Data Mining Technologies for Proactive Detection of Security Violations in Large Scale Information Systems

Period of Performance: 04/17/2000 - 01/17/2001

$100K

Phase 1 SBIR

Recipient Firm

Scientific Systems Company, Inc.
500 West Cummings Park Array
Woburn, MA 01801
Principal Investigator

Abstract

Scientific Systems proposes to investigate the use of selected Data Mining technologies for enabling proactive anomaly detection of security violations in large scale information systems. Our main research objective is to verify whether security violations leave trails in network management databases, which could be used for proactive detection. For Data Mining, the Deterministic Stochastic Realization Algorithm (DSRA) will be used to construct input-output models describing the joint time evolution of MIB variables and selected performance metrics describing security. The correlation structure between the MIB variables and the performance measures can be obtained directly from the DSRA models, providing a valuable tool for event correlation and proactive detection of security violations. The presence or absence of attacks will be reflected in variations in the parameters of these models, thus permitting proactive detection. We also plan to investigate the applicability of Pi-Sigma Artificial Neural Networks for this task. Aprisma Management Technologies (subsidiary of Cabletron and manufacturer of the SPECTRUM network management software) will provide datasets corresponding to networks under normal operation as well as under attack. Prof. Joydeep Ghosh (UTexas, Austin) will support us in the application of machine learning techniques. Aprisma will also provide technical and commercialization support during all phases of the project.

The Internet, Wide Area Networks, Local Area Networks and personal computers require a system to detect intrusions and fraudulent use of resources. Protecting institutional networks from attacks accounts for about 25 billion US dollars each year. 95 percent of the DoD communications pass through the National Information Infrastructure (NII) at some point. The proposed technology has the potential to provide the NII with a much needed proactive capability to detect security violations.
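The detection idea in the abstract, as an added illustration that is not code from the SBIR record or from Scientific Systems: an input-output model relating one MIB counter to another is fitted on a baseline window and refitted on a later window, and the distance between the two parameter vectors is the anomaly signal. Ordinary least squares stands in for DSRA, the counter polls are constructed, and the "anomalous" window is simply generated with different coefficients; all of that is assumed, not taken from the page.

```python
# Added illustration, not from the SBIR record: ordinary least squares stands
# in for DSRA, and every counter value below is constructed sample data.

def deltas(counter):
    """Per-poll increments of a monotone SNMP counter such as ifInOctets."""
    return [later - earlier for earlier, later in zip(counter, counter[1:])]

def simulate(u, a, b, y0):
    """Constructed output series following y[t] = a*u[t] + b*y[t-1]."""
    y = [y0]
    for t in range(1, len(u)):
        y.append(a * u[t] + b * y[t - 1])
    return y

def fit_io_model(u, y):
    """Least-squares fit of y[t] = a*u[t] + b*y[t-1] (t >= 1, no intercept),
    solving the 2x2 normal equations by Cramer's rule."""
    s11 = s12 = s22 = r1 = r2 = 0.0
    for t in range(1, len(y)):
        x1, x2, target = u[t], y[t - 1], y[t]
        s11 += x1 * x1; s12 += x1 * x2; s22 += x2 * x2
        r1 += x1 * target; r2 += x2 * target
    det = s11 * s22 - s12 * s12
    if abs(det) < 1e-12:
        raise ValueError("regressors are collinear; model is not identifiable")
    return (r1 * s22 - s12 * r2) / det, (s11 * r2 - s12 * r1) / det

def parameter_shift(baseline, window):
    """Euclidean distance between parameter vectors fitted on two windows."""
    (a0, b0), (a1, b1) = fit_io_model(*baseline), fit_io_model(*window)
    return ((a1 - a0) ** 2 + (b1 - b0) ** 2) ** 0.5

# Constructed ifInOctets polls; the outbound series is derived from them.
IN_BASELINE = [0, 100, 210, 315, 435, 550, 680, 805, 923, 1045, 1173]
IN_WINDOW = [0, 400, 850, 1260, 1720, 2150, 2640, 3100, 3530, 4000, 4480]
U_BASE, U_WIN = deltas(IN_BASELINE), deltas(IN_WINDOW)
Y_BASE = simulate(U_BASE, 0.8, 0.1, 80.0)  # normal in/out relation
Y_WIN = simulate(U_WIN, 2.5, 0.1, 80.0)    # constructed anomalous relation

def check(threshold=0.5):
    """Flag the window when its fitted parameters drift beyond the threshold."""
    shift = parameter_shift((U_BASE, Y_BASE), (U_WIN, Y_WIN))
    return shift, shift > threshold

if __name__ == "__main__":
    shift, flagged = check()
    print(f"parameter shift {shift:.3f}, anomaly flagged: {flagged}")
```

With real data the threshold would be calibrated from the spread of parameter estimates across many normal windows rather than fixed by hand.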