Evolving decision trees to detect anomalies in recurrent ICS networks

Created by W.Langdon from gp-bibliography.bib Revision:1.4420

  author =       "Jasenko Hosic and Jereme Lamps and Derek H. Hart",
  booktitle =    "2015 World Congress on Industrial Control Systems
                 Security (WCICSS)",
  title =        "Evolving decision trees to detect anomalies in
                 recurrent ICS networks",
  year =         "2015",
  pages =        "50--57",
  abstract =     "Researchers have previously attempted to apply machine
                 learning techniques to network anomaly detection
                 problems. Due to the staggering amount of variety that
                 can occur in normal networks, as well as the difficulty
                 in capturing realistic data sets for supervised
                 learning or testing, the results have often been
                 underwhelming. These challenges are far less pronounced
                 when considering industrial control system (ICS)
                 networks. The recurrent nature of these networks
                 results in less noise and more consistent patterns for
                 a machine learning algorithm to recognise. We propose a
                 method of evolving decision trees through genetic
                 programming (GP) in order to detect network anomalies,
                 such as device outages. Our approach extracts over a
                 dozen features from network packet captures and
                 netflows, normalizes them, and relates them in decision
                 trees using fuzzy logic operators. We used the trees to
                 detect three specific network events from three
                 different points on the network across a statistically
                 significant number of runs and achieved 100percent
                 accuracy on five of the nine experiments. When the
                 trees attempted to detect more challenging events at
                 points of presence further from the occurrence, the
                 accuracy averaged to above 98percent. On cases where
                 the trees were many hops away and not enough
                 information was available, the accuracy dipped to
                 roughly 50percent, or that of a random search. Using
                 our method, all of the evolutionary cycles of the GP
                 algorithm are computed a-priori, allowing the best
                 resultant trees to be deployed as semi-real-time
                 sensors with little overhead. In order for the trees to
                 perform optimally, buffered packets and flows need to
                 be ingested at twenty minute intervals.",
  keywords =     "genetic algorithms, genetic programming",
  DOI =          "doi:10.1109/WCICSS.2015.7420323",
  month =        dec,
  notes =        "Sandia National Laboratories, Albuquerque, New Mexico
                 87123, United States

                 Also known as \cite{7420323}",

Genetic Programming entries for Jasenko Hosic Jereme Lamps Derek H Hart