[IEEE 2009 Eighth IEEE/ACIS International Conference on Computer and Information Science - Shanghai,...


Object-oriented Case Representation and Its Application in IDS

Qian Quan, Zhang Rui, Che Hong-Yi School of Computer Engineering and Science, Shanghai University, Shanghai, China

[email protected]

Abstract

Case representation is a key issue in case-based reasoning (CBR). This paper introduces a novel object-oriented model to represent cases and applies this technology to intrusion detection systems (IDS) in order to solve the over-sensitive alarm problem that remains in most commercial IDSs. In this model we represent the complex structural information of a case through a class hierarchy. The new method not only overcomes the limitation that traditional attribute-value case representation cannot represent complex cases, but also combines domain knowledge with case representation through constraint rules. For case similarity, we divide the measure into two categories, the intra-class similarity and the inter-class similarity, which is more accurate and convenient. The object-oriented case representation has been used in our own IDS product, where it plays an efficient role in mitigating over-sensitive alarm problems.

Keywords: Case-based Reasoning, Object-oriented case representation, Intrusion detection

1. Introduction

Case-based reasoning (CBR), a similarity-based reasoning technology in artificial intelligence, grew up in the late 1980s; the core of CBR is to utilize past cases or experiences to solve new problems. It differs from traditional reasoning technology in three ways: ① CBR uses only the significant features of cases, not an explicit domain model; ② CBR has high solving performance and eases knowledge acquisition; ③ CBR has a self-learning ability, obtained by inserting new cases and maintaining a dynamic case base [1,2]. CBR problem solving is an R4 procedure, that is case retrieving, case reusing, case revising and case retaining [3,4,5].

Among these steps, the way the cases are represented is one of the most important factors. Traditionally, a case is represented in attribute-value style. It is simple and suitable for describing problems that have poor domain knowledge. [6] linked case reasoning to a psychological memory model, then proposed a case representation mode based on a semantic memory net. [7] proposed a representation mode based on a knowledge hierarchy, but gave no further details. Meanwhile, object-oriented (OO) technology is widely accepted in programming languages. The advantageous features of OO include modularization, encapsulation, code sharing, flexibility and maintainability, so OO technology is also widely used for knowledge representation in expert systems. This paper adopts the object-oriented model to represent cases and lets the restriction rules and hierarchy structure carry the domain knowledge. For case retrieving, the measurement of similarity among cases is the key point of CBR. This paper also puts forward a new way to analyze and obtain the similarity from the viewpoint of object-oriented representation.

As for IDS, it is a supplementary measure to traditional security countermeasures (such as firewalls); it has received much attention from researchers and more and more commercial IDSs have emerged. But, from a practical point of view, almost every kind of IDS suffers from over-sensitive alarming and a high rate of false alarms. It is reported that nearly 99% of alarms are false positives [8][9][10]. K. Julisch selected the top 16 different IDS products working in different network environments (Intranet, DMZ, Extranet and Internet) and collected their monthly average alarm counts in the wild for one year. The result was a maximum of 668,154, a minimum of 20,178 and an average of 186,244, nearly one alarm every 14 seconds [11]. Such a high alarm rate submerges the real attacks and restricts the practical use of IDSs. Handling these alarms manually is time-consuming and may cause more mistakes.

K. Julisch has made use of data mining to analyze the alarm data [11]. Meanwhile, H. Debar has turned to aggregation and correlation algorithms to discover the relations among the alert data and tried to reduce the false positive rate [12]. Nowadays there are many analyzers and identification tools that handle the alarm information automatically, but the results are not so satisfactory [12][13][14].

2009 Eighth IEEE/ACIS International Conference on Computer and Information Science

978-0-7695-3641-5/09 $25.00 © 2009 IEEE

DOI 10.1109/ICIS.2009.186


This paper represents cases in an object-oriented way, addresses how we obtain the similarities among cases, and shows how to apply this technology to represent real IDS alarm data. The paper is organized as follows: part 2 gives the object-oriented model for specifying cases; part 3 introduces the similarity measurement; part 4 is the IDS application and the analysis of experimental results; part 5 summarizes the whole paper.

2. Definition of Class and Object

Class and object are the two key concepts of object-oriented technology. A class is a general abstraction of a group of similar objects. It gathers the common features of the group (operation features and storage features), so that we can describe the nature of this group of objects. A class is a template for creating objects and can be defined by a 4-tuple expression:

$$CLASS ::= \langle ID, DD, OP, INT \rangle$$

where ID is the identification of the class; DD is the data structure description; OP is the concrete implementation of operations, i.e., the method set; and INT is the unified external interface. The advantage of this kind of class and object structure is that it can hide the inner implementation details.

In CBR, the structural information is described through an information hierarchy, built in the order object, object class, class hierarchy. Furthermore, this hierarchy information also implies the similarities among the objects.

2.1 Class Definition

The class definition in BNF form is as follows:
__________________________________________
CLASS ::= CLASS <CLASS NAME> <PARENT CLASS> <ATTRIBUTE> <RESTRICTION RULE> <METHOD> END
CLASS NAME ::= <STRING>
PARENT CLASS ::= EXTEND <NAME>
ATTRIBUTE ::= SimpleAttr <SIMPLE ATTRIBUTE> ComplexAttr <COMPLEX ATTRIBUTE> END
SIMPLE ATTRIBUTE ::= {[<ATTRIBUTE NAME>:<TYPE>, <INITIAL WEIGHT>]}n
ATTRIBUTE NAME ::= <STRING>
TYPE ::= <STRING>
INITIAL WEIGHT ::= <REAL VALUE>
COMPLEX ATTRIBUTE ::= <ATTRIBUTE NAME>: CLASS <NAME>
RESTRICTION RULE ::= RULE <RULE NAME> <RULE BODY> END
RULE NAME ::= <STRING>
RULE BODY ::= IF <CAUSE> THEN <EFFECT> END
CAUSE ::= {(<CAUSE ATTRIBUTE> <OPERATOR> <VALUE> AND/OR <CAUSE ATTRIBUTE> <OPERATOR> <VALUE>)}n
CAUSE ATTRIBUTE ::= <STRING>
OPERATOR ::= < | > | = | >= | <= | !=
METHOD ::= METHOD <METHOD NAME> <PARAMETER> <METHOD BODY> END
METHOD NAME ::= <STRING>
PARAMETER ::= <STRING>
METHOD BODY ::= <STRING>
__________________________________________

The definition of a class includes the class name, its parent class, the attribute set, the restrictions on these attributes and the operation methods of the class. The attributes are divided into simple ones and complex ones. Simple attributes are atomic attributes represented in attribute-value form, while complex attributes, represented by instances of a class, can be further divided into smaller items to express more complex knowledge about the case's attributes.

Because there is abundant domain knowledge in CBR, some of it is held in the hierarchy structure while the rest can be represented by attribute restriction rules. The restriction rules are expressed as production knowledge composed of a rule name and a rule body. The rule body includes the rule cause and the rule effect; the cause is in quadruplet form. The rules can be viewed as special methods of a class. They can be inherited from the parent class, so we do not need to define the rules for every class individually, which makes maintenance easier. The resolution policy for rule conflicts is to activate the child class restriction rules first, then those of the parent class. We adopt this policy because the child class may introduce new attributes and is more practical and detailed with respect to actual problems, while the parent class is more abstract. Assigning higher priority to the child class rules therefore expresses the domain knowledge more accurately.

For example, supposing the parent class is IDS-Message, a class Alert-Message can be defined as follows:

CLASS Alert-Message EXTEND IDS-Message
    SimpleAttr Identification: String, 0.1;
    ComplexAttr Location: CLASS LOCATION;
END

2.2 Object Definition

A class is the abstract template of an object, while an object is an instance of a class. An object can be defined as follows:

Object ::= OBJECT <Object Name> FROM CLASS <Class Name>
Object Name ::= <String>
Class Name ::= <String>

For example, if alert message A is an instance of class Alert-Message, message A can be described as:

OBJECT A-Message FROM CLASS Alert-Message.
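The class and object definitions of Sections 2.1 and 2.2, and the child-first rule priority of Section 2.1, as an added example in Python (this is not code from the paper or from the Net Detector product). It follows the paper's IDS-Message / Alert-Message example; the rule contents, the att_impact attribute, the LOCATION class and all attribute values are constructed here, and the choice that a child rule with the same name as a parent rule shadows it is an assumption, since the paper only states that child rules are activated first.

```python
# Added example (not from the paper): an in-memory model of CLASS / OBJECT
# with simple and complex attributes and inherited restriction rules that are
# evaluated child-class-first. Class names follow the paper's example; rule
# bodies, the att_impact attribute and the LOCATION class are constructed.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class SimpleAttr:
    name: str
    type_: str        # TYPE in the BNF, kept as a string (e.g. "String")
    weight: float     # INITIAL WEIGHT


@dataclass
class Rule:
    name: str
    cause: Callable[[Dict[str, object]], bool]   # IF <CAUSE>: predicate over attribute values
    effect: str                                  # THEN <EFFECT>: label attached when the rule fires


@dataclass
class ClassDef:
    name: str
    parent: Optional["ClassDef"] = None                                 # EXTEND <NAME>
    simple_attrs: List[SimpleAttr] = field(default_factory=list)
    complex_attrs: Dict[str, "ClassDef"] = field(default_factory=dict)  # attr name -> CLASS
    rules: List[Rule] = field(default_factory=list)

    def all_simple_attrs(self) -> List[SimpleAttr]:
        """Own simple attributes plus the inherited ones (inherited listed first)."""
        inherited = self.parent.all_simple_attrs() if self.parent else []
        return inherited + self.simple_attrs

    def rule_chain(self) -> List[Rule]:
        """Rules in priority order: this class first, then each ancestor. A child rule
        with the same name as an ancestor rule shadows it (assumption made here)."""
        chain: List[Rule] = list(self.rules)
        seen = {r.name for r in chain}
        for r in (self.parent.rule_chain() if self.parent else []):
            if r.name not in seen:
                chain.append(r)
                seen.add(r.name)
        return chain


@dataclass
class Obj:
    """OBJECT <Object Name> FROM CLASS <Class Name>, with concrete attribute values."""
    name: str
    cls: ClassDef
    values: Dict[str, object]

    def missing_attrs(self) -> List[str]:
        """Simple and complex attributes the object supplies no value for."""
        expected = [a.name for a in self.cls.all_simple_attrs()] + list(self.cls.complex_attrs)
        return [n for n in expected if n not in self.values]

    def fire_rules(self) -> List[Tuple[str, str]]:
        """(rule name, effect) for every rule whose CAUSE holds, child-class rules first."""
        return [(r.name, r.effect) for r in self.cls.rule_chain() if r.cause(self.values)]


# Constructed hierarchy following the paper's IDS-Message / Alert-Message example.
IDS_MESSAGE = ClassDef(
    name="IDS-Message",
    simple_attrs=[SimpleAttr("ident", "String", 0.1)],
    rules=[Rule("ident-required", lambda v: not v.get("ident"), "reject: analyzer ident missing"),
           Rule("impact-check", lambda v: True, "parent default: no impact known")],
)
LOCATION = ClassDef(name="LOCATION", simple_attrs=[SimpleAttr("ip_address", "String", 0.2)])
ALERT_MESSAGE = ClassDef(
    name="Alert-Message",
    parent=IDS_MESSAGE,
    simple_attrs=[SimpleAttr("Identification", "String", 0.1),
                  SimpleAttr("att_impact", "String", 0.3)],
    complex_attrs={"Location": LOCATION},
    # Same rule name as the parent's: the more specific child check shadows it.
    rules=[Rule("impact-check", lambda v: v.get("att_impact") == "high", "escalate to manager")],
)


def describe(obj: Obj) -> Dict[str, object]:
    """Summary of an object: its class, attribute list, missing values and fired rules."""
    return {"class": obj.cls.name,
            "attributes": [a.name for a in obj.cls.all_simple_attrs()],
            "missing": obj.missing_attrs(),
            "fired": obj.fire_rules()}


if __name__ == "__main__":
    a_message = Obj("A-Message", ALERT_MESSAGE,
                    {"ident": "sensor-01", "Identification": "alert-7", "att_impact": "high",
                     "Location": Obj("loc", LOCATION, {"ip_address": "10.0.0.5"})})
    print(describe(a_message))
```

Running it prints the attribute list of Alert-Message with the inherited ident first, no missing attributes, and a single fired rule: the child's impact-check, which shadows the parent's rule of the same name, while ident-required stays silent because the ident is present.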

3. The Similarity among Cases

The similarity measurement is the core of CBR. Generally, CBR based on the attribute-value form of case representation measures the similarity between two cases by a distance function. In an object-oriented system, however, it becomes more complicated and a simple distance function cannot obtain an accurate similarity between two cases. Sometimes the queried case has the same attributes as some cases in the case base (for example, they may be instances of the same class or inherit from the same parent class), and this part of the similarity can be calculated by a distance function. In the other situation, the two cases have entirely different attributes and the similarity cannot be computed by a simple distance function. So we divide the similarity into two parts, the intra-class distance and the inter-class distance.

3.1 The Intra-class Distance

The intra-class distance is the distance between the queried case and the cases in the case base that have the same attributes. This kind of distance is computed as:

$$Sim_{Intra}(A,B) = \frac{\sum_{a_i \in attr(A) \cap attr(B)} w_i \cdot Sim(a_i(A), a_i(B))}{\sum_{a_i \in attr(A) \cup attr(B)} w_i}$$

where $Sim_{Intra}(A,B)$ is the inner distance between cases A and B; $w_i$ is the weight of attribute $a_i$; and $a_i(A)$ and $a_i(B)$ are the values of attribute $a_i$ in cases A and B.

The case attributes can be classified into the following categories: Binary, Nominal, Ordered Nominal, Item-set, Numerical, Interval, Bounded-From-Below, Bounded-From-Above and Situation. For the detailed definitions, refer to [15]. The hierarchical relations among the 9 kinds of attributes are shown in Fig. 1.

Fig.1: The hierarchical structure of different kinds of attributes (figure not reproduced; its nodes are Attribute, Binary, Nominal, Item-set, Ordered Nominal, Interval, Situation, Numerical, Bounded-From-Above and Bounded-From-Below)

The similarity of the 9 categories can be measured by $SIM(a_i, a_j)$ as follows:

(1) Binary: $1$ if $v_i = v_j$, else $0$

(2) Nominal: $1$ if $v_i = v_j$, else $0$

(3) Ordered Nominal: $1 - \frac{|Pos(item_1) - Pos(item_2)|}{|items|}$

(4) Item-set: $\frac{|itemset_1 \cap itemset_2|}{|itemset_1 \cup itemset_2|}$

(5) Numerical: $\frac{1}{1 + \left(\sum_{i=1}^{n} |v_i - v_i'|^r\right)^{1/r}}$

(6) Interval: $1 - \frac{|v_1 - v_2|}{upperbound - lowerbound}$

(7) Bounded-From-Below: $1 - \frac{|v_1 - v_2|}{\max(v_1, v_2) - lowerbound}$

(8) Bounded-From-Above: $1 - \frac{|v_1 - v_2|}{upperbound - \min(v_1, v_2)}$

(9) Situation: $\varphi(situation_1, situation_2)$

In the above equations, numerical attributes are measured by the Minkowski distance, where r is the order of the distance. When r = 1, the Minkowski distance is equivalent to the Hamming distance; when r = 2 it is equivalent to the Euclidean distance.
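The per-type similarities (1) to (8) and the weighted intra-class similarity $Sim_{Intra}(A,B)$ of Section 3.1, as an added Python example that is not code from the paper. The Situation type (9) is left out because the paper defines it only as an unspecified $\varphi$. The simplified alert schema, its weights, the one-hour interval bound for detection time and the three sample alerts are all constructed for the illustration.

```python
# Added example (not from the paper): per-type attribute similarities of
# Section 3.1, equations (1)-(8), and the weighted intra-class similarity
# Sim_Intra(A, B). The alert schema, weights and sample alerts are constructed.
from typing import Callable, Dict, Sequence, Set, Tuple


def sim_binary(v1: object, v2: object) -> float:
    """(1) Binary and (2) Nominal: 1 if the values are equal, else 0."""
    return 1.0 if v1 == v2 else 0.0


def sim_ordered_nominal(item1: str, item2: str, items: Sequence[str]) -> float:
    """(3) Ordered Nominal: 1 - |Pos(item1) - Pos(item2)| / |items|."""
    return 1.0 - abs(items.index(item1) - items.index(item2)) / len(items)


def sim_itemset(s1: Set[object], s2: Set[object]) -> float:
    """(4) Item-set: |s1 ∩ s2| / |s1 ∪ s2| (two empty sets count as identical)."""
    union = s1 | s2
    return 1.0 if not union else len(s1 & s2) / len(union)


def sim_numerical(v1: Sequence[float], v2: Sequence[float], r: int = 2) -> float:
    """(5) Numerical: 1 / (1 + Minkowski distance of order r); r=2 is Euclidean."""
    dist = sum(abs(a - b) ** r for a, b in zip(v1, v2)) ** (1.0 / r)
    return 1.0 / (1.0 + dist)


def sim_interval(v1: float, v2: float, lower: float, upper: float) -> float:
    """(6) Interval: 1 - |v1 - v2| / (upperbound - lowerbound)."""
    return 1.0 - abs(v1 - v2) / (upper - lower)


def sim_bounded_below(v1: float, v2: float, lower: float) -> float:
    """(7) Bounded-From-Below: 1 - |v1 - v2| / (max(v1, v2) - lowerbound)."""
    denom = max(v1, v2) - lower
    return 1.0 if denom == 0 else 1.0 - abs(v1 - v2) / denom


def sim_bounded_above(v1: float, v2: float, upper: float) -> float:
    """(8) Bounded-From-Above: 1 - |v1 - v2| / (upperbound - min(v1, v2))."""
    denom = upper - min(v1, v2)
    return 1.0 if denom == 0 else 1.0 - abs(v1 - v2) / denom


# Schema entry: attribute name -> (weight w_i, similarity function for that attribute type)
Schema = Dict[str, Tuple[float, Callable[[object, object], float]]]


def sim_intra(a: Dict[str, object], b: Dict[str, object], schema: Schema) -> float:
    """Sim_Intra(A, B): weighted similarity over the attributes both cases share,
    normalised by the weights over the union of their attributes, so an attribute
    present in only one case pulls the score down instead of being ignored."""
    names = set(schema)
    shared = set(a) & set(b) & names
    union = (set(a) | set(b)) & names
    total = sum(schema[n][0] for n in union)
    if total == 0:
        return 0.0
    return sum(schema[n][0] * schema[n][1](a[n], b[n]) for n in shared) / total


# Constructed schema for a simplified alert message (weights are illustrative).
SEVERITY = ("low", "medium", "high", "critical")
ALERT_SCHEMA: Schema = {
    "att_name":  (0.4, sim_binary),                                         # nominal
    "src_ip":    (0.2, sim_binary),                                         # nominal
    "dst_port":  (0.1, sim_binary),                                         # nominal
    "severity":  (0.1, lambda x, y: sim_ordered_nominal(x, y, SEVERITY)),   # ordered nominal
    "detect_ts": (0.2, lambda x, y: sim_interval(x, y, 0, 3600)),           # seconds into a one-hour window
}

# Constructed alerts: two from the same scan a few seconds apart, one unrelated.
ALERT_1 = {"att_name": "portscan", "src_ip": "203.0.113.7", "dst_port": 22, "severity": "medium", "detect_ts": 100}
ALERT_2 = {"att_name": "portscan", "src_ip": "203.0.113.7", "dst_port": 80, "severity": "medium", "detect_ts": 103}
ALERT_3 = {"att_name": "buffer-overflow", "src_ip": "198.51.100.9", "severity": "critical", "detect_ts": 2000}

if __name__ == "__main__":
    print(round(sim_intra(ALERT_1, ALERT_2, ALERT_SCHEMA), 3))   # high: same scan, different port
    print(round(sim_intra(ALERT_1, ALERT_3, ALERT_SCHEMA), 3))   # low: different attack and source
```

The two scan alerts score about 0.90 (only the port differs, and the three-second gap barely dents the interval term), while the overflow alert against the scan scores about 0.14; the missing dst_port on the third alert counts in the denominator but not the numerator, which is what keeps the formula from rewarding sparsely filled messages.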

3.2 The Inter-Class Distance

When calculating the similarity between classes, [16] divided the hierarchy tree nodes into two kinds: internal nodes and leaf nodes. Each internal node was given a value s indicating the minimum node similarity in the subtree rooted at that node. The inter-class similarity is then the value s of the common parent class node in the tree. The advantage of this method is its low computational complexity, but it requires the value s to be given by hand, and the value must be updated whenever the case base is renewed.

The abstract class hierarchy tree is shown in Fig. 2: the closer to the leaves, the lower the abstraction level of the class; conversely, the closer to the root, the higher the abstraction level. So the similarity between two objects is tightly related to the positions of their classes in the hierarchy tree. If their common parent classes are near the root, they may have a bigger similarity; otherwise, a smaller one. Obviously, a bigger similarity of two objects indicates that they have a larger number of common parent classes. Thus we can use the ratio of the number of common parent classes to the total number of parent classes to represent the class similarity between two objects. The formula is:

$$Sim(c_i, c_j) = \frac{|Super(c_i, C) \cap Super(c_j, C)|}{|Super(c_i, C)| \times |Super(c_j, C)|}$$

where $Super(c, C)$ denotes the parent classes of c in the class hierarchy C, and $|Super(c, C)|$ their number. Counting parent classes is a computationally efficient way to obtain the similarity between classes, and it allows dynamic recalculation when the case base is updated and the class hierarchy tree is modified.
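The inter-class similarity of Section 3.2 computed from parent-class sets, as an added Python example (not the paper's code). The hierarchy is constructed, loosely after the class names in Fig. 3, and one reading is assumed: $Super(c, C)$ is taken to contain the object's own class together with all of its ancestors, so that a root class still has a non-empty set and the denominator is never zero. The equation is implemented as reconstructed above, with the product of the two set sizes in the denominator.

```python
# Added example (not from the paper): Super(c, C) and the inter-class
# similarity Sim(ci, cj) over a constructed class hierarchy. Assumption:
# Super(c, C) includes c itself plus every ancestor up to the root.
from typing import Dict, Optional, Set

# Class hierarchy C as child -> parent; None marks the root. Constructed after Fig. 3.
HIERARCHY: Dict[str, Optional[str]] = {
    "IDS Message": None,
    "State Message": "IDS Message",
    "Alert Message": "IDS Message",
    "Tool Alert": "Alert Message",
    "Buf_overflow": "Alert Message",
    "Other Alert": "Alert Message",
}


def super_classes(c: str, hierarchy: Dict[str, Optional[str]]) -> Set[str]:
    """Super(c, C): c itself and every ancestor, walking child -> parent to the root.
    A parent name missing from the hierarchy raises KeyError (malformed hierarchy)."""
    if c not in hierarchy:
        raise KeyError(f"class {c!r} is not in the hierarchy")
    result: Set[str] = set()
    node: Optional[str] = c
    while node is not None:
        if node in result:                      # guard against a cyclic hierarchy
            raise ValueError(f"cycle in hierarchy at {node!r}")
        result.add(node)
        node = hierarchy[node]
    return result


def sim_inter(ci: str, cj: str, hierarchy: Dict[str, Optional[str]]) -> float:
    """Sim(ci, cj) = |Super(ci) ∩ Super(cj)| / (|Super(ci)| × |Super(cj)|),
    the paper's formula as reconstructed from the extracted equation."""
    si, sj = super_classes(ci, hierarchy), super_classes(cj, hierarchy)
    return len(si & sj) / (len(si) * len(sj))


if __name__ == "__main__":
    for pair in (("Tool Alert", "Buf_overflow"), ("Tool Alert", "State Message"),
                 ("Tool Alert", "Tool Alert")):
        print(pair, round(sim_inter(*pair, HIERARCHY), 3))
```

Two sibling alert classes score 2/9, a cousin under State Message scores 1/6, and two objects of the same class score only 1/3 rather than 1: with a product in the denominator the score shrinks with depth, so before relying on the normalisation a practitioner should check it against the intended behaviour on their own hierarchy (the absolute values matter once a fixed threshold is applied to the global similarity).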

Fig2: Class Abstract Hierarchy Structure (figure not reproduced; its labels are abstract degree, lower, higher, abstract class and cases)

3.3 Global Similarity Calculation

After obtaining the intra-class distance and the inter-class distance between two cases, we get the global similarity by using some kind of aggregation function, such as:

$$Sim_{final} = \varphi(Sim_{intra}(A,B), Sim_{inter}(A,B))$$

In this paper, we multiply the two similarity values to obtain the global similarity.

4. IDS Application and Experiments

This paper extends [17], motivated by the fact that most current IDSs suffer from frequent alarming problems. In this section we use the above object-oriented case representation method to solve this problem.

In an IDS, especially a distributed IDS, the attack descriptions, detection knowledge and alert messages can all be represented by the object-oriented model. Next, we address how to represent the alert messages in an object-oriented way and make use of the similarity among these messages to reduce over-sensitive alarming in our own IDS product (Net Detector, see footnote 1).

4.1 The Object-Oriented Model for Alerts Representation

IDS messages can be classified into two types, alert messages and state messages. Alert messages are those that the different analyzers send to the central manager when they detect attack evidence. State messages are those that analyzers send to the central manager to report their working status. An alert message includes information about the analyzer, creation time, attack detection time, current time of the analyzer, attack source, attack target, attack type and appended data. If the analyzer can perform further analysis of the attack, the alert message also includes the attack tool, whether or not it is a buffer-overflow attack, and other correlated alerts. A state message includes information about the analyzer, creation time, attack detection time and appended data. The alert message is briefly displayed in Fig. 3.

Footnote 1: "Net Detector" is a distributed IDS. The system is composed of two main parts: the network sensors and the central control manager. Each network sensor has an analysis engine inside. When it detects attacks, it sends alert messages to the control center. The control center is a coordinator for all these network sensors. The system has been qualified by the Ministry of Public Security and has become a commercial IDS.


Fig3: Attack alert message class hierarchy structure (figure not reproduced; the classes and attributes it shows are listed below)

IDS Message
State Message: String:ident; …
Alert Message: Str:ident; Str:att_impact; Str:res_action;
Location: Class:Address; Class:Process; Class:User; Class:Service;
Time: Int:year; Int:month; …;
Classification: Str:ident; Str:att_name; Str:ref_url;
Tool Alert: Str:command; …
Buf_overflow: Str:program; int:sent_size; Str:buf_content;
Other Alert: Str:name; …
Address: Str:ip_address; Str:category; Str:netmask;
Process: int:pid; Str:path; Str:arguments; Str:environment;
Service: Str:name; int:port; Str:protocol;
User: Str:name; Str:type;
Analyzer: Str:ident; Str:manufact; Str:type(soft/hard); Str:version; Str:os_ver; Str:class(Net/host);
Other labels in the figure: Creation Time, Detect Time, Analyzer Time, Source, Target, WEB Service, SNMP Service, POP Service

4.2 Message Similarity Measurement

Next we give some examples of attacks using several popular attack tools, such as SSS (Shadow Security Scanner), X-SCAN and Ping of Death (PoD). We use the object-oriented model to represent the alert messages and adopt the message similarity measurement described above to measure the similarity of these messages. If the similarity value exceeds a given threshold, we consider the messages to be of the same class and the sensor does not send the alarm to the control center. The test results are given in Table 1. "IDS sensor (comparison)" means that the sensors send alarms to the control center without analysis, while "IDS sensor (analyzed)" means that the sensor first buffers the alert messages and then filters out those with a high similarity.

Clearly, it is reasonable to say that representing alert messages in an object-oriented way and analyzing the similarities among cases can effectively mitigate the over-sensitive alarm problem. It makes it much more convenient for network administrators to check and audit the IDS log.
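The sensor-side procedure of Section 4.2 (buffer the alerts, fold any alert whose similarity to an already forwarded one reaches the threshold, and report the share of alarms cut, as in Table 1), as an added Python example that is not code from the paper or from Net Detector. The similarity function here is a deliberately small stand-in (the share of equal nominal attributes) where a deployment would plug in the intra- and inter-class measure; the alert records, the 60-second buffer window, the 0.7 threshold and the IP addresses are all constructed. One design choice beyond the paper's description: a forwarded alert carries a count of the alerts folded into it, so suppression stays visible in the log instead of being silent.

```python
# Added example (not from the paper): buffering and threshold-based suppression
# of similar alerts on the sensor, plus the Table 1 style "rate to cut".
# The similarity is a stand-in; alerts, window and threshold are constructed.
from dataclasses import dataclass
from typing import Callable, List


@dataclass(frozen=True)
class Alert:
    ident: str
    att_name: str
    src_ip: str
    dst_ip: str
    dst_port: int
    detect_ts: float   # seconds since the sensor started


@dataclass
class Forwarded:
    """An alert sent to the control center, with the number of near-duplicates it
    stands for, so the administrator can see how much was folded into it."""
    representative: Alert
    suppressed: int = 0


def attribute_match_similarity(a: Alert, b: Alert) -> float:
    """Stand-in for the paper's similarity: share of equal nominal attributes."""
    pairs = [(a.att_name, b.att_name), (a.src_ip, b.src_ip), (a.dst_ip, b.dst_ip), (a.dst_port, b.dst_port)]
    return sum(x == y for x, y in pairs) / len(pairs)


def sensor_filter(alerts: List[Alert], similarity: Callable[[Alert, Alert], float],
                  threshold: float, window_s: float) -> List[Forwarded]:
    """Process alerts in time order; an alert whose similarity to an alert already
    forwarded inside the window reaches the threshold is folded into that alert."""
    forwarded: List[Forwarded] = []
    for alert in sorted(alerts, key=lambda x: x.detect_ts):
        recent = [f for f in forwarded if alert.detect_ts - f.representative.detect_ts <= window_s]
        best = max(recent, key=lambda f: similarity(alert, f.representative), default=None)
        if best is not None and similarity(alert, best.representative) >= threshold:
            best.suppressed += 1
        else:
            forwarded.append(Forwarded(alert))
    return forwarded


def cut_rate(total: int, forwarded_count: int) -> float:
    """Over-sensitive alarm rate to cut (%), Table 1 style: share of alarms not forwarded."""
    return round(100.0 * (total - forwarded_count) / total, 1) if total else 0.0


# Constructed sensor output: a port scan that fires once per port, a repeated
# ping-of-death, one unrelated overflow alert and a later scan from another host.
SAMPLE_ALERTS: List[Alert] = (
    [Alert(f"a{i}", "portscan", "203.0.113.7", "192.0.2.10", port, float(i))
     for i, port in enumerate((21, 22, 23, 25, 80, 110, 143, 443))]
    + [Alert("p1", "ping-of-death", "198.51.100.9", "192.0.2.10", 0, 3.5),
       Alert("p2", "ping-of-death", "198.51.100.9", "192.0.2.10", 0, 4.5),
       Alert("b1", "buffer-overflow", "198.51.100.9", "192.0.2.10", 80, 5.5),
       Alert("a9", "portscan", "203.0.113.55", "192.0.2.10", 22, 200.0)]
)

if __name__ == "__main__":
    out = sensor_filter(SAMPLE_ALERTS, attribute_match_similarity, threshold=0.7, window_s=60.0)
    for f in out:
        print(f.representative.ident, f.representative.att_name, "suppressed:", f.suppressed)
    print("cut rate:", cut_rate(len(SAMPLE_ALERTS), len(out)), "%")
```

Of the twelve constructed alerts, four reach the control center: the first scan alert (with seven folded into it), the first ping-of-death (with one), the overflow alert, and the second host's scan, which falls outside the window. The cut rate is 66.7%. The window matters as much as the threshold: without it, a scan resumed hours later would be folded into a stale representative and the administrator would never see it.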

Table1: The over-sensitive alarm problem of the two kinds of IDS when using different attack tools

Attack Tools | IDS Sensor (Comparison) | IDS Sensor (Analyzed) | Over-sensitive Alarm Rate to Cut (%)
SSS          | 299                     | 11                    | 96.3
X-SCAN       | 90                      | 6                     | 93
PoD          | 120/min                 | 1/min                 | 99

5. Conclusions

Most recent commercial IDSs suffer from a high over-sensitive alarm rate, which has become a serious limitation in popularizing and applying IDSs. Deeply understanding the attack mechanism and analyzing the internal relationships among alert messages as a whole can solve this problem to a large extent.

This paper gives an object-oriented way to represent alert messages according to the features of CBR. In this way, we obtain the complex structural information among different cases by referring to the class hierarchy. It overcomes the shortcoming that the simple attribute-value method cannot represent complex cases; on the other hand, we combine domain knowledge with case representation through restriction rules. When discussing the similarity among different cases, the intra-class and inter-class similarities work together to accurately describe the total global similarity. [16] assigned the values of the nodes in the class hierarchy tree by hand and then calculated the similarity between classes. That reduces the calculation complexity but needs more human intervention to modify node values while updating the case base. This paper provides an automatic way, without human intervention, to traverse the case base and dynamically calculate the similarity among cases. What we have put forward, the object-oriented representation and the similarity measure, has been applied to our own commercial intrusion detection system, where it performs quite well in alleviating the over-sensitive alarm problem.

Acknowledgments: This work is supported by the Shanghai Leading Academic Discipline Project (PN: J50103) and the Innovation Project of Shanghai Municipal Education Committee (No. 09YZ05).

6. References

[1] J. L. Kolodner. Case-Based Reasoning. Morgan Kaufmann Publishers, Inc., 1993.

[2] I. Watson, F. Marir. Case-based reasoning: a review. The Knowledge Engineering Review, 9(4), pages 327-354, 1994. Available at http://www.ai-cbr.org/classroom/cbr-review.html.

[3] A. Aamodt, E. Plaza. Case-Based Reasoning: Foundational Issues, Methodological Variations, and System Approaches. AICom - Artificial Intelligence Communications, 7(1), pages 39-59, 1994.

[4] D. W. Aha, I. Watson. Case-based reasoning research and development. In Proceedings of ICCBR 2001, Springer, 2001.

[5] D. W. Aha, L. A. Breslow. Conversational case-based reasoning. Applied Intelligence, 14, pages 9-23, 2002.

[6] Shi Zhong-zhi. High Level Artificial Intelligence. Science Press, 1999, pp. 78-100.

[7] I. Watson, S. Perera. A hierarchical case representation using context guided retrieval. Knowledge-Based Systems, 11, pages 285-292, 1998.

[8] E. Bloedorn, B. Hill, A. Christiansen, et al. Data Mining for Improving Intrusion Detection, 2000. http://www.mitre.org/support/papers/tech_papers99_00.

[9] C. Clifton, G. Gengo. Developing Custom Intrusion Detection Filters Using Data Mining. In Military Communication International Symposium (MILCOM 2000), October 2000.

[10] M. Klemettinen. A Knowledge Discovery Methodology for Telecommunication Network Alarm Data. Ph.D. Thesis, University of Helsinki (Finland), 1999.

[11] K. Julisch, M. Dacier. Mining Intrusion Detection Alarms for Actionable Knowledge. In the 8th ACM International Conference on Knowledge Discovery and Data Mining, Edmonton, July 2002.

[12] H. Debar, A. Wespi. Aggregation and Correlation of Intrusion-Detection Alerts. In 4th Workshop on Recent Advances in Intrusion Detection (RAID), LNCS, pp. 85-103, Springer Verlag, 2001.

[13] A. Valdes, K. Skinner. Probabilistic Alert Correlation. In 4th Workshop on Recent Advances in Intrusion Detection (RAID), LNCS, pp. 54-68, Springer Verlag, 2001.

[14] O. Dain, R. K. Cunningham. Fusing Heterogeneous Alert Streams into Scenarios. Applications of Data Mining in Computer Security. Kluwer Academic Publisher, Boston, 2002.

[15] Angi Voß. Similarity concepts and retrieval methods. FABEL-Report 13, GMD, Sankt Augustin, 1994.

[16] W. Pree, E. Gamma. Design Patterns for Object-Oriented Software Development. Addison-Wesley Pub Co., 1995.

[17] Qian Quan, Zhang Shuguang, Fang Jin, Cai Qingsheng. Object Oriented Case Representation in Case-based Reasoning. Proceedings of 2001 National Conference on Artificial Intelligence: Progress of Artificial Intelligence in China 2001. Beijing University of Posts and Telecommunications (BUPT) Publishing House, 2001, pp. 207-210. (In Chinese)
