Agents, Anomaly Detection and GOFAI
Overview
During my time working on the Safeguard project I collaborated on the development of an agent system that could protect electricity and telecommunications management networks against attacks, failures and accidents. At Queen Mary, University of London, we focused on the problems posed by electricity networks and developed an anomaly-detecting agent, a correlation agent and some low-level wrapper agents that monitored file changes and network activity. After the project was successfully completed, I continued to work on the development of the test network at Queen Mary (see Figure 1) and produced a complete set of electricity test data to support further work in this field. A comprehensive survey of this work can be found in Gamez et al. (2005).
Figure 1. Safeguard agents in QMUL test network
The components in Figure 1 are as follows:
- E-Agora. Software used for load flow and state estimation calculations.
- DCF and DCF Client. Data Corruption and Filtering module. Applies data corruption and filtering to the data, passes it to the SCADA emulation and writes it to the database. The DCF Client is used to change the corruption and filtering parameters in real time.
- ADBroker. Analogue Digital Broker. The first stage in the SCADA emulation that converts data from the electricity simulation into field measurements and passes on commands from the control room to the electricity simulation. The ADBroker also changes the load on the electricity network in accordance with the IEEE test network specification.
- DC-1, DC-2, DC-3. Data Concentrators. These integrate the field measurements and pass them over a wide area network to the data acquisition system at the control centre.
- DAS. Data Acquisition System. Receives data from the data concentrators and passes it on to the SCADA graphical interface and the state estimator.
- SCADA GUI. SCADA Graphical User Interface. This emulates the graphical interface that would be viewed at the regional or national control centre by operators and used to control the electricity network.
- COS. Control Operator Simulator. Simulates an operator who monitors the state of the electricity network and adjusts the capacitors, reactors and generators to keep the voltage and power within limits.
Anomaly Detection
At Queen Mary we focused on the problem of building up a model of the electricity data so that the agents could protect against scenarios in which a software error or attack alters this data and causes a blackout (as happened in the recent U.S. blackout). Our anomaly-detecting agent was composed of a number of low-level modules, including range checkers and a linear invariant detector, and the output from these modules was integrated using a Bayesian network to reduce the number of false positives. Some preliminary results from this approach can be found in this paper.
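As an added illustration, not Safeguard code, of how a range checker and a linear invariant detector can be fused by a small Bayesian network so that an isolated alarm is not enough to raise a verdict: the voltage band, the power-balance invariant, the conditional probabilities and the bus readings are all constructed assumptions.

```python
# Added illustration (not Safeguard code): two low-level checks on one bus
# reading, fused by a two-node Bayesian network. Limits, tolerance,
# probabilities and sample readings are constructed for this example.

VOLT_RANGE = (0.95, 1.05)   # assumed per-unit voltage band
INVARIANT_TOL = 0.02        # assumed tolerance on the power-balance residual

def range_check(sample):
    """Range checker: flag a bus voltage outside its operating band."""
    lo, hi = VOLT_RANGE
    return not (lo <= sample["voltage"] <= hi)

def invariant_check(sample):
    """Linear invariant: inflow - outflow - load at a bus must be ~0."""
    residual = sum(sample["inflow"]) - sum(sample["outflow"]) - sample["load"]
    return abs(residual) > INVARIANT_TOL

# Fusion network: hidden node "corrupt" with two observed alarm children.
# Assumed P(alarm | corrupt) and P(alarm | clean) for each checker.
PRIOR_CORRUPT = 0.01
CPT = {"range": {"corrupt": 0.6, "clean": 0.02},
       "invariant": {"corrupt": 0.9, "clean": 0.05}}

def posterior_corrupt(alarms):
    """P(corrupt | alarm pattern) by enumerating the two hidden states."""
    p_c, p_n = PRIOR_CORRUPT, 1.0 - PRIOR_CORRUPT
    for name, fired in alarms.items():
        pc, pn = CPT[name]["corrupt"], CPT[name]["clean"]
        p_c *= pc if fired else 1.0 - pc
        p_n *= pn if fired else 1.0 - pn
    return p_c / (p_c + p_n)

def assess(sample, threshold=0.5):
    """Return (alarms, posterior, verdict) for one measurement record."""
    alarms = {"range": range_check(sample), "invariant": invariant_check(sample)}
    p = posterior_corrupt(alarms)
    return alarms, p, p >= threshold

if __name__ == "__main__":
    # Constructed readings: clean, one corrupted flow, flow and voltage corrupted.
    clean = {"voltage": 1.01, "inflow": [0.50, 0.30], "outflow": [0.45], "load": 0.35}
    one_bad = dict(clean, inflow=[0.50, 0.90])
    two_bad = dict(one_bad, voltage=1.10)
    for s in (clean, one_bad, two_bad):
        print(assess(s))
```

With these numbers a single invariant alarm yields a posterior of about 0.07, while both alarms together give about 0.85, so only the second reading is reported.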
Correlation with Bayesian Workflows
The other problem that I tackled as part of the Safeguard project was how messages arriving from a number of different agents could be correlated together and turned into a response that protects the system or alerts an operator. John Bigham and I developed a solution to this based on a combination of Petri nets and Bayesian networks, which we called Bayesian workflows. In this system, the Bayesian networks reason about what is going on in the system on a moment-to-moment basis and the Petri nets keep track of context, have expectations about other messages or carry out sequences of actions. A simplified Bayesian workflow that deals with a worm attack is shown in Figure 2.
Figure 2. Bayesian workflow to handle a worm attack
This combination of atemporal and temporal reasoning provided a good way of integrating messages from different agents and carrying out an effective response. In the correlation agent, the Petri nets were modelled using the Bossa workflow engine, which enabled it to have potentially thousands of 'streams of thought' running simultaneously without the overhead of separate threads. These workflows could be designed in a separate application and stored as XML, which made it easy to add different types to the system to handle a variety of attacks, failures and accidents.
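An added sketch of the Petri-net-plus-Bayesian pattern, not the correlation agent's own code and not the workflow of Figure 2: a one-token net keeps context (an expectation with a deadline) across messages from the network and AFICK wrapper agents, and an assumed probability table decides whether to ask the firewall agent to change its policy. The message names, the window and the probabilities are constructed for the example.

```python
# Added sketch (not the Safeguard correlation agent, and not Figure 2):
# a one-token Petri-net workflow that keeps context between agent
# messages, with an assumed Bayesian table choosing the response.
from dataclasses import dataclass, field
from typing import Optional

# Assumed P(worm | network anomaly seen, system file changed).
P_WORM = {(False, False): 0.01, (True, False): 0.20,
          (False, True): 0.15, (True, True): 0.90}

@dataclass
class WormWorkflow:
    window: float = 30.0            # seconds the net waits for a second message
    threshold: float = 0.5
    marking: str = "idle"           # places: idle -> waiting -> done
    evidence: dict = field(default_factory=dict)
    deadline: Optional[float] = None
    actions: list = field(default_factory=list)

    def receive(self, source, event, t):
        """Fire whichever transition this message enables; return the new place."""
        if self.marking == "waiting" and t > self.deadline:
            self._reset()           # expectation expired: stale context is dropped
        if self.marking == "idle" and (source, event) == ("network", "scan_burst"):
            self.evidence["net"] = True
            self.deadline = t + self.window
            self.marking = "waiting"
        elif self.marking == "waiting" and (source, event) == ("afick", "system_file_changed"):
            self.evidence["file"] = True
            self._decide()
        return self.marking

    def _decide(self):
        # Bayesian node: moment-to-moment judgement on the evidence gathered so far.
        p = P_WORM[(self.evidence.get("net", False), self.evidence.get("file", False))]
        if p >= self.threshold:
            self.actions.append(("firewall", "restrict_outbound", p))
            self.marking = "done"
        else:
            self._reset()

    def _reset(self):
        self.marking, self.evidence, self.deadline = "idle", {}, None

def run(messages):
    # Replay constructed (source, event, time) messages; return final place and actions.
    wf = WormWorkflow()
    for m in messages:
        wf.receive(*m)
    return wf.marking, wf.actions
```

Replaying `[("network", "scan_burst", 0.0), ("afick", "system_file_changed", 12.0)]` ends in place `done` with one firewall action, whereas the same file-change message at t=90.0 arrives after the 30-second expectation has lapsed and the net falls back to `idle` with no action.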
Security Agents
To improve the security monitoring of the system I wrote a number of agents to wrap existing software. These included an agent monitoring network activity, an agent monitoring changes in system files (using AFICK) and an agent wrapping the Windows firewall, which dynamically changed its policy in response to messages from the correlation agent.
Electricity Test Data
After the end of the Safeguard project I continued to work at Queen Mary on a part-time basis. One of the outcomes of this work was a set of electricity data designed for the development and testing of new anomaly-detecting methodologies. This includes a year's worth of normal data and a number of data sets that have been corrupted in a variety of realistic ways.
