A Road Map of Knowledge Management for Network Security and Roles of Soft Computing

Atsushi Inoue
Department of Computer Science, Eastern Washington University, Cheney, WA 99004-2412
E-mail: [email protected]

Anca L. Ralescu
ECECS Department, University of Cincinnati, Cincinnati, OH 45221-0030
E-mail: [email protected]

Abstract— This paper presents a road map of knowledge management for network security. To handle the real-time nature and unpredictable distribution of network traffic, a sophisticated artificial intelligence must underlie a multi agent system architecture that serves as the middleware for knowledge management operations. To realize this, Soft Computing intrinsically plays the key roles in most of the primary knowledge management tasks.

I. INTRODUCTION

The last decade has witnessed an increase in efforts to build upon the advancement of information technologies (especially artificial intelligence techniques for knowledge representation and reasoning, broadly called knowledge management) to ensure that experience and knowledge are accessed and used by the right people at the right time in the right format [34], [11], [29]. The premise of such efforts is that knowledge-empowered enterprises will achieve substantial improvement in effectiveness, productivity, and service quality by leveraging the collaborative knowledge of their people within a framework of knowledge management in real time. To realize this, the following technologies are necessary: (1) Knowledge Representation, for knowledge integration; (2) Just-In-Time Knowledge Delivery, for real-time knowledge sharing; and (3) One-stop Search, for a single interface to the search of knowledge.

In the context of network security administration, knowledge management is indeed a powerful infrastructure for many of its tasks, including, but not limited to: (1) profiling of computational activities; (2) sharing and/or updating of configurations for tools (e.g. snort and tcpdump) within selective criteria on a real-time basis; (3) incident response (e.g. notification of certain people, changing or holding routes, and disabling services and/or hosts in order to protect them); (4) tracking and recording computational activities at the time of an incident for forensic activities; and (5) tracking and recording configurations inconsistent with security policies for penetration testing. Such tasks can be performed efficiently and effectively by placing appropriate queries for the one-stop search of knowledge, which is accessible by just-in-time knowledge delivery and represented in a canonical knowledge representation.

This paper presents a road map toward a framework for artificial intelligence underlying security knowledge management in a way that assists security administrators in providing trustworthy services to their respective organizations. In particular, this is realized by development of a multi agent system for (1) data collection, (2) mining data relevant to network security, (3) query processing, and (4) embedding the query processing in security relevant tasks, such as tracking of suspicious activities, and assessment and auditing of security tool configurations.

II. NETWORK SECURITY ADMINISTRATION

A. Current

Recently, the issue of network security has drawn significant attention from the public and the research community [8], [26]. Practical tools [35], [38], [39], [13], [25], books [2], [33], [27], [28], [20] and training programs (e.g., short courses and their materials [32], [27], [28]) for network security have come out, and they are indeed making significant contributions to advancing the technology. Some efforts on using artificial intelligence (mainly for intrusion detection tasks) have also been made, although such efforts have not yet received much attention, mainly due to the lack of integrated knowledge of artificial intelligence and network security [3], [22]. Reflecting such trends, further sophistication of network administration tasks is needed in order to ensure maximum network security. At a minimum, network administrators are always required to gain additional knowledge on top of their administrative tasks.

B. Future

This road map puts forward the idea that AI and data management techniques can be called upon to create an environment for network security management without increasing the burden on the network administrator. For a concrete illustration of network security tasks, the following scenarios are considered.

Scenario 1 - Detection of, and response to, a suspicious activity: Jim, a network administrator, is notified by an alert on his computer that an unusual increase in network traffic has taken place in the last five minutes.
He then places the following query to an agent at his workstation and receives the corresponding responses from remotely distributed agents:

    Query> Count packets in all networks where time > now - 10min.

    NETWORK      #packets
    ---------------------
    Network A    50k
    Network B    5000k
    Network C    12k
    ...

He forms a suspicion about the activity on Network B, a subnet of a public wireless connection whose access point is placed at the student union building. He then places the query:

    Query> Count outgoing packets from all hosts in Network B where time > now - 10min.

    HOSTS@Network B     #outgoing packets
    -------------------------------------
    dhcp-server3        5k
    access point 2@     350
    access point 3@     4994k
    (@ -- router)

It appears that access point 3 is the source of that unusual increase in packet traffic. For further investigation, he places the query:

    Query> Count very high outgoing packets from all hosts in network routed thru access point 3
           where host(name, id, mac, vendor, type) and time > now - 10min.

    Host name   IP address      MAC address   Vendor   Type   packets
    ------------------------------------------------------------------
    dhcp122     192.168.23.35   xx:xx:xx:..   D-link   650    4357k
    ....
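How an agent could evaluate the qualifier very high in the last query above, as an added example in Python that is not part of the paper: the fuzzy set high is anchored on the response to the second query, as the paper's note following this scenario suggests (0.0 at 350 packets, 0.5 at 5k, 1.0 at 5000k), very is the squaring hedge, and the answer is the alpha-cut of the resulting membership over the per-host counts. The host names and counts, the linear interpolation between anchors and the 0.5 alpha-cut are assumptions of the example.

```python
# Added example, not from the paper: evaluating the fuzzy qualifier
# "very high" of Scenario 1 over per-host outgoing packet counts.
# Host names and counts are constructed; the anchor points of the fuzzy
# set "high" are the ones the paper suggests reading off the previous
# query's response (350 -> 0.0, 5k -> 0.5, 5000k -> 1.0).  Linear
# interpolation between anchors and the 0.5 alpha-cut are assumptions.
from bisect import bisect_left


def piecewise_linear(anchors):
    """Membership function interpolating (x, mu) anchor points; constant
    below the first anchor and above the last one."""
    xs = [x for x, _ in anchors]
    mus = [m for _, m in anchors]

    def mu(x):
        if x <= xs[0]:
            return mus[0]
        if x >= xs[-1]:
            return mus[-1]
        i = bisect_left(xs, x)            # xs[i-1] < x <= xs[i]
        x0, x1, m0, m1 = xs[i - 1], xs[i], mus[i - 1], mus[i]
        return m0 + (m1 - m0) * (x - x0) / (x1 - x0)

    return mu


def very(mu):
    """Concentration hedge used by the paper: mu_very_A(x) = mu_A(x) ** 2."""
    return lambda x: mu(x) ** 2


# "high" over outgoing packets per 10 minutes; "very high" is its hedge.
HIGH = piecewise_linear([(350, 0.0), (5_000, 0.5), (5_000_000, 1.0)])
VERY_HIGH = very(HIGH)

# Constructed per-host counts behind access point 3 (not the paper's data).
HOSTS = {
    "dhcp122": 4_357_000,
    "dhcp087": 610_000,
    "dhcp015": 9_000,
    "dhcp003": 2_100,
}


def select(hosts, qualifier, alpha=0.5):
    """Alpha-cut of a fuzzy query: hosts whose membership in `qualifier`
    is at least `alpha`, as (host, membership) pairs, highest first."""
    scored = [(name, round(qualifier(n), 3)) for name, n in hosts.items()]
    return sorted([s for s in scored if s[1] >= alpha], key=lambda s: -s[1])


if __name__ == "__main__":
    for label, q in (("high", HIGH), ("very high", VERY_HIGH)):
        print(label, select(HOSTS, q))
```

With these anchors, high alone admits three of the four hosts at the 0.5 cut (a 9k-packet host sits right at the 5k anchor's 0.5 level), while very high keeps only the 4357k host; the hedge is what turns the query into the single-host answer the scenario needs, which is the point of applying it rather than a crisp threshold.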

He grabs his PDA, copies this response, and goes to the student union building, looking for anyone who seems to have a particular wireless network PC card (D-link 650). At a cafe he finds a student using a laptop with a D-link wireless card. He approaches the student and asks him to show his wireless card. Its MAC address is indeed the one of interest. He realizes that the student is playing a computer game using a high-quality video stream with his friends. He instructs the student not to do this from the public wireless network and suggests that there is a multimedia laboratory dedicated to high-quality video streams.

Notice in this scenario the natural (but fuzzy) concept very high used in the query. It can be treated as a fuzzy set high defined over the number of packets (its membership function can be determined by taking the response to the previous query into account, e.g. 0.0 for 350, 0.5 for 5k, and 1.0 for 5000k) modified by the (fuzzy) linguistic hedge very (one way to compute the membership function is $\mu_{very\text{-}high}(x) = [\mu_{high}(x)]^2$).

Scenario 2 - E-mail bomb threat: Bob, a system administrator of a large E-mail server, receives a call from Jim that there may be a serious E-mail bomb threatening their organization. Bob successfully identifies the type of E-mail bomb, which came with an attachment of an MS Word file containing a macro able to remove some important plug-ins. He immediately places the following query so that agents embedded within hosts respond and configure an action such that the message possible E-mail bomb!! Call Bob! pops up to users:

    Query> Request all hosts list all files where type=msword and created >= Monday;
           action when open notify 'possible E-mail bomb!! Call Bob.'

Then he scans all suspicious attachment files located on the E-mail server and other accessible file servers within the next 1.5 hours. Consequently, the damage was kept to a minimum (limited to those who opened the file prior to the notice and those whose PCs had no agents embedded).

Scenario 3 - Assessment of snort rules: It is time for Jim to assess the effectiveness of his snort rules [35]. He has put significant effort into enhancing the snort rules, so that his rule base has become quite complex. He now wishes to sort these rules in order of usage (i.e. how often a rule is used). He writes an application that reads each and every one of the snort rules and performs the following query for each rule, such that the parameters within this query (marked by @) are determined from a translation of the rule:

    Query> Count @IN-OUT packets from @HOSTS in @NETWORKS where type = tcp and port > 128 ..

Consequently, as a result of this assessment, he decides to eliminate the ten least used rules.

Scenario 4 - Profiling for Investigations: The Department of Homeland Security requests profiles of student access to a certain home page. Jim performs the following query in response:

    Query> Count outgoing packets from all hosts in network A and network B ...
           where 091103 < time < 123103 and interval of 6 hours and host(name, network)
           and type=http and destination is ...

    Interval     Host   Network     number of packets
    -------------------------------------------------
    0-6 091103   h1     network A   23
    ...

Jim identifies a list of users who logged in on any one of those hosts during a listed interval. With minor additional research, the authority came up with a list of interviewees based on this list by identifying the current addresses and contact information of those users.

Scenario 5 - Intrusion Detection and Tracking: Tripwire detects modifications of important files such as password files and various system configuration files, and logs those events. Assume that a utility program is launched (manually or automatically) in response to a new event caught by Tripwire. This event indicates a modification to the file 'sys_hardware', a system hardware configuration file. First, the utility program determines the users accessing that file as follows:

    Query> list process where time > now - 10 min and process(command, owner, file) and file is @FILE

    Command   Owner   Files
    ------------------------------
    ed        bin     sys_hardware

    Query> list user login where time > now - 10 min. and user has privilege

    User
    ----

It turns out that no such users have logged in within that duration. This is a definite indication of an intrusive access to that file. Consequently, the utility program reports the incident at this time. As the first step of the investigation, the following query is placed:

    Query> track sources of packets where time > now - 10 min. and type is tcp

    Sources
    ------------------------------
    many through network C
    few through network E
    7 from domain bbb.ccc
    xxx.yy.zzzz
    ...

Notice that the fuzzy sets many and few, defined over the number of hosts, are used. Such responses eliminate a massively long list of sources (summarization). One should be able to identify specific suspicious users if they logged in from hosts in the same network. At the very least, one should be able to narrow down where and how the intrusion came from (when intrusions come from outside).

III. KNOWLEDGE MANAGEMENT FOR NETWORK SECURITY

A. Roles of Artificial Intelligence and Soft Computing

The challenges of studying artificial intelligence come not only from fundamental methodologies such as inference, association, and learning but also from the deployment of artificial intelligence applications in such a way that artificial intelligence plays central roles. This can be observed from the contents of internationally recognized professional conferences such as the International Joint Conference on Artificial Intelligence (IJCAI) [16] and even more from the fact that, starting in 1989 [15], the Innovative Applications of Artificial Intelligence Conference (IAAI) has been held in conjunction with IJCAI.
Fundamental questions underlying the development of such applications include: (1) How can sophisticated and complex artificial intelligence be managed efficiently and effectively? (2) How can multiple methodologies in artificial intelligence be integrated? A symposium focused on this issue has been held in conjunction with AAAI since 2002 [36].

As can be inferred from the scientific work published, three main approaches (among many proposals) have emerged in connection with (1): (a) Multi Agent Systems [31], [7], [19], [14] (decomposition and organization of constituents (i.e. agents) performing autonomous tasks); (b) Soft Computing [42], [6] (using uncertainty as the fundamental feature in such a way that it manages granularity and human perceptions by simple, hybrid approaches such as fuzzy logic and neural networks); and (c) Evolutionary Computing [21] (a treatment analogous to the evolutionary process of biological species over a certain period, i.e. evolution). In connection with question (2), it is ideal to identify a canonical representation such that any methodologies of artificial intelligence are consistently integrated on it. In fact, the above approaches are being successfully adopted among professionals mainly because of such a canonical representation supporting (a) a protocol (i.e. language) of messages shared among multiple agents, (b) extensions of logic that allow representing various types of uncertainty, and (c) the framework of representing problems as a collection of chromosomes and associated genetic operations.

B. Architecture

In general, a multi agent system architecture in which agents are distributed over network hosts is sought. The system consists of the following components:

1) Data Collection Agent (DCA): This agent collects data from configuration sensors such as the process table and network packet dump through an application programming interface (API) within the operating system (OS) and saves them within the knowledge base (KB).

2) Data Mining Agent (DMA): This agent discovers relations from collected data and other knowledge stored in the knowledge base (KB) that might be useful for query processing.
3) Query Processing Agent (QPA): This agent receives a query from a user, broadcasts it, obtains responses from other agents and aggregates them in order to produce an overall response to the query.

4) Knowledge Base (KB): A knowledge base on the particular network and security data.

On each network host, a DCA with sensors for process tables, a DMA, a QPA and a KB are embedded. They perform security knowledge management tasks on a single host. Network packets on a subnet are captured and processed by the network packet black box (NPBB). One NPBB is placed at each subnet that is to be managed within this security knowledge management. It does not transmit any packets other than responses to queries broadcast from other hosts. Taking into consideration the nature of agents and the KB residing within hosts (i.e. as embedded systems), it is very likely that the size of the KB is limited. To compensate for this, a knowledge management query server (KMQS) can be placed at an arbitrary location in the entire network. The KMQS is usually a high-performance machine with large disk space, powerful CPUs (or a cluster of CPUs), and a gigabit-Ethernet network interface. Any host can transfer the contents of its KB to the KMQS during a period of low network traffic (e.g., midnight). The nature of the multi agent system architecture naturally serves as an "add-on" to currently existing network security administration tools (e.g., snort and tcpdump). This eliminates the major overhead of system migration.

C. Knowledge Representation and Reasoning

In order to deploy agents for the intelligent tasks described above, a canonical framework for artificial intelligence is needed. Taking into consideration the data format (tabular) and knowledge (i.e. IF-THEN rules) used by these agents, the logic programming (LP) paradigm presents obvious advantages over object-oriented programming and functional programming [10]. In the LP paradigm, a program is represented as a collection of Horn clauses $((c)(h_1) \ldots (h_n))$ in which $c, h_1, \ldots, h_n$ denote predicates, with the constraint that $c$ must be positive. Such clauses can be viewed as a special case of IF-THEN rules (one consequence and multiple hypotheses connected conjunctively): "IF $h_1 \wedge \cdots \wedge h_n$ THEN $c$", where $\wedge$ denotes conjunction. In Support Logic Programming (SLP) [4], Horn clauses have been extended to include a certainty support, encoded as a support pair, which is in fact a probability interval. SLP is implemented in the artificial intelligence language called FRIL (Fuzzy Relational Inference Language), which also contains a pure PROLOG system and a true integration between this and the SLP component. The basic clause format in SLP is
$$((c)(h_1) \ldots (h_n)) : ((l_1\ u_1)(l_2\ u_2))$$
to capture
$$l_1 \le P(c \mid h_1 \wedge \cdots \wedge h_n) \le u_1 \quad\text{and}\quad l_2 \le P(c \mid \neg[h_1 \wedge \cdots \wedge h_n]) \le u_2 .$$
The pairs $(l_i, u_i)$ are called support pairs.
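What a support pair buys at inference time, as an added example in Python (it is neither FRIL's implementation nor a computation the paper spells out): the two conditional intervals above are pushed through the theorem of total probability to obtain an interval for the head, and the special pairs the section goes on to enumerate (open world, PROLOG clause, true negation, if-and-only-if) fall out as corner cases. The rule, its predicate names and numbers are constructed in the domain of Scenario 5; treating the body predicates of a conjunction as independent is an assumption of the example, not of the paper.

```python
# Added example, not FRIL's code: propagating Support Logic Programming
# support pairs through one Horn clause, read directly off the interval
# semantics of Section III.C.  Rule, predicate names and numbers are
# constructed for illustration.


def head_support(pair_if, pair_if_not, body):
    """Support (lower, upper) for the head c of
        ((c)(h1)...(hn)) : (pair_if pair_if_not)
    given support `body` = (a, b) for h1 ^ ... ^ hn.
    By the theorem of total probability
        P(c) = P(c|body) * P(body) + P(c|not body) * (1 - P(body)),
    which is monotone in each conditional and linear in P(body), so the
    extremes are reached at the interval endpoints."""
    l1, u1 = pair_if
    l2, u2 = pair_if_not
    a, b = body
    lower = min(l1 * a + l2 * (1 - a), l1 * b + l2 * (1 - b))
    upper = max(u1 * a + u2 * (1 - a), u1 * b + u2 * (1 - b))
    return (lower, upper)


def conj_support(*pairs):
    """Support for a conjunction of body predicates.  Assumption of this
    example (not stated by the paper): the predicates are probabilistically
    independent, so the bounds multiply."""
    lower, upper = 1.0, 1.0
    for l, u in pairs:
        lower *= l
        upper *= u
    return (lower, upper)


# The special support pairs of Section III.C.
OPEN_WORLD = (0.0, 1.0)   # nothing is known about the conditional
PROLOG = (1.0, 1.0)       # ordinary PROLOG clause
NEGATION = (0.0, 0.0)     # true negation, not negation by failure

# Constructed rule for the Tripwire case of Scenario 5:
#   ((intrusion F)(unexpected_modification F)(no_privileged_login F))
#       : ((0.9 1)(0 0.1))
# i.e. an unexplained modification is an intrusion with probability
# in [0.9, 1]; without that evidence, in [0, 0.1].
RULE_IF, RULE_IF_NOT = (0.9, 1.0), (0.0, 0.1)


def intrusion_support(modification, no_priv_login):
    """Support for (intrusion F) given supports for the two body facts."""
    body = conj_support(modification, no_priv_login)
    return head_support(RULE_IF, RULE_IF_NOT, body)


if __name__ == "__main__":
    # Tripwire is certain of the modification; the login check is only
    # [0.8, 1] sure (e.g. an incomplete login record).
    print(intrusion_support((1.0, 1.0), (0.8, 1.0)))
```

With a PROLOG pair for the "if" part and an open-world pair for the "if not" part, a body known to be false yields (0, 1) for the head, which is the open-world reading; putting a true-negation pair on the "if not" part instead makes the head track the body exactly, the if-and-only-if case. For the intrusion rule, an uncertain login check widens the head interval from the rule's own [0.9, 1] to [0.72, 1]: the lower bound is what a utility program should compare against before it reports an incident.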
Particular values are used to capture different situations:
1) open world semantics: $(l_i\ u_i) = (0\ 1)$, for one or both values of $i = 1, 2$;
2) PROLOG clause: $l_1 = u_1 = 1$;
3) true negation (as opposed to negation by failure): $l_1 = u_1 = 0$;
4) if-and-only-if conditions: $l_1 = u_1 = 1$ and $l_2 = u_2 = 0$.

Support Logic Programming supports the representation of fuzzy sets as arguments of predicates. This representation relies on the Mass Assignment Theory (MAT) [4] underlying Support Logic Programming, according to which a fuzzy set is equivalent to a family of probability distributions. This representation has a twofold impact: (1) the family for a given fuzzy set can be selected so as to convey the intended meaning of the linguistic label attached to the fuzzy set in question; (2) inference with fuzzy sets can be converted into operations with probability distributions. With respect to (1), it can be said that this feature adds a learning component to the theory of fuzzy sets, such that, if so desired, a fuzzy set can be obtained directly from the data, without any subjectivity of the system designer; still, the fuzzy set so obtained is in a format that is easily compatible with the one which would be provided by the designer (for example, the notion of high from high traffic can be captured by a fuzzy set based on the history of actual traffic on the network, and expressed in a format comparable and compatible with that described by the system administrator). With respect to (2), expressing a fuzzy set in terms of probability distributions allows support pairs to be extracted from inference steps with fuzzy sets. Most important in this direction is the notion of semantic unification, according to which fuzzy sets on the same domain can be unified: for example, considering the fuzzy sets for high, medium, low, etc., semantic unification will produce support for any one of them given one or a combination (such as intersection or union) of the others (e.g. high given medium, or high given (medium and not low)).

D. Data Mining

Data mining can be viewed as a collection of inductive processes on collected data stored within a KB in order to construct new knowledge. Such processes include well established clustering algorithms such as EM methods, k-means and fuzzy c-means [5] as well as algorithms to find various association rules [12], [9]. Such new knowledge can be represented in the uniform knowledge representation, i.e. Horn clauses whose consequences are specific events and whose hypotheses are attributes with configurations of point values, intervals or fuzzy sets. Useful knowledge concerning abnormal computational activities may be generated collaboratively, such that DMAs embedded within hosts generate association rules of processes, DMAs within NPBBs generate association rules of network packets, and the DMA on the KMQS identifies the association rules among all of those association rules.
Primary characteristics of network packet data are that it is temporal, sparse, imbalanced, with multiple views in terms of OSI layers as well as various application protocols, and very likely non-stationary. These characteristics bring challenges for data mining tasks, especially those performed on NPBBs. The following approaches are currently underway.

1) Learning from imbalanced data sets: The issue of learning from imbalanced data sets is currently drawing a lot of attention from the Machine Learning community (e.g., the second workshop on the topic at ICML-2003). This issue is currently being approached by treating the problem in the framework of a fuzzy classifier. Initial promising results in this direction have already been presented [41] or accepted for presentation [40].

Why a fuzzy classifier? The motivation for selecting the fuzzy set approach is as follows:
1) A fuzzy set can capture each class in a meaningful way reflecting the underlying distribution.
2) Since the construction of a fuzzy set takes into account the size of the training data per class, issues of imbalance do not occur: in fact, in [41] it was shown that imbalance alone affects the classification results very little (or not at all), whereas noise, or its combination with imbalance, affects the classification more; still, noise can be dealt with using fuzzy sets, which is very important, since if/when a re-balancing of the classes is done, noise cannot be excluded.
3) The fuzzy set for each class can also be updated online, as new training data become available. In this setting the balance changes, and indeed examples may change classes (e.g. for network security data, an increase in traffic may not always signify an attack on the system).
4) The fuzzy classifier both learns each class and discriminates between classes, so that classification results can be ranked, and a given test datum may belong to both classes with different degrees. This does not preclude a crisp decision. Instead, it gives the possibility to further investigate and query the system.
5) Finally, using a fuzzy set for class representation allows for the definition of new error models (while not ruling out any of the existing ones such as prediction error, F-measures, etc.).

The answer will be sought in this direction, addressing the following issues:
1) Online learning from imbalanced data: an algorithm for incremental "tuning" of a fuzzy set as new data become available.
2) New error models for learning from imbalanced data: an algorithm for defining the prediction error taking into account the degree of class prediction for a given test datum.
3) Data-driven methods for re-balancing training data: algorithms for up-sampling the positive class (the small class) based on its current distribution and imbalance factor. Ways of detecting the reason for imbalance (a truly rare class, or just few training examples) will also be explored.

The basic methodology exploits the correspondence between fuzzy sets and probability distributions (the relative frequency distribution of the training data), mediated by MAT, to obtain the best fuzzy classifier.

2) Reinforcement Learning for Network Security: Reinforcement adjusts currently existing knowledge when inconsistencies are encountered.
Such inconsistencies include, but are not limited to, false positive samples (i.e. recognized as positive though negative: no intrusion) and false negative samples (i.e. recognized as negative though positive: intrusion). The following reinforcement processes will be performed as background processes within agents:
1) Adjustment of probabilities, supports (i.e. intervals of probabilities), and fuzzy probabilities associated with clauses.
2) Adjustment of fuzzy sets associated with fuzzy predicates within clauses.
3) Merging of multiple clauses (generalization).
4) Splitting a single clause into multiple clauses (specialization).

Reinforcement can be viewed as an incremental optimization process aimed at minimizing false recognitions (both false positive and false negative) [37]. Additional criteria include the minimum amount of knowledge and the finest specification to avoid false negatives. A preliminary study on support vector machines and reinforcement as optimization is currently underway [23] and will be developed further as part of this work. Merging and splitting of clauses can be performed within the framework of computational analogy [30], extended with the use of fuzzy sets [17], to identify structural similarities, i.e. an analogy (a general clause) between two clauses (specific clauses) containing predicates. This corresponds to the identification of general-to-specific relations among knowledge items.

E. Query Processing

Query processing consists of (1) parsing the query language into the equivalent LP query, (2) broadcasting the query to other agents and obtaining their responses, and (3) generating the final response to the query by summarizing and aggregating those responses from other agents. Queries are exchanged through an inter-process communication framework such as TCP/IP sockets. Queries can be placed among agents as well as from system administrators to agents through the query language parser. The proposed approach follows the work aiming toward standardization such as AgentLink (a European Network of Excellence) [1] and the Foundation for Intelligent Physical Agents (FIPA) [10]. By nature, human beings prefer managing their knowledge linguistically. Reflecting this in the design of the query language and its processing, a knowledge representation capable of managing consistency between linguistic expressions and numeric expressions is advantageous. The canonical framework of artificial intelligence proposed here is very well suited for this purpose, as all events are represented as predicates (both crisp and fuzzy) associated with probabilities, supports or fuzzy probabilities.
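The three query-processing steps on a toy scale, as an added Python example that is not the paper's code: a regular-expression parser for the shape of the Count queries used in Section II stands in for the parse to an LP query, agents are simulated as in-process record sets instead of processes reached over TCP/IP sockets, and the QPA's aggregation ranks the merged answer. The grammar, the record layout and the packet records are constructed.

```python
# Added example, not the paper's code: the three query-processing steps of
# Section III.E on a toy scale.  The query grammar, the record layout and the
# packet records are constructed; agents are simulated as in-process
# dictionaries instead of processes reached over TCP/IP sockets.
import re
from datetime import datetime, timedelta

# Step 1: a parser for "Count [outgoing|incoming] packets from all hosts in
# Network X where time > now - N min", the shape used in Scenario 1.
QUERY = re.compile(
    r"count\s+(?:(?P<dir>incoming|outgoing|all)\s+)?packets\s+"
    r"(?:from|in)\s+all\s+hosts\s+in\s+(?P<net>network\s+\w+)\s+"
    r"where\s+time\s*>\s*now\s*-\s*(?P<mins>\d+)\s*min",
    re.IGNORECASE,
)


def parse(text):
    """Structured query (the stand-in for the equivalent LP goal)."""
    m = QUERY.fullmatch(text.strip().rstrip("."))
    if m is None:
        raise ValueError("unsupported query: " + text)
    return {
        "op": "count",
        "direction": (m["dir"] or "all").lower(),
        "network": m["net"].title(),
        "window": timedelta(minutes=int(m["mins"])),
    }


# Constructed NPBB records: (timestamp, network, host, direction).
NOW = datetime(2004, 3, 1, 12, 0, 0)


def _t(minutes_ago):
    return NOW - timedelta(minutes=minutes_ago)


AGENT_RECORDS = {
    "npbb-netA": [
        (_t(2), "Network A", "lab-pc1", "outgoing"),
        (_t(3), "Network A", "lab-pc1", "incoming"),
        (_t(40), "Network A", "lab-pc2", "outgoing"),
    ],
    "npbb-netB": [(_t(1), "Network B", "dhcp122", "outgoing")] * 5
    + [(_t(4), "Network B", "dhcp087", "outgoing")] * 2
    + [(_t(25), "Network B", "dhcp087", "outgoing")] * 3
    + [(_t(6), "Network B", "dhcp122", "incoming")],
}


def agent_answer(records, q, now=NOW):
    """Step 2, agent side: per-host counts of the records this agent holds
    that satisfy the query's predicates (network, window, direction)."""
    counts = {}
    for ts, net, host, direction in records:
        if net != q["network"] or now - ts > q["window"]:
            continue
        if q["direction"] != "all" and direction != q["direction"]:
            continue
        counts[host] = counts.get(host, 0) + 1
    return counts


def process(text, agents=AGENT_RECORDS):
    """Steps 2 and 3, QPA side: broadcast the parsed query to every agent and
    aggregate the partial answers into one ranked response."""
    q = parse(text)
    total = {}
    for records in agents.values():                  # broadcast
        for host, n in agent_answer(records, q).items():
            total[host] = total.get(host, 0) + n     # aggregate
    return sorted(total.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    print(process("Count outgoing packets from all hosts in Network B "
                  "where time > now - 10min."))
```

Each agent applies the query's predicates to its own records and returns only per-host counts, which is what keeps the NPBB from transmitting anything beyond query responses. Because the final answer is the sum of whatever the agents return, any party that can answer a broadcast on the socket can skew it; in a real deployment the transport therefore has to authenticate the responding agents, a point the paper leaves to the implementation.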
Fuzzy sets have demonstrated their strength as a dual representational framework for linguistic and numeric expressions in many applications [43]. A computational framework for managing such a mixture is extensively studied under the concept of Perceptual Information Processing (PIP) proposed in [18]. It offers the capability of processing a query containing a linguistic expression that may be interpreted differently, in terms of the definitions of fuzzy sets for the linguistic expression, by multiple agents.

IV. CONCLUDING SUMMARY

A road map of knowledge management for network security has been presented. It suggests that Soft Computing plays the key roles within a unified framework of artificial intelligence underlying the multi agent system architecture. Various research projects concerning issues presented in this road map are being pursued under the direction of the authors.

ACKNOWLEDGMENT

Atsushi Inoue is currently serving as the director of the Cyber Security Program and the Inland Northwest Security System Initiative (INSSI) within the Department of Computer Science at Eastern Washington University. His research is in part supported by EWU's congressionally directed grant for the Technology Initiative for New Economy Development (TINE).

REFERENCES

[1] AgentLink Official Web Site, http://www.agentlink.org/
[2] J. H. Allen, The CERT Guide to System and Network Security Practices, Addison Wesley, 2001.
[3] S. Axelsson, Intrusion Detection Systems: A Survey and Taxonomy, Technical Report 99-15, Department of Computer Engineering, Chalmers University, 2000.
[4] J. F. Baldwin et al., Fril: Fuzzy and Evidential Reasoning in Artificial Intelligence, Research Studies Press, 1995.
[5] J. C. Bezdek, A Convergence Theorem for the Fuzzy ISODATA Clustering Algorithms, IEEE Trans. Pattern Anal. and Machine Intell., Vol. PAMI-2, No. 1, pp. 1-8, Jan. 1980.
[6] BISC Web Site, http://www-bisc.cs.berkeley.edu/bisc/bisc.memo.html#what_is_sc
[7] J. M. Bradshaw (Ed.), Software Agents, AAAI Press, Menlo Park, Calif., 1997.
[8] CERT/CC Official Web Site, http://www.cert.org/
[9] U. M. Fayyad et al. (Eds.), Advances in Knowledge Discovery and Data Mining, MIT Press, 1996.
[10] FIPA Official Web Site, http://www.fipa.org/
[11] R. Gamble (Ed.), Using AI for Knowledge Management and Business Process Reengineering, AAAI Workshop, Madison, WI, 1998.
[12] D. J. Hand, H. Mannila, P. Smyth, Principles of Data Mining (Adaptive Computation and Machine Learning), MIT Press, 2001.
[13] Honeyd Project Official Web Site, http://www.honeyd.org/
[14] M. N. Huhns, M. P. Singh (Eds.), Readings in Agents, Morgan Kaufmann Publishers, San Francisco, Calif., 1998.
[15] IAAI Official Web Site, http://www.aaai.org/Conferences/IAAI/
[16] IJCAI Official Web Site, http://www.ijcai.org/
[17] A. Inoue, S. Tano, T. Iwatani, W. Okamoto, R. Fujioka, An Acquisition Method of Implicit Knowledge Using Fuzzy Analogy, IFES-95 and FUZZ/IEEE-95, Vol. 3, pp. 1581-1588, 1995.
[18] A. Inoue, A. L. Ralescu, Computational Model of Perceptual Information Processing, Proceedings of the 8th IEEE International Conference on Fuzzy Systems (FUZZ/IEEE-99), Seoul, South Korea, pp. 824-829, 1999.
[19] N. R. Jennings, M. Wooldridge, Intelligent Agents: Theory and Practice, The Knowledge Engineering Review, Vol. 10, No. 2, pp. 115-152, 1995.
[20] T. J. Klevinsky et al., Hack I.T.: Security Through Penetration Testing, Addison Wesley, 2002.
[21] J. R. Koza et al., Genetic Programming IV: Routine Human-Competitive Machine Intelligence, Kluwer Academic Publishers, 2003.
[22] S. Manganaris et al., A Data Mining Analysis of RTID Alarms, RAID Workshop, 1999.
[23] J. Mill, A. Inoue, Reinforcement of Support Vector Classifier, accepted to IPMU-2004, July 4-9, 2004.
[24] P. Miller, J. Mill, A. Inoue, Synergistic and Perceptual Intrusion Detection and Reinforcement (SPIDER), Proceedings of the 14th Midwest Artificial Intelligence and Cognitive Science Conference (MAICS-03), Cincinnati, OH, pp. 102-108, 2003.
[25] D. Moore et al., The CoralReef Software Suite as a Tool for System and Network Administrators, Proceedings of LISA-2001, 2001.
[26] National Security Agency Official Web Site, http://www.nsa.gov/
[27] S. Northcutt et al., Inside Network Perimeter Security, New Riders, 2003.
[28] S. Northcutt et al., Intrusion Signatures and Analysis, New Riders, 2003.
[29] M. J. Prietula et al., Simulating Organizations: Computational Models of Institutions and Groups, MIT Press, 1998.
[30] S. J. Russell, The Use of Knowledge in Analogy and Induction, Morgan Kaufmann, 1989.
[31] S. J. Russell, P. Norvig, Artificial Intelligence: A Modern Approach (2nd ed.), Prentice Hall, 2003.
[32] SANS Official Web Site, http://www.sans.org/
[33] D. Schweitzer, Incident Response: Computer Forensics Toolkit, Wiley, 2003.
[34] R. G. Smith, A. Farquhar, The Road Ahead for Knowledge Management: An AI Perspective, AI Magazine, Winter 2000, pp. 17-40.
[35] Snort Official Web Site, http://www.snort.org/
[36] G. S. Sukhatme, T. Balch (Eds.), Intelligent Distributed and Embedded Systems, AAAI Spring Symposium, 2002.
[37] R. S. Sutton, A. G. Barto, Reinforcement Learning: An Introduction, MIT Press, 1998.
[38] tcpdump Official Web Site, http://www.tcpdump.org/
[39] Tripwire Official Web Site, http://www.tripwire.com/
[40] S. Visa, A. Ralescu, Fuzzy Classifiers for Imbalanced, Complex Classes of Varying Size, accepted for presentation at IPMU-2004, July 4-9, 2004, Perugia, Italy.
[41] S. Visa, A. Ralescu, Learning from Imbalanced and Overlapped Data using Fuzzy Sets, Proceedings of the Twentieth International Conference on Machine Learning (ICML-2003), Washington DC, August 2003 (page numbers not yet available).
[42] L. A. Zadeh, Toward a theory of fuzzy information granulation and its centrality in human reasoning and fuzzy logic, Fuzzy Sets and Systems 90, pp. 111-127, 1997.
[43] L. A. Zadeh, From Computing with Numbers to Computing with Words: From Manipulation of Measurements to Manipulation of Perceptions, IEEE Transactions on Circuits and Systems I, Vol. 45, No. 1, pp. 105-119, 1999.