Available online at www.sciencedirect.com

Procedia Engineering 15 (2011) 3313–3317
www.elsevier.com/locate/procedia

Advanced in Control Engineering and Information Science

Security Situation Prediction Based on Dynamic BP Neural with Covariance

Chenghua Tang a,*, Yi Xie b, Baohua Qiang a, Xin Wang a, Ruixia Zhang a

a School of Computer Science and Engineering, Guilin University of Electronic Technology, Guilin 541004, China
b Department of Information Science and Technology, Sun Yat-Sen University, Guangzhou 510275, China

Abstract

Situation prediction is the higher-level goal of situation assessment. To overcome the limitations of situation assessment, namely its dependence on experts to give the weights and its lack of self-learning in data processing, a method of network security situation prediction based on dynamic BP neural with covariance is proposed. The traditional error function is replaced by a maximum likelihood error function, and the impact of sample covariance and noise on network training is considered. The situation sequences established through the situation assessment model are used as the training input sequences, and the values of the appointed parameters are dynamically adjusted by self-learning during back propagation training. The new method makes fuller use of the characteristics of the network: the more complex the network and the finer the grain size, the higher the efficiency. Experimental results show that the method approximates the situation better and provides an effective way of strategic early warning for network security.

© 2011 Published by Elsevier Ltd. Open access under CC BY-NC-ND license. Selection and/or peer-review under responsibility of [CEIS 2011]

Keywords: situation prediction; network security; dynamic BP neural; covariance

* Corresponding author. Tel.: +0-086-773-2295160; fax: +0-086-773-2290305. E-mail address: [email protected].
1877-7058 © 2011 Published by Elsevier Ltd. Open access under CC BY-NC-ND license. doi:10.1016/j.proeng.2011.08.621

1. Introduction

As a prerequisite for network security early warning, situation prediction technology remains an open problem. Most current techniques are part of situation assessment technology and only decide whether to issue an early warning after the situation has been evaluated. The main methods in use, multi-sensor data fusion [1], AHP [2], flow analysis [3], etc., rely on specialists to give the initial weights of the security situation elements, require manual changes to the weights during operation, and some of the algorithms have no self-learning ability. Kijewski studied a prototype framework for early warning and attack identification [4]. The Honeynet Project proposed predicting the intent of intruders and possible future attacks using moving average models and other statistical theory [5]. The SecurityFocus organization was the first to provide a network security warning product, ARIS, which obtains data from IDS sensors in more than 160 countries around the world to achieve safety prediction, but it relies too heavily on passively detected data. In China, HU Wei proposed an improved Grey Verhulst prediction model [6]. Xiang ZHANG proposed a network attack prediction method based on vector machines [7]. WEI Yong proposed a hierarchical node and network security posture correction algorithm and a trend-curve prediction chart based on audit logs [8]. This paper presents a security situation prediction method based on dynamic BP neural with covariance, introduces the concept of situation sequences, and adjusts the values of the specified parameters by self-learning during the back propagation process.

2. Situation prediction control

A BP neural network can predict the future trend of the network security situation index. The prediction error is obtained by analysing and comparing the actual situation output with the predicted output; it is then fed back to the network security situation prediction model as the training signal for adjusting the situation index weights, see Fig. 1.

Fig. 1. The training process of situation prediction

Successful application of system identification with the BP algorithm depends on the quality of the training samples, because the BP training algorithm does not consider the error of the training samples: the least-squares error gives the best value of the error function only when the deviations follow a Gaussian distribution. The error function guides the learning process, and its ultimate goal is to drive the fitting error of every sample towards zero, that is, to make the network output for each sample approximate the noise-polluted output rather than the real output. With noisy samples this means, in practice, that more iterations and a smaller training error bring worse generalization capability and a significantly lower efficiency. The error function based on dynamic covariance takes the sample error into account. Training can then also consider the network's approximation behaviour and estimate the noise distribution in order to offset the pollution from noisy data, giving more efficient approximation results.

3. Dynamic BP neural with covariance

Given the sample data set $(X_i, Y_i^m)$, $i = 1, 2, \ldots, N_m$, the network output vector $\hat{y}_i^m$ and a set of weights $W$, if the samples are statistically independent, repeated application of Bayes' formula gives the joint probability density of all the samples:

$$L(W) = P(\hat{y}^m_1, \hat{y}^m_2, \ldots, \hat{y}^m_{N_m} \mid W) = \prod_{i=1}^{N_m} p(\hat{y}^m_i \mid W) \qquad (1)$$

All the differences between the sample output and the actual output derive mainly from sample noise, so the fitting error must be the main consideration. Assuming the sample output error obeys the Gaussian distribution, the density function of the network output vector is:

$$P(\hat{y}^m_i \mid W, \mu, \sigma) = (2\pi |C_{y_i}|)^{-1/2} \exp\left\{-\frac{(y^m_i - \hat{y}^m_i)^T (y^m_i - \hat{y}^m_i)}{2\,\mathrm{cov}[\hat{y}^m_i \mid y^m_{i-1}]}\right\} \qquad (2)$$

According to maximum likelihood theory, with the parameters $\mu$, $\sigma$ determined, the $W^*$ that maximizes the likelihood function $L(W)$ is the optimal estimate of $W$, and this is equivalent to minimizing the following error function:

$$E(W, \mu, \sigma) = -2 \ln L(W, \mu, \sigma) \qquad (3)$$

Substituting equations (1) and (2) into equation (3) and omitting the constant term gives:

$$E(W, \mu, \sigma) = \sum_{i=1}^{N_m} \frac{(y^m_i - \hat{y}^m_i)^T (y^m_i - \hat{y}^m_i)}{C_{y_i}} \qquad (4)$$

The term $\mathrm{cov}[\hat{y}^m_i \mid y^m_{i-1}]$ in equation (2) is the conditional covariance matrix of the output sample.

4. Situation prediction model based on dynamic BP neural

4.1. Modeling situation assessment

Depending on the data, services, hosts, vulnerabilities and so on, a situation assessment model can be established; the function $F_H$ denoting the host security situation of the network is:

$$F_H(H, V, F_S, t) = V \cdot F_S(t) = V \cdot N(t) \cdot 10^{D(t)} \qquad (5)$$

where $H$ denotes the target hosts on the network, $V$ the weight of each open service on the host, and $F_S$ the security situation index of the target network service, which depends on the types of services, the number of attacks, etc. [2]

4.2. Modeling situation prediction

Once the current network security situation has been assessed, a situation prediction model based on dynamic BP neural can be established for nonlinear time series prediction of the situation sequences. According to equation (1), the prediction function model for the service security situation of the target network is:

$$F_S(t+(n+1)) = f\left(\sum_{i=1}^{n} F_S(t+i)\right) \qquad (6)$$

A nonlinear relationship can be recognized between $F_S(t+(n+1))$ and $\sum_{i=1}^{n} F_S(t+i)$. The prediction function model for the host security situation is similar and is not explained further. According to Kolmogorov's mapping existence theorem for multi-layer neural networks, this nonlinear mapping can be approximated by a three-layer feed-forward artificial neural network. The known situation time series then act as the network input, and the network output is the identified situation prediction. Based on the historical and current situation values, a multi-input single-output BP artificial neural network prediction model for the service and the host can be established:

$$P(\hat{y}^m_i \mid W) = (2\pi |C_{y_i}|)^{-1/2} \exp\left\{-\frac{(y^m_i - \hat{y}^m_i)^T (y^m_i - \hat{y}^m_i)}{2 C_{y_i}}\right\} \qquad (7)$$

where $\hat{y}^m_i$ and $y^m_i$ are respectively the actual output and the expected output of neuron $i$ of layer $m$, corresponding to the situation prediction value. The neural network is then trained so that the fitting error $(y^m_i - \hat{y}^m_i)$ tends to zero, the weights are adjusted by self-learning to find the optimal parameters, and finally the prediction model is output. The network output is the desired service or host situation prediction value for the next moment.
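The following is an added worked example, not code from the paper or its authors. It covers Section 3 and Section 4 together: it builds a service situation series with the $F_S$ term of equation (5) from constructed attack counts, forms the sliding-window samples of equation (6), and trains a three-layer BP network with the covariance-weighted error of equation (4), in pure Python. Assumptions not taken from the paper: the per-sample covariance $C_i$ is estimated as the variance of that sample's $n$ input values (floored, and scaled so the weights average 1); the host value is a weighted sum over the host's services; the network size, learning rate, function names and all data are constructed.

```python
"""Added example (not the paper's code): Eq. (5) assessment, Eq. (6)
windows, and a BP network trained on the Eq. (4) covariance-weighted error."""
import math
import random


def service_situation(n_attacks, severity):
    """Service term of Eq. (5): F_S(t) = N(t) * 10**D(t)."""
    return n_attacks * 10 ** severity


def host_situation(service_weights, service_values):
    """Host term of Eq. (5), F_H = V * F_S, taken here (assumption) as the
    weighted sum over the host's open services."""
    return sum(v * f for v, f in zip(service_weights, service_values))


def make_windows(series, n):
    """Eq. (6): each sample maps n consecutive values to the (n+1)-th."""
    return [(tuple(series[i:i + n]), series[i + n])
            for i in range(len(series) - n)]


def sample_covariances(samples, floor=5e-3):
    """Assumed estimate of C_i in Eq. (4): variance of sample i's n inputs.
    The floor stops a flat window from getting an unbounded weight; scaling
    so that the weights 1/C_i average 1 changes E only by a constant factor,
    so the minimizer is unchanged."""
    raw = []
    for x, _ in samples:
        mean = sum(x) / len(x)
        raw.append(max(floor, sum((v - mean) ** 2 for v in x) / len(x)))
    inv_mean = sum(1.0 / c for c in raw) / len(raw)
    return [c * inv_mean for c in raw]


class CovarianceBP:
    """Three-layer feed-forward net: tanh hidden layer, linear output."""

    def __init__(self, n_in, n_hidden, lr=0.05, seed=1):
        rng = random.Random(seed)
        self.w1 = [[rng.uniform(-0.5, 0.5) for _ in range(n_in + 1)]
                   for _ in range(n_hidden)]          # +1 is the bias weight
        self.w2 = [rng.uniform(-0.5, 0.5) for _ in range(n_hidden + 1)]
        self.lr = lr

    def forward(self, x):
        xb = list(x) + [1.0]
        h = [math.tanh(sum(w * v for w, v in zip(row, xb))) for row in self.w1]
        return sum(w * v for w, v in zip(self.w2, h + [1.0])), h

    def predict(self, x):
        return self.forward(x)[0]

    def error(self, samples, cov):
        """Eq. (4) with scalar outputs: sum of (y - y_hat)^2 / C_i."""
        return sum((y - self.predict(x)) ** 2 / c
                   for (x, y), c in zip(samples, cov))

    def train(self, samples, cov, epochs):
        """Online back propagation on the Eq. (4) error: each residual is
        weighted by 1/C_i, so noisy samples move the weights less than
        reliable ones (the constant factor 2 is absorbed into lr)."""
        for _ in range(epochs):
            for (x, y), c in zip(samples, cov):
                y_hat, h = self.forward(x)
                delta_out = (y - y_hat) / c
                delta_h = [delta_out * self.w2[j] * (1.0 - h[j] ** 2)
                           for j in range(len(h))]    # tanh' = 1 - h^2
                hb, xb = h + [1.0], list(x) + [1.0]
                for j in range(len(hb)):
                    self.w2[j] += self.lr * delta_out * hb[j]
                for j in range(len(h)):
                    for k in range(len(xb)):
                        self.w1[j][k] += self.lr * delta_h[j] * xb[k]
        return self.error(samples, cov)


def constructed_series(points=60, seed=7):
    """Constructed (not measured) attack counts with severity D(t) = 1,
    one value per 10-hour assessment like the paper's 60-point www series."""
    rng = random.Random(seed)
    counts = [max(0, round(6 + 4 * math.sin(t / 3.0) + rng.gauss(0, 1)))
              for t in range(points)]
    return [service_situation(n, 1) for n in counts]


def run_experiment(n_inputs=4, hidden=6, epochs=300, train_points=45):
    """First 45 assessed values train the net, the last 15 test it."""
    series = constructed_series()
    scaled = [v / max(series) for v in series]       # BP inputs in [0, 1]
    samples = make_windows(scaled, n_inputs)
    split = train_points - n_inputs                  # windows ending in the training span
    train, test = samples[:split], samples[split:]
    cov = sample_covariances(train)
    net = CovarianceBP(n_inputs, hidden)
    before = net.error(train, cov)
    after = net.train(train, cov, epochs)
    test_mse = sum((y - net.predict(x)) ** 2 for x, y in test) / len(test)
    return {"n_train": len(train), "n_test": len(test),
            "train_error_before": before, "train_error_after": after,
            "test_mse": test_mse}
```

Calling `run_experiment()` returns the sample counts (41 training windows, 15 test windows), the Eq. (4) error before and after training, and the mean squared error on the held-out windows. The weighting in `train` is the only place the method differs from plain back propagation: a sample whose inputs are noisy gets a larger $C_i$ and therefore contributes a smaller gradient step, which is the effect the paper's error function is meant to have.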

5. Experiments and results

The experimental environment runs Ubuntu 10.04 LTS, with multi-layer routers, an IDS and a firewall forming a more complex network. Domain 3.5 and Trinity V3 were used to attack the server; all log information was collected and the service or host situation was assessed every 10 hours. Each assessed value together with the previous ones forms the time series that is input to the BP neural, which outputs a situation prediction value; the actual value at the next time point is then calculated for comparison.

Table 1. Comparison of the two BP algorithms

Algorithm                  Running time (s)   Iterations   Convergence error
Covariance BP algorithm    27.625             5874         0.0001
Traditional BP algorithm   144.273            10321        0.0012

The experiment obtains the number of attacks on the www service and assesses its security situation by equation (1). 60 consecutive security situation values of the www service were obtained; the first 45 were used as training samples and the remaining 15 as testing samples, and after pre-processing they were input to the BP neural for training. With the training speed factor pre-set to 0.6 and the target error to 0.0001, the target error was reached after 5874 iterations and about 27.625 s. For comparison, a traditional BP network was used at the same time to test security situation prediction; after 10321 iterations the error had still not reached the goal and 144.273 seconds had been used, as shown in Table 1.

Fig. 2. (a) Prediction of www service security situation; (b) prediction of host security situation

Fig. 2(a) shows the prediction results for the www service security situation based on dynamic BP neural with covariance. Finally, considering the various services on the server, the security situation value of the server host was evaluated and the BP network prediction for the host was drawn by the same method, as shown in Fig. 2(b). The two figures show that the prediction of the BP neural with covariance approximates the true assessed value better.

6. Conclusions

Network security situation prediction is of great significance for discovering potential malicious attacks, reducing the harm caused by attacks, developing an appropriate network security policy and improving emergency response capacity. This paper introduces BP neural and studies its improvement to establish a security situation prediction model based on dynamic BP neural with covariance; the results show that this method can effectively predict the network security situation. It should be noted that the experimental time interval is 10 hours, which is large, and the number of measuring points is small. In fact, the less input information a BP neural has, the slower it converges, so the method should perform better for fine-grained security and time prediction.

Acknowledgements

This work was supported by the National Natural Science Foundation of China under Grant No. 60970146, the Doctoral Fund of Ministry of Education of China under Grant No. 20090171120001, and the Department of Education research project in Guangxi, P.R. China under Grant No. 201012MS088.

References

[1] Onwubiko C. Functional requirements of Situational Awareness in Computer Network Security. Proc of the IEEE International Conference on Intelligence and Security Informatics, June 2009, p. 209-213.
[2] CHEN Xiu-Zhen, ZHENG Qing-Hua, GUAN Xiao-Hong, et al. Quantitative Hierarchical Threat Evaluation Model for Network Security. Journal of Software, 2006, Vol. 17, No. 4, p. 885-897.
[3] Bearavolu R, Lakkaraju K, Yurcik W. NVisionIP: An animated state analysis tool for visualizing netFlows. http://www.cert.org/flocon/2005/presentations/NVisionIPFlocon2005.pdf, 2005.
[4] Piotr Kijewski. ARAKIS: An early warning and attack identification system. Proc of the 16th Annual FIRST Conference, Budapest, Hungary, 2004.
[5] Das S, Lawless D. Trustworthy Situation Assessment via Belief Networks. Proc of the 5th International Conference on Information Fusion, 2002, Vol. 1, p. 543-549.
[6] HU Wei, LI Jian-hua, CHEN Xiu-zhen, et al. Network Security Situation Prediction Based on Improved Adaptive Grey Verhulst Model. Journal of Shanghai Jiaotong University (Science), 2010, Vol. 15, No. 4, p. 408-413.
[7] Xiang ZHANG, Shuping YAO, Chenghua TANG. Assessing the Risk Situation of Network Security for Active Defense. Wuhan University Journal of Natural Sciences, 2006, Vol. 11, No. 16, p. 1718-1722.
[8] WEI Yong, LIAN Yi-Feng. A Network Security Situational Awareness Model Based on Log Audit and Performance Correction. Chinese Journal of Computers, 2009, Vol. 32, No. 4, p. 763-772.
