Towards a Platform for Widespread Embedded Intelligence - ERCIM
R&D AND TECHNOLOGY TRANSFER

One problem for these more widely deployed smaller projects based on high-performance embedded modules is the design cost and turnaround time. Unfortunately there is no all-encompassing design tool for DAQ systems. The design process relies on an increasingly large and diverse portfolio of complex tools that require a high level of expertise to operate. Thus there is a growing cost of keeping up with the tool flows required to access more powerful hardware.

Currently we have an R&D program funded internally by our Centre for Instrumentation (CFI) which will investigate the embedded processor design tools. This project aims to reduce the cost of the firmware and software design for DAQ projects by developing a unified approach based around FPGA vendor embedded development tools.

The strategy we propose is to exploit the hardware IP modules and facilities existing within the embedded design tools by adding instrumentation-specific DAQ IP for integration of the sensor data stream. Customising the vendor’s framework minimises the cost by reducing the amount of work that needs to be done, and minimises the risk by using standard interfaces.

A similar approach is taken for the software libraries: by using standard network protocols (Ethernet) and operating system APIs, the software side of the DAQ library is more like ‘DAQ middleware’.

The addition of embedded networked microprocessors within our designs gives us the ability to add higher levels of intelligence to our systems which might otherwise be difficult to include. Even allowing for the availability of C-to-hardware tools and an abundant gate count in the FPGA, using embedded microprocessors would still be an efficient method.

Examples of the type of features which could be added include real-time tuning of the data flow and processing algorithms, logging of environmental information, safety-critical monitoring of sensors (eg to prevent radiation damage), interaction with higher-level control systems using standard protocols, and provision of information to the e-science systems to aid in the management of the integrity of the data set.

Please contact:
Rob Halsall, CCLRC Technology
Rutherford Appleton Laboratory, UK
Tel: +44 1235 445140
E-mail: R.Halsall@rl.ac.uk

Security

Network Anomaly Detection by Means of Machine Learning
by Roland Kwitt

Anomaly detection should be an integral part of every computer security system, since it is the only way to tackle the problem of identifying novel and modified attacks. Our work focuses on machine-learning approaches for anomaly detection and tries to deal with the problems that come along with it.

Since the number of reported security incidents caused by network attacks is dramatically increasing every year, corresponding attack detection systems have become a necessity in every company's network security system.

Generally, there are two approaches to tackle the detection problem. Most commercial intrusion detection systems employ some kind of signature-matching algorithm to detect malicious activities. In intrusion detection terminology this is called “misuse detection”. Generally, such systems have very low false alarm rates and work very well in the event that the corresponding attack signatures are present. However, the last point leads directly to the potential drawback of misuse detection: missing signatures inevitably lead to undetected attacks! This is where the second approach, termed anomaly detection, comes in. Anomaly detection maps normal behaviour to a baseline profile and tries to detect deviations. Thus, no a priori knowledge about attacks is needed any longer and the problem of missing attack signatures does not exist.

Our work deals with the applicability of machine-learning approaches, specifically Self-Organising Maps and neural networks, in the field of network anomaly detection. By presenting a set of normal (problem-specific) feature vectors to a Self-Organising Map, it can learn the specific characteristics of these vectors and provide a distance measure of how well a new input vector fits into the class of normal data. In contrast to other machine-learning approaches, Self-Organising Maps do not require a teacher who determines the favoured output.

Considering the aforementioned feature vectors, the vector elements strongly depend on the preferred layer of detection. That means that if anomaly detection is carried out at the connection level, for instance, connection-specific features, for example packet counts, connection duration, etc., have to be collected. However, if we require detection at a higher level, for example at the application layer, another set of features will be necessary. Generally we can state that the more discriminative power a feature possesses, the better detection results we get.

In case we use a neural network architecture for anomaly detection, such as a Feed-Forward Multi-Layer Perceptron (MLP), the training procedure for normal behaviour might not be apparent at first sight, since such networks gener-
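The Self-Organising Map detector the article describes, as an added example that is not the author's code: it trains a small map on constructed "normal" connection-level feature vectors (packet count, duration, bytes), uses the distance to the best matching unit as the measure of how well a new vector fits the normal class, and flags a vector as anomalous when that distance exceeds a threshold learned from the normal data alone. The min-max scaling, the 3x3 grid, the decay schedule and the max-plus-margin threshold rule are assumptions of this example, not details from the article.

```python
import math
import random

# Constructed "normal" connection-level features (packets, duration in s, bytes); assumed sample values.
NORMAL = [(12, 0.8, 1500), (15, 1.1, 1800), (10, 0.6, 1200), (14, 0.9, 1650),
          (11, 0.7, 1400), (16, 1.2, 1900), (13, 0.85, 1550), (9, 0.5, 1100),
          (17, 1.3, 2000), (12, 0.75, 1450)]

def dist(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

class SOM:  # minimal Self-Organising Map; node i sits at grid cell (i // cols, i % cols)
    def __init__(self, rows, cols, dim, seed=0):
        rng = random.Random(seed)  # fixed seed keeps the training run deterministic
        self.rows, self.cols = rows, cols
        self.nodes = [[rng.random() for _ in range(dim)] for _ in range(rows * cols)]
    def bmu(self, x):  # best matching unit: the node closest to x
        return min(range(len(self.nodes)), key=lambda i: dist(x, self.nodes[i]))
    def train(self, data, epochs=200, lr0=0.5):
        radius0 = max(self.rows, self.cols) / 2.0
        for t in range(epochs):
            decay = 1.0 - t / epochs  # learning rate and neighbourhood radius shrink linearly
            lr, radius = lr0 * decay, radius0 * decay + 0.05
            for x in data:
                br, bc = divmod(self.bmu(x), self.cols)
                for i, w in enumerate(self.nodes):
                    r, c = divmod(i, self.cols)
                    h = math.exp(-((r - br) ** 2 + (c - bc) ** 2) / (2 * radius ** 2))
                    for k in range(len(w)):  # pull the node towards x, weighted by grid distance
                        w[k] += lr * h * (x[k] - w[k])
    def quantization_error(self, x):  # distance to the BMU: how well x fits the normal data
        return dist(x, self.nodes[self.bmu(x)])

class AnomalyDetector:
    def __init__(self, normal, rows=3, cols=3, margin=0.5):
        self.lo, self.hi = [min(c) for c in zip(*normal)], [max(c) for c in zip(*normal)]
        scaled = [self.scale(v) for v in normal]
        self.som = SOM(rows, cols, len(self.lo))
        self.som.train(scaled)
        # Assumed threshold rule: largest error seen on normal data plus a safety margin.
        self.threshold = max(self.som.quantization_error(v) for v in scaled) * (1 + margin)
    def scale(self, v):  # min-max scaling with the ranges observed in the normal data
        return [(x - lo) / (hi - lo) if hi > lo else 0.0 for x, lo, hi in zip(v, self.lo, self.hi)]
    def score(self, v):  # larger score = further from everything the map learned as normal
        return self.som.quantization_error(self.scale(v))

    def is_anomalous(self, v):
        return self.score(v) > self.threshold
```

Because the map is trained on normal traffic only, a connection that was never seen (here a constructed one with thousands of packets in a few milliseconds) lands far from every node and scores well above the threshold, without any signature for it having been written.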
ERCIM News No. 67, October 2006, page 63