Embed Size (px)
DESCRIPTION
Ceaseless Case-Based Reasoning. Francisco J. Martin and Enric Plaza (2004). The problem. - PowerPoint PPT Presentation
Citation preview
Ceaseless Case-Based Reasoning
Francisco J. Martin and Enric Plaza
(2004)
The problem
Most existing CBR systems make assumptions that make them unsuitable for use in domains
that contain the possibility for interleaved problems and where it is difficult to set boundries
on the start and end of a case
The assumptions that cause problems
• Non-coincidental sources
• Full-fledged problem descriptions
• Individual cases independency
Ceaseless CBR
A model that does not make these assumptions
Alerts from probes (Snort)
ACC (Alba)
Network manager
Application domain: Intrusion detection
Too many non-important alerts are sentao the network manager
The application domain
• The input is a stream of alerts (unsegmented sequence)
• More than one problem can appear at the time
The goal
• Enhance ACC performance by using the Ceaseless CBR model
• More specifically: Segment the sequence of events to provide the best explanation of the current situation and suggest an action
Case-base with existing problem descriptions
Case-base with existing problem descriptions
Ceaseless CBR
Event EventEventBlaBlaBla...
Hm, what problems might be
occuring here?
List of events/alerts
Solutions
Revised solutions
User
Alerts
Sequential Cases
• A sequential case is a compositional case where a temporal order is established among all the parts that comprise it
• Sequential cases are represented by actionable trees
Cases
Roots: observable evidence (belonging to a sort)
Serial case
Looks for this sequence
Parallel case
Looks for these sequences in the event stream
Looking for similarity
• Much happens behind the scenes when looking for sequences yielded by actionable trees in the stream of alerts
Case activations
• Is a hypothesis
• Case activations can be compounded together (NB constraints)
Ceaseless Retrieve
• The point of the process is to generate case activations
• Note that case activations can persist over time steps
Get cases
Handles alerts not used in existing cases
Creates case activations
Removes old case activations
Sends case activations to the Reuse process
Ceaseless Reuse
• Tries to find the combination of case activations that best explains the sequence of alerts
How strongly do we believe the case activation (hypothesis)?
Select alerts that need to be explained
Generate explanations
Find the probability of each of theexplanations
Send best explanation to Revise-process
Revise
• Explanation presented to user
• User can make changes
Retain
• Updates sequential case base
