Plan Discovery

Chain patterns reflect causality relations according to background knowledge. Discovering chain patterns can have important applications. Particularly, chain patterns can be used to find the motives (i.e., goals) from a collection of intrusion logs. These patterns can be used to detect security flaws in a system. Since chain patterns describe structural patterns reflecting causal relations, inter-related actions can be rapidly identified. As a result, we believe that chain patterns can be computed efficiently for large collections of input data. To support this claim, we recently performed experiments with Greenberg's UNIX command traces, which consists of thousands of commands. We were able to compute chain patterns on this large, real-world data collection in less than a minute even though we ran our experiments on a PC (1.6GHz machine, 512MBytes RAM). This in-itself is a surprising result since our algorithm for learning chain patterns is knowledge-intensive, using a variation of Golden & Etzioni representation of actions.

Here are a few resources used in this project:

• We obtained the collection of UNIX command traces collected by Dr. Saul Greenberg (University of Calgary, Canada). It contains command histories of 168 users, totaling thousands of commands (Greenberg, 1988). For obtaining these traces please contact Dr. Greenberg.

• We obtained a collection of operator definitions for UNIX commands from Dr. Keith Golden (NASA Ames Research Center) and Dr. Oren Etzioni (University of Washington). Although these definitions by no means cover the whole spectrum of UNIX commands, it does show that it is feasible to represent the conditions and effects of UNIX commands in a formal language. This collection is available in Dr. Golden's PhD thesis.

• We did some variations of these commands and added definitions for several that were unavailable. Our definitions in XML format can be found here.

• Software for discovering chain patterns will be available soon here. Please e-mail us for questions.

• Contact authors: Shreeram Sahasrabudhe and Hector Munoz-Avila

Last updated: Tue Jan 28 14:49:51 EST 2003