Functional networks: from brain dynamics to information systems security
David Papo
URJC, Móstoles, 31 October 2014
Goal
To illustrate the motivation for a functional network representation in information systems security.
2
Outline
1) Networks in neuroscience: potential and methods
2) Mini introduction to networks
3) Network theory and Information systems security issues: some suggestions
3
Networks in the brain
4
Some facts about the brain
• Circuitry:
– ~ 10¹¹ neurons (~ 10⁴ synapses/neuron)
– ~ 150,000 km of cables
– 10⁵ neurons, 10⁸ synapses, 4 km of axons (diameter: ~ 0.3 µm) per mm³
• Theoretical band-pass ~ 1 terabit/s (~ total internet capacity 2002)
• Storage capacity: 10¹² bytes
• Computation rate: 3.6 × 10¹⁵ synaptic operations
• Computational efficiency: 10¹⁵ synaptic operations/joule
• Energy consumption:
– ~ 2% total body weight
– ~ 15% cardiac output
– ~ 20% total oxygen consumption
– ~ 25% total glucose consumption
– ~ 50% energy is used to send signals (axons & synapses)
How does the brain cope with the energetic problem?
5
Appropriate design
• Component miniaturisation
• Elimination of superfluous signals
• Sparse information “codes”
– Distribution in space and time
– Multiscale-ness
6
• Brain activity consists of transient spatio-temporal patterns of correlated activity
• Even at rest, this activity is non random
Contains structure both in space and in time: neuronal assemblies form at all spatial scales and with non-trivial temporal patterns
• Observed function results from the renormalization of activity at all these scales
• Patterns seen during task-induced activation are already present in spontaneous activity
Understanding the effect of perturbations without perturbing the system
7
The brain in action
Statistical mechanics approach
• ~ 10¹¹ neurons (~ 10⁴ synapses)
• ~ 150,000 km of cables
• 1 mm³ of rat cortex contains: 10⁵ neurons, 10⁸ synapses, 4 km of axons
• Theoretical band-pass ~ 1 terabit/s (~ total internet capacity 2002)
8
Anatomical network: physical cables
Dynamical network: information packets
Complex networks representation
Statistical mechanics approach: observable macroscopic properties emerge as a result of the interactions of a huge number of microscopic particles (the characteristics of each particle are not important)
Describing systems as complex networks
From: R.V. Solé and S. Valverde, Lecture Notes in Physics, 60, 189, 2004
Read more at: Boccaletti et al., Phys. Rep., (2006)
Network: set of nodes connected by links
Graph theory: set of mathematical tools allowing a quantitative characterization of a system at many spatial and temporal scales
9
A fleeting foray into complex network theory
10
What’s a network?
Network: set of labeled nodes and links uniting them
[Figure: network with nodes labeled 1 to 5]
Adjacency matrix: the matrix of entries a(i,j) = 1 if there is a link between nodes i and j, a(i,j) = 0 otherwise

0 1 0 0 0
1 0 1 0 1
0 1 0 1 1
0 0 1 0 1
0 1 1 1 0
11
Degree distribution
Degree of node i: number of links of node i
$k_i = \sum_j a_{ij}$
Degree distribution P(k): how many nodes have degree k
[Figure: the network with nodes labeled 1 to 5, and a plot of P(k) for k = 1, 2, 3]
12
Clustering coefficient
Local clustering coefficient:
$C_i = \frac{\#\text{ of closed triangles}}{k_i (k_i - 1)/2}$
Clustering coefficient of nodes 2 and 3: $C_2 = \frac{1}{3}$, $C_3 = \frac{2}{3}$
[Figure: the network with nodes labeled 1 to 5]
13
Shortest distance
The shortest distance between two nodes is the minimal number of links that a path must hop to go from the source to the destination.
The shortest distance between node 4 and node 1 is 3; between node 3 and node 1 it is 2.
[Figure: the network with nodes labeled 1 to 5]
14
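The definitions from the last four slides, computed on the adjacency matrix shown under "What's a network?". This is an added example, not part of the original slides; it assumes the later slides use the same five-node network, and the function names are illustrative.

```python
from collections import Counter, deque
from fractions import Fraction

# Adjacency matrix from the "What's a network?" slide; nodes are labelled 1..5.
A = [
    [0, 1, 0, 0, 0],
    [1, 0, 1, 0, 1],
    [0, 1, 0, 1, 1],
    [0, 0, 1, 0, 1],
    [0, 1, 1, 1, 0],
]
NODES = range(1, len(A) + 1)

def neighbours(i):
    return [j for j in NODES if A[i - 1][j - 1]]

def degree(i):
    """k_i = sum_j a_ij"""
    return sum(A[i - 1])

def degree_distribution():
    """P(k): number of nodes with degree k."""
    return dict(Counter(degree(i) for i in NODES))

def clustering(i):
    """C_i = closed triangles at i / (k_i (k_i - 1) / 2), as an exact fraction."""
    nb, k = neighbours(i), degree(i)
    if k < 2:
        return Fraction(0)
    closed = sum(A[u - 1][v - 1] for n, u in enumerate(nb) for v in nb[n + 1:])
    return Fraction(closed, k * (k - 1) // 2)

def shortest_distance(src, dst):
    """Breadth-first search; returns the hop count, or None if unreachable."""
    dist, queue = {src: 0}, deque([src])
    while queue:
        u = queue.popleft()
        if u == dst:
            return dist[u]
        for v in neighbours(u):
            if v not in dist:
                dist[v] = dist[u] + 1
                queue.append(v)
    return None

if __name__ == "__main__":
    print(degree_distribution(), clustering(2), clustering(3))
    print(shortest_distance(4, 1), shortest_distance(3, 1))
```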
Communities
A community is a set of nodes with a similar connectivity pattern.
Examples: dolphins social network; high-school dating networks
S. Fortunato, Phys. Rep. (2010)
15
Protein-protein networks
Social networks
Extraction of sector information in financial markets
Minimal-Spanning-Trees; Planar maximally filtered graphs
NYSE daily returns, USA equity market 1995-98
Bonanno et al. (2003); Tumminello et al. (2007)
17
“Communities”
More links “inside” than “outside”
Community structure
18
There is no absolute definition of community, only a relative one.
A network has a community structure if it is more ordered than a random version of it (null model).
Null model: class of random networks with the same degree sequence as the original one.
Community structure
19
There are many algorithms for community detection.
A new paradigm for brain function
• From few degrees of freedom to statistical mechanics
• Micro, meso and macroscopic scales (N.B. scales are relative)
• Emergence of function: network topological properties at all scales rather than specific nodes' ones
• From important parts to general organizing principles
– Nodes and node centrality
– Global properties: SW, scale-free; assortativity (but at what scales?); core-periphery
– Mesoscale properties: motifs, community structure
– Relationships across scales: hierarchical structure; self-similarity, self-dissimilarity
21
A new paradigm for brain function
• From structure to dynamics to function
– Anatomical vs dynamical networks
– Anatomy structure; dynamics function
• The brain as a biophysical object
– Observed activity as the result of an evolutionary process
– Morphospaces
– Efficiency and costs (e.g. SW: high efficiency for low wiring costs)
– Robustness and adaptivity (e.g. modularity)
• Characterizing brain disease and cognitive function
– Anatomical networks, resting state, task-activated dynamical networks: relationships between them?
– Healthy brains vs. psychiatric/neurological diseases
22
Detecting alerts: the case of epilepsy
• Seizure etiology and propagation Abnormal pattern of synchronization across brain regions
Focal, multifocal, extended support
Spatio-temporal nature of seizure propagation
Plurality of predictors [behavioural, neurophysiological] • Are they related to each other?
• Seizure detection (retroactive or in real time)
Spiking activity even in normal brains
• Seizure prediction (proactive)
Nonlinear correlations
23
Sensitivity vs. specificity
Building networks from experimental data
24
1) Define the network nodes.
2) Estimate a metric of association between nodes.
3) Generate an association matrix and apply a threshold to each element, giving an adjacency matrix or undirected graph.
4) Calculate network parameters of interest (compare to a population of random networks).
Building Networks
Eguiluz et al. (2005) 25
Functional networks as correlation
Functional networks as causality
27
Networks and Security
28
Credit card fraud Detecting clusters of similar users
Peer group analysis: system that allows identifying accounts that are behaving differently from others at one moment in time whereas they were behaving the same previously.
Normal behavior Suspected fraud
Bolton, R. J., & Hand, D. J. (2001). Unsupervised profiling methods for fraud detection.
Credit Scoring and Credit Control VII, 235-255. 29
Credit card fraud Detecting clusters of similar users
Problem: Complexity of defining similarity
Why functional networks? Great flexibility in the type of co-occurrence
Relationships can be non-linear
30
Credit card fraud Detecting clusters of similar users
Problem: difficulty in detecting groups of users. Sub-networks are not complete: A may be similar to B, B to C, but A and C may be different
Why functional networks? Detecting meso-scales and communities in real data sets
Serrà, J., Zanin, M., Herrera, P., & Serra, X. (2012). Characterization and exploitation of community structure in
cover song networks. Pattern Recognition Letters, 33 (9), 1032-1041. 31
Credit card fraud Detecting clusters of similar users
Problem: Changes in groups. For instance, a student that starts working – thus changing his/her habits
Why functional networks? Meso-scale goes beyond a single group
Analysis of time-varying networks
32
Credit card fraud Detecting clusters of similar stores
Similarly to peer group analysis, it is possible to detect groups of similar stores.
Problems:
• Store name is not fully identifying, as a single entity may use different names
• Low volume stores may not have the same risk as their peer group
The solution: content analysis using functional networks
• Stores are connected when they carry out similar transactions in similar volumes
• Use of text mining to complement low-level numerical information
• Possible use of multi-layer structures
Detecting and measuring risk with predictive models using content mining US 7376618 B1 33
Credit card fraud Forecasting legal transactions
Detect patterns in the use of credit cards, to forecast a legal transaction before it takes place
Similar to recommender systems in on-line stores
Zanin, M., Cano, P., Buldú, J. M., & Celma, O. (2008, January). Complex networks in recommendation systems.
In Proc. 2nd WSEAS Int. Conf. on Computer Engineering and Applications, Acapulco, Mexico.
Lü, L., Medo, M., Yeung, C. H., Zhang, Y. C., Zhang, Z. K., & Zhou, T. (2012). Recommender systems.
Physics Reports, 519(1), 1-49.
Why analyze transactions when they can be forecast?
34
Network security
Spatio-temporal correlations
Attacks on a network are usually distributed among its nodes. Moreover, attacks against a network may also involve multiple steps: evidence is typically distributed over time as well.
Jiang, G., & Cybenko, G. (2004, June). Temporal and spatial distributed event correlation for network security.
In American Control Conference, 2004. Proceedings of the 2004 (Vol. 2, pp. 996-1001). IEEE.
Computer networks as dynamical systems
Events as observables of their dynamics
35
Network security
Spatio-temporal correlations
Types of observables:
Firewall warning
Intrusion Detection System (IDS) alerts
Software log files
Internet and Ethernet communications
Users and programs activity
CPU and memory load
High-level semantic
Low-level data
36
Network security
Spatio-temporal correlations
Major problem:
High number of false alarms
Reconstruct the topological space of true alarms
Nodes represent alarms
Pairwise connected when they co-occur in a real attack
37
Network security
Spatio-temporal correlations
Advantages:
1. Strengthens the diagnosis
2. Reduces the overall number of alarms
3. Improves the content of the alarms
Morin, B., & Debar, H. (2003, January). Correlation of intrusion symptoms: an application of chronicles.
In Recent Advances in Intrusion Detection (pp. 94-112). Springer Berlin Heidelberg. 38
Network security Spatio-temporal correlations
What about causality?
Reconstruct functional networks based on causality relations between alerts
Root alert
Cascade effect Cascade effect
39
Network security
Spatio-temporal correlations
Advantages:
1. Post-event analysis of attacks
2. Identification of root alarms, i.e. those acting at the beginning of the attack
3. Identification of redundant alarms
Lee, W., & Qin, X. (2005). Statistical causality analysis of INFOSEC alert data.
In Managing Cyber Threats (pp. 101-127). Springer US. 40
Network security
Spatio-temporal correlations
Alternative solution:
Monitoring the appearance of some standard attack patterns
Pattern 1 Pattern 2 Pattern n
41
Network security
Spatio-temporal correlations
Major problem:
The system is reactive, in that the same (or very similar) patterns should have appeared in the past
Pattern matching cannot work under unknown conditions!
42
Problem: Reactive vs. proactive system
Why functional networks? Detect variations from a normal (base-line) network
Network security
Spatio-temporal correlations
The red node is not expected to be central
Security alert
43
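One way to apply the four steps of "Building networks from experimental data" to the base-line comparison on this slide, as an added example that is not part of the original slides. It assumes per-host alert counts as the observable, Pearson correlation as the association metric, degree as the network parameter, and a base-line network (rather than random networks) as the reference; host names, counts, the 0.85 threshold and the function names are all constructed for illustration.

```python
from itertools import combinations
from math import sqrt

def pearson(x, y):
    """Pearson correlation of two equal-length series; 0.0 if either is constant."""
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    sxy = sum((a - mx) * (b - my) for a, b in zip(x, y))
    sxx = sum((a - mx) ** 2 for a in x)
    syy = sum((b - my) ** 2 for b in y)
    return sxy / sqrt(sxx * syy) if sxx and syy else 0.0

def functional_degrees(series, threshold):
    """Nodes = hosts, association = Pearson r, thresholded into an
    undirected graph; the network parameter returned is node degree."""
    degree = {host: 0 for host in series}
    for u, v in combinations(series, 2):
        if pearson(series[u], series[v]) >= threshold:
            degree[u] += 1
            degree[v] += 1
    return degree

def unexpected_hubs(baseline, current, threshold=0.85, min_gain=2):
    """Hosts whose degree rose by at least min_gain relative to the baseline."""
    before = functional_degrees(baseline, threshold)
    after = functional_degrees(current, threshold)
    return sorted(h for h in after if after[h] - before.get(h, 0) >= min_gain)

# Constructed sample data: alert counts per host in eight consecutive windows.
BASELINE = {
    "web1": [12, 12, 12, 12, 8, 8, 8, 8],
    "web2": [12, 12, 12, 12, 6, 6, 6, 6],
    "db1": [10, 10, 6, 6, 10, 10, 6, 6],
    "mail1": [5, 3, 5, 3, 5, 3, 5, 3],
    "ws7": [3, 1, 1, 3, 3, 1, 1, 3],
}
CURRENT = {
    "web1": [16, 8, 8, 16, 12, 4, 4, 12],
    "web2": [18, 6, 6, 18, 12, 0, 0, 12],
    "db1": [14, 6, 2, 10, 14, 6, 2, 10],
    "mail1": [5, 3, 5, 3, 5, 3, 5, 3],
    "ws7": [7, 1, 1, 7, 7, 1, 1, 7],
}

if __name__ == "__main__":
    print(functional_degrees(BASELINE, 0.85))
    print(functional_degrees(CURRENT, 0.85))
    print(unexpected_hubs(BASELINE, CURRENT))
```

In the constructed data only `ws7` goes from isolated to connected with three other hosts, so it is the node reported as unexpectedly central; no attack signature is needed for that result.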
Conclusions
• Substantial similarities between issues encountered when studying normal and pathological brain activity on the one hand, and information systems security on the other hand.
• Functional networks (and the tools of graph analysis and complex network theory) can be used to tackle some of these common problems
44
45