Anomaly and Intrusion Detection in IoT Networks with Enterprise Scale Endpoint Communication

This is part one of a series of articles to be published on LinkedIn based on a classroom project for ISM 647: Cognitive Computing and Artificial Intelligence Applications taught by Dr. Hamid R. Nemati at the University of North Carolina at Greensboro Bryan School of Business and Economics.

The Internet of Things (IoT) continues to be one of the most innovative and exciting areas of technology in the last decade. IoT are a collection of devices that reside in the world that collect data from the environment around it or through mechanical, electrical, thermodynamic or hydrological processes. These environments could be the human body, geological areas, the atmosphere, etc. The networking of IoT devices has been more prevalent in the many industries for years including the gas, oil and utilities industry. As companies create demand for higher sample read rates of data from sensors, meters and other IoT devices and bad actors from foreign and domestic sources have become more prevalent and brazen, these networks have become vulnerable to security threats due to their increasing ubiquity and evolving role in industry. In addition to this, these networks are also prone to read rate fluctuations that can produce false positives for anomaly and intrusion detection systems when you have enterprise scale deployment of devices that are sending TCP/IP transmissions of data upstream to central office locations. This paper focuses on developing an application for anomaly detection using cognitive computing and artificial Intelligence as a way to get better anomaly and intrusion detection in enterprise scale IoT applications.

This project is to use the capabilities of automating machine learning to develop a cognitive application that addresses possible security threats in high volume IoT networks such as utilities, smart city, manufacturing networks. These are networks that have high communication read success rates with hundreds of thousands to millions of IoT sensors; however, they still may have issues such as:

  1. Noncommunication or missing/gap communication.
  2. Maintenance Work Orders
  3. Alarm Events (Tamper/Power outages)

In large scale IoT networks, such interruptions are normal to business operations. Certainly, noncommunication is typically experienced because devices fail, or get swapped out due to a legitimate work order. Weather events and people, can also cause issues with the endpoint device itself, as power outages can cause connected routers to fail, and tampering with a device, such as people trying to do a hardwire by-pass or removing a meter.

The scope of this project is to build machine learning models that address IP specific attacks on the IoT network such as DDoS from within and external to the networking infrastructure. These particular models should be intelligent enough to predict network attacks (true positive) versus communication issues (true negative). Network communication typical for such an IoT network include:

  1. Short range: Wi-Fi, Zigbee, Bluetooth, Z-ware, NFC.
  2. Long range: 2G, 3G, 4G, LTE, 5G.
  3. Protocols: IPv4/IPv6, SLIP, uIP, RLP, TCP/UDP.

Eventually, as such machine learning and deep learning models expand, these types of communications will also be monitored.

Scope of Project

This project will focus on complex IoT systems typical in multi-tier architectures within corporations. As part of the research into the analytical properties of IT systems, this project will focus primarily on the characteristics of operations that begin with the collection of data through transactions or data sensing, and end with storage in data warehouses, repositories, billing, auditing and other systems of record. Examples include:

  1. Building a simulator application in Cisco Packet Tracer for a mock IoT network.
  2. Creating a Machine Learning anomaly detection model in Azure.
  3. Generating and collecting simulated and actual TCP/IP network traffic data from open data repositories in order to train and score the team machine learning model.

Other characteristics of the IT systems that will be researched as part of this project, include systems that preform the following:

  1. Collect, store, aggregate and transport large data sets
  2. Require application integration, such as web services, remote API calls, etc.
  3. Are beyond a single stack solution.

Next: Business Use Cases and IoT security

Derek MooreErica Davis, and Hank Galbraith, authors.

Deep Learning, Oracle Database Performance and the Future of Autonomous Databases

“The goal is to have databases in the Cloud run autonomously.  The Cloud should be about scale, elasticity, statelessness and ease of operation and interoperability.  Cloud infrastructures are about moving processes into microservices and the agile deployment of business services.  Deep Learning has the potential to give databases innovative and powerful level autonomy in a multitenant environment, allowing DBAs the freedom to offer expertise in system architecture and design…”.

Introduction

This article details initial research performed using deep learning algorithms to detect anomalies in Oracle performance.  It does not serve as a “deep” dive into deep learning and machine learning algorithms.  Currently, there are many really good resources available from experts on the subject matter and I strongly recommend those who are interested in learning more about these topics to check out the list of references at the end of this article.  Mathematical terminology is used throughout this article (it’s almost impossible to avoid), but I attempted to keep the descriptions brief, as it’s best that people interested in these topics seek to out the rich resources available online to get a better breadth of information on individual subjects.

 

In this final article on Oracle performance tuning and machine learning, I will discuss the application of deep learning models in predicting performance and detecting anomalies in Oracle.  Deep Learning is a branch of Machine Learning method that uses intensive Artificial Intelligence (AI) techniques with data to learn iteratively; while deploying optimization and minimization functions. Applications for these techniques include natural language processing, image recognition, self-driving cars, anomaly and fraud detection.  With the number of applications for deep learning models growing substantially in the last few years, it was only a matter of time that it would find its way into relational databases.   Relational databases have sort of become the workhorses of the IT industry and still generate massive amounts of revenue.  Many data-driven applications still use some type of relational database; even with the growth of Hadoop and NoSQL databases.  It’s been a business goal of Oracle Corporation, one of the largest relational database software companies in the world, to create database services that are easier manage, secure and operate.

As I mentioned in my previous article, Oracle Enterprise Edition has a workload data repository that it already uses to produce great analysis for performance and workload.  Microsoft SQL-Server also has a warehouse that can store performance data, but I’ve decided to devote my research into Oracle.

For this analysis, the focus was specifically on the Oracle Program Global Area (PGA).

Oracle Program Global Area

 

The Program Global Area (PGA) is a private memory in the database that contains information for server processes.  Each user session gets a private memory region within the PGA.  Oracle will read and write information to the PGA based on requests from server processes.  The PGA performance metrics accessed for this article are based on Oracle Automatic Shared Memory Management (ASMM).

As a DBA, when troubleshooting PGA performance, I typically look at the PGA advisor, which are a series of modules that collects monitoring and performance data from PGA.  It recommends how large the PGA should be in order to fulfill process requests for private memory and is based on the Cache Hit Percentage value.

 

Methodology

 

The database was staged in a Microsoft Azure virtual machine processing large scale data from a data generator.  Other data was compiled from public portals such as EAI (Energy Administration Institute) and PJM Interconnection, an eastern regional transmission organization.

Tools used to perform the analysis include SAS Enterprise Miner, Azure Machine Learning studio and the SciKit Learn with TensorFlow machine learning libraries.  I’ve focused my research on a few popular techniques for which I continuously do research.  These include

  • Recurrent Neural Networks
  • Autoencoders
  • K-Nearest Neighbors
  • Naїve Bayes
  • Principal Component Analysis
  • Decision Trees
  • Support Vector Machines
  • Convolutional Neural Network
  • Random Forest

For this research into databases, I focused primarily on SVM, PCA and CNN. The first step was to look at the variable worth (the variables that had the greatest weight on the model) for data points per sample.

 

picture2

 

 

The analysis of Oracle Performance data on Process Memory within dedicated process memory in Oracle in the program global area of the database.

Once the data was collected, cleaned, imputed and partitioned, Azure ML studio was used to build two types of classifiers for anomaly detection.

 

Support Vector Machine (SVM):  Implements a binary classifier where the training data consists of examples of only one class (normal data).  The model attempts to separate the collection of training data from the origin using maximum margin.

 

Principal Component Analysis (PCA): Create subspace spanned by orthonormal eigenvectors associated with the top eigenvalues of the data covariance matrix for approximation of classifiers.

 

For prediction, I compared Artificial Neural Networks and Regression models.  For Deep Learning, I researched the use of CNN specifically for anomaly detection.

 

Deep Learning and Oracle Database Performance Tuning

My article Using Machine Learning and Data Science for Performance Tuning in Oracle  discusses the use of Oracle’s automated workflow repository, a data warehouse which stores snapshots of views for SQL, O/S and system state and active session history among many other areas of system performance.  Standard data science methods require having a strong understanding of business processes through qualitative and quantitative methods, cleaning data to find outliers and missing values, and applying data partitioning strategies to get better data validation and scoring of models.  As a final step, a review of the results would be required to determine its hypothetical testing accuracy.

 

Deep Learning has changed these methodologies a bit by applying artificial intelligence into building models.  These models learn from iteratively training as data moves from hidden layers with activation functions from input to output.  The hidden layers in this article are convolutional and are specific to spatial approximations such as convolution, pooling and fully connected layers (FCL).  This has opened many opportunities to automate a lot of the steps typically used in typical data science models.  If there is data generated which would require interpretation by a human operator, this can now be interpreted using deep neural networks at much higher rates that can possibly be done by a human operator.

 

Deep Learning is a subset of Machine Learning which is loosely based on how neurons learn in in the brain.  Neural networks have been around for decades but have just recently gained popularity in the information technology for its ability to identify and classify images.  Image data has exploded with the increase in social media platforms, digital images and image data storage.  Imaging data, along with text data how a multitude of applications in the real world, so there is no shortage of work being done in this area.  The latest popularity of neural networks can be attributed to Alexnet, a deep neural network that on the ImageNet classification challenge for achieving low error rates on the ImageNet dataset.

 

With anomaly detection, the idea is to train a deep learning models to detect anomalies without overfitting data.  As the model iterates through the layers of a deep neural network, cost functions help to determine how close it is classifying real-world data.  The model should have no prior knowledge of the processes and should be iteratively trained in the data for the cost functions from input arrays and activation functions of other previous layers [7].

 

Anomaly detection is the process of detecting outliers in the data streams such as financial transactions and network traffic. It can also be applied to deviations in system performance for the purpose of this article.

 

Predictive Analysis versus Anomaly Detection

Using predictive analytics to model targets through supervised learning techniques is most useful in planning for capacity and performing aggregated analysis of resource consumption and database performance.  For the model, we analyzed regression and neural network models to determine how well each one scored based on inputs from PGA metrics.

Predictive analysis requires cleansing of data, supervised and non-supervised classification, imputation and variable worth selection to create model. Most applications can be scored best with linear or logistic regression.  In the analysis on PGA performance, I found a logistic regression model scored better than an artificial neural network for predictive ability.

 

picture3

 

In my previous article, I mentioned the role that machine learning and data science can play in Oracle performance data.

  1. Capacity Planning and IT Asset Planning.
  2. Performance Management
  3. Business Process Analysis

The fourth application for data science and machine learning in Oracle is anomaly detection.  Which specifically means applying artificial intelligence to the training of algorithms mostly used in image recognition and language processing and credit fraud detection.  It’s also a possibly less efficient way of detecting performance problems in Oracle performance.  To attempt to obtain accuracy in the algorithm presents a risk itself, since such models could result in overfitting and high dimensionality that you want to avoid in deep neural networks.  Getting accuracy that is comparable to what I human operator can do, works better because basically you don’t want the process to overthink things.  The result of an overfitting model is a lot of false positives.  You want the most accurate signs of an anomaly, not a model that is oversensitive.  Deep Learning techniques also perform intense resource consumption to generate output in a neural network.  Most business scale applications require GPUs to build them efficiently.

Convolutional Neural Networks

 

Convolutional Neural Networks (CNN) are designed for high dimensional data such as images and signals.  It’s used for computer vision as well as network intrusion detection and anomaly detection.  Oracle performance data is designed as normal text (ASCII) data and contains many different ranges of metrics like seconds versus bytes of memory. Using a mathematical normalization formula, text data can be converted in vector arrays that can be mapped, pooled and compressed.  Convolutional Neural Networks are good distinguishing features in an image matrix.  Computationally, it is efficient to represent images as multi-dimensional arrays.

 

The first step is to normalize the PGA data, which contains multiple scales and features.  Below is a sample of the data.

picture4

 

Normalizing the data can be done with the following formula[8]:

2019-03-29_10-33-41

 

The second step is to convert this data into image format.  This would require building a dimensional array of all the features.  Filtering the array can be done by removing small variances and nonlinear features to generate an overall neutral vector.  The goal is to normalize and create a multidimensional array of the data.

 

CNN is often used to identify the NMIST data, which is a set of handwritten numbers.  It contains 60,000 training images and 10,000 testing images.  Researchers have used CNN to get an error rate on the NMIST data of less than 1%.

 

Convolution Neural Networks have five basic components, input layer, convolution layer, pooling layer, fully connected layer and output layer.  Below is a visual of how CNN works to recognize an image of a bird versus and image of a cat.

 

picture4picture5

The activation function uses a popular rectified linear unit ReLU, which is typical used for CNN.  Popular activation functions include logistic sigmoid and hyperbolic tangents.  ReLU is defined as a linear y=x for positive values and linear y=0 for negative values.  It’s great as an activation function for CNN, due to it’s simplicity and because it helps the time it takes to iterate in the neural network.

 

 

 

Comparing Support Vector Machines (SVM) and Principal Component Analysis (PCA)

Support Vector Machines or SVM are good for finding large margin classifications and identifying vectors of data that are related.  The nice thing about SVM is that it has features to deal with outliers built into it. Support Vector Machines is a feature-rich supervised machine learning technique used for classification of observations by their coordinates.  I compared the SVM with principal component analysis (PCA) to approximate.  PCA creates subspaces spanned by orthonormal eigenvectors associated with the top eigenvalues of the data covariance matrix.  PCA based methods help to remove redundancy and reduce dimensionality that is persistent in performance data.   Once data was split into training and testing, we used SVM and PCA to optimize multiple dimensions in the data.

 

 

Evaluation of Machine Learning Models for Oracle Workloads

For this test, we compared neural networking regression models and ANN.  Deep Learning of patterns concerned with anomalies within a database require AI style learning techniques.  Finding the correct classifier for performance metrics to improve the accuracy of an Oracle anomaly detection system can include ANN, naive Bayes, k-nearest neighbors and general algorithms.

 

There are several classification methods that can be used when evaluating anomaly detection models

 

  • RoC Curve
  • Area under RoC
  • Precision-Recall Curve
  • Mean average precision (mAP)
  • Accuracy of classification

 

Below is a RoC chart used to score PCA and SVM models.  RoC charts plot false positive rates against true positive rates.   When comparing the PCA and the SVM model, PCA had a higher true positive rate.

picture6

Summary:  The Future of Autonomous Databases

Oracle has released its first deep learning database, marketed as “The world’s first self-driving database”.  Oracle has announced 18c as a new autonomous database that requires no human labor for daily operational task, can provide more security, and automate most database processes.  The database will self-tune, self-upgrade and self-patch – all while maintaining %99.995 availability with machine learning.  For many companies, especially those working on cloud and PaaS infrastructures, this will mean lower costs.  With Exadata, this would include compression techniques that would add further benefits to very large and enterprise level workloads.

 

Will there be more databases that will be completely run by Artificial Intelligence and Deep Learning algorithms?  As a DBA, maintaining a database can be arduous, but many of my DBA colleagues enjoy the respect and prestige of database management and database tuning.  With the role of a DBA evolving rapidly, autonomous database may provide the freedom for DBAs to provide database design and development to corporate teams.

 

It remains to be seen if databases as a service (DBaaS) will reach the reality of full autonomy.  It’s bound to happen before automobiles become level 5 autonomous.  Selecting the service on this platform could provide opportunities of minimal configurations – and you’re done.  Everything else is taken care of.  There would be no operator, either in the hosted environment or on premise, nor would anyone ever touch the database for any reason except for application and software development.

 

In summary, this is a very high-level article on techniques for using deep learning and machine learning on Oracle performance data.  I hope that this cursory introduction will inspire DBAs and operators to do their own research and apply it to their toolbox.

 

References

 

1http://deeplearning.net/reading-list/

 

2https://www.analyticsvidhya.com/

 

3http://www.kdnuggets.com/

 

4http://www.ieee.org/

 

5https://www.computer.org/

 

6https://www.udacity.com/course/deep-learning-nanodegree-nd101se/deep-learning-nanodegree–nd101

 

7https://www.fast.ai

 

8“A Novel Intrusion Detection Model for Massive Network Using Convolutional Neural Networks” Kehe Wu; Zuge Chen; Wei Li.  IEEE Access. Received July 29, 2018.

 

9“Enhanced Network Anomaly Detection Based on Deep Neural Networks”.  Naseer, Sheraz; Saleem, Yasir; Khalid, Shezad, Bashir, Muhammad Khawar; Jihun Han, Iqbal, Muhammad Munwar; Kijun Han.  IEEE Acwwwcess Received June 3, 2018.  Accepted July 16, 2018.

 

10https://www.pyimagesearch.com Dr. Adrian Rosebrock

 

11U.S. Energy Information Administration. https://www.eia.gov/.

 

12PJM Interconnection.  https://www.pjm.com/markets-and-operations.aspx

 

13Oracle Corporation.  https://www.oracle.com/index.html

DataSciCon.Tech 2017 Review

Saturday, December 2nd , 2017

DataSciCon.Tech is a data science conference held in Atlanta, Georgia Wednesday November 29th to Friday, December 1st and includes both workshops and conference lectures. It took place at the Global Learning Center on the campus of Georgia Tech.  This was the first year of this conference, and I attended to get a sense of the data science scene in Atlanta.  Overall, the experience was very enlightening and introduced me to the dynamic and intensive work being conducted in the area of data science.

IMG_1786

Keynote speaker Rob High, CTO of IBM Watson, discussing IBM Watson and Artificial Intelligence (DataSciCon.Tech 2017).

DataSciCon.Tech Workshops

Four workshop tracks were held Wednesday including Introduction to Machine Learning with Python and TensorFlow, Tableau Hands-on Workshop, Data Science for Discover, Innovation and Value Creation and Data Science with R Workshop.  I elected to attend the Machine Learning with Python with TensorFlow track.  TensorFlow is an open source software library for numerical computations using data flow graphs for Machine Learning.

To prepare for the conference, I installed the TensorFlow module downloaded from https://www.tensorflow.org/install.  In addition to TensorFlow, I downloaded Anaconda (https://www.anaconda.com/), a great Python development environment for those practicing data science programming and includes many of the Python data science packages such as Numpy and SciKit-Learn.

Among the predictive and classification modeling techniques discussed in the workshop:

  • Neural Networks
  • Naive Bayes
  • Linear Regression
  • k -nearest neighbor (kNN)  analysis

These modeling techniques are popular for classifying data and predictive analysis.    Few training sessions on Python, SciKit-Learn or Numpy go into these algorithms in detail due to the various math educational levels of the audience members.  For the course, we used Jupyter Notebook, a web-based python development environment which allows you to share and present your code and results using web services.  Jupyter Notebook can also be hosted in Microsoft Azure, as well as, in other cloud platforms such as Anaconda Cloud and AWS.  To host Python Jupyter Notebook in Azure sign into  https://notebooks.azure.com.

TensorFlow

TensorFlow has a series of functions that uses neural networks and machine learning to test, train and score models.  The advantage of TensorFlow is its ability to train models faster than other modules, which is a very big advantage since splitting data for training models is a process intensive operation. It is particularly powerful on the Graphics Processing Unit (GPU) architecture popular for Machine Learning and Deep Learning.

Download Tensorflow from http://tensorflow.org.  The website also includes a Neural Network Tensorflow sandlot at http://playground.tensorflow.org.

2017-11-29_16-11-32

source:  http://playground.tensorflow.org.  tensorflow.org (DataSciCon.Tech)

DataSciCon.Tech Sessions

I’m going to break down the sessions I attended into the main topics that were covered.  So this is a very high level, one hundred foot point-of-view of the topics covered at the conference.  My plan is to create a few more blogs on the topic that will go into my work as an aspiring data scientist/data architect.  All the information in this blog is based on information presented at the DataSciCon.Tech 2017 conference.

Machine Learning and Artificial Intelligence

The conference emphasized Artificial Intelligence and Machine Learning pretty heavily.  Artificial Intelligence was discussed more in theory and direct applications than design and development.  There were a few demonstrations of the popular IBM Watson Artificial Intelligence system; but I want to focus this blog primarily on Machine Learning, as it’s something that interests me and other data architects.  Artificial Intelligence and Machine Learning are both based on computerized learning algorithms.  Machine Learning uses past data to learn, predict events or identify anomalies.

Another key fact presented at the conference is the number of open source projects and companies that have produced software modules, libraries and packages devoted to the use and implementation of Machine Learning in business applications.  I strongly recommend anyone interested in learning more to research the software solutions discussed in this blog and how they can be implemented.

For those who are new to the concept of Machine Learning (like me), essentially it is defined as follows:

Machine Learning is a subset of Artificial Intelligence that focuses on creating models that learn and predict events based on past data without a human computer programmer having to change code to adapt to new events.  An example would be a spam filter learning new exploits and then blocking those exploits.

2017-12-02_8-17-02 Continue reading