CognitiveOne Architecture
CognitiveOne brings an unprecedented level of detection quality through an Artificial Intelligence approach. Only standard NetFlow/IPFIX data are processed, with no need for supplementary information (application identification, user content).
CognitiveOne is based on five state-of-the-art anomaly detection methods integrated by the novel CAMNEP algorithm, which builds on the latest advances in trust modeling and reputation handling. CognitiveOne integrates:
- The MINDS algorithm [Ertoz et al, 2004] (Minnesota Intrusion Detection System) computes, for each evaluated flow, the number of flows from the same source IP, the number of flows towards the same destination host, the number of flows towards the same destination from the same source port, and the number of flows from the same source towards the same destination port.
- The Xu et al. algorithm [Xu, Zhang et al, 2005], which classifies the traffic sources. For each source, we determine the normalized entropy of the set of source ports, destination ports and destination IPs over all the flows from this source. Anomalies are determined by applying static classification rules.
- The volume prediction algorithm [Lakhina et al, 2004], which uses Principal Components Analysis (PCA) to build a model of traffic volumes from individual sources. We model three values for each source IP with a non-negligible volume of originating traffic (the number of flows, number of bytes and number of packets from the source) and use the PCA method to identify the relationships between the traffic from distinct sources.
- The entropy prediction algorithm [Lakhina et al, 2005], which is based on a similar PCA-based traffic model but uses different features than volume prediction. It also aggregates the traffic from the individual source IPs, but instead of traffic volumes it predicts the entropies of destination IPs, destination ports and source ports over the set of flows from each source.
- The TAPS algorithm [Sridharan et al, 2006], which targets a specific class of attacks, horizontal and vertical scans. The algorithm classifies a subset of suspicious traffic sources characterized by three features: the number of destination IP addresses and the number of destination ports in the set of flows from the source, and the entropy of the flow size measured in packets. The anomaly of the source is based on the ratios between these values.
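As an added illustration (not CognitiveOne's or CAMNEP's own code), the per-source features used by the Xu et al. method and the four MINDS context counts, computed over a few constructed NetFlow-style records; the record layout and the normalized-entropy definition (Shannon entropy divided by log2 of the number of distinct values) are assumptions of this example.

```python
import math
from collections import Counter, defaultdict

# Constructed flow records (src_ip, src_port, dst_ip, dst_port); not real traffic.
FLOWS = [
    # 10.0.0.5: one destination port, eight distinct hosts (horizontal-scan shape)
    *[("10.0.0.5", 40000 + i, f"192.168.1.{i}", 445) for i in range(8)],
    # 10.0.0.7: an ordinary client talking mostly to one web server
    ("10.0.0.7", 51000, "203.0.113.10", 443),
    ("10.0.0.7", 51001, "203.0.113.10", 443),
    ("10.0.0.7", 51002, "203.0.113.10", 443),
    ("10.0.0.7", 51003, "203.0.113.20", 80),
]

def normalized_entropy(values):
    """Shannon entropy of the value distribution divided by its maximum
    (log2 of the number of distinct values): 0 = a single value, 1 = uniform."""
    counts = Counter(values)
    if len(counts) < 2:
        return 0.0
    total = len(values)
    h = -sum(c / total * math.log2(c / total) for c in counts.values())
    return h / math.log2(len(counts))

def xu_features(flows):
    """Per-source feature vector as described for the Xu et al. method:
    normalized entropy of source ports, destination ports and destination IPs."""
    by_src = defaultdict(list)
    for f in flows:
        by_src[f[0]].append(f)
    return {
        src: {
            "src_port": normalized_entropy([f[1] for f in fs]),
            "dst_port": normalized_entropy([f[3] for f in fs]),
            "dst_ip": normalized_entropy([f[2] for f in fs]),
        }
        for src, fs in by_src.items()
    }

def minds_features(flow, flows):
    """The four MINDS context counts for one flow, over the current flow set."""
    src, sport, dst, dport = flow
    return {
        "same_src": sum(1 for f in flows if f[0] == src),
        "same_dst": sum(1 for f in flows if f[2] == dst),
        "same_dst_from_sport": sum(1 for f in flows if f[2] == dst and f[1] == sport),
        "same_src_to_dport": sum(1 for f in flows if f[0] == src and f[3] == dport),
    }

if __name__ == "__main__":
    for src, feats in xu_features(FLOWS).items():
        print(src, {k: round(v, 3) for k, v in feats.items()})
    print(minds_features(FLOWS[0], FLOWS))
```

The scanning source shows maximal destination-IP entropy with zero destination-port entropy, while the ordinary client shows moderate entropy on both; these are exactly the feature contrasts the static rules and the TAPS ratios work from.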
CognitiveOne is a multi-agent system that integrates three classes of agents:
- The detection agents which encapsulate the above listed detection methods, process all flows from the local probe and use their anomaly and trust models to assign trustfulness, represented as a value in the [0,1] interval, to all flows in the current set.
- The trustfulness constitutes an estimate of flow legitimacy by a given agent, and is processed by the aggregation agents, which integrate the opinions of all local detection agents into a joint trustfulness value. Each aggregation agent embodies one or more averaging functions (such as the arithmetic average or the best ordered weighted average), and these agents compete with each other to provide the best overall result, that is, the best combination of the individual agents' opinions.
- Reporting and interface agents that export the system results to external systems in industry-standard alert formats (IETF IDMEF/TEXT) by email, ticket reporting, file logs, and syslog. The system also provides a highly interactive web interface that allows the analyst to continuously monitor the current security situation and supports in-depth investigation of individual security incidents or network anomalies.
CNBA History
The CNBA system is based on the original CAMNEP intrusion detection algorithm, developed by researchers at the Czech Technical University in Prague. The development of the algorithm has been funded in part by the US Army Communications-Electronics Research, Development, and Engineering Center under grant W911NF-08-1-0250. CNBA has been tested on the CESNET high-speed backbone network.