attacks with low false positive rates [5]. The self-organizing map (SOM) [6] has been applied successfully in multiple areas. However, the network architecture of SOMs has to be established in advance and it requires knowledge about the problem domain. Moreover, the hierarchical relations among input data are difficult to represent. The growing hierarchical SOM (GHSOM) faces these problems. The GHSOM is an artificial neural network which consists of several growing SOMs [7] arranged in layers. The number of layers, maps and neurons of maps are automatically adapted and established during a training process of the GHSOM, according to a set of input patterns fed to the neural network. Applied to an intrusion detection system, the input patterns will be samples of network traffic, which can be classified as anomalous or normal activities. The data analyzed from network traffic can be numerical (i.e. number of seconds of the connection) or symbolic (i.e. protocol type used). Usually, the Euclidean distance has been used as metric to compare two input data. However, this is not suitable for symbolic data. Therefore, in this paper an alternative metric for GHSOMs where both symbolic and numerical data are considered is proposed. The implemented IDS using the GHSOM, was trained with the KDD Cup 1999 benchmark data set [8]. This data set has served as the first and only reliable benchmark data set that has been used for most of the research work on intrusion detection algorithms [9]. This data set includes a wide variety of simulated attacks. The remainder of this paper is organized as follows. Section 2 discusses the new GHSOM model used to build the IDS. Then, the training algorithm is described. In Section 3, we show some experimental results obtained from comparing our implementation of the Intrusion Detection System (IDS) with other related works, where data from the KDD Cup 1999 benchmark are used. Section 4 concludes this paper. 2 GHSOM for Intrusion Detection The IDS implemented is based on GHSOM. Initially, the GHSOM consists of a single SOM of 2x2 neurons. Then, the GHSOM adapts its very architecture depending on the input patterns, so that the GHSOM structure mirrors the structure of the input data getting a good data representation. This neural network structure is used to classify the input data in groups, where each neuron represents a data group with similar features. The level of data representation of each neuron is measured as the quantization error of the neuron ( ). The is a measure of the similarity of a data set, where the higher is the , the higher is the heterogeneity of the data. Usually the has been used in terms of the Euclidean distance between the input pattern and the weight vector of a neuron. However, in many real life problems not only numerical features are present, but also symbolic features can be found. To take an obvious example, among the features to analyze from data for building an IDS, three symbolic features are found: protocol type (UDP and ICMP), service (i.e. HTTP, SMTP, FTP, TELNET, An Intrusion Detection System Based on Hierarchical Self-Organization 141 etc.) and flag of the status of the connection (i.e. SF, S1, REJ, etc.). Unlike numerical data, symbolic data do not have an order associated and cannot be measured by a distance. It makes no sense to use the Euclidean distance between two symbolic values, for example the distance between HTTP and FTP protocol. It seems better to use a similarity measure rather than a distance measure for symbolic data. For that reason, in this paper we introduce the entropy as similarity measure of error in representation of a neuron for symbolic data together with the Euclidean distance for numerical data. Fig. 1. Sample architecture of a GHSOM Let be the th input pattern, where is the vector component of nu- is the component of symbolic features. The error of a unit merical features and ( ) in the representation is defined as follows: w x p x log p x , (1) and are the error components of numerical and symbolic features, rewhere is the probability spectively, is the set of patterns mapped onto the unit , and of the element in . The quantization error of the unit is given by expression (2). | |. (2) First of all, the quantization error at layer 0 map ( ) has to be computed as it is shown above. In this case, the error neuron is computed as specified in (1), but using inas the mean of the all input data , being the set of input patterns the set . stead The training of a map is done as the training of a single SOM [6]. An input pattern is randomly selected and each neuron determines its activation according to a similarity measure. In our case, since we take into account the presence of symbolic and 142 E.J. Palomo et al. numerical data, the neuron with the smallest similarity measure defined in (3), becomes the winner. 1, 2 . log (3) For numerical component, is the Euclidean distance between two vectors. For symbolic data, it checks whether the two vectors are the same or not, that is, the probability can just take the values 1, if the vectors are the same; or 0.5 if they are differand are equal; and ent. Therefore, for symbolic data the value of will be 0, if if they are not the same. By taking into account the new similarity measure, the index of the winner neuron is defined in (4). min| , |. (4) is adapted according to the expression (5). For The weight vector of a neuron numerical component, the winner and its neighbors, whose amount of adaptation follows a Gaussian neighborhood function , are adpated. For symbolic data, just the winner is adapted with the weight vector of the mode of the set of input patterns mapped onto the winner . 1 1 1 (5) The GHSOM growing and expansion is controlled by means of two parameters: , which is used to control the growth of a single map; and , which is used to control the expansion of each neuron of the GHSOM. Specifically, a map stops growing if ( ) reaches a certain fraction of the of the corthe mean of the map's responding neuron that was expanded in the map . Also, a neuron is not expanded of . Thus, the if its quantization error ( ) is smaller than a certain fraction larger the paremeter is chosen the deeper the hierarchy will be. Also, for large values, we will have large maps. This way, with these two paremeters, a control of the resulting hierarchical architecture is provided. Note that these parameters are the only ones that have to be established in advance. The pseudocode of the training algorithm of the proposed GHSOM is defined as follows. Step 1. Compute the mean of the all input data and then, the initial quantization error . Step 2. Create an initial map with 2x2 neurons. Step 3. Train the map during iterations as a single SOM, using the expressions (3), (4) and (5). Step 4. Compute the quantification errors of each neuron according to the expression (2). Step 5. Calculate the mean of all units’ quantization errors of the map ( . Step 6. If go to step 9, where is the of the corresponding unit in the upper layer that was expanded. For the first layer, this is . An Intrusion Detection System Based on Hierarchical Self-Organization Step 7. Select the neuron with the highest according to the expression (6). arg max| , | 143 and its most dissimilar neighbor Λ (6) Step 8. Insert a row or column of neurons between and , initializing their weight vectors as the means of their respective neighbors. Go to step 3. Step 9. If for all neurons in the map, go to step 11. Step 10. Select an unsatisfied neuron and expand it creating a new map in the lower layer. The parent of the new map is the expanded neuron and their weight vectors are initialized as the mean of their parent and neighbors. Go to step 2. Step 11. If exists remaining maps, select one and go to step 3. Otherwise, the algorithm ends. 3 Experimental Results Our IDS based on the new GHSOM model was trained with the pre-processed KDD Cup 1999 benchmark data set created by MIT Lincoln Laboratory. The purpose of this benchmark was to build a network intrusion detector capable of distinguishing between intrusions or attacks, and normal connections. We have used the 10% KDD Cup 1999 benchmark data set, which contains 494021 connection records, each of them with 41 features. Here, a connection is a sequence of TCP packets which flows between a source and a target IP addresses. Since some features alone cannot constitute a sign of an anomalous activity, it is better analyzes connection records rather than individual packets. Among the 41 features, three are symbolic: protocol type, service and status of the connection flag. In the training data set exist 22 attack types and in addition to normal records, which fall into four main categories [10]: Denial of Service (DoS), Probe, Remote-to-Local (R2L) and User-to-Root (U2R). In this paper, we have selected two data subsets for training the GHSOM from the total of 494021 connection records, SetA with 100000 connection records and SetB with 169000. Both SetA and SetB contain the 22 attack types. We try to select the data in such a way that there was the same distribution for all the record types. However, the distribution of the data in the 10% KDD Cup data set has an irregular distribution that finally was mirrored in our selection. The two data subsets were trained with 0.1 as value for parameters and , since with these values we achieved good results and a very simple architecture. In fact, each trained GHSOM generated just Table 1. Training results for SetA and SetB Training Set Detected (%) False Positive (%) Identified (%) SetA 99.98 3.03 94.99 SetB 99.98 5.74 95.09 two layers with 16 neurons, although with a different arrangement. The GHSOM trained with SetB is the same that we showed in Fig. 1. 144 E.J. Palomo et al. Many related works are only interested in classifying the input pattern just as one of two record types: anomalous or normal records. Taking into account just two groups, normal records that are classified as anomalous are known as false positives, whereas anomalous records that are classified as normal records are known as missed detections. However, we are also interested in classify an anomalous record into its attack type, that is, taking into account 23 groups (22 attack types plus normal records) instead 2 groups. Hence, we call identification rate to the connection records that are correctly identified as their respective record types. The training results of the two GHSOMs obtained with the subsets SetA and SetB are shown in Table 1. Both subsets achieve 99.98% attack detection rate and false positive rates of 3.03% and 5.74%, respectively. Attending to the identification of the attack type, around the 95% were correctly identified in both cases. We have simulated the trained GHSOMs with the 494021 connection records from the benchmark data set. This simulation consists of classifying these data with the trained GHSOMs without any modification of the GHSOMs, that is, without learning process. The simulation results of both GHSOMs are given in Table 2. Here, 99.9% detection rate is achieved. Also, the identification rate rises up to 97% in both cases. The false positive rate increases for SetA during the simulation, although it is lower for SetB compared with this rate after the training. Note that during both training and simulation, we used the 41 features and all the 22 existing attacks in the training data set. Moreover, the resulting number of neurons was much reduced. In fact, there are less neurons than groups, although this is due to the scarce amount of connection records from certain attack groups. Table 2. Simulating results with 494021 records for SetA and SetB Training Set Detected (%) False Positive (%) Identified (%) SetA 99.99 5.41 97.09 SetB 99.91 5.11 97.15 In Table 3, we compare the training results of SetA with the results obtained in [9, 10], where SOMs were used to build IDSs as well. In order to differentiate both IDS based on self-organization, we call them SOM and K-Map, respectively, using the author's notation, whereas our trained IDS is called GHSOM. From the first work, we chose the only one SOM trained on all the 41 features, which was composed of 20x20 neurons. Another IDS implementation was proposed in the second work. Here, a hierarchical Kohonen net (K-Map), composed of three layers, was trained with a subset of 169000 connection records, and taking into account the 41 features and 22 attack types. Their best result was 99.63% detection rate after testing the K-Map, although with several restrictions. This result was achieved using a pre-selected combination of 20 features, which were divided into three levels of features, where each features sub combination was fed to a different layer. Also, they used just three attack types during the testing, whereas we used the 22 attack types. Moreover, the architecture of the hierarchical K-Map was established in advance, using 48 neurons in each layer, that is, 144 neurons, when we used just 16 neurons that were generated during the training process without any human intervention. An Intrusion Detection System Based on Hierarchical Self-Organization 145 Table 3. Comparison results for different IDS implementations GHSOM SOM K-Map Detected (%) False Positive (%) 99.98 3.03 81.85 0.03 99.63 0.34 4 Conclusions This paper has presented a novel Intrusion Detection System based on growing hierarchical self-organizing maps (GHSOMs). These neural networks are composed of several SOMs arranged in layers, where the number of layers, maps and neurons are established during the training process mirroring the inherent data structure. Moreover, we have taken into account the presence of symbolic features in addition to numerical features in the input data. In order to improve the classification process of input data, we have introduced a new metric for GHSOMs based on entropy for symbolic data together with the Euclidean distance for numerical data. We have used the 10% KDD Cup 1999 benchmark data set to train our IDS based on GHSOM, which contains 494021 connection records, where 22 attack types in addition to normal records can be found. We trained and simulated two GHSOMs with two different subsets, SetA with 100000 connection records and SetB with 169000 connection records. Both SetA and SetB achieved 99.98% detection rate and false positives rates of 3.03% and 5.74%, respectively. The identification rate, that is, the connection records identified as their correct connection record types, was 94.99% and 95.09%, respectively. After the simulation of the two trained GHSOMs with the 494021 connection records, we achieved 99.9% detection rate and false positive rates between 5.11% and 5.41% in both subsets. The identification rate was around the 97%. Acknowledgements. This work is partially supported by the Spanish Ministry of Education and Science under contract TIN-07362. References 1. Denning, D.: An intrusion-detection model. Software Engineering. IEEE Transactions on SE 13(2), 222–232 (1987) 2. Lee, W., Stolfo, S., Chan, P., Eskin, E., Fan, W., Miller, M., Hershkop, S., Zhang, J.: Real time data mining-based intrusion detection. In: DARPA Information Survivability Conference & Exposition II, vol. 1, pp. 89–100 (2001) 3. Maxion, R., Tan, K.: Anomaly detection in embedded systems. IEEE Transactions on Computers 51(2), 108–120 (2002) 4. Tan, K., Maxion, R.: Determining the operational limits of an anomaly-based intrusion detector. IEEE Journal on Selected Areas in Communications 21(1), 96–110 (2003) 5. Ying, H., Feng, T.J., Cao, J.K., Ding, X.Q., Zhou, Y.H.: Research on some problems in the kohonen som algorithm. In: International Conference on Machine Learning and Cybernetics, vol. 3, pp. 1279–1282 (2002) 146 E.J. Palomo et al. 6. Kohonen, T.: Self-organized formation of topologically correct feature maps. Biological cybernetics 43(1), 59–69 (1982) 7. Fritzke, B.: Growing grid - a self-organizing network with constant neighborhood range and adaptation strength. Neural Processing Letters 2(5), 9–13 (1995) 8. Lee, W., Stolfo, S., Mok, K.: A data mining framework for building intrusion detection models. In: IEEE Symposium on Security and Privacy, pp. 120–132 (1999) 9. Sarasamma, S., Zhu, Q., Hu, J.: Hierarchical kohonenen net for anomaly detection in network security. IEEE Transactions on Systems Man and Cybernetics Part BCybernetics 35(2), 302–312 (2005) 10. DeLooze, L., DeLooze, A.F.: Attack characterization and intrusion detection using an ensemble of self-organizing maps. In: 7th Annual IEEE Information Assurance Workshop, pp. 108–115 (2006) Evaluating Sequential Combination of Two Genetic Algorithm-Based Solutions for Intrusion Detection Zorana Banković, Slobodan Bojanić, and Octavio Nieto-Taladriz ETSI Telecomunicación, Universidad Politécnica de Madrid, Ciudad Universitaria s/n, 28040 Madrid, Spain {zorana,slobodan,nieto}@die.upm.es Abstract. The paper presents a serial combination of two genetic algorithm-based intrusion detection systems. Feature extraction techniques are deployed in order to reduce the amount of data that the system needs to process. The designed system is simple enough not to introduce significant computational overhead, but at the same time is accurate, adaptive and fast. There is a large number of existing solutions based on machine learning techniques, but most of them introduce high computational overhead. Moreover, due to its inherent parallelism, our solution offers a possibility of implementation using reconfigurable hardware with the implementation cost much lower than the one of the traditional systems. The model is verified on KDD99 benchmark dataset, generating a solution competitive with the solutions of the state-of-the-art. Keywords: intrusion detection, genetic algorithm, sequential combination, principal component analysis, multi expression programming. 1 Introduction Computer networks are usually protected against attacks by a number of access restriction policies (anti-virus software, firewall, message encryption, secured network protocols, password protection). Since these solutions are proven to be insufficient for providing high level of network security, there is a need for additional support in detecting malicious traffic. Intrusion detection systems (IDS) are placed inside the protected network, looking for potential threats in network traffic and/or audit data recorded by hosts. IDS have three common problems that should be tackled when designing a system of the kind: speed, accuracy and adaptability. The speed problem arises from the extensive amount of data that needs to be monitored in order to perceive the entire situation. An existing approach to solving this problem is to split network stream into more manageable streams and analyze each in real-time using separate IDS. The event stream must be split in a way that covers all relevant attack scenarios, but this assumes that all attack scenarios must be known a priori. We are deploying a different approach. Instead of defining different attack scenarios, we extract the features of network traffic that are likely to take part in an attack. This provides higher flexibility since a feature can be relevant for more than one attack or is prone to be abused by an unknown attack. Moreover, we need only one IDS E. Corchado et al. (Eds.): CISIS 2008, ASC 53, pp. 147–154, 2009. springerlink.com © Springer-Verlag Berlin Heidelberg 2009 148 Z. Banković, S. Bojanić, and O. Nieto-Taladriz to perform the detection. Finally, in this way the total amount of data to be processed is highly reduced. Hence, the amount of time spent for offline training of the system and afterwards the time spent for attacks detection are also reduced. Incorporation of learning algorithms provides a potential solution for the adaptation and accuracy issues. A great number of machine learning techniques have been deployed for intrusion detection in both commercial systems and state-of-the-art. These techniques can introduce certain amount of ‘intelligence’ in the process of detecting attacks, but are capable of processing large amount of data much faster than a human. However, these systems can introduce high computational overhead. Furthermore, many of them do not deal properly with so-called ‘rare’ classes [5], i.e. the classes that have significantly smaller number of elements then the rest of the classes. This problem occurs mostly due to the tendency for generalization that most of these techniques exhibit. Intrusions can be considered rare classes since the amount of intrusive traffic is considerably smaller then the amount of normal traffic. Thus, we need a machine learning technique that is capable of dealing with this issue. In this work we are presenting a genetic algorithm (GA) [9] approach for classifying network connections. GAs are robust, inherently parallel, adaptable and suitable for dealing with the classification of rare classes [5]. Moreover, due to its inherent parallelism, it offers possibility to implement the system using reconfigurable devices without the need of deploying a microprocessor. In this way, the implementation cost would be much lower than the cost of implementing traditional IDS offering at the same time higher level of adaptability. This work represents a continuation of our previous one [1] where we investigated the possibilities of applying GA to intrusion detection while deploying small subset of features. The experiments have confirmed the robustness of GA and inspired us to further continue experimenting on the subject. Here we further investigate a combination of two GA-based intrusion detection systems. The first system in the row is an anomaly-based IDS implemented as a simple linear classifier. This system exhibits high false-positive rate. Thus, we have added a simple system based on if-then rules that filters the decision of the linear classifier and in that way significantly reduces false-positive rate. We actually create a strong-classifier built upon weak-classifiers, but without the need to follow the process of boosting algorithm [15] as both of the created systems can be trained separately. For evolving our GA-based system KDD99Cup training and testing dataset was used [6]. KDD99Cup dataset was found to have quite drawbacks [7], [8], but it is still prevailing dataset used for training and testing of IDS due to its good structure and availability [3], [4]. Because of these shortcomings, the presented results do not illustrate the behavior of the system in a real-world environment, but it does reflect its possibilities. In general case, the performance of the implemented system highly depends on the training data. In the following text Sections 2 gives the survey and comparison of machine learning techniques deployed for intrusion detection. Section 3 details the implementation if the system. Section 4 presents the benchmark KDD99 training and testing dataset, Evaluating Sequential Combination of Two Genetic Algorithm-Based Solutions 149 evaluates the performance of the system using this dataset and discusses the results. Finally, the conclusions are drawn in Section 5. 2 Machine Learning Techniques for Intrusion Detection – Survey and Comparison In the recent past there has been a growing recognition of intelligent techniques for the construction of efficient and reliable intrusion detection systems. A complete survey of these techniques is hard to present at this point, since there are more than hundred IDS based on machine learning techniques. Some of the best-performed techniques used in the state-of-the-art apply GA [4], combination of neural networks and C4.5 [11], genetic programming (GP) ensemble [12], support vector machines [13] or fuzzy logic [14]. All of the named techniques have two steps: training and testing. The systems have to be constantly retrained using new data since new attacks are emerging every day. The advantage of all GA or GP-based techniques lies in their easy retraining. It’s enough to use the best population evolved in the previous iteration as initial population and repeat the process, but this time including new data. Thus, our system is inherently adaptive which is an imperative quality of an IDS. Furthermore, GAs are intrinsically parallel, since they have multiple offspring, they can explore the solution space in multiple directions at once. Due to the parallelism that allows them to implicitly evaluate many schemas at once, GAs are particularly well-suited to solving problems where the space of all potential solutions is too vast to search exhaustively in any reasonable amount of time, as network data. GA-based techniques are appropriate for dealing with rare classes. As they work with populations of candidate solutions rather than a single solution and employ stochastic operators to guide the search process, GAs cope well with attribute interactions and avoid getting stuck in local maxima, which together make them very suitable for dealing with classifying rare classes [5]. We have gone further by deploying standard F-measure as fitness function. F-value is proven to be very suitable when dealing with rare classes [5]. F-measure is a combination of precision and recall. Rare cases and classes are valued when using these metrics because both precision and recall are defined with respect to a rare class. None of the GA or GP techniques stated above considers the problem of rare classes. A technique that considers the problem of rare classes is given in [15]. Their solution is similar to ours in the sense that they deploy a boosting technique, which also assumes creating a strong classifier by combining several weak classifiers. Furthermore, they present the results in the terms of F-measure. The advantage of our system is that we can train the parts of our system independently, while boosting algorithm trains its parts one after another. Finally, if we want to consider the possibility of hardware implementation using reconfigurable hardware, not all the systems are appropriate due to their sequential nature or high computational complexity. Due to the parallelism of our algorithm a hardware implementation using reconfigurable devices is possible. This can lead to lower implementation cost with higher level of adaptability compared to the existing solutions and reduced amount of time for system training and testing. 150 Z. Banković, S. Bojanić, and O. Nieto-Taladriz In short, the main advantage of our solution lies in the fact that it includes important characteristics (high accuracy and performance, dealing with rare classes, inherent adaptability, feasibility of hardware implementation) in one solution. We are not familiar with any existing solution that would cover all the characteristics mentioned above. 3 System Implementation The implemented IDS is a serial combination of two IDSs. The complete system is presented in Fig. 1. The first part is a linear classifier that classifies connections into normal ones and potential attacks. Due to its very low false-negative rate, the decision that it makes on normal connections is considered correct. But, as it exhibits high false-positive rate, if it opts for an attack, it has to be re-checked. This re-checking is performed by a rule-based system whose rules are trained to recognize normal connections. This part of the system exhibits very low false-positive rate, i.e. the probability for an attack to be incorrectly classified as a normal connection is very low. In this way, the achieved false-positive rate of the entire system is significantly reduced while maintaining high detection rate. As our system is trained and tested on KDD99 dataset, the election of the most important features is performed once at the beginning of the process. Implementation for a real-world environment, however, would require performing the feature selection process before each process of training. Fig. 1. Block Diagram of the Complete System The linear classifier is based on a linear combination of three features. The features are identified as those that have the highest possibility to take part in an attack by deploying PCA [1]. The details of PCA algorithm are explained in [16]. The selected features and their explanations are presented in Table 1. Table 1. The features used to describe the attacks Name of the feature duration src_bytes dst_host_srv_serror_rate Explication length (number of seconds) of the connection number of data bytes from source to destination percentage of connections that have “SYN” errors The linear classifier is evolved using GA algorithm [9]. Each chromosome, i.e. potential solution to the problem, in the population consists of four genes, where the first Evaluating Sequential Combination of Two Genetic Algorithm-Based Solutions 151 three represent coefficients of the linear classifier and the fourth one the threshold value. The decision about the current connection is made according to the formula (1): gene(1)*con(duration)+gene(2)*con(src_bytes)+ gene(3)*con(dst_host_srv_serror_rate)<gene(4) (1) where con(duration), con(src_bytes) and con(dst_host_srv_serror_rate) are the values of the duration, src_bytes and dst_host_srv_serror_rate feature of the current connection. The linear classifier is trained using incremental GA [9]. The population contains 1000 individuals which were trained during 300 generations. The mutation rate was 0.1 while the crossover rate was 0.9. The previous numbers were chosen after number of experiments. Increasing the size of the population and the number of generations stopped when it not bring significant performance improvement. The type of crossover deployed was uniform crossover, i.e. a new individual had equal chances to contain either of the genes of both of its parents. The performance measurement, i.e. the fitness function, was the squared percentage of the correctly classified connections, i.e. according to the formula: ⎛ count ⎞ ⎟⎟ fitness = ⎜⎜ ⎝ numOfCon ⎠ 2 (2) where count is the number of correctly classified connections, while numOfCon is the number of connections in the training dataset. The squared percentage was chosen rather than the simple percentage value because the achieved results were better. The result of this GA was its best individual which forms the first part of the system presented in Fig.1. The second part of the system (Fig. 1) is a rule-based system, where simple if-then rules for recognizing normal connections are evolved. The most important features were taken over from the results obtained in [2] using Multi Expression Programming (MEP). The features and their explanations are listed in Table 2. Table 2. The features used to describe normal connections Name of the feature service hot logged in Explication Destination service (e.g. telnet, ftp) number of hot indicators 1 if successfully logged in; 0 otherwise An example of a rule can be the following one: if (service=”http” and hot=”0” and logged_in=”0”) then normal; The rules are trained using incremental GA with the same parameters used for the linear classifier. Each 3-gene chromosome represents a rule, where the value of each gene is the value of its corresponding feature. But, the population used in this case contained 500 individuals, as no improvements were achieved with larger populations. The result of the training was a set of 200 best-performing rules. The fitness function in this case was the F-value with the parameter 0.8: 152 Z. Banković, S. Bojanić, and O. Nieto-Taladriz fitness = 1.8 * recall * precision TP TP , precision = , recall = 0.8 * precision + recall TP + FP TP + FN (3) where TP, FP and FN stand for the number of true positives, false positives and false negatives respectively. The system presented here was implemented in C++ programming language. The software for this work used the GAlib genetic algorithm package, written by Matthew Wall at the Massachusetts Institute of Technology [10]. The time of training the implemented system is 185 seconds while the testing process takes 45 seconds. The reason for short time of training lies in deploying incremental GA whose population is not big all the time, i.e. it is growing after each iteration. The system was demonstrated on AMD Athlon 64 X2 Dual Core Processor 3800+ with 1GB RAM memory on its disposal. 4 Results 4.1 Training and Testing Datasets The dataset contains 5000000 network connection records. A connection is a sequence of TCP packets starting and ending at defined times, between which data flows from a source IP to a target IP under certain protocol [6]. The training portion of the dataset ( “kdd_10_percent”) contains 494021 connections of which 20% are normal (97277), and the rest (396743) are attacks. Each connection record contains 41 independent fields and a label (normal or type of attack). Attacks belong to the one of the four attack categories: user to root, remote to local, probe, and denial of service. The testing dataset (“corrected”) provides a dataset with a significantly different statistical distribution than the training dataset (250436 attacks and 60593 normal connections) and contains an additional 14 attacks not included in the training dataset. The most important flaws of the mentioned dataset are given in the following [7]. The dataset contains biases that may be reflected in the performance of the evaluated systems, for example the skewed nature of the attack distribution. None of the sources explaining the dataset contains any discussion of data rates, and its variation with time is not specified. There is no discussion of whether the quantity of data presented is sufficient to train a statistical anomaly system or a learning-based system. Furthermore, in [8] is demonstrated that the transformation model used for transforming raw DARPA’s network data to a well-featured data item set is ‘poor’. Here ‘poor’ refers to the fact that some attribute values are the same in different data items that have different class labels. Due to this, some of the attacks can’t be classified correctly. 4.2 Obtained Rates The system was trained using “kdd_10_percent” and tested on “corrected” dataset. The obtained results are summarized in Table 3. The last column gives the value of classical F-measure so that learning results could be easily compared with a unique feature for both recall and precision. The false-positive rate is reduced from 40.7% to Evaluating Sequential Combination of Two Genetic Algorithm-Based Solutions 153 1.4%, while the detection rate has reduced for only 0.15%. The increasing of F-value is also exhibited. Table 3. The performance of the whole system and its parts separately System Linear Classifier Rule-based Whole system Detection rate Num. Per.(%) 231030 92.25 45504 75.1 230625 92.1 False Positive Rate Num. Per.(%) 24628 40.7 5537 2.2 862 1.4 F-measure 0.913 0.815 0.96 The adaptability of the system was tested as well. At first, the system was trained with a subset of “kdd_10_percent” (250000 connections out of 491021). The generated rules were taken as the initial generation and re-trained with the remaining data of “kdd_10_percent” dataset. Both of the systems were tested on “corrected” dataset. The system exhibited improvements in both detection and false positive rate. The improvements are presented in the Table 4. Table 4. The performance of the system after re-training System Trained with a subset Re-trained with the rest of the training data Detection rate Num. Per.(%) 183060 73.1 231039 92.3 False Positive rate Num. Per.(%) 1468 2.4 862 1.4 Fmeasure 0.84 0.96 The drawbacks of the dataset have influenced the gained rates. As a comparison, the detection rate of the system tested on the same data that it was trained on, i.e. “kdd_10_percent”, is 99.2% comparing to the detection rate of 92.1% after testing the system using “corrected” dataset. Thus, the dataset deficiencies stated previously in this section had negative effects on the rates obtained in this work. 5 Conclusions In this work a novel approach consisting in a serial combination of two GA-based IDSes is introduced. The properties including adaptability of the resulting system were analyzed. The resulting system exhibits very good characteristics in the terms of both detection and false-positive rate and the F-measure. The implementation of the system has been performed in a way that corresponds well to the deployed dataset mostly in the terms of the chosen features. In a real system this does not have to be the case. Thus, an implementation of the system for a real-world environment has to be adjusted in the sense that the set of the chosen features has to be changed according to the environmental changing. Due to the inherent high parallelism of the presented system, there is a possibility of its implementation using reconfigurable hardware. This will result in a highperformance real-word implementation with considerably lower implementation cost, 154 Z. Banković, S. Bojanić, and O. Nieto-Taladriz size and power consumption compared to the existing solutions. Part of the future work will consist in pursuing hardware implementation of the presented system. Acknowledgements. This work has been partially funded by the Spanish Ministry of Education and Science under the project TEC2006-13067-C03-03 and by the European Commission under the FastMatch project FP6 IST 27095. References 1. Banković, Z., Stepanović, D., Bojanić, S., Nieto-Taladriz, O.: Improving Network Security Using Genetic Algorithm Approach. Computers & Electrical Engineering 33(5-6), 438–451 2. Grosan, C., Abraham, A., Chis, M.: Computational Intelligence for light weight intrusion detection systems. In: International Conference on Applied Computing (IADIS 2006), San Sebastian, Spain, pp. 538–542 (2006); ISBN: 9728924097 3. Gong, R.H., Zulkernine, M., Abolmaesumi, P.: A Software Implementation of a Genetic Algorithm Based Approach to Network Intrusion Detection. In: Proceedings of SNPD/SAWN 2005 (2005) 4. Chittur, A.: Model Generation for an Intrusion Detection System Using Genetic Algorithms (accessed in 2006), http://www1.cs.columbia.edu/ids/ publications/gaids-thesis01.pdf 5. Weiss, G.: Mining with rarity: A unifying framework. SIGKDD Explorations 6(1), 7–19 (2004) 6. http://kdd.ics.uci.edu/ (October 1999) 7. McHugh, J.: Testing Intrusion Detection Systems: A Critique of the 1998 and 1999 DARPA IDS Evaluation as Performed by Lincoln Laboratory. ACM Trans. on Information and System security 3(4), 262–294 (2000) 8. Bouzida, Y., Cuppens, F.: Detecting known and novel network intrusion. In: IFIP/SEC 2006 21st International Information Security Conference, Karlstad, Sweden (2006) 9. Goldberg, D.E.: Genetic algorithms for search, optimization, and machine learning. Addison-Wesley, Reading (1989) 10. GAlib, A.: C++ Library of Genetic Algorithm Components, http://lancet.mit.edu/ga/ 11. Pan, Z., Chen, S., Hu, G., Zhang, D.: Hybrid Neural Network and C4.5 for Misuse Detection. In: Proceedings of the Second International Conference on Machine Learning and Cybernetics, November 2003, vol. 4, pp. 2463–2467 (2003) 12. Folino, G., Pizzuti, C., Spezzano, G.: GP Ensemble for Distributed Intrusion Detection Systems. In: Singh, S., Singh, M., Apte, C., Perner, P. (eds.) ICAPR 2005. LNCS, vol. 3686. Springer, Heidelberg (2005) 13. Laskov, P., Düssel, P., Schäfer, C., Rieck, K.: Learning Intrusion Detection: Supervised or Unsaupervised? In: Roli, F., Vitulano, S. (eds.) ICIAP 2005. LNCS, vol. 3617, pp. 50–57. Springer, Heidelberg (2005) 14. Yao, J.T., Zhao, S.L., Saxton, L.V.: A Study on Fuzzy Intrusion Detection. Data mining, intrusion detection, information assurance and data networks security (2005) 15. Chawla, N.V., Lazarevic, A., Hall, L.O., Bowyer, K.: SMOTEBoost: Improving prediction of the minority class in boosting. In: Proceedings of Principles of Knowledge Discovery in Databases (2003) 16. Fodor, I.K.: A Survey of Dimension Reduction Techniques, http://llnl.gov/CASC/sapphire/pubs Agents and Neural Networks for Intrusion Detection Álvaro Herrero and Emilio Corchado Department of Civil Engineering, University of Burgos C/ Francisco de Vitoria s/n, 09006 Burgos, Spain {ahcosio, escorchado}@ubu.es Abstract. Up to now, several Artificial Intelligence (AI) techniques and paradigms have been successfully applied to the field of Intrusion Detection in Computer Networks. Most of them were proposed to work in isolation. On the contrary, the new approach of hybrid artificial intelligent systems, which is based on the combination of AI techniques and paradigms, is probing to successfully address complex problems. In keeping with this idea, we propose a hybrid use of three widely probed paradigms of computational intelligence, namely Multi-Agent Systems, Case Based Reasoning and Neural Networks for Intrusion Detection. Some neural models based on different statistics (such as the distance, the variance, the kurtosis or the skewness) have been tested to detect anomalies in packet-based network traffic. The projection method of Curvilinear Component Analysis has been applied for the first time in this study to perform packet-based intrusion detection. The proposed framework has been probed through anomalous situations related to the Simple Network Management Protocol and normal traffic. Keywords: Multiagent Systems, Case Based Reasoning, Artificial Neural Networks, Unsupervised Learning, Projection Methods, Computer Network Security, Intrusion Detection. 1 Introduction Firewalls are the most widely used tools for securing networks, but Intrusion Detection Systems (IDS’s) are becoming more and more popular [1]. IDS’s monitor the activity of the network with the purpose of identifying intrusive events and can take actions to abort these risky events. A wide range of techniques have been used to build IDS’s. On the one hand, there have been some previous attempts to take advantage of agents and Multi-Agent Systems (MAS) [2] in the field of Intrusion Detection (ID) [3], [4], [5], including the mobile-agents approach [6], [7]. On the other hand, some different machine learning models – including Data Mining techniques and Artificial Neural Networks (ANN) – have been successfully applied for ID [8], [9], [10], [11]. Additionally, some other Artificial Intelligence techniques (such as Genetic Algorithms and Fuzzy Logic, Genetic Algorithms and K-Nearest Neighbor (K-NN) or KNN and ANN among others) [12] [13] have been combined in order to face ID from a hybrid point of view. This paper employs a framework based on a dynamic multiagent architecture employing deliberative agents capable of learning and evolving with the environment [14]. These agents may incorporate different identification or projection algorithms depending on their goals. In this case, a neural model based on E. Corchado et al. (Eds.): CISIS 2008, ASC 53, pp. 155–162, 2009. springerlink.com © Springer-Verlag Berlin Heidelberg 2009 156 Á. Herrero and E. Corchado the study of some statistical features (such as the variance, the interpoint distance or the skew and kurtosis indexes) will be embedded in such agents. One of the main novelties of this paper is the application of Curvilinear Component Analysis (CCA) for packet-based intrusion detection. The overall architecture of this paper is the following: Section 2 outlines the ID multiagent system, section 3 describes the neural models applied in this research, section 4 presents some experimental results and finally section 5 goes over some conclusions and future work. 2 Agent-Based IDS An ID framework, called Visualization Connectionist Agent-Based IDS (MOVICABIDS) [14] and based on software agents [2] and neural models, is introduced. This MAS incorporates different types of agents; some of the agents have been designed as CBR-BDI agents [15], [16] including an ANN for ID tasks, while some others are reactive agents. CBR-BDI agents use Case Based Reasoning (CBR) systems [17] as a reasoning mechanism, which allows them to learn from initial knowledge, to interact autonomously with the environment, users and other agents within the system, and to have a large capacity for adaptation to the needs of its surroundings. MOVICAB-IDS includes deliberative agents using a CBR architecture. These CBR-BDI agents work at a high level with the concepts of Believes, Desires and Intentions (BDI) [18]. CBR-BDI agents have learning and adaptation capabilities, what facilitates their work in dynamic environments. The extended version of the Gaia methodology [19] was applied, and some roles and protocols where identified after the Architectural Design Stage [14]. The six agent classes identified in the Detailed Design Stage were: SNIFFER, PREPROCESSOR, ANALYZER, CONFIGURATIONMANAGER, COORDINATOR and VISUALIZER. 2.1 Agent Classes The agent classes previously mentioned are described in the following paragraphs. Sniffer Agent This reactive agent is in charge of capturing traffic data. The continuous traffic flow is captured and split into segments in order to send it through the network for further process. As these agents are the most critical ones, there are cloned agents (one per network segment) ready to substitute the active ones when they fail. Preprocessor Agent After splitting traffic data, the generated segments are preprocessed to apply subsequent analysis. Once the data has been preprocessed, an analysis for this new piece of data is requested. Analyzer Agent This is a CBR-BDI agent embedding a neural model within the adaptation stage of its CBR system that helps to analyze the preprocessed traffic data. This agent is based on the application of different neural models allowing the projection of network data. In this paper, PCA [20], CCA [21], MLHL [22] and CHMLHL [23] (See Section 3) have Agents and Neural Networks for Intrusion Detection 157 been applied for comparison reasons. This agent generates a solution (getting an adequate projection of the preprocessed data) by retrieving a case and analyzing the new one using a neural network. Each case incorporates several features, such as segment length (in ms), total number of packets and neural model parameters among others. A further description of the CBR four steps for this agent can be found in [14]. ConfigurationManager Agent The processes of data capture, split, preprocess and analysis depends on the values of several parameters, as for example: packets to capture, segment length, features to extract... This information is managed by the CONFIGURATIONMANAGER reactive agent, which is in charge of providing this information to some other agents. Coordinator Agent There can be several instances (from 1 to m) of the ANALYZER class of agent. In order to improve the efficiency and perform a real-time processing, the preprocessed data must be dynamically and optimally assigned to ANALYZER agents. This assignment is performed by the COORDINATOR agent. Visualizer Agent At the very end of the process, this interface agent presents the analyzed data to the network administrator by means of a functional and mobile visualization interface. To improve the accessibility of the system, the administrator may visualize the results on a mobile device, enabling informed decisions to be taken anywhere and at any time. 3 Neural Projection Models Projection models are used as tools to identify and remove correlations between problem variables, which enable us to carry out dimensionality reduction, visualization or exploratory data analysis. In this study, some neural projection models, namely PCA, MLHL, CMLHL and CCA have been applied for ID. Principal Component Analysis (PCA) [20] is a standard statistical technique for compressing data; it can be shown to give the best linear compression of the data in terms of least mean square error. There are several ANN which have been shown to perform PCA [24], [25], [26]. It describes the variation in a set of multivariate data in terms of a set of uncorrelated variables each of which is a linear combination of the original variables. Its goal is to derive new variables, in decreasing order of importance, which are linear combinations of the original variables and are uncorrelated with each other. Curvilinear Component Analysis (CCA) [21] is a nonlinear dimensionality reduction method. It was developed as an improvement on the Self Organizing Map (SOM) [27], trying to circumvent the limitations inherent in some linear models such as PCA. CCA is performed by a self-organised neural network calculating a vector quantization of the submanifold in the data set (input space) and a nonlinear projection of these quantising vectors toward an output space. As regards its goal, the projection part of CCA is similar to other nonlinear mapping methods, as it minimizes a cost function based on interpoint distances in both input and output spaces. Quantization and nonlinear mapping are separately performed: firstly, the input vectors are forced to become prototypes of the distribution 158 Á. Herrero and E. Corchado using a vector quantization (VQ) method, and then, the output layer builds a nonlinear mapping of the input vectors. Cooperative Maximum Likelihood Hebbian Learning (CMLHL) [23] extends the MLHL model [22] that is a neural implementation of Exploratory Projection Pursuit (EPP). The statistical method of EPP [28] linearly project a data set onto a set of basis vectors which best reveal the interesting structure in data. MLHL identifies interestingness by maximising the probability of the residuals under specific probability density functions which are non-Gaussian. CMLHL extends the MLHL paradigm by adding lateral connections [23], which have been derived from the Rectified Gaussian Distribution [29]. The resultant model can find the independent factors of a data set but does so in a way that captures some type of global ordering in the data set. 4 Experiments and Results In this work, the above described neural models have been applied to a real traffic data set [11] containing “normal” traffic and some anomalous situations. These anomalous situations are related to the Simple Network Management Protocol (SNMP), known by its vulnerabilities [30]. Apart from “normal” traffic, the data set includes: SNMP ports sweeps (scanning of network hosts at different ports - a random port number: 3750, and SNMP default port numbers: 161 and 162), and a transfer of information stored in the Management Information Base (MIB), that is, the SNMP database. This data set contains only five variables extracted from the packet headers: timestamp (the time when the packet was sent), protocol, source port (the port of the source host that sent the packet), destination port (the destination host port number to which the packet is sent) and size: (total packet size in Bytes). This data set was generated in a medium-sized network so the “normal” and anomalous traffic flows were known in advance. As SNMP is based on UDP, only 5866 UDP-based packets were included in the dataset. In this work, the performance of the previously described projection models (PCA, CCA, MLHL and CMLHL) has been analysed and compared through this dataset (See Figs. 1 and 2.). PCA was initially applied to the previously described dataset. The PCA projection is shown in Fig. 1.a. After analysing this projection, it is discovered that the normal traffic evolves in parallel straight lines. According to the parallelism to normal traffic, PCA is only able to identify the port sweeps (Groups 3, 4 and 5 in Fig. 1.b). On the contrary, it fails to detect the MIB information transfer (Groups 1 and 2 in Fig. 1.b) because the packets in this anomalous situation evolve in a direction parallel to the “normal” one. Fig. 1.b shows the MLHL projection of the dataset. Once again, the normal traffic evolves in parallel straight lines. There are some other groups (Groups 1, 2, 3, 4 and 5 in Fig. 1.a) evolving in an anomalous way. In this case, all the anomalous situations contained in the dataset can be identified due to their non-parallel evolution to the normal direction. Additionally, in the case of the MIB transfer (Groups 1 and 2 in Fig. 1.b), the high concentration of packets must be considered as an anomalous feature. Agents and Neural Networks for Intrusion Detection 159 Normal direction Normal direction Group 1 Group 1 Group 3 Group 4 Group 3 Group 4 Group 5 Group 5 Group 2 Group 2 (a) (b) Group 4 Group 1 Group 5 Group 3 Group 3 Group 4 Group 2 Group 2 Group 1 Normal direction (c) (d) Fig. 1. (a) PCA projection. (b) MLHL projection. (c) CMLHL projection. (d) CCA (Euclidean dist.) projection. It can be seen in Fig. 1.c how the CMLHL model is able to identify the two anomalous situations contained in the data set. As in the case of MLHL, the MIB information transfer (Groups 1 and 2 in Fig. 1.a) is identified due to its orthogonal direction with respect to the normal traffic and to the high density of packets. The sweeps (Groups 3, 4 and 5 in Fig. 1.a) are identified due to their non-parallel direction to the normal one. Several experiments were conducted to apply CCA to the analysed data set; tuning the different options and parameters, such as type of initialization, epochs and distance criterion. The best (from a projection point of view) CCA result, based on the Standardized Euclidean Distance, is depicted on Fig. 2. There’s a marked contrast between the behavioral pattern shown by the normal traffic in previous projections and the evolution of normal traffic in the CCA projection. In the latter, some of the packets belonging to normal traffic do not evolve in parallel straight lines. That is the case of groups 1 and 2 in Fig. 2. The anomalous traffic shows an abnormal evolution once again (Groups 3 and 4 in Fig. 2), so it is not as clear as in previous projections to distinguish the anomalous traffic from the “normal” one. 160 Á. Herrero and E. Corchado Group 3 Group 1 Group 4 Group 2 Fig. 2. CCA projection (employing Standardized Euclidean distance) For comparison purposes, a different CCA projection for the same dataset is shown on Fig. 1.d. This projection is based on simple Euclidean Distance. The anomalous situations can not be identified in this case as the evolution of the normal and anomalous traffic is similar. Different distance criteria such as Cityblock, Humming and some others were tested as well. None of them surpass the Standardized Euclidean Distance, whose projection is shown on Fig. 2. 5 Conclusions and Future Work The use of embedded ANN in the deliberative agents of a dynamic MAS let us take advantage of some of the properties of ANN (such as generalization) and agents (reactivity, proactivity and sociability) making the ID task possible. It is worth mentioning that, as in other application fields, the tuning of the different neural models is of extreme importance. Although the neural model can get a useful projection, a wrong tuning of the model can lead to a useless outcome, as is the case of Fig 1.d. We can conclude as well that CMLHL outperforms MLHL, PCA and CCA. This probes the intrinsic robustness of CMLHL, which is able to properly respond to a complex data set that includes time as a variable. Further work will focus on the application of high-performance computing clusters. Increased system power will be used to enable the IDS to process and display the traffic data in real time. Acknowledgments. This research has been partially supported by the project BU006A08 of the JCyL. Agents and Neural Networks for Intrusion Detection 161 References 1. Chuvakin, A.: Monitoring IDS. Information Security Journal: A Global Perspective 12(6), 12–16 (2004) 2. Wooldridge, M., Jennings, N.R.: Agent theories, architectures, and languages: A survey. Intelligent Agents (1995) 3. Spafford, E.H., Zamboni, D.: Intrusion Detection Using Autonomous Agents. Computer Networks: The Int. Journal of Computer and Telecommunications Networking 34(4), 547– 570 (2000) 4. Hegazy, I.M., Al-Arif, T., Fayed, Z.T., Faheem, H.M.: A Multi-agent Based System for Intrusion Detection. IEEE Potentials 22(4), 28–31 (2003) 5. Dasgupta, D., Gonzalez, F., Yallapu, K., Gomez, J., Yarramsettii, R.: CIDS: An agentbased intrusion detection system. Computers & Security 24(5), 387–398 (2005) 6. Wang, H.Q., Wang, Z.Q., Zhao, Q., Wang, G.F., Zheng, R.J., Liu, D.X.: Mobile Agents for Network Intrusion Resistance. In: Shen, H.T., Li, J., Li, M., Ni, J., Wang, W. (eds.) APWeb Workshops 2006. LNCS, vol. 3842, pp. 965–970. Springer, Heidelberg (2006) 7. Deeter, K., Singh, K., Wilson, S., Filipozzi, L., Vuong, S.: APHIDS: A Mobile AgentBased Programmable Hybrid Intrusion Detection System. In: Karmouch, A., Korba, L., Madeira, E.R.M. (eds.) MATA 2004. LNCS, vol. 3284, pp. 244–253. Springer, Heidelberg (2004) 8. Laskov, P., Dussel, P., Schafer, C., Rieck, K.: Learning Intrusion Detection: Supervised or Unsupervised? In: Roli, F., Vitulano, S. (eds.) ICIAP 2005. LNCS, vol. 3617, pp. 50–57. Springer, Heidelberg (2005) 9. Liao, Y.H., Vemuri, V.R.: Use of K-Nearest Neighbor Classifier for Intrusion Detection. Computers & Security 21(5), 439–448 (2002) 10. Sarasamma, S.T., Zhu, Q.M.A., Huff, J.: Hierarchical Kohonenen Net for Anomaly Detection in Network Security. IEEE Transactions on Systems Man and Cybernetics, Part B 35(2), 302–312 (2005) 11. Corchado, E., Herrero, A., Sáiz, J.M.: Detecting Compounded Anomalous SNMP Situations Using Cooperative Unsupervised Pattern Recognition. In: Duch, W., Kacprzyk, J., Oja, E., Zadrożny, S. (eds.) ICANN 2005. LNCS, vol. 3697, pp. 905–910. Springer, Heidelberg (2005) 12. Middlemiss, M., Dick, G.: Feature Selection of Intrusion Detection Data Using a Hybrid Genetic Algorithm/KNN Approach. In: Design and Application of Hybrid Intelligent Systems, pp. 519–527. IOS Press, Amsterdam (2003) 13. Kholfi, S., Habib, M., Aljahdali, S.: Best Hybrid Classifiers for Intrusion Detection. Journal of Computational Methods in Science and Engineering 6(2), 299–307 (2006) 14. Herrero, Á., Corchado, E., Pellicer, M., Abraham, A.: Hybrid Multi Agent-Neural Network Intrusion Detection with Mobile Visualization. In: Innovations in Hybrid Intelligent Systems. Advances in Soft Computing, vol. 44, pp. 320–328. Springer, Heidelberg (2007) 15. Corchado, J.M., Laza, R.: Constructing Deliberative Agents with Case-Based Reasoning Technology. International Journal of Intelligent Systems 18(12), 1227–1241 (2003) 16. Pellicer, M.A., Corchado, J.M.: Development of CBR-BDI Agents. International Journal of Computer Science and Applications 2(1), 25–32 (2005) 17. Aamodt, A., Plaza, E.: Case-Based Reasoning - Foundational Issues, Methodological Variations, and System Approaches. AI Communications 7(1), 39–59 (1994) 18. Bratman, M.E.: Intentions, Plans and Practical Reason. Harvard University Press, Cambridge (1987) 162 Á. Herrero and E. Corchado 19. Zambonelli, F., Jennings, N.R., Wooldridge, M.: Developing Multiagent Systems: the Gaia Methodology. ACM Transactions on Software Engineering and Methodology 12(3), 317–370 (2003) 20. Pearson, K.: On Lines and Planes of Closest Fit to Systems of Points in Space. Philosophical Magazine 2(6), 559–572 (1901) 21. Demartines, P., Herault, J.: Curvilinear Component Analysis: A Self-Organizing Neural Network for Nonlinear Mapping of Data Sets. IEEE Transactions on Neural Networks 8(1), 148–154 (1997) 22. Corchado, E., MacDonald, D., Fyfe, C.: Maximum and Minimum Likelihood Hebbian Learning for Exploratory Projection Pursuit. Data Mining and Knowledge Discovery 8(3), 203–225 (2004) 23. Corchado, E., Fyfe, C.: Connectionist Techniques for the Identification and Suppression of Interfering Underlying Factors. Int. Journal of Pattern Recognition and Artificial Intelligence 17(8), 1447–1466 (2003) 24. Oja, E.: A Simplified Neuron Model as a Principal Component Analyzer. Journal of Mathematical Biology 15(3), 267–273 (1982) 25. Sanger, D.: Contribution Analysis: a Technique for Assigning Responsibilities to Hidden Units in Connectionist Networks. Connection Science 1(2), 115–138 (1989) 26. Fyfe, C.: A Neural Network for PCA and Beyond. Neural Processing Letters 6(1-2), 33–41 (1997) 27. Kohonen, T.: The Self-Organizing Map. Proceedings of the IEEE 78(9), 1464–1480 (1990) 28. Friedman, J.H., Tukey, J.W.: A Projection Pursuit Algorithm for Exploratory DataAnalysis. IEEE Transactions on Computers 23(9), 881–890 (1974) 29. Seung, H.S., Socci, N.D., Lee, D.: The Rectified Gaussian Distribution. Advances in Neural Information Processing Systems 10, 350–356 (1998) 30. Cisco Secure Consulting. Vulnerability Statistics Report (2000) Cluster Analysis for Anomaly Detection Giuseppe Lieto, Fabio Orsini, and Genoveffa Pagano System Management, Inc. Italy [email protected], [email protected], [email protected] Abstract. This document presents a technique of traffic analysis, looking for attempted intrusion and information attacks. A traffic classifier aggregates packets in clusters by means of an adapted genetic algorithm. In a network with traffic homogenous over the time, clusters do not vary in number and characteristics. In the event of attacks or introduction of new applications the clusters change in number and characteristics. The set of data processed for the test are extracted from traffic DARPA, provided by MIT Lincoln Labs and commonly used to test effectiveness and efficiency of systems for Intrusion Detection. The target events of the trials are Denial of Service and Reconaissance. The experimental evidence shows that, even with an input of unrefined data, the algorithm is able to classify, with discrete accuracy, malicious events. 1 Introduction Anomaly detection techniques are based on traffic experience retrieval on the network to protect, so that abnormal traffic, both in quantity and in quality, can be detected. Almost all approaches are based on anti-intrusion system learning of what is normal traffic: anything different from the normal traffic is malicious or suspect. The normal traffic classification is made analyzing: • Application level content, with a textual characterization; • The whole connection and packet headers, usually using clustering techniques; • Traffic quantity and connections transition frequencies, by modelling the users behaviour in different hours, according to the services and the applications they use. 1.1 Anomaly Detection with Clustering on Header Data The most interesting studies are related to learning algorithms without human supervision. They classify the traffic in different clusters [3], each of them contains strongly correlated packets. Packets characterization is based on header fields, while the cluster creation can be realized with different algorithms. All the traffic that doesn’t belong to normal clusters, is classified as abnormal; the following step is to distinguish between abnormal and malicious traffic. Traffic characterization starts with data mining and creation of multidimensional vectors, called feature vectors, whose components represent the instance dimensions. The choice of relevant attributes for the instances is really important for the characterization and many studies focus on the evaluation of the best techniques for features choice. E. Corchado et al. (Eds.): CISIS 2008, ASC 53, pp. 163–169, 2009. springerlink.com © Springer-Verlag Berlin Heidelberg 2009 164 G. Lieto, F. Orsini, and G. Pagano The approach chosen in [4] considers the connections as an unique entity, containing several packets. In that way is possible to retrieve from network data information as the observing domain, the hosts number, the active applications, the number of users connected to a host or to a service. The approach introduced above is the most used one. Anyway there are classification trials based on raw data. An interesting study field is DoS attack detection: such attacks produce an undistinguishable traffic. [1] proposes a defence based on edge routers, that can create different queues for malicious packets and normal traffic. The distinction takes place through an anomaly detection algorithm that classifies the normal traffic using a kmeans clustering, based on observation of the statistic trend of the traffic. Experimental results state that, during a DoS attack, new denser, more populated and bigger clusters are created. Even the sudden increase in density of an existing cluster can mean an attach is ongoing, if it is observed together with an immediate variation of the single features mean values. The different queues allow to shorten up the normal connection time; moreover, without the need to stop the suspect connection, the band dedicated to DoS traffic decreases (because of long queues), together with the effects on resources management. In our approach, we choose a genetic clustering technique, Unsupervised Niche Clustering [2], to classify the network traffic. UNC uses an evolutionary algorithm with a niching strategy, allowing to maintain genetic niches as candidate clusters, rather than loosing awareness of little groups of strongly peculiar genetic individuals, that would end up extinguished using a traditional evolutionary algorithm. Analysing the traffic, we applied the algorithm to several groups of individuals, monitoring the formation of new clusters and the trend of the density in already existing clusters [1]. Moreover, we observed the trend in the number of clusters extracted from a fixed number of individuals. The two approaches were tested during normal network activities and then compared to the results obtained during a DoS attack or a reconnaissance activity. 2 Description of the Algorithm: Unsupervised Niche Clustering Unsupervised Niche Clustering aims at searching the solution space for any number of clusters. It maintains dense areas in the solution space using an evolutionary algorithm and a niching tecnique. As in nature, niches represent subspaces of the environment that support different types of individuals with similar genetic characteristics. 2.1 Encoding Scheme Each individual represents a candidate cluster: it is characterized by the center, an individual in n dimensions, a robust measure of the scale and its fitness. Table 1. Feature vector of each individual Genome Guyi= (gi1, gi2, … , gin) Scale Σ²i Fitness fi Cluster Analysis for Anomaly Detection 165 2.2 Genetic Operators and Scale At the very first step, scale is assigned to each individual in an empirical way: we assume i-th individual is the center, that is the mean value, of a cluster containing all the individuals in the solution space. For each generation parents and offspring, update their scale in a recursive manner, according to equation (1): (1) (2) where wij represents a robust weight measuring how much the j-th individual belongs to i-th cluster; dij is the Euclidean distance of j-th individual from the center of i-th cluster; N is the number of individuals in the solution space. At the moment of their birth, children inherit their closest parent’s scale. Generation of an offspring is made by two genetic operators: crossover and mutation. In our work we implemented one-point crossover to each dimension, combining the most significant bits of one parent with the least significant ones of the second parent. Mutation could modify each bit of the genome with a given probability: in our case, we chose the mutation probability was 0.001. Equation (1) maximizes fitness value (3) for i-th cluster. 2.3 Fitness Function Fitness, for i-th individual, is represented by the density of a hypotetical cluster, having i-th individual as its center (3) 2.4 Niching UNC uses Deterministic Crowding (DC) to create and maintain niches. DC steps are: 1. 2. 3. 4. choose the couple of parents apply crossover and mutation calculate the distance from each parent to each child couple one child with one parent, so that the sum of the two distances parentchild is minimized 5. in each couple parent-child, the one with the best fitness survives, and the other is discarded from the population 166 G. Lieto, F. Orsini, and G. Pagano Through DC, evaluation of child’s fitness for surviving is not simply obtained comparing it to the closest parent’s fitness: such an approach keeps the comparisons within a limited solution space. In addition, we analysed a conservative approach for step1. The parents where chosen so that their distance was under a fixed threshold, and their fitness had the same order of magnitude, in a way to maintain genetic diversity. Coupling between very far individuals, having highly different fitness values, would quickly extinguish the weakest individual, loosing notion of evolutionary niches. 2.5 Extraction of the Cluster Centers The final cluster centers are individuals in the final population with fitness greater than a given value: in our case, greater than the mean fitness of the entire population. 2.6 Cluster Characterization Assignment of each individual to a cluster does not follow a binary logic; fuzzy logic is applied instead. Clusters don’t have a radius, but we assigned to each individual a degree of belonging to each cluster. Member functions of the fuzzy set are Gaussian functions in equation (4) (4) where mean value in the center of the cluster, and the scale of the center coincides with the scale of the belonging Gaussian function. An individual will be considered as belonging to the cluster which maximizes the belonging function (4). 3 Data Set For the correct exploration of a solutions space, the genomes must correctly represent the physical reality under study. Our work can be divided according to the following phases: • We created an instrument to extract network traffic data. • We investigated the results of a genetic clustering without any data manipulation, in order to observe if header raw data could correctly represent the network traffic population, without any human understanding of attribute meaning. This approach proved to be completely different from the analytic one proposed in [4]. • We observed the clusters centres evolution to detect DoS and scanning attacks. • All data were extracted from tcpdump text files, obtained from a real network traffic; the packets have been studied starting from the third level of the TCP/IP stack. Cluster Analysis for Anomaly Detection 167 This choice causes the lack of the information of the link between Ip address and physical address, contained in ARP tables. • The headers values were extracted, separated, and converted in long integers. Ip addresses, were divided in two separated segments and later converted because of the maximum representation capacity of our computers. • From a single data set we implemented an object made up of the whole population under exam. The choice of the headers fields and the population size has been taken using a heuristic method. 4 Experimental Results We focused on attacks as denial of Service and scanning activities. Our data set was extracted from DARPA, build by Lincoln Lab in MIT in Boston., USA. 4.1 Experimentation 1 The first example is an IP sweep attack: the attacker sends an ICMP packet to each machine, in order to discover if they’re on at the moment of the attack. We applied the algorithm to an initial train of 5000 packets; then, we monitored the trend of the centers on following trains of 1000 packets. Fig. 1. Trends of clusters for Neptune attack 168 G. Lieto, F. Orsini, and G. Pagano As the number of clusters won’t be predefined, we related each cluster representative of a train with the closest belonging to the following train of packets. About not assigned centers, we calculated the minimum distance from the preceding clusters. We observed that ICMP clusters can never be assigned to a preceding train of packets, and their minimum distance is far larger than any other not assigned clusters. In figure 1, the evolution of normal clusters, and the isolated cluster created during the attack, the red one. The three dimensions are transport layer protocol, destination and source port. We identified the attack, when a not assigned cluster’s minimum distance was higher than a threshold value. We had the same results in a Port Sweep attack. Anyway, we faced some false positive, in presence of DNS requests: this could be avoided accurately assigning weight functions to balance the different kinds of normal traffic in the network. 4.2 Experimentation 2 The second case we analysed was a Neptune attack, it causes a denial of service, flooding the target machine with syn TCP packets, and never finalizing the three way handshake. Handling an attack producing a huge number of packets, we expected a Table 2. Evolution of the cluster centers during Neptune attack Train number Attack 1 2 3 4 5 6 No No No Yes Yes Yes Colour in fig. 2 1 2 Population Number of Clusters 5000 1000 1000 1000 1000 1000 18 13 13 21 2 2 3 4 5 6 Scale 6,00E+08 4,00E+08 2,00E+08 0,00E+00 1 2 3 4 5 6 Data set Fig. 2. Dispersion around the centers in each train of packets Average Scale of the Clusters in the Train 2.37E+08 4.35E+08 5.29E+08 5.95E+08 8.40E+07 1.70E+08 Cluster Analysis for Anomaly Detection 169 raise in the number of clusters calculated on the packet trains containing the attack, characterized by a density higher than the one observed during normal activities. In figure 2, we represent the clusters’ centers in each train of packets. We observed a strong contraction in the number of clusters. More over, the individuals in the population were very less dispersed around these centers than the normal centers. It’s evident that the center, though calculated from the same number of packets, diminish abruptly in number. More over, the dispersion around the centers diminishes as abruptly, as seen in figure 3. 5 Conclusions Experimental results show that our algorithm can identify new events happening in trains of packets of a given small number: its sensitivity applies to attacks producing a large number of homogenous packets. Evolutionary approach proved to be feasible, stressing a trend in traffic: thanks to the recombination of data and to the random component, the cluster centers can be identified in genomes not present in the initial solution space. Using a hill climbing procedure, UNC selects the fittest individuals, preserving evolutionary niches generation by generation; by monitoring the evolution of the centers, we had a robust approach against the noise, compared to a statistical approach to clustering: individuals not representative of an evolutionary niche have a low probability of surviving. The performance of the algorithm can be improved by separately processing the traffic incoming and outgoing the network under analysis: this would help to keep under control the false positive rate. Moreover, the process of data mining from packet headers can be refined and improved, so to build a feature vector containing not only raw data from the header, but more refined data, containing knowledge about the network and its hosts, the connections, the services and so on. A different approach of the same algorithm could be monitoring the traffic and evaluating it compared to the existing clusters, rather than observing the evolution of the clusters: once the clusters are formed, a score of abnormality can be assigned to each individual under investigation, according to how much it belongs to each cluster of the solution space. In a few empirical tests, we simulated a wide range of attacks using Nessus tool: although some trains of anomalous packets show substantially normal scores, and the number of false positive is quite relevant, we observed that abnormal traffic has got a sensitive higher abnormal score than the normal traffic has, if referring to the mean values. References 1. Rouil, Chevrollier, Golmie: Unsupervised anomaly detection system using next-generation router architecture (2005) 2. Leon, Nasraoui, Gomez: Anomaly detection based on unsupervised niche clustering with application to network intrusion detection 3. Cerbara, I.: Cenni sulla cluster analysis (1999) 4. Lee, S.: A framework for constructing features and models for intrusion detection systems (2001) Statistical Anomaly Detection on Real e-Mail Traffic Maurizio Aiello1, Davide Chiarella1,2, and Gianluca Papaleo1,2 1 2 National Research Council, IEIIT, Genoa, Italy University of Genoa, Department of Computer and Information Sciences, Italy {maurizio.aiello,davide.chiarella, gianluca.papaleo}@ieiit.cnr.it Abstract. There are many recent studies and proposal in Anomaly Detection Techniques, especially in worm and virus detection. In this field it does matter to answer few important questions like at which ISO/OSI layer data analysis is done and which approach is used. Furthermore these works suffer of scarcity of real data due to lack of network resources or privacy problem: almost every work in this sector uses synthetic (e.g. DARPA) or pre-made set of data. Our study is based on layer seven quantities (number of e-mail sent in a chosen period): we analyzed quantitatively our network e-mail traffic (4 SMTP servers, 10 class C networks) and applied our method on gathered data to detect indirect worm infection (worms which use e-mail to spread infection). The method is a threshold method and, in our dataset, it identified various worm activities. In this document we show our data analysis and results in order to stimulate new approaches and debates in Anomaly Intrusion Detection Techniques. Keywords: Anomaly Detection Techniques; indirect worm; real e-mail traffic. 1 Introduction Network security and Intrusion Detection Systems have become one of the research focus with the ever fast development of the Internet and the growing of unauthorized activities on the Net. Intrusion Detection Techniques are an important security barrier against computer intrusions, virus infections, spam and phishing. In the known literature there are two main approaches to worm detection [1], [2]: misuse intrusion detection and anomaly intrusion detection. The first one is based upon the signature concept, it is more accurate but it lacks the ability to identify the presence of intrusions that do not fit a pre-defined signature, resulting not adaptive [3], [4]. The second one tries to create a model to characterize a normal behaviour: the system defines the expected network behaviour and, if there are significant deviations in the short term usage from the profile, raises an alarm. It is a more adaptive system, ready to counterattack new threats, but it has a high rate of false positives [5], [6], [7], [8], 9]. Theoretically Misuse and Anomaly detection integrated together can get the holistic estimation of malicious situations on a network. Which kind of threats spread via e-mails? Primarily we can say that the main ones are worms and viruses, spam and phishing. Let’s try to summarize the whole situation. At present Internet surpasses one billion users [10] and we witness more and more cyber criminal activities originate and misuse this worldwide network by using different tools: one of the most important and relevant is the electronic-mail. In fact E. Corchado et al. (Eds.): CISIS 2008, ASC 53, pp. 170–177, 2009. springerlink.com © Springer-Verlag Berlin Heidelberg 2009 Statistical Anomaly Detection on Real e-Mail Traffic 171 nowadays Internet users are flooded by a huge amount of emails infected with worms and viruses: indeed the majority of mass-mailing worms employ a Simple Mail Transfer Protocol engine as infection delivery mechanism, so in the last years, a multitude of worm epidemics has affected millions of networked computing devices [11]. Are worms a real and growing threat? The answer is simple and we can find it in the virulent events of the last years: we have in fact thousands hosts infected and billion dollars in damage [12]. Moreover recently we witness a merge between worm and spam activities: it has been estimated that 80% of spam is sent by spam zombies [13]: an event which can make us think that future time hides bad news. How can we neutralize all these menaces? In Intrusion Detection Techniques many types of research have been developed during years. Proposed Network Intrusion Detection Systems worked and work on information available on different TCP stack layers: Datalink ( e.g. monitoring ARP [14] ), Network (e.g. monitoring IP, BGP and ICMP [15], [16] ), Transport (e.g. monitoring DNS MX query [17,18]) and Application (e.g. monitoring System Calls[19,20] ). Sometimes, because of enormous relative features available on different levels researcher correlate information gathered on each level in order to improve the effectiveness of the detection system. In a similar way we propose to work with e-mail focusing our attention on quantities considering that all the three above phenomena have something in common: they all use SMTP [21] as proliferation medium. In this paper our goal is to present a dataset analysis which reflects the complete SMTP traffic sent by seven /24 network in order to detect worm and virus infections given that no user in our network is a spammer. Moreover we want to stress that the dataset we worked on is genuine and not a synthetic one ( like KDD 99 [22] and DARPA [23] ) so we hope that it might be inspiring to other researcher and that probably in the near future our work might produce a genuine data set at everyone’s disposal. The paper is structured as following. Section 2 introduces the analysis’ scenario. Section 3 discusses the dataset we worked on. Our analysis’ theory and methods are described in section 4, and our experimental results using our tools to analyze mail activities discussed in section 5. In section 6, we give our conclusion. 2 Scenario Our approach is highly experimental. In fact we work on eleven local area network (C class) interconnected by a layer three switch and directly connected to Internet (no NAT [24] policies, all public IP). In this network we have five different mail-servers, varying from Postfix to Sendmail. As every system administrator knows every server has its own kind of log and the main problem with log files is that every transaction is merged with the other ones and they are of difficult reading by a human beings: for this reason we focused our anomaly detection on a single Postfix mail-server, optimizing our efforts. Every mail is checked by an antivirus server (Sophos). To circumvent spam we have SpamAssassin [25] and Greylisting [26]. SpamAssassin is a software which uses a variety of mechanisms including header and text analysis, Bayesian filtering, DNS blocklists, and collaborative filtering databases to detect spam. A mail transfer agent which uses greylisting temporarily rejects email from 172 M. Aiello, D. Chiarella, and G. Papaleo unknown senders. If the mail is legitimate, the originating server will try again to send it later according to RFC, while a mail which is from a spammer, it will probably not be retried because very few spammers are RFC compliant. The few spam sources which re-transmit later are more likely to be listed in DNSBLs [27] and distributed signature systems. Greylisting and SpamAssassin reduced heavily our spam percentage. To make a complete description we must add that port 25 is monitored and filtered: in fact the hosts inside our network can’t communicate with a host outside our network on port 25 and an outsider can’t communicate with an our host on port 25. These restriction nullify two threats: the first one concerns the infected hosts which can become spam-zombie pc; the second one concerns the SMTP relaying misuse problem. In fact since we are a research institution almost all the hosts are used by a single person who detains root privileges, so she can eventually install a SMTP server. Only few of total hosts are shared among different people (students, fellow researcher etc.). We have a good balancing between Linux operating systems distribution and Windows ones. We focus our attention on one mail server which has installed a Postfix e-mail server. Every mail is checked by the antivirus server updated once an hour: this is an important fact because it assures that all the worms found during analysis are zero-day worm [28-30]. This server supplies service to 300 users with a wide international social network due to the research mission of our Institution [31]: this fact grant us a huge amount of SMTP traffic. 3 Dataset We analyze mail-server log of 1065 days length period (2 years and 11 months). To speed up the process we used LMA (Log Mail Analyzer [32]) to make the log more readable. LMA is a Perl program, open source, available on Sourceforge, which makes Postfix and Sendmail logs human readable. It reconstructs every single e-mail transaction spread across the mail server log and it creates a plain text file in a simpler format like. Every row represents a single transaction and it has the following fields: • Timestamp: it is the moment in which the e-mail has been sent: it is possible to have this information in Unix timestamp format or through the Julian format in standard date. • Client: it is the hostname of e-mail sender (HELO identifier). • Client IP: it is the IP of the sender’s host. • From: it is the e-mail address of the sender. • To: it is the e-mail address of the receiver. • Status: it is the server response (e.g. 450, 550 etc.). With this format is possible to find the moment in which the e-mail has been sent, the sender client name and IP, the from and to field of the e-mail and the server response. Lets make an example: if [email protected] send an e-mail on 23 march 2006 to [email protected] from X.X.2.235 and all the e-mail server transactions go successful we will have a record like this: 23/03/2006 X.X.2.235 [email protected] [email protected] 250 Statistical Anomaly Detection on Real e-Mail Traffic 173 As already said, we want to stress that our data is not synthetic and so it doesn’t suffer of bias of any form: it reflects the complete set of emails received by a single hightraffic e-mail server and it represents the overall view of a typical network operator. Furthermore, contrary to synthetic ones, it suffers of accidental hardware faults: can you say that a network topology is static and it is not prone to wanted and unwanted changes? Intrusion Detection evaluation dataset have some hypothesis, one of these is the never changing topology and immortal hardware health. As a matter of fact this is not true, this is not reality: Murphy’s Law holds true and strikes with extraordinary efficiency. In addition our data are only about SMTP flow and, due to the long-term monitoring, are a good snapshot of all-day life and, romantically, a silent witness of Internet growth and e-mail use growth. 4 Analysis Our analysis has been made on the e-mail traffic of ten C-class network in a period of 900 days, from January 2004 to November 2006. In our analysis, we work on the global e-mail flow in a given time interval. We use a threshold detection [33], like other software do (e.g. Snort ): if the traffic volume rises above a given threshold, the system triggers an alarm. The given threshold is calculated in a statistical way, where we determine the network normal e-mail traffic in selected slices of time: for example we take the activity of a month and we divide the month in five-minutes slices, calculating how many e-mails are normally sent in five minutes. After that, we check that the number of e-mails sent in a day during each interval don’t exceed the threshold. We call this kind of analysis base-line analysis. Our strategy is to study the temporal correlation between the present behaviour (maybe modified by the presence of a worm activity) of a given entity (pc, entire network) and its past behaviour (normal activity, no virus or worm presence). Before proceeding, however, we pre-process the data subtracting the mean to the values and cutting all the interval with a negative number of e-mails, because we wanted to obfuscate the no-activity and few activity periods, not interesting for our purposes. In other words we trashed all the time slices characterized by a number of e-mail sent below the month average, with the purpose of dynamically selecting activity periods (working hours, no holidays etc). If we didn’t perform this pre-processing we could have had an average which depended on night time, weekend or holidays duration. E-mails sent mean in 2004, before pre-processing, was 524 in a day for 339 activity day: after data pre-processing was 773 in a day for 179 activity day. After this we calculate the baseline activity of working hours according to the following: µ + 3σ. The mean and the variance are calculated for every month, modelling the network behaviour, taking into account every chosen time interval (e.g. we divide February in five-minutes slices, we count how many e-mails are sent in these periods and then we calculate the mean of these intervals). Values have been compared with the baseline threshold and if found greater than it they have been marked. Analyzing the first five months with a five minutes slice we found too many alerts and a lot of them exceeded the threshold only for few e-mails. So we thought to correlate the alerts found with a five minutes period with those found with an hour period, with the hypothesis that a worm which has infected a host sends a lot of e-mail both in a short period and in a bit 174 M. Aiello, D. Chiarella, and G. Papaleo longer period. To clarify the concept lets take the analysis for a month: April 2004 (see Fig. 1 and Fig. 2). The five minutes base-line resulted in 63 e-mails while the one hour base-line is 463. In five-minute analysis we found sixteen alerts, meanwhile in one-hour analysis only three. Why do we find a so big gap between the two approaches? In five-minutes analysis we have a lot of false alarms, due to the presence of e-mails sent to very large mailing lists while in one-hour analysis we find very few alarms, but these alarms result more significant because they represents a continuative violation of the normal (expected) activity. Correlating these results, searching the selected five-minutes periods in the five one-hour alert we detected that a little set of the five-minute alarms were near in the temporal line: after a deeper analysis, using our knowledge and experience on real user’s activity we concluded that it was a worm activity. Fig. 1. Example of e-mail traffic: hour base-line Fig. 2. Example of e-mail traffic: five minutes base-line 4.1 SMTP Sender Analysis Sometimes, peaks catch from flow analysis were e-mail sent to mailing list which are, as already said, bothersome hoaxes. This fact produced from analysis, where we analyze how many different e-mail address every host use: we look which from field is Statistical Anomaly Detection on Real e-Mail Traffic 175 used by every host. In fact an host, owned by a single person or few persons, is not likely to use a lot of different e-mail addresses in a short time and if it does so, it is highly considerable a suspicious behaviour. So we think that this analysis could be used to identify true positives, or to suggest suspect activity. Of course it isn’t so straight that a worm will change from field continuously, but it is a likely event. 4.2 SMTP Reject Analysis One typical feature of a malware is haste in spreading the infection. This haste leads indirect worms to send a lot of e-mail to unknown receivers or nonexistent e-mail address: this is a mistake that, we think, it is very important. In fact all e-mails sent to a nonexistent e-mail address are rejected by the mail-server, and they are tracked in the log. In this step of our work we analyze rejected e-mail flow: we work only on emails referred by internet server. By this approach we identified worm activity. Table 1. Experimental results Date Infected Host Analysis 28/01/04 18:00 X.X.6.24 Baseline, from, reject 29/01/04 10:30 X.X.4.24 From, reject 28/04/2004 14:58-15:03 X.X.7.20 Baseline, from, reject 28/04/2004 15:53-15:58 X.X.5.216 Baseline, from, reject 29/04/2004 09:08-10:03 X.X.6.36, X.X.7.20 Baseline, from, reject 04/05/2004 12:05-12:10 X.X.5.158 Baseline, from, reject 04/05/2004 13:15-13:25 X.X.5.158 Baseline, from, reject 31/08/04 14:51 X.X.3.234 Baseline, reject X.X.3.234 Baseline, reject X.X.3.101, X.X.3.200, X.X.3.234 X.X.5.123 Baseline, reject X.X.10.10 Baseline, from, reject X.X.10.10 Baseline, from, reject X.X.10.10 Baseline, from, reject X.X.10.10 Baseline, from, reject 31/08/04 17:46 23/11/04 11:38 22/08/05 17:13 22/08/05 17:43 22/08/05 20:18 22/08/05 22:08-22:13 176 M. Aiello, D. Chiarella, and G. Papaleo 5 Results The approach does detect 14 worms activity, mostly concentrated in 2004. We think that this fact is caused by new firewall policies introduced in 2005 and by the introduction of a second antivirus engine in our Mail Transfer Agent. Moreover in last years we haven’t got very large worm infection. The results we obtained are summarized in Table 1. 6 Conclusion Baseline analysis can be useful in identifying some indirect worm activity, but this approach need some integration by some other methods, because it lacks a complete vision of SMTP activity: this lack can be filled by methods which analyze some other SMTP aspects, like From and To e-mail field. In future this method can be integrated in an anomaly detection system to get more accuracy in detecting anomalies. Acknowledgments. This work was supported by National Research Council of Italy and University of Genoa. References 1. Axelsson, S.: Intrusion detection systems: A survey and taxonomy,Tech. Rep. 99-15, Chalmers Univ (March 2000) 2. Verwoerd, T., Hunt, R.: Intrusion detection techniques and approaches. Comput. Commun. 25(15), 1356–1365 (2002) 3. Ilgun, K., Kemmerer, R.A., Porras, P.A.: State transition analysis: A rule-based intrusion detection approach. IEEE Transactions on Software Engineering 21(3), 181–199 (1995) 4. Kumar, S., Spafford, E.H.: A software architecture to support misuse intrusion detection. In: Proceedings of the 18th National Information Security Conference, pp. 194–204 (1995) 5. Denning, D.E.: An intrusion detection model. IEEE Transactions on Software Engineering (1987) 6. Estvez-Tapiador, J.M., Garcia-Teodoro, P., Diaz-Verdejo, J.E.: Anomaly detection methods in wired networks: A survey and taxonomy. Comput. Commun. 27(16), 1569–1584 (2004) 7. Du, Y., Wang, W.-q., Pang, Y.-G.: An intrusion detection method using average hamming distance. In: Proceedings of the Third International Conference on Machine Learning and Cybernetics, Shanghai, 26-29 August (2004) 8. Anderson, D., Frivold, T., Valdes, A.: Next-generation intrusion detection expert system (NIDES). Computer Science Laboratory (SRI Intemational, Menlo Park, CA): Technical reportSRI-CSL-95-07 (1995) 9. Wang, Y., Abdel-Wahab, H.: A Multilayer Approach of Anomaly Detection for Email Systems. In: Proceedings of the 11th IEEE Symposium on Computers and Communications (ISCC 2006) (2006) 10. http://www.internetworldstats.com/stats.htm 11. http://en.wikipedia.org/wiki/ Notable_computer_viruses_and_worms Statistical Anomaly Detection on Real e-Mail Traffic 177 12. Moore, D., Paxson, V., Savage, S., Shannon, C., Staniford, S., Weaver, N.: Inside the slammer worm. IEEE Magazine of Security and Privacy, 33–39 (July/August 2003) 13. Leyden, J.: Zombie PCs spew out 80% of spam. The Register (June 2004) 14. Yasami, Y., Farahmand, M., Zargari, V.: An ARP-based Anomaly Detection Algorithm Using Hidden Markov Model in Enterprise Networks. In: Second International Conference on Systems and Networks Communications (ICSNC 2007) (2007) 15. Berk, V., Bakos, G., Morris, R.: Designing a Framework for Active Worm Detection on Global Networks. In: Proceedings of the first IEEE International Workshop on Information Assurance (IWIA 2003), Darmstadt, Germany (March 2003) 16. Bakos, G., Berk, V.: Early detection of internet worm activity by metering icmp destination unreachable messages. In: Proceedings of the SPIE Aerosense 2002 (2002) 17. Whyte, D., Kranakis, E., van Oorschot, P.C.: DNS-based Detection of Scanning Worms in an Enterprise Network. In: Proceedings of the 12th Annual Network and Distributed System Security Symposium, San Diego, USA, February 3-4 (2005) 18. Whyte, D., van Oorschot, P.C., Kranakis, E.: Addressing Malicious SMTP-based MassMailing Activity Within an Enterprise Network 19. Hofmeyr, S.A., Forrest, S., Somayaji, A.: Intrusion Detection using Sequences of System Calls. Journal of Computer Security 6(3), 151–180 (1998) 20. Cha, B.: Host anomaly detection performance analysis based on system call of NeuroFuzzy using Soundex algorithm and N-gram technique. In: Proceedings of the 2005 Systems Communications (ICW 2005) (2005) 21. http://www.ietf.org/rfc/rfc0821.txt 22. http://kdd.ics.uci.edu/databases/kddcup99/kddcup99.html 23. http://www.ll.mit.edu/IST/ideval/data/data_index.html 24. http://en.wikipedia.org/wiki/Network_address_translation 25. http://spamassassin.apache.org/ 26. Harris, E.: The Next Step in the Spam Control War: Greylisting 27. http://en.wikipedia.org/wiki/DNSBL 28. Crandall, J.R., Su, Z., Wu, S.F., Chong, F.T.: On Deriving Unknown Vulnerabilities from Zero-Day Polymorphic and Metamorphic Worm Exploits. In: CCS 2005, Alexandria, Virginia, USA, November 7–11 (2005) 29. Portokalidis, G., Bos, H.: SweetBait: Zero-Hour Worm Detection and Containment Using Honeypots 30. Akritidis, P., Anagnostakis, K., Markatos, E.P.: Efficient Content-Based Detection of Zero-DayWorms 31. http://www.cnr.it/sitocnr/home.html 32. http://lma.sourceforge.net/ 33. Behaviour-Based Network Security Goes Mainstream, David Geer, Computer (March 2006) On-the-fly Statistical Classification of Internet Traffic at Application Layer Based on Cluster Analysis Andrea Baiocchi1, Gianluca Maiolini2, Giacomo Molina1, and Antonello Rizzi1 1 INFOCOM Dept., University of Roma “Sapienza” Via Eudossiana 18 - 00184 Rome, Italy [email protected], [email protected], [email protected] 2 ELSAG Datamat – Divisione automazione sicurezza e trasporti, Via Laurentina 760 – 00143 Rome, Italy [email protected] Abstract. We address the problem of classifying Internet packet flows according to the application level protocol that generated them. Unlike deep packet inspection, which reads up to application layer payloads and keeps track of packet sequences, we consider classification based on statistical features extracted in real time from the packet flow, namely IP packet lengths and inter-arrival times. A statistical classification algorithm is proposed, built upon the powerful and rich tools of cluster analysis. By exploiting traffic traces taken at the Networking Lab of our Department and traces from CAIDA, we defined data sets made up of thousands of flows for up to five different application protocols. With the classic approach of training and test data sets we show that cluster analysis yields very good results in spite of the little information it is based on, to stick to the real time decision requirement. We aim to show that the investigated applications are characterized from a ”signature” at the network layer that can be useful to recognize such applications even when the port number is not significant. Numerical results are presented to highlight the effect of major algorithm parameters. We discuss complexity and possible exploitation of the statistical classifier. 1 Introduction As broadband communications widen the range of popular applications, there is an increasing demand of fast traffic classification means according to the services data is generated by. The specific meaning of service depends on the context and purpose of traffic classifications. In case of traffic filtering for security or policy enforcement purposes, service can be usually identified with application layer protocol. However, many kind of different services exploit http or ssh (e.g. file transfer, multimedia communications, even P2P), so that a simple header based filter (e.g. exploiting the IP address and TCP/UDP port numbers) may be inadequate. Traffic classification at application level can be therefore based on the analysis of the entire packets content (header plus payload), usually by means of finite state machine schemes. Although there are widely available software tools for such a classification approach (e.g. L7filter, BRO, Snort), they can hardly catch up with high speed links and are usually inadequate for backbone use (e.g. Gbps links). E. Corchado et al. (Eds.): CISIS 2008, ASC 53, pp. 178–185, 2009. springerlink.com © Springer-Verlag Berlin Heidelberg 2009 On-the-fly Statistical Classification of Internet Traffic 179 The solution based on port analysis is becoming ineffective because of applications running on non-standard ports (e.g. peer-to-peer). Furthermore, traffic classification based on deep packet inspection is resource-consuming and hard to implement on high capacity links (e.g. Gbps OC links). For these reasons, different approaches to traffic classification have been developed, using all the information available at network layer. Some proposals ([4], [5]), however, need semantically complete TCP flows as input: we target a real-time tool, able to classify the application layer protocol of a TCP connection by observing just the first few packets of the connection (hereinafter referred to as a flow). A number of works [5], [6], [7] rely on unsupervised learning techniques. The only features they use is packets size and packets direction: they demonstrate the effectiveness of these algorithms even using a small number of packets (e.g. the first four of a TCP connection). We believe that even packets inter-arrival time contains pieces of information relevant to address the classification problem. We provide a way to exalt the information contained in inter-arrival times, preserving the real-time characteristic of the approach described in [7]: we try to clean the interarrival time (as better explained in section 3) assessing the contribution of network congestion, to exalt the time depending on the application layer protocol. The paper is organized as follows. In Section 2 the classification problem is defined and notation is introduced. Section 3 is devoted to the description of the traffic data sets used for the defined algorithm assessment and the numerical evaluation. The cluster analysis based statistical classifier is defined in Section 4. Numerical examples are given in Section 5 and final remarks are stated in Section 6. 2 Problem Statement In this paper, we focus on the classification of IP flows generated from network applications communicating through TCP protocol as HTTP, SMTP, POP3, etc. With this in mind, we define flow F as the unidirectional, ordered sequence of IP packets produced either by the client towards the server, or by the server towards the client during an application layer session. The server-client flow FServer will be composed of (NServer + 1) IP packets, from PK0 to PKNserver , where PKj represents the j-th IP packet sent by the server to the client; the corresponding client-server flow FClient will be composed by (NClient + 1) IP packets. At the IP layer, each flow F can be characterized as an ordered sequence of N pairs Pi = (Ti ; Li), with 1 < i < N, where Li represents the size of PKi (including TCP/IP Header) and Ti represents the inter-arrival time between PKi-1 and PKi. In our study we consider only semantically complete TCP flows, namely flows starting with SYN or SYN-ACK TCP segment (respectively for client-to-server and server-to-client direction). Because of the limited number of packets considered in this work, we don’t care about the FIN TCP segment to be observed. With this in mind, we aim to recognize a description of protocols (through clustering techniques): such a description should be based on the first few packets of the flows and should be able to strongly characterize each analyzed protocol. The purpose of this work is the definition of an algorithm that takes as input a traffic flow from an unknown application and that gives as output the (probable) application responsible of its generation. 180 A. Baiocchi et al. 3 Dataset Description In this work, we focus our attention on five different application layer protocols, namely HTTP, FTP-Control, POP3, SMTP and SSH, which are among the most used protocols on the INTERNET. As for HTTP and FTP-Control (FTP-C in the following), we collected traffic traces in the Networking Lab at our Department. By means of automated tools mounted on machines within the Lab, thousands of web pages carefully selected have been visited in a random order, over thousands of web sites distributed in various geographical areas (Italy, Europe, North America, Asia). FTP sites have been addressed as well and control FTP session established with thousands remote servers, again distributed in a wide area. The generated traffic has been captured on our LAN switch; we verified that the TCP connections bottleneck was never the link connecting our LAN to the big Internet to avoid the measured inter-arrival times to be too noisy. This experimental set up, while allowing the capture of artificial traffic that (realistically) emulates user activity, gives us traces with reliable application layer protocol classification. Traffic flows for the other protocols (POP3, SMTP, SSH) are extracted form backbone traffic traces made available by CAIDA. Precisely, we randomically extracted flows from the OC-48 traces of the days 2002-08-14, 2003-01-15 and 2003-04-24. Due to privacy reasons, only anonymized packet traces with no payloads are made available. Regarding to SSH, it can be configured as an encrypted tunnel to transport every kind of applications. Even in its ”normal” behavior (remote management), it would have to be difficult to recognize a specific behavioral pattern due to its humaninteractive nature. For these reasons we expect that the classification results involving SSH flows will be worse than those without them. Starting from these traffic traces, and focusing our attention only to semantically complete server-client flows, we created two different data sets with 1000 flows for each application. Each flow in a data set is described by the following fields: • • a protocol label coded as an integer from 1 to 5; P ≥ 1 couples (Ti ; Li), where Ti is the inter-arrival time (difference between timestamps) of the (i – 1)-th and i-th packet of the considered flow and Li is the IP packet length of the i-th packet of the flow, i = 1,…, P. Inter-arrival times are in seconds, packet lengths are in bytes. The 0-th packet of a flow, used as a reference for the first inter-arrival time, is conventionally defined as the one carrying the SYN-ACK TCP segment for the server-toclient direction. The label in the first field is used as the target class for flows in both the training and test sets. The other 2P quantities are normalized and define a 2P-dimensional array associated to the considered flow. Normalization has to be done carefully: we choose to normalize packet lengths between 40 to 1500 bytes, which is the minimun/maximum observed length. As for inter-arrival times, normalization is done over an entire data-set of M flows making up a training or a test set. Let (T i ( j ) , L i ( j ) ) be the i-th couple of the j-th flow (i = 1,…, P ; j = 1,…,M). Then we let: On-the-fly Statistical Classification of Internet Traffic Tˆi ( j ) = Ti ( j ) − min Ti ( k ) 1≤ k ≤ M max Ti ( k ) − min Ti ( k ) 1≤ k ≤ M L ( j ) − 40 Lˆi ( j ) = i 1500 − 40 181 i = 1,..., P 1≤ k ≤ M (1) i = 1,..., P In the following we assume P = 5. A different version of this data set has also been used, so called pre-processed data set. In this last case, inter-arrival times are modified to be the differential inter-arrival times, obtained as DTi = Ti ¡ T0; i = 1,…,P, where T0 is the time elapsing between the packet carrying the TCP SYN-ACK of the flow and the next packet, most of times a presentation message (as for FTP-C) or an ACK (as for HTTP). So, T0 approximates the first RTT of the connection, including only time depending on TCP computation (as we have seen during our experimental setup). The differential delay can therefore be expressed as DTi = Ti − T0 ≈ RTTi − RTT0 + TAi (2) Where we account for the fact that T0 ≈ RTT0 and that Ti comprises the i-th RTT and in general an application dependent time, TAi. Hence, we expect that application layer protocol features are more evident in the pre-processed data set as compared to theplain one, since the contribution of the applications to interarrival times is usually much smaller than the average RTT in a wide area network. On the other hand, in case of differential inter-arrival times, the noise affecting the application dependent inter-arrival times is reduced to the RTT variation (zero on the average). 4 A Basic Classification System Based on Cluster Analysis In this section some details about the adopted classification system are exploited. Basically a classification problem can be defined as follows. Let P : X → L be an unknown oriented process to be modeled, where X is the domain set and the codomain L is a label set, i.e. a set in which it is not possible (or misleading) to define an ordering function and hence any dissimilarity measure between its elements. If P is a single value function, we will call it classification function. Let Str and Sts be two sets of input-output pairs, namely the training set and the test set. We will call instance of a classification problem a given pair (Str , Sts) with the constrain Str ∩ Sts =Ø . A classification system is a pair (M , TAi), where TA is the training algorithm, i.e. the set of instructions responsible for generating, exclusively on the basis of Str, a particular instance M¯ of the classification model family M, such that the classification error of M¯ computed on Sts will be minimized. The generalization capability, i.e. the capability to correctly classify any pattern belonging to the input space of the oriented process domain to be modeled, is for sure the most important desired feature of a classification system. From this point of view, the mean classification error on Sts 182 A. Baiocchi et al. can be considered as an estimate of the expected behavior of the classifier over all the possible inputs. In the following, we describe a classification system trained by an unsupervised (clustering) procedure. When dealing with patterns belonging to the Rn vectorial space we can adopt a distance measure, such as the Euclidean distance; moreover, in this case we can define the prototype of the cluster as the centroid (the mean vector) of all the patterns in the cluster, thanks to the algebraic structure defined in Rn. Consequently, the distance between a given pattern xi and a cluster Ck can be easily defined as the Euclidean distance d(xi ; µ k) where µ k is the centroid of the pattern belonging to Ck: µk = 1 mk ∑x i (3) xi ∈Ck A direct way to synthesize a classification model on the basis of a training set Str consists in partitioning the patterns in the input space (discarding the class label information) by a clustering algorithm (in our case, by the K-means). Successively, each cluster is labeled by the most frequent class among its patterns. Thus, a classification model is a set of labeled clusters (centroids); note that more than one cluster can be associated with the same label, i.e. a class can be represented by more than one cluster. Assuming to represent a floating point number with four bytes, the amount of memory needed to store a classification model is K · (4 · n + 1) bytes, where n is the input space dimension and assuming to code class labels with one byte. An unlabeled pattern x is classified by determining the closest centroid µ i (and thus the closest cluster Ci) and by labeling x with the same class label associated with Ci. It is important to underline that, since the initialization step of the K-Means is not deterministic, in order to compute a precise estimation of the performance of the classification model on the test set Sts, the whole algorithm must be run several times, averaging the classification errors on Sts yielded by the different classification models obtained in each run. 5 Numerical Results In this section we provide numerical results of the classification algorithm. We investigated two groups of applications, the first containing HTTP, FTP-C, POP3 and SMTP, the second including also SSH. Using the non preprocessed data set (hereinafter referred as original) we obtain a classification accuracy on Sts comparable with that achievable with port-based classification. This happens because the effect of RTT almost completely covers the information carried from inter-arrival times. In Table 1 and 2 are listed the global results and the individual contributions of the protocols to the average value. Using the pre-processed data set we obtain much better results, in particular for the case with only 4 protocols as we can see in Table 3 and Table 4. An important thing to consider is the complexity of the classification model, namely the number of clusters used. The performance does not significantly increase after 20 clusters (Fig. 2 and Fig. 3): this means we can achieve good results with a simple model that requires On-the-fly Statistical Classification of Internet Traffic 183 Table 1. Average classification accuracy vs # Clusters, P=5, # flows (training+test)=1000, original data set Table 2. Average classification accuracy vs # Clusters, P=5, # flows (training+test) =1000, original data set Table 3. Average classification accuracy vs # Clusters, P=5, # flows (training+test)=1000, preprocessed data set not much computation. We can see from Table 4 the negative impact SSH has on the overall classification accuracy, mainly because it is a human-driven protocol, hard to characterize with few hundreds of flows. Moreover, we can see that SSH suffers of overfitting problems, as the probability of success decreases as the number of clusters increases. 184 A. Baiocchi et al. Table 4. Average classification accuracy vs # Clusters, P=5, # flows (training+test)=1000, preprocessed data set Extending the data sets with unknown traffic, the classification probability is significantly reduced. Although the performance of the overall classification accuracy decreases, we can see in Table 5 the effect of unknown traffic. This means that our classifier is not mistaking flows of the considered protocols, but is just raising the false positive classifications due to unknown traffic, erroneously labeled as known traffic. Table 5. Average classification accuracy vs # Clusters, P=5, # flows (training+test)=1000, preprocessed data set with HTTP, FTP-C, POP3, SMTP, SSH, Unknown 6 Concluding Remarks In this work we present a model that could be useful to address the problem of traffic classification. To this end, we use only (poor) information available at network layer, namely packets size and inter-arrival times. In the next future we plan to better test the performances of this model, mainly extending the data sets we use to a greater number of protocols. We are also planning to collect traffic traces from our Department link to be able to accurately classify all protocols we want to analyze through payload analysis. Moreover, we will have to enforce the C-means algorithm to automatically select the optimal number of clusters relatively to the used data set. The following step will On-the-fly Statistical Classification of Internet Traffic 185 be the use of more recent and powerful fuzzy-like algorithms to achieve better performances in a real environment. Acknowledgments. Authors thank Claudio Mammone for his development work of the software package used in the collection of part of traffic traces analysed in this work. References 1. Karagiannis, T., Papagiannaki, K., Faloutsos, M.: BLINC: Multilevel traffic classification in the dark. In: Proc. of ACM SIGCOMM 2005, Philadelphia, PA, USA (August 2005) 2. Crotti, M., Dusi, M., Gringoli, F., Salgarelli, L.: Traffic Classification through Simple Statistical Fingerprinting. ACM SIGCOMM Computer Communication Review 37(1), 5–16 (2007) 3. Wright, C., Monrose, F., Masson, G.: On Inferring Application Protocol Behaviors in Encrypted Network Traffic. Journal of Machine Learning Research (JMLR): Special issue on Machine Learning for Computer Security 7, 2745–2769 (2006) 4. Moore, A.W., Zuev, D.: Internet traffic classification using Bayesian analysis techniques. In: ACM SIGMETRICS 2005, Banff, Alberta, Canada (June 2005) 5. McGregor, A., Hall, M., Lorier, P., Brunskill, J.: Flow clustering using machine learning techniques. In: PAM 2004, Antibes Juan-les-Pins, France (April 2004) 6. Zander, S., Nguyen, T., Armitage, G.: Automated traffic classification and application identification using machine learning. In: LCN 2005, Sydney, Australia (November 2005) 7. Bernaille, L., Teixeira, R., Salamatian, K.: ’Early Application Identification. In: Proceedings of CoNEXT (December 2006) Flow Level Data Mining of DNS Query Streams for Email Worm Detection Nikolaos Chatzis and Radu Popescu-Zeletin Fraunhofer Institute FOKUS, Kaiserin-Augusta-Allee 31, 10589 Berlin, Germany {nikolaos.chatzis,radu.popescu-zeletin}@fokus.fraunhofer.de Abstract. Email worms remain a major network security concern, as they increasingly attack systems with intensity using more advanced social engineering tricks. Their extremely high prevalence clearly indicates that current network defence mechanisms are intrinsically incapable of mitigating email worms, and thereby reducing unwanted email traffic traversing the Internet. In this paper we study the effect email worms have on the flow-level characteristics of DNS query streams a user machine generates. We propose a method based on unsupervised learning and time series analysis to early detect email worms on the local name server, which is located topologically near the infected machine. We evaluate our method against an email worm DNS query stream dataset that consists of 68 email worm instances and show that it exhibits remarkable accuracy in detecting various email worm instances1. 1 Introduction Email worms remain an ever-evolving threat, and unwanted email traffic traversing the Internet steadily escalates [1]. This causes network congestion, which results in loss of service or degradation in the performance of network resources [2]. In addition, email worms populate almost exclusively the monthly top threat lists of antivirus companies [3,4], and are used to deliver Trojans, viruses, and phishing attempts. Email worms rely mainly on social engineering to infect a user machine, and then they exploit information found on the infected machine about the email network of the user to spread via email among social contacts. Social engineering is a nontechnical kind of intrusion, which depends on human interaction to break normal security procedures. This propagation strategy differs significantly from IP address scanning propagation; therefore, it renders network detection methods that look for high rates at which unique destination addresses are contacted [5], or high number of failed connections [6], or high self-similarity of packet contents [7] incapable of detecting this class of Internet worms. Likewise, Honeypot-based systems [8], which provide a reliable anti-scanning mechanism, are not effective against email worms. Commonly applied approaches like antivirus and antispam software and recipient or message based rules have two deficiencies. They suffer from poor detection time 1 The research leading to these results has received funding from the European Community's Seventh Framework Programme (FP7/2007-2013) under grant agreement no. 216585 (INTERSECTION Project). E. Corchado et al. (Eds.): CISIS 2008, ASC 53, pp. 186–194, 2009. © Springer-Verlag Berlin Heidelberg 2009 springerlink.com Flow Level Data Mining of DNS Query Streams for Email Worm Detection 187 against novel email worm instances because they entail non-trivial human labour in order to develop a signature or a rule, and go to no lengths to reducing the unwanted email traffic traversing the Internet, as their target is to detect abusive email traffic in the network of the potential victim. In the past much research effort has been devoted to analyzing the traffic email worm-infected user machines generate [9-13]. These studies share the positive contribution that email worm infection affects at application layer the Domain Name System (DNS) traffic of a user machine. Detection methods based on this observation focus on straightforward application layer detection, which makes them suitable for detecting few specific outdated email worms. In this work we go a step beyond earlier work, and identify anomalies in DNS traffic that are common for email spreading malicious software, and as such they can serve as a strong basis for detecting various instances of email worms in the long run. We show that DNS query streams that non-infected user machines generate share at flow level many of the same canonical behaviours, while email worms rely on similar spreading methods that generate DNS traffic that share common patterns. We present a detection method that builds on unsupervised learning and time series analysis, and uses the wavelet transform in a different way than this often proposed in the Internet traffic analysis literature. We experiment with 68 worm instances that appeared in the wild between April 2004 and July 2007 to show that flow-level characteristics remain unaltered in the long run, and that our method is remarkably accurate. Inspecting packets at flow level does not involve deep packet analysis. This ensures user privacy, renders our approach unaffected by encryption and keeps the processing overhead low, which is a strong requirement for busy, high-speed networks. Moreover, DNS query streams consist of significantly less data than the input of conventional network intrusion detection systems. This is advantageous, since high volumes of input data inevitably degrade the effectiveness of these systems [14]. Additionally, the efficiency and deployment ease of an in-network detection system increase as the topological proximity between the system and the user machines decreases. Local name servers are the first link of the chain of Internet connectivity. Moreover, detection at the local name server, which is located topologically near the infected machine, contributes to reducing unwanted traffic traversing the Internet. The paper is organized as follows. In Section 2, we discuss related work. In Section 3, we explain our method for detecting email worms by flow-level analysis of DNS query streams. In Section 4, we validate our approach by examining its detection capabilities over various worm instances. We conclude in Section 5. 2 Related Work Since our work builds on DNS traffic analysis for detecting email worms and security oriented time series analysis of Internet traffic signals using the wavelet transform we provide below the necessary background on these areas. Previously published work provides evidence that the majority of today’s open Internet operational security issues affect DNS traffic. In this section we concentrate solely on email worms and refer the interest reader to [15] for a thorough analysis. Wong et al. [11] analyze DNS traffic captured at the local name server of a campus 188 N. Chatzis and R. Popescu-Zeletin network during the outbreak of SoBig.F and MyDoom.A. Musashi et al. [12] present similar measurements for the same worms, and extend their work by studying Netsky.Q and Mydoom.S in [13]. Whyte et al. [9] focus on enterprise networks and measure the DNS activity of NetSky.Q. Despite, their positive contribution in proving that there exists a correlation between email worm infection and DNS traffic, the efficacy of the detection methods these studies propose would have been dwarfed, if the methods had been evaluated against various worm instances. Indeed, the methods presented in [9,11,12,13] are straightforward and focus on application layer detection. They propose that many queries for Mail eXchange (MX) resource records (RR) or the relative numbers of queries for pointer (PTR) RR, MX and address (A) RR a user machine generates give a telltale sign of email worm infection. Although this observation holds for the few email worm instances studied in each paper, it can not be generalized for detecting various email worm instances. Furthermore, these methods neglect that DNS queries carry user sensitive information, and due to the high processing overhead they introduce by analyzing packet payloads, they are not suitable for busy, high speed networks. Moreover, as any other volume based method they require an artificial boundary as threshold on which the decision whether a user machine is infected or not is taken. In [10] the authors argue that anomaly detection is a promising solution to detect email worm-infected user machines. They use Bayesian inference assuming a priori knowledge of worm signature DNS queries to detect email worm. However, such knowledge is not apparent, and if it was it would allow straightforward detection. The wavelet transform is a powerful tool, since its time and scale localization abilities make it ideally suited to detect irregular patterns in traffic traces. Although, many research papers appear that analyze Denial of Service (DoS) attack traffic [16,17] by means of wavelets, only a handful of papers deals with applying the wavelet transform on Internet worm signals [18,19]. Inspired by similar methodology, used to analyze DoS traffic, these papers concentrate solely on looking at worm traffic for repeating behaviors by means of the self-similarity parameter Hurst. In this work we present a method that accurately detects various email worms by analyzing DNS query streams at flow level. We show that flow-level characteristics remain unaltered in the long run. Flow-level analysis does not violate user privacy, renders our method unaffected by encryption, eliminates the need for not anonymized data; and makes our method suitable for high-speed network environments. In our framework, we see DNS query streams from different hosts as independent time series and use the wavelet transform as a dimensionality reduction tool rather than a tool for searching self-similar patterns on a single signal. 3 Proposed Approach Our approach is based on time series analysis of DNS query streams. Given the time series representation, we show by similarity search over time series using clustering that user machines’ DNS activity fall into two canonical profiles: legitimate user behaviour and email worm infected behaviour. DNS query streams generated by user machines share many of the same canonical behaviours. Likewise, email worms rely on similar spreading methods generating query streams that share common patterns. Flow Level Data Mining of DNS Query Streams for Email Worm Detection 189 3.1 Data Management As input, our method uses the complete set of DNS queries that a local name server received within an observation interval. Since we are not interested in application level information, we retain for each query the time of the query and the IP address of the requesting user machine. We group DNS queries per requesting user machine. For each user machine we consider successive time bins of equal width, and we count the DNS queries in each bin. Thereby, we get a set of univariate time series, where each one of them expresses the number of DNS queries of a user machine through time. The set of time series can be expressed as an n× p time series matrix; n is the number of user machines and p the number of time bins. 3.2 Data Pre-processing A time series of length p can be seen as a point in the p-dimensional space. This allows using multivariate data mining algorithms directly to time series data. However, most data mining algorithms, and in particular, clustering algorithms do not work well for time series. Working with each and every time point, makes the significance of distance metrics, which are used to measure the similarity between objects, questionable [20]. To attack this problem numerous time series representations have been proposed that facilitate extracting a feature vector from the time series. The feature vector is a compressed representation of the time series, which serves as input to the data mining algorithms. Although many representations have been proposed in the time series literature, only few of them are suitable for our framework. The fundamental requirement for our work is that clustering the feature vectors should result in clusters containing feature vectors of time series, which are similar in the time series space. The authors in [26] proved that in order for this requirement to hold the representation should satisfy the lower bounding lemma. In [21] the authors give an overview of the state of art in representations and highlight those that satisfy the lower bounding lemma. We opt to use the Discrete Wavelet Transform (DWT). Motivation for our choice is that the DWT representation is intrinsically multi-resolution and allows simultaneous time and frequency analysis. Furthermore, for time series typically found in practice, many of the coefficients in a DWT representation are either zero or very small, which allows for efficient compression. Moreover, DWT is applicable for analyzing non-stationary signals, and performs well in compressing sparse spike time series. We apply the DWT independently on each time series of the time series matrix using Mallat's algorithm [22]. The Mallat algorithm is of O(p) time complexity and decomposes a time series of length p, where p must be power of two, in log2p levels. The number of wavelet coefficients computed after decomposing a time series is equal to the number of time points of the original time series. Therefore, applying the DWT on each line of the time series matrix gives an n× p wavelet coefficient matrix. To reduce the dimensionality of the wavelet coefficient matrix, we apply a compression technique. In [23] the author gives a detailed description of four compression techniques. Two of them operate on each time series independently and suggest retaining the k first wavelet coefficients or the k largest coefficients in terms of absolute normalized value. Whereas the rest two are applicable to a set of n time series, so 190 N. Chatzis and R. Popescu-Zeletin directly to the wavelet coefficient matrix. The first suggests retaining the k columns of the matrix that have the largest mean squared value. The second suggests retaining for a given k the n × k largest coefficients of the wavelet coefficient matrix. In the interest of space, we present here experimental results only retaining the first k wavelet coefficients. This produces an n × k feature vector matrix. 3.3 Data Clustering We validate our hypothesis that DNS query streams generated by non-infected user machines share similar characteristics, and that these characteristics are dissimilar to those of email worm-infected user machines in two steps. First we cluster the rows of the feature vector matrix in two clusters. Then we examine if one cluster contains only feature vectors of non-infected user machines and the other only feature vectors of email worm-infected machines. We use hierarchical clustering, since it produces relatively good results, as it facilitates the exploration of data at different levels of granularity, and is robust to variations of cluster size and shape. Hierarchical clustering methods require the user to specify a dissimilarity measure. We use as dissimilarity measure the Euclidean distance, since it produces comparable results to more sophisticated distance functions [24]. Hierarchical clustering methods are categorized into agglomerative and divisive. Agglomerative methods start with each observation in its own cluster and recursively merge the less dissimilar clusters into a single cluster. By contrast, the divisive scheme starts with all observations in one cluster and subdivides them into smaller clusters until each cluster consists of only one observation. Since, we search for a small number of clusters we use the divisive scheme. The most commonly cited disadvantage of the divisive scheme is its computational cost. A divisive algorithm considers first all divisions of the entire dataset into two non-empty sets. There are 2(n-1) - 1 possibilities of dividing n observations in two clusters, which is intractable for many practical datasets. However, DIvisive ANAlysis (DIANA) [25] uses a splitting heuristic to limit the number of possible partitions, which results in O(n2). Given its quadratic time on the number of observations, DIANA scales poor with the number of observations, however we use it because it is the only divisive method generally available and in our framework it achieves clustering on a personal computer in computing time in the order of milliseconds. 4 Experimental Evaluation We set up an isolated computer cluster, and launch 68 out of a total of 164 email worms, which have been reported between April 2004 and July 2007 in the monthly updated top threat lists of Virus Radar [3] and Viruslist [4]. We capture over a period of eight hours the DNS query streams the infected machines generate to create – to the best of our knowledge – the largest email worm DNS dataset that has been up to date used to evaluate an in-network email worm detection method. As our isolated computer cluster has no real users, we merge the worm traffic with legitimate DNS traffic captured at the primary name server of our research institute, which serves daily between 350 and 500 users. We use three recent DNS log file fragments that we split in eight hour datasets and present here experiments with four datasets. Flow Level Data Mining of DNS Query Streams for Email Worm Detection 191 For each DNS query stream we consider a time series of length 512 with one minute time bins. We decompose the time series, compress the wavelet coefficient matrix, retain k wavelet coefficients to make the feature vector matrix, and cluster rows of the feature vector matrix in two clusters. In this paper we focus on showing that our method detects various instances of email worms; therefore, we assume that only one user machine is infected at each time. The procedure is shown in Fig.1. Time Series Wavelet Coef . Feature Vector Matrix Matrix 6444Matrix 74448 6444 4 74444 8 6444 74448 um −1 um −1 um −1 um −1 um −1 K ts512 ⎤ ⎡ wc1 K wc512 ⎤ ⎡ fv1 K fvkum −1 ⎤ ⎡ ts1 ⎥ ⎥ ⎢ ⎥ ⎢ ⎢ M ⎥ ⎢ M M ⎥ ⎢ M M ⎥ ⎢ M → → um − n ⎥ um − n ⎥ ⎢ fv1um − n K fvkum − n ⎥ ⎢ wc1um − n K wc512 ⎢ts1um − n K ts512 ⎥ ⎢ worm ⎥ ⎢ ⎥ ⎢ worm worm worm worm K ts512 K wc512 K fvkworm ⎦⎥ ts1 ⎥ ⎣⎢ fv1 ⎥ ⎣⎢ wc1 ⎦ ⎦ ⎣⎢1 44424443 1444 424444 3 144424443 ( n +1) × 512 ( n +1) × 512 ( n +1) × k k : 4 ,8 ,16 , 32 , 64 ,128 , 256 Fig. 1. We append one infectious time series to the non-infected user machines time series; decompose the time series to form the wavelet coefficient matrix, which we compress to get the feature vector matrix. This is input to the clustering analysis, which we repeat 4 Datasets × 7 Feature vector lengths × 68 Email Worms = 1904 times. We examine the resulting two-cluster scheme, and find that it comprises of one dense populated cluster and a low populated cluster. Our method detects an email worm, when its feature vector belongs to the low populated cluster. In Fig. 2 we present the false positive and false negative rates. Our method erroneously reports legitimate user activity as suspicious with less than 1% for every value of k, whereas worms are misclassified with less than 2%, if at least 16 wavelet coefficients are used. Fig. 2. False negative and false positive rates for detecting various instances of email worms over four different DNS datasets (DS1, DS2, DS3 and DS4), while retaining 4, 8, 16, 32, 64, 128 or 256 wavelet coefficients. With 16 or more wavelet coefficients both rates fall below 2%. 192 N. Chatzis and R. Popescu-Zeletin Fig. 3. Accuracy measures independently for each worm show that our method is remarkably accurate. Only k values lower or equal to the first that maximizes accuracy are plotted. With 16 or more wavelet coefficients only the Eyeveg.F email worm is not detected. In Fig. 3, using the accuracy statistical measure we look at the detection of each worm independently. Accuracy is defined as the proportion of true results – both true positives and true negatives – in the population, and measures the ability of our method to identify correctly email worm-infected and non-infected user machines. The accuracy is in the range between 0 and 1, where values close to 1 indicate good detection. In the interest of space we present here only results over one dataset. Our method fails to detect only one out of 68 total email worms i.e. Eyeveg.F for every k, while with more of 16 wavelet coefficients all other email worms are detected. 5 Conclusion Email worms and the high amount of email abusive traffic continue to be a serious security concern. This paper presented a method to early detect email worms in the local name server, which is topologically near the infected host by analyzing DNS query streams characteristics at flow level. By experimenting with various email worm instances we show that these characteristics remain unaltered in the long run. Our method builds on unsupervised learning and similarity search over time series using wavelets. Our experimental results show that our method identifies various email worm instances with remarkable accuracy. Future work calls for analysing DNS data from other networking environments to assess the detection efficacy of our method over DNS data that might have different flow-level characteristics, and investigating the actions that can be triggered at the local name server once an email worm-infected user machine has been detected to contain email worm propagation. References 1. Messaging Anti-Abuse Working Group: Email Metrics Report, http://www.maawg.org 2. Symantec: Internet Security Threat Report Trends (January-June 2007), http://www.symantec.com Flow Level Data Mining of DNS Query Streams for Email Worm Detection 193 3. ESET Virus Radar, http://www.virus-radar.com 4. Kaspersky Lab Viruslist, http://www.viruslist.com 5. Roesch, M.: Snort - Lightweight Intrusion Detection for Networks. In: LISA 1999, 13th USENIX Systems Administration Conference, pp. 229–238. USENIX (1999) 6. Paxson, V.: Bro: A System for Detecting Network Intruders in Real-Time. In: 7th Conference on USENIX Security Symposium. USENIX (1998) 7. Singh, S., Estan, C., Varghese, G., Savage, S.: The Earlybird System for Real-time Detection of Unknown Worms. Tech. Report CS2003-0761, University of California (2003) 8. Provos, N., Holz, T.: Virtual Honeypots: From Botnet Tracking to Intrusion Detection. Addison Wesley Professional, Reading (2007) 9. Whyte, D., van Oorschot, P., Kranakis, E.: Addressing Malicious SMTP-based Mass Mailing Activity within an Enterprise Network. Technical Report TR-05-06, Carleton University, School of Computer Science (2005) 10. Ishibashi, K., Toyono, T., Toyama, K., Ishino, M., Ohshima, H., Mizukoshi, I.: Detecting Mass-Mailing Worm Infected Hosts by Mining DNS Traffic Data. In: MineNet 2005 ACM SIGCOMM Workshop, pp. 159–164. ACM Press, New York (2005) 11. Wong, C., Bielski, S., McCune, J., Wang, C.: A Study of Mass-Mailing Worms. In: WORM 2004 ACM Workshop, pp. 1–10. ACM Press, New York (2004) 12. Musashi, Y., Matsuba, R., Sugitani, K.: Indirect Detection of Mass Mailing WormInfected PC Terminals for Learners. In: 3rd International Conference on Emerging Telecommunications Technologies and Applications, pp. 233–237 (2004) 13. Musashi, Y., Rannenberg, K.: Detection of Mass Mailing Worm-Infected PC Terminals by Observing DNS Query Access. IPSJ SIG Notes, pp. 39–44 (2004) 14. Schaelicke, L., Slabach, T., Moore, B., Freeland, C.: Characterizing the Performance of Network Intrusion Detection Sensors. In: Recent Advances in Intrusion Detection, 6th International Symposium, RAID. LNCS, pp. 155–172. Springer, Heidelberg (2003) 15. Chatzis, N.: Motivation for Behaviour-Based DNS Security: A Taxonomy of DNS-related Internet Threats. In: International Conference on Emerging Security Information Systems, and Technologies, pp. 36–41. IEEE, Los Alamitos (2007) 16. Dainotti, A., Pescape, A., Ventre, G.: Wavelet-based Detection of DoS Attacks. In: Global Telecommunications Conference, GLOBECOM 2006, pp. 1–6. IEEE, Los Alamitos (2006) 17. Li, L., Lee, G.: DDoS Attack Detection and Wavelets. In: 12th International Conference on Computer Communications and Networks, ICCCN 2003, pp. 421–427. IEEE, Los Alamitos (2003) 18. Chong, K., Song, H., Noh, S.: Traffic Characterization of the Web Server Attacks of Worm Viruses. In: Int. Conference on Computational Science, pp. 703–712. Springer, Heidelberg (2003) 19. Dainotti, A., Pescape, A., Ventre, G.: Worm Traffic Analysis and Characterization. In: International Conference on Communications, ICC 2007, pp. 1435–1442. IEEE, Los Alamitos (2007) 20. Aggarwal, C., Hinneburg, A., Keim, D.: On the Surprising Behavior of Distance Metrics in High Dimensional Space. In: 8th Int. Conf. on Database Theory. LNCS, pp. 420–434. Springer, Heidelberg (2001) 21. Bagnall, A., Ratanamahatana, C., Keogh, E., Lonardi, S., Janacek, G.: A Bit Level Representation for Time Series Data Mining with Shape Based Similarity. Data Min. and Knowl. Discovery 13(1), 11–40 (2006) 194 N. Chatzis and R. Popescu-Zeletin 22. Mallat, S.: A Theory for Multiresolution Signal Decomposition: The Wavelet Representation. IEEE Transactions on Pattern Analysis and Machine Intelligence 11(7), 674–693 (1989) 23. Mörchen, F.: Time Series Feature Extraction for Data Mining Using DWT and DFT. Technical Report No. 33, Dept. of Maths and CS, Philipps-U. Marburg (2003) 24. Keogh, E., Kasetty, S.: On the Need for Time Series Data Mining Benchmarks: A survey and empirical demonstration. Data Min. and Knowl. Discovery 7(4), 349–371 (2003) 25. Kaufman, L., Rousseeuw, P.: Finding Groups in Data: An Introduction to Cluster Analysis. Wiley, Chichester (1990) 26. Faloutsos, C., Ranganathan, M., Manolopoulos, Y.: Fast Subsequence Matching in Time Series Databases. In: ACM SIGMOD International Conference on Management of Data, pp. 419–429. ACM Press, New York (1994) Adaptable Text Filters and Unsupervised Neural Classifiers for Spam Detection Bogdan Vrusias and Ian Golledge Department of Computing, Faculty of Electronic and Physical Sciences, University of Surrey, Guildford, UK {b.vrusias,cs31ig}@surrey.ac.uk Abstract. Spam detection has become a necessity for successful email communications, security and convenience. This paper describes a learning process where the text of incoming emails is analysed and filtered based on the salient features identified. The method described has promising results and at the same time significantly better performance than other statistical and probabilistic methods. The salient features of emails are selected automatically based on functions combining word frequency and other discriminating matrices, and emails are then encoded into a representative vector model. Several classifiers are then used for identifying spam, and self-organising maps seem to give significantly better results. Keywords: Spam Detection, Self-Organising Maps, Naive Bayesian, Adaptive Text Filters. 1 Introduction The ever increasing volume of spam brings with it a whole series of problems to a network provider and to an end user. Networks are flooded every day with millions of spam emails wasting network bandwidth while end users suffer with spam engulfing their mailboxes. Users have to spend time and effort sorting through to find legitimate emails, and within a work environment this can considerably reduce productivity. Many anti-spam filter techniques have been developed to achieve this [4], [8]. The overall premise of spam filtering is text categorisation where an email can belong in either of two classes: Spam or Ham (legitimate email). Text categorisation can be applied here as the content of a spam message tends to have few mentions in that of a legitimate email. Therefore the content of spam belongs to a specific genre which can be separated from normal legitimate email. Original ideas for filtering focused on matching keyword patterns in the body of an email that could identify it as spam [9]. A manually constructed list of keyword patterns such as “cheap Viagra” or “get rich now” would be used. For the most effective use of this approach, the list would have to be constantly updated and manually tuned. Overtime the content and topic of spam would vary providing a constant challenge to keep the list updated. This method is infeasible as it would be impossible to manually keep up with the spammers. Sahami et al. is the first to apply a machine learning technique to the field of antispam filtering [5]. They trained a Naïve Bayesian (NB) classifier on a dataset of pre-categorised ham and spam. A vector model is then built up of Boolean values representing the existence of pre-selected attributes of a given message. As well as E. Corchado et al. (Eds.): CISIS 2008, ASC 53, pp. 195–202, 2009. © Springer-Verlag Berlin Heidelberg 2009 springerlink.com 196 B. Vrusias and I. Golledge word attributes, the vector model could also contain attributes that represent nontextual elements of a message. For example, this could include the existence of a nonmatching URL embedded in the email. Other non-textual elements could include whether an email has an attachment, the use of bright fonts to draw attention to certain areas of an email body and the use of embedded images. Metsis et al. evaluated five different versions of Naïve Bayes on particular dataset [3]. Some of these Naïve Bayesian versions are more common in spam filtering than others. The conclusion of the paper is that the two Naïve Bayes versions used least in spam filtering provided the best success. These are a Flexible Bayes method and a Multinomial Naïve Bayes (MNB) with Boolean attributes. The lower computational complexity of the MNB provided it the edge. The purpose of their paper is not only to contrast the success of five different Naïve Bayes techniques but to implement the techniques in a situation of a new user training a personalized learning anti-spam filter. This involved incremental retraining and evaluating of each technique. Furthermore, methods like Support Vector Machines (SVM) have also been used to identify spam [13]. Specifically, term frequency with boosting trees and binary features with SVM’s had acceptable test performance, but both methods used high dimensional (1000 - 7000) feature vectors. Another approach is to look into semantics. Youn & McLeod introduced a method to allow for machine-understandable semantics of data [7]. The basic idea here is to model the concept of spam in order to semantically identify it. The results reported are very encouraging, but the model constructed is static and therefore not adaptable. Most of the above proposed techniques struggled with changes in the email styles and words used on spam emails. Therefore, it made sense to consider an automatic learning approach to spam filtering, in order to adapt to changes. In this approach spam features are updated based on new coming spam messages. This, together with a novel method for training online Self-Organising Maps (SOM) [2] and retrieving the classification of a new email, indicated good performance. Most importantly the method proposed only misclassified very few ham messages as spam, and had correctly identified most spam messages. This exceeds the performance of other probabilistic approaches, as later proven in the paper. 2 Spam Detection Methods As indicated by conducted research one of the best ways so far to classify spam is to use probabilistic models, i.e. Bayesian [3], [5], [6], [8], [9]. For that reason, this paper is going to compare the approach of using SOMs to what appears to be best classifier for spam, the MNB Boolean classifier. Both approaches need to transform the text email message into a numerical vector, therefore several vector models have been proposed and are described later on. 2.1 Classifying with Multinomial NB Boolean The MNB treats each message d as a set of tokens. Therefore d is represented by a numerical feature vector model. Each element of the vector model represents a Adaptable Text Filters and Unsupervised Neural Classifiers for Spam Detection 197 Boolean value of whether that token exists in the message or not. The probability of P(x|c) can be calculated by trialling the probability of each token t occurring in a category c. The product of these trials, P(ti|c), for each category will result in the P(x|c) for the respective category. The equation is then [6]: P(cs ) ⋅ m ∏ P(ti | cs )xi i =1 m ∑c∈{c c } P(c ) ⋅ ∏ P(ti | cs ) s h >T (1) xi i =1 Each trial P(t|c) is estimated using a Laplacean prior: P(t | c ) = 1 + M t ,c 2 + Mc (2) Where Mt,c is the number of training messages of category c that contain the token t. Mc is the total number of training messages of category c. The outcomes of all these trials are considered independent given the category which is a naïve assumption. This simplistic assumption overlooks the fact that co-occurrences of words in a category should not be independent, however this technique still results in a very good performance of classification tasks. 2.2 Classifying with Self-Organising Maps Self-organising map (SOM) systems have been used consistently for classification and data visualisation in general [2]. The main function of a SOM is to identify salient features in the n-dimensional input space and squash that space into two dimensions according to similarity. Despite the popularity, SOMs are difficult to use after the training is over. Although visually some clusters emerge in the output map, computationally it is difficult to classify a new input into a formed cluster and be able to semantically label it. For the classification, an input weighted majority voting (WMV) method is used for identifying the label for the new unknown input [12]. Voting is based on the distance of each input vector from the node vector. For the proposed process for classifying an email and adapting it to new coming emails, the feature vector model is calculated based on the first batch of emails and then the SOM is trained on the first batch of emails with random weights. Then, a new batch of emails is appended, the feature vector model is recalculated, and the SOM is retrained from the previous weights, but on the new batch only. Finally, a new batch of emails inserted and the process is repeated until all batches are finished. For the purpose of the experiments, as described later, a 10x10 SOM is trained for 1000 cycles, where each cycle is a complete run of all inputs. The learning rate and neighbourhood value is started at high values, but then decreased exponentially towards the end of the training [12]. Each training step is repeated several times and results are averaged to remove any initial random bias. 198 B. Vrusias and I. Golledge 3 Identifying Salient Features The process of extracting salient features is probably the most important part of the methodology. The purpose here is to identify the keywords (tokens) that differentiate spam from ham. Typical approaches so far focused on pure frequency measures for that purpose, or the usage of the term frequency inverse document frequency (tf*idf) metric [10]. Furthermore, the weirdness metric that calculates the frequency ration of tokens used in special domains like spam, against the ratio in the British National Corpus (BNC), reported accuracy to some degree [1], [12]. This paper uses a combination function of the weirdness and TFIDF metrics, and both metrics are used in their normalised form. The ranking Rt of each token is therefore calculated based on: Rt = weirdness t × tf ∗ idf t (3) The weirdness metric compares the frequency of the token in the spam domain against the frequency of the same token in BNC. For tf*idf the “document” is considered as a category where all emails belonging to that same category are merged together, and document frequency is the total number of categories (i.e. 2 in this instance: spam and ham). The rating metric R is used to build a list of most salient features in order to encode emails into binary numerical input vectors (see Fig. 1). After careful examination a conclusion is drawn, that in total, the top 500 tokens are enough to represent the vector model. Furthermore, one more feature (dimension) is added in the vector, indicating whether there are any ham tokens present in an email. The binary vector model seemed to work well and has the advantage of the computational simplicity. SPAM EMAIL HAM EMAIL Subject: dobmeos with hgh my energy level has gone up ! stukm Introducing doctor – formulated hgh Subject: re : entex transistion thanks so much for the memo . i would like to reiterate my support on two key issues : 1 ) . thu - best of luck on this new assignment . howard has worked hard and done a great job ! please don ' t be shy on asking questions . entex is critical to the texas business , and it is critical to our team that we are timely and accurate . 2 ) . rita : thanks for setting up the account team . communication is critical to our success , and i encourage you all to keep each other informed at all times . the p & l impact to our business can be significant . additionally , this is high profile , so we want to assure top quality . thanks to all of you for all of your efforts . let me know if there is anything i can do to help provide any additional support . rita wynne … human growth hormone - also called hgh is referred to in medical science as the master hormone. it is very plentiful when we are young , but near the age of twenty - one our bodies begin to produce less of it . by the time we are forty nearly everyone is deficient in hgh , and at eighty our production has normally diminished at least 90 - 95 % . advantages of hgh : - increased muscle strength - loss in body fat - increased bone density - lower blood pressure - quickens wound healing - reduces cellulite - increased … sexual potency Fig. 1. Sample spam and ham emails. Large bold words indicate top ranked spam words and smaller words with low ranking, whereas normal black text indicate non spam words. In most cases of generating feature vectors, scientists usually concentrate on static models that require complete refactoring when information changes or when the user provides feedback. In order to cope with the demand of changes, the proposed model can automatically recalculate the salient features and appropriately adapt the vector Adaptable Text Filters and Unsupervised Neural Classifiers for Spam Detection 199 model to accommodate this. The method can safely modify/update the vector model every 100 emails in order to achieve best performance. Basically, the rank list is modified depending on the contents of the new coming emails. This is clearly visualised in Fig. 2 where is observable that as more email batches (of 100 emails) are presented, the tokens in the list get updated. New “important” tokens are quickly placed at the top of the rank, but the ranking changes based on other new entries. Rank Spam Key-Words Ranking 500 450 400 350 300 250 200 150 100 50 0 viagra hotlist xanax pharmacy vicodin pills sofftwaares valium prozac computron 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 20 30 40 50 Batch No Fig. 2. Random spam keyword ranking as it evolved through the training process for Enron1 dataset. Each batch contains 100 emails. The graph shows that each new keyword entry has an impact on the ranking list, and it then fluctuates to accommodate new-coming keywords. 4 Experimentation: Spam Detection In order to evaluate spam filters a dataset with a large volume of spam and ham messages is required. Gathering public benchmark datasets of a large size has proven difficult [8]. This is mainly due to privacy issues of the senders and receivers of ham emails with a particular dataset. Some datasets have tried to bypass the privacy issue by considering ham messages collected from freely accessible sources such as mailing lists. The Ling-Spam dataset consists of spam received at the time and a collection of ham messages from an archived list of linguist mails. The SpamAssassin corpus uses ham messages publicly donated by the public or collected from public mailing lists. Other datasets like SpamBase and PU only provide the feature vectors rather than the content itself and therefore are considered inappropriate for the proposed method. 4.1 Setup One of the most widely used datasets in spam filtering research is the Enron dataset From a set of 150 mailboxes with messages various benchmark datasets have been constructed. A subset as constructed by Androutsopoulos et al. [6] is used, containing mailboxes of 6 users within the dataset. To reflect the different scenarios of a personalised filter, each dataset is interlaced with varying amounts of spam (from a variety of sources), so that some had a ham-spam ratio of 1:3 and others 3:1. To implement the process of incremental retraining the approach suggested by Androutsopoulos et al. [6] is adapted, where the messages of each dataset are split into 200 B. Vrusias and I. Golledge batches b1,…,bl of k adjacent messages. Then for batch i=1 to l-1 the filter is trained on batch bi and tested on batch bi+1. The number of emails per batch k=100. The performance of a spam filter is measured on its ability to correctly identify spam and ham while minimising misclassification. NhÆh and nsÆs represent the number of correctly classified ham and spam messages. Nh->s represents the number of ham misclassified as spam (false positive) and nsÆh represents the number of spam misclassified as ham (false negative). Spam precision and recall is then calculated. These measurements are useful for showing the basic performance of a spam filter. However they do not take into account the fact that misclassifying a Ham message as Spam is an order of magnitude worse than misclassifying a Spam message to Ham. A user can cope with a number of false negatives, however a false positive could result in the loss of a potential important legitimate email which is unacceptable to the user. So, when considering the statistical success of a spam filter the consequence weight associated with false positives should be taken into account. Androutsopoulos et al. [6] introduced the idea of a weighted accuracy measurement (WAcc): WAccλ = λ ⋅ nh → h + ns → s λ ⋅ Nh + Ns (4) Nh and Ns represent the total number of ham and spam messages respectively. In this measurement each legitimate ham message nh is treated as λ messages. For every false positive occurring, this is seen as λ errors instead of just 1. The higher the value of λ the more cost there is of each misclassification. When λ=99, misclassifying a ham message is as bad as letting 99 spam messages through the filter. The value of λ can be adjusted depending on the scenario and consequences involved. 4.2 Results Across the six datasets the results show a variance in performance of the MNB and a consistent performance of the SOM. Across the first three datasets, with ratio 3:1 in favour of ham, the MNB almost perfectly classifies ham messages, however the recall of spam is noticeably low. This is especially apparent in Enron 1 which appears to be the most difficult dataset. The last three datasets have a 3:1 ratio in favour of spam and this change in ratio is reflected in a change in pattern of the MNB results. The recall of spam is highly accurate however many ham messages are missed by the classifier. The pattern of performance of the SOM across the 6 datasets is consistent. Recall of spam is notably high over each dataset with the exception of a few batches. The ratio of spam to ham in the datasets appears to have no bearing on the results of the SOM. The recall of ham messages in each batch is very high with a very low percentage of ham messages miss-classified. The resulting overall accuracy is very high for the SOM and consistently higher than the MNB. However the weighted accuracy puts a different perspective on the results. Fig. 3 (a), (b) and (c) show the MNB showing consistently better weighted accuracy than the SOM. Although the MNB misclassified a lot of spam, the cost of the SOM misclassifying a small number of ham results in the MNB being more effective on these datasets. Fig. 3 (d), (e) and (f) show the SOM outperforming the MNB on the spam heavy datasets. The MNB missed a large proportion of ham messages and consequently the weighted accuracy is considerably lower than the SOM. Adaptable Text Filters and Unsupervised Neural Classifiers for Spam Detection 1.02 201 1.02 1 1 0.98 0.98 0.96 0.94 0.96 0.92 0.94 0.9 0.92 0.88 0.86 0.9 0.84 0.82 0.88 1 3 5 7 9 11 13 15 17 19 21 23 25 27 1 29 3 5 7 9 (a) Enron 1 11 13 15 17 19 21 23 25 27 29 (b) Enron 2 1.02 1.2 1 1 0.98 0.96 0.8 0.94 0.92 0.6 0.9 0.4 0.88 0.86 0.2 0.84 0.82 0 1 3 5 7 9 11 13 15 17 19 21 23 25 27 29 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 (c) Enron 3 (d) Enron 4 1.2 1.2 1 1 0.8 0.8 0.6 0.6 0.4 0.4 0.2 0.2 0 0 1 3 5 7 9 11 13 15 17 (e) Enron 5 19 21 23 25 27 29 1 3 5 7 9 11 13 15 17 19 21 23 25 27 29 (f) Enron 6 Fig. 3. WAcc results for all Enron datasets (1-6) for SOM and MNB and λ=99. Training / testing is conducted based on 30 batches of Spam and Ham, and a total number of 3000 emails. Y axes shows WAcc and the X axes indicates the batch number. 5 Conclusions This paper has discussed and evaluated two classifiers for the purposes of categorising emails into classes of spam and ham. Both MNB and SOM methods are incrementally trained and tested on 6 subsets of the Enron dataset. The methods are evaluated using a weighted accuracy measurement. The results of the SOM proved consistent over each dataset maintaining an impressive spam recall. A small percentage of ham emails are misclassified by the SOM. Each ham missed is treated as the equivalent of missing 99 spam emails. This lowered the overall effectiveness of the SOM. The MNB demonstrated a trade off between false positives and false negatives as it struggled to maintain high performance on both. Where it struggled to classify spam in the first three datasets, ham recall is impressive and consequently the WAcc is consistently better than the SOM. This pattern is reversed in the final three datasets as many ham messages are missed, and the SOM outperformed the MNB. 202 B. Vrusias and I. Golledge Further evaluations are currently being made into the selection of salient features and size of attribute set. This work aims to reduce the small percentage of misclassified ham by the SOM to improve its weighted accuracy performance. References 1. Manomaisupat, P., Vrusias, B., Ahmad, K.: Categorization of Large Text Collections: Feature Selection for Training Neural Networks. In: Corchado, E., Yin, H., Botti, V., Fyfe, C. (eds.) IDEAL 2006. LNCS, vol. 4224, pp. 1003–1013. Springer, Heidelberg (2006) 2. Kohonen, T.: Self-organizing maps, 2nd edn. Springer, New York (1997) 3. Metsis, V., Androutsopoulos, I., Paliouras, G.: Spam Filtering with Naïve Bayes – Which Naïve Bayes? In: CEAS, 3rd Conf. on Email and AntiSpam, California, USA (2006) 4. Zhang, L., Zhu, J., Yao, T.: An Evaluation of Statistical Spam Filtering Techniques. ACM Trans. on Asian Language Information Processing 3(4), 243–269 (2004) 5. Sahami, M., Dumais, S., Heckerman, D., Horvitz, E.: A Bayesian approach to filtering junk e-mail. In: Learning for Text Categorization – Papers from the AAAI Workshop, Madison, Wisconsin, pp. 55–62 (1998) 6. Androutsopoulos, I., Paliouras, G., Karkaletsi, V., Sakkis, G., Spyropoulos, C.D., Stamatopoulos, P.: Learning to Filter Spam E-Mail: A Comparison of a Naïve Bayesian and a Memory-Based Approach. In: Proceedings of the Workshop Machine Learning and Textual Information Access. 4th European Conf. on KDD, Lyon, France, pp. 1–13 (2000) 7. Youn, S., McLeod, D.: Efficient Spam Email Filtering using Adaptive Ontology. In: 4th International Conf. on Information Technology, ITNG 2007, pp. 249–254 (2007) 8. Hunt, R., Carpinter, J.: Current and New Developments in Spam Filtering. In: 14th IEEE International Conference on Networks, ICON 2006, vol. 2, pp. 1–6 (2006) 9. Peng, F., Schuurmans, D., Wang, S.: Augmenting Naive Bayes Classifiers with Statistical Language Models. Information Retrieval 7, 317–345 (2004) 10. Salton, G., Buckley, C.: Term-weighting approaches in automatic text retrieval. Information Processing & Management 24(5), 513–523 (1988) 11. Vrusias, B.: Combining Unsupervised Classifiers: A Multimodal Case Study, PhD thesis, University of Surrey (2004) 12. Drucker, H., Wu, D., Vapnik, V.N.: Support Vector Machines for Spam Categorization. IEEE Transactions on Neural Networks 10(5), 1048–1054 (1999) A Preliminary Performance Comparison of Two Feature Sets for Encrypted Traffic Classification Riyad Alshammari and A. Nur Zincir-Heywood Dalhousie University, Faculty of Computer Science {riyad,zincir}@cs.dal.ca Abstract. The objective of this work is the comparison of two types of feature sets for the classification of encrypted traffic such as SSH. To this end, two learning algorithms – RIPPER and C4.5 – are employed using packet header and flow-based features. Traffic classification is performed without using features such as IP addresses, source/destination ports and payload information. Results indicate that the feature set based on packet header information is comparable with flow based feature set in terms of a high detection rate and a low false positive rate. Keywords: Encrypted Traffic Classification, Packet, Flow, and Security. 1 Introduction In this work our objective is to explore the utility of two possible feature sets – Packet header based and Flow based – to represent the network traffic to the machine learning algorithms. To this end, we employed two machine learning algorithms – C4.5 and RIPPER [1] – in order to classify encrypted traffic, specifically SSH (Secure Shell). In this work, traffic classification is performed without using features such as IP addresses, source/destination ports and payload information. By doing so, we aim to develop a framework where privacy concerns of users are respected but also an important task of network management, i.e. accurate identification of network traffic, is achieved. Having an encrypted payload and being able to run different applications over SSH makes it a challenging problem to classify SSH traffic. Traditionally, one approach to classifying network traffic is to inspect the payload of every packet. This technique can be extremely accurate when the payload is not encrypted. However, encrypted applications such as SSH imply that the payload is opaque. Another approach to classifying applications is using well-known TCP/UDP port numbers. However, this approach has become increasingly inaccurate, mostly because applications can use non-standard ports to by-pass firewalls or circumvent operating systems restrictions. Thus, other techniques are needed to increase the accuracy of network traffic classification. The rest of this paper is organized as follows. Related work is discussed in section 2. Section 3 details the methodology followed. Aforementioned machine learning algorithms are detailed in Section 4, and the experimental results are presented in Section 5. Finally, conclusions are drawn and future work is discussed in Section 6. E. Corchado et al. (Eds.): CISIS 2008, ASC 53, pp. 203–210, 2009. © Springer-Verlag Berlin Heidelberg 2009 springerlink.com 204 R. Alshammari and A.N. Zincir-Heywood 2 Related Work In literature, Zhang and Paxson present one of the earliest studies of techniques based on matching patterns in the packet payloads [2]. Early et al. employed a decision tree classifier on n-grams of packets for classifying flows [3]. Moore et al. used Bayesian analysis to classify flows into broad categories [4]. Karagiannis et al. proposed an approach that does not use port numbers or payload information [5], but their system cannot classify distinct flows. Wright et al. investigate the extent to which common application protocols can be identified using only packet size, timing and direction information of a connection [6]. They employed a kNN and HMM learning systems to compare the performance. Their performance on SSH classification is 76% detection rate and 8% false positive rate. Bernaille et al. employed first clustering and then classification to the first three packets in each connection to identify SSL connections [7]. Haffner et al. employed AdaBoost, Hidden Markov Models (HMM), Naive Bayesian and Maximum Entropy models to classify network traffic into different applications [8]. Their results showed AdaBoost performed the best on their data sets. In their work, the classification rate for SSH was 86% detection rate and 0% false positive rate but they employed the first 64 bytes of the payload. Recently, Williams et al. [9] compared five different classifiers – Bayesian Network, C4.5, Naive Bayes (two different types) and Naive Bayes Tree – using flows. They found that C4.5 performed better than the others. In our previous work [10], we employed RIPPER and AdaBoost algorithms for classifying SSH traffic. RIPPER performed better than AdaBoost by achieving 99% detection rate and 0.7% false positive rate. However, in that work, all tests were performed using flow based feature sets, whereas in this work we not only employ other types of classifiers but also investigate the usage of packet header based feature sets. 3 Methodology In this work, RIPPER and C4.5 based classifiers are employed to identify the most relevant feature set – Packet header vs. Flow – to the problem of SSH traffic classification. For packet header based features used, the underlying principle is that features employed should be simple and clearly defined within the networking community. They should represent a reasonable benchmark feature set to which more complex features might be added in the future. Given the above model, Table 1 lists the packet header Feature Set used to represent each packet to our framework. In the above table, payload length and inter-arrival time are the only two features, which are not directly obtained from the header information but are actually derived using the data in the header information. In the case of inter-arrival time, we take the Table 1. Packet Header Based Features Employed IP Header length IP Time to live TCP Header length Payload length (derived) IP Fragment flags IP Protocol TCP Control bits Inter-arrival time (derived) A Preliminary Performance Comparison of Two Feature Sets 205 difference in milliseconds between the current packet and the previous packet sent from the same host within the same session. In the case of payload length, we calculate it using Eq. 1 for TCP packets and using Eq. 2 for UDP packets. Payload length = IPTotalLength - (IPHeaderLength x 4) - (TCPHeaderLength x 4) (1) Payload length = IPTotalLength - (IPHeaderLength x 4) – 8 (2) For the flow based feature set, a feature is a descriptive statistic that can be calculated from one or more packets for each flow. To this end, NetMate [11] is employed to generate flows and compute feature values. Flows are bidirectional and the first packet seen by the tool determines the forward direction. We consider only UDP and TCP flows that have no less than one packet in each direction and transport no less than one byte of payload. Moreover, UDP flows are terminated by a flow timeout, whereas TCP flows are terminated upon proper connection teardown or by a flow timeout, whichever occurs first. The flow timeout value employed in this work is 600 seconds [12]. We extract the same set of features used in [9, 10] to provide a comparison environment for the reader, Table 2. Table 2. Flow Based Features Employed Protocol # Packets in forward direction Min forward inter-arrival time Std. deviation of forward inter-arrival times Mean forward inter-arrival time Max forward inter-arrival time Std. deviation of backward inter-arrival times Min forward packet length Max forward packet length Std deviation of forward packet length Mean backward packet length Duration of the flow # Bytes in forward direction # Bytes in backward direction # Packets in backward direction Mean backward inter-arrival time Max backward inter-arrival time Min backward inter-arrival time Mean forward packet length Min backward packet length Std. deviation of backward packet length Max backward packet length Fig. 1. Generation of network traffic for the NIMS data set In our experiments, the performance of the different machine learning algorithms is established on two different traffic sources: Dalhousie traces and NIMS traces. 206 R. Alshammari and A.N. Zincir-Heywood - Dalhousie traces were captured by the University Computing and Information Services Centre (UCIS) in January 2007 on the campus network between the university and the commercial Internet. Given the privacy related issues university may face, data is filtered to scramble the IP addresses and further truncate each packet to the end of the IP header so that all payload is excluded. Moreover, the checksums are set to zero since they could conceivably leak information from short packets. However, any length information in the packet is left intact. Thus the data sets given to us are anonymized and without any payload information. Furthermore, Dalhousie traces are labeled by a commercial classification tool (deep packet analyzer) called PacketShaper [13] by the UCIS. This provides us the ground truth for the training. PacketShaper labeled all traffic either as SSH or non-SSH. - NIMS traces consist of packets collected on our research test-bed network. Our data collection approach is to simulate possible network scenarios using one or more computers to capture the resulting traffic. We simulate an SSH connection by connecting a client computer to four SSH servers outside of our test-bed via the Internet, Figure 1.We ran the following six SSH services: (i) Shell login; (ii) X11; (iii) Local tunneling; (iv) Remote tunneling; (v) SCP; (vi) SFTP. We also captured the following application traffic: DNS, HTTP, FTP, P2P (limewire), and Telnet. These traces include all the headers, and the application payload for each packet. Since both of the traffic traces contain millions of packets (40 GB of traffic). We performed subset sampling to limit the memory and CPU time required for training and testing. Subset sampling algorithms are a mature field of machine learning in which it has already been thoroughly demonstrated that performance of the learner (classifier) is not impacted by restricting the learner to a subset of the exemplars during training [14]. The only caveat to this is that the subset be balanced. Should one samples without this constraint one will provide a classifier which maximizes accuracy, where this is known to be a rather poor performance metric. However, the balanced subset sampling heuristic here tends to maximize the AUC (measurements of the fraction of the total area that falls under the ROC curve) statistic, a much more robust estimator of performance [14]. Thus, we sub-sampled 360,000 packets from each aforementioned data source. The 360,000 packets consist of 50% in-class (application running over SSH) and 50% out-class. From the NIMS traffic trace, we choose the first 30000 packets of X11, SCP, SFTP, Remote-tunnel, Local-tunnel and Remote login that had payload size bigger than zero. These packets are combined together in the in-class. The out-class is sampled from the first 180000 packets that had payload size bigger than zero. The out-class consists of the following applications FTP, Telnet, DNS, HTTP and P2P (lime-wire). On the other hand, from the Dalhousie traces, we filter the first 180000 packets of SSH traffic for the in-class data. The out-class is sampled from the first 180000 packets. It consists of the following applications FTP, DNS, HTTP and MSN. We then run these data sets through NetMate to generate the flow feature set. We generated 30 random training data sets from both sub-sampled traces. Each training data set is formed by randomly selecting (uniform probability) 75% of the in-class and 75% of the out-class without replacement. In case of Packet header feature set, each training data set contains 270,000 packets while in case of NetMate feature set, each training data set contains 18095 flows (equivalent of 270,000 packets in terms of flows), Table 3. In this table, some applications have packets in the training sample A Preliminary Performance Comparison of Two Feature Sets 207 but no flows. This is due to the fact that we consider only UDP and TCP flows that have no less than one packet in each direction and transport no less than one byte of payload. Table 3. Private and Dalhousie Data Sets SSH FTP TELNET DNS HTTP P2P (limewire) NIMS Training Sample for IPheader (total = 270000) x 30 135000 14924 13860 17830 8287 96146 NIMS Training Sample for NetMate (total = 18095) x 30 1156 406 777 1422 596 13738 SSH FTP TELNET DNS HTTP MSN Dalhousie Training Sample for IPheader (total = 270000) x 30 135000 139 0 2985 127928 3948 Dalhousie Training Sample for NetMate (total = 12678) x 30 11225 2 0 1156 295 0 4 Classifiers Employed In order to classify SSH traffic; two different machine learning algorithms – RIPPER and C4.5 – are employed. The reason is two-folds: As discussed earlier Williams et al. compared five different classifiers and showed that a C4.5 classifier performed better than the others [9], whereas in our previous work [10], a RIPPER based classifier performed better than the AdaBoost, which was shown to be the best performing model in [8]. RIPPER, Repeated Incremental Pruning to Produce Error Reduction, is a rulebased algorithm, where the rules are learned from the data directly [1]. Rule induction does a depth-first search and generates one rule at a time. Each rule is a conjunction of conditions on discrete or numeric attributes and these conditions are added one at a time to optimize some criterion. In RIPPER, conditions are added to the rule to maximize an information gain measure [1]. To measure the quality of a rule, minimum description length is used [1]. RIPPER stops adding rules when the description length of the rule base is 64 (or more) bits larger than the best description length. Once a rule is grown and pruned, it is added to the rule base and all the training examples that satisfy that rule are removed from the training set. The process continues until enough rules are added. In the algorithm, there is an outer loop of adding one rule at a time to the rule base and inner loop of adding one condition at a time to the current rule. These steps are both greedy and do not guarantee optimality. C4.5 is a decision tree based classification algorithm. A decision tree is a hierarchical data structure for implementing a divide-and-conquer strategy. It is an efficient non-parametric method that can be used both for classification and regression. In nonparametric models, the input space is divided into local regions defined by a distance metric. In a decision tree, the local region is identified in a sequence of recursive splits in smaller number of steps. A decision tree is composed of internal decision nodes and terminal leaves. Each node m implements a test function fm(x) with discrete outcomes labeling the branches. This process starts at the root and is repeated until a leaf node is hit. The value of a leaf constitutes the output. A more detailed explanation of the algorithm can be found in [1]. 208 R. Alshammari and A.N. Zincir-Heywood 5 Experimental Results In this work we have 30 training data sets. Each classifier is trained on each data set via 10-fold cross validation. The results given below are averaged over these 30 data sets. Moreover, results are given using two metrics: Detection Rate (DR) and False Positive Rate (FPR). In this work, DR reflects the number of SSH flows correctly classified, whereas FPR reflects the number of Non-SSH flows incorrectly classified as SSH. Naturally, a high DR rate and a low FPR would be the desired outcomes. They are calculated as follows: DR = 1 − (#FNClassifications / TotalNumberSSHClassifications) FPR = #FPClassifications / TotalNumberNonSSHClassifications where FN, False Negative, means SSH traffic classified as non- SSH traffic. Once the aforementioned feature vectors are prepared, RIPPER, and C4.5, based classifiers are trained using WEKA [15] (an open source tool for data mining tasks) with its default parameters for both algorithms. Tables 4 and 6 show that the difference between the two feature sets based on DR is around 1%, whereas it is less than 1% for FPR. Moreover, C4.5 performs better than RIPPER using both feature sets, but again the difference is less than 1%. C4.5 achieves 99% DR and 0.4% FPR using flow based features. Confusion matrixes, Tables 5 and 7, show that the number of SSH packets/flows that are misclassified are notably small using C4.5 classifier. Table 4. Average Results for the NIMS data sets Classifiers Employed RIPPER for Non-SSH RIPPER for –SSH C4.5 for Non-SSH C4.5 for –SSH IP-header Feature DR FPR 0.99 0.008 0.991 0.01 0.991 0.007 0.993 0.01 NetMate Feature DR FPR 1.0 0.002 0.998 0.0 1.0 0.001 0.999 0.0 Table 5. Confusion Matrix for the NIMS data sets Classifiers Employed RIPPER for Non-SSH RIPPER for –SSH C4.5 for Non-SSH C4.5 for –SSH IP-header Feature Non-SSH SSH 133531 1469 1130 133870 133752 1248 965 134035 NetMate Feature Non-SSH SSH 16939 0 2 1154 16937 2 1 1155 Results reported above are averaged over 30 runs, where 10-fold cross validation is employed at each run. In average, a C4.5 based classifier achieves a 99% DR and almost 0.4% FPR using flow based features and 98% DR and 2% FPR using packet header based features. In both cases, no payload information, IP addresses or port numbers are used, whereas Haffner et al. achieved 86% DR and 0% FPR using the A Preliminary Performance Comparison of Two Feature Sets 209 Table 6. Average Results for the Dalhousie data sets Classifiers Employed RIPPER for Non-SSH RIPPER for –SSH C4.5 for Non-SSH C4.5 for –SSH IP-header Feature DR FPR 0.974 0.027 0.972 0.025 0.98 0.02 0.98 0.02 NetMate Feature DR FPR 0.994 0.0008 0.999 0.005 0.996 0.0004 0.999 0.004 Table 7. Confusion Matrix for the Dalhousie data sets Classifiers Employed RIPPER for Non-SSH RIPPER for –SSH C4.5 for Non-SSH C4.5 for –SSH IP-header Feature Non-SSH SSH 131569 3431 3696 131304 13239 2651 2708 132292 NetMate Feature Non-SSH SSH 1445 8 8 11217 1447 6 5 11220 first 64 bytes of the payload of the SSH traffic [8]. This implies that they have used the un-encrypted part of the payload, where the handshake for SSH takes place. On the other hand, Wright et al. achieved a 76% DR and 8% FPR using packet size, time and direction information only [6]. These results show that our proposed approach achieves better performance in terms of DR and FPR for SSH traffic than the above existing approaches in the literature. 6 Conclusions and Future Work In this work, we investigate the performance of two feature sets using C4.5 and RIPPER learning algorithms for classifying SSH traffic from a given traffic trace. To do so, we employ data sets generated at our lab as well as employing traffic traces captured on our Campus network. We tested the aforementioned learning algorithms using packet header and flow based features. We have employed WEKA (with default settings) for both algorithms. Results show that feature set based on packet header is compatible with the statistical flow based feature set. Moreover, C4.5 based classifier performs better than RIPPER on the above data sets. C4.5 can achieve a 99% DR and less than 0.5% FPR at its test performance to detect SSH traffic. It should be noted again that in this work, the objective of automatically identifying SSH traffic from a given network trace is performed without using any payload, IP addresses or port numbers. This shows that the feature sets proposed in this work are both sufficient to classify any encrypted traffic since no payload or other biased features are employed. Our results are encouraging to further explore the packet header based features. Given that such an approach requires less computational cost and can be employed on-line. Future work will follow similar lines to perform more tests on different data sets in order to continue to test the robustness and adaptability of the classifiers and the feature sets. We are also interested in defining a framework for generating good training data sets. Furthermore, investigating our approach for other encrypted applications such as VPN and Skype traffic is some of the future directions that we want to pursue. 210 R. Alshammari and A.N. Zincir-Heywood Acknowledgments. This work was in part supported by MITACS, NSERC and the CFI new opportunities program. Our thanks to John Sherwood, David Green and Dalhousie UCIS team for providing us the anonymozied Dalhousie traffic traces. All research was conducted at the Dalhousie Faculty of Computer Science NIMS Laboratory, http://www.cs.dal.ca/projectx. References [1] Alpaydin, E.: Introduction to Machine Learning. MIT Press, Cambridge; ISBN: 0- 26201211-1 [2] Zhang, Y., Paxson, V.: Detecting back doors. In: Proceedings of the 9th USENIX Security Symposium, pp. 157–170 (2000) [3] Early, J., Brodley, C., Rosenberg, C.: Behavioral authentication of server flows. In: Proceedings of the ACSAC, pp. 46–55 (2003) [4] Moore, A.W., Zuev, D.: Internet Traffic Classification Using Bayesian Analysis Techniques. In: Proceedings of the ACM SIGMETRICS, pp. 50–60 (2005) [5] Karagiannis, T., Papagiannaki, K., Faloutsos, M.: BLINC: Multilevel Traffic Classification in the Dark. In: Proceedings of the ACM SIGCOMM, pp. 229–240 (2006) [6] Wright, C.V., Monrose, F., Masson, G.M.: On Inferring Application Protocol Behaviors in Encrypted Network Traffic. Journal of Machine Learning Research 7, 2745–2769 (2006) [7] Bernaille, L., Teixeira, R.: Early Recognition of Encrypted Applications. In: Passive and Active Measurement Conference (PAM), Louvain-la-neuve, Belgium (April 2007) [8] Haffner, P., Sen, S., Spatscheck, O., Wang, D.: ACAS: Automated Construction of Application Signatures. In: Proceedings of the ACM SIGCOMM, pp. 197–202 (2005) [9] Williams, N., Zander, S., Armitage, G.: A Prelimenary Performance Comparison of Five Machine Learning Algorithms for Practical IP Traffic Flow Comparison. ACM SIGCOMM Computer Communication Review 36(5), 7–15 (2006) [10] Alshammari, R., Zincir-Heywood, A.N.: A flow based approach for SSH traffic detection, IEEE SMC, pp. 296–301 (2007) [11] NetMate (last accessed, January 2008), http://www.ip-measurement.org/tools/netmate/ [12] IETF (last accessed January 2008), http://www3.ietf.org/proceedings/97apr/ 97apr-final/xrtftr70.htm [13] PacketShaper (last accessed, January 2008), http://www.packeteer.com/products/packetshaper/ [14] Weiss, G.M., Provost, F.J.: Learning When Training Data are Costly: The Effect of Class Distribution on Tree Induction. Journal of Artificial Intelligence Research 19, 315–354 (2003) [15] WEKA Software (last accessed, January 2008), http://www.cs.waikato.ac.nz/ml/weka/ Dynamic Scheme for Packet Classification Using Splay Trees Nizar Ben-Neji and Adel Bouhoula Higher School of Communications of Tunis (Sup’Com) University November 7th at Carthage City of Communications Technologies, 2083 El Ghazala, Ariana, Tunisia [email protected], [email protected] Abstract. Many researches are about optimizing schemes for packet classification and matching filters to increase the performance of many network devices such as firewalls and QoS routers. Most of the proposed algorithms do not process dynamically the packets and give no specific interest in the skewness of the traffic. In this paper, we conceive a set of self-adjusting tree filters by combining the scheme of binary search on prefix length with the splay tree model. Hence, we have at most 2 hash accesses per filter for consecutive values. Then, we use the splaying technique to optimize the early rejection of unwanted flows, which is important for many filtering devices such as firewalls. Thus, to reject a packet, we have at most 2 hash accesses per filter and at least only one. Keywords: Packet Classification, Binary Search on Prefix Length, Splay Tree, Early Rejection. 1 Introduction In the packet classification problems we wish to classify incoming packets into classes based on predefined rules. Classes are defined by rules composed of multiple header fields, mainly source and destination IP addresses, source and destination port numbers, and a protocol type. On one hand, packet classifiers must be constantly optimized to cope with the network traffic demands. On the other hand, few of proposed algorithms process dynamically the packets and the lack of dynamic packet filtering solutions has been the motivation for this research. Our study shows that the use of a dynamic data structure is the best solution to take into consideration the skewness in the traffic distribution. In this case, in order to achieve this goal, we adapt the splay tree data structure to the binary search on prefix length algorithm. Hence, we have conceived a set of dynamic filters for each packet header-field to minimize the average matching time. On the other hand, discarded packets represent the most important part of the traffic treated then reject by a firewall. So, those packets might cause more harm than others if they are rejected by the default-deny rule as they traverse a long matching path. Therefore, we use the technique of splaying to reject the maximum number of unwanted packets as early as possible. This paper is organized as follows. In Section 2 we describe the previously published related work. In Section 3 we present the proposed techniques used to perform E. Corchado et al. (Eds.): CISIS 2008, ASC 53, pp. 211–218, 2009. springerlink.com © Springer-Verlag Berlin Heidelberg 2009 212 N. Ben-Neji and A. Bouhoula the binary search on prefix length algorithm. In Section 4 we illustrate theoretical analysis of the proposed work. At the end, in Section 5 we present the conclusion and our plans for future work. 2 Previous Work Since our proposed work in this paper applies binary search on prefix length with splay trees, we describe the binary search on prefix length algorithm in detail, then we present a previous dynamic packet classification technique using splay trees called Splay Tree based Packet Classification (ST-PC). After that, we present an early rejection technique for maximizing the rejection of unwanted packets. Table 1. Example Rule Set Rule no. R1 R2 R3 R4 R5 R6 R7 R8 R9 Src Prefix 01001* 01001* 010* 0001* 1011* 1011* 1010* 110* * Dst Prefix 000111* 00001* 000* 0011* 11010* 110000* 110* 1010* * Src Port * * * * * * * * * Dst Port 80 80 443 443 80 80 443 443 * Proto. TCP TCP TCP TCP UDP UDP UDP UDP * 2.1 Binary Search on Prefix Length Waldvogel et al. [1] have proposed the IP lookup scheme based on binary search on prefix length Fig.1. Their scheme performs a binary search on hash tables that are organized by prefix length. Each hash table in their scheme contains prefixes of the same length together with markers for longer-length prefixes. In that case, IP Lookup can be done with O(log(Ldis)) hash table searches, where Ldis is the number of distinct prefix lengths and Ldis<W-1 where W is the maximum possible length, in bits, of a prefix in the filter table. Note that W=32 for IPv4, W=128 for IPv6. Many works were proposed to perform this scheme. For instance, Srinivasan and Varghese [3] and Kim and Sahni [4] have proposed ways to improve the performance of the binary search on lengths scheme by using prefix expansion to reduce the value of Ldis. On the other hand, an asymmetric binary search tree was proposed to reduce the average number of hash computations. This tree basically inserts values of higher occurrence probability (matching frequency) at higher tree levels then the values of less probability. In fact, we have to rebuild periodically the search tree based on the traffic characteristics. Also, a rope search algorithm was proposed to reduce the average number of hash computations but it increases the rebuild time of the search tree because it use precomputation to accomplish this goal. That is why we have O(NW) time complexity when we rebuild the tree after a rule insertion or deletion according to the policy. Dynamic Scheme for Packet Classification Using Splay Trees 213 Fig. 1. This shows a binary tree for the destination prefix field of Table 1 and the access order performing the binary search on prefix lengths proposed by Waldvogel [1]. (M: Marker) 2.2 Splay Tree Packet Classification Technique (ST-PC) The idea of the Splay Tree Packet Classification Technique [2] is to convert the set of prefixes into integer ranges as shown in Table 2 then we put all the lower and upper values of the ranges into a splay tree data structure. On the other hand, we need to store in each node of the data structure all the matching rules as shown in Fig.2. The same procedure is repeated for the filters of the other packet's header fields. Finally, all the splay trees are to be linked to each other to determine the corresponding action of the incoming packets. When we look for the list of the matching rules, we first convert the values of the packet’s header fields to integers then we find separately the matching rules for each field and finally we select a final set of matching rules for the incoming packet. Each newly accessed node has to become at root by the property of a splay tree (Fig.2). Table 2. Destination Prefix Conversion Rule no. R1 R2 R3 R4 R5 R6 R7 R8 R9 Dst Prefix 000111* 00001* 000* 0011* 11010* 110000* 110* 1010* * Lower Bound 00011100 00001000 00000000 00110000 11010000 11000000 11000000 10100000 00000000 Upper Bound 00011111 00001111 00011111 00111111 11010111 11000011 11011111 10101111 11111111 Start 28 8 0 48 208 192 192 160 0 Finish 31 15 31 63 215 195 223 175 255 2.3 Early Rejection Rules The technique of early rejection rules was proposed by Adel El-Atawy et al. [5], using an approximation algorithm that analyzes the firewall policy in order to construct a set of early rejection rules. This set can reject the maximum number of unwanted packets as early as possible. Unfortunately, the construction of the optimal set of rejection 214 N. Ben-Neji and A. Bouhoula Fig. 2. The figure (a) shows the destination splay tree constructed as shown in Table 2 with the corresponding matching rules. The newly accessed node becomes the root as shown in (b). rules is an NP-complete problem and adding them may increase the size of matching rules list. Early rejection works periodically by building a list of most frequently hit rejection rules. And then, starts comparing the incoming packets to that list prior to trying normal packet filters. 3 Proposed Filter Our basic scheme consists of a set of self-adjusting filters (SA-BSPL: Self-Adjusting Binary Search on Prefix Length). Our proposed filter can be applied to filter every packet's header field. Accordingly, it can easily assure exact matching for protocol field, prefix matching for IP addresses, and range matching for port numbers. 3.1 Splay Tree Filters Our work performs the scheme of Waldvogel et al [1] by conceiving splay tree filters to ameliorate the global average search time. A filter consists of a collection of hash tables and a splay tree with no need to represent the default prefix (with zero length). Prefixes are grouped by lengths in hash tables (Fig.3). Also, each hash table is augmented with markers for longer length prefixes (Fig.1 shows an example). We still use binary search on prefix length but with splaying operations to push every newly accessed node to the top of the tree and because of the search step starts at root and ends at the leaves of the search tree as described in [1], we have to splay also the successor of the best length to the root.right position (Fig4-a). Consequently, the tree is adequately adjusted to have at most 2 hash accesses for all repeated values. Fig. 3. This figure shows the collection of hash tables of the destination address filter according to the example in Table 1. We denote by M the marker and by P the prefix. Dynamic Scheme for Packet Classification Using Splay Trees 215 Fig. 4. This figure shows the operations of splaying to early accept the repeated packets (a) and to early reject the unwanted ones (b). Note that x+ is the successor of x, and M is the minimum item in the tree. Fig. 5. This figure shows the alternative operations of splaying when x+ appears after x in the search path (a) or before x (b) Therefore, we start the search from the root node and if we get a match, we update the best length value and the list of matching rules then we go for higher lengths and if nothing is matched, we go for lower lengths (Fig 6). We stop the search process if a leaf is met. After that, the best length value and its successor have to be splayed to the top of the tree (Fig.4-a). We can go faster since we use the top-down splay tree model because we are able to combine searching and splaying steps together. We have also conceived an alternative implementation of splaying that have slightly better amortized time bound. We look for x and x+, then we splay x or x+ until we obtain x+ as a right child of x. Then, these two nodes have to be splayed to the top of the tree, as a single node (Fig.5). Hence, we have a better amortized cost than given in Fig.4-a. 3.2 Early Rejection Technique In this section, we focus on optimizing matching of traffic discarded due to the default-deny rule because it has more profound effect on the performance of the firewalls. In our case, we have no need to represent the default prefix (with zero length) so if a packet don’t match any length it will be automatically rejected by the Min-node. Generally, rejected packets might traverse long decision path of rule matching before they are finally rejected by the default-deny rule. The left child of the Min-node is Null, hence if a packet doesn’t match the Min-node we go to its left child which is Null, so it means that this node is the end of the search path. 216 N. Ben-Neji and A. Bouhoula Fig. 6. The algorithm of binary search on prefix length combined with splaying operations In our case, in each filter, we have to traverse the entire tree until we arrive to the node with the minimum value. Subsequently, a packet might traverse a long path in the search tree before it is rejected by the Min-node. Hence, we have to rotate always the Min-node in the upper levels of the self-adjusting tree. We have to splay the Minnode to the root.left position as shown in (Fig.4-b). In our case, we can use either bottom-up or top-down splay trees. However, the top-down splay tree is much more efficient for the early rejection technique because we are able to maintain the Minnode fixed in the desired position when searching for the best matching value. 4 Complexity Analysis In this section, we first give the complexity analysis of the proposed operations used to adapt the splay tree data structure to the binary search on length algorithm and we also give the cost per filter of our early rejection technique. 4.1 Amortized Analysis On an n-node splay tree, all the standard search tree operations have an amortized time bound of O(log(n)) per operation. According to the analysis of Sleator and Tarjan [6], if each item of the splay tree is given a weight wx, with Wt denoting the sum of the weights in the tree t, then the amortized cost to access an item x have the following upper bounds (Let x+ denote the item following x in the tree t and x- denote the item preceding x): 3 log(Wt/wx) + O(1) . 3 log(Wt/min(wx-,wx+)) + O(1) . If x is in the tree t . (0) If x is not in the tree t . (1) Dynamic Scheme for Packet Classification Using Splay Trees 217 In our case, we have to rotate the best length value to the root position and its successor to the root.right position (Fig.4-a). We have a logarithmic amortized complexity to release these two operations and the time cost is calculated using (0) and (1): 3 log (Wt/wx) + 3 log(Wt-wx/wx+) + O(1) . (2) With the use of the alternative optimized implementation of splaying (Fig.5) we obtain slightly better amortized time bound than the one given in (2): 3 log(Wt-wx/min(wx,wx+)) + O(1) . (3) On the other hand, the cost of the early rejection step is 3 log(Wt-wx/wmin) + O(1), note that wmin is the weight of the Min-node. With the use of the proposed early rejection technique, we have at most 2 hash accesses before we reject a packet and at least only one. If we have m values to be rejected by the default deny rule, search time will be at most m+1 hash accesses per filter and at least m hash accesses. 4.2 Number of Nodes The time complexity is related with the number of nodes. For the ST-PC scheme, in the worst case, if we assume that all the prefixes are distinct, then we have at most 2W nodes per tree, note that W is the length of the longest prefix. Besides, if all bounds are distinct, then we have 2r nodes, note that r is the number of rules. So, the actual number of nodes in ST-PC in the worst case will be the minimum of these two values. Our self-adjusting tree structure is based on the binary search on hash tables organized by prefixes length. Hence, the number of nodes in our case is equal to the number of hash tables. If we consider W the length of the longest prefix, we have at most W nodes. Since the number of node in our self-adjusting tree is smaller than in the ST-PC especially with an important number of rules (Fig.7), we can say that our scheme is much more competitive in term of time and scalability. Fig. 7. (a) This figure shows the distribution of the number of nodes with respect to W and r, where W is the maximum possible length in bits and r the number of rules 218 N. Ben-Neji and A. Bouhoula 5 Conclusion The Packet classification optimization problem has received the attention of the research community for many years. Nevertheless, there is a manifested need for new innovative directions to enable filtering devices such as firewalls to keep up with high-speed networking demands. In our work, we have suggested a dynamic scheme, based on using collection of hash tables and splay trees for filtering each header field. We have also proved that our scheme is suitable to take advantage of locality in the incoming requests. Locality in this context is a tendency to look for the same element multiple times. Finally, we have reached this goal with a logarithmic time cost, and in our future works, we wish to optimize data storage and the other performance aspects. References 1. Waldvogel, M., Varghese, G., Turner, J., Plattner, B.: Scalable High-Speed IP Routing Lookups. ACM SIGCOMM Comput. Commu. Review. 27(4), 25–36 (1997) 2. Srinivasan, T., Nivedita, M., Mahadevan, V.: Efficient Packet Classification Using Splay Tree Models. IJCSNS International Journal of Computer Science and Network Security 6(5), 28–35 (2006) 3. Srinivasan, V., Varghese, G.: Fast Address Lookups using Controlled Prefix Expansion. ACM Trans. Comput. Syst. 17(1), 1–40 (1999) 4. Kim, K., Sahni, S.: IP Lookup by Binary Search on Prefix Length. J. Interconnect. Netw. 3, 105–128 (2002) 5. Hamed, H., El-Atawy, A., Al-Shaer, E.: Adaptive Statistical Optimization Techniques for Firewall Packet Filtering. In: IEEE INFOCOM, Barcelona, Spain, pp. 1–12 (2006) 6. Sleator, D., Tarjan, R.: Self Adjusting Binary Search Trees. Journal of the ACM 32, 652– 686 (1985) A Novel Algorithm for Freeing Network from Points of Failure Rahul Gupta and Suneeta Agarwal Department of Computer Science and Engineering, Motilal Nehru National Institute of Technology, Allahabad, India [email protected], [email protected] Abstract. A network design may have many points of failure, the failure of any of which breaks up the network into two or more parts, thereby disrupting the communication between the nodes. This paper presents a heuristic for making an existing network more reliable by adding new communication links between certain nodes. The algorithm ensures the absence of any point of failure after addition of addition of minimal number of communication links determined by the algorithm. The paper further presents theoretical proofs and results which prove the minimality of the number of new links added in the network. Keywords: Points of Failure, Network Management, Safe Network Component, Connected Network, Reliable Network. 1 Introduction A network consists of number of interconnected nodes communicating among each other through communication channels between them. A wired communication link between two nodes is more reliable [1]. Various topology designs have been proposed for various network protocols and applications [2][3] such as bus topology, star topology, ring topology and mesh topology. All these network designs leave certain nodes as failure points [4][5][6]. These nodes become very important and must remain working all the time. If one of these nodes is down for any reason, it breaks the network into segments and the communication among the nodes in different segments is disrupted. Hence these nodes make the network unreliable. In this paper, we have designed a heuristic which has the capability to handle a single failure of node. The algorithm adds minimal number of new communication links between the nodes so that a single node failure does not disrupt communication among communicating nodes. 2 Basic Outline The various network designs common in use are ring topology, star topology, mesh topology, bus topology [1][4][5]. All these topology designs have their own advantages and disadvantages. Ring topology does not contain any points of failure. Bus topology on the other hand, has many points of failure. Star topology contains a single E. Corchado et al. (Eds.): CISIS 2008, ASC 53, pp. 219–226, 2009. © Springer-Verlag Berlin Heidelberg 2009 springerlink.com 220 R. Gupta and S. Agarwal point of failure, the failure of which disrupts communication between any pair of communicating nodes. Points marked P in figure 2 are the points of failure in the network design. Star topology and bus topology are least reliable from the point of view of failure of a single communication node in the network. In star topology, there is always one point of failure, the failure of which breaks the communication between all pairs of nodes and no nodes can communicate further. In a network of n nodes connected by bus topology, there are (n-2) points of failure. Ring topology is most advantageous and has no points of failure. For a reliable network, there must be no point of failure in the network design. These points of failure can be made safe by adding new communication links between nodes in the network. In this paper, we have presented an algorithm which finds the points of failure in a given network design. The paper further presents a heuristic which adds minimal number of communication links in the network to make it reliable. This ensures the removal of points of failure with least possible cost. 3 Algorithm for Making Network Reliable In this paper, we have designed an algorithm to find the points of failure in the network and an algorithm for converting these failure points into non failure points by the addition of minimal number of communication links. 3.1 New Terms Coined We have coined the following terms which aid in the algorithm development and network design understanding. N – Nodes of the Network E – Links in the Network P – Set of Points of Failure S – Set of Safe Network Components Pi – Point of Failure Si – Safe Network Component Si(a) – Safe Network Component Attached to the Failure Point ‘a’ B – Set of all Safe Network Components each having a Single Point of Failure in the Original Network Bi – A Safe Network Component having a Single Point of Failure in the Original Network |B| - Cardinality of Set B Fi – Point of Failure Corresponding to the Original Network in the member ‘Bi’ NFi – Non Failure Point corresponding to the Original Network in the member ‘Bi’ L – Set of New Communication Links Added Li – A New Communication Link C – Matrix List for the Components Reachable dfn(i) – Depth First Number of the node ‘i’ low(i) – Lowest Depth First Number of the Node Reachable from ‘i’. A Novel Algorithm for Freeing Network from Points of Failure 221 The points of failure are the nodes in the network, the failure of any of which breaks the network into isolated segments which can not have any communication among each other. A safe network component is the maximal subset of the connected nodes from the complete network which do not contain any point of failure. The safe component can handle a single failure occurring at any of its node within the subset. We have developed an algorithm which finds the minimal number of communication links to be added to the network to make the network capable of handling a single failure of any node. A safe component may have more than one point of failure in the original network. The algorithm considers the components having only a single point of failure differently. ‘B’ is the set of all safe components having only a single point of failure in the original network. ‘Fi’ is the point of failure in the original network design. ‘C’ corresponds to the matrix having the reachable components. Each Row in the matrix corresponds to the components reachable through one outgoing link from the point of failure. All the components having single point of failure and occurring on one outgoing link corresponds to the representatives in each row. The new communication links added in the network are collected in the set ‘L’. The set contains the pairs of nodes between which links must be added to make network free of points of failure. Fig. 1. (a) An example network design, (b) Safe components in the design 3.2 Algorithm for Finding Points of Failure and Safe Components To find all the points of failure in the network, we use depth first search [7][8] technique starting from any node in the network. Nodes that are reachable through more than one path become part of the safe component and the ones which are connected through only one path are vulnerable and the communication can get disrupted because of any one node in the single path of communication available for the node. The network is represented by a matrix of nodes connected to each other with edges representing the communication links. Each node of the network is numbered sequentially in the depth first search order starting from 0. This forms the dfn of each node. The unmarked nodes reachable from a node are called the child of each node and the node itself becomes the parent of those child nodes. The algorithm finds the low of each node and the points of failure in the network design and all the safe components in the network. The algorithm finds the safe components and all points of failure in the network. The starting node is a pint of failure if some unmarked nodes remain even on fully exploring any one single path from the node. 222 R. Gupta and S. Agarwal 3.3 Algorithm for Finding Points of Failure and Safe Components In this section, we describe our algorithm for the conversion of points of failure into non failure points by the addition of new communication links. The algorithm adds minimal number of new links which ensures least possible cost to make the network reliable. The algorithm is based on the concept that the safe components having more than one point of failure are necessarily connected to a safe component having only one point of failure directly or indirectly. Thus this component can become a part of larger safe component through more than one path which originates from any of the points of failure in the original network present in the component. Thus if the component having only one point of failure in the original network is made a part of larger safe component, the component having more than one point of failure is made safe itself. The algorithm finds new links to be added for making the safe component larger and larger and thus finally including all the nodes of the network making the complete network safe. When the maximal component that is safe consists of all the nodes of the network, the whole network is made safe and all points of failure are removed. The following steps are followed in order. 1. Initially the set L = ∅ is taken. 2. P, the set of points of failure is found using algorithm described in section 3.2. The algorithm also finds all safe components of the network and adds them to the set S. Each of the Si has a copy of failure point within it. Hence, the failure points are replicated in each component. A Novel Algorithm for Freeing Network from Points of Failure 223 3. Find the subset B of safe components having only single point of failure in the original network by using set S and set P found in step 2. Let each of these component members be B1, B2, B3,…. , Bk. These Bi`s are mutually disjoint with respect to non failure points. 4. Each of the components Bi has at least one non failure point. Any non failure point node is named as NFi and taken as the representative of the component Bi. 5. The failure point present in maximum number of safe components is chosen i.e, the node, the failure of which creates maximum number of safe components is chosen. Let it be named ‘s’. 6. Let S1(s), S2(s), S3(s),…. Sm(s) be all the safe components having the failure point ‘s’. Each of these components may have one or more points of failure corresponding to the original network. If the component has more than one point of failure, other safe components are reachable from these safe components through points of failure other than ‘s’. 7. Now we create the lists of components reachable from point of failure‘s’. For each Sj(s), j=1, 2,… m, if the component contains only one point of failure, add the representative of this component to the list as the next row element and if the component contains more than one point of failure, then the reachable safe components having only one point of failure are taken and their representatives are added to the list C. These components are found by going using depth search from this component. All the components that are reachable from the same component are considered for the same row and their corresponding representatives are added in the same row in the matrix C. The number of elements in each row of matrix C corresponds to the number of components that are reachable from the point of failure ‘s’ through that one outgoing link. It is to be noted here that the components having one point of failure only are considered for the algorithm. Now we have a row for each Sj(s), j=1, 2,… m. Thus the number of rows in matrix C is m. 8. The number of elements in each row of matrix C corresponds to the number of components that are reachable from the point of failure ‘s’ through that one outgoing link. It is to be noted that each component is represented just by a non failure point representative. Arrange the matrix rows in non decreasing order based on the size of the row i.e, on the basis of the number of elements in each row. 9. If all Ci(s) `s are of size 1, pair the only member of each row with the only member of next row. Here pairing means adding a communication link between the non failure point members acting as representatives of their corresponding components. Thus giving (k-1) new communication links to be added to the network for ‘k’ members. Add all these edges to set L, the set of all new communication links and exit from the algorithm. If the size of some Ci(s) `s is greater than 1, start with the last list Ci ( the list of the maximum size). For every k>=2, pair the kth element of this row with the (k-1) th element of the preceding row (if it exists). Here again pairing means addition of a communication link between the representative nodes. Remove these paired up elements from the lists and the lists are contracted. 10.Now if more than one element is left in the second last list, shift the last element from this list to the last list and append to the last list. 11.If the number of non empty lists is greater than one, go to step 8 for further processing. If the size of the last and the only left row is one, pair its only member with any of the non failure points in the network and exit from the algorithm. If the 224 R. Gupta and S. Agarwal last and the only row left have only two elements left in it, then pair the two representatives and exit from the algorithm. If the size of the last and the only left row is greater than two, add the edges from set L into the network design and repeat the algorithm from step 2 on updated network design. Since in every iteration of the algorithm at least one communication link is added to set L and only finite number of edges are added, the algorithm will terminate in finite number of steps. The algorithm ensures that there are at least two paths between any pair of nodes in the network. Thus, because of multiple paths of communication between any pair of nodes, the failure of any one of the node does not effect the communication between any other pair of nodes in the network. Thus the algorithm makes the points of failure in the original network safe by adding minimal number of communication links. 4 Theoretical Results and Proofs In this section, we describe the theoretical proofs for the correctness of the algorithm and sufficiency of the number of the new communication links added. Further, the lower and upper bounds on the number of links added to the network are proved. Theorem 1. If | B | = k, i.e., there are only k safe network components having only one point of failure in the original network, then the number of new edges necessary to make all points of failure safe varies between ⎡k/2⎤ and (k-1) both inclusive. Proof: Each safe component Bi has only point of failure corresponding to the original network. Failure of this node will separate the whole component Bi from remaining part of the network. Thus, for having communication from any node of this component Bi with any other node outside of Bi, at least one extra communication link is required to be added with this component. This argument is valid for each Bi. Thus at least one extra edge is to be added from each of the component Bi. This needs at least ⎡k/2⎤ extra links to be added each being incident on a distinct pair of Bi’s. This forms the lower bound on the number of links to be added to make the points of failure safe in the network design. Fig. 2. (a) and (b) Two Sample Network Designs In figure 2(a), there are k = 6 safe components each having only one point of failure and thus requiring k/2 = 3 new links to be added to make all the points of failure safe. It is easy to see that k/2 = 3 new links are sufficient to make the network failure free. A Novel Algorithm for Freeing Network from Points of Failure 225 Now, we consider the upper bound on the number of new communication links to be added to the network. This occurs when | B | = | S | = k, i.e, when each safe components in the network contain only one point of failure. Since, there is no safe component which can become safe through more than one path. Thus all the safe components are to be considered by the algorithm. Thus, it requires the addition of (k1) new communication links to join ‘k’ safe components. Theorem 2. If the edges determined by the algorithm are added to the network, the nodes will keep on communicating even after the failure of any single node in the network. Proof: We arbitrarily take 2 nodes ‘x’ and ‘y’ from the set ‘N’ of the network. Now we show that ‘x’ and ‘y’ can communicate even after the failure of any single node from the network. CASE 1: If the node that fails is not a point of failure, ‘x’ and ‘y’ can continue to communicate with each other. CASE 2: If the node that fails is a point of failure and both ‘x’ and ‘y’ are in the same safe component of the network, then by the definition of safe component ‘x’ and ‘y’ can still communicate because the failure of this node has no effect on the nodes that are in the same safe component. CASE 3: If the node that fails is a point of failure and ‘x’ and ‘y’ are in different safe components and ‘x’ and ‘y’ both are members of safe components in set ‘B’. We know that the algorithm makes all members of set ‘B’ safe by using only non failure points of each component so the failure of any point of failure will not effect the communication of any node member of the safe component formed. This is because the algorithm has already created an alternate path for each of the node in any of the safe member. CASE 4: If the node that fails is a point of failure and ‘x’ and ‘y’ are in different safe components and ‘x’ is a member of component belonging to set ‘B’ and ‘y’ a member of component belonging to set ‘(S-B)’. Now we know that any node occurring in any member of set ‘(S-B)’ is connected to at least 2 points of failure in the safe component and through each of these points of failure we can reach to a member of set ‘B’. So even after deletion of any point of failure, ‘y’ will remain connected with at least one member of set B. The algorithm has already connected all the members of set ‘B’ by finding new communication links, hence ‘x’ and ‘y’ can still communicate with each other. CASE 5: If the node that fails is a point of failure and ‘x’ and ‘y’ are in different safe components and both ‘x’ and ‘y’ belong to components that are members of set ‘(S-B)’. Now each member of set ‘(S-B)’ has at least 2 points of failure. So after the failure of any one of the failure point, ‘x’ can send message to at least one component that is a member of set ‘B’. Similarly, ‘y’ can send message to at least one component that is a member of set ‘B’. Now, the algorithm has already connected all the components belonging to set ‘B’, so ‘x’ and ‘y’ can continue to communicate with each other after the failure of any one node. After the addition of links determined by the algorithm, there exist multiple paths of communication between any pair of communicating nodes. Thus, no node is dependent on just one path. 226 R. Gupta and S. Agarwal Theorem 3. The algorithm provides the minimal number of new communication links to be added to the network to make it capable of handling any single failure. Proof: The algorithm considers only the components having a single point of failure corresponding to the original network. Since | B | = k, thus it requires at least ⎡k/2⎤ new communication links to be added to pair up these k components and making them capable of handling single failure of any node in the network. Thus adding less than ⎡k/2⎤ new communication links can never result in safe network. Thus the algorithm finds minimal number of new communication links as shown by the example discussed in theorem 1. In all the steps of the algorithm, except the last, only one link is added to join 2 members of set ‘B’ and these members are not further considered for the algorithm and hence do not generate any further edge in set ‘L’. In the last step, when only one vertical column of x rows with each row having single member is left, then (x-1) new links are added. These members have the property that only single point of failure ‘s’ can separate these into x disjoint groups, hence addition of (x-1) links is justified. When only single row of just one element is left, this can only be made safe by joining it with any one of the non failure nodes. Hence, the algorithm adds minimal number of new communication links to make the network. 5 Conclusion and Future Research This paper described an algorithm for making points of failure safe in the network. The new communication links determined by the algorithm are minimal and guarantees to make the network capable of handling a single failure of any node. The algorithm guarantees at least two paths of communication between any pair of nodes in the network. References 1. Tanenbaum, A.S.: Computer Networks, 4th edn. Pearson Education, London (2004) 2. Pearlman, R.: Interconnections: Bridges, Routers, Switches, and Internetworking Protocols, 2nd edn. Pearson Education, London (2006) 3. Kamiyana, N.: Network Topology Design Using Data Envelopment Analysis. In: IEEE Global Telecommunications Conference (2007) 4. Dengiz, B., Altiparmak, F., Smith, A.E.: Efficient optimization of all-terminal reliable networks, using an evolutionary approach. IEEE Transactions on Reliability 46(1), 18–26 (1997) 5. Mandal, S., Saha, D., Mukherjee, R., Roy, A.: An efficient algorithm for designing optimal backbone topology for a communication network. In: International Conference on Communication Technology, vol. 1, pp. 103–106 (2003) 6. Ray, G.A., Dunsmore, J.J.: Reliability of network topologies. In: IEEE INFOCOM 1988 Networks, pp. 842–850 (1988) 7. Horowitz, E., Sahni, S., Anderson-Freed, S.: Fundamentals of Data Structures in C, 8th edn. Computer Science Press (1998) 8. Cormen, T.H., Leiserson, C.E., Rivest, R.L., Stein, C.: Introduction to Algorithms, 2nd edn. Prentice-Hall, India (2004) A Multi-biometric Verification System for the Privacy Protection of Iris Templates S. Cimato, M. Gamassi, V. Piuri, R. Sassi, and F. Scotti Dipartimento di Tecnologie dell’Informazione, Università di Milano, Via Bramante, 65 – 26013 Crema (CR), Italy {cimato,gamassi,piuri,sassi,fscotti}@dti.unimi.it Abstract. Biometric systems have been recently developed and used for authentication or identification in several scenarios, ranging from institutional purposes (border control) to commercial applications (point of sale). Two main issues are raised when such systems are applied: reliability and privacy for users. Multi-biometric systems, i.e. systems involving more than a biometric trait, increase the security of the system, but threaten users’ privacy, which are compelled to release an increased amount of sensible information. In this paper, we propose a multi-biometric system, which allows the extraction of secure identifiers and ensures that the stored information does not compromise the privacy of users’ biometrics. Furthermore, we show the practicality of our approach, by describing an effective construction, based on the combination of two iris templates and we present the resulting experimental data. 1 Introduction Nowadays, biometric systems are deployed in several commercial, institutional, and forensic applications as a tool for identification and authentication [1], [2]. The advantages of such systems over traditional authentication techniques, like the ones based on the possession (of a password or a token), come from the fact that identity is established on the basis of physical or behavioral characteristics of the subject taken into consideration and not on something he/she carries. In fact, biometrics cannot be lost or stolen, they are difficult to copy or reproduce, and in general they require the presence of the user when the biometric authentication procedure takes place. However, side to side with the widespread diffusion of biometrics an opposition grows towards the acceptance of the technology itself. Two main reasons might motivate such resistance: the reliability of a biometric system and the possible threatens to users’ privacy. In fact, a fault in a biometric system, due to a poor implementation or to an overestimation of its accuracy could lead to a security breach. Moreover since biometric traits are permanently associated to a person, releasing the biometric information acquired during the enrollment can be dangerous, since an impostor could reuse that information to break the biometric authentication process. For this reason, privacy agencies of many countries have ruled in favor of a legislation which limits the biometric information that can be centrally stored or carried on a personal ID. For example, templates, e.g. mathematical information derived from a fingerprint, are retained instead of the picture of the fingerprint itself. Also un-encrypted biometrics are discouraged. E. Corchado et al. (Eds.): CISIS 2008, ASC 53, pp. 227–234, 2009. springerlink.com © Springer-Verlag Berlin Heidelberg 2009 228 S. Cimato et al. A possible key to enhance the reliability of biometric systems might be that of simultaneously using different biometric traits. Such systems are termed in literature multi-biometric [3] and they usually rely on a combination of one of several of the followings: (i) multiple sensors, (ii) multiple acquisitions (e.g., different frames/poses of the face), (iii) multiple traits (e.g., an eye and a fingerprint), (iv) multiple instances of the same kind of trait (e.g., left eye, and right eye). As a rule of thumb, the performances of two of more biometric systems which each operate on a single trait might be enhanced when the same systems are organized in a single multimodal one. This is easy to understand if we refer to the risk of admitting an impostor: two or more different subsequent verifications are obviously more difficult to tamper with than a single one (AND configuration). But other less obvious advantages might occur. Population coverage might be increased, for example, in an OR configuration since some individuals could not have one biometric traits (illnesses, injuries, etc.). Or the global fault tolerance of the system might be enhanced in the same configuration, since, if one biometric subsystem is not working properly (e.g., a sensor problem occurred), the multimodal system can still keep working using the remaining biometric submodules. On the other hand, the usage of multimodal biometric systems has also some important drawbacks related to the higher cost of the systems, and user perception of larger invasiveness for his/her privacy. In the following, we will derive a multi-biometric authentication system which limits the threats posed to the privacy of users while still benefiting from the increase reliability of multiple biometrics. It was introduced in [4] and it is based on the secure sketch, a cryptographic primitive introduced by Dodis et al. in [5]. In fact, a main problem in using biometrics as cryptographic keys is their inherent variability in subsequent acquisitions. The secure sketch absorbs such variability to retrieve a fixed binary string from a set of similar biometric readings. In literature biometric authentication schemes based on secure sketches have been presented and applied to face and iris biometrics [6], [7]. Our proposal is generally applicable to a wider range of biometric traits and, compared to previous works, exploits multimodality in innovative way. In the following we describe the proposed construction and show its application to the case where two biometrics are used, the right and left iris. Iris templates are extracted from the iris images and used in the enrolment phase to generate a secure identifier, where the biometric information is protected and any malicious attempt to break the users’ privacy is prevented. 2 A Multimodal Sketch Based (MSB) Verification Scheme The MSB verification scheme we propose is composed of two basic modules: the first one (enroll module) creates an identifier (ID) for each user starting from the biometric samples. The ID can then be stored and must be provided during the verification phase. The second one, the (verification module) performs the verification process starting from the novel biometric readings and the information contained into the ID. Verification is successful if the biometric matching succeeds when comparing the novel reading with the stored biometrics, concealed into the ID. A Multi-biometric Verification System for the Privacy Protection of Iris Templates 229 2.1 Enrollment Module The general structure of the enroll module is depicted in Figure 1 in its basic configuration where the multimodality is restricted at two biometrics. The scheme can be generalized and we refer the reader to [5] for further details. First, two independent biometrics are acquired and processed with two feature extraction algorithms F1 and F2 to extract sets of biometric features. Each set of features is then collected into a template, a binary string. We refer to each template as I1 and I2. The feature extraction algorithms can be freely selected; they represent the single biometric systems which compose the multimodal one. Let us denote with ri the binary tolerable error rate of each biometric subsystem, i.e., the rate of bits in the templates which could be modified without affecting the biometric verification of the subject. The second biometric feature I2 is given as input to a pseudo random permutation block, which returns a bit string of the same length, having almost uniform distribution. δ I1 I2 Pseudo-Random Permutation Error Correction Encoding {H( ), δ} ID Hash Function H(I2) Fig. 1. The MSB Enroll Module The string is then encoded by using an error correcting code and the resulting codeword c is xored with the other biometric feature I1 to obtain δ. Given N1, the bitlength of I1, the code must be selected so that it corrects at most r1N1 single bit errors on codewords which are N1 bits long. Finally, I2 is given as input to a hash function and the digest H(I2), together with δ, and other additional information possibly needed (to invert the pseudo random permutation) are collected and published as the identifier of the enrolled person. 2.2 Verification Module Figure 2 shows the structure of the verification module. Let us denote with I’1 and I’2 the biometric features freshly collected. The ID provided by the subject is split into δ, the hash H(I2) and the key needed to invert the pseudo random permutation. A corrupted version of the codeword c, concealed at enrollment, is retrieved by xoring the fresh reading I’1 with δ. Under the hypothesis that both readings I1 and I’1 belong to the same subject, the corrupted codeword c’ and c should differ for at most r1 bits. Thus the subsequent application of the error correcting decoding and of the inverse pseudo random permutation, should allow the exact reconstruction of the original reading I2. 230 S. Cimato et al. Verification SubModule ID {H( ), δ} ==? H(I2) δ I 1’ Error Correction Decoding Inverse Pseudo-Random Permutation Hash Function Biometric matching I2’ Enable Yes/No Fig. 2. The MSB Verification Module The identity of the user is verified in two steps. First a check is performed to compare the hash of the retrieved value for I2 with the value H(I2) stored into the identifier. If the check succeeds it means that the readings of the first biometric trait did not differ more than what permitted by the biometric employed. Then a second biometric matching is performed using as input the retrieved value of I2 and the fresh biometric reading I’2. The authentication is successful when also this second match is positive. 3 Experimental Data and Results 3.1 Dataset Creation The proposed scheme has been tested by using the public CASIA dataset [8]. (version 1.0) which contains seven images of the same eye obtained from 108 subjects. The images were collected by the Chinese Academy of Science waiting at least one month between two capturing stages using near infrared light for illumination (3 images during the first session and 4 for the second one). We used the first 3 images in the enroll operations, and the last 4 images in the verification phase. At the best of our knowledge, there is no public dataset containing the left and right eyes sample of each individual with the sufficient iris resolution to be effectively used in identification tests. For this reason we synthetically created a new dataset by composing two irises of different individuals taken from the CASIA dataset. Table 1 shows the details of the composition method used to create the synthetic dataset from the CASIA samples. The method we used to create the dataset can be considered as a pessimistic estimation of real conditions, since the statistical independence of the features extracted from the iris samples coming from the left and right eye of the same individual is likely to be equal or lower than the one related to the eyes coming from different individuals. In the literature it has been showed that the similarities of the iris templates A Multi-biometric Verification System for the Privacy Protection of Iris Templates 231 Table 1. Creation of the synthetic dataset CASIA Individual Identifier 001 002 CASIA File Name Enroll/ Validation 001_1_1.bmp 001_1_2.bmp 001_1_3.bmp 001_2_1.bmp … 001_2_4.bmp 002_1_1.bmp 002_1_2.bmp 002_1_3.bmp 002_2_1.bmp … 002_2_4.bmp Enroll Enroll Enroll Validation … Validation Enroll Enroll Enroll Validation … Validation Synthetic DB Individual Identifier 01 Notes Right eye, Enroll, Sample 1 Right eye, Enroll, Sample 2 Right eye, Enroll, Sample 3 Right eye, Validation, Sample 1 … Right eye, Validation, Sample 4 Left eye, Enroll, Sample 1 Left eye, Enroll, Sample 2 Left eye, Enroll, Sample 3 Left eye, Validation, Sample 1 … Left eye, Validation, Sample 4 coming from the left and right eyes of the same individuals are negligible when Iriscodes templates are used [9]. 3.2 Template Creation The iris templates of the left and right eyes were computed using the code presented in [10] (a completely open implementation which builds over the original ideas of Daugman [9]). The code has been used to obtain the iris codes of the right and left eye of each individual present in the synthetic database. The primary biometric template I1 has been associated to the right eye of the individual by using a 9600 bits wide iris template. As suggested in [10], the 9600 bits have been obtained by processing the iris image with a radial resolution (the number of points selected along a radial line) of 20. The author suggested for the CASIA database a matching criterion with a separation point of r1 = 0.4 (Hamming distance between two different iris templates). Using such a threshold, we independently verified that the algorithm was capable of a false match rate (FMR, the probability of an individual not enrolled being identified) and false non-match rate (FNMR, the probability of an enrolled individual not being identified by the system) of 0.028% and 9.039%, respectively using the CASIA version 1.0 database. Such rates rise to 0.204% and 16.799% respectively if the masking bits are not used. The masking bits mark bits in the iris code which should not be considered when evaluating the Hamming distance between different patterns due to reflections, eyelids and eyelashes coverage, etc. Due to security issues, we preferred to not include the masking bits of the iris code in the final templates since the distribution of zero valued bits in the masks is far from being uniform. The higher FNMR compared with the work of [10] can be explained by considering that using the adopted code failed segmentations of the pupil were reported to happen in the CASIA database in 17.4% of the cases. 3.3 Enroll and Verification Procedures The enroll procedure for the right eye has been executed according to the following steps. The three iris codes available in the enroll phase (Table 1) of each individual 232 S. Cimato et al. (D) ROC Comparison (Linear scale) (A) Right Eye System: 9600 bits 1 20 0.8 10 0.6 0 FNMR Freq. 30 0 0.2 0.4 0.6 0.8 Match score (B) Left Eye System: 1920 bits 1 0.4 0.2 Freq. 15 0 0 10 0.2 0.4 0.6 0.8 1 FMR 5 0 (E) ROC Comparison (Logartimic scale) 0 0.2 0.4 0.6 Match score (C) Proposed Scheme 0.8 0 FNMR 20 Right Eye 9600 bits Left Eye 1920 bits Proposed Scheme 10 1 30 Freq. Right Eye 9600 bits Left Eye 1920 bits Proposed Scheme -1 10 10 0 0 0.2 0.4 0.6 Match score 0.8 1 -3 10 -2 -1 10 10 0 10 FMR Fig. 3. Impostor and genuine frequency distributions of the iris templates composed by 9600 bits (A) and 1920 bits (B) using the synthetic dataset and for the proposed scheme (C and D respectively). The corresponding FNMR versus FMR are plotted in linear (D) and logarithmic scale (E). were evaluated for quality, in term of number of masking bits. The iris code with the highest “quality” was retained for further processing. The best of three approach was devised to avoid that segmentation errors might further jeopardize the verification stage. Then, the remaining enroll phases were performed according to the description previously made. A Reed-Solomon [9600,1920,7681]m=14 correction code has been adopted with n1 = 9600 and r1 = 0.4. In such set up, the scheme allows for up to k = 1920 bits for storing the second biometric template. If list decoding is taken into consideration the parameters should be adapted to take into account the enhanced error correcting rate of the list decoding algorithm. The former has been chosen by selecting the available left iris template with highest quality (best of three method) in the same fashion adopted for the right eye. Using this approach, a single identifier ID has been created for every individual present in the synthetic dataset. In particular, the shorter iris code was first subjected to a pseudo random permutation (we used AES in CTR mode) and then it was encoded with the RS code and then xored with the first one to obtain δ. Note that the RS codewords are 14 bits long. The unusual usage of the RS code (here we didn’t pack the bits in the iris code to form symbols, as in typical industrial application) is due to the fact that here we want to correct “at most” a certain number of error (and not “at least”). Each bit of the iris code was then inserted in a separate symbol adding random bits to complete the symbols. Finally an hash value of the second biometric template was computed to get the final ID with δ. In the implementation we used the hash function SHA-1 (Java JDK 6). A Multi-biometric Verification System for the Privacy Protection of Iris Templates 233 In the verification procedure, the left eye related portion was processed only if one of the iris codes was able to unlock the first part of the scheme. Otherwise the matching was considered as failed, and a maximum Hamming distance of 1 was associated to the failed matching value. If the first part of the scheme was successful, the recovered left eye template was matched by using a classical biometric system with the left eye template selected for the validation. The Hamming distance between the two strings is used to measure the distance between the considered templates. The best of four strategy is applied using the four left eye images available in the validation partition of the synthetic dataset. 3.4 Experimental Results for the Proposed Scheme The performances of the proposed method are strictly related to the performance of the code that constructs the iris templates. As such, a fair comparison should be done by considering as reference the performances of the original iris code system working on the same dataset. If we adopt the original iris templates of 9600 and 1920 bits by using the same enroll and verification procedure in a traditional fashion (best of three in verification, best of four in verification, no masking bits), we obtain the system behaviors described in Figure 3. The right eye system (9600 bits) has good separation between the genuine and impostor distributions and it achieves an equal error rate (ERR, the value of the threshold used for matching at which FMR equals FNMR) that can be estimated to about 0.5% on the synthetic dataset. The left eye system is working only with 1920 bits and achieves a worst separation between the two populations. The corresponding EER has been estimated to be equal to 9.9%. On the other hand, our multimodal scheme achieves an EER that can be estimated to be equal to 0.96%, and shows then an intermediate behavior between the ROC curves of each single biometric system based on the right or on the left eye (Figure 3). For a wide portion of the ROC curve, the proposed scheme achieves a better performance with respect to the right eye biometric system. That behavior is common for traditional multimodal systems where, very often, the multimodal system can work better than the best single biometric sub-system. The proposed scheme seem to show this interesting property and the slightly worse EER with respect to the best single biometric system (right eye, 9600 bits) is balanced by the protection of the biometric template. We may suppose that the small worsening for the EER is related to the specific code we used to compute the iris code templates and that it might be ameliorated by selecting a different code. Further experiments with enlarged datasets, different coding algorithms and error correction codes will be useful to validate the generality of the discussed results. 4 Conclusions In this work we proposed a method based on the secure sketch cryptographic primitive to provide an effective and easily deployable multimodal biometric verification system. Privacy of user templates is guaranteed by the randomization transformations which avoid any attempt to reconstruct the biometric features from the public identifier, preventing thus any abuse of biometric information. We also showed the 234 S. Cimato et al. feasibility of our approach, by constructing a biometric authentication system that combines two iris biometrics. The experiments confirm that only the owner of the biometric ID can “unlock” her/his biometric templates, once fixed proper thresholds. More complex systems, involving several biometric traits as well as traits of different kinds will be object of further investigations. Acknowledgments. The research leading to these results has received funding from the European Community’s Seventh Framework Programme (FP7/2007-2013) under grant agreement n° 216483. References 1. Jain, A.K., Ross, A., Pankanti, S.: Biometrics: A tool for information security. IEEE Trans. on information forensics and security 1(2), 125–143 (2006) 2. Uludag, U., Pankanti, S., Prabhakar, S., Jain, A.: Biometric cryptosystems: Issues and challenges. Proceedings of the IEEE, Special Issue on Enabling Security Technologies for Digital Rights Management 92, 948–960 (2004) 3. Snelick, R., Uludag, U., Mink, A., Indovina, M., Jain, A.K.: Large scale evaluation of multi-modal biometric authentication using state of the art systems. IEEE Trans. Pattern Analysis and Machine Intelligence 27(3), 450–455 (2005) 4. Cimato, S., Gamassi, M., Piuri, V., Sassi, R., Scotti, F.: A biometric verification system addressing privacy concerns. In: IEEE International Conference on Computational Intelligence and Security (CIS 2007), pp. 594–598 (2007) 5. Dodis, Y., Ostrovsky, R., Reyzin, L., Smith, A.: Fuzzy extractors: How to generate strong keys from biometrics and other noisy data, Cryptology Eprint Archive, Tech. Rep. 2006/235 (2006) 6. Bringer, J., Chabanne, H., Cohen, G., Kindari, B., Zemor, G.: An application of the goldwasser-micali cryptosystem to biometric authentication. In: Pieprzyk, J., Ghodosi, H., Dawson, E. (eds.) ACISP 2007. LNCS, vol. 4586, pp. 96–106. Springer, Heidelberg (2007) 7. Sutcu, Y., Li, Q., Memon, N.: Protecting biometric templates with sketch: Theory and practice. IEEE Trans. on Information Forensics and Security 2(3) (2007) 8. Chinese Academy of Sciences: Database of 756 greyscale eye images; Version 1.0 (2003), http://www.sinobiometrics.com/IrisDatabase.htm 9. Daugman, J.G.: High confidence visual recognition of persons by a test of statistical independence. IEEE Trans. on Pattern Analysis and Machine Intelligence 15, 1148–1161 (1993) 10. Masek, L.: Recognition of human iris patterns for biometric identification. Bachelor’s Thesis, School of Computer Science and Software Engineering, University of Western Australia (2003) Score Information Decision Fusion Using Support Vector Machine for a Correlation Filter Based Speaker Authentication System Dzati Athiar Ramli, Salina Abdul Samad, and Aini Hussain Department of Electrical, Electronic and Systems Engineering, Faculty of Engineering, University Kebangsaan Malaysia, 43600 Bangi Selangor, Malaysia [email protected], [email protected], [email protected]. Abstract. In this paper, we propose a novel decision fusion by fusing score information from multiple correlation filter outputs of a speaker authentication system. Correlation filter classifier is designed to yield a sharp peak in the correlation output for an authentic person while no peak is perceived for the imposter. By appending the scores from multiple correlation filter outputs as a feature vector, Support Vector Machine (SVM) is then executed for the decision process. In this study, cepstrumgraphic and spectrographic images are implemented as features to the system and Unconstrained Minimum Average Correlation Energy (UMACE) filters are used as classifiers. The first objective of this study is to develop a multiple score decision fusion system using SVM for speaker authentication. Secondly, the performance of the proposed system using both features are then evaluated and compared. The Digit Database is used for performance evaluation and an improvement is observed after implementing multiple score decision fusion which demonstrates the advantages of the scheme. Keywords: Correlation Filters, Decision Fusion, Support Vector Machine, Speaker Authentication. 1 Introduction Biometric speaker authentication is used to verify a person’s claimed identity. Authentication system compares the claimant’s speech with the client model during the authentication process [1]. The development of a client model database can be a complicated procedure due to voice variations. These variations occur when the condition of the vocal tract is affected by the influence of internal problems such as cold or dry mouth, and also by external problems, for example temperature and humidity. The performance of a speaker authentication system is also affected by room and line noise, changing of recording equipment and uncooperative claimants [2], [3]. Thus, the implementation of biometric systems has to correctly discriminate the biometric features from one individual to another, and at the same time, the system also needs to handle the misrepresentations in the features due to the problems stated. In order to overcome these limitations, we improve the performance of speaker authentication systems by extracting more information (samples) from the claimant and then executing fusion techniques in the decision process. E. Corchado et al. (Eds.): CISIS 2008, ASC 53, pp. 235–242, 2009. © Springer-Verlag Berlin Heidelberg 2009 springerlink.com 236 D.A. Ramli, S.A. Samad, and A. Hussain So far there are many fusion techniques in literature that have been implemented in biometric systems for the purpose of enhancing the system performance. These include the fusion of multiple-modalities, multiple-classifiers and multiple-samples [4]. Teoh et. al. in [5] proposed a combination of features of face modality and speech modality so as to improve the accuracy of biometric authentication systems. Person identification based on visual and acoustic features has also been reported by Brunelli and Falavigna in [6]. Suutala and Roning in [7] used Learning Vector Quantization (LVQ) and Multilayer Perceptron (MLP) as classifiers for footstep profile based person identification whereas in [8], Kittler et.al. utilized Neural Networks and Hidden Markov Model (HMM) for hand written digit recognition task. The implementation of multiple-sample fusion approach can be found in [4] and [9]. In general, these studies revealed that the implementation of the fusion approaches in biometric systems can improve system performance significantly. This paper focuses on the fusion of score information from multiple correlation filter outputs for a correlation filter based speaker authentication system. Here, we use scores extracted from the correlation outputs by considering several samples extracted from the same modality as independent samples. The scores are then concatenated together to form a feature vector and then Support Vector Machine (SVM) is executed to classify the feature vector as either authentic or imposter class. Correlation filters have been effectively applied in biometric systems for visual applications such as face verification and fingerprint verification as reported in [10], [11]. Lower face verification and lip movement for person identification using correlation filters have been implemented in [12], [13], respectively. A study of using correlation filters in speaker verification for speech signal as features can be found in [14]. The advantages of correlation filters are shift-invariance, ability to trade-off between discrimination and distortion tolerance and having a close-form expression. 2 Methodology The database used in this study is obtained from the Audio-Visual Digit Database (2001) [15]. The database consists of video and corresponding audio of people reciting digits zero to nine. The video of each person is stored as a sequence of JPEG images with a resolution of 512 x 384 pixels while the corresponding audio provided as a monophonic, 16 bit, 32 kHz WAV file. 2.1 Spectroghaphic Features A spectrogram is an image representing the time-varying spectrum of a signal. The vertical axis (y) shows frequency, the horizontal axis (x) represents time and the pixel intensity or color represents the amount of energy (acoustic peaks) in the frequency band y, at time x [16], [17]. Fig.1 shows samples of the spectrogram of the word ‘zero’ from person 3 and person 4 obtained from the database. From the figure, it can be seen that the spectrogram image contains personal information in terms of the way the speaker utters the word such as speed and pitch that is showed by the spectrum. 1 1 0.9 0.9 0.8 0.8 0.7 0.7 0.6 0.6 Frequency Frequency Score Information Decision Fusion Using Support Vector Machine 0.5 0.4 0.3 237 0.5 0.4 0.3 0.2 0.2 0.1 0.1 0 0 0 1000 2000 3000 4000 Time 5000 6000 7000 0 1000 2000 3000 4000 Time 5000 6000 7000 Fig. 1. Examples of the spectrogram image from person 3 and person 4 for the word ‘zero’ Comparing both figures, it can be observed that although the spectrogram image holds inter-class variations, it also comprises intra-class variations. In order to be successfully classified by correlation filters, we propose a novel feature extraction technique. The computation of the spectrogram is described below. a. Pre-emphasis task. By using a high-pass filter, the speech signal is filtered using the following equation: x (t ) = (s(t ) − 0.95) ∗ x (t − 1) (1) x ( t ) is the filtered signal, s( t ) is the input signal and t represents time. b. Framing and windowing task. A Hamming window with 20ms length and 50% overlapping is used on the signal. c. Specification of FFT length. A 256-point FFT is used and this value determines the frequencies at which the discrete-time Fourier transform is computed. d. The logarithm of energy (acoustic peak) of each frequency bin is then computed. e. Retaining the high energies. After a spectrogram image is obtained, we aim to eliminate the small blobs in the image which impose the intra-class variations. This can be achieved by retaining the high energies of the acoustic peak by setting an appropriate threshold. Here, the FFT magnitudes which are above a certain threshold are maintained, otherwise they are set to be zero. f. Morphological opening and closing. Morphological opening process is used to clear up the residue noisy spots in the image whereas morphological closing is the task used to recover the original shape of the image caused by the morphological opening process. 2.2 Cepstrumgraphic Features Linear Predictive Coding (LPC) is used for the acoustic measurements of speech signals. This parametric modeling is an approach used to match closely the resonant structure of the human vocal tract that produces the corresponding sounds [17]. The computation of the cepstrumgraphic features is described below. a. Pre-emphasis task. By using a high-pass filter, the speech signal is filtered using equation 1. b. Framing and windowing task. A Hamming window with 20ms length and 50% overlapping is used on the signal. c. Specification of FFT length. A 256-point FFT is used and this value determines the frequencies at which the discrete-time Fourier transform is computed. 238 D.A. Ramli, S.A. Samad, and A. Hussain d. Auto-correlation task. For each frame, a vector of LPC coefficients is computed from the autocorrelation vector using Durbin recursion method. The LPC-derived cepstral coefficients (cepstrum) are then derived that lead to 14 coefficients per vector. e. Resizing task. The feature vectors are then down sampled to the size of 64x64 in order to be verified by UMACE filters. 2.3 Correlation Filter Classifier Unconstrained Minimum Average Correlation Energy (UMACE) filters which evolved from Matched Filter are synthesized in the Fourier domain using a closed form solution. Several training images are used to synthesize a filter template. The designed filter is then used for cross-correlating the test image in order to determine whether the test image is from the authentic class or imposter class. In this process, the filter optimizes a criterion to produce a desired correlation output plane by minimizing the average correlation energy and at the same time maximizing the correlation output at the origin [10][11]. The optimization of UMACE filter equation can be summarized as follows, U mace = D −1m (2) D is a diagonal matrix with the average power spectrum of the training images placed along the diagonal elements while m is a column vector containing the mean of the Fourier transforms of the training images. The resulting correlation plane produce a sharp peak in the origin and the values at everywhere else are close to zero when the test image belongs to the same class of the designed filter [10][11]. Fig. 2 shows the correlation outputs when using a UMACE filter to determine the test image from the authentic class (left) and imposter class (right). 0.8 0.8 0.6 0.6 0.4 0.4 0.2 0.2 0 0 30 30 30 20 10 0 30 20 20 10 20 10 10 0 0 0 Fig. 2. Examples of the correlation plane for the test image from the authentic class (left) and imposter class (right) Peak-to-Sidelobe ratio (PSR) metric is used to measure the sharpness of the peak. The PSR is given by PSR = peak − mean σ (3) Here, the peak is the largest value of the test image yield from the correlation output. Mean and standard deviation are calculated from the 20x20 sidelobe region by excluding a 5x5 central mask [10], [11]. Score Information Decision Fusion Using Support Vector Machine 239 2.4 Support Vector Machine Support vector machine (SVM) classifier in its simplest form, linear and separable case is the optimal hyperplane that maximizes the distance of the separating hyperplane from the closest training data point called the support vectors [18], [19]. From [18], the solution of a linearly separable case is given as follows. Consider a problem of separating the set of training vectors belonging to two separate classes, {( ) ( )} D = x 1 , y1 ,... x L , y L , x ∈ ℜ n , y ∈ {− 1,−1} (4) with a hyperplane, w, x + b = 0 (5) The hyperplane that optimally separates the data is the one that minimizes φ( w ) = 1 w 2 2 (6) which is equivalent to minimizing an upper bound on VC dimension. The solution to the optimization problem (7) is given by the saddle point of the Lagrange functional (Lagrangian) φ( w , b, α) = L 1 2 w − ∑ α i ⎛⎜ y i ⎡ w , x i + b⎤ − 1⎞⎟ ⎢ ⎥⎦ ⎠ 2 i =1 ⎝ ⎣ (7) where α are the Lagrange multipliers. The Lagrangian has to be minimized with respect to w , b and maximized with respect to α ≥ 0 . Equation (7) is then transformed to its dual problem. Hence, the solution of the linearly separable case is given by, α* = arg min α L 1 L L ∑ ∑ αiα jyi y j xi , x j − ∑ αk 2 i =1 j=1 k =1 (8) with constrains, α i ≥ 0, i = 1,..., L and L ∑ α jy j = 0 j=1 (9) Subsequently, consider a SVM as a non-linear and non-separable case. Non-separable case is considered by adding an upper bound to the Lagrange multipliers and nonlinear case is considered by replacing the inner product by a kernel function. From [18], the solution of the non-linear and non-separable case is given as α* = arg min α ( ) L 1 L L ∑ ∑ α i α j yi y jK x i , x j − ∑ α k 2 i =1 j=1 k =1 (10) with constrains, 0 ≤ α i ≤ C, i = 1,..., L and L ∑ α j y j = 0 x (t ) = (s(t ) − 0.95) ∗ x (t − 1) j=1 (11) 240 D.A. Ramli, S.A. Samad, and A. Hussain Non-linear mappings (kernel functions) that can be employed are polynomials, radial basis functions and certain sigmoid functions. 3 Results and Discussion Assume that N streams of testing data are extracted from M utterances. Let s = {s1 , s 2 ,..., s N } be a pool of scores from each utterance. The proposed verification system is shown in Fig.3. a11 am1 ... Filter design 1 . . . . a1n amn ... Correlation filter Filter design n Correlation filter . . . . b1 FFT bn IFFT Correlation output psr1 . . . . . . . . FFT IFFT Correlation output psrn Support vector machine (polynomial kernel) (a11… am1 ) … (a1n … amn )– training data b1, b2 … bn – testing data m – number of training data n - number of groups (zero to nine) Decision Fig. 3. Verification process using spectrographic / ceptrumgraphic images For the spectrographic features, we use 250 filters which represent each word for the 25 persons. Our spectrographic image database consists of 10 groups of spectrographic images (zero to nine) of 25 persons with 46 images per group of size 32x32 pixels, thus 11500 images in total. For each filter, we used 6 training images for the synthesis of a UMACE filter. Then, 40 images are used for the testing process. These six training images were chosen based on the largest variations among the images. In the testing stage, we performed cross correlations of each corresponding word with 40 authentic images and another 40x24=960 imposter images from the other 24 persons. For the ceptrumgraphic features, we also have 250 filters which represent each word for the 25 persons. Our ceptrumgraphic image database consists of 10 groups of ceptrumgraphic images (zero to nine) of 25 persons with 43 images per group of size 64x64 pixels, thus 10750 images in total. For each filter, we used 3 training images for the synthesis of the UMACE filter and 40 images are used for the testing process. We performed cross correlations of each corresponding word with 40 authentic images and another 40x24=960 imposter images from the other 24 persons. Score Information Decision Fusion Using Support Vector Machine 241 For both cases, polynomial kernel has been employed for the decision fusion procedure using SVM. Table 1 below compares the performance of single score decision and multiple score decision fusions for both spectrographic and ceptrumgrapic features. The false accepted rate (FAR) and false rejected rate (FRR) of multiple score decision fusion are described in Table 2. Table 1. Performance of single score decision and multiple score decision fusion features spectrographic cepstrumgraphic single score 92.75% 90.67% multiple score 96.04% 95.09% Table 2. FAR and FRR percentages of multiple score decision fusion features spectrographic cepstrumgraphic FAR 3.23% 5% FRR 3.99% 4.91% 4 Conclusion The multiple score decision fusion approach using support vector machine has been developed in order to enhance the performance of a correlation filter based speaker authentication system. Spectrographic and cepstrumgraphic features, are employed as features and UMACE filters are used as classifiers in the system. By implementing the proposed decision fusion, the error due to the variation of data can be reduced hence further enhance the performance of the system. The experimental result is promising and can be an alternative method to biometric authentication systems. Acknowledgements. This research is supported by Fundamental Research Grant Scheme, Malaysian Ministry of Higher Education, FRGS UKM-KK-02-FRGS00362006 and Science Fund, Malaysian Ministry of Science, Technology and Innovation, 01-01-02-SF0374. References 1. Campbell, J.P.: Speaker Recognition: A Tutorial. Proceeding of the IEEE 85, 1437–1462 (1997) 2. Rosenberg, A.: Automatic speaker verification: A review. Proceeding of IEEE 64(4), 475– 487 (1976) 3. Reynolds, D.A.: An overview of Automatic Speaker Recognition Technology. Proceeding of IEEE on Acoustics Speech and Signal Processing 4, 4065–4072 (2002) 4. Poh, N., Bengio, S., Korczak, J.: A multi-sample multi-source model for biometric authentication. In: 10th IEEE on Neural Networks for Signal Processing, pp. 375–384 (2002) 5. Teoh, A., Samad, S.A., Hussein, A.: Nearest Neighborhood Classifiers in a Bimodal Biometric Verification System Fusion Decision Scheme. Journal of Research and Practice in Information Technology 36(1), 47–62 (2004) 242 D.A. Ramli, S.A. Samad, and A. Hussain 6. Brunelli, R., Falavigna, D.: Personal Identification using Multiple Cue. Proceeding of IEEE Trans. on Pattern Analysis and Machine Intelligence 17(10), 955–966 (1995) 7. Suutala, J., Roning, J.: Combining Classifier with Different Footstep Feature Sets and Multiple Samples for Person Identification. In: Proceeeding of International Conference on Acoustics, Speech and Signal Processing, pp. 357–360 (2005) 8. Kittler, J., Hatef, M., Duin, R.P.W., Matas, J.: On combining classifiers. Proceeding of IEEE Trans on Pattern Analysis and Machine Intelligence 20(3), 226–239 (1998) 9. Cheung, M.C., Mak, M.W., Kung, S.Y.: Multi-Sample Data-Dependent Fusion of Sorted Score Sequences for Biometric verification. In: IEEE Conference on Acoustics Speech and Signal Processing (ICASSP 2004), pp. 229–232 (2004) 10. Savvides, M., Vijaya Kumar, B.V.K., Khosla, P.: Face Verification using Correlation Filters. In: 3rd IEEE Automatic Identification Advanced Technologies, pp. 56–61 (2002) 11. Venkataramani, K., Vijaya Kumar, B.V.K.: Fingerprint Verification using Correlation Filters. In: System AVBPA, pp. 886–894 (2003) 12. Samad, S.A., Ramli, D.A., Hussain, A.: Lower Face Verification Centered on Lips using Correlation Filters. Information Technology Journal 6(8), 1146–1151 (2007) 13. Samad, S.A., Ramli, D.A., Hussain, A.: Person Identification using Lip Motion Sequence. In: Apolloni, B., Howlett, R.J., Jain, L. (eds.) KES 2007, Part I. LNCS (LNAI), vol. 4692, pp. 839–846. Springer, Heidelberg (2007) 14. Samad, S.A., Ramli, D.A., Hussain, A.: A Multi-Sample Single-Source Model using Spectrographic Features for Biometric Authentication. In: IEEE International Conference on Information, Communications and Signal Processing, CD ROM (2007) 15. Sanderson, C., Paliwal, K.K.: Noise Compensation in a Multi-Modal Verification System. In: Proceeding of International Conference on Acoustics, Speech and Signal Processing, pp. 157–160 (2001) 16. Spectrogram, http://cslu.cse.ogi.edu/tutordemo/spectrogramReading/spectrogram.html 17. Klevents, R.L., Rodman, R.D.: Voice Recognition: Background of Voice Recognition, London (1997) 18. Gunn, S.R.: Support Vector Machine for Classification and Regression. Technical Report, University of Southampton (2005) 19. Wan, V., Campbell, W.M.: Support Vector Machines for Speaker Verification and Identification. In: Proceeding of Neural Networks for Signal Processing, pp. 775–784 (2000) Application of 2DPCA Based Techniques in DCT Domain for Face Recognition Messaoud Bengherabi1, Lamia Mezai1, Farid Harizi1, Abderrazak Guessoum2, and Mohamed Cheriet3 1 Centre de Développement des Technologies Avancées- Algeria Division Architecture des Systèmes et MultiMédia Cité 20 Aout, BP 11, Baba Hassen, [email protected], [email protected], [email protected] 2 Université Saad Dahlab de Blida – Algeria Laboratoire Traitement de signal et d’imagerie Route De Soumaa BP 270 Blida [email protected] 3 École des Technologies Supérieur –Québec- CanadaLaboratoire d’Imagerie, de Vision et d’Intelligence Artificielle 1100, Rue Notre-Dame Ouest, Montréal (Québec) H3C 1K3 Canada [email protected] Abstract. In this paper, we introduce 2DPCA, DiaPCA and DiaPCA+2DPCA in DCT domain for the aim of face recognition. The 2D DCT transform has been used as a preprocessing step, then 2DPCA, DiaPCA and DiaPCA+2DPCA are applied on the upper left corner block of the global 2D DCT transform matrix of the original images. The ORL face database is used to compare the proposed approach with the conventional ones without DCT under Four matrix similarity measures: Frobenuis, Yang, Assembled Matrix Distance (AMD) and Volume Measure (VM). The experiments show that in addition to the significant gain in both the training and testing times, the recognition rate using 2DPCA, DiaPCA and DiaPCA+2DPCA in DCT domain is generally better or at least competitive with the recognition rates obtained by applying these three 2D appearance based statistical techniques directly on the raw pixel images; especially under the VM similarity measure. Keywords: Two-Dimensional PCA (2DPCA), Diagonal PCA (DiaPCA), DiaPCA+2DPCA, face recognition, 2D Discrete Cosine Transform (2D DCT). 1 Introduction Different appearance based statistical methods for face recognition have been proposed in literature. But the most popular ones are Principal Component Analysis (PCA) [1] and Linear Discriminate Analysis (LDA) [2], which process images as 2D holistic patterns. However, a limitation of PCA and LDA is that both involve eigendecomposition, which is extremely time-consuming for high dimensional data. Recently, a new technique called two-dimensional principal component analysis 2DPCA was proposed by J. Yang et al. [3] for face recognition. Its idea is to estimate the covariance matrix based on the 2D original training image matrices, resulting in a E. Corchado et al. (Eds.): CISIS 2008, ASC 53, pp. 243–250, 2009. © Springer-Verlag Berlin Heidelberg 2009 springerlink.com 244 M. Bengherabi et al. covariance matrix whose size is equal to the width of images, which is quite small compared with the one used in PCA. However, the projection vectors of 2DPCA reflect only the variations between the rows of images, while discarding the variations of columns. A method called Diagonal Principal Component Analysis (DiaPCA) is proposed by D. Zhang et al. [4] to resolve this problem. DiaPCA seeks the projection vectors from diagonal face images [4] obtained from the original ones to ensure that the correlation between rows and those of columns is taken into account. An efficient 2D techniques that results from the combination of DiaPCA and 2DPCA (DiaPCA+2DPCA) is proposed also in [4]. Discrete cosine transform (DCT) has been used as a feature extraction step in various studies on face recognition. This results in a significant reduction of computational complexity and better recognition rates [5, 6]. DCT provides excellent energy compaction and a number of fast algorithms exist for calculating it. In this paper, we introduce 2DPCA, DiaPCA and DiaPCA+2DPCA in DCT domain for face recognition. The DCT transform has been used as a feature extraction step, then 2DPCA, DiaPCA and DiaPCA+2DPCA are applied only on the upper left corner block of the global DCT transform matrix of the original images. Our proposed approach is tested against conventional approaches without DCT under Four matrix similarity measures: Frobenuis, Yang, Assembled Matrix Distance (AMD) and Volume Measure (VM). The rest of this paper is organized as follows. In Section 2 we give a review of 2DPCA, DiaPCA and DiaPCA+2DPCA approaches and also we review different matrix similarity measures. In section 3, we present our contribution. In section 4 we report the experimental results and highlight a possible perspective of this work. Finally, in section 5 we conclude this paper. 2 Overview of 2DPCA, DiaPCA, DiaPCA+2DPCA and Matrix Similarity Measures 2.1 Overview of 2D PCA, DiaPCA and DiaPCA+2DPCA 2.1.1 Two-Dimensional PCA Given M training face images, denoted by m×n matrices Ak (k = 1, 2… M), twodimensional PCA (2DPCA) first uses all the training images to construct the image covariance matrix G given by [3] G= 1 M ∑ (A M k −A k =1 ) (A T k −A ) (1) Where A is the mean image of all training images. Then, the projection axes of 2DPCA, Xopt=[x1… xd] can be obtained by solving the algebraic eigenvalue problem Gxi=λixi, where xi is the eigenvector corresponding to the ith largest eigenvalue of G [3]. The low dimensional feature matrix C of a test image matrix A is extracted by C = AX opt (2) In Eq.(2) the dimension of 2DPCA projector Xopt is n×d, and the dimension of 2DPCA feature matrix C is m×d. Application of 2DPCA Based Techniques in DCT Domain 245 2.1.2 Diagonal Principal Component Analysis Suppose that there are M training face images, denoted by m×n matrices Ak(k = 1, 2, …, M). For each training face image Ak, we calculate the corresponding diagonal face image Bk as it is defined in [4]. Based on these diagonal faces, diagonal covariance matrix is defined as [4]: G DIAG = Where B = 1 M 1 M ∑ (B M k −B k =1 ) (B T k −B ) (3) M ∑B k is the mean diagonal face. According to Eq. (3), the projection k =1 vectors Xopt=[x1, …, xd] can be obtained by computing the d eigenvectors corresponding to the d biggest eigenvalues of GDIAG. The training faces Ak’s are projected onto Xopt, yielding m×d feature matrices. C k = Ak X opt (4) Given a test face image A, first use Eq. (4) to get the feature matrix C = AX opt , then a matrix similarity metric can be used for classification. 2.1.3 DiaPCA+2DPCA Suppose the n by d matrix X=[x1, …, xd] is the projection matrix of DiaPCA. Let Y=[y1, …, yd] the projection matrix of 2DPCA is computed as follows: When the height m is equal to the width n, Y is obtained by computing the q eigenvectors corresponding to the q biggest eigenvalues of the image covarinace matrix 1 M (A − A)T (A − A) . On the other hand, when the height m is not equal to the width M ∑ k k k =1 n, Y is obtained by computing the q eigenvectors corresponding to the q biggest ei- ∑ (A M genvalues of the alternative image covariance matrix 1 M k k =1 )( ) T − A Ak − A . Projecting training faces Aks onto X and Y together, yielding the q×d feature matrices (5) D k = Y T Ak X Given a test face image A, first use Eq. (5) to get the feature matrix D = Y T AX , then a matrix similarity metric can be used for classification. 2.2 Overview of Matrix Similarity Measures An important aspect of 2D appearance based face recognition approaches is the similarity measure between matrix features used at the decision level. In our work, we have used four matrix similarity measures. 2.2.1 Frobenius Distance Given two feature matrices A = (aij)m×d and B = (bij)m×d, the Frobenius distance [7] measure is given by: ⎛ m d F ( A, B ) = ⎜⎜ ∑ ⎝ i =1 ∑ (a 12 d j =1 ij 2⎞ − bij ) ⎟⎟ ⎠ (6) 246 M. Bengherabi et al. 2.2.2 Yang Distance Measure Given two feature matrices A = (aij)m×d and B = (bij)m×d, the Yang distance [7] is given by: 12 d ⎛ m 2⎞ dY ( A, B ) = ∑ ⎜ ∑ (aij − bij ) ⎟ j =1 ⎝ i =1 ⎠ (7) 2.2.3 Assembled Matrix Distance (AMD) A new distance called assembled matrix distance (AMD) metric to calculate the distance between two feature matrices is proposed recently by Zuo et al [7]. Given two feature matrices A = (aij)m×d and B = (bij)m×d, the assembled matrix distance dAMD(A,B) is defined as follows : (1 2 ) p ⎞ ⎛ d ⎛ m 2⎞ ⎟ d AMD ( A, B ) = ⎜ ∑ ⎜ ∑ (aij − bij ) ⎟ ⎟ ⎜ j =1 ⎝ i =1 ⎠ ⎠ ⎝ 12 ( p > 0) (8) It was experimentally verified in [7] that best recognition rate can be obtained when p≤0.125 while it decrease as p increases. In our work the parameter p is set equal to 0.125. 2.2.4 Volume Measure (VM) The VM similarity measure is based on the theory of high-dimensional geometry space. The volume of an m×n matrix of rank p is given by [8] ∑det Vol A = ( I ,J )∈N 2 A IJ (9) where AIJ denotes the submatrix of A with rows I and columns J, N is the index set of p×p nonsingular submatrix of A, and if p=0, then Vol A = 0 by definition. 3 The Proposed Approach In this section, we introduce 2DPCA, DiaPCA and DiaPCA+2DPCA in DCT domain for the aim of face recognition. The DCT is a popular technique in imaging and video compression, which was first applied in image compression in 1974 by Ahmed et al [9]. Applying the DCT to an input sequence decomposes it into a weighted sum of basis cosine sequences. our methodology is based on the use of the 2D DCT as a feature extraction or preprocessing step, then 2DPCA, DiaPCA and DiaPCA+2DPCA are applied to w×w upper left block of the global 2D DCT transform matrix of the original images. In this approach, we keep only a sub-block containing the first coefficients of the 2D DCT matrix as shown in Fig.1, from the fact that, the most significant information is contained in these coefficients. 2D DCT c11 c12 … c1w . . cw1 cw2 … cww Fig. 1. Feature extraction in our approach Application of 2DPCA Based Techniques in DCT Domain 247 With this approach and inversely to what is presented in literature of DCT-based face recognition approaches, the 2D structure is kept and the dimensionality reduction is carried out. Then, the 2DPCA, DiaPCA and DiaPCA+2DPCA are applied to w×w block of 2D DCT coefficients. The training and testing block diagrams describing the proposed approach is illustrated in Fig.2. Training a lgorithm based on 92DPCA 9Dia PCA 9Dia PCA+2DPCA Block w*w of 2D DCT coefficients 2D DCT Tra ined Model Training data 2D DCT ima ge Projection of the DCT bloc of the test ima ge using the eigenvectors of 92DPCA 9Dia PCA 9Dia PCA+2DPCA Block w*w of 2D DCT coefficients 2D DCT Test ima ge 2D DCT Block Features 2D DCT ima ge Compa rison using 9Frobenius 9Yang 9AMD 9VM 2D DCT Block Fea tures Decision Fig. 2. Block diagram of 2DPCA, DiaPCA and DiaPCA+2DPCA in DCT domain 4 Experimental Results and Discussion In this part, we evaluate the performance of 2DPCA, DiaPCA and DiaPCA+2DPCA in DCT domain and we compare it to the original 2DPCA, DiaPCA and DiaPCA+2DPCA methods. All the experiments are carried out on a PENTUIM 4 PC with 3.2GHz CPU and 1Gbyte memory. Matlab [10] is used to carry out these experiments. The database used in this research is the ORL [11] (Olivetti Research Laboratory) face database. This database contains 400 images for 40 individuals, for each person we have 10 different images of size 112×92 pixels. For some subjects, the images captured at different times. The facial expressions and facial appearance also vary. Ten images of one person from the ORL database are shown in Fig.3. In our experiment, we have used the first five image samples per class for training and the remaining images for test. So, the total number of training samples and test samples were both 200. Herein and without DCT the size of diagonal covariance matrix is 92×92, and each feature matrix with a size of 112×p where p varies from 1 to 92. However with DCT preprocessing the dimension of these matrices depends on the w×w DCT block where w varies from 8 to 64. We have calculated the recognition rate of 2DPCA, DiaPCA, DiaPCA+2DPCA with and without DCT. In this experiment, we have investigated the effect of the matrix metric on the performance of the 2D face recognition approaches presented in section 2. We see from table 1, that the VM provides the best results whereas the Frobenius gives the worst ones, this is justified by the fact that the Frobenius metric is just the sum of the 248 M. Bengherabi et al. (a) (b) Fig. 3. Ten images of one subject in the ORL face database, (a) Training, (b) Testing Euclidean distance between two feature vectors in a feature matrix. So, this measure is not compatible with the high-dimensional geometry theory [8]. Table 1. Best recognition rates of 2DPCA, DiaPCA and DiaPCA+2DPCA without DCT Methods 2DPCA DiaPCA DiaPCA+2DPCA Frobenius 91.50 (112×8) 91.50 (112×8) 92.50 (16×10) Yang 93.00 (112×7) 92.50 (112×10) 94.00 (13×11) AMD p=0,125 95.00 (112×4) 91.50 (112×8) 93.00 (12×6) Volume Distance 95.00 (112×3) 94.00 (112×9) 96.00 (21×8) Tables 2, and Table 3 summarize the best performances under different 2D DCT block sizes and different matrix similarity measures. Table 2. 2DPCA, DiaPCA and DiaPCA+2DPCA under different DCT block sizes using the Frobenius and Yang matrix distance Best Recognition rate (feature matrix dimension) DiaPCA+2DPCA 2DPCA DiaPCA Yang 91.50 (6×6) 93.50 (8×6) 93.50 (8×5) 92.00 (9×5) 93.00 (9×6) 95.00 (9×9) 92.00 (10×5) 94.50 (10×6) 95.50 (10×9) 92.00 (9×5) 94.00 (11×6) 95.50 (11×5) 91.50 (9×5) 94.50 (12×6) 95.50 (12×5) 92.00 (12×11) 94.50 (13×6) 95.00 (13×5) 92.00 (12×7) 94.50 (14×6) 94.50 (14×5) 2D DCT block size 8×8 9×9 10×10 11×11 12×12 13×13 14×14 91.50 (8×8) 92.00 (9×9) 91.50 (10×5) 92.00 (11×8) 92.00 (12×8) 91.50 (13×7) 92.00 (14×7) DiaPCA Frobenius 91.50 (8×6) 92.00 (9×5) 92.00 (10×5) 91.50 (11×5) 91.50 (12×10) 92.00 (13×11) 91.50 (14×7) 15×15 16×16 32×32 91.50 (15×5) 92.50 (16×10) 92.00 (32×6) 91.50 (15×5) 91.50 (16×11) 91.50 (32×6) 92.00 (13×15) 92.00 (4×10) 92.00 (11×7) 94.00 (15×9) 94.00 (16×7) 93.00 (32×6) 94.50 (15×5) 94.50 (16×5) 93.50 (32×5) 95.50 (12×5) 95.00 (12×5) 95.00 (12×5) 64×64 91.50 (64×6) 91.00 (32×6) 92.00 (14×12) 93.00 (64×7) 93.50 (64×5) 95.00 (12×5) 2DPCA DiaPCA+2DPCA 93.50 (8×5) 95.00 (9×9) 95.50 (10×9) 95.50 (11×5) 95.50 (12×5) 95.00 (11×5) 95.00 (12×5) From these four tables, we notice that in addition to the importance of matrix similarity measures, by the use of DCT we have always better performance in terms of recognition rate and this is valid for all matrix measures, we have only to choose the DCT block size and appropriate feature matrix dimension. An important remark is that a block size of 16×16 or less is sufficient to have the optimal performance. So, this results in a significant reduction in training and testing time. This significant gain Application of 2DPCA Based Techniques in DCT Domain 249 Table 3. 2DPCA, DiaPCA and DiaPCA+2DPCA under different DCT block sizes using the AMD distance and VM similarity measure on the ORL database 2D DCT block size 2DPCA 8×8 9×9 10×10 11×11 12×12 13×13 14×14 15×15 16×16 32×32 64×64 94.00 (8×4) 94.50 (9×4) 94.50 (10×4) 95.50 (11×5) 95.50 (12×5) 96.00 (13×4) 96.00 (14×4) 96.00 (15×4) 96.00 (16×4) 95.50 (32×4) 95.00 (64×4) DiaPCA AMD 95.00 (8×6) 94.50 (9×5) 95.50 (10×5) 96.00 (11×5) 96.50 (12×7) 95.50 (13×5) 95.00 (14×5) 95.00 (15×5) 95.50 (16×5) 95.00 (32×9) 94.50 (64×9) Best Recognition rate (feature matrix dimension) DiaPCA+2DPCA 2DPCA DiaPCA VM 95.00 (7×5) 96.00 (8×3) 93.50 (8×4) 94.50 (9×5) 95.00 (9×4) 95.00 (9×5) 96.00 (9×7) 95.00 (10×3) 95.00 (10×4) 94.50 (11×3) 95.50 (11×3) 96.50 (9×6) 95.50 (12×5) 96.00 (12×5) 96.50 (9×7) 95.50 (12×5) 96.00 (13×9) 96.00 (13×5) 95.50 (10×5) 95.00 (14×3) 95.50 (14×5) 96.00 (9×7) 96.00 (15×8) 96.00 (15×5) 95.50 (16×8) 96.00 (16×5) 96.50 (12×5) 96.00 (11×5) 95.00 (32×3) 95.50 (32×5) 96.00 (12×5) 95.00 (64×3) 95.00 (64×5) DiaPCA+2DPCA 93.50 (8×4) 95.00 (9×5) 95.00 (10×4) 95.50 (11×3) 96.00 (11×5) 96.50 (10×5) 96.50 (10×5) 96.50 (10×5) 96.50 (10×5) 96.50 (9×5) 96.50 (21×5) in computation is better illustrated in table 4 and table 5, which illustrate the total training and total testing time of 200 persons -in seconds - of the ORL database under 2DPCA, DiaPCA and DiaPCA+2DPCA without and with DCT, respectively. We should mention that the computation of DCT was not taken into consideration when computing the training and testing time of DCT based approaches. Table 4. Training and testing time without DCT using Frobenius matrix distance Methods Training time in sec Testing time in sec 2DPCA 5.837 (112×8) 1.294 (112×8) DiaPCA 5.886 (112×8) 2.779 (112×8) DiaPCA+2DPCA 10.99 (16×10) 0.78 (16×10) Table 5. Training and testing time with DCT using the Frobenius distance and the same matrixfeature dimensions as in Table2 2D DCT block size 8×8 9×9 10×10 11×11 12×12 13×13 14×14 15×15 16×16 2DPCA 0.047 0.048 0.047 0.048 0.063 0.062 0.079 0.094 0.125 Training time in sec DiaPCA DiaPCA+2DPCA 0.047 0.047 0.048 0.124 0.048 0.094 0.047 0.063 0.046 0.094 0.047 0.126 0.062 0.14 0.078 0.173 0.141 0.219 2DPCA 0.655 0.626 0.611 0.578 0.641 0.642 0.656 0.641 0.813 Testing time in sec DiaPCA DiaPCA+2DPCA 0.704 0.61 0.671 0.656 0.719 0.625 0.734 0.5 0.764 0.657 0.843 0.796 0.735 0.718 0.702 0.796 0.829 0.827 We can conclude from this experiment, that the proposed approach is very efficient in weakly constrained environments, which is the case of the ORL database. 5 Conclusion In this paper, 2DPCA, DiaPCA and DiaPCA+2PCA are introduced in DCT domain. The main advantage of the DCT transform is that it discards redundant information and it can be used as a feature extraction step. So, computational complexity is significantly reduced. The experimental results show that in addition to the significant gain in both the training and testing times, the recognition rate using 2DPCA, DiaPCA and DiaPCA+2DPCA in DCT domain is generally better or at least competitive with the 250 M. Bengherabi et al. recognition rates obtained by applying these three techniques directly on the raw pixel images; especially under the VM similarity measure. The proposed approaches will be very efficient for real time face identification applications such as telesurveillance and access control. References 1. Turk, M., Pentland, A.: “Eigenfaces for Recognition. Journal of Cognitive Neurosicence 3(1), 71–86 (1991) 2. Belhumeur, P.N., Hespanha, J.P., Kriegman, D.J.: Eigenfaces vs. fisherfaces: Recognition using class specific linear projection. IEEETrans. on Patt. Anal. and Mach. Intel. 19(7), 711–720 (1997) 3. Yang, J., Zhang, D., Frangi, A.F., Yang, J.Y.: Two-Dimensional PCA: A New Approach to Appearance- Based Face Representation and Recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence 26(1), 131–137 (2004) 4. Zhang, D., Zhou, Z.H., Chen, S.: “Diagonal Principal Component Analysis for Face Recognition. Pattern Recognition 39(1), 140–142 (2006) 5. Hafed, Z.M., Levine, M.D.: “Face recognition using the discrete cosine transform. International Journal of Computer Vision 43(3) (2001) 6. Chen, W., Er, M.J., Wu, S.: PCA and LDA in DCT domain. Pattern Recognition Letters 26(15), 2474–2482 (2005) 7. Zuo, W., Zhang, D., Wang, K.: An assembled matrix distance metric for 2DPCA-based image recognition. Pattern Recognition Letters 27(3), 210–216 (2006) 8. Meng, J., Zhang, W.: Volume measure in 2DPCA-based face recognition. Pattern Recognition Letters 28(10), 1203–1208 (2007) 9. Ahmed, N., Natarajan, T., Rao, K.: Discrete cosine transform. IEEE Trans. on Computers 23(1), 90–93 (1974) 10. Matlab, The Language of Technical Computing, Version 7 (2004), http://www.mathworks.com 11. ORL. The ORL face database at the AT&T (Olivetti) Research Laboratory (1992), http://www.uk.research.att.com/facedatabase.html Fingerprint Based Male-Female Classification Manish Verma and Suneeta Agarwal Computer Science Department, Motilal Nehru National Institute of Technology Allahabad Uttar Pradesh India [email protected], [email protected] Abstract. Male-female classification from a fingerprint is an important step in forensic science, anthropological and medical studies to reduce the efforts required for searching a person. The aim of this research is to establish a relationship between gender and the fingerprint using some special features such as ridge density, ridge thickness to valley thickness ratio (RTVTR) and ridge width. Ahmed Badawi et. al. showed that male-female classification can be done correctly upto 88.5% based on white lines count, RTVTR & ridge count using Neural Network as Classifier. We have used RTVTR, ridge width and ridge density for classification and SVM as classifier. We have found male-female can be correctly classified upto 91%. Keywords: gender classification, fingerprint, ridge density, ridge width, RTVTR, forensic, anthropology. 1 Introduction For over centuries, fingerprint has been used for both identification and verification because of its uniqueness. A fingerprint contains three level of information. Level 1 features contain macro details of fingerprint such as ridge flow and pattern type e.g. arch, loop, whorl etc. Level 2 features refer to the Galton characteristics or minutiae, such as ridge bifurcation or ridge termination e.g. eye, hook, bifurcation, ending etc. Level 3 features include all dimensional attributes of ridge e.g. ridge path deviation, width, shape, pores, edge contour, ridges breaks, creases, scars and other permanent details [10]. Till now little work has been done in the field of male-female fingerprint classification. In 1943, Harold Cummnins and Charles Midlo in the book “Fingerprints, Palm and Soles” first gave the relation between gender and the fingerprint. In 1968, Sarah B Holt, Charles C. Thomas in the book “The Genetics of the Dermal Ridges” gave same theory with little modification. Both state the same fact that female ridges are finer/smaller and have higher ridge density than males. Acree showed that females have higher ridge density [9]. Kralik showed that males have higher ridge width [6]. Moore also carried out a study on ridge to ridge distance and found that mean distance is more in male compared to female [7]. Dr. Sudesh Gungadin showed that a ridge count of ≤13 ridges/25 mm2 is more likely to be of males and that of ≥14 ridges/25 mm2 is likely to be of females [2]. Ahmed Badawi et. al. showed that male-female can be correctly classified upto 88.5% [1] based on white lines count, RTVTR & ridge count using Neural Network as Classifier. According to the research of E. Corchado et al. (Eds.): CISIS 2008, ASC 53, pp. 251–257, 2009. © Springer-Verlag Berlin Heidelberg 2009 springerlink.com 252 M. Verma and S. Agarwal Cummnins and Midlo, A typical young male has, on an average, 20.7 ridges per centimeter while a young female has 23.4 ridges per centimeter [8]. On the basis of studies made in [6], [1], [2], ridge width, RTVTR and ridge density are significant features for male-female classification. In this paper, we studied the significance of ridge width, ridge density and ridge thickness to valley thickness ratio (RTVTR) for the classification purpose. For classification we have used SVM classifier because of its significant advantage. Artificial Neural Networks (ANNs) can suffer from multiple local minima, the solution with an SVM is global and unique. Unlike ANNs, the computational complexity of SVMs does not depend on the dimensionality of the input space. ANNs use empirical risk minimization, whilst SVMs use structural risk minimization. SVMs are less prone to overfitting [13]. 2 Materials and Methods In our Male-Female classification analysis with respect to fingerprints, we extracted three features from each fingerprint. The features are ridge width, ridge density and RTVTR. Male & Female are classified using these features with the help of SVM classifier. 2.1 Dataset We have taken 400 fingerprints (200 Male & 200 Female) of indian origin in the age group of 18-60 years. These fingerprint are divided into two disjoint set for training and testing, each set contains 100 male and 100 female fingerprints. 2.2 Fingerprint Feature Extraction Algorithm The flowchart of the Fingerprint Feature Extraction and Classification Algorithm is shown in Fig. 1. The main steps of the algorithm are: Normalization [4] Normalization is used to standardize the intensity values of an image by adjusting the range of its grey-level values so that they lie within a desired range of values e.g. zero mean and unit standard deviation. Let I(i,j) denotes the gray-level value at pixel (i,j), M & VAR denote the estimated mean & variance of I(i,j) respectively & N(i,j) denotes the normalized gray-level value at pixel (i,j). The normalized values is defined as follows: , , , , (1) , , Where M0 and VAR0 are desired mean and variance values respectively. Image Orientation [3] Orientation of a fingerprint is estimated by the least mean square orientation estimation algorithm given by Hong et. al. Given a normalized image, N, the main steps of Fingerprint Based Male-Female Classification 253 Fig. 1. Flow chart for Fingerprint Feature Extraction and Classification Algorithm the orientation estimation are as follows: Firstly, a block of size wXw (25X25) is centred at pixel (i, j) in the normalized fingerprint image. For each pixel in this block, compute the Gaussian gradients ∂x(i, j) and ∂y(i, j), which are the gradient magnitudes in the x & y directions respectively. The local orientation of each block centered at pixel (i, j) is estimated using the following equations [11]. i, j 2∂ . ∂ , , 1 tan 2 ∂ , , , , ∂ , , (2) (3) (4) 254 M. Verma and S. Agarwal where θ(i,j) is the least square estimate of the local orientation at the block centered at pixel (i,j). Now orient the block with θ degree around the center of the block, so that the ridges of this block are in vertical direction. Fingerprint Feature Extraction In the oriented image, ridges are in vertical direction. Projection of the ridges and valleys on the horizontal line forms an almost sinusoidal shape wave with the local minima points corresponding to ridges and maxima points corresponds to valleys of the fingerprint. Ridge Width R is defined as thickness of a ridge. It is computed by counting the number of pixels between consecutive maxima points of projected image, number of 0’s between two clusters of 1’s will give ridge width e.g. 11110000001111 in above example, ridge width is 6 pixels. Valley Width V is defined as thickness of valleys. It is computed by counting the number of pixels between consecutive minima points of projected image, number of 1’s between two clusters of 0’s will give valley width e.g. 00001111111000 in above example, valley width is 7 pixels. Ridge Density is defined as number of ridges in a given block. e.g. 001111100011111011 Above string contains 3 ridges in a block. So ridge density is 3. Ridge Thickness to Valley Thickness Ratio (RTVTR) is defined as the ratio of ridge width to the valley width and is given by RTVTR = R/V. Fig. 2. Segmented image is Oriented and then projected to line from its binary transform we got ridge and valley width Example 1. Fig. 2. shows a segment of normalized fingerprint, which is oriented so that the ridges are in vertical direction. Then these ridges are projected on horizontal line. In the projected image, black dots show a ridge and white show a valley. Fingerprint Based Male-Female Classification 255 Classification SVM’s are used for classification and regression. SVM’s are set of related supervised learning methods. A special property of SVMs is that they simultaneously minimize the empirical classification error and maximize the geometric margin; hence they are also known as maximum margin classifiers. For a given training set of instance-label pairs (Xi, yi), i=1..N, where N is any integer showing number of training sample, Xi ∈Rn (n denotes the dimension of input space) belongs to the two separating classes labeled by yi∈{-1,1}, This classification problem is to find an optimal hyperplane WTZ + b =0 in a high dimension feature space Z by constructing a map Z=φ(X) between Rn and Z. SVM determines this hyperplane by finding W and b which satisfy ∑ , 1,2, . . , . (5) Where ξ i ≥ 0 and yi[WTφ(Xi)+b] ≥ 1- ξ i holds. Coefficient c is the given upper bound and N is the number of samples. The optimal W and b can be found by solving the dual problem of Eqn. (5), namely ∑ max ∑ φX φX ∑ . (6) 00. Where 0 ≤ αi ≤ c (i = 1,….,N) is Lagrange multiplier and it satisfies ∑ α y Let K X , X φ X φ X ) and we adopt the RBF function to map the input vectors into the high dimensional space Z. The RBF Function is given by , exp γ| | , γ 0 . (7) Where γ= 0.3125,c=512.Values of c & γ are computed by grid search [5]. The decision function of the SVM classifier is presented as . , (8) Where K(.,.) is the kernel function, which defines an inner product in higher dimenW φ X . The decision func, sion space Z and it satisfies that ∑ α y . tion sgn(φ) is the sign function and if φ≥0 then sgn(φ)=1 otherwise sgn(φ)=-1 [12]. 3 Results Our experimental result showed that if we consider any single feature for Male– Female classification then the classification rate is very low. Confusion matrix for Ridge Density (Table 1), RTVTR (Table 2) and Ridge Width (Table 3) show that their classification rate is 53, 59.5 and 68 respectively for testing set. But by taking all these features together we obtained the classification rate 91%. Five fold cross validation is used for the evaluation of the model. For testing set, Combining all these features together classification rate is 88% (Table 4). 256 M. Verma and S. Agarwal Table 1. Confusion Matrix for Male-Female classification based on Ridge Density only for Testing set Actual\Estimated Male Female Total Male 47 41 88 Female 53 59 112 Total 100 100 200 For Ridge Density the classification rate is 53% Table 2. Confusion Matrix for Male-Female classification based on RTVTR only for Testing set Actual\Estimated Male Female Total Male 30 11 41 Female 70 89 159 Total 100 100 200 For RTVTR the classification rate is 59.5% Table 3. Confusion Matrix for Male-Female classification based on Ridge Width only for Testing set Actual\Estimated Male Female Total Male 51 15 66 Female 49 85 134 Total 100 100 200 For Ridge Width the classification rate is 68% Table 4. Confusion Matrix for Male-Female classification based on combining Ridge Density, Ridge Width and RTVTR only for Testing set Actual\Estimated Male Female Total Male 86 10 96 Female 14 90 104 Total 100 100 200 For Testing set the classification rate is 88% 4 Conclusion Accuracy of our model obtained by five fold cross validation method is 91%. Our results have shown that the ridge density, RTVTR and Ridge Width gave gave 53%, 59.5% and 68% classification rates respectively. Combining all these features together, we obtained 91% classification rate. Hence, our method gave 2.5 % better result than the method given by Ahmed Badawi et al. Fingerprint Based Male-Female Classification 257 References 1. Badawi, A., Mahfouz, M., Tadross, R., Jantz, R.: Fingerprint Based Gender Classification. In: IPCV 2006, June 29 (2006) 2. Sudesh, G.: Sex Determination from Fingerprint Ridge Density. Internet Journal of Medical Update 2(2) (July-December 2007) 3. Hong, L., Wan, Y., Jain, A.K.: Fingerprint Image Enhancement: Algorithms and Performance Evaluation. IEEE Trans. Pattern Analysis and Machine Intelligence 20(8), 777–789 (1998) 4. Raymond thai, Fingerprint Image Enhancement and Minutiae Extraction (2003) 5. Hsu, C.-W., Chang, C.-C., Lin, C.-J.: A practical guide to support vector classification, http://www.csie.ntu.edu.tw/~cjlin/papers/guide/guide.pdf 6. Kralik, M., Novotny, V.: Epidermal ridge breadth: an indicator of age and sex in paleodermatoglyphics. Variability and Evolution 11, 5–30 (2003) 7. Moore, R.T.: Automatic fingerprint identification systems. In: Lee, H.C., Gaensslen, R.E. (eds.) Advances in Fingerprint Technology, p. 169. CRC Press, Boca Raton (1994) 8. Cummins, H., Midlo, C.: Fingerprints, Palms and Soles. An introduction to dermatoglyphics, p. 272. Dover Publ., New York (1961) 9. Acree M.A.: Is there a gender difference in fingerprint ridge density? Federal Bureau of Investigation, Washington, DC 20535-0001, USA 10. Jain, A.K., Chen, Y., Demerkus, M.: Pores and Ridges: High-Resolution Fingerprint Matching Using Level 3 Fetures. IEEE Transaction on Pattern Analysis and Matching Intelligence 29 (January 2007) 11. Rao, A.: A Taxonomy for Texture Description and Identification. Springer, New York (1990) 12. Ji, L., Yi, Z.: SVM-based Fingerprint Classification Using Orientation Field. In: Third International Conference on Natural Computation (ICNC 2007) (2007) 13. Support Vector Machines vs Artificial Neural Networks, http://www.svms.org/anns.html BSDT Multi-valued Coding in Discrete Spaces Petro Gopych Universal Power Systems USA-Ukraine LLC, 3 Kotsarskaya Street, Kharkiv 61012 Ukraine [email protected] Abstract. Recent binary signal detection theory (BSDT) employs a 'replacing' binary noise (RBN). In this paper it has been demonstrated that RBN generates some related N-dimensional discrete vector spaces, transforming to each other under different network synchrony conditions and serving 2-, 3-, and 4-valued neurons. These transformations explain optimal BSDT coding/decoding rules and provide a common mathematical framework, for some competing types of signal coding in neurosciences. Results demonstrate insufficiency of almost ubiquitous binary codes and, in complex cases, the need of multi-valued ones. Keywords: neural networks, replacing binary noise, colored spaces, degenerate spaces, spikerate coding, time-rate coding, meaning, synchrony, criticality. 1 Introduction Data coding (a way of taking noise into account) is a problem whose solving depends essentially on the accepted noise model [1]. Recent binary signal detection theory (BSDT, [2-4] and references therein) employs an original replacing binary noise (RBN, see below) which is an alternative to traditional additive noise models. For this reason, BSDT coding has unexpected features, leading in particular to the conclusion that in some important cases almost ubiquitous binary codes are insufficient and multi-valued ones are essentially required. The BSDT defines 2N different N-dimensional vectors x with spin-like components i x = ±1, reference vector x = x0 representing the information stored in a neural network (NN), and noise vectors x = xr. Vectors x are points in a discrete N-dimensional binary vector space, N-BVS, where variables take values +1 and –1 only. As in the N-BVS additive noise is impossible, vectors x(d) in this space (damaged versions of x0) are introduced by using a 'replacing' coding rule based on the RBN, xr: ⎧ x i , if u i = 0, xi (d ) = ⎨ 0i d = ∑ u i / N , i = 1,..., N ⎩ x r , if u i = 1 (1) where ui are marks, 0 or 1. If m is the number of marks ui = 1 then d = m/N is a fraction of noise components in x(d) or a damage degree of x0, 0 ≤ d ≤ 1; q = 1 – d is a fraction of intact components of x0 in x(d) or an intensity of cue, 0 ≤ q ≤ 1. If d = m/N, the number of different x(d) is 2mCNm, CNm = N!/(N – m)!/m!; if 0 ≤ d ≤ 1, this number is ∑2mCNm = 3N (0 ≤ m ≤ N). If ui = 1 then, to obtain xi(d), the ith component of x0, xi0, is replaced by the ith component of noise, xir, otherwise xi0 remains intact (1). E. Corchado et al. (Eds.): CISIS 2008, ASC 53, pp. 258–265, 2009. © Springer-Verlag Berlin Heidelberg 2009 springerlink.com BSDT Multi-valued Coding in Discrete Spaces 259 2 BSDT Binary, Ternary and Quaternary Vector Spaces With respect to vectors x, vectors x(d) have an additional range of discretion because their ±1 projections have the property to be a component of a noise, xr, or a signal message, x0. To formalize this feature, we ascribe to vectors x a new range of freedom ― a 'color' (meaning) of their components. Thus, within the N-BVS (Sect. 1), we define an additional two-valued color variable (a discrete-valued non-locality) labeling the components of x. Thanks to that extension, components of x become colored (meaningful), e.g. either 'red' (noise) or 'black' (signal), and each x transforms into 2N different vectors, numerically equivalent but colored in different colors (in column 3 of Table 1, such 2N vectors are underlined). We term the space of these items an Ndimensional colored BVS, N-CBVS. As the N-CBVS comprises 2N vectors x colored in 2N ways, the total number of N-CBVS items is 2N×2N = 4N. Table 1. Two complete sets of binary N-PCBVS(x0) vectors (columns 1-5) and ternary N-TVS vectors (columns 5-8) at N = 3. m, the number of noise ('red,' shown in bold face in column 3) components of x(d); sm = 2mCNm, the number of different x(d) for a given m; 3N = ∑sm, the same for 0 ≤ m ≤ N. In column 3, all the x(d) for a given x0 (column 1) are shown; 2N two-color vectors obtained by coloring the x = x0 are here underlined. n, the number of zeros among the – components of N-TVS vectors; sn = 2N nC NN – n, the number of N-TVS vectors for a given n; N 3 = ∑sn, the same for 0 ≤ n ≤ N. In columns 3 and 7, table cells containing complete set of 2N one-color N-BVS vectors are between the shaded cells m = 3 and sm = 8, sn = 8 and n = 0. Positive, negative and zero vector components are designated as +, – and 0, respectively. –+– x0 1 m 2 0 1 2 3 –++ 0 1 2 N-PCBVS(x0) vectors 3 – + –, – + –, + + –, – + –, – – –, – + –, – + +, – + –, + + –, + – –, – – –, – + –, – + +, – – –, – – +, – + –, – + +, + + –, + + +, – + –, + + –, – + +, – – +, + – –, + + +, – – –, + – +. – + +, – + +, + + +, – + +, – – +, – + +, – + –, – + +, + + +, + – +, – – +, – + +, – – +, – + –, – – –, – + +, + + +, – + –, + + –, sm 4 1 6 12 3N 5 27 8 1 6 12 – + –, + + –, – + +, – – +, 8 + – –, + + +, – – –, + – +. Complete set of N synchronized neurons, 'dense' spike-time coding 27 3 33 sn 6 1 6 N-TVS vectors 7 n 8 3 2 0 0 0, + 0 0, 0 0 +, 0 + 0, – 0 0, 0 0 –, 0 – 0, 12 + + 0, + 0 +, 0 + +, 1 – + 0, – 0 +, 0 – +, + – 0, + 0 –, 0 + –, – – 0, – 0 –, 0 – –, 8 – + –, + + –, – + +, – – +, 0 + – –, + + +, – – –, + – +. 1 0 0 0, 3 6 + 0 0, 0 0 +, 0 + 0, 2 – 0 0, 0 0 –, 0 – 0, 12 + + 0, + 0 +, 0 + +, 1 – + 0, – 0 +, 0 – +, + – 0, + 0 –, 0 + –, – – 0, – 0 –, 0 – –, 8 – + –, + + –, – + +, – – +, 0 + – –, + + +, – – –, + – +. Complete set of N unsynchronized neurons, 'sparse' spike-rate coding 260 P. Gopych Of 4N colored vectors x(d) constituting the N-CBVS, (1) selects a fraction (subspace, subset) of them specific to particular x = x0 and consisting of 3N x(d) only. We refer to such an x0-specific subspace as an N-dimensional partial colored BVS, NPCBVS(x0). An N-PCBVS(x0) consists of particular x0 and all its possible distortions (corresponding vectors x(d) have m colored in red components, see column 3 of Table 1). As an N-BVS generating the N-CBVS supplies 2N vectors x = x0, the total number of different N-PCBVS(x0) is also 2N. 2N spaces N-PCBVS(x0) each of which consists of 3N items contain in sum 2N×3N = 6N vectors x(d) while the total amount of different x(d) is only 4N. The intersection of all the spaces N-PCBVS(x0) (sets of corresponding space points) and the unity of them are I x0∈N -BVS N -PCBVS( x0 ) = N -BVS, U N -PCBVS( x0 ) = N -CBVS. x0 ∈N -BVS (2) The first relation means that any two spaces N-PCBVS(x0) contain at least 2N common space points, constituting together the N-BVS (e.g., 'red' vectors x(d) in Table 1 column 3 rows m = 3). The second relation reflects the fact that spaces N-PCBVS(x0) are overlapped subspaces of the N-CBVS. Spaces N-PCBVS(x0) and N-CBVS consist of 3N and 4N items what is typically for N-dimensional spaces of 3- and 4-valued vectors, respectively. Of this an obvious insight arises ― to consider an N-PCBVS(x0) as a vector space 'built' for serving 3valued neurons (an N-dimensional ternary vector space, N-TVS; Table 1 columns 58) and to consider an N-CBVS as a vector space 'built' for serving 4-valued neurons (an N-dimensional quaternary vector space, N-QVS; Table 3 column 2). After accepting this idea it becomes clear that the BSDT allows an intermittent three-fold (2-, 3-, and 4-valued) description of signal data processing. 3 BSDT Degenerate Binary Vector Spaces Spaces N-PCBVS(x0) and N-CBVS are devoted to the description of vectors x(d) by means of explicit specifying the origin or 'meaning' of their components (either signal or noise). At the stage of decoding, BSDT does not differ the colors (meanings) of x(d) components and reads out their numerical values only. Consequently, for BSDT decoding algorithm, all N-PCBVS(x0) and N-CBVS items are color-free. By means of ignoring the colors, two-color x(d) are transforming into one-color x and, consequently, spaces N-CBVS and N-PCBVS(x0) are transforming, respectively, into spaces N-DBVS (N-dimensional degenerate BVS) and N-DBVS(x0) (N-dimensional degenerate BVS given x0). The N-DBVS(x0) and the N-DBVS contain respectively 3N and 4N items, though only 2N of them (related to the N-BVS) are different. As a result, N-DBVS and N-DBVS(x0) items are degenerate, i.e. in these spaces they may exist in some equivalent copies. We refer to the number of such copies related to a given x as its degeneracy degree, τ (1 ≤ τ ≤ 2N, τ = 1 means no degeneracy). When N-CBVS vectors x(d) lose their color identity, their one-color counterparts, x, are 'breeding' 2N times. For this reason, all N-DBVS space points have equal degeneracy degree, τ = 2N. When N-PCBVS(x0) vectors x(d) lose their color identity, their one-color counterparts, x, are 'breeding' the number of times which is specified by (1) BSDT Multi-valued Coding in Discrete Spaces 261 given x0 and coincides with the number of x(d) related to particular x in the NPCBVS(x0). Consequently, all N-DBVS(x0) items have different in general degeneracy degrees, τ(x,x0), depending on x as well as x0. As the number of different vectors x in an N-DBVS(x0) and the number of different spaces N-DBVS(x0) are the same (and equal to 2N), discrete function τ(x,x0) is a square non-zero matrix. As the number of x in an N-DBVS(x0) and the number of x(d) in corresponding N-PCBVS(x0) is 3N, the sum of matrix element values made over each row (or over each column) is also the same and equals 3N. Remembering that ∑2mCNm = 3 N (m = 0, 1, …, N), we see that in each the matrix's row or column the number of its elements, which are equal to 2m, is CNm (e.g. in Table 2, the number of 8s, 4s, 2s and 1s is 1, 3, 3 and 1, respectively). If x (columns) and x0 (rows) are ordered in the same way (as in Table 2) then matrix τ(x,x0) is symmetrical with respect to its main diagonal; if x = x0, then in the column x and the row x0 τ(x,x0)-values are equally arranged (as in the column and the row shaded in Table 2: 4, 2, 8, 4, 1, 4, 2, 2; corresponding sets of two-colored N-PCBVS(x0) vectors x(d) are shown in column 3 of Table 1). Degeneracy degree averaged across all the x given N-DBVS(x0) or across all the N-DBVS(x0) given x does not depend on x and x0: τa = <τ(x,x0)> = (3/2)N (for the example presented in Table 2, τa = (3/2)3 = 27/8 = 3.375). x x0 –+– ∑τ(x,x0) given x –+– ++– –++ ––+ +–– +++ ––– +–+ ++– –++ ––+ +–– +++ ––– +–+ ∑τ(x,x0) given x0 Table 2. Degeneracy degree, τ(x,x0), for all the vectors x in all the spaces N-DBVS(x0), N = 3. 2N = 8, the number of different x (and different x0); 3N = 27, the total number of x in an NDBVS(x0) or the number of two-colored x(d) in corresponding N-PCBVS(x0); positive and negative components of x and x0 are designated as + and –, respectively. Rows provide τ(x,x0) for all the x given N-DBVS(x0) (the row x0 = – + + is shaded); columns show τ(x,x0) for all the spaces N-DBVS(x0) given x (the column x = – + + is shaded). 8 4 4 2 2 2 4 1 4 8 2 1 4 4 2 2 4 2 8 4 1 4 2 2 2 1 4 8 2 2 4 4 2 4 1 2 8 2 4 4 2 4 4 2 2 8 1 4 4 2 2 4 4 1 8 2 1 2 2 4 4 4 2 8 27 27 27 27 27 27 27 27 27 27 27 27 27 27 27 27 3N Of the view of the set theory, the N-DBVS consists of 2N equivalent N-BVS; the intersection and the unity of them are the N-BVS itself. Each N-DBVS(x0) includes all the 2N N-BVS vectors each of which is repeated in an x0-specific number of copies, as it is illustrated by rows (columns) of Table 2 (N + 1 of these numbers are only different). 262 P. Gopych 4 BSDT Multi-valued Codes and Multi-valued Neurons For the description of a network of the size N in spaces above discussed, the BSDT defines 2-, 3- and 4-valued N-dimensional (code) vectors each of which represents a set of N firing 2-, 3- and 4-valued neurons, respectively (see Tables 1 and 3). 23valued valued 3 –1, black –1, red +1, red +1, black –1, black/red no black/red +1, black/red –1, black/red +1, black/red 4 –1, signal –1, noise +1, noise +1, signal –1, signal/noise no signal/noise +1, signal/noise –1, signal/noise +1, signal/noise 5 inhibitory inhibitory excitatory excitatory inhibitory no spike excitatory inhibitory excitatory Space examples The target neuron's synapse Signal/noise numerical code, SNNC 2 –2 –1 +1 +2 –1 0 +1 –1 +1 Colored numerical code, CNC Numerical code, NC 1 4valued Type of neurons Table 3. Values/meanings of code vector components for BSDT neurons and codes. Shaded table cells display code items implementing the N-BVS (its literal implementation by 3- and 4valued neurons is possible under certain conditions only; parentheses in column 6 indicate this fact, see also process 6 in Fig. 1); in column 5 the content/meaning of each code item is additionally specified in neuroscience terms. 6 N-QVS, N-CBVS, N-PCBVS(x0), (N-BVS) N-TVS, (N-BVS) N-BVS, N-DBVS, N-DBVS(x0) In Table 3 numerical code (NC, column 2) is the simplest, most general, and meaning-irrelevant: its items (numerical values of code vector components) may arbitrary be interpreted (e.g., for 4-valued neurons, code values ±1 and ±2 may be treated as related to noise and signal, respectively). Colored numerical code (CNC, column 3) combines binary NC with binary color code; for 3- and 2-valued neurons, CNC vector components are ambiguously defined (they are either black or red, 'black/ red'). Signal/noise numerical code (SNNC, column 4) specifies the colors of the CNC with respect to a signal/noise problem: 'black' and 'red' units are interpreted as ones that represent respectively signal and noise components of SNNC vectors (marks 'signal' and 'noise' reflect this fact). As in the case of the CNC, for 3- and 2-valued neurons, SNNC code vector components say only that (with equal probability) they can represent either signal or noise (this fact reflects the mark 'signal/ noise'). Further code specification (by adding a neuroscience meaning to each signal, noise, or signal/noise numerical code item) is given in column 5: it is assumed [3] that vector components –1 designate signal, noise or signal/noise spikes, affecting the inhibitory synapses of target neurons, while vector components +1 designate spikes, affecting the excitatory synapses of target neurons (i.e. BSDT neurons are intimately embedded into their environment, as they always 'know' the type of synapses of their postsynaptic neurons); zero-valued components of 3-valued vectors designate 'silent' or 'dormant' BSDT Multi-valued Coding in Discrete Spaces 263 neurons generating no spikes at the moment and, consequently, not affecting on their target neurons at all (marks 'no signal/noise' and 'no spike' in columns 4 and 5 reflect this fact). BSDT spaces implementing different types of coding and dealing with different types of neurons are classified in column 6. The unity of mathematical description of spiking and silent neurons (see Table 3) explains why BSDT spin-like +1/–1 coding cannot be replaced by popular 1/0 coding. Ternary vectors with large fractions of zero components may also contribute to explaining the so-called sparse neuron codes (e.g., [5-6], Table 1 columns 5-8). Quaternary as well as binary vectors without zero components (and, perhaps, ternary vectors with small fractions of zero components) may contribute to explaining the so-called dense neuron codes (a reverse counterpart to sparse neuron codes, Table 1 columns 1-5). 5 Reciprocal Transformations of BSDT Vector Spaces The major physical condition explaining the diversity of BSDT vector spaces and the need of their transformations is the network's state of synchrony (Fig. 1). We understand synchrony as simultaneous (within a time window/bin ∆t ~ 10 ms) spike firing of N network neurons (cf. [7]). Unsynchronized neurons fire independently at instants t1, …, tN whose variability is much greater than ∆t. As the BSDT imposes no constraints on network neuron space distribution, they may arbitrary be arranged occupying positions even in distinct brain areas (within a population map [8]). Unsynchronized and synchronized networks are respectively described by BSDT vectors with and without zero-valued components and consequently each such an individual vector represents a pattern of network spike activity at a moment t ± ∆t. Hence, the BSDT deals with network spike patterns only (not with spike trains of individual neurons [9]) while diverse neuron wave dynamics, responsible in particular for changes in network synchrony [10], remains out of the consideration. For unsynchronized networks (box 2 in Fig. 1), spike timing can in principle not be used for coding; in this case signals of interest may be coded by the number of network spikes randomly emerged per a given time bin ― that is spike-rate or firingrate population coding [9], implementing the independent-coding hypothesis [8]. For partially ordered networks, firing of their neurons is in time to some extent correlated and such mutual correlations can already be used for spike-time coding (e.g., [1,9]) ― that is an implementation of the coordinated-coding hypothesis [8]. The case of completely synchronized networks (box 4 in Fig. 1) is an extreme case of spike-time coding describable by BSDT vectors without zero components. Time-to-first-spike coding (e.g., [11]) and phase coding (e.g., [12]) may be interpreted as particular implementations of such a consideration. Figure 1 shows also the transformations (circled dashed arrows) related to changes in network synchrony and accompanied by energy exchange (vertical arrows). BSDT optimal decoding probability (that is equal to BSDT optimal generalization degree) is the normalized number of N-DBVS(x0) vectors x for which their Hamming distance to x0 is smaller than a given threshold. Hence, the BSDT defines its coding/decoding [2,3] and generalization/codecorrection [2] rules but does not specify mechanisms implementing them: for BSDT applicability already synchronized/unsynchronized networks are required. 264 P. Gopych 1 The global network's environment Energy input 2 Energy dissipation N-TVS Unsynchronized neurons Entropy 1 'The edge of chaos' 5 N-PCBVS(x0) N-DBVS(x0) N-CBVS N-PCBVS(x0) N-DBVS(x0) 2 Synchronized neurons ... N-PCBVS(x0) 3 1 2 Complexity N-BVS N-BVS 6 3 4 N-TVS ... 4 N-DBVS(x0) N 2 Fig. 1. Transformations of BSDT vector spaces. Spaces for pools of synchronized (box 4) and unsynchronized (box 2) neurons are framed separately. In box 4, right-most numbers enumerate different spaces of the same type; framed numbers mark space transformation processes (arrows): 1, coloring all the components of N-BVS vectors; 2, splitting the N-CBVS into 2N different but overlapping spaces N-PCBVS(x0); 3, transformation of two-color N-PCBVS(x0) vectors x(d) into one-color N-TVS vectors (because of network desynchronization); 4, equalizing the colors of all the components of all the N-PCBVS(x0) vectors; 5, transformation of one-color NTVS vectors into two-color N-PCBVS(x0) vectors; 6, random coincident spiking of unsynchronized neurons. Vertical left/right-most arrows remind trends in entropy and complexity for a global network, containing synchronized and unsynchronized parts and open for energy exchange with the environment (box 1). Box 3 comprises rich and diverse neuron individual and collective nonlinear wave/oscillatory dynamics implementing synchrony/unsynchrony transitions (i.e. the global network is as a rule near its 'criticality'). In most behavioral and cognitive tasks, spike synchrony and neuron coherent wave/oscillatory activity are tightly entangled (e.g. [10,13]) though which of these phenomena is the prime mechanism, for dynamic temporal and space binding (synchronization) of neurons into a cell assembly, remains unknown. If gradual changes of the probability of occurring zero-valued components of ternary vectors is implied then the BSDT is consistent in general with scenarios of gradual synchrony/ unsynchrony transitions, but we are here interesting in such abrupt transitions only. This means that, for the BSDT biological relevance, it is needed to take the popular stance according to which the brain is a very large and complex nonlinear dynamic system having long-distant and reciprocal connectivity [14], being in a metastable state and running near its 'criticality' (box 3 in Fig. 1). If so, then abrupt unsynchronyto-synchrony transitions may be interpreted as the network's 'self-organization,' 'bifurcation,' or 'phase transition' (see ref. 15 for review) while abrupt synchrony decay may be considered as reverse phase transitions. This idea stems from statistical physics and offers a mechanism contributing most probably to real biological processes underlying BSDT space transformations shown in Fig. 1 (i.e. arrows crossing 'the edge of chaos' may have real biological counterparts). Task-related brain activity takes <5% of energy consumed by the resting human brain [16]; spikes are high energy-consuming and, consequently, rather seldom and important brain signals [17]. Of these follows that the BSDT, as a theory for spike computations, describes though rather small but perhaps most important ('high-level') fraction of brain activity responsible for maintaining behavior and cognition. BSDT Multi-valued Coding in Discrete Spaces 265 6 Conclusion A set of N-dimensional discrete vector spaces (some of which are 'colored' and some degenerate) has been introduced by using original BSDT coding rules. These spaces, serving 2-, 3- and 4-valued neurons, ensure optimal BSDT decoding/generalization and provide a common description of spiking and silencing neurons under different conditions of network synchrony. The BSDT is a theory for spikes/impulses and can describe though rather small but probably most important ('high-level') fraction of brain activity responsible for human/animal behavior and cognition. Results demonstrate also that for the description of complex living or artificial digital systems, where conditions of signal synchrony and unsynchrony coexist, binary codes are insufficient and the use of multi-valued ones is essentially required. References 1. Averbeck, B.B., Latham, P.E., Pouget, A.: Neural Correlations, Population Coding and Computation. Nat. Rev. Neurosci. 7, 358–366 (2006) 2. Gopych, P.M.: Generalization by Computation through Memory. Int. J. Inf. Theo. Appl. 13, 145–157 (2006) 3. Gopych, P.M.: Foundations of the Neural Network Assembly Memory Model. In: Shannon, S. (ed.) Leading Edge Computer Sciences, pp. 21–84. Nova Science, New York (2006) 4. Gopych, P.M.: Minimal BSDT Abstract Selectional Machines and Their Selectional and Computational Performance. In: Yin, H., Tino, P., Corchado, E., Byrne, W., Yao, X. (eds.) IDEAL 2007. LNCS, vol. 4881, pp. 198–208. Springer, Heidelberg (2007) 5. Kanerva, P.: Sparse Distributed Memory. MIT Press, Cambridge (1988) 6. Olshausen, B.A., Field, D.J.: Sparse Coding of Sensory Inputs. Curr. Opin. Neurobiol. 14, 481–487 (2004) 7. Engel, A.K., Singer, W.: Temporal Binding and the Neural Correlates of Sensory Awareness. Trends Cog. Sci. 5, 16–21 (2001) 8. de Charms, C.R., Zador, A.: Neural Representations and the Cortical Code. Ann. Rev. Neurosci. 23, 613–647 (2000) 9. Tiesinga, P., Fellous, J.-M., Sejnowski, T.J.: Regulation of Spike Timing in Visual Cortical Circuits. Nat. Rev. Neurosci. 9, 97–109 (2008) 10. Buzáki, G., Draghun, A.: Neuronal Oscillations in Cortical Networks. Science 304, 1926– 1929 (2004) 11. Johansson, R.S., Birznieks, I.: First Spikes in Ensemble of Human Tactile Afferents Code Complex Spatial Fingertip Events. Nat. Neurosci. 7, 170–177 (2004) 12. Jacobs, J., Kahana, M.J., Ekstrom, A.D., Fried, I.: Brain Oscillations Control Timing of Single-Neuron Activity in Humans. J. Neurosci. 27, 3839–3844 (2007) 13. Varela, F., Lachaux, J.-P., Rodriguez, E., Martinerie, J.: The Brainweb: Phase Synchronization and Large-Scale Integration. Nat. Rev. Neurosci. 2, 229–239 (2001) 14. Sporns, O., Chialvo, D.R., Kaiser, M., Hilgetag, C.C.: Organization, Development and Function of Complex Brain Networks. Trends Cog. Sci. 8, 418–425 (2004) 15. Werner, G.: Perspectives on the Neuroscience of Cognition and Consciousness. BioSystems 87, 82–95 (2007) 16. Fox, M.D., Raichle, M.E.: Spontaneous Fluctuations in Brain Activity Observed with Functional Magnetic Resonance Imaging. Nat. Rev. Neurosci. 8, 700–711 (2007) 17. Lennie, P.: The Cost of Cortical Computation. Curr. Biology 13, 493–497 (2003) A Fast and Distortion Tolerant Hashing for Fingerprint Image Authentication Thi Hoi Le and The Duy Bui Faculty of Information Technology Vietnam National University, Hanoi [email protected], [email protected] Abstract. Biometrics such as fingerprint, face, eye retina, and voice offers means of reliable personal authentication is now a widely used technology both in forensic and civilian domains. Reality, however, makes it difficult to design an accurate and fast biometric recognition due to large biometric database and complicated biometric measures. In particular, fast fingerprint indexing is one of the most challenging problems faced in fingerprint authentication system. In this paper, we present a specific contribution to advance the state of the art in this field by introducing a new robust indexing scheme that is able to fasten the fingerprint recognition process. Keywords: fingerprint hashing, fingerprint authentication, error correcting code, image authentication. 1 Introduction With the development of digital world, reliable personal authentication has become a big interest in human computer interface activity. National ID card, electronic commerce, and access to computer networks are some scenarios where declaration of a person’s identity is crucial. Existing security measures rely on knowledge-based approaches like passwords or token-based such as magnetic cards and passports are used to control access to real and virtual societies. Though ubiquitous, such methods are not very secure. More severely, they may be shared or stolen easily. Passwords and PIN numbers may be even stolen electronically. Furthermore, they cannot differentiate between authorized user and fraudulent imposter. Otherwise, biometrics has a special characteristic that user is the key; hence, it is not easily compromised or shared. Therefore, biometrics offers means of reliable personal authentication that can address these problems and is gaining citizen and government acceptance. Although significant progress has been made in fingerprint authentication system, there are still a number of research issues that need to be addressed to improve the system efficiency. Automatic fingerprint identification which requires 1-N matching is usually computationally demanding. For a small database, a common approach is to exhaustively match a query fingerprint against all the fingerprints in database [21]. For a large database, however, it is not desirable in practice without an effective fingerprint indexing scheme. There are two technical choices to reduce the number of comparisons and consequently to reduce the response time of the identification process: classification and E. Corchado et al. (Eds.): CISIS 2008, ASC 53, pp. 266–273, 2009. © Springer-Verlag Berlin Heidelberg 2009 springerlink.com A Fast and Distortion Tolerant Hashing for Fingerprint Image Authentication 267 indexing techniques. Traditional classification techniques (e.g. [5], [16]) attempt to classify fingerprint into five classes: Right Loop (R), Left Loop (L), Whorl (W), Arch (A), and Tented Arch (A). Due to the uneven natural distribution, the number of classes is small and real fingerprints are unequally distributed among them: over 90% of fingerprints fall in to only three classes (Loops and Whorl) [18]. This is resulted in the inability of reducing the search space enough of such systems. Indexing technique performs better than classification in terms of the size of space need to be searched. Fingerprint indexing algorithms select most probable candidates and sort them by the similarity to the query. Many indexing algorithms have been proposed recently. A.K. Jain et al [11] use the features around the core point of a Gabor filtered image to realize indexing. Although this approach makes use of global information (core point) but the discrimination power of just one core is limited. In [2], the singular point (SP) is used to estimate the search priority which is resulted in the mean search space below 4% the whole dataset. However, detecting singular point is a hard problem. Some fingerprints even do not have SPs and the uncertainty of SP location is large [18]. Besides, several attempts to account for fingerprint indexing have shown the improvement. R. Cappelli et al. [6] proposed an approach which reaches the reasonable performance and identification time. R.S Germain et al. [9] use the triplets of minutiae in their indexing procedure. J.D Boer et al. [3] make effort in combining multiple features (orientation field, FingerCode, and minutiae triplets). One of another key point is to make indexing algorithm more accurate, fingerprint distortion must be considered. There are two kinds of distortion: transformation distortion and system distortion. In particular, due to fingerprint scanners can only capture partial fingerprints; some minutiae – primary fingerprint features - are missing during acquisition process. These distortions of fingerprint including minutia missing cause several problems: (i) the number of minutia points available in such prints is few, thus reducing its discrimination power; (ii) loss of singular points (core and delta) is likely [15]. Therefore, a robust indexing algorithm independent of such global features is required. However, in most of existed indexing scheme mentioned above, they perform indexing by utilizing these global feature points. In this paper, we propose a hashing scheme that can achieve high efficiency in hashing performance by perform hashing on localized features that are able to tolerate distortions. This hashing scheme can perform on any localized features such as minutiae or triplet. To avoid alignment, in this paper we use the triplet feature introduced by Tsai-Yang Jea et. al. [15]. One of our main contributions is that we present a definition of codeword for such fingerprint feature points and our hashing scheme performs on those codewords. By producing codewords for feature points, this scheme can tolerate the distortion of each point. Moreover, to reduce number of candidates for matching stage more efficiently, a randomized hash function scheme is used to reduce the output collisions. The paper is organized as follows. Section 2 introduces some notions and our definition of codeword for fingerprint feature points. Section 3 presents our hashing scheme based on these codewords and a scheme to retrieve fingerprint from hashing results. We present experiment results of our scheme in Section 4. 268 T.H. Le and T.D. Bui 2 Preliminaries 2.1 Error Correction Code For a given choice of metric d, one can define error correction codes in the corresponding space M. A code is a subset C={w1,…,wk} ⊂ M. The set C is sometimes called codebook; its K elements are the codewords. The (minimum) distance of a code is the smallest distance d between two distinct codewords (according to the metric d). Given a codebook C, we can define a pair of functions (C,D). The encoding function C is an injective map for the elements of some domain of size K to the elements of C. The decoding function D maps any element w ∈ M to the pre-image C-1[wk] of the codeword wk that minimizes the distance d[w,wk]. The error correcting distance is the largest radius t such that for every element w in M there is at most one codeword in the ball of radius t centered on w. For integer distance functions we have t=(d-1)/2. A standard shorthand notation in coding theory is that of a (M,K,t)-code. 2.2 Fingerprint Feature Point Primary feature point of fingerprint is called minutia. Minutiae are the various ridge discontinuities of a fingerprint. There are two types of widely used minutiae which are bifurcations and endings (Fig.1). Minutia contains only local information of fingerprints. Each minutia is represented by its coordinates and orientation. Fig. 1. (left) Ridge bifurcation. (b) Ridge endings [15]. Secondary feature is a vector of five-elements (Fig.2). For each minutiae Mi(xi,yi,θi) and its two nearest neighbors N0(xn0,yn0,θn0) and N1(xn1,yn1,θn1), the secondary feature is constructed by form a vector Si(ri0 ,ri1,φi0,φi1,δi) in which ri0 and ri1 are the Euclidean distances between the central minutia Mi and its neighbors N0 and N1 respectively. φik is the orientation difference between Mi and Nk, where k is 0 or 1. δi represents the acute angle between the line segments MiN0 and MiN1. Note that N0 and N1 are the two nearest neighbors of the central minutia Mi and ordered not by their Euclidean distances but by satisfying the equation: N0MixN1Mi ≥ 0. A Fast and Distortion Tolerant Hashing for Fingerprint Image Authentication 269 Fig. 2. Secondary feature of Mi. Where ri0 and ri1 are the Euclidean distances between central minutia Mi and its neighbors N0 and N1 respectively. φik is the orientation difference between Mi and Nk where k is 0 or 1. δi represents the acute angle between MiN0 and MiN1 [15]. N0 is the first and N1 is the second minutia encountered while traversing the angle ∠N0MiN1. For the given matched reference minutiae pair pi and qj, it is said that minutiae pi(ri,i’,Φi,i’;,θi,i’) matches qj(rj,j’,Φj,j’,θj,j’), if qj is within the tolerance area of pi. Thus for given threshold functions Thldr(.), ThldΦ(.), and Thldθ(.), |ri,i’ – rj,j’| ≤ Thldr(ri,i’), |Φi,i’ – Φj,j’| ≤ ThldΦ(Φi,i’) and |θi,i’ – θj,j’| ≤ Thldθ(θi,i’). Note that the thresholds are not predefined values but are adjustable according to rii, and rjj. In this literature, we call this secondary fingerprint feature point as feature point. 2.3 Our Error Correction Code for Fingerprint Feature Point Most existing error correction schemes are respect to Hamming distance and used to correct the message at bit level (e.g. parity check bits, repetition scheme, CRC…). Therefore, we define a new error correction scheme for fingerprint feature point. In particular, we consider each feature x as a corrupted codeword and try to correct to the correct codeword by using an encoding function C(x). Definition 1. Let x ∈ RD, and C(x) is an encoding function of the error correction scheme. We define C(x) = (q(x-t)|q(x)|q(x+t)) where q(x) is a quantization function of x with quantization step t. We call the output of C(x) (cx-t,cx,cx+t) is the codeword set of x and cx=q(x) is the nearest codeword of x or codeword of x for short. Lemma 1. Let x ∈ R, given a tolerant threshold t ∈ R. For every y such that |x-y| ≤ t, then the codeword of y cy = q(y) takes one of three elements in the codeword set of x. Lemma 1 can be proved easily by some algebraic transformations. In our approach, we generate codeword set for every dimension of template fingerprint feature point q and only codeword for every dimension of query point p. Following lemma 1 and definition of two matched feature points, we can see that if p and q are corresponding 270 T.H. Le and T.D. Bui feature points of two versions from one fingerprint, codeword of q will be an element in codeword set of p. 3 Codeword-Based Hashing Scheme We present a fingerprint hash generation scheme based on the codeword of the feature point. The key idea is: first, “correct” the error feature point to its codeword, then use that codeword as the input of a randomized hash function which can scatter the input set and ensure that the probability of collision of two feature points is closely related to the distance between their corresponding coordinate pairs (refer to definition of two matched feature points). 3.1 Our Approach Informal description. Fingerprint features stored in database can be considered as a very large set. Moreover, the distribution of fingerprint feature points is not uniform and unknown. Therefore, we want to design a randomized hash scheme such that for the large input sets of fingerprint feature points, it is unlikely that elements collide. Fortunately, some standard hash functions (e.g. MD5, SHA) can be made randomized to satisfy the property of target collision resistance. Our scheme works as follows. First, the message bits are permuted by a random permutation and then the hash of resulting message is computed (by a compression function e.g. SHA). A permutation is a special kind of block cipher where the output and input have the same length. A random permutation is widely used in cryptography since it possesses two important properties: randomness and efficient computation if the key is random. The basic idea so far is for any given set of inputs, this algorithm will scatter the inputs among the range of the function well based on a random permutation so that the probabilistic expectation of the output will be distributed more randomly. To ensure the error tolerant property, we perform hashing on codeword (for query points) and on the whole codeword set (for template points) instead of the feature point itself. Follow the lemma 1 we have the query point y and the template point x are matched if and only if codeword of y is an element in codeword set of x . Formal description. We set up our hashing scheme as follows: 1. Choose random dimensions from (1,2,…,D); by this way, we adjust the trade off between the collision of hashing values and the space of our database. 2. Choose an tolerant threshold t and appropriate metric ld for selected dimensions. For each template point p: 1. Generate the codeword set for pd. These values are mapped to binary strings. Binary strings in the codeword set of selected dimensions are then concatenated to form L3 binary strings mt for i=1,…,L3 where L is the number of selected dimensions. 2. Each mi is padded with zero bits to form a n – bit message mi. 3. Generate a random key K for a permutation π of {0,1}n. 4. mi is permuted by π and the resulting message is hashed using a compression function such as SHA.. Let shi = SHA( π (mi)) for i=1,…,L3. A Fast and Distortion Tolerant Hashing for Fingerprint Image Authentication 271 5. There are at most L3 hash values for p. These values can be stored in the same hash table as well as separate ones. For query point q: 1. Compute the nearest codeword value for every selected dimension of q. Then map the value to a binary string. 2. Binary strings of selected dimensions are then concatenated. 3. Perform steps 2 and 4 as for template point. Note that there is only one binary string for query point q. 4. Return all the points which are sharing identical hash value with q. For query evaluation, all candidate matches are returned by our hashing for every query feature point. Hence, each query fingerprint is treated as a bag of points, simulating a multi-point query evaluation. To do this efficiently, we use an identical framework as Ke et al. [17], in that, we maintain two auxiliary index structure –File Table (FT) and Keypoint Table (KT) – to map feature points to their corresponding fingerprint; an entry in KT consists of the file ID (index location of FT) and feature point information. The template fingerprints that have points sharing identical hash values (collisions) with the query version are then ranked by the number of similarity points. Only top T templates are selected for identifying the query fingerprint by matching. Thus, the search space is greatly reduced. The candidate selection process requires only linear computational cost so that it can be applied for online interactive querying on large image collections. 3.2 Analysis Space complexity. For an automate fingerprint identification, we must allocate extra storage for the hash values of template fingerprints. Assume that the number of Ddimension feature points extracted from template version is N. With L selected dimensions, the total extra space required for one template is O(L3.N). Thus, the hashing scheme requires a polynomial-sized data structure that allows sub-linear time retrievals of near neighbors as shown in following section. Time complexity. On query fingerprint Y with N feature points in a database of M fingerprints, we must: compute the codeword for each feature point which takes O(N) due to quantization hashing functions required constant time complexity; compute the hash value which takes O(time(f,x)) where f is the hash function used and time(f,x) is the time required by function f with input x; and compute the similarity scores of templates that has any point sharing identical hash value with the query fingerprint, requiring time O(M.N/2m). Thus the key quantity is O(M.N/2n + time(f,x)) which is approximately equivalent to 1/2n computations of exhaustive search. 4 Experiments We evaluate our method by testing it on Database FVC2004 [19] which consists of 300 images, 3 prints each of 100 distinct fingers. DB1_A database contains the partial fingerprint templates of various sizes. These images are captured by a optical sensor with a resolution of 500dpi, resulting in images of 300x200 pixels in 8 bit gray scale. 272 T.H. Le and T.D. Bui The full original templates are used to construct the database, while the remaining 7 impressions are used to hashing. We use the feature extraction algorithm described in [15] in our system. However, the authors do not mention in detail how to determine the threshold of error tolerances. Therefore, in our experiments, we assume that the error correction distance t is fixed for all fingerprint feature points. This assumption makes the implementation not optimal so that two feature points are recognized as “match” by matching algorithm proposed in [15] may not share the same hash value in our experiments. The Euclidean distances between the corresponding dimensions of feature vectors are used in quantization hashing function. Table 1 shows the Correct Index Power (CIP) which is defined as the percentage of correctly indexed queries based on the percentage of hypotheses that need to be searched in the verification step. Although our implementation is not optimal, scheme still achieves good CIP result. As can be easily seen, the larger search percentage is, the better results are obtained. It indicates that the optimal implementation can improve the result performance. Table 1. Correct Indexing Power of our algorithm Correct Index Power Search Percentage CIP 5% 10% 15% 20% 80% 87% 94% 96% Compare with some published experiments in the literature, at the search percentage 10%, [13] comes up with 84.5% CIP and [23] reaches a result of 92.8% CIP. However, unlike previous works, our scheme is much simpler and by adjusting t carefully, it is promising that our scheme will reach 100% CIP with low search percentage. 5 Conclusion In this paper, we have presented a new robust approach to perform indexing on fingerprint which provides both accurate and fast indexing. However, there is still some works need to be done to in order to make the system more persuasive and to obtain the optimal result like studying optimal choices of t parameter. Moreover, to guarantee the privacy of fingerprint template in any indexing scheme is another important problem that must be considered. References [1] Bazen, A.M., Gerez, S.H.: Fingerprint matching by thin-plate spline modeling of elastic deformations. Pattern Recognition 36, 1859–1867 (2003) [2] Bazen, A.M., Verwaaijen, G.T.B., Garez, S.H., Veelunturf, L.P.J.: A correlation-based fingerprint verification system. In: ProRISC 2000 Workshops on Circuits, Systems and Signal Processing (2000) A Fast and Distortion Tolerant Hashing for Fingerprint Image Authentication 273 [3] Boer, J., Bazen, A., Cerez, S.: Indexing fingerprint database based on multiple features. In: ProRISC 2001 Workshop on Circuits, Systems and Singal Processing. (2001) [4] Brown, L.: A survey of image registration techniques. ACM Computing Surveys (1992) [5] Cappelli, R., Lumini, A., Maio, D., Maltoni, D.: Fingerprint Classification by Directional Image Partitioning. IEEE Trans. on PAMI 21(5), 402–421 (1999) [6] Cappelli, R., Maio, D., Maltoni, D.: Indexing fingerprint databases for efficicent 1: n matching. In: Sixth Int.Conf. on Control, Automation, Robotics and Vision, Singapore (2000) [7] Choudhary, A.M., Awwal, A.A.S.: Optical pattern recognition of fingerprints using distortion-invariant phase-only filter. In: Proc. SPIE, vol. 3805(20), pp. 162–170 (1999) [8] Fingerprint verification competition, http://bias.csr.unibo.it/fvc2002/ [9] Germain, R., Califano, A., Colville, S.: Fingerprint matching using transformation parameter clustering. IEEE Computational Science and Eng. 4(4), 42–49 (1997) [10] Gonzalez, Woods, Eddins: Digital Image Processing, Prentice Hall, Englewood Cliffs (2004) [11] Jain, A., Ross, A., Prabhakar, S.: Fingerprint matching using minutiae texture features. In: International Conference on Image Processing, pp. 282–285 (2001) [12] Jain, A., Prabhakar, S., Hong, L., Pankanti, S.: Filterbank-based fingerprint matching. Transactions on Image Processing 9, 846–859 (2000) [13] Jain, A.K., Prabhakar, S., Hong, L., Pankanti, S.: FingerCode: a filterbank for fingerprint representation and matching. In: CVPR IEEE Computer Society Conference (2), pp. 187– 193 (1999) [14] Jea, T., Chavan, V.K., Govindaraju, V., Schneider, J.K.: Security and matching of partial fingerprint recognition systems, pp. 39–50. SPIE (2004) [15] Tsai-Yang, J., Venu, G.: A minutia-based partial fingerprint recognition system. Pattern Recognition 38(10), 1672–1684 (2005) [16] Karu, K., Jain, A.K.: Fingerprint Classification. Pattern Recognition 18(3), 389–404 (1996) [17] Ke, Y., Sukthankar, R., Huston, L.: An efficient parts-based near duplicate and sub-image retrieval system. In: MM International Conference on Multimedia, pp. 869–876 (2004) [18] Liang, X., Asano, T.,, B.: Distorted Fingerprint indexing using minutiae detail and delaunay triangle. In: ISVD 2006, pp. 217–223 (2006) [19] Maio, D., Maltoni, D., Cappelli, R., Wayman, J.L., Jain, A.K.: FVC2004: Third Fingerprint Verification Competition. In: Proc. ICBA, Hong Kong, July 2004, pp. 1–7 (2004) [20] Nandakumar, K., Jain, A.K.: Local correlation-based fingerprint matching. In: Indian Conference on Computer Vision, Graphics and Image Processing, pp. 503–508 (2004) [21] Nist fingerprint vendor technology evaluation, http://fpvte.nist.gov/ [22] Ruud, B., Connell, J.H., Pankanti, S., Ratha, N.K., Senior, A.W.: Guide to Biometrics. Springer, Heidelberg (2003) [23] Liu, T., Zhang, G.Z.C., Hao, P.: Fingerprint Indexing Based on Singular Point Correlation. In: ICIP 2005 (2005) The Concept of Application of Fuzzy Logic in Biometric Authentication Systems Anatoly Sachenko, Arkadiusz Banasik, and Adrian Kapczyński Silesian University of Technology, Department of Computer Science and Econometrics, F. D. Roosevelt 26-28, 41-800 Zabrze, Poland [email protected], [email protected], [email protected] Abstract. In the paper the key topics concerning architecture and rules of working of biometric authentication systems were described. Significant role is played by threshold which constitutes acceptance or rejection given authentication attempt. Application of elements of fuzzy logic was proposed in order to define threshold value of authentication system. The concept was illustrated by an example. Keywords: biometrics, fuzzy logic, authentication systems. 1 Introduction The aim of this paper is to present on the basis of theoretical foundations of fuzzy logic and how to use it as a hypothetical, single-layered biometric authentication system. In the first part it will be provided biometric authentication systems primer and the fundamentals of fuzzy logic. On that basis the idea of use of fuzzy logic in biometric authentication systems was formulated. 2 Biometric Authentication Systems Primer Biometric authentication system is basically a system which identifies patterns and carries out the objectives of authentication by identifying the authenticity of physical or behavioral characteristics possessed by the user [5]. The logical system includes the following modules [1]: enrollment module and identification or verification module. The first module is responsible for the registration of user ID and the association of this identifier with the biometric pattern (called biometric template), which is understood as a vector of vales presented in an appropriate form, as a result of processing the collected by the biometric device, raw human characteristics. The identification Module (verification) is responsible for carrying out the collection and processing of raw biometric characteristics in order to obtain a biometric template, which is compared with patterns saved by the registration module. Those modules cooperate with each other and carry out the tasks related to the collection of raw biometric data, features extraction and comparison of features and finally decision making. The session with biometric systems begins with taking anatomical or behavioral features by the biometric reader. Biometric reader generates in n-dimensional biometric E. Corchado et al. (Eds.): CISIS 2008, ASC 53, pp. 274–279, 2009. springerlink.com © Springer-Verlag Berlin Heidelberg 2009 The Concept of Application of Fuzzy Logic 275 data. Biometric data represented by the form of vector features are the output of signals processing algorithms. Then, vector features are identified, and the result is usually presented in the form of the match (called confidence degree). On the basis of their relevance and value of the threshold (called threshold value) the module responsible for decision making produce output considered as acceptance or rejection. The result of the work of biometric system is a confirmation of the identity of the user. In light of the existence of the positive population (genuine users) and negative population (impostors), there are four possible outcomes: • • • • Genuine user is accepted (correct response), Genuine user is rejected (wrong response), Impostor is accepted (wrong response), Impostor is rejected (correct response.). A key decision-making is based on the value of the threshold T, which determines the classification of the individual characteristics of vectors, leading to a positive class (the sheep population) and a negative class (the wolf population). When threshold is increased (decreased) the likelihood of false acceptance decreases (increases) and the probability of false rejection increases (decreases). It is not possible to minimize the likelihood of erroneous acceptance and rejection simultaneously. In empirical conditions it can be found that precise threshold value makes it clear that confidence scores which are very close to threshold level, but still lower than it, are rejected. It can be found that the use of fuzzy logic can be helpful mean of reducing identified problem. 3 Basics of Fuzzy Logic A fuzzy set is an object which is characterized by its membership function. That function is assigned to every object in the set and it is ranging between zero and one. The membership (characteristic) function is the grade of membership of that object in the mentioned set [4]. That definition allows to declare more adequate if the object is within a range of the set or not; to be more precise the degree of being in range. That is a useful feature for expressions in natural language, e.g. the price is around thirty dollars, etc. It is obvious that if we consider sets (not fuzzy sets) it is very hard to declare objects and their membership function. The visualization of the example membership function S is presented on fig. 1 and elaborated on eq. 1. 0 ⎧ 2 ⎪ ⎛ x−a⎞ ⎪1 − 2⎜ ⎟ ⎪ ⎝ c−a ⎠ s ( x; a, b, c) = ⎨ 2 ⎪1 − 2⎛⎜ x − c ⎞⎟ ⎪ ⎝c−a⎠ ⎪ 1 ⎩ for x≤a for a≤ x≤b (1) for b≤x≤c for x≥c 276 A. Sachenko, A. Banasik, and A. Kapczyński 1,2 1 µ(x) 0,8 0,6 0,4 0,2 0 0 a 2 4 6 b 8 c 10 Fig. 1. Membership function S applied to fuzzy set high level of security” It is necessary to indicate the meaning of membership function [4]. The first possibility is to indicate similarity between object and the standard. Another is to indicate level of preferences. In that case the membership function is concerned as level of acceptance of an object in order to declared preferences. And the last but not least possibility is to consider it as a level of uncertainty. In that case membership function is concerned as a level of validity that variable X will be equal to value x. Another important aspect of fuzzy sets and fuzzy logic is possibility of fuzzyfication – ability to change sharp values into fuzzy ones and defuzzyfication as a process of changing fuzzy values into crisp values. That approach is very useful in case of natural language problems and natural language variables. Fuzzyfication and defuzzyfication is also used in analysis of group membership. It is the best way of presenting average values in order to whole set of objects I ndimensional space. This space may be a multicriteria analysis of the problem. It is well known that there are a lot of practical applications of fuzzy techniques. In many applications, people start with fuzzy values and then propagate the original fuzziness all the way to the answer, by transforming fuzzy rules and fuzzy inputs into fuzzy recommendations. However, there is one well known exception to this general feature of fuzzy technique applications. One of the main applications of fuzzy techniques is intelligent control. In fuzzy control, the objective is not so much to provide an advise to the expert, but rather to generate a single (crisp) control value uc that will be automatically applied by the automated controller. To get this value it is necessary to use the fuzzy control rules to combine the membership functions of the inputs into a membership function µ(u) for the desired control u. This function would be a good output if the result will be an advise to a human expert. However, our point o concern is in generating a crisp value for the automatical controller, we must transform the fuzzy membership function µ(u) into a single value uc. This transformation from fuzzy to crisp is called defuzzification [3]. One of the most widely used defuzzification technique based on centroids is centroid defuzzification. It is based on minimizing the mean square difference between The Concept of Application of Fuzzy Logic 277 the actual (unknown) optimal control u and the generated control uc produced as a result. In this least square optimization it is possible to weigh each value u with the weight proportional to its degree of possibility µ(u). The resulting optimization problem [2]: ∫ µ (u ) ⋅ (u − u ) c 2 du → min uc (2) can be explicitly solved if there is a possibility of differentiation the corresponding objective function by uc and equate the resulting value to 0. The result of it is a formula [2]: uc = ∫ u ⋅ µ (u )du ∫ µ (u )du (3) This formula is called centroid defuzzification because it describes the ucoordinate of the center of mass of the region bounded by the graph of the membership function µ(u). As it was mentioned before fuzzy sets and fuzzy logic is a way to cope with qualitative and quantitative problems. That possibility is a great advantage of presented approach and it is very commonly used in different fields. That provides us a possibility of using its mechanisms in many different problems and it usually gives reasonable solutions. 4 The Use of Fuzzy Logic in Biometric Authentication Systems There are two main characteristics of biometric authentication system: false acceptance rate and false rejection rate. The false acceptance rate can be defined as relation of number of accepted authentication attempts to number of all attempts undertaken by impostors. Authentication attempt is successful only if confidence score resulted from comparison of template created during enrolment process with template created from current authentication attempts eqauls or is greater than specified threshold value. The threshold value can be specified apriori basing on theoretical estimations or can be defined based on requirements from given environment. For example for high security environments the importance of false acceptance errors is greater than of false rejection errors; for low security environments the situation is quite opposite. Threshold is the parameter which defines the levels of false acceptance and false rejection errors. One of the most popular approach assumes that threshold value is chosen at level were false acceptance rate equals false reject rate. In our paper we consider the theoretical biometric authentication system with five levels of security: very low, low, medium, high, very high and a main error considered is only a false acceptance error. The security level is associated with a given level of false acceptance error and the values of false acceptance rates are obtained emipirically from given set of biometric templates. Obtained false acceptance rates are function of threshold value which is expressed precisely as a value from range 0 to 100. 278 A. Sachenko, A. Banasik, and A. Kapczyński In biometric systems the threshold value can be set globally (for all users) or individually. From perspective of security officer responsible for effictient work of whole biometric system the choice of indivual thresholds requires setting as many thresholds as number of users enrolled in the system. We propose the use of fuzzy logic as a mean of more natural expression of accepted level of false acceptance errors. In our approach the first parameter considered is the value of false accept rate and basing on which we the level of security is determined which is finally transformed into threshold value. Step-by-step proposed procedure consists of three steps. In fist step for a given value of false acceptance rate we determine the value of the membership functions for given level of security. If we consider five levels of false acceptance rate, e.g. 5%, 2%, 1%, 0.5% and 0.1% than for each of those levels we can calculate the values of membership functions to one of five levels of security: very low, low, medium, high and very high (see fig. 2). µ Fig. 2. Membership functions for given security levels (S). Medium level was distinguished. In second step through appropriate application of fuzzy rules we receive a result of fuzzy request of the threshold value. Those rules are developed in order to obtain an answer to a question about the relationship between threshold (T) and the specified level of security (S): Rule Rule Rule Rule Rule 1: 2: 3: 4: 5: IF IF IF IF IF “S “S “S “S “S is very low” THEN “T is very low” level is low” THEN “T is low” is medium” THEN “T is medium” level is high” THEN “T is high” is very high” THEN “T is very high”. In third step we apply defuzzyfication during which the fuzzy values are transformed based on specified values of the membership functions and point a fuzzy centroid of given values. Our approach was depicted on fig. 3. For example if we assume that the false acceptance rate is 0.1 and is fuzzified and belongs to "S is high" with value of the membership function of 0.2 and belongs to "S is very high" with value of the membership function of 0.8. Then, based on rule 4 and rule 5 we can see that threshold value is high with the value of membership function equaled to 0.2 and threshold value is very high at the The Concept of Application of Fuzzy Logic 279 Fig. 3. Steps of fuzzy reasoning applied in biometric authentication system value of membership function equaled to 0.8. The modal established at the threshold value of membership functions shall be: 10 (very low level), 30 (low level), 50 (medium), 70 (high level), 90 (very high level). The calculation of fuzzy centroid is carried out by the following calculation: T = 90 ⋅ 0.8 + 70 ⋅ 0.2 = 86 (3) In this example, for the value of false acceptance rate of 0.1, the threshold value equals to 86. 5 Conclusions The development of this concept in the use of fuzzy logic to determine the threshold value associated with a given level of security provides an interesting alternative to the traditional concept to define threshold values in biometric authentication systems. References 1. Kapczyński, A.: Evaluation of the application of the method chosen in the process of biometric authentication of users, Informatica studies. Science series No. 1 (43), vol. 22. Gliwice (2001) 2. Kreinovich, V., Mouzouris, G.C., Nguyen, G.C., H.T.: Fuzzy rule based modeling as a universal approximation tool. In: Nguyen, H.T., Sugeno, M. (eds.) Fuzzy Systems: Modeling and Control, pp. 135–195. Kluwer, Boston (1998) 3. Mendel, J.M., Gang X.: Fast Computation of Centroids for Constant-Width Interval-Valued Fuzzy Sets. In: Fuzzy Information Processing Society. NAFIPS 2006, pp. 621–626. Annual meeting of the North American (2006) 4. Zadeh, L.A.: Fuzzy sets. Information and Control 8 (1965) 5. Zhang, D.: Automated biometrics. Kluwer Academic Publishers, Dordrecht (2000) Bidirectional Secret Communication by Quantum Collisions Fabio Antonio Bovino Elsag Datamat, via Puccini 2, Genova. 16154, Italy [email protected] Abstract. A novel secret communication protocol based on quantum entanglement is introduced. We demonstrate that Alice and Bob can perform a bidirectional secret communication exploiting the “collisions” on linear optical devices between partially shared entangled states. The protocol is based on the phenomenon of coalescence and anti-coalescence experimented by photons when they are incident on a 50:50 beam splitter. Keywords: secret communications, quantum entanglement. 1 Introduction Interference between different alternatives is in the nature of quantum mechanics [1]. For two photons, the best known example is the superposition on a 50:50 beamsplitter (Hong Ou Mandel –HOM– interferometer): two photons with the same polarization are subjected to a coalescence effect when they are superimposed in time [2]. HOM interferometer is used for Bell States measurements too, and it is the crucial element in the experiment of teleportation or entanglement swapping. Multi-particle entanglement has attracted much attention in these years. GHZ (Greemberger, Horne, Zeilinger) states showed stronger violation of locality. The generation of multi-particle entangled states is based on interference between independent fields generated by Spontaneous Parametric Down Conversion (SPDC) from non-linear crystals. As an example four photons GHZ states are created by two pairs emitted from two different sources. For most applications high visibility in interference is necessary to increase the fidelity of the produced states. Usually, high visibility can be reached in experiments involving only a pair of down-converted photons emitted by one source and quantum correlation between two particles is generally ascribed to the fact that particles involved are either generated by the same source or have interacted at some earlier time. In the case of two independent sources of down converted pairs stationary fields cannot be used, unless the bandwidth of the fields is much smaller than that of the detectors. In other words the coherent length of the down conversion fields must be so long that, within the detection time period, the phase of the fields is constant. This limitation can be overcome by using pulsed pump laser with sufficiently narrow temporal width. E. Corchado et al. (Eds.): CISIS 2008, ASC 53, pp. 280–285, 2009. springerlink.com © Springer-Verlag Berlin Heidelberg 2009 Bidirectional Secret Communication by Quantum Collisions 281 2 Four-Photons Interference by SPDC We want to consider now the interference of two down-converted pairs generated by distinct sources that emit the same state. We take, as source, non-linear crystals, cut for a Type II emission, so that the photons are emitted in pairs with orthogonal polarizations, and they satisfy the well known phase-matching conditions, i.e. energy and momentum conservation. In the analysis we select two k-modes (1,3) for the first source and two k-modes for the second source (2,4), along which the emission can be considered degenerate, or in other words, the central frequency of the two photons is half of the central frequency of the pump pulse. We are interested to the case in which only four photons are detected in the experimental set-up, then we can reduce the total state to 2 ⊗2 Ψ1234 = η2 2 2 Ψ13 + η2 2 2 1 1 Ψ24 + η 2 Ψ13 Ψ24 (1) where |η|² is the probability of photon-conversion in a single pump pulse: η is proportional to the interaction time, to the χ⁽²⁾ non-linear susceptibility of the non-linearcrystal and to the intensity of the pump field, here assumed classical and un-depleted during the parametric interaction. Thus we have a coherent superposition of a double pair emission from the first source (eq. 2), or a double pair emission from the second source (eq. 3), or the emission of a pair in the first crystal and a pair in the second one (eq. 4): 2 Ψ13 = η2 2 ∫ ∫ ∫ ∫ dω1dω2dω3dω4 × Φ(ω1 + ω2 )Φ(ω3 + ω4 )e−i (ω1 +ω2 )ϕ e−i (ω3 +ω4 )ϕ [ × [aˆ ] (ω )] vac × aˆ1+e (ω1 )aˆ3+o (ω2 ) − aˆ3+e (ω1 )aˆ1+o (ω2 ) + 1e (ω3 )aˆ3+o (ω4 ) − aˆ3+e (ω3 )aˆ1+o 2 Ψ24 = η2 2 4 ∫ ∫ ∫ ∫ dω1dω2 dω3dω4 × Φ(ω1 + ω2 )Φ(ω3 + ω4 )e −i (ω1 +ω2 )ϕ [ × [aˆ ] (ω )] vac × aˆ 2+e (ω1 )aˆ 4+o (ω2 ) − aˆ2+e (ω1 )aˆ 4+o (ω2 ) + 2e (ω3 )aˆ4+o (ω4 ) − aˆ2+e (ω3 )aˆ4+o 1 1 Ψ13 Ψ24 = η2 2 4 ] × aˆ1+e (ω1 )aˆ3+o (ω2 ) − aˆ1+e (ω1 )aˆ3+o (ω2 ) + 2e (3) ∫ ∫ ∫ ∫ dω1dω2 dω3dω4 × Φ(ω1 + ω2 )Φ(ω3 + ω4 ) [ × [aˆ (2) (4) (ω3 )aˆ4+o (ω4 ) − aˆ2+e (ω3 )aˆ4+o (ω4 )] vac The function Φ (ω1 + ω2 ) contains the information about the pump field and the parametric interaction, and can be expanded in the form 282 Fabio Antonio Bovino Φ (ω1 + ω 2 ) = Ε p (ω1 + ω 2 )φ (ω1 + ω 2 , ω1 − ω 2 ) (5) where Ε p (ω1 + ω 2 ) describes the pump field spectrum and φ (ω1 + ω 2 , ω1 − ω 2 ) is the two photon amplitude for single frequency pumped parametric down-conversion. Without loss of generality, we impose a normalization condition on Φ (ω1 + ω 2 ) so that 2 ∫∫ dω1dω 2 Φ (ω1 + ω 2 ) = 1 (6) We want to calculate the probability to obtain Anti-Coalescence or Coalescence on the second Beam-splitter (BS) conditioned to Anti-coalescence at the first one. For Anti-Coalescence-Anti-Coalescence probability (AA) we obtain: AA = 5 + 3Cos(4Ω 0ϕ ) 20 (7) For Anti-Coalescence-Coalescence Probability (AC) we obtain: 3Sin 2 (2Ω 0ϕ ) 5 AC = (8) For Coalescence-Coalescence probability (CC) we obtain: CC = 5 3 + Cos(4Ω 0ϕ ) 20 (9) If the two sources emit different states, the result is different. In fact for AA probability we obtain: AA = 3 + Cos(4Ω 0ϕ ) 20 (10) 5 − Cos (4Ω 0ϕ ) 10 (11) 7 + Cos (4Ω 0ϕ ) 20 (12) For AC probability we obtain: AC = For CC probability we obtain: CC = 3 Four-Photons Interference: Ideal Case Now, let us consider the interference of two pairs generated by distinct ideal polarization entangled sources that emit the same state, for example two singlet states: 1 1 Ψ13 Ψ24 = ( )( ) 1 + + aˆ1e aˆ3o − aˆ1+e aˆ3+o aˆ 2+e aˆ 4+o − aˆ 2+e aˆ 4+o vac 2 For AA, AC, CC probabilities we obtain: (13) Bidirectional Secret Communication by Quantum Collisions 1 , 4 AC = 0, 283 AA = (14) 3 CC = 4 If the two distinct ideal polarization entangled sources emit different states, for example a singlet state the first one and a triplet state the second one, we have: 1 1 Ψ13 Ψ24 = ( )( ) 1 + + aˆ1e aˆ3o − aˆ1+e aˆ3+o aˆ 2+e aˆ 4+o + aˆ 2+e aˆ 4+o vac 2 (15) For AA, AC, CC Probabilities we obtain: AA = 0, 1 AC = , 2 1 CC = 2 (16) 4 Bidirectional Secret Communication by Quantum Collision The last result could be used for a quantum communication protocol to exchange secret messages between Alice and Bob. Alice has a Bell’s states synthesizer (i.e. an entangled states source, a phase shifter and a polarization rotator), a quantum memory and a 50:50 beam-splitter. Alice codifies binary classical information by two different Bell states, instead she codifies 1 with singlet state and 0 with triplet state. Then she sends one of the photons of the state to Bob, and maintains the second one in the quantum memory. Fig. 1. Set-up used by Alice and Bob to perform the bidirectional secret communication 284 Fabio Antonio Bovino Bob has the same set-up of Alice, so that he is able to codify a binary sequence by the same two Bell’s states used in the protocol. Bob sends one of the photons of the state to Alice, and maintains the second one in the quantum memory. Alice and Bob perform a Bell’s measurement on the two 50:50 beam-splitters. If Alice and Bob have exchanged the same bit, after the Bell’s measurements the probability of coalescence-coalescence will be ¾, and the probability of AntiCoalescence-Anti-Coalescence will be ¼. If Alice and Bob have exchanged a different bit, the probability to obtain Coalescence-Coalescence will be ½ and the probability to obtain Anti-CoalescenceCoalescence will be ½. After the measurements, Alice and Bob communicate on an authenticated classical channel the results of the measurements: if the result is Anti-Coalescence-AntiCoalescence, Alice and Bob understand that the same state has been used; if the result is Anti-Coalescence-Coalescence or Coalescence-Anti-Coalescence, they understand that they used a different state. In the case of Coalescence-Coalescence, they have to repeat the procedure until a useful result is obtained. If we assume that the probability to use the singlet and triplet states is equal to ½, Alice (Bob) can reconstruct the 37.5% of the message sent by Bob (Alice). Fig. 2. Possible outputs of a Bell’s measurement 5 Conclusion Sources emitting entangled states “on demand” do not exist and the protocol, for now, can not be exploited. The novelty is the use of quantum properties to encoding and decoding a message without exchange of a key and the protocol performs a really quantum cryptographic process. It seems that the fundamental condition is the authentication of the users: if the classical channel is authenticated it is not possible to extract information from the quantum communication channel. The analysis of security is not complete and comments are welcome. Bidirectional Secret Communication by Quantum Collisions References 1. Schrödinger, E.: Die Naturewissenschaften 48, 807 (1935) 2. Hong, C.K., Ou, Z.Y., Mandel, L.: Phys. Rev. Lett. 59, 2044 (1987) 285 Semantic Region Protection Using Hu Moments and a Chaotic Pseudo-random Number Generator Paraskevi Tzouveli, Klimis Ntalianis, and Stefanos Kollias National Technical University of Athens Electrical and Computer Engineering School 9, Heroon Polytechniou str. Zografou 15773, Athens, Greece [email protected] Abstract. Content analysis technologies give more and more emphasis on multimedia semantics. However most watermarking systems are frame-oriented and do not focus on the protection of semantic regions. As a result, they fail to protect semantic content especially in case of the copy-paste attack. In this framework, a novel unsupervised semantic region watermark encoding scheme is proposed. The proposed scheme is applied to human objects, localized by a face and body detection method that is based on an adaptive two-dimensional Gaussian model of skin color distribution. Next, an invariant method is designed, based on Hu moments, for properly encoding the watermark information into each semantic region. Finally, experiments are carried out, illustrating the advantages of the proposed scheme, such as robustness to RST and copy-paste attacks, and low overhead transmission. Keywords: Semantic region protection, Hu moments, Chaotic generator. pseudo-random number 1 Introduction Copyright protection of digital images and video is still an urgent issue of ownership identification. Several watermarking techniques have been presented in literature, trying to confront the problem of copyright protection. Many of them are not resistant enough to geometric attacks, such as rotation, scaling, translation and shearing. Several researchers [1]-[4] have tried to overcome this inefficiency by designing watermarking techniques resistant to geometric attacks. Some of them are based on the invariant property of the Fourier transform. Others use moment based image normalization [5], with a standard size and orientation or other normalization technique [6]. In most of the aforementioned techniques the watermark is a random sequence of bits [7] and it is retrieved by subtracting the original from the candidate image and choosing an experimental threshold value to determine when the cross-correlation coefficient denotes a watermarked image or not. On the other hand, the majority of the proposed techniques are frame-based and thus semantic regions such as humans, buildings, cars etc., are not considered. At the same time, multimedia analysis technologies give more and more importance to semantic content. However in several applications (such as TV news, TV weather E. Corchado et al. (Eds.): CISIS 2008, ASC 53, pp. 286–293, 2009. springerlink.com © Springer-Verlag Berlin Heidelberg 2009 Semantic Region Protection Using Hu Moments 287 forecasting, films) semantic regions, and especially humans, are addressed as independent video objects and thus should be independently protected. In this direction the proposed system is designed to provide protection of semantic content. To achieve this goal, a human object detection module is required both in watermark encoding and during authentication. Afterwards the watermark encoding phase is activated, where chaotic noise is generated and properly added to each human object, producing the watermarked human object. The watermark encoding procedure is guided by a feedback mechanism in order to satisfy an equality, formed as a weighted difference between Hu moments of the original and watermarked human objects. During authentication, initially every received image passes through the human object detection module. Then Hu moments are calculated for each detected region, and an inequality is examined. A semantic region is copyrighted only if the inequality is satisfied. Experimental results on real sequences indicate the advantages of the proposed scheme in cases of mixed attacks, affine distortions and the copypaste attack. 2 Semantic Region Extraction Extraction of human objects is a two-step procedure. In the first step the human face is detected and in the second step the human body is localized based on information of the position and size of human face. In particular human face detection is based on the distribution of chrominance values corresponding to human faces. These values occupy a very small region of the YCbCr color space [9]. Blocks of an image that are located within this small region can be considered as face blocks, belonging to the face class Ωf. According to this assumption, the histogram of chrominance values corresponding to the face class can be initially modeled by a Gaussian probability density function. Each Bi block of the image is considered to belong to the face class, if the respective probability P(x(Bi)|Ωf) is high. a) Initial Image b) Object Mask c) Object Extraction Fig. 1. Human Video Object Extraction Method On the other hand and in order to filter non-face regions with similar chrominance values, the aspect ratio R=Hf /Wf (where Hf is the height and Wf the width of the head) is adopted, which was experimentally found to lie within the interval [1.4 1.6] [9]. Using R and P, a binary mask, say Mf, is build containing the face area. Detection of the body area is then achieved using geometric attributes that relate face and body areas [9]. After calculating the geometric attributes of the face region, the human body can be localized by incorporating a similar probabilistic model. Finally the face 288 P. Tzouveli, K. Ntalianis, and S. Kollias and body masks are fused and human video objects are extracted. The phases of human object extraction are illustrated in Figure 1. This algorithm is an efficient method of finding face locations in a complex background when the size of the face is unknown. It can be used for a wide range of face sizes. The performance of the algorithm is based on the distribution of chrominance values corresponding to human faces providing 92% successful. 3 The Watermark Encoding Module Let us assume that human object O has been extracted from an image or frame, using the human object extraction module described in Section 2. Initially Hu moments of human object O are computed [6] providing an invariant feature of an object. Traditionally, moment invariants are computed based both on the shape boundary of the area and its interior object. Hu first introduced [19] the mathematical foundation of 2D moment invariants, based on methods of algebraic invariants and demonstrated their application to shape recognition. Hu’s method is based on nonlinear combinations of 2nd and 3rd order normalized central moments, providing a set of absolute orthogonal moment invariants, which can be used for RST invariant pattern identification. Hu [19] derived seven functions from regular moments, which are rotation, scaling and translation invariant. In [20], Hu’s moment invariant functions are incorporated and the watermark is embedded by modifying the moment values of the image. In this implementation, exhaustive search should be performed in order to determine the embedding strength. The method that is proposed in [20] provides an invariant watermark in both geometric and signal processing attacks based on invariant of moments. Hu moments are seven invariant values computed from central moments through order three, and are independent of object translation, scale and orientation. Let Φ= [φ1, φ2, φ3, φ4, φ5, φ6, φ7]Τ be a vector containing the Hu moments of O. In this paper, the watermark information is encoded into the invariant moments of the original human object. To accomplish this, let us define the following function: 7 ⎛ x − φi ⎞ f ( X , Φ ) = ∑ wi ⎜ i ⎟ i =1 ⎝ φi ⎠ . (1) where X is a vector containing the φ values of an object, Φ contains the φ invariants of object O and wi are weights that put different emphasis to different invariants. Each of the weights wi receives a value within a specific interval, based on the output of a chaotic random number generator. In particular chaotic functions, first studied in the 1960's, present numerous interesting properties that can be used by modern cryptographic and watermarking schemes. For example the iterative values generated from such functions are completely random in nature, although they are limited between some bounds. The iterative values are never seen to converge after any number of iterations. However the most fascinating aspect of these functions is their extreme sensitivity to initial conditions that make chaotic functions very important for applications in cryptography. One of the simplest chaotic functions that incorporated in our Semantic Region Protection Using Hu Moments 289 work is the logistic map. In particular, the logistic function is incorporated, as core component, in a chaotic pseudo-random number generator (C-PRNG) [8]. The procedure is triggered and guided by a secret 256-bit key that is split into 32 8bit session keys (k0, k1, …, k31). Two successive session keys kn and kn+1 are used to regulate the initial conditions of the chaotic map in each iteration. The robustness of the system is further reinforced by a feedback mechanism, which leads to acyclic behavior, so that the next value to be produced depends on the key and on the current value. In particular the first seven output values of C-PRNG are linearly mapped to the following intervals: [1.5 1.75] for w1, [1.25 1.5] for w2, [1 1.25] for w3, [0.75 1] for w4 and w5, and [0.5 0.75] for w6 and w7. These intervals have been experimentally estimated and are analogous to the importance and robustness of each of the φ invariants. Then watermark encoding is achieved by enforcing the following condition: 7 ⎛ φ * − φi ⎞ * f (Φ* , Φ) = ∑ wi ⎜ i ⎟=N i =1 ⎝ φi ⎠ (2) where Φ* is the moments vector of the watermarked human object O* and N* is a target value also properly determined by the C-PRNG, taking into consideration a tolerable content distortion. N*value expresses the weighted difference among the φ invariants of the original the watermarked human objects. The greater the value is, the larger perturbation should be added to the original video object and the higher visual distortion would be introduced. Fig. 2. Block diagram of encoding module This is achieved by generating a perturbation region ∆Ο of the same size as O such that, when ∆Ο is added to the original human object O, it produces a region O* = O + β∆Ο (3) that satisfies Eq. (2). Here, β is a parameter that controls the distortion introduced to O by ∆Ο. C-PRNG generates values until mask ∆Ο is fully filled. After generating all sensitive parameters of the watermark encoding module, a proper O* is iteratively produced using Eqs. (2) and (3). In this way, the watermark information is encoded into the φ values of O producing O*. An overview of the proposed watermark encoding module is presented in Figure 2. 290 P. Tzouveli, K. Ntalianis, and S. Kollias 4 The Decoding Module The decoding module is responsible for detecting copyrighted human objects. The decoding procedure is split into two phases (Figure 3). During the first phase, the received image passes through the human object extraction module described in Section 2. During the second phase each human object undergoes an authentication test to check whether it is copyrighted or not. Fig. 3. Block Diagram of decoding module In particular let us consider the following sets of objects and respective φ invariants: (a) (O, Φ) for the original human object, (b) (O*, Φ*) for the watermarked human object and (c) (O΄, Φ΄) for a candidate human object. Then O΄ is declared authentic if: f (Φ* , Φ) − f (Φ′, Φ) ≤ ε (4) where f(Φ*, Φ) is given by Eq.(2), while f(Φ΄, Φ) is given by: 7 ⎛ φ′ −φ ⎞ f (Φ′, Φ) = ∑ wi ⎜ i i ⎟ = N ' i =1 ⎝ φi ⎠ (5) Then Eq. (4) becomes Nd = N * − N ′ ≤ ε ⇒ 7 ⎛ φi* − φi′ ⎞ ⎟ ≤ε i ⎝ φi ⎠ ∑w ⎜ i =1 (6) where ε is an experimentally determined, case-specific margin of error and wi are the weights (see Section 3). Two observations need to be stressed at this point. It is advantageous that the decoder does not need the original image. It only needs wi, Φ, Φ* and the margin of error ε. Secondly, since the decoder only checks the validity of Eq. (6) for the received human object, the resulting watermarking scheme answers a yes/no, (i.e. copyrighted Semantic Region Protection Using Hu Moments 291 or not) question. As a consequence, this watermarking scheme belongs to the family of algorithms of 1-bit capacity. Now in order to determine ε, we should first observe that Eq. (6), delimits a normalized margin of error between Φ and Φ*. This margin depends on the severity of the attack, i.e., the more severe the attack, the larger the value of Nd will be. Thus, its value should be properly selected so as to keep false reject and false accept rates as low as possible (ideally zero). More specifically, the value of ε is not heuristically set, but depends on the content of each distinct human object. In particular, each watermarked human object, O*, undergoes a sequence of plain (e.g. compression, filtering etc.) and mixed attacks (e.g. cropping and filtering, noise addition and compression) of increasing strength. The strength of the attack increases until, either the SNR falls below a predetermined value, or a subjective criterion is satisfied. In the following the subjective criterion is selected, which is related to content’s visual quality. According to this criterion and for each attack, when the quality of the human object’s content is considered unacceptable for the majority of evaluators, an upper level of attack, say Ah, is set. This upper level of attack can also be automatically determined based on SNR, since a minimum value of SNR can be defined before any attack is performed. Let us now define an operator p(.) that performs attack i to O* (reaching upper level Ahi ) and producing an object Oi*: ( ) p O* , Ahi = Oi* , i = 1, 2, …, M (7) Then for each Oi*, N d is calculated according to Eq. (6). By gathering N d values, a i i vector is produced: r N d = ⎡⎣ N d1 , N d 2 ,..., N d M ⎤⎦ (8) Then the margin of error is determined as: r ε = max N d (9) r Since ε is the maximum value of N d , it is guaranteed that human objects should be visually unacceptable in order to deceive the watermark decoder. 5 Experimental Results Several experiments were performed to examine the advantages and open issues of the proposed method. Firstly, face and body detection is performed on different images. Afterwards, the watermark information is encoded to each human object, and the decoding module is tested under a wide class of geometric distortions, copy-paste and mixed attacks. When an attack of specific kind is performed to the watermarked human object (Fig. 3a), it leads to SNR reduction that is proportional to the severity of the attack. Firstly we examine JPEG compression for different quality factors in the range of 10 to 50. Result sets (N*, SNR, Nd) are provided in the first group of rows of Table I. It can be observed that Nd changes rapidly for SNR < 9.6 dB. Furthermore, 292 P. Tzouveli, K. Ntalianis, and S. Kollias the subjective visual quality is not acceptable for SNR < 10 dB. Similar behavior can be observed in the cases of Gaussian noise for SNR < 6.45 (using different means and deviations) and median filtering for SNR < 14.3 dB (changing the filter size). Again in these cases the subjective visual quality is not acceptable for SNR < 5.8 dB and SNR < 9.2 dB respectively. Furthermore, we examine some mixed attacks, by combining Gaussian noise and JPEG compression, scaling and JPEG compression and Gaussian noise and median filtering. Table 1. Watermark detection after different attacks In the following, we illustrate the ability of the method to protect content in case of copy-paste attacks. The encoding module receives an image which contains a weather forecaster and provides the watermarked human object (Fig 3a). In this case ε was automatically set equal to 0.65 according to Eq.(9), so as to confront even cropping inaccuracy of 6 %. It should be mentioned that, for larger ε, larger cropping inaccuracies can be addressed, however, the possibility of false alarms also increases. Now let us assume that a malicious user initially receives Fig.(3a) and then copies, modifies (cropping 2% inaccuracy, scaling 5%, rotation 10o) and pastes the watermarked human object in a new content (Fig 3b). Let us also assume that the decoding module receives Fig. (3b). Initially, the human object is extracted and then the decoder checks the validity of Eq. (6). In this case Nd=0.096, a value that is smaller than ε. As a result the watermark decoder certifies that the human object of Fig.(3b) is copyrighted. Semantic Region Protection Using Hu Moments 293 Fig. 4. Copy-paste attack. (a) Watermarked human object (b) Modified watermarked human object in new content. 6 Conclusions In this paper an unsupervised, robust and low complexity semantic object watermarking scheme has been proposed. Initially, human objects are extracted and the watermark information is properly encoded to their Hu moments. The authentication module needs only the moment values of the original and watermarked human objects and the corresponding weights. Consequently, both encoding and decoding modules have low complexity. Several experiments have been performed on real sequences, illustrating the robustness of the proposed watermarking method to various signal distortions, mixed processing and copy-paste attacks. References 1. Cox, J., Miller, M.L., Bloom, J.A.: Digital Watermarking, San Mateo. Morgan Kaufmann, San Francisco (2001) 2. Lin, C.Y., Wu, M., Bloom, J., Cox, I., Miller, M., Lui, Y.: Rotation, scale, and translation resilient watermarking for images. IEEE Trans. on Image Processing 10, 767–782 (2001) 3. Wu, M., Yu, H.: Video access control via multi-level data hiding. In: Proc. of the IEEE ICME, N.Y. York (2000) 4. Pereira, S., Pun, T.: Robust template matching for affine resistant image watermarks. IEEE Transactions on Image Processing 9(6) (2000) 5. Abu-Mostafa, Y., Psaltis, D.: Image normalization by complex moments. IEEE Trans. on Pattern Analysis and Machine Intelligent 7 (1985) 6. Hu, M.K.: Visual pattern recognition by moment invariants. IEEE Trans. on Information Theory 8, 179–187 (1962) 7. Alghoniemy, M., Tewfik, A.H.: Geometric Invariance in Image. Watermarking in IEEE Trans. on Image Processing 13(2) (2004) 8. Devaney, R.: An Introduction to Chaotic Dynamical Systems. Addison-Wesley, Redwood City (1989) 9. Yang, Huang, T.S.: Human Face Detection in Complex Background. Pattern Recognition 27(1), 53–63 (1994) Random r-Continuous Matching Rule for Immune-Based Secure Storage System Cai Tao, Ju ShiGuang, Zhong Wei, and Niu DeJiao* JiangSu University, Computer Department, ZhengJiang, China, 212013 [email protected] Abstract. On the basis of analyzing demand of secure storage system, this paper use the artificial immune algorithm to research access control system for the secure storage system. Firstly some current matching rules are introduced and analyzed. Then the elements in immune-based access control system are defined. To improve the efficiency of the artificial immune algorithm, this paper proposes the random r-continuous matching rule, and analyze the number of illegal access requests that one detector can check out. Implementing prototype of the random rcontinuous matching rule to evaluate and compare its performance with current matching rules. The result proves the random r-continuous matching rule is more efficient than current matching rules. At last, we use the random r-continuous matching rule to realize immune-based access control system for OST in Lustre. Evaluating its I/O performance, the result shows its I/O performance loss is below 8%, it proves that the random r-continuous matching rule can be used to realize the secure storage system that can keep high I/O performance. Keywords: matching rule; artificial immune algorithm; secure storage system. 1 Introduction The secure storage system is the hot topic in current researching. There are six directions in current researching. Firstly, encrypting file system to ensure security of storage system, it contains CFS[1], AFS[2], SFS[3,4] and Secure NAS [5]. Secondly, researching new disk structure to realize secure storage system, it contains NASD[6] and Self Securing Storage[7,8]. Thirdly, researching survivable strategy for storage system, it contains PASIS[9,10] and OceanStore[11]. Fourth, researching efficient key management strategy for secure storage system, it contains SNAD[12,13,14], PLUTUS[15] and iSCSI-Based Network Attached Storage Secure System[16]. Fifth, researching the secure middle-ware module to ensure security of storage system, it contains SiRiUS[17] and two-layered secure structure for storage system [18]. Sixth, using zone and mask code to ensure security of storage system. Encryption, authentication, data redundancy and intrusion detection are used in current researching of secure storage system. But large time and space consumption are needed to ensure security of enormous data stored in storage system, and the loss of I/O performance in the secure storage system is very large. High I/O performance is important character for storage system. We use the artificial immune algorithm to research fast access control strategy for the secure storage system. * Support by JiangSu Science Foundation of China No.2007086. E. Corchado et al. (Eds.): CISIS 2008, ASC 53, pp. 294–300, 2009. springerlink.com © Springer-Verlag Berlin Heidelberg 2009 Random r-Continuous Matching Rule for Immune-Based Secure Storage System 295 The artificial immune algorithm simulates natural immune system, it has many good characters such as distributability, multi-layered, diversity, autonomy and adaptability and so on. It can protect system efficiently. The classic theory is the negative selection algorithm that presented by Forrest in 1994. It simulates selftolerance of T cells. We use the artificial immune algorithm to judge whether access request is legal in secure storage system and realize fast access control system, then ensure the security of the storage system. The matching rule used to select selftolerance detectors and judge whether detector matches access request, so it is important for efficiency and accuracy the secure storage system. When self, access request and detector are represented by binary string, matching rule is used to compare two binary strings. The remainder of this paper is organized as follows. Section 2 analyzes current matching rules. Section 3 gives definition of some elements and presents random rcontinuous matching rule. Section 4 analyzes the efficiency of random r-continuous matching rule and compare with current matching rules. Section 5 implements prototype of random r-continuous matching rule to evaluate its performance, then compares efficiency and accuracy with current matching rules. Section 6 use random r-continuous matching rule to realize access control system for object-based storage target in storage area network system named Lustre, and evaluate its I/O performance. 2 Related Works The matching rule used to judge whether two binary strings matches between detector and self or between detector and access request. Current matching rules contain rcontiguous matching rule, r-chunk matching rule, Hamming distance matching rule and Rogers and Tanimoto matching rule. Forrest presented r-contiguous matching rule in 1994[24]. r-contiguous matching rule can discriminate non-self accurately, but need large number of detectors. Every detector with l bits contains l-r+1 characteristic sub-string. Every characteristic subl −r string can detect 2 non-self. One detector can recognize (l − r + 1)2 non-self mostly. Balthrop presented r-chunk matching rule to improve accuracy and efficiency of rcontiguous matching rule in 2002[25]. r-chunk matching rule is to add condition to rcontiguous matching rule. Start position can improve the accuracy and restrict form ith to (i+r-1)th in detector are valid, i is special to one detector. One detector contains l -r l-r-i+1 characteristic sub-string and can recognize (l - r - i + 1)2 non-self mostly. The recognition capability of detector is smaller than r-contiguous matching rule. Hamming distance matching rule was proposed by Farmer in 1986[26]. Hamming distance matching rule check whether there are r counterpart and same bits, and it do not care whether these r bits are continuous. Every detector can recognize l-r (l - r - i + 1)2l -r non-self mostly. But it had less accuracy. Harmer analyzes different matching rules by calculating the signal-to-noise ratio and the function-value distribution of each matching rule when applied to a randomly generated data set[27]. But current matching rules are less efficiency. 296 C. Tao et al. 3 The Random r-Continuous Matching Rule We give definition of the elements and present the random r-continuous matching rule. 3.1 Definition of Elements Definition 1. Domain. U={0,1}l it is a set of all binary strings with l bits, it contains by self set and non-self set. Definition 2. Self set. S ∈ U it is a set of all legal strings in domain. Definition 3. Non-self set. NS ∈ U it is a set of all illegal strings in domain. Definition 4. Access request. x=x1x2…xl (xi ∈ {0,1}) it is betoken of one access request in storage system and it is one string in domain. Definition 5. Threshold. r is criterion to judge whether x matches d. ∈ Definition 6. Detector. d=(d1d2…dl,r) (di {0,1}) is binary string with l bits l. Definition 7. Characteristic sub-string. It is sub-string in detector that used to check access request. 3.2 Random r-Continuous Matching Rule When checking access request by the artificial immune algorithm, the characteristic sub-string is critical. So increasing the number of non-self that very characteristic substring can match is the important way to improve efficiency of matching rule. The rcontiguous matching rule and r-chunk matching rule check whether the length of identical and counterpart sub-string between antigen and detector is larger than threshold, detector matches antigen. This condition limits efficiency of matching rule. The Hamming distance matching rule check the number of counterpart and identical bits, the condition of identical and counterpart bits limits efficiency of matching rule also. We propose the random r-continuous matching rule to increase the number of illegal access request that one detector can match and improve efficiency. Given detector(d) and access request(x), its definition is as formula 1. Formula 1: d matches x ≡ ∃i ≤ l − r + 1 and ∃j ≤ l − r + 1 such that xk = d l for k = i, L , i + r − 1 and l = j , L , j + r − 1 If the length of identicial sub-string is larger than threshold between detector and access request, then d matches x. 4 Performance Analyze We analyze and compare the number of illegal access request that one detector can recognize using different matching rules. Random r-Continuous Matching Rule for Immune-Based Secure Storage System 297 Using random r-continuous matching rule, one detector with l bits contains l-r+1 characteristic sub-strings. One detector can matches (l − r + 1)2 l − r +1 illegal access request. Table 1 shows how many detectors one detector can match when using different matching rules. We can find the number of illegal access request that one detector can recognize is largest when using random r-continuous matching rule, it proves that random r-continuous matching rule can improve efficiency of artificial immune algorithm obviously. Table 1. Number of illegal access request one detector can recognize using different matching rules Matching rule random rcontinuous matching rule r-contiguous matching rule r-chunk matching rule Hamming distance matching rule The number of illegal access request that one detector can recognize (l − r + 1)2 l − r +1 (l − r + 1)2 l −r (l-r-i + 1)2 l-r (l − r + 1)2 l −r 5 Prototype of Random r-Continuous Matching Rule We implement the prototype of immune-based access control system using the random r-continuous matching rule and other matching rules on Linux. Access request and detector are betokened by string with eight bits. Self and access request are stored in two text file. Using the exhaustive detector generating algorithm to generate original detector and do not limit number of self-tolerance detector. Prototype output the result of detection and the number of detectors which are needed to check out all illegal access requests, then comparing with current matching rules. The minimum value of r is 1, maximal value is 8 and increment is 1. Firstly we use the exhaustive strategy to generate all 256 different strings with 8 number bits. We choose some strings as self sequence and other as access request. Then self and access request are complementary and all access requests are illegal. We create seven self files with 0, 8, 16, 32, 64, 128 and 192 access requests specially cne rae lo tlfe s fo re bm un 140 120 ro100 cte 80 etd 60 40 20 0 0 8 16 32 64 128 192 number of self prototype of random rcontinous matching rule prototype of r-contiguous matching rule prototype of r-chunk matching rule prototype of Hamming distance matching rule Fig. 1. Number of detectors needed to recognize all illegal access requests 298 C. Tao et al. and corresponding access request files. And evaluating how many detectors needed to check out all illegal access requests. The result shows in figure 1. From figure 1 we find that prototype can check out all illegal access requests with smallest number of detectors when using the random r-continuous matching rule. This result proves that the random r-continuous matching rule is more efficient than other matching rules. 6 Prototype of Immune-Based Secure Storage Lustre is an open source storage area network system. There are three modules such as client, MDS and OST in system. OST is an object-based storage target. We use the random r-continuous matching rule to realize immune-based access control system for OST. Using the Iozone to test I/O performance. We test writing performance of 1M file with different size block such as 4k, 8k, 16k, 32k, 64k, 128k, 256k, 512k and 1024k. The result shows in figure 2. It shows that the prototype of the secure storage system lose 8% writing performance of Lustre that can keep high I/O performance. writing performance /XVWUH 600000 500000 400000 b/s 300000 200000 100000 0 481632641282565121024 block size /XVWUH ZLWK LPPXQH EDVHG DFFHVV FRQWURO V\VWHP Fig. 2. Writing performance 7 Conclusion This paper presents the random r-continuous matching rule to improve the efficiency of the artificial immune algorithm. By analyzing the number of illegal access request that one detector can check out, evaluating and comparing with current matching rules. The result proves the random r-continuous matching rule is more efficient than current matching rules. At last we using the random r-continuous matching rule to realize immune-based access control system for OST in the Lustre, the I/O performance testing proves that random r-continuous matching rule can used to realize the secure storage system that can keep high I/O performance. Different detector will contain same characteristic sub-string that will increase consumption of detection. Next step we analyze characteristic sub-string in detector and research new detector generating algorithm to improve efficiency. Random r-Continuous Matching Rule for Immune-Based Secure Storage System 299 References 1. Blaze, M.: A cryptographic file system for UNIX. In: Proceedings of 1st ACM Conference on Communications and Computing Security (1993) 2. Howard, J., Kazar, M., Menees, S., Nichols, D., Satyanarayanan, M., Sidebotham, R., West, M.: Scale and performance in a distributed file system. ACM TOCS 6(1) (February 1988) 3. Fu, K., Kaashoek, M., Mazieres, D.: Fast and secure distributed read-only file system. OSDI (October 2000) 4. Mazieres, D., Kaminsky, M., Kaashoek, M., Witchel, E.: Separating key management from file system security. SOSP (December 1999) 5. Li, X., Yang, J., Wu, Z.: An NFSv4-Based Security Scheme for NAS, Parallel and Distributed Processing and Applications, NanJiang, China (2005) 6. Gobioff, H., Nagle, D., Gibson, G.: Embedded Security for Network-Attached Storage, CMU SCS technical report CMU-CS-99-154 (June 1999) 7. John, D., Strunk, G.R., Goodson, M.L., Sheinholtz, C.A.N., Soules, G.R.: Self-Securing Storage: Protecting Data in Compromised Systems. In: 4th Symposium on Operating System Design and Implementation, San Diego, CA (October 2000) 8. Craig, A.N., Soules, G.R., Goodson, J.D., Strunk, G.R.: Metadata Efficiency in Versioning File Systems. In: 2nd USENIX Conference on File and Storage Technologies, San Francisco, CA, March 31-April 2 (2003) 9. Wylie, J., Bigrigg, M., Strunk, J., Ganger, G., Kiliccote, H., Khosla, P.: Survivable information storage systems. IEEE Computer, Los Alamitos (2000) 10. Ganger, G.R., Khosla, P.K., Bakkaloglu, M., Bigrigg, M.W., Goodson, G.R., Oguz, S., Pandurangan, V., Soules, C.A.N., Strunk, J.D., Wylie, J.J.: Survivable Storage Systems. In: DARPA Information Survivability Conference and Exposition, Anaheim, CA, 12-14 June 2001, vol. 2, pp. 184–195. IEEE, Los Alamitos (2001) 11. Kubiatowicz, J., Bindel, D., Chen, Y., Czerwinski, S., Eaton, P., Geels, D., Gummadi, R., Rhea, S., Weatherspoon, H., Weimer, W., Wells, C., Zhao, B.: OceanStore: An Architecture for Global-Scale Persistent Storage. In: ASPLOS (December 2000) 12. Freeman, W., Miller, E.: Design for a decentralized security system for network-attached storage. In: Proceedings of the 17th IEEE Symposium on Mass Storage Systems and Technologies, College Park, MD, pp. 361–373 (March 2000) 13. Miller, E.L., Long, D.D.E., Freeman, W., Reed, B.: Strong security for distributed file systems. In: Proceedings of the 20th IEEE international Performance, Computing and Communications Conference (IPCCC 2001), Phoenix, April 2001, pp. 34–40. IEEE, Los Alamitos (2001) 14. Miller, E.L., Long, D.D.E., Freeman, W.E., Reed, B.C.: Strong Security for NetworkAttached Storage. In: Proceedings of the 2002 Conference on File and Storage Technologies (FAST), January 2002, pp. 1–13 (2002) 15. Kallahalla, M., Riedel, E., Swaminathan, R., Wang, Q., Fu, K.: PLUTUS: Scalable secure file sharing on untrusted storage. In: Conference on File andStorage Technology (FAST 2003), San Francisco, CA, 31 March - 2 April 2003, pp. 29–42. USENIX, Berkeley (2003) 16. De-zhi, H., Xiang-lin, F., Jiang-zhong, H.: Study and Implementation of a iSCSI-Based Network Attached Storage Secure System. MINI-MICRO SYSTEMS 7, 1223–1227 (2004) 17. Goh, E.-J., Shacham, H., Modadugu, N., Boneh, D.: SiRiUS:Securing Remote Untrusted Storage. In: The proceedings of the Internet Society (ISOC) Network and Distributed Systems Security (NDSS) Symposium 2003(2003) 300 C. Tao et al. 18. Azagury, A., Cabetti, R., Factor, M., Halevi, S., Henis, E., Naor, D., Rinetzky, N., Rodeh, O., Satran, J.: A Two Layered Approach for Secuting an Object Store Network. In: SISW 2002 (2002) 19. Hewlett-Packard Company. HP OpenView storage allocator (October 2001), http://www.openview.hp.com 20. Brocade Communications Systems, Inc. Advancing Security in Storage Area Networks. White Paper (June 2001) 21. Hewlett-Packard Company. HP SureStore E Secure Manager XP (March 2001), http://www.hp.com/go/storage 22. Dasgupta, D.: An overview of artificial immune systems and their applications. In: Dasgupta, D. (ed.) Artificial immune systems and their applications, pp. 3–23. Springer, Heidelberg (1999) 23. de Castro, L.N., Timmis, J.: Artificial Immune Systems: A New Computational Approach. Springer, London (2002) 24. Forrest, S., Perelson, A., Allen, L., Cherukuri, R.: Self-nonself discrimination in a computer. In: Proceedings IEEE Symposium on Research in Security and Privacy, Los Alamitos, CA, pp. 202–212. IEEE Computer Society Press, Los Alamitos (1994) 25. Balthrop, J., Esponda, F., Forrest, S., Glickman, M.: Coverage and generalization in an artificial immune system. In: Langdon, W.B., Cantú-Paz, E., Mathias, K., Roy, R., Davis, D., Poli, R., Balakrishnan, K., Honavar, V., Rudolph, G., Wegener, J., Bull, L., Potter, M.A., Schultz, A.C., Miller, J.F., Burke, E., Jonoska, N. (eds.) Proceedings of the Genetic and Evolutionary Computation Conference (GECCO), 9-13 July 2002, pp. 3–10. Morgan Kaufmann Publishers, San Francisco (2002) 26. Farmer, J.D., Packard, N.H., Perelson, A.S.: The immune system, adaptation, and machine learning. Physica D 22, 187–204 (1986) 27. Harmer, P., Williams, G., Gnusch, P.D., Lamont, G.: An Artificial Immune System Architecture for Computer Security Applications. IEEE Transactions on Evolutionary Computation 6(3), 252–280 (2002) 28. Forrest, S., Perelson, A.S., Allen, L., Cherukuri, R.: Self-Nonself Discrimination in a computer. In: Proceeding of IEEE Symposium on Research in Security and Privacy, pp. 202–212. IEEE Computer Society Press, Los Alamitos (1994) 29. Helman, P., Forrest, S.: An efficient algorithm for generating random antibody strings, Technical Report CS-94-07, The University of New Mexico, Albuquerque, NM (1994) 30. D’haeseleer, P., Forrest, S., Helman, P.: An immunological approach to change detection: algorithms, analysis and implications. In: McHugh, J., Dinolt, G. (eds.) Proceedings of the 1996 IEEE Symposium on Computer Security and Privacy, USA, pp. 110–119. IEEE Press, Los Alamitos (1996) 31. D’haeseleer, P.: Further efficient algorithms for generating antibody strings, Technical Report CS95-3, The University of New Mexico, Albuquerque, NM (1995) nokLINK: A New Solution for Enterprise Security Francesco Pedersoli and Massimiliano Cristiano Spin Networks Italia, Via Bernardino Telesio 14, 00195 Roma, Italy {fpedersoli,mcristiano}@spinnetworks.com Abstract. The product nokLINK is a communication protocol carrier which transports data with greater efficiency and vastly greater security by encrypting, compressing and routing information between two or more end-points. nokLINK creates a virtual, “dark” application (port) specific tunnel which ensures protection of end-points by removing their exposure to the Internet. By removing the exposure of both end-points (Client and Server) to the Internet and LAN, you remove the ability for someone or something to attack either end-point. If both endpoint have not entry point, attack becomes extremely, if not impossible to succeed. nokLINK is Operating System independent and the protection level is applied starting from the application itself: advanced anti-reverse engineering technique are used, a full executable encryption and also the space memory used by nokLINK is encrypted. The MASTER-DNS like structure permit to be very resistant also to Denial of Service attack and the solution management is completely decoupled by the Admin or root rights: only nokLINK Administrator can access to security configuration parameters. 1 Overview The inherent makeup of nokLINK implies two purposes. The first is the name of a communications protocol that has the potential to work with or without TCP/IP. This protocol includes everything needed to encrypt, route, resolve names, and ensure the delivery of upper layer packets. The protocol itself is independent of any particular operating system. It has the potential of running on any OS or even be included in any hardware solutions as firmware. The second is “nokLINK The Product, a communication protocol carrier which transports data with greater efficiency and vastly greater security by encrypting, compressing and routing information between two or more end-points. nokLINK creates a virtual “dark” application [port] specific tunnel, which ensures protection of endpoints by removing their exposure to the Internet. By removing the exposure of both end-points to the internet and LAN, you remove the ability for someone or something to attack either end-point. If both end-point have not entry point, attack becomes extremely, if not impossible to succeed. If it can’t been seen, it can’t be attacked. In most scenarios, if you block inbound access to an end-point, then you loose the ability to communicate with that device, but with nokLINK any permitted application can communicate in a bi-directional (2-way) manner but contrary to typical communication, without exposing those applications to not-authorized devices. The result is increased security plus improved availability without inheriting security threats. E. Corchado et al. (Eds.): CISIS 2008, ASC 53, pp. 301–308, 2009. © Springer-Verlag Berlin Heidelberg 2009 springerlink.com 302 F. Pedersoli and M. Cristiano nokLINK works similar to DNS by receiving client requests and resolving to a server but in addition to routing requests, nokLINK provides strong authentication. nokLINK provides this “DNS” like functionality without exposing in-bound connections to the internet through the use of an intermediate “Master Broker”. Communication routing is not possible without the nokLINK Master Broker authorizing each device’s permission. Once permission is granted, client and server can communicate via the Master without interruption. Conceptually, the nokLINK master is a smart router with built in encryption and authentication. If a system like nokLINK can be deployed without exposing both client and server end-point to inbound requests, then a device firewall can be used to ensure both endpoints are protected from potential intrusions. nokLINK includes a software firewall with equivalent to or better security than that of a hardware-based firewall to protect each machine from any other device. An increasing threat in corporate systems is LAN based attacks which are typically much harder to stop without losing productivity. By implementing nokLINK and the nokLINK firewall, an organization can maintain even higher levels of availability without exposure to attacks. Almost all systems today relay on Internet Protocol (IP) to communicate but even on the same LAN. nokLINK removes the dependency on Internet Protocol (to date IP is still utilized, but simply for convenience). In fact, nokLINK allows for the elimination of virtually all of the complex private communications lines, IP router configuration, and management. Given that it is protocol-independent, it means that almost any IP-based communication can benefit from the secure tunneling that nokLINK provide. nokLINK can be used for many IP-based applications. 2 Architecture There are four nokLINK components which make up the nokLINK architecture. A single device may contain: just the client, client + server, the master or master + authenticator in a single installation. 1. NOKLINK CLIENT: The nokLINK client is the component that allows a computer to access applications [ports] on another device with the nokLINK server component. This client component is part of all nokLINK installs in the form of an “Installation ID”. The Installation ID is associated with this component. The client itself may be context-less; this means that the nokLINK may have permission to connect to any server in any context (given proper permission configuration) without having to reinstall any software. In other words, any client could connect to http://company.vsx and http://other.vsx just by typing in the address in the browser. 2. NOKLINK SERVER: The nokLINK server component is the component that allows nokLINK clients to connect to local applications based on a vsx name. For instance, if a web server needed securing, a nokLINK server would be installed on the web server; then anyone with a nokLINK client and permission could access that server from anywhere in the world by its vsx name, i.e. http://company.vsx. The server and client together are the components that create the tunnel. No other component can “see” into the transmission tunnel of any other real time pair of communicating server and client. The encryption system used between client and nokLINK: A New Solution for Enterprise Security 303 server ensures that only the intended recipient has the ability to un-package the communication and read the data, this includes the master component. 3. NOKLINK MASTERCOMPONENT: The Master components has two main purposes: authenticating devices and routing communications. While the Master is responsible for routing communications between end points, it is not part of the communication tunnel and therefore cannot read data between them. This ensure that endpoint to endpoint security is always maintained. 4. NOKLINK MASTER AUTHENTICATOR (NA): The nokLINK Master Authenticator (NA) is the console for setting authentication and access rights for each nokLINK enabled device within each nokLINK vsx context. A web interface provides administrators a system to control nokLINK’s transport security via nokLINK names, nokLINK domains and nokLINK sub-domains. For example an administrator can allow a machine called webserver.sales.company.vsx to communicate only to xxx.sales.company.vsx or xxx.company.vsx or one specific nokLINK machine. Administrators can manage device security settings in a global manner or in a very specific manner depending on the companies objectives. Besides other main functions are: 1. nokLINK Communication Interceptor: The component that provides seamless use of nokLINK for the client and server is a “Shim” which intercepts .vsx communication and routes the requests to the nokLINK master. The nokLINK shim intercepts, compresses, encrypts and routes data including attaching the routing information required for the master to deliver. The data is wrapped by the nokLINK protocol, essentially transforming it from the original protocol to the nokLINK protocol. By wrapping nokLINK around the original protocol you can further ensure the privacy of the data and the privacy of the protocol in use. Packet inspection systems used to filter and block specific protocols are ineffective in identifying protocols secured by nokLINK. Upon arrival of the data at the endpoint, nokLINK unpacks the communication back to the original protocol and reintroduces the data to the local IP stack to ensure the data is presented transparently to the upper level applications. As a result, nokLINK can be introduced to virtually any application seamlessly. 2. Device Authorization: The node authorization and rules configuration is managed at the nokLINK Authenticator. The Master authenticates, thus it dictates which client can be a part of a specific nokLINK context. During install, a unique “DNA” signature (like TPM via software) is created along with a .vsx name which is registered with the nokLINK Authenticator (NA). The nokLINK device identifies itself to the Master and registers its name upon installation. The Master determines the authenticity of inquiring nokLINK device and its right to conduct the requested activity. When access is requested for a specific machine, the master authenticates the machine but does not interfere with authentication for the application in use. The Master is like a hall monitor; i.e. it does not know what the person will do in any particular room he has permission to visit but has full control of who can get to what room. 304 F. Pedersoli and M. Cristiano 3 Features and Functionality nokLINK provides many features and functionality depending on implementation, objectives and configuration including: • Secure communication protocol able to encrypting, compressing and routing information between end-points. • Virtual “Dark” network that ensures protection of end-points removing exposure to the Internet. • Seamless access to services from network to network without re-configuration of firewalls or IP addresses. • Communication between systems without those systems being visible to Internet. • Low level software firewall. • Protocol independent, which means that any communication can be secured. Most extra-net connectivity products today offer connectivity for clients to a LAN from within a LAN or from the internet. A simple client is installed on the users’ PC; this allows users access to the corporate network. Unfortunately this access is also available to anybody else who knows a user’s name and has time and/or the patience to guess passwords. nokLINK functions differently than a VPN. nokLINK is not network specific and does not attach clients to foreign networks. nokLINK install client software that identifies each PC individually and provide remote access to applications instead of remote access to VPNs. This, coupled with the nokLINK authenticator, ensures the identification of any device containing nokLINK attempting to get at company data. For further security, nokLINK opens only individual, user configured ports to individual nodes, thus protecting other assets to which access is not permitted from outside PCs. End-point to end-point security starts with the PC identification. At installation the nokLINK client creates a unique DNA signature based on many variables including hardware characteristics of the PC and time of installation. Every instance of nokLINK is unique regardless of the operating environment to further eliminate the possibility of spoofing. When communication is initiated, the nokLINK server receive a noklink name terminating in .vsx. This naming scheme is identical to DNS naming schemes. The difference is that only nokLINK clients understand .vsx extension. This name is used instead of standard DNS names when accessing nokLINK servers. For instance, if a web server is being protected by nokLINK than the nokLINK enabled end user would type http://webserver.mycomp.vsx into their browser. The nokKERNEL take the request, encrypts the information and sends it out to one or more nokLINK Master. This allow a workstation to communicate with a server without either of them being visible on the Internet, as it is shown in the Fig. 1. 4 Security Elements nokLINK is a multi-layered monolithic security solution. Using various techniques, it encloses everything needed to secure communications between any two nokLINK nokLINK: A New Solution for Enterprise Security 305 enabled nodes, using various techniques to do this. It impacts three different security areas: Encryption Security, Transport Security, End Point Security. 4.1 Encryption Security The strength of public algorithms is well-known. nokLINK uses state of the art encryption algorithm, but goes further than just the single level of encryption. The information traded between systems is not the actual key or algorithm. It is simply synchronization information which only the two end points understand, that is the equivalent of one end node telling the other “Use RNG (Random Number Generators) four to decode this message.” The strength of nokLINK’s encryption is based on a family of new Random Number Generators This RNG family is based on years of research in this area. The nokLINK encryption system encrypts three times before sending out the packet: once for the actual data going out, once for the packet header and finally both together. The upper-layer data is encrypted with a synchronization key. The key is not an actual key, it contains information for the system to synchronize the RNGs on the end points. This way the system stays as secure, but with much less overhead. The only two nodes that understand this encrypted data are the client and the server. The intermediate machines do not and cannot open this section of the packet. Fig. 1. 4.2 Transport Security This layer of security is an extra layer of security in comparison with other security solutions. It deals with permissions for communications and the dynamic format of the nokLINK packets and it is composed by: • TRAFFIC CONTROLLER: nokLINK affords a new control that eliminates this type of attack. While maintaining all the encryption security of other products, nokLINK includes controls to mandate which nodes can communicate with which 306 F. Pedersoli and M. Cristiano other nodes. The basic requirement is to get a hold of a particular nokLINK client using the same nokLINK context. Each nokLINK context uses a different family of encryption RNG’s and cannot be used to communicate with another context. Without that nokLINK client, the nokLINK server remains invisible to potential intruders, as it is shown in Fig. 2. In the nokLINK vsx name environment the attacker can’t see the server to attack because the name is sent to a DNS server for resolution. This makes it extremely difficult, if not impossible to break into a nokLINK server, while leaving it completely accessible to those who need it. In a nokLINK environment the nodes are identified uniquely. The master server uses this particular ID to determine which nodes are permitted to communicate with which servers; all controlled by the end user. In the unlikely event that someone comes up with a super crack in the next ten years that can read nokLINK packets, they still will not be able to communicate directly with another nokLINK node because of this level of security, as it is shown in Fig.3. Here you see users accessing exactly those services and applications they are allowed to access. There is redundancy in the security. A PC must have a nokLINK v2 client installed and permission must have been granted between the client and the server in the nokLINK Master Authenticator. Each PC generates an exclusive unique identifier at install time. The system recognizes this ID and uses it for control, i.e. nokLINK Client ID 456 can communicate with nokLINK Server ID 222. If the hard drive is removed from the PC, or is attempted to be cloned, it is likely that the ID will be corrupted because of the change of hardware. If not, as soon as one of the PCs [cloned or original] connects, all the device with the same ID [whether the original and/or cloned] will stop communicating, as the system will allow only one PC with a specific ID to operate in the nokLINK environment. • Dynamic Packet Format: the format of the nokLINK protocol is dynamic. The location of “header” information changes from packet to packet. The implication is that, in the unlikely event that a packet is broken, it will be absolutely useless to attempt to replicate it in efforts of breaking other packets. Entirely new efforts will have to be put forth to break a second and a third and a forth (and so on) packet. With other protocols, the header information is always in the same spot, making it easy to sniff, analyze and manipulate data. 4.3 End Point Security Another enhancement, and probably the most significant compared to other security solutions, is nokLINK’s end point security. A significant effort of this security is based on anti-reverse engineering techniques. There are many facets to anti-reverse engineering including: • • • • • All code in memory is encrypted. Each time the code passes from ring 0 to ring 3 it is encrypted to avoid monitoring. Each executable is generated individually. A unique identifier is generated at install time for each node. Protection versus cloning - if someone successfully clones it will stop working, thus alerting the system administrator of a problem. nokLINK: A New Solution for Enterprise Security 307 • There are certain features embedded in the software to allow it to detect the presence of debugging software. Once detected, nokLINK takes steps to avoid being hacked into. Fig. 2. Fig. 3. 4.4 nokLINK Firewall The nokLINK firewall is a low level firewall which blocks incoming and outgoing packets to and from the Network Interface Card (NIC). This would normally block all communications in and out of the PC. nokLINK still manages to communicate via standard ports to other vsx nodes through the permanent inclusion of an outgoing connection exception from port 14015 (the default nokLINK tunneling port). Any vsx name presented to the TCP/IP stack is treated well before it reaches the Internet card. 308 F. Pedersoli and M. Cristiano Once the system recognizes the vsx name, it diverts the packet to nokLINK. nokLINK encrypts and encapsulates the packet sending it out via port 14015, to the nokLINK Master. In this way, any applications utilizing the vsx name can communicate from “behind” the nokLINK firewall. The following graphic shows the internal configuration of a PC. This machine would be able to open a browser and access a site using a vsx name (i.e http://webserver.noklink.vsx). It would not be able to access a site without a vsx name. In addition to nokLINK traffic, this machine would only be capable of SMTP traffic for outgoing mail and POP3 for incoming mail, as it is shown in Fig. 4. Fig. 4. References 1. Gleeson, B., Lin, A., Heinane, J., Armitage, G., Malis, A.: A Framework for IP based Virtual Private Networks. Internet Engineering Task Force, RFC 2764 (2000) 2. Herrero, Á., Corchado, E., Gastaldo, P., Leoncini, D., Picasso, F., Zunino, R.: Intrusion Detection at Packet Level by Unsupervised Architectures. In: Yin, H., Tino, P., Corchado, E., Byrne, W., Yao, X. (eds.) IDEAL 2007. LNCS, vol. 4881, pp. 718–727. Springer, Heidelberg (2007) 3. Kaufman, C., Perlman, R., Speciner, M.: Network Security: Private Communication in a Public World, 2nd edn. Prentice Hall, Englewood Cliffs (2002) SLA and LAC: New Solutions for Security Monitoring in the Enterprise Bruno Giacometti IFINET s.r.l., Via XX Settembre 12, 37129 Verona, Italy [email protected] Abstract. SLA and LAC are the solutions developed by IFInet to better analyze firewalls logs and monitor network accesses respectively. SLA collects the logs generated by several firewalls and consolidates them; by means of SLA all the logs are analyzed, catalogued and related based on rules and algorithms defined by IFInet. LAC allows IFInet to identify and isolate devices that access to a LAN in an unauthorized manner, its operation is totally non-intrusive and its installation does not require any change neither to the structure of the network nor to single hosts that compose it. 1 Overview As of today most organizations use firewalls and monitor their networks. The ability to screening firewall logs to determine suspicious traffic is the key to an efficient utilization of firewall and IDS/IPS systems. Anyway this is a difficult task, particularly if there is the need to analyze a great amount of log. SLA is IFInet approach to solve this problem. In the same way it’s fundamental to monitor internal networks, but monitoring alone is not sufficient: it’s necessary a proactive control on internal networks to prevent unauthorized accesses. 2 SLA: Security Log Analyzer In order to make more effective monitoring firewalls activities log, IFInet has created a proprietary application, called Security Log Analyzer (SLA), which collects the logs generated by firewalls and consolidates them into a SQL database. With this application all the logs are analysed, catalogued and related based on rules and algorithms defined by IFInet to identify the greatest possible number of types of traffic. SLA points out to technicians any anomaly or suspicious activity detected and automatically recognizes and catalos most traffic (about 90%) detected by the firewall, allowing the technical staff of IFInet to focus on analysis and correlation of the remaining logs. Through the use of SLA, control of perimeter security system is done by analyzing data relating to traffic, used ports and services and also through a great variety of charts that allow IFInet technicians to monitor security events through the analysis of traffic in a given timeframe, the comparison with the volume of traffic on a significant period of reference (egg the previous month) and detection of possible anomalies. The chart in Fig. 1, for example, highlights the outgoing traffic, divided by service. E. Corchado et al. (Eds.): CISIS 2008, ASC 53, pp. 309–315, 2009. © Springer-Verlag Berlin Heidelberg 2009 springerlink.com 310 B. Giacometti Fig. 1. The outgoing traffic, divided by service SLA shall record in a Black List all IP addresses that are running illegal or potentially intrusive activities, on the basis of the rules implemented by the IFInet technicians: from the moment an IP address is added to the Black List, any successive activity is detected in real time by IFInet technicians that analyze the event and take immediate actions. With the use of SLA, IFInet technicians can do extremely detailed queries on the database logs and have the ability to view in real-time only logs relating to events that have a critical relevance and represent, therefore, a danger to the integrity of Customer networks and systems. In Fig. 2 is listed how for a customer SLA highlights many IP scans to its network and, in particular, indicates that part of this potentially intrusive activity passed through the firewall, taking advantage of traffic permitted by security policies. I.e. thanks to the highlighted event the technical staff is able to instantly detect if a particular external address, which previously made a host scan system (and incorporated in the Blacklist by SLA), has managed to cross the perimeter security system through a port and achieve a system (e.g. Web server) within the network of Customer. Selecting the event of interest, (line highlighted in red rectangle), the technician can see the detail of abnormal activity. SLA reports the number of Host Scan attempts to the public IP addresses assigned to a particular customer: as a further example we can see a Host Scan made towards a range of 18 addresses. The technician, selecting the relevant line, can analyze the details of this anomalous activity and, for example, define that Host Scan is caused by the Sesser worm, present on the 151.8.35.67. By means of SLA all intrusive events or events that otherwise may pose a danger to the integrity of the customer's network are promptly notified by email (or telephone). SLA and LAC: New Solutions for Security Monitoring in the Enterprise 311 Fig. 2. Example of SLA report This service provides a constant and effective control of all events recorded by the firewall and allows for a timely intervention in case of critical events. 3 LAC: LAN Access Control LAC - LAN Access Control - is the solution that allows IFInet to identify and isolate devices (PC and other network equipment) that access to a LAN in an unauthorized manner. Unlike many systems currently on the market, the operation of LAC is totally nonintrusive and its installation does not require any amendment neither to the structure of the network nor to single hosts that compose it. LAC therefore prevents unauthorized devices to access the corporate network. Access is allowed only after certification by an authorized user (egg network administrator). LAC can operate in two modes: active and passive. In passive mode (the default) all the hosts on the network segment in which LAC is connected are detected. In active mode the hosts that are unauthorised are virtually isolated from the corporate network. LAC therefore enforces the following rules: • The organization host and equipment are allowed to use the network without any kind of limitation; • Guests are allowed to access the network after authorization but only for a limited amount of time and using certain services (e.g. Internet navigation and e-mail); • All other hosts should not be able to connect because they are not authorized. Finally LAC has the following key aspects: 312 B. Giacometti • Safety: identifies and isolates devices (PC and other network equipment) that access to a LAN in an unauthorized manner • Ease of management: LAC act entirely non-intrusive and does not require any changes nor the structure of the network or to individual host that make up the network itself • Guests users management: total control on how and what guests are allowed to do • Important features: census of the nodes of one or more networks LAN / WLAN or wireless, isolation of unauthorised host, control of professional services, reporting tools and alerting Main features of LAC are: 1. Census of the LAN nodes. When LAC runs in passive mode, it records al hosts detected on the network in a database. In particular, keeps track of hosts IP addresses and MAC. In order to detect all the host it is necessary that LAC keeps on running for a variable amount of time, depending on how often hosts access the network. An example of this detection is shown in Fig. 3. 2. Isolation host unauthorized. Used in active mode, LAC performs a virtual isolation of all not authorized hosts: once isolated, a host can no longer send / receive data to any other host except LAC. 3. Host detection. One interesting piece of information about a detected host is its physical location within the organization. LAC detects the switch port to which the unauthorized host is physically connected. This feature works only if in the network switches that support the SNMP are in use. In fact, all the network switches (included in LAC configuration) are interrogated using special SNMP query. 4. Managing guest users. Usually an organization is often visited by external staffs that require a network connection to their notebook and to use certain services (i.e. Internet navigation and e-mail). In the case of network access without any authorization, LAC detects the new host and considers it unauthorized from the network. The guest, however, if in possession of appropriate credentials (e.g. Supplied by staff at the reception) can authenticate to unlock the pc and use the services enabled. When proceeding with a new host registration, you can ask LAC to generate a new user (or to edit an existing one), to generate access credentials (username and password) and set the time of their validity. Using this information the staff, through a specific web interface, can enable or unlock the desired location. Guests only connect their pc to the network, browse to the LAC web page and insert the provided credentials. As optional feature, the system administrator can choose from a list the protocols that the host can use once authenticated. This makes it possible to limit the resources available to the network and thus have effective control over allowed activities. 5. Reports. LAC provides a series of reports that allow the administrator to analyze, also with graphs, network access data, based on several criteria: i.e. MAC address, IP address, usernames, denied accesses, enabled accesses, average duration of accesses, etc. 6. Alerting. LAC records in a database all the collected events and it is able to send all the information (necessary to control access to the network) to the network administrator via email, SMS or administrative GUI, as it is shown in Fig. 4. SLA and LAC: New Solutions for Security Monitoring in the Enterprise 313 Fig. 3. Census of the LAN nodes 3.1 Sure to Be Safe? The organisations with an information system, whether public or private, have certainly network infrastructure that enables the exchange of information and teamwork. The corporate network is realized in most cases according to the Ethernet standard, which combines speed and reliability with very limited cost. It’s very easy, in fact, to attach a device to an Ethernet network. For the same reasons, however, this network is exposed to a kind of "violation" very common, definable "physical intrusion" and this can be through a spare RJ45 plug, a network cable from a detached device, a switch or hub port, etc. If an attacker hooks his laptop to an access point in an Ethernet network, the PC becomes part of the network and can therefore access to resources and even to compromise the data security and corporate information. It becomes therefore extremely important to recognise immediately the moment when an unauthorized host access to the network, preventing use the resources of the network itself. At the same time it is important to ensure the normal operation of the network to all allowed hosts: i.e. a commercial agent or an external consultant ("guest" user), who have the need to connect your notebook to the network to use its resources. 3.2 LAC Architecture LAC takes care of, therefore, ensuring compliance with the rules of network access and protecting the integrity and safety of corporate data. LAC is a software solution that consists of a set of applications running on a Linux-based system, composed of the following elements: Web administration interface, Core program (LAC), Database for users management, Database for information 314 B. Giacometti Fig. 4. Alerting recovery, appliance equipped with 3 / 6 interfaces to manage up to 3 / 6 LAN / VLAN (optional). 3.3 LAC Operational Modes LAC can operate in two modes: active and passive. In passive mode (the default) are all the hosts on the network segment to which LAC is connected are detected. In active mode, however, the unauthorised hosts are virtually isolated from the network. Each node on the network can be in one of the following status: unauthorized, authorized, approved by authentication, address mismatch. In the unauthorized status, a host is virtually isolated from the network. This prevents the host from transmitting and receiving data. In the authorized status a host suffers no treatment by LAC and its operation is normal. A user, who uses an unauthorized host, may authenticate to LAC; if successful, it revokes the status of non-authorisation and provides a status of authorization for a limited amount of time. This status is called "authorized with authentication". When the authorization time expires, the host reverts to the unauthorized access status. LAC is able to detect changes in the IP address of a host and addresses the potential anomaly assigning the address mismatch status to that host. The management of status and time validity of users is entrusted with LAC, which is responsible for allocating status to host and change the status of a host at any times. The credentials to authenticate a user (in case the administrator should unlock a client enabling its access to the network) are generated from the LAC on behalf of the Administrator. SLA and LAC: New Solutions for Security Monitoring in the Enterprise 315 3.4 LAC Requirements Below are listed briefly the requirements for the operation of LAC: • Ethernet Network • Protocol network IP version 4 • A network access for the LAC on segment network (LAN or VLAN) to monitor/control 4 Conclusion We have analyzed how a network can be proactively protected and the results have been used to implement SLA and LAC. With SLA and LAC it is possible to identify and block suspicious and potentially dangerous network traffic. Future development of SLA will focus on two major area: real time analysis of monitored device in order to identify suspicious traffic as soon as it enters the perimeter and correlation of firewalls log with logs originated from other security devices, i.e. antivirus. Also LAC will correlate information from Ethernet network with information from other devices, i.e. 802.1x switches or network scanner in order to enforce a finer grained control on the network. References 1. Abad, C., Taylor, J., Sengul, C., Yurcik, W., Zhou, Y., Rowe, K.: Log correlation for intrusion detection: a proof of concept. In: Proc. 19th Annual Computer Security Applications Conference, pp. 255–264. IEEE Press, New York (2003) 2. Cuppens, F., Miege, A.: Alert correlation in a cooperative intrusion detection framework. In: Proc. 2002 IEEE Symposium on Security and Privacy, pp. 202–215. IEEE Press, New York (2002) 3. Debar, H., Wespi, A.: Aggregation and Correlation of Intrusion-Detection Alerts. In: Proc. 4th Int. Symp. Recent Advances in Intrusion Detection, RAID 2001, pp. 85–103. Springer, Berlin (2001) 4. Corchado, E., Herrero, A., Sáiz, J.M.: Detecting compounded anomalous SNMP situations using cooperative unsupervised pattern recognition. In: Duch, W., Kacprzyk, J., Oja, E., Zadrożny, S. (eds.) ICANN 2005. LNCS, vol. 3697, pp. 905–910. Springer, Heidelberg (2005) 5. Herrero, A., Corchado, E., Gastaldo, P., Zunino, R.: A comparison of neural projection techniques applied to Intrusion Detection Systems. In: Sandoval, F., Gonzalez Prieto, A., Cabestany, J., Graña, M. (eds.) IWANN 2007. LNCS, vol. 4507, pp. 1138–1146. Springer, Heidelberg (2007) 6. Ridella, S., Rovetta, S., Zunino, R.: Circular back-propagation networks for classification. IEEE Trans. on Neural Networks 8, 84–97 (1997) Author Index Agarwal, Suneeta 219, 251 Aiello, Maurizio 170 Alshammari, Riyad 203 Appiani, Enrico 43 Faggioni, Osvaldo 100 Ferri, Sara 11 Flammini, Francesco 92 Forte, Dario V. 27 Baiocchi, Andrea 131, 178 Banasik, Arkadiusz 274 Banković, Zorana 147 Ben-Neji, Nizar 211 Bengherabi, Messaoud 243 Bojanić, Slobodan 147 Booker, Queen E. 19 Bouhoula, Adel 123, 211 Bovino, Fabio Antonio 280 Briola, Daniela 108 Bui, The Duy 266 Buslacchi, Giuseppe 43 Gabellone, Amleto 100 Gaglione, Andrea 92 Gamassi, M. 227 Gastaldo, Paolo 61 Giacometti, Bruno 309 Giuffrida, Valerio 11 Golledge, Ian 195 Gopych, Petro 258 Guazzoni, Carlo 1 Guessoum, Abderrazak 243 Gupta, Rahul 219 Caccia, Riccardo 108 Cavallini, Angelo 27 Chatzis, Nikolaos 186 Cheriet, Mohamed 243 Chiarella, Davide 170 Cignini, Lorenzo 131 Cimato, S. 227 Cislaghi, Mauro 11 Corchado, Emilio 155 Cristiano, Massimiliano 301 De Domenico, Andrea Decherchi, Sergio 61 DeJiao, Niu 294 Domı́nguez, E. 139 116 Eleftherakis, George 11 Eliades, Demetrios G. 69 Harizi, Farid 243 Herrero, Álvaro 155 Hussain, Aini 235 Jonsson, Erland 84 Kapczyński, Adrian 274 Kollias, Stefanos 286 Larson, Ulf E. 84 Le, Thi Hoi 266 Leoncini, Davide 100 Lieto, Giuseppe 163 Lioy, Antonio 77 Losio, Luca 27 Luque, R.M. 139 Maggiani, Paolo 100 Maiolini, Gianluca 131, 178 Martelli, Maurizio 108 318 Author Index Maruti, Cristiano 27 Mascardi, Viviana 108 Matsumoto, Soutaro 123 Mazzaron, Paolo 116 Mazzilli, Roberto 11 Mazzino, Nadia 116 Mazzocca, Nicola 92 Meda, Ermete 116 Mezai, Lamia 243 Milani, Carlo 108 Mohier, Francois 11 Molina, Giacomo 178 Moscato, Vincenzo 92 Motta, Lorenzo 116 Muñoz, J. 139 Negroni, Elisa 11 Neri, F. 35 Nieto-Taladriz, Octavio Nilsson, Dennis K. 84 Ntalianis, Klimis 286 147 Orlandi, Thomas 27 Orsini, Fabio 163 Pagano, Genoveffa 163 Palomo, E.J. 139 Papaleo, Gianluca 170 Pedersoli, Francesco 301 Pettoni, M. 35 Picasso, Francesco 84, 116 Piuri, V. 227 Polycarpou, Marios M. 69 Popescu-Zeletin, Radu 186 Pragliola, Concetta 92 Ramli, Dzati Athiar 235 Ramunno, Gianluca 77 Redi, Judith 61 Rizzi, Antonello 178 Ronsivalle, Gaetano Bruno 1 Sachenko, Anatoly 274 Samad, Salina Abdul 235 Sassi, R. 227 Scotti, F. 227 ShiGuang, Ju 294 Soldani, Maurizio 100 Tamponi, Aldo 116 Tao, Cai 294 Tzouveli, Paraskevi 286 Verma, Manish 251 Vernizzi, Davide 77 Vrusias, Bogdan 195 Wei, Zhong 294 Zambelli, Michele 27 Zanasi, Alessandro 53 Zincir-Heywood, A. Nur Zunino, Rodolfo 61 203