<!DOCTYPE article PUBLIC "-//NLM//DTD JATS (Z39.96) Journal Archiving and Interchange DTD v1.0 20120330//EN" "JATS-archivearticle1.dtd">
<article xmlns:xlink="http://www.w3.org/1999/xlink">
  <front>
    <journal-meta>
      <journal-title-group>
        <journal-title>Journal of Intelligent Information Systems 28 (2007) 133-160.
[18] G. Sterlicchio</journal-title>
      </journal-title-group>
    </journal-meta>
    <article-meta>
      <article-id pub-id-type="doi">10.1145/3098954.3098981</article-id>
      <title-group>
        <article-title>An ASP-based Approach to Network Security in Urban Air Mobility</article-title>
      </title-group>
      <contrib-group>
        <contrib contrib-type="author">
          <string-name>Gioacchino Sterlicchio</string-name>
          <xref ref-type="aff" rid="aff1">1</xref>
        </contrib>
        <contrib contrib-type="author">
          <string-name>Francesca Alessandra Lisi</string-name>
          <xref ref-type="aff" rid="aff0">0</xref>
        </contrib>
        <aff id="aff0">
          <label>0</label>
          <institution>DIB and CILA, University of Bari Aldo Moro</institution>
          ,
          <country country="IT">Italy</country>
        </aff>
        <aff id="aff1">
          <label>1</label>
          <institution>DMMM, Polytechnic University of Bari</institution>
          ,
          <country country="IT">Italy</country>
        </aff>
      </contrib-group>
      <pub-date>
        <year>2007</year>
      </pub-date>
      <volume>392</volume>
      <fpage>73</fpage>
      <lpage>80</lpage>
      <abstract>
        <p>In this discussion paper, we briefly describe a novel approach to network security, accepted for presentation at ECAI 2024. The approach leverages Answer Set Programming (ASP) for finding contrast sequential patterns that characterize different attacks on the 4G-LTE network in the context of Urban Air Mobility. The experiments show that an ASP-based declarative approach is feasible in this context, and that the implementation of span and gap constraints in the sequence mining phase makes the search for patterns more efficient and effective.</p>
      </abstract>
      <kwd-group>
        <kwd>Answer Set Programming</kwd>
        <kwd>Contrast Sequential Pattern Mining</kwd>
        <kwd>Network Security</kwd>
        <kwd>Urban Air Mobility</kwd>
      </kwd-group>
    </article-meta>
  </front>
  <body>
    <sec id="sec-1">
      <title>1. Introduction</title>
      <p>use ASP for extracting condensed representations of sequential patterns. Guyet et al. [15] introduce
ASP encodings for two representations of embeddings (fill-gaps vs skip-gaps) in sequence mining. Lisi
and Sterlicchio present the first ASP encoding for the CSPM problem in [16], which we will refer to
as Mining with Answer Set Solving - Contrast Sequential Patterns (MASS-CSP) hereafter. To address the
challenges of DPM in the context of network security, in [11] we have improved the efficiency and the
effectiveness of the sequence mining phase in MASS-CSP by adding span and gap constraints.</p>
      <p>The paper is organized as follows. In Sections 2 and 3 we briefly describe our ASP-based approach to
the problem at hand, and report some experimental results obtained on sets of traces for two kinds of
attacks. Section 4 concludes the paper with final remarks.</p>
    </sec>
    <sec id="sec-2">
      <title>2. Approach</title>
      <p>We start with a couple of observations about the limits of MASS-CSP. For illustrative purposes, let us
consider the pattern ⟨, ⟩ and the sequences ⟨, , ⟩ and ⟨, , , ⟩. First, MASS-CSP does not deal with
the number of gaps between one embedding and another. In other words, two consecutive items of a
sequential pattern can be  gaps apart within a sequence, in the example 0 and 2 respectively. Secondly,
⟨, ⟩ has support in both sequences but with different span, namely 1 and 3 respectively. Our work
builds on these two observations because, in various application domains, patterns that
reflect certain characteristics are more informative. Many types of constraints on patterns and
embeddings for sequence mining were defined in [17], among them the ones based on the notions of gap
and span, which are detailed below.</p>
      <p>The span constraint specifies the minimum/maximum length allowed for a sequential pattern. As
illustrated in Figure 1, the span is the difference between the timestamp of the pattern's last item, which is 8,
and the timestamp of its first item, i.e. 3, and thus ⟨, , ⟩ has span 5 in that sequence. The constraint requires
that the pattern duration be longer or shorter than a given time period. By setting a span constraint, we can focus on
identifying shorter or longer sequences of events based on our specific requirements. The gap constraint
controls the minimum/maximum gap allowed between consecutive occurrences of items within a
sequence. In Figure 1, the gap between  and  is 1, while it is 2 between  and . It specifies how many
time units may intervene before an item is observed again. Gap constraints are essential for capturing
temporal relationships between events. Setting appropriate gap values helps identify patterns in which
related events are separated by delays or interruptions but remain significant.</p>
      <p>According to [15], we have encoded these constraints as choice rules instead of using ASP denials,
thus implementing them in the generate stage so that the search space is pruned earlier. The full encoding
with other details can be found in [18]. The result is an increase in efficiency and effectiveness of the
final output, as described in the following section.</p>
    </sec>
    <sec id="sec-3">
      <title>3. Evaluation</title>
      <p>CSPM can be particularly useful for 4G-LTE for different reasons, e.g., optimizing network performance
by analyzing contrast patterns and making informed decisions on network configurations, resource
allocations, and traffic management strategies, and ensuring quality-of-service requirements. Since our
focus is on security, anomalies or unusual behavior in the network traffic can be detected by mining
contrast sequential patterns, thus helping to identify potential security threats. Contrast sequential
patterns are those that characterize normal and attack behaviour given different traces. Our work
considers a couple of attacks - namely the authentication failure attack and the numb attack [19] - as a case
study, and we used the traces made available by [20]<sup>1</sup>. Listing 1 shows example patterns for both attacks.
More precisely, they are the longest contrast sequential patterns found having 30% support across all
sequences. They describe the timeline of events that leads to the attack. Interestingly, both attacks
share common behavior with the exception of the authentication_failure event, which always occurs in the
subsequence ⟨. . . , authentication_request, authentication_failure, authentication_request, . . . ⟩ in (a) but
not in (b).</p>
      <p>Listing 1: Examples of longer attack patterns found with 30% support in (a) Auth_Failure_40 and (b) Numb_Attack_40</p>
      <p>(a)
&lt;attach_request, authentication_request, authentication_failure,
authentication_request, authentication_response, security_mode_command,
security_mode_complete, attach_accept, attach_complete, detach_request,
detach_accept, attach_request, authentication_request,
authentication_failure, authentication_request, authentication_response,
security_mode_command, security_mode_complete, attach_accept,
attach_complete, detach_request, detach_accept&gt;
(b)
&lt;attach_request, authentication_request, authentication_response,
security_mode_command, security_mode_complete, attach_accept,
attach_complete, detach_request, detach_accept, attach_request,
authentication_request, authentication_response, security_mode_command,
security_mode_complete, attach_accept, attach_complete&gt;</p>
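      <p>The gap and span definitions of Section 2 and the contrast between the two trace classes of Listing 1 can be worked through in a few lines of Python. This is an added example, not the authors' ASP encoding from [18]: the function names are hypothetical, the traces are constructed from the event names in Listing 1, and positions in a trace stand in for timestamps. As in the approach described above, the bounds are applied while candidate embeddings are generated rather than filtered afterwards.</p>

```python
from typing import Iterator, Sequence

BIG = 10**9  # stands in for "no upper bound"

def embeddings(pattern: Sequence[str], trace: Sequence[str], min_gap: int = 0,
               max_gap: int = BIG, min_span: int = 0,
               max_span: int = BIG) -> Iterator[tuple]:
    """Yield each tuple of trace positions that embeds `pattern`.

    gap  = events skipped between two consecutive pattern items
    span = position of the last matched item minus that of the first
    """
    def extend(prefix: tuple) -> Iterator[tuple]:
        k = len(prefix)
        if k == len(pattern):
            if prefix[-1] - prefix[0] >= min_span:
                yield prefix
            return
        if k == 0:
            candidates = range(len(trace))
        else:
            # Bounds are applied while generating, so infeasible
            # embeddings are never built (max_span is enforced here too).
            first = prefix[-1] + 1 + min_gap
            stop = min(len(trace), prefix[-1] + 2 + max_gap,
                       prefix[0] + max_span + 1)
            candidates = range(first, stop)
        for pos in candidates:
            if trace[pos] == pattern[k]:
                yield from extend(prefix + (pos,))
    if pattern:
        yield from extend(())

def support(pattern, traces, **limits) -> float:
    """Fraction of traces containing at least one admissible embedding."""
    hits = sum(1 for t in traces
               if next(embeddings(pattern, t, **limits), None) is not None)
    return hits / len(traces)

# Constructed sample traces, modelled on the event names in Listing 1.
SESSION_A = ["attach_request", "authentication_request", "authentication_failure",
             "authentication_request", "authentication_response",
             "security_mode_command", "security_mode_complete", "attach_accept",
             "attach_complete", "detach_request", "detach_accept"]
SESSION_B = [e for i, e in enumerate(SESSION_A) if i not in (2, 3)]
AUTH_FAILURE = [SESSION_A * 2, SESSION_A]
NUMB_ATTACK = [SESSION_B * 2, SESSION_B]

def class_supports(pattern, **limits):
    """Support of `pattern` in each class; a difference between the two is the contrast."""
    return (support(pattern, AUTH_FAILURE, **limits),
            support(pattern, NUMB_ATTACK, **limits))
```

      <p>On these constructed traces, the pattern (attach_request, attach_accept) has support in both classes when unconstrained, but with max_gap=4 it is supported only in the (b)-style traces, because the extra authentication_failure round in (a) widens the gap to 6.</p>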
      <p>The main goal is to show the feasibility of a declarative approach to CSPM in the context of network
security. Also, experiments have been designed to provide a comparative evaluation between
the basic ASP encoding reported in [16] and the proposed ASP encodings that implement the span/gap
constraints. We empirically show the advantages of adding new constraints on pattern
embeddings. Figure 2 compares the basic ASP encoding (dotted lines) with the
improved one with the span/gap constraints (continuous lines); for space reasons we only report
the authentication failure attack. First, with the gap constraint we have control over the type of pattern
we want thanks to the minimum and maximum gap. The pattern output set is considerably reduced,
extracting only those patterns actually useful for our purpose, with an advantage in time and memory because we
act directly in the pattern generation phase and obtain a smaller ground program than the previous one.
Using the span constraint, we are able to reduce the number of patterns and the execution time without
memory improvement. The gap constraint is the one that brings the best advantages in terms of overall
performance.</p>
    </sec>
    <sec id="sec-4">
      <title>4. Conclusion</title>
      <p>This discussion paper addresses the problem of detecting attack patterns against network security in the
context of UAM, and focuses on a couple of attacks on 4G LTE, namely the authentication failure and
the numb attack. We have suggested that CSPM can be helpful and presented an ASP-based approach
to mine contrast sequential patterns from 4G-LTE traces characterizing normal and attack behavior for
different types of attacks. The patterns found with our approach may be useful for post-attack analysis
in order to understand the steps of the immediate attack and implement defensive mechanisms.</p>
      <p><sup>1</sup> https://github.com/CLC-UIowa/SySLite</p>
      <p>Experiments have shown that applying a declarative approach is feasible. Also, results have
highlighted the benefits of adding constraints to embeddings. In particular, the span and gap constraints
allow pruning the set of patterns found, thus decreasing the memory consumption and the execution
time. Finally, since the only input is the set of execution traces, the approach applies also to other
attacks on the same network or even on other networks such as 5G.</p>
    </sec>
    <sec id="sec-5">
      <title>Acknowledgments</title>
      <p>This work was partially supported by the project FAIR - Future AI Research (PE00000013), under the
NRRP MUR program funded by the NextGenerationEU.</p>
    </sec>
  </body>
  <back>
    <ref-list>
      <ref id="ref1">
        <mixed-citation>
          [1]
          <string-name>
            <given-names>H.</given-names>
            <surname>Pak</surname>
          </string-name>
          ,
          <string-name>
            <given-names>L.</given-names>
            <surname>Asmer</surname>
          </string-name>
          ,
          <string-name>
            <given-names>P.</given-names>
            <surname>Kokus</surname>
          </string-name>
          ,
          <string-name>
            <given-names>B. I.</given-names>
            <surname>Schuchardt</surname>
          </string-name>
          ,
          <string-name>
            <given-names>A.</given-names>
            <surname>End</surname>
          </string-name>
          ,
          <string-name>
            <given-names>F.</given-names>
            <surname>Meller</surname>
          </string-name>
          ,
          <string-name>
            <given-names>K.</given-names>
            <surname>Schweiger</surname>
          </string-name>
          ,
          <string-name>
            <given-names>C.</given-names>
            <surname>Torens</surname>
          </string-name>
          ,
          <string-name>
            <given-names>C.</given-names>
            <surname>Barzantny</surname>
          </string-name>
          ,
          <string-name>
            <given-names>D.</given-names>
            <surname>Becker</surname>
          </string-name>
          ,
          <string-name>
            <given-names>J. M.</given-names>
            <surname>Ernst</surname>
          </string-name>
          ,
          <string-name>
            <given-names>F.</given-names>
            <surname>Jäger</surname>
          </string-name>
          ,
          <string-name>
            <given-names>T.</given-names>
            <surname>Laudien</surname>
          </string-name>
          ,
          <string-name>
            <given-names>N.</given-names>
            <surname>Naeem</surname>
          </string-name>
          ,
          <string-name>
            <given-names>A.</given-names>
            <surname>Papenfuß</surname>
          </string-name>
          ,
          <string-name>
            <given-names>J.</given-names>
            <surname>Pertz</surname>
          </string-name>
          ,
          <string-name>
            <given-names>P.</given-names>
            <surname>Shiva Prakasha</surname>
          </string-name>
          ,
          <string-name>
            <given-names>P.</given-names>
            <surname>Ratei</surname>
          </string-name>
          ,
          <string-name>
            <given-names>F.</given-names>
            <surname>Reimer</surname>
          </string-name>
          ,
          <string-name>
            <given-names>P.</given-names>
            <surname>Sieb</surname>
          </string-name>
          ,
          <string-name>
            <given-names>C.</given-names>
            <surname>Zhu</surname>
          </string-name>
          ,
          <article-title>Can Urban Air Mobility become reality? Opportunities, challenges and selected research results</article-title>
          , arXiv e-prints (
          <year>2023</year>
          ) arXiv:2309.12680. doi:10.48550/arXiv.2309.12680. arXiv:2309.12680.
        </mixed-citation>
      </ref>
      <ref id="ref2">
        <mixed-citation>
          [2]
          <string-name>
            <given-names>A.</given-names>
            <surname>Jordan</surname>
          </string-name>
          ,
          <string-name>
            <given-names>K. K.</given-names>
            <surname>Jaskowska</surname>
          </string-name>
          ,
          <string-name>
            <given-names>A.</given-names>
            <surname>Monsalve</surname>
          </string-name>
          ,
          <string-name>
            <given-names>R.</given-names>
            <surname>Yang</surname>
          </string-name>
          ,
          <string-name>
            <given-names>M.</given-names>
            <surname>Rozenblat</surname>
          </string-name>
          ,
          <string-name>
            <given-names>K.</given-names>
            <surname>Freeman</surname>
          </string-name>
          ,
          <string-name>
            <given-names>S.</given-names>
            <surname>Garcia</surname>
          </string-name>
          ,
          <article-title>Systematic evaluation of cybersecurity risks in the Urban Air Mobility operational environment</article-title>
          ,
          <source>in: 2022 Integrated Communication, Navigation and Surveillance Conference (ICNS)</source>
          , IEEE,
          <year>2022</year>
          , pp.
          <fpage>1</fpage>
          -
          <lpage>15</lpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref3">
        <mixed-citation>
          [3]
          <string-name>
            <given-names>Y.</given-names>
            <surname>Zeng</surname>
          </string-name>
          ,
          <string-name>
            <given-names>J.</given-names>
            <surname>Lyu</surname>
          </string-name>
          ,
          <string-name>
            <given-names>R.</given-names>
            <surname>Zhang</surname>
          </string-name>
          ,
          <article-title>Cellular-Connected UAV: Potential, challenges, and promising technologies</article-title>
          ,
          <source>IEEE Wireless Communications</source>
          <volume>26</volume>
          (
          <year>2018</year>
          )
          <fpage>120</fpage>
          -
          <lpage>127</lpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref4">
        <mixed-citation>
          [4]
          <string-name>
            <given-names>N.</given-names>
            <surname>Ruseno</surname>
          </string-name>
          ,
          <string-name>
            <given-names>C.-Y.</given-names>
            <surname>Lin</surname>
          </string-name>
          ,
          <string-name>
            <given-names>S.-C.</given-names>
            <surname>Chang</surname>
          </string-name>
          ,
          <article-title>UAS traffic management communications: The legacy of ADS-B, new establishment of remote ID, or leverage of ADS-B-Like systems?</article-title>
          ,
          <source>Drones</source>
          <volume>6</volume>
          (
          <year>2022</year>
          ). URL: https://www.mdpi.com/2504-446X/6/3/57. doi:10.3390/drones6030057.
        </mixed-citation>
      </ref>
    </ref-list>
  </back>
</article>