DocumentCode :
2719023
Title :
Self-organizing resilient network sensing (SornS) with very large scale anomaly detection
Author :
Dove, Rick
Author_Institution :
Paradigm Shift Int., Questa, NM, USA
fYear :
2011
fDate :
15-17 Nov. 2011
Firstpage :
487
Lastpage :
493
Abstract :
Anomaly detection promises to find elements of abnormality in a field of data. Computational barriers constrain anomaly detection to sparse subsets of total anomaly space. Barriers manifest in three ways - conserving both pattern memory capacity and pattern matching cycle time, while closing off scalability. The research reported here has discovered and analyzed a technology to eliminate two of these barriers, memory capacity and cycle time, and by targeting implementation at a new VLSI pattern processor, eliminate the third scalability barrier. An example shows how 10 to the 15 patterns integrated as a single gang detector can be stored in 193 bytes of memory, with much larger pattern magnitudes practical as well. The architecture of the gang detector enables complete processing of all 10 to the 15 patterns in time determined by the number of features in a single pattern, rather than the total number of patterns. Scalability is provided by a reconfigurable massively parallel VLSI pattern-matching processor chip that can accommodate a virtually unbounded number of such gang detectors. Anomalous behavior detection promises a way round the limitations of looking only for known attack patterns, but it raises new issues in the cyber domain of higher false positive rates and questionable normal-behavior stability. Work reported in this paper describes the nature and capability of gang detector employment, and suggests that the traditional issues of anomaly detection can be addressed with an architecture that engages in continuous learning and re-profiling of normal behavior, and employs a sensemaking hierarchy to reduce false positives. The architecture is based on process patterns from the biological immune system combined with process patterns of mammalian cortical hierarchical sensemaking.
Keywords :
VLSI; data analysis; pattern matching; reconfigurable architectures; self-organising feature maps; set theory; anomalous behavior detection; computational barrier; continuous learning; cyber domain; false positive rate; normal behavior reprofiling; pattern magnitude; pattern matching cycle time; pattern memory capacity; questionable normal-behavior stability; reconfigurable massively parallel VLSI pattern matching processor chip; self-organizing resilient network sensing; single gang detector employment; sparse subsets; total anomaly space; very large scale anomaly detection; virtually unbounded number; Computer architecture; Detectors; Feature extraction; Immune system; Pattern matching; Very large scale integration; anomalies; anomaly detection; artificial immune system; cortex; cortical hierarchy; packets; patterns; zero-day attacks;
fLanguage :
English
Publisher :
IEEE
Conference_Titel :
Technologies for Homeland Security (HST), 2011 IEEE International Conference on
Conference_Location :
Waltham, MA
Print_ISBN :
978-1-4577-1375-0
Type :
conf
DOI :
10.1109/THS.2011.6107917
Filename :
6107917