Functional networks: from brain dynamics to information systems security
David Papo
URJC, Móstoles, 31 October 2014

Goal
- To illustrate the motivation for a functional network representation in information systems security.

Outline
1) Networks in neuroscience: potential and methods
2) Mini introduction to networks
3) Network theory and Information systems security issues: some suggestions

Networks in the brain

Some facts about the brain
- Circuitry:
  - ~10^11 neurons (~10^4 synapses/neuron)
  - ~150.000 km of cables
  - 10^5 neurons, 10^8 synapses, 4 km of axons (diameter: ~0.3 µm) per mm^3
- Theoretical band-pass: ~1 terabit/s (~ total internet capacity 2002)
- Storage capacity: 10^12 bytes
- Computation rate: 3.6 × 10^15 synaptic operations
- Computational efficiency: 10^15 synaptic operations/joule
- Energy consumption:
  - ~2% total body weight
  - ~15% cardiac output
  - ~20% total oxygen consumption
  - ~25% total glucose consumption
  - ~50% energy is used to send signals (axons & synapses)
- How does the brain cope with the energetic problem?

Appropriate design
- Component miniaturisation
- Elimination of superfluous signals
- Sparse information codes
- Distribution in space and time
- Multiscale-ness

The brain in action
- Brain activity consists of transient spatio-temporal patterns of correlated activity
- Even at rest, this activity is non random
- Contains structure both in space and in time: neuronal assemblies form at all spatial scales and with non-trivial temporal patterns
- Observed function results from the renormalization of activity at all these scales
- Patterns seen during task-induced activation are already present in spontaneous activity
- Understanding the effect of perturbations without perturbing the system

Statistical Mechanics approach
- ~10^11 neurons (~10^4 synapses)
- ~150.000 km of cables
- 1 mm^3 of rat cortex contains: 10^5 neurons, 10^8 synapses, 4 km of axons
- Theoretical band-pass: ~1 terabit/s (~ total internet capacity 2002)
- Anatomical network: physical cables
- Dynamical network: information packets
- Complex networks representation
- Statistical mechanics approach: observable macroscopic properties emerge as a result of the interactions of a huge number of microscopic particles (the characteristics of each particle are not important)

Describing systems as complex networks
- Network: set of nodes connected by links
- Graph theory: set of mathematical tools allowing a quantitative characterization of a system at many spatial and temporal scales
- From: R.V. Solé and S. Valverde, Lecture Notes in Physics, 60, 189, 2004
- Read more at: Boccaletti et al., Phys. Rep., (2006)

A fleeting foray into complex network theory

What's a network?
- Network: set of labeled nodes and links uniting them
- Adjacency matrix: the matrix of entries a(i,j)=1 if there is a link between node i and j, a(i,j)=0 otherwise

$$\begin{pmatrix} 0 & 1 & 0 & 0 & 0 \\ 1 & 0 & 1 & 0 & 1 \\ 0 & 1 & 0 & 1 & 1 \\ 0 & 0 & 1 & 0 & 1 \\ 0 & 1 & 1 & 1 & 0 \end{pmatrix}$$

[Figure: the example network, nodes 1 to 5]

Degree distribution
- Degree of node i: number of links of node i, $k_i = \sum_j a_{ij}$
- Degree distribution P(k): how many nodes have degree k
[Figure: the example network and a histogram of P(k) against k]

Clustering coefficient
- Local clustering coefficient: $C_i = \dfrac{\#\text{ of closed triangles}}{k_i (k_i - 1)/2}$
- Clustering coefficient of nodes 2, 3: $C_2 = \frac{1}{3}$, $C_3 = \frac{2}{3}$
[Figure: the example network]

Shortest distance
- The shortest distance between two nodes is the minimal number of links that a path must hop to go from the source to the destination
- The shortest distance between node 4 and node 1 is 3; between node 3 and node 1 is 2
[Figure: the example network]

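The three measures above, computed on the five-node network from the adjacency-matrix slide. This is an added example, not code from the original slides; the function names are illustrative.

```python
from collections import Counter, deque

# Adjacency matrix of the five-node example network (row i-1 is node i).
A = [
    [0, 1, 0, 0, 0],
    [1, 0, 1, 0, 1],
    [0, 1, 0, 1, 1],
    [0, 0, 1, 0, 1],
    [0, 1, 1, 1, 0],
]

def neighbours(a, i):
    """Nodes (1-based labels) linked to node i."""
    return [j + 1 for j, linked in enumerate(a[i - 1]) if linked]

def degree_distribution(a):
    """P(k) as counts: how many nodes have degree k."""
    return dict(Counter(sum(row) for row in a))

def clustering(a, i):
    """C_i = closed triangles through i / (k_i (k_i - 1) / 2)."""
    nb = neighbours(a, i)
    k = len(nb)
    if k < 2:
        return 0.0  # convention for nodes with fewer than two neighbours
    closed = sum(a[u - 1][v - 1] for n, u in enumerate(nb) for v in nb[n + 1:])
    return closed / (k * (k - 1) / 2)

def shortest_distance(a, src, dst):
    """Breadth-first search; returns the hop count, or None if unreachable."""
    dist = {src: 0}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            return dist[node]
        for nxt in neighbours(a, node):
            if nxt not in dist:
                dist[nxt] = dist[node] + 1
                queue.append(nxt)
    return None

if __name__ == "__main__":
    print(degree_distribution(A))
    print(clustering(A, 2), clustering(A, 3))
    print(shortest_distance(A, 4, 1), shortest_distance(A, 3, 1))
```
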
Communities
- Dolphins social network
- High-school dating networks
- A community is a set of nodes with a similar connectivity pattern.
- S. Fortunato, Phys. Rep. 2010

- Protein-protein networks
- Social networks

Extraction of sector information in financial markets
- Minimal-Spanning-Trees
- Planar maximally filtered graphs
- NYSE daily returns
- USA equity market 1995-98
- Bonanno et al. (2003)
- Tumminello et al. (2007)

Community structure
- Communities: more links inside than outside

Community structure
- There is no absolute definition of community, only a relative one.
- A network has a community structure if it is more ordered than a random version of it (null model).
- Null model: class of random networks with the same degree sequence as the original one.
- There are many algorithms for community detection.

A new paradigm for brain function
- From few degrees of freedom to statistical mechanics
  - Micro, meso and macroscopic scales (N.B. scales are relative)
  - Emergence of function
  - Network topological properties at all scales rather than specific node's ones
- From important parts to general organizing principles
  - Nodes and node centrality
  - Global properties: SW, scale-free; assortativity (but at what scales?); core-periphery
  - Mesoscale properties: motifs, community structure
  - Relationships across scales: hierarchical structure; self-similarity, self-dissimilarity

A new paradigm for brain function
- From structure to dynamics to function
  - Anatomical vs dynamical networks
  - Anatomy structure; dynamics function
- The brain as a biophysical object
  - Observed activity as the result of an evolutionary process: morphospaces
  - Efficiency and costs, e.g. SW: high efficiency for low wiring costs
  - Robustness and adaptivity, e.g. modularity
- Characterizing brain disease and cognitive function
  - Anatomical networks, resting state, task-activated dynamical networks
  - Relationships between them?
  - Healthy brains vs. psychiatric/neurological diseases

Detecting alerts: the case of epilepsy
- Seizure etiology and propagation
- Abnormal pattern of synchronization across brain regions
- Focal, multifocal, extended support
- Spatio-temporal nature of seizure propagation
- Plurality of predictors [behavioural, neurophysiological]
- Are they related to each other?
- Seizure detection (retroactive or in real time)
- Spiking activity even in normal brains
- Seizure prediction (proactive)
- Nonlinear correlations
- Sensitivity vs. specificity

Building networks from experimental data
1. Define the network nodes.
2. Estimate a metric of association between nodes.
3. Generate an association matrix and apply a threshold to each element, giving an adjacency matrix or undirected graph.
4. Calculate network parameters of interest (compare to population of random networks).

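The procedure above, applied to constructed per-host event counts. This is an added example, not part of the original slides. The host names, Pearson correlation as the association metric, the 0.8 threshold, the triangle count as the network parameter, and a random null with the same number of edges are all assumptions.

```python
import itertools
import math
import random

# Constructed sample: events per time interval for six hypothetical hosts.
SERIES = {
    "web1": [1, 5, 2, 8, 3, 9, 2, 7],
    "web2": [2, 5, 2, 9, 3, 9, 3, 7],
    "web3": [1, 6, 2, 8, 4, 9, 2, 8],
    "db1":  [4, 4, 9, 9, 1, 1, 6, 6],
    "db2":  [5, 4, 9, 10, 1, 1, 7, 6],
    "db3":  [4, 5, 9, 9, 2, 1, 6, 7],
}

def pearson(x, y):
    """Association metric between the time series of two nodes."""
    mx, my = sum(x) / len(x), sum(y) / len(y)
    cov = sum((a - mx) * (b - my) for a, b in zip(x, y))
    sx = math.sqrt(sum((a - mx) ** 2 for a in x))
    sy = math.sqrt(sum((b - my) ** 2 for b in y))
    return cov / (sx * sy)

def functional_edges(series, threshold=0.8):
    """Threshold the association matrix into an undirected edge set."""
    return {frozenset(p) for p in itertools.combinations(sorted(series), 2)
            if pearson(series[p[0]], series[p[1]]) >= threshold}

def triangles(nodes, edges):
    """Network parameter of interest here: number of closed triangles."""
    return sum(1 for t in itertools.combinations(nodes, 3)
               if all(frozenset(p) in edges for p in itertools.combinations(t, 2)))

def null_mean_triangles(nodes, n_edges, runs=500, seed=1):
    """Mean triangle count over random graphs with the same nodes and edge count."""
    rng = random.Random(seed)
    pairs = [frozenset(p) for p in itertools.combinations(nodes, 2)]
    return sum(triangles(nodes, set(rng.sample(pairs, n_edges)))
               for _ in range(runs)) / runs

if __name__ == "__main__":
    nodes = sorted(SERIES)
    edges = functional_edges(SERIES)
    print(len(edges), triangles(nodes, edges),
          null_mean_triangles(nodes, len(edges)))
```

The observed network has more triangles than the random population, which is the kind of comparison the last step asks for.
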
Building Networks
[Figure: Eguiluz et al. (2005)]

Functional networks as correlation
[Figure: plots; only axis tick labels survive]

Functional networks as causality
[Figure: plots; only axis tick labels survive]

Networks and Security

Credit card fraud: Detecting clusters of similar users
- Peer group analysis: system that allows identifying accounts that are behaving differently from others at one moment in time whereas they were behaving the same previously.
- [Figure labels: normal behavior; suspected fraud]
- Bolton, R. J., & Hand, D. J. (2001). Unsupervised profiling methods for fraud detection. Credit Scoring and Credit Control VII, 235-255.

Credit card fraud: Detecting clusters of similar users
- Problem: complexity of defining similarity
- Why functional networks?
  - Great flexibility in the type of co-occurrence
  - Relationships can be non-linear

Credit card fraud: Detecting clusters of similar users
- Problem: difficulty in detecting groups of users
  - Sub-networks are not complete: A may be similar to B, B to C, but A and C may be different
- Why functional networks?
  - Detecting meso-scales and communities in real data sets
- Serrà, J., Zanin, M., Herrera, P., & Serra, X. (2012). Characterization and exploitation of community structure in cover song networks. Pattern Recognition Letters, 33(9), 1032-1041.

Credit card fraud: Detecting clusters of similar users
- Problem: changes in groups
  - For instance, a student that starts working, thus changing his/her habits
  - Meso-scale goes beyond a single group
- Why functional networks?
  - Analysis of time-varying networks

Credit card fraud: Detecting clusters of similar stores
- Similarly to peer group analysis, it is possible to detect groups of similar stores.
- Problems:
  - Store name is not fully identifying, as a single entity may use different names
  - Low volume stores may not have the same risk as their peer group
- The solution: content analysis using functional networks
  - Stores are connected when carrying out similar transactions in similar volumes
  - Use of text mining to complement low-level numerical information
  - Possible use of multi-layer structures
- Detecting and measuring risk with predictive models using content mining, US 7376618 B1

Credit card fraud: Forecasting legal transactions
- Why analyze transactions when they can be forecast?
- Detect patterns in the use of credit cards, to forecast a legal transaction before it takes place
- Similar to recommender systems in on-line stores
- Zanin, M., Cano, P., Buldú, J. M., & Celma, O. (2008, January). Complex networks in recommendation systems. In Proc. 2nd WSEAS Int. Conf. on Computer Engineering and Applications, Acapulco, Mexico.
- Lü, L., Medo, M., Yeung, C. H., Zhang, Y. C., Zhang, Z. K., & Zhou, T. (2012). Recommender systems. Physics Reports, 519(1), 1-49.

Network security: Spatio-temporal correlations
- Attacks on a network are usually distributed among its nodes.
- Moreover, attacks against a network may also involve multiple steps: evidence is typically distributed over time as well.
- Computer networks as dynamical systems
- Events as observables of their dynamics
- Jiang, G., & Cybenko, G. (2004, June). Temporal and spatial distributed event correlation for network security. In American Control Conference, 2004. Proceedings of the 2004 (Vol. 2, pp. 996-1001). IEEE.

Network security: Spatio-temporal correlations
- Types of observables (figure scale: high-level semantic to low-level data):
  - Firewall warning
  - Intrusion Detection System (IDS) alerts
  - Software log files
  - Internet and Ethernet communications
  - Users and programs activity
  - CPU and memory load

Network security: Spatio-temporal correlations
- Major problem: high number of false alarms
- Reconstruct the topological space of true alarms
  - Nodes represent alarms
  - Pairwise connected when they co-occur in a real attack

Network security: Spatio-temporal correlations
- Advantages:
  1. Strengthens the diagnosis
  2. Reduces the overall number of alarms
  3. Improves the content of the alarms
- Morin, B., & Debar, H. (2003, January). Correlation of intrusion symptoms: an application of chronicles. In Recent Advances in Intrusion Detection (pp. 94-112). Springer Berlin Heidelberg.

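One way to build the network of true alarms described above and use it to group the alerts of a new time window. This is an added example, not from the original slides; the alert names, incident sets and the single-window grouping rule are constructed assumptions.

```python
import itertools

# Constructed sample: alert types seen together in confirmed incidents.
INCIDENTS = [
    {"port_scan", "ssh_bruteforce", "new_admin_user"},
    {"port_scan", "ssh_bruteforce"},
    {"sqli_signature", "db_error_burst", "large_outbound"},
]

def cooccurrence_graph(incidents, min_count=1):
    """Nodes are alarms; two alarms are linked when they co-occurred in at
    least `min_count` confirmed incidents."""
    counts = {}
    for incident in incidents:
        for pair in itertools.combinations(sorted(incident), 2):
            counts[pair] = counts.get(pair, 0) + 1
    graph = {}
    for (a, b), seen in counts.items():
        if seen >= min_count:
            graph.setdefault(a, set()).add(b)
            graph.setdefault(b, set()).add(a)
    return graph

def correlate(window, graph):
    """Split one window of raw alerts into correlated groups (connected in
    the true-alarm graph) and uncorroborated single alerts."""
    present = set(window)
    seen, groups, isolated = set(), [], []
    for alert in sorted(present):
        if alert in seen:
            continue
        component, stack = set(), [alert]
        while stack:
            cur = stack.pop()
            if cur in component:
                continue
            component.add(cur)
            stack.extend((graph.get(cur, set()) & present) - component)
        seen |= component
        if len(component) > 1:
            groups.append(sorted(component))
        else:
            isolated.append(alert)
    return groups, isolated

if __name__ == "__main__":
    g = cooccurrence_graph(INCIDENTS)
    raw = ["port_scan", "ssh_bruteforce", "db_error_burst", "port_scan", "cpu_spike"]
    print(correlate(raw, g))
```

Five raw alerts become one corroborated group plus two low-priority singletons, which illustrates the first two advantages listed on the slide.
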
Network security: Spatio-temporal correlations
- What about causality?
- Reconstruct functional networks based on causality relations between alerts
- [Figure labels: root alert; cascade effect]

Network security: Spatio-temporal correlations
- Advantages:
  1. Post-event analysis of attacks
  2. Identification of root alarms, i.e. those acting at the beginning of the attack
  3. Identification of redundant alarms
- Lee, W., & Qin, X. (2005). Statistical causality analysis of INFOSEC alert data. In Managing Cyber Threats (pp. 101-127). Springer US.

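A directed alert network and its root alert, as an added example that is not from the original slides. It uses simple temporal precedence as a stand-in for a statistical causality test; the alert names, timestamps, 120-second window and support threshold are constructed assumptions.

```python
from collections import defaultdict

# Constructed alert stream: (seconds, alert type); names are hypothetical.
ALERTS = [
    (0, "port_scan"), (40, "ssh_bruteforce"), (95, "new_admin_user"),
    (600, "port_scan"), (650, "ssh_bruteforce"), (700, "new_admin_user"),
    (1200, "port_scan"), (1230, "ssh_bruteforce"),
    (1800, "av_update"), (2400, "av_update"),
]

def precedence_graph(alerts, window=120, min_support=2):
    """Directed edge a -> b when a precedes b within `window` seconds at
    least `min_support` times and b never precedes a."""
    counts = defaultdict(int)
    ordered = sorted(alerts)
    for i, (t_a, a) in enumerate(ordered):
        for t_b, b in ordered[i + 1:]:
            if t_b - t_a > window:
                break  # later alerts are even further away
            if a != b and t_b > t_a:
                counts[(a, b)] += 1
    return {(a, b) for (a, b), n in counts.items()
            if n >= min_support and counts.get((b, a), 0) == 0}

def root_alerts(edges):
    """Alerts that start cascades: they have successors but no predecessor."""
    sources = {a for a, _ in edges}
    targets = {b for _, b in edges}
    return sorted(sources - targets)

def cascade(edges, root):
    """Alerts reachable downstream of `root` in the precedence graph."""
    reached, stack = set(), [root]
    while stack:
        cur = stack.pop()
        for a, b in edges:
            if a == cur and b not in reached:
                reached.add(b)
                stack.append(b)
    return sorted(reached)

if __name__ == "__main__":
    edges = precedence_graph(ALERTS)
    for root in root_alerts(edges):
        print(root, "->", cascade(edges, root))
```
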
Network security: Spatio-temporal correlations
- Alternative solution: monitoring the appearance of some standard attack patterns
- [Figure labels: Pattern 1, Pattern 2, ..., Pattern n]

Network security: Spatio-temporal correlations
- Major problem: the system is reactive, in that the same (or very similar) patterns should have appeared in the past
- Pattern matching cannot work under unknown conditions!

Network security: Spatio-temporal correlations
- Problem: reactive vs. proactive system
- Why functional networks?
  - Detect variations from a normal (base-line) network
- [Figure: the red node is not expected to be central; security alert]

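A sketch of the baseline comparison described above: flag a node that becomes far more central than it was in the normal network. This is an added example, not from the original slides; the host names, the links, degree centrality as the centrality measure and the z-score rule are assumptions.

```python
import statistics

def degree_centrality(edges, nodes):
    """Fraction of the other nodes each node is linked to in one time window."""
    nbrs = {n: set() for n in nodes}
    for a, b in edges:
        nbrs[a].add(b)
        nbrs[b].add(a)
    return {n: len(nbrs[n]) / (len(nodes) - 1) for n in nodes}

def unexpectedly_central(baseline_windows, current, nodes, z_min=3.0, floor=0.1):
    """Nodes whose centrality now exceeds their baseline by z_min deviations.

    `floor` keeps a perfectly stable baseline (zero deviation) from turning
    every small change into an alert.
    """
    history = [degree_centrality(w, nodes) for w in baseline_windows]
    now = degree_centrality(current, nodes)
    flagged = {}
    for n in nodes:
        past = [h[n] for h in history]
        sigma = max(statistics.pstdev(past), floor)
        z = (now[n] - statistics.mean(past)) / sigma
        if z >= z_min:
            flagged[n] = round(z, 2)
    return flagged

# Constructed sample: hypothetical hosts and observed communication links.
NODES = ["gw", "srv", "ws1", "ws2", "ws3", "ws4"]
NORMAL = {("ws1", "srv"), ("ws2", "srv"), ("ws3", "srv"),
          ("ws4", "srv"), ("srv", "gw")}
BASELINE = [NORMAL, NORMAL - {("ws4", "srv")}, NORMAL]
# Current window: ws3 is suddenly linked to every other host.
CURRENT = NORMAL | {("ws3", "ws1"), ("ws3", "ws2"), ("ws3", "ws4"), ("ws3", "gw")}

if __name__ == "__main__":
    print(unexpectedly_central(BASELINE, CURRENT, NODES))
```

No stored attack pattern is needed: the alert comes from the change in the node's role relative to the base-line network.
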
Conclusions
- Substantial similarities between issues encountered when studying normal and pathological brain activity on the one hand, and information systems security on the other hand.
- Functional networks (and the tools of graph analysis and complex network theory) can be used to tackle some of these common problems