Sanguk Noh

Detecting Distributed Denial of Service (DDoS) Attacks through Inductive Learning

As the complexity of Internet is scaled up, it is likely for the Internet resources to be exposed to Distributed Denial of Service (DDoS) flooding attacks on TCP-based Web servers. There has been a lot of related work which focuses on analyzing the pattern of the DDoS attacks to protect users from them. However, none of these studies takes all the flags within TCP header into account, nor do they analyze relationship between the flags and the TCP packets. To analyze the features of the DDoS attacks, therefore, this paper presents a network traffic analysis mechanism which computes the ratio of the number of TCP flags to the total number of TCP packets. Based upon the calculation of TCP flag rates, we compile a pair of the TCP flag rates and the presence (or absence) of the DDoS attack into state-action rules using machine learning algorithms. We endow alarming agents with a tapestry of the compiled rules. The agents can then detect network flooding attacks against a Web server. We validate our framework with experimental results in a simulated TCP-based network setting. The experimental results show a distinctive and predictive pattern of the DDoS attacks, and our alarming agents can successfully detect various DDoS attacks.

Bayesian Update of Recursive Agent Models

We present a framework for Bayesian updating of beliefs about models of agent(s) based on their observed behavior. We work within the formalism of the Recursive Modeling Method (RMM) that maintains and processes models an agent may use to interact with other agent(s), the models the agent may think the other agent has of the original agent, the models the other agent may think the agent has, and so on. The beliefs about which model is the correct one are incrementally updated based on the observed behavior of the modeled agent and, as the result, the probability of the model that best predicted the observed behavior is increased. Analogously, the models on deeper levels of modeling can be updated; the models that the agent thinks another agent uses to model the original agent are revised based on how the other agent is expected to observe the original agents behavior, and so on. We have implemented and tested our method in two domains, and the results show a marked improvement in the quality of interactions with the belief update in both domains.

Compiling network traffic into rules using soft computing methods for the detection of flooding attacks

The ability to dynamically collect and analyze network traffic and to accurately report the current network status is critical in the face of large-scale intrusions, and enables networks to continually function despite of traffic fluctuations. The paper presents a network traffic model that represents a specific network pattern and a methodology that compiles the network traffic into a set of rules using soft computing methods. This methodology based upon the network traffic model can be used to detect large-scale flooding attacks, for example, a distributed denial-of-service (DDoS) attack. We report experimental results that demonstrate the distinctive and predictive patterns of flooding attacks in simulated network settings, and show the potential of soft computing methods for the successful detection of large-scale flooding attacks.

Agent Modeling in Antiair Defense

This research addresses rational decision making and coordination among antiair units whose mission is to defend a specified territory from a number of attacking missiles. The automated units have to decide which missiles to attempt to intercept, given the characteristics of the threat, and given the other units’ anticipated actions, in their attempt to minimize the expected overall damages to the defended territory. Thus, an automated defense unit needs to model the other agents, either human or automated, that control the other defense batteries. For the purpose of this case study, we assume that the units cannot communicate among themselves, say, due to an imposed radio silence. We use the Recursive Modeling Method (RMM), which enables an agent to select his rational action by examining the expected utility of his alternative behaviors, and to coordinate with other agents by modeling their decision making in a distributed multiagent environment. We describe how decision making using RMM is applied to the antiair defense domain and show experimental results that compare the performance of coordinating teams consisting of RMM agents, human agents, and mixed RMM and human teams.

Implementing a Decision-Theoretic Approach to Game Theory for Socially Competent Agents

We describe an implementation of decision-theoretic paradigm of expected utility maximization applied to design rational socially competent agents. Our implementation uses a frame-based knowledge base which explicitly represents what the agent knows about the world, what it knows about the other agents, what it knows about what they know, and so on. We argue that this representation has to include uncertainty, since an agent does not have a direct access to the other agents’ knowledge states. We concentrate on realistic cases of finitely nested knowledge states, and, for these states, we briefly illustrate a dynamic programming solution method for our representation. The solution allows the agent to process the representation of its state of knowledge and arrive at an assignment of expected utilities to physical and communicative actions it can execute. The agent’s executing actions that maximize its expected utility leads to it being rational while coordinating and communicating with the other agents. We briefly summarize results we obtained of coordination and communication in interactions of our agents among themselves and with human subjects.

Implementation and evaluation of rational communicative behavior in coordinated defense

This paper reports on results we obtained on communication among artificial and human agents interacting in a simulated air defense domain. In our research, we postulate that the artificial agents use a decision-theoretic method to select optimal communicative acts, given the characteristics of the particular situation. Thus, the agents we implemented compute the expected utilities of various alternative communicative acts, and execute the best one. We build on our earlier work that uses the Recursive Modeling Method @MM) for coordination, and apply RMM to rational communication in an anti-air defense domain. In this domain, distributed units coordinate and communicate to defend a specified territory from a number of attacking missiles. We meaSure the benefits of rational commutiication by showing the improvement in the quality of interactions the communication results in. We show how the benefit of rational communication measured after the interactions is related to the expected utilities of best messages computed before the interaction takes place. Further, we compare our results to improvement due to communication achieved by human subjects under the same circumstances.

Autonomously Deciding Countermeasures against Threats in Electronic Warfare Settings

This paper investigates the autonomous decision-making process of threat detection, classification, and the selection of alternative countermeasures against threats in electronic warfare settings. We introduce a threat model, which represents a specific threat pattern, and a methodology that compiles the threat into a set of rules using machine learning algorithms. This methodology based upon the inductive threat model could be used to classify real-time threats. Further, we calculate the expected utilities of countermeasures which are applicable given a situation, and provide an intelligent command and control agent with the best countermeasure to threats. We present empirical results that demonstrate the agent’s capabilities of classifying threats and choosing countermeasures to them in simulated electronic warfare settings.

Calculating trust using aggregation rules in social networks

As Web-based online communities are rapidly growing, the agents in social groups need to know their measurable belief of trust for safe and successful interactions. In this paper, we propose a computational model of trust resulting from available feedbacks in online communities. The notion of trust can be defined as an aggregation of consensus given a set of past interactions. The average trust of an agent further represents the center of gravity of the distribution of its trustworthiness and untrustworthiness. And then, we precisely describe the relationship between reputation, trust, and average trust through a concrete example of their computations. We apply our trust model to online Internet settings in order to show how trust mechanisms are involved in a rational decisionmaking of the agents.

Uncertain Knowledge Representation and Communicative Behavior in Coordinated Defense

This paper reports on results we obtained on communication among artificial and human agents interacting in a simulated air defense domain. In our research, we postulate that the artificial agents use a decision-theoretic method to select optimal communicative acts, given the characteristics of the particular situation. Thus, the agents we implemented compute the expected utilities of various alternative communicative acts, and execute the best one. The agents use a probabilistic frame-based knowledge formalism to represent the uncertain information they have about the domain and about the other agents present. We build on our earlier work that uses the Recursive Modeling Method (RMM) for coordination, and apply RMM to rational communication in an anti-air defense domain. In this domain, distributed units coordinate and communicate to defend a specified territory from a number of attacking missiles. We measure the benefits of rational communication by showing the improvement in the quality of interactions the communication results in. We show how the benefit of rational communication measured after the interactions is related to the expected utilities of best messages computed before the interaction takes place. Further, we compare our results to improvement due to communication achieved by human subjects under the same circumstances.

Autonomous Situation Awareness Through Threat Data Integration

The ability to dynamically collect and analyze threat data and to accurately report the current battlefield situation is critical in the face of emergent hostile attacks, and enables battlefield helicopters to continually function despite of potential threats. The paper is to model threats to battlefield helicopters, which represents a specific threat pattern and a methodology that compiles the threat into a set of rules using machine learning algorithms. This methodology based upon the inductive threat model can be used to detect real-time threats. We report experimental results that demonstrate the distinctive and predictive patterns of threats in simulated battlefield settings, and show the potential of compilation methods for the successful detection of threat systems.