Publications

Previously, researchers have attempted to apply machine learning techniques to network anomaly detection problems. Due to the staggering amount of variety that can occur in normal networks, the results have often been underwhelming. These challenges are far less pronounced when considering industrial control system (ICS) networks. The recurrent nature of these networks results in less noise and more consistent patterns for a machine learning algorithm to recognize. Here, we propose a method of evolving decision trees through genetic programming (GP) in order to detect network anomalies, such as device outages. Our approach extracts over a dozen features from network packet captures and netflows, normalizes them, and relates them in decision trees using fuzzy logic operators. Furthermore, the trees were used to detect three specific network events from three different points on the network across a statistically significant number of runs and achieved 100% accuracy on five of the nine experiments. When the trees attempted to detect more challenging events at points of presence further from the occurrence, the accuracy averaged to above 98%. Finally, using our method, all of the evolutionary cycles of the GP algorithm are computed a-priori, allowing the best resultant trees to be deployed as semi-real-time sensors with little overhead.

Researchers have previously attempted to apply machine learning techniques to network anomaly detection problems. Due to the staggering amount of variety that can occur in normal networks, as well as the difficulty in capturing realistic data sets for supervised learning or testing, the results have often been underwhelming. These challenges are far less pronounced when considering industrial control system (ICS) networks. The recurrent nature of these networks results in less noise and more consistent patterns for a machine learning algorithm to recognize. We propose a method of evolving decision trees through genetic programming (GP) in order to detect network anomalies, such as device outages. Our approach extracts over a dozen features from network packet captures and netflows, normalizes them, and relates them in decision trees using fuzzy logic operators. We used the trees to detect three specific network events from three different points on the network across a statistically significant number of runs and achieved 100% accuracy on five of the nine experiments. When the trees attempted to detect more challenging events at points of presence further from the occurrence, the accuracy averaged to above 98%. On cases where the trees were many hops away and not enough information was available, the accuracy dipped to roughly 50%, or that of a random search. Using our method, all of the evolutionary cycles of the GP algorithm are computed a-priori, allowing the best resultant trees to be deployed as semi-real-time sensors with little overhead. In order for the trees to perform optimally, buffered packets and flows need to be ingested at twenty minute intervals.

Abstract not provided.

Current manual techniques of static reverse engineering are inefficient at providing semantic program understanding. We have developed an automated method to categorize applications in order to quickly determine pertinent characteristics. Prior work in this area has had some success, but a major strength of our approach is that it produces heuristics that can be reused for quick analysis of new data. Our method relies on a genetic programming algorithm to evolve decision trees which can be used to categorize software. The terminals, or leaf nodes, within the trees each contain values based on selected features from one of several attributes: system calls, byte n-grams, opcode n-grams, cyclomatic complexity, and bonding. The evolved decision trees are reusable and achieve average accuracies above 95% when categorizing programs based on compiler origin and versions. Developing new decision trees simply requires more labeled datasets and potentially different feature selection algorithms for other attributes, depending on the data being classified.