On-line Fusion of Functional Knowledge Within Distributed Sensor - - PowerPoint PPT Presentation

on line fusion of functional knowledge within distributed
SMART_READER_LITE
LIVE PREVIEW

On-line Fusion of Functional Knowledge Within Distributed Sensor - - PowerPoint PPT Presentation

Dec 06, 2023 195 likes •438 views

On-line Fusion of Functional Knowledge Within Distributed Sensor Networks Dominik Fisch, Bernhard Sick Research Group Computationally Intelligent Systems University of Applied Sciences Deggendorf www.cis-research.de 11th Colloquium of

slide-1
SLIDE 1

On-line Fusion of Functional Knowledge Within Distributed Sensor Networks

Dominik Fisch, Bernhard Sick

Research Group “Computationally Intelligent Systems” University of Applied Sciences Deggendorf www.cis-research.de

11th Colloquium of the DFG Priority Program 1183 “Organic Computing” October 7./8. 2010 Munich

Fisch, Sick Knowledge Fusion October 2010 1 / 20

slide-2
SLIDE 2

1

Brief Status Report

2

Emergence Measurement and Knowledge Exchange

3

New Emergence Measurement Techniques

4

Experimental Results Artificial Data Real-World Data (Intrusion Detection)

5

Conclusion and Outlook

Fisch, Sick Knowledge Fusion October 2010 2 / 20

slide-3
SLIDE 3

Brief Status Report

Brief Status Report – 1

Collaboration of intelligent systems (e.g., teams of robots, smart sensor networks, software agents) by exchanging classification rules

learned rules (functional knowledge) How is the local environ- ment observed? How does a node react on certain

  • bservations?

communication

Fisch, Sick Knowledge Fusion October 2010 3 / 20

slide-4
SLIDE 4

Brief Status Report

Brief Status Report – 2

Research Issues 2009/2010 Theory: Comparison of our probabilistic classifier to some other functionally equivalent paradigms (Elsevier Information Sciences, 2010) Extension of this classifier for time series classification (IEEE Tr. Knowledge and Data Engineering, 2011) Divergence-based techniques for emergence measurement (IEEE SASO 2010, Best Paper Award) Autonomous assessment of the interestingness of classification rules (ICAART 2011) Knowledge fusion based on Bayesian parameter estimation techniques Application: Collaborative Intrusion Detection and Anomaly Detection (Elsevier Information Sciences, 2010; IEEE Tr. Dependable and Secure Computing, 2011; IFIP BICC 2010) Toolbox for the OC community

Fisch, Sick Knowledge Fusion October 2010 4 / 20

slide-5
SLIDE 5

Brief Status Report

Brief Status Report – 2

Research Issues 2009/2010 Theory: Comparison of our probabilistic classifier to some other functionally equivalent paradigms (Elsevier Information Sciences, 2010) Extension of this classifier for time series classification (IEEE Tr. Knowledge and Data Engineering, 2011) Divergence-based techniques for emergence measurement (IEEE SASO 2010, Best Paper Award) Autonomous assessment of the interestingness of classification rules (ICAART 2011) Knowledge fusion based on Bayesian parameter estimation techniques Application: Collaborative Intrusion Detection and Anomaly Detection (Elsevier Information Sciences, 2010; IEEE Tr. Dependable and Secure Computing, 2011; IFIP BICC 2010) Toolbox for the OC community

Fisch, Sick Knowledge Fusion October 2010 4 / 20

slide-6
SLIDE 6

Emergence Measurement and Knowledge Exchange

Emergence Measurement and Knowledge Exchange – 1 Why are we interested in emergence measurement? What is the relation of emergence measurement and knowledge exchange?

Emergence Measurement: Detecting unexpected state changes of a (e.g., self-organizing) system. Knowledge Exchange: Detecting observations that cannot be “explained” by a given model (e.g., classifier) and realizing the need to acquire new knowledge (e.g., asking other agents for classification rules).

Common: need for a kind of situation-awareness

Fisch, Sick Knowledge Fusion October 2010 5 / 20

slide-7
SLIDE 7

Emergence Measurement and Knowledge Exchange

Emergence Measurement and Knowledge Exchange – 2

Fisch, Sick Knowledge Fusion October 2010 6 / 20

slide-8
SLIDE 8

New Emergence Measurement Techniques

Motivation of a New Technique

Emergence: property of the system that is irreducible to the constituent parts of the system Goal: quantitative measurement of emergence The chicken farm example

Figure: [Mnif & M¨ uller-Schloer, 2006]

Fisch, Sick Knowledge Fusion October 2010 7 / 20

slide-9
SLIDE 9

New Emergence Measurement Techniques

Motivation of a New Technique

Emergence: property of the system that is irreducible to the constituent parts of the system Goal: quantitative measurement of emergence The chicken farm example

Figure: [Mnif & M¨ uller-Schloer, 2006]

Fisch, Sick Knowledge Fusion October 2010 7 / 20

slide-10
SLIDE 10

New Emergence Measurement Techniques

Quantitative Emergence

How to detect emergence? Selection of attributes Creation of a model of the current situation Comparison to the model of a past situation Solution (assuming that attributes are given) Use probabilistic models to represent the system state Use probabilistic measures to capture state changes

Fisch, Sick Knowledge Fusion October 2010 8 / 20

slide-11
SLIDE 11

New Emergence Measurement Techniques

Discrete Entropy Difference (DED) – 1

First proposed by Mnif and M¨ uller-Schloer (2006) Each dimension represents an attribute of the system Categorization of continuous attributes Calculate the (discrete) entropy for each attribute Use the difference between two entropy values as indicator for emergent behavior

  • 5
  • 4
  • 3
  • 2
  • 1

1 2 3 4 5

  • 5.0
  • 4.5
  • 4.0
  • 3.5
  • 3.0
  • 2.5
  • 2.0
  • 1.5
  • 1.0
  • 0.5

0.0 0.5 1.0 1.5 2.0 2.5 3.0 3.5 4.0 4.5 5.0

  • 5
  • 4
  • 3
  • 2
  • 1

1 2 3 4 5

  • 5.0
  • 4.5
  • 4.0
  • 3.5
  • 3.0
  • 2.5
  • 2.0
  • 1.5
  • 1.0
  • 0.5

0.0 0.5 1.0 1.5 2.0 2.5 3.0 3.5 4.0 4.5 5.0

  • 5
  • 4
  • 3
  • 2
  • 1

1 2 3 4 5

  • 5.0
  • 4.5
  • 4.0
  • 3.5
  • 3.0
  • 2.5
  • 2.0
  • 1.5
  • 1.0
  • 0.5

0.0 0.5 1.0 1.5 2.0 2.5 3.0 3.5 4.0 4.5 5.0

Fisch, Sick Knowledge Fusion October 2010 9 / 20

slide-12
SLIDE 12

New Emergence Measurement Techniques

Discrete Entropy Difference (DED) – 2

Practical applications have continuous attributes, too Problems:

◮ Categorization of attributes ◮ Correlation between attributes is ignored

(but may be desired depending on application)

  • 5
  • 4
  • 3
  • 2
  • 1

1 2 3 4 5

  • 5.0
  • 4.5
  • 4.0
  • 3.5
  • 3.0
  • 2.5
  • 2.0
  • 1.5
  • 1.0
  • 0.5

0.0 0.5 1.0 1.5 2.0 2.5 3.0 3.5 4.0 4.5 5.0

  • 5
  • 4
  • 3
  • 2
  • 1

1 2 3 4 5

  • 5.0
  • 4.5
  • 4.0
  • 3.5
  • 3.0
  • 2.5
  • 2.0
  • 1.5
  • 1.0
  • 0.5

0.0 0.5 1.0 1.5 2.0 2.5 3.0 3.5 4.0 4.5 5.0

Fisch, Sick Knowledge Fusion October 2010 10 / 20

slide-13
SLIDE 13

New Emergence Measurement Techniques

Measurement

Create model p for a time step tp Create model q for a later time step tq Measure the “difference” of the models

Fisch, Sick Knowledge Fusion October 2010 11 / 20

slide-14
SLIDE 14

New Emergence Measurement Techniques

New Approach: Modelling

Avoid categorization of continuous attributes Approach I (PW): non-parametric density model (Parzen window estimator, e.g. with Gaussian kernel)

◮ No assumptions on the underlying distribution are made ◮ Computationally expensive ◮ Comparison of two densities via sampling

Approach II (GMM): parameterized functional model (e.g. Gaussian mixture models for continuous attributes)

◮ Needs information about the underlying distribution ◮ Easy handling (faster, less computations) ◮ For Gaussians the comparison can be done analytically Fisch, Sick Knowledge Fusion October 2010 12 / 20

slide-15
SLIDE 15

New Emergence Measurement Techniques

New Approach: Hellinger Distance

Measuring the distance between two probability densities: Hellinger distance (Hel) Hel(p, q) =

  • 1 − BC(p, q)

Bhattacharyya coefficient: BC(p, q) = p(x)q(x)dx Hellinger distance is restricted to [0, 1] The Hellinger distance measure is compatible to approach I (PW) and approach II (GMM)

Fisch, Sick Knowledge Fusion October 2010 13 / 20

slide-16
SLIDE 16

Experimental Results Artificial Data

Comparison: DED – Hel

0.5 1 1.5 600 800 1000 1200 1400 1600 1800 2000 Emergence Measure Time Distribution switch Hel DED X DED Y

Cluster @ (0,0)

  • 5
  • 4
  • 3
  • 2
  • 1
1 2 3 4 5
  • 5.0
  • 4.5
  • 4.0
  • 3.5
  • 3.0
  • 2.5
  • 2.0
  • 1.5
  • 1.0
  • 0.5
0.0 0.5 1.0 1.5 2.0 2.5 3.0 3.5 4.0 4.5 5.0
  • 5
  • 4
  • 3
  • 2
  • 1
1 2 3 4 5
  • 5.0
  • 4.5
  • 4.0
  • 3.5
  • 3.0
  • 2.5
  • 2.0
  • 1.5
  • 1.0
  • 0.5
0.0 0.5 1.0 1.5 2.0 2.5 3.0 3.5 4.0 4.5 5.0
  • 5
  • 4
  • 3
  • 2
  • 1
1 2 3 4 5
  • 5.0
  • 4.5
  • 4.0
  • 3.5
  • 3.0
  • 2.5
  • 2.0
  • 1.5
  • 1.0
  • 0.5
0.0 0.5 1.0 1.5 2.0 2.5 3.0 3.5 4.0 4.5 5.0

0.5 1 1.5 600 800 1000 1200 1400 1600 1800 2000 Emergence Measure Time Distribution switch Hel DED X DED Y

Cluster @ (1,1)

  • 5
  • 4
  • 3
  • 2
  • 1
1 2 3 4 5
  • 5.0
  • 4.5
  • 4.0
  • 3.5
  • 3.0
  • 2.5
  • 2.0
  • 1.5
  • 1.0
  • 0.5
0.0 0.5 1.0 1.5 2.0 2.5 3.0 3.5 4.0 4.5 5.0
  • 5
  • 4
  • 3
  • 2
  • 1
1 2 3 4 5
  • 5.0
  • 4.5
  • 4.0
  • 3.5
  • 3.0
  • 2.5
  • 2.0
  • 1.5
  • 1.0
  • 0.5
0.0 0.5 1.0 1.5 2.0 2.5 3.0 3.5 4.0 4.5 5.0
  • 5
  • 4
  • 3
  • 2
  • 1
1 2 3 4 5
  • 5.0
  • 4.5
  • 4.0
  • 3.5
  • 3.0
  • 2.5
  • 2.0
  • 1.5
  • 1.0
  • 0.5
0.0 0.5 1.0 1.5 2.0 2.5 3.0 3.5 4.0 4.5 5.0

Fisch, Sick Knowledge Fusion October 2010 14 / 20

slide-17
SLIDE 17

Experimental Results Artificial Data

DED – Hel with PW – Hel with GMM

Scenario: Different processes generating data One process (the topmost) begins to move (concept drift)

  • 5
  • 4
  • 3
  • 2
  • 1

1 2 3 4 5

  • 5.0
  • 4.5
  • 4.0
  • 3.5
  • 3.0
  • 2.5
  • 2.0
  • 1.5
  • 1.0
  • 0.5

0.0 0.5 1.0 1.5 2.0 2.5 3.0 3.5 4.0 4.5 5.0

  • 5
  • 4
  • 3
  • 2
  • 1

1 2 3 4 5

  • 5.0
  • 4.5
  • 4.0
  • 3.5
  • 3.0
  • 2.5
  • 2.0
  • 1.5
  • 1.0
  • 0.5

0.0 0.5 1.0 1.5 2.0 2.5 3.0 3.5 4.0 4.5 5.0

  • 0.2
  • 0.1

0.1 0.2 0.3 0.4 0.5 0.6 0.7 200 400 600 800 1000 1200 1400 1600 1800 2000 Emergence Measure Time Drift start Hel PW Hel GMM DED X DED Y

With assumptions about the underlying distribution (Hel GMM), an earlier detection is possible

Fisch, Sick Knowledge Fusion October 2010 15 / 20

slide-18
SLIDE 18

Experimental Results Real-World Data (Intrusion Detection)

Intrusion Detection – 1

Data set: KDD-Cup ’99 network intrusion (5 million connection records, 41 attributes) For simplicity, only 2 attributes were selected (number of bytes from sender to receiver and vice versa) Both attributes are integers with a large value range and, thus, they can be treated as continuous attributes 3 attack scenarios were constructed:

◮ Phase I: Start with background traffic ◮ Phase II: Continue with mixture of attack records to background traffic

(1 : 3)

◮ Phase III: End with background traffic Fisch, Sick Knowledge Fusion October 2010 16 / 20

slide-19
SLIDE 19

Experimental Results Real-World Data (Intrusion Detection)

Intrusion Detection – 2

From left to right: nmap, neptune and back

0.1 0.2 0.3 0.4 0.5 0.6 5000 10000 15000 20000 25000 Emergence Measure Time Nmap start Nmap end Hel GMM DED src_bytes DED dst_bytes 0.1 0.2 0.3 0.4 0.5 0.6 5000 10000 15000 20000 25000 Emergence Measure Time Neptune start Neptune end Hel GMM DED src_bytes DED dst_bytes

  • 0.6
  • 0.4
  • 0.2

0.2 0.4 5000 10000 15000 20000 25000 Emergence Measure Time Back start Back end Hel GMM DED src_bytes DED dst_bytes

DED only captures the back attack Hel captures all three attacks, most clearly neptune and back

Fisch, Sick Knowledge Fusion October 2010 17 / 20

slide-20
SLIDE 20

Conclusion and Outlook

Conclusion

We focused on different measurement methods for the detection and quantitative assessment of emergence Advantages of this new approach:

◮ No categorization of continuous attributes ◮ Multivariate modeling (application dependent) is possible ◮ Computationally inexpensive if model assumptions can be met (Hel

GMM)

The advantages were shown using artificial and real data

Fisch, Sick Knowledge Fusion October 2010 18 / 20

slide-21
SLIDE 21

Conclusion and Outlook

Outlook

Investigation of real-world applications Hybridization (having continuous and categorical attributes) Techniques based on a penalty/reward scheme

◮ Avoid sliding windows ◮ Assess each sample individually Fisch, Sick Knowledge Fusion October 2010 19 / 20

slide-22
SLIDE 22

Questions

Many thanks to Christian M¨ uller-Schloer for our excellent collaboration and thanks to you for your attention!

Questions?

Fisch, Sick Knowledge Fusion October 2010 20 / 20