SLIP
Technology Browser Exercise III
November 19, 2001
Obtaining Informational Transparency with Selective Attention
Dr. Paul S. Prueitt
President, OntologyStream Inc
{s_port, d_port}
One needs the WinZip file, dSLIP
Review:
Our analytic conjecture is established by setting the “b” values to the source port and the “a” values to the defensive port. In the SLIP Warehouse Browser, under development, the process of developing the analytic conjecture will be facilitated.
The conjecture is that the non-specific relationship, r, will gather the defensive port values into categories that reveal something about the global events that were going on during the period in which an IDS system is detecting intrusion events. The IDS event log is input into the Warehouse Browser to produce the source files needed by the Technology Browser.
Figure 1: The analytic conjecture
Formally we have:
$(a_1, b) + (a_2, b) \rightarrow \langle a_1, r, a_2 \rangle$
where r is the non-specific relationship.
The “b” values are from one column in the intrusion event log and the “a” values are from a second column in the intrusion event log.
We call “b” the “first name” and “a” the “second name”. The set { a } defines the set of atoms that are categorized.
The set { b } provides the means to define the incident-level events that result from the SLIP emergent computing technique. Exercise II focused on this, but the techniques related to automatically organizing event maps are still under development. Exercise III continues this focus.
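The analytic conjecture stated above, worked through as an added illustration (this is not code from the SLIP tool or from the author): b = s_port is the first name, a = d_port is the second name, two atoms that share a first name are joined by r, and the connected components of the resulting r-graph are the categories the conjecture expects. The log is a constructed sample, and its comma-separated field layout is an assumption.

```python
from collections import defaultdict
from itertools import combinations

# Constructed sample of IDS summary records (not the page's RealSecure log).
# Assumed layout per line: timestamp,s_port,d_port,signature
SAMPLE_LOG = """\
2001-11-19T08:00:01,1045,80,HTTP_Probe
2001-11-19T08:00:02,1045,443,HTTP_Probe
2001-11-19T08:00:05,1046,80,HTTP_Probe
2001-11-19T08:01:10,53,53,DNS_Version
2001-11-19T08:02:00,2231,21,FTP_Banner
2001-11-19T08:02:01,2231,23,Telnet_Banner
2001-11-19T08:02:03,2232,21,FTP_Banner
"""

def pairs_from_log(text):
    """Build the (a, b) pairs of the analytic conjecture: first name
    b = s_port, second name a = d_port. This is what Paired.txt holds."""
    pairs = set()
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, s_port, d_port, _sig = line.split(",")
        pairs.add((int(d_port), int(s_port)))  # (a, b)
    return pairs

def nonspecific_relation(pairs):
    """(a1, b) + (a2, b) -> <a1, r, a2>: atoms that share a first name b
    are linked by the non-specific relationship r. Returns the set of
    r-links as ordered (a1, a2) tuples with a1 < a2."""
    atoms_by_b = defaultdict(set)
    for a, b in pairs:
        atoms_by_b[b].add(a)
    links = set()
    for atoms in atoms_by_b.values():
        links.update(combinations(sorted(atoms), 2))
    return links

def categories(pairs):
    """Connected components of the r-graph: the categories into which the
    conjecture gathers the d_port atoms (simple union-find over the links)."""
    parent = {a: a for a, _ in pairs}
    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x
    for a1, a2 in nonspecific_relation(pairs):
        parent[find(a1)] = find(a2)
    groups = defaultdict(set)
    for a in parent:
        groups[find(a)].add(a)
    return sorted(sorted(g) for g in groups.values())
```

On the sample, ports 80 and 443 are gathered together because both were paired with source port 1045, and 21 and 23 because both were paired with 2231; port 53 stands alone.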
The incident map is often incomplete but can be used to begin the process of developing a model for each of a number of currently occurring global incident events.
Taken together, automated means create small topic maps with specific relationships that the domain experts (working within their security environment) may use to profile the global events of interest.
Figure 2: A graphic depicting the construction and display of the event map
An event type is something that we can profile because the events in the event record reoccur with sufficient similarity to be recognized as instances of the event type.
SLIP-generated event maps may in fact be major components of complete incident event types, but not the complete event type. The issue is that the emergent computing is being asked to produce a fractionation (parcelation or categorization) that is crisp, while the events themselves have inexact boundaries and overlap each other.
There are “event fidelity” issues to consider. The IDS event log will have various degrees of completeness (having all aspects of the intrusions detected) and consistency (having only those local events detected that are related to a single global event).
The Warehouse Browser is being designed to take care of some of the fidelity issues. However, it must be understood that a complete system for real-time incident event monitoring can be developed only with all three of the browsers. The Enterprise Browser is needed to archive the work product and to allow the community to discuss the universe of global events that are occurring over any one period of history and to anticipate new kinds of event types based on vulnerability studies.
We need to look at the small clusters at the bottom of a standard construction of a SLIP Framework, where all of the major clusters are removed on the first pass and the re-cluster process then works on the remnants of what is left. What we expect from this is a collection of partial events that can be put together by domain specialists using an event map graph.
The computational machinery to enable a domain expert to develop event maps from partial event maps is being developed. However, in Exercise III we take a different approach and try to get the complete event.
A categorical min-max problem is worked out in general terms, in formal theorems, and will be explored a bit more in this exercise set. The formal theorems may lead to a body of knowledge similar to that of rough set theory or fuzzy set theory. (Currently there is one PhD dissertation, at Swinburne University of Technology, Australia, being planned based on the underlying theoretical work.)
The Example:
Let the first column, (b), be the port used by the source of the attack (s_port) and the second column, (a), be the defensive port (d_port). There are 764 atoms in the top-level category A1 of the associated SLIP Framework.
The set of paired d_port values has 32,927 paired values, each part of the pair being a port value. The pairs are defined through the analytic conjecture graph, Figure 1.
Pre-exercise:
Start SLIP.exe in a folder that contains a folder named ‘data’. You need only two text files to start with.
1) Paired.txt is the file containing the 32,927 pairs of port values.
2) Datawh.txt (Data Warehouse) is the file containing the 14,475 RealSecure summary event records.
However, for this exercise we start with some data that is contained in nested files. Once SLIP.exe is started one will see the structure in Figure 3a.
The idea is that some of the atoms are not really part of the major events. We might remove these atoms first. But how?
Figure 3: A1 and the Fourth Residue (panels a and b)
Having completed the above steps we can now delete the data structure and redevelop the SLIP Framework.
B.1: Delete the A1 folder and all of its contents. There are nested folders that are read by the Browser, and all of these will be deleted. You need only Paired.txt, the file containing the 32,927 pairs of port values, and Datawh.txt (Data Warehouse).
B.2: Redevelop several levels where the iterations are carried out long enough to remove stationary regions that are outside of the main clusters.
B.3: Produce three Primes and generate the Reports. These three primes will be almost (or exactly) the primes that were just deleted.
B.4: Inspect the Report files using a word processor.