Threat Prevention using Artificial Intelligence

Abstract
The limitations of each security technology
combined with the growth of cyber attacks
impact the efficiency of information security
management and increase the activities to be
performed by network administrators and
security staff. There is a need for more
automated auditing of cyber trust.
Intelligent systems are emerging computing
systems based on intelligent techniques that
support continuous monitoring and controlling
plant activities. The
base of the research is Artificial Intelligence,
which helps to build a modern Intelligent
Threat Prevention and Sensing Engine in which
two factors form the critical points. The first
is intelligent packet inspection, because there is no
time for full packet inspection in today's huge
data flows. The second is an intelligent first reaction
against hacker activities, because a later reaction
would be too late.
1. Introduction
Making the learning process
invisible and continuous further adds to the
difficulty of this task. The most difficult task for
the AI would be figuring out the connections
between different events. There are several ways
to achieve this, neural networks being the most
prominent.
2. Artificial Intelligence Techniques
AI techniques such as data mining, artificial
neural networks, fuzzy logic, and expert systems
can be integrated with traditional procedural and
statistical methods to analyze the collected data
by sensors, recognize reconnaissance patterns,
filter and correlate events to support security
event management and prevention of intrusions.
These techniques improve the ability of threat
prevention and sensing system to correlate
events generated by a diversified suite of modern
tools used for network management and security
monitoring. Statistical methods have been used
for building intrusion and fault detection models,
but these models lack the capability to learn and
adapt in time. Also, false positive alarming is a
major problem with them.
Ayna Ramesh Jangid
S.E. (Comp)
{ Gangamai College of Engg., Nagaon, Dhule M.S. }
2.1. Expert system
Expert systems are the most common form of
AI applied today in manufacturing,
telecommunications, business, and other areas.
The systems, which are based on expert system
and inference techniques, are not efficient and
scalable because they mainly rely on human
expertise, known facts and statistics implemented
in rules for a specific host or network
and their capability is limited. However,
expert systems evolved toward a new trend of
integration with traditional information
processing, such that in the early nineties
expert systems merged into a new infrastructure
based on knowledge-based technology.
Knowledge-based systems, artificial neural
networks, and fuzzy logic are the most promising
approaches of AI for applications such as fault
and event monitoring, detection, isolation,
diagnosis, supervisory and adaptive control, and
direct control.
An expert system handles problems using a
computer model of expert human reasoning.
However, most expert systems must undergo
continuous maintenance to perform well.
First International Conference on Emerging Trends in Engineering and Technology
978-0-7695-3267-7/08 $25.00 © 2008 IEEE
DOI 10.1109/ICETET.2008.52
2.2 Rule Based Induction
In contrast to expert systems, rule-based
systems automatically develop rules to explain
the historical data they collect. Rules are
modified over the lifetime of a system in order to
keep the rule set accurate and manageable. In
Wisdom & Sense, rules are generated which specify
legal values of features conditioned on the values
of other features. Legality is determined from the
history of data for each feature. Rules can
overlap in specificity due to incomplete
information in the history. Rule pruning occurs if
there are too many legal values for a feature, too
few historical values, the rule is too deep, rules
overlap, or a rule is conditioned on a value
previously determined, in the forest of rules, to be
anomalous. All rules can be used to signal
anomalies, or the most appropriate rules to use
may be determined. TIM’s rules remain in the
rule base only if they are highly predictive or
confirmed by many observations.
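The conditional legal-value rules and two of the pruning criteria described above (too few historical values, too many legal values), as an added Python example that is not code from the paper or from the systems it names. The feature names, the thresholds `MIN_SUPPORT` and `MAX_LEGAL`, the restriction to rules with a single condition, and the audit records are all assumptions constructed for illustration.

```python
from collections import defaultdict
from itertools import permutations

MIN_SUPPORT = 3   # assumed: prune rules backed by too few historical records
MAX_LEGAL = 2     # assumed: prune rules whose target has too many legal values

# Constructed history of audit records (not real traffic).
HISTORY = [
    {"user": "alice", "service": "ssh",  "period": "day"},
    {"user": "alice", "service": "ssh",  "period": "day"},
    {"user": "alice", "service": "http", "period": "day"},
    {"user": "bob",   "service": "http", "period": "day"},
    {"user": "bob",   "service": "http", "period": "night"},
    {"user": "bob",   "service": "http", "period": "night"},
    {"user": "carol", "service": "ftp",  "period": "day"},
]

def induce_rules(history):
    """Return {(cond_feature, cond_value, target_feature): legal_values}."""
    seen = defaultdict(set)      # target values observed under each condition
    support = defaultdict(int)   # number of records backing each condition
    for rec in history:
        for cond, target in permutations(rec, 2):
            key = (cond, rec[cond], target)
            seen[key].add(rec[target])
            support[key] += 1
    # Pruning: drop rules with too little history or too many legal values.
    return {k: v for k, v in seen.items()
            if support[k] >= MIN_SUPPORT and len(v) <= MAX_LEGAL}

def violations(rules, record):
    """List rules whose condition matches but whose target value is not legal."""
    out = []
    for (cond, value, target), legal in rules.items():
        if record.get(cond) == value and record.get(target) not in legal:
            out.append((cond, value, target, record.get(target)))
    return sorted(out)

if __name__ == "__main__":
    rules = induce_rules(HISTORY)
    for rec in ({"user": "alice", "service": "ssh", "period": "night"},
                {"user": "carol", "service": "ftp", "period": "night"}):
        print(rec, "->", violations(rules, rec))
```

The second record raises nothing because every rule that could match it was pruned for lack of history, which shows how sparse history translates into blind spots rather than alarms.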
An example of a system that can be used as a
classifier is a Neural Network.
2.3. Neural Network
As described above, neural networks possess
unique properties which make them not only
attractive but also a qualified tool. First of all,
threat detection systems operate by producing
results in the form of predictions based on
known as well as unknown patterns. With the
use of neural network models it is possible to
comply with this process, since these models
offer the option to train a custom network and
use it as a sort of strainer for new incoming
network connections and thereby detect abnormal
behaviors. Several neural network algorithms are
capable of fulfilling this requirement.
Furthermore, when working with threat
detection one will realize that the dimension of
the data of a network connection is high. There
are many different protocols on different layers
of the internet, with different services,
destinations, sources, etc. The property of
dimensionality reduction and data visualization
in neural networks can be very useful to reduce
the many dimensions of a network connection to
two dimensions. By doing so the features can be
represented in two dimensions and easily
visualized on an (X,Y) coordinate system. This
will help to visually discover connections which
do not fall into the same category or group
(cluster) as the trained and trusted ones. [2]
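An added Python example of the idea above, not code from the paper: the paper does not name a specific network, so a small self-organizing map (Kohonen map) is assumed here as the network that reduces connection features to (X,Y) grid coordinates. The four features, the sample values, the map size and the 1.5x threshold margin are constructed assumptions.

```python
import math
import random

def best_unit(grid, sample):
    """Return ((x, y), distance) for the map unit closest to the sample."""
    return min(((pos, math.dist(w, sample)) for pos, w in grid.items()),
               key=lambda t: t[1])

def train_som(samples, size=4, epochs=60, seed=7):
    """Fit a size x size self-organizing map; returns {(x, y): weights}."""
    rng = random.Random(seed)
    dim = len(samples[0])
    grid = {(x, y): [rng.random() for _ in range(dim)]
            for x in range(size) for y in range(size)}
    for epoch in range(epochs):
        frac = 1.0 - epoch / epochs
        lr = 0.5 * frac + 0.01              # learning rate decays over time
        radius = size / 2 * frac + 0.5      # neighbourhood shrinks over time
        for s in rng.sample(samples, len(samples)):
            (bx, by), _ = best_unit(grid, s)
            for (x, y), w in grid.items():
                h = math.exp(-((x - bx) ** 2 + (y - by) ** 2) / (2 * radius ** 2))
                for i in range(dim):
                    w[i] += lr * h * (s[i] - w[i])
    return grid

# Constructed, normalised features per connection (not real traffic):
# [duration, bytes_sent, bytes_received, distinct_destination_ports]
WEB = [[0.10 + 0.01 * i, 0.20 - 0.01 * i, 0.10, 0.05] for i in range(6)]
INTERACTIVE = [[0.40 + 0.01 * i, 0.50 - 0.01 * i, 0.30, 0.05] for i in range(6)]
TRUSTED = WEB + INTERACTIVE
SCAN_LIKE = [0.05, 0.05, 0.02, 1.00]   # short, tiny payload, many ports

GRID = train_som(TRUSTED)
# Threshold: 1.5x the worst fit among trusted connections (assumed margin).
THRESHOLD = 1.5 * max(best_unit(GRID, s)[1] for s in TRUSTED)

def classify(sample):
    """Map a connection to 2-D map coordinates and flag it if it fits poorly."""
    pos, err = best_unit(GRID, sample)
    return pos, err > THRESHOLD

if __name__ == "__main__":
    for name, s in [("web", WEB[0]), ("interactive", INTERACTIVE[0]),
                    ("scan-like", SCAN_LIKE)]:
        print(name, classify(s))
```

Every input lands on some (X,Y) cell, so the map position alone does not separate an outlier from trusted traffic; the distance to the best-matching unit is what shows that a connection does not belong to any trained cluster.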
3. ITPSE Architecture
The system is based on AI and is open to
different rules forced by the security
administrators, or learned and formed by
self-monitoring of the live traffic. The system is
going to the market only as a self-educated AI
prevention and sensing engine, particularly to
help administrators who do not know how
to form rules, but are good security
professionals. The Intelligent Threat Prevention
and Sensing Engine is divided into two types of
AI engines in close interactivity:
Intelligent Threat Sensing Engine (ITSE) —
satellite modules that power up the bottleneck
packet inspection in today's Threat Detection
Systems. ITSE is based on short-term rules and
a Logical Deduction Machine working in set
time intervals. A new technology of parallel-pipe
intelligent inspection is applied. The results form
the base for the next AI engine;
Intelligent Prevention Engine (IPE)—a central
module that powers up the assessment, builds the
security alerts and fulfills the first reaction
against hacker activities. IPE relies on the ITSE
engine’s output and, as a second, separate Logical
Deduction Machine, considers long-term rules as
examples. If no examples are presented, this
Logical Deduction Machine tries to build
examples from the live traffic and diminish the
false positive alerts by asking questions of the
security experts.
3.1. Self-including agent
Figure 1 shows the basic components of a
self-including agent for security. The cyber
security of an enterprise is observed and/or
controlled, or it serves as a medium for
elementary functioning loop activities. [1]
The agent has percepts (entered through
sensors) as its inputs, and actions as its outputs
(produced by effectors, called actuators).
Software agents are computational units that are
repeated many times within an intelligent system
at many different levels, as the units of
information in all of the subsystems are
aggregated into entities, events and situations, and
goals are decomposed into subgoal tasks that
generate actions or commands. Within each loop,
security sensor processing and security
modeling maintain a knowledge database with a
characteristic range and resolution. At each level,
plans are made and updated with different
planning horizons.
The architecture of an intelligent system is a
specific framework of agents and each agent has
its own architecture. At the core of any intelligent
system is also the concept of a generalized agent.
Agents with similar functions can be gradually
lumped into a group-type agent, which is a generalized
agent. The group agent gives a new world
representation (or new granulation or new
resolution).
Figure 1: Self-including agent
The proposed architecture includes elements of
intelligence to create functional relationships and
information flow between different subsystems.
The elements of intelligence are based on components
using one or more AI techniques: natural
language processing, artificial neural networks,
fuzzy logic.