The AASG is then the scenario where the process of stigmergy (see page 137) between morwis is performed. Pheromones are deposited in the arcs of the AASG to reinforce a path leading to a confirmed attack, or removed to penalize one leading to a false alarm. This stigmergic process gives information to the newly generated morwis.
The values of pheromones are easily incorporated into the AASG model. Their accumulation is represented by $\tau_{n,m} \in \mathbb{R}_{>0}$ for each existent arc $nm$. A modified AASG including $\tau_{n,m}$ in its arcs is called a stigmergic AASG. To represent pheromones in the JSON format, we just add the numeric member ph to each object in children for each one of the sets of arcs (see page 130).
The increment and decrement of pheromones is performed according to the evaluation of the alarms done by the security analyst, who provides feedback to the system. The amount of pheromones added to the existing level of pheromones in an arc once the analyst has decided to reinforce the branch is called $\tau^+$. The amount of the decrement is called $\tau^-$. To refer to either of the two, we use $\tau^{+,-}$. We have that $\tau^+ \in \mathbb{R}_{>0}$ and $\tau^- \in \mathbb{R}_{<0}$.
6.1. Morwilog 143
$$\tau[t+1] = \tau[t] + \tau^{+,-} \tag{6.2}$$
As in classic ACO, a mechanism of pheromone evaporation is needed to avoid stagnation. Thanks to this, the morwis statistically have an opportunity to stop favoring branches where the level of pheromones is high but that have not been identified for a long time. The evaporation consists in the decrease of the previous level of pheromones by an evaporation rate $\rho$, with $\rho \in \mathbb{R}$ and $0 < \rho < 1$. The equation to calculate the resulting level of pheromones after evaporation is:
$$\tau[t+1] = (1-\rho)\cdot\tau[t] \tag{6.3}$$
Evaporation is applied to every arc in the AASG each time there is an update of pheromones, right before the addition of $\tau^{+,-}$, regardless of whether the selected branch has its pheromones incremented or decremented.
While evaporation is done as in classic ACO, we have introduced an important variation in the increment and decrement. In the previous literature, both changes are constant and independent of the level of pheromones at the moment when the update is made. The values of $\tau^+$ and $\tau^-$ are thus fixed before the execution of the algorithm, as parameters. The combination of this fixed addition with the evaporation of Equation 6.3 results in a variation of pheromones whose absolute value decays as subsequent updates of the same sign are applied to an arc.
This constant pheromone variation is not enough to strongly penalize badly chosen branches. We need to keep in mind that the analyst can arrive at wrong conclusions when building the AASG, and we want those wrong paths to be out of the selective process as soon as possible. That is why we have introduced in $\tau^+$ and $\tau^-$ a dependence on the current level of pheromones ($\tau[t]$). The proposed function is Gaussian, and $\tau^+ = -\tau^-$:
$$\tau^+(\tau[t]) = \tau_0^+ \, e^{-\frac{(\tau[t]-\tau_0)^2}{2w^2}} \tag{6.4}$$
There are three parameters in this equation: $\tau_0$, $\tau_0^+$ and $w$. The first one, $\tau_0$, is the initial level of pheromones in the arc ($\tau[0] = \tau_0$). It is taken as a parameter of the system, and every arc in every new AASG is initialized with $\tau_0$ pheromones. The Gaussian function for $\tau^{+,-}$ is centered at $\tau_0$ to have the highest rate of change right after the creation of the AASG. The amount of change for the first update, when $\tau[t] = \tau_0$, is precisely $\tau_0^+$. It has the same value for both $\tau^+$ and $\tau^-$. Finally, $w$
In a complete update, pheromones are first evaporated and then incremented or decremented, based on the new value after the evaporation. With this in mind, we have the following final equations for increment and decrement updates, respectively:
$$\tau[t+1] = (1-\rho)\cdot\tau[t] + \tau_0^+ \, e^{-\frac{\left((1-\rho)\cdot\tau[t]-\tau_0\right)^2}{2w^2}} \tag{6.5}$$
$$\tau[t+1] = (1-\rho)\cdot\tau[t] - \tau_0^+ \, e^{-\frac{\left((1-\rho)\cdot\tau[t]-\tau_0\right)^2}{2w^2}} \tag{6.6}$$
It is desirable that the absolute value of the level of pheromones in each arc does not exceed a certain threshold, in order to detect the moment from which a branch is clearly confirmed over the others. This also prevents the system from favoring an arc without limit. To do so, the difference between consecutive updates of the level of pheromones should decrease as the system evolves. This is the case of the classic ACO equation, whose convergence has been proven by Dorigo and Stützle [Dorigo 2004]. Equations 6.5 and 6.6 given here also converge to a certain value once the parameters are fixed.
To prove this, we choose one of the equations, for example the one corresponding to the increment (Equation 6.5). We can imagine a very large number $N$ of consecutive increments in one of the arcs, so we constantly apply the same equation for each update. This scenario is known as a situation of continuous reinforcement. Calculating the exact limit of Equation 6.5 in this scenario is not as trivial as in classic ACO, due to the recursive nature of the function. But we have empirically proven that this upper limit exists for certain values of the parameters, just by running the recursive function for a high number of pheromone updates.
The results are shown in Figure 6.3, where the evolution of the level of pheromones in one arc is represented against the number of pheromone updates. We use the parameters shown in Table 6.1. The curve ‘Increment’ represents the evolution of pheromones under continuous reinforcement, supposing there is an increment in every update. An upper limit, 3051, is almost reached in around 10 updates.
To compare this result with classic ACO, we have also represented the result of the fixed increment in a continuous reinforcement scenario in the curve called ‘Classic’. To make the two curves comparable, we have chosen an increment value of 62.1, which is approximately the one needed to reach the same upper limit as in ‘Increment’, 3104.63. We see that our approach reaches the limit much earlier than the classical one.
[Figure 6.3 plot: x-axis ‘Number of Steps’ (0 to 25), y-axis ‘Level of Pheromones’ (0 to $4\cdot10^3$); curves ‘Increment’, ‘Decrement’ and ‘Classic’.]
Figure 6.3: Graph representing the evolution of pheromones for continuous reinforcement in Morwilog (‘Increment’) and classic ACO (‘Classic’), and for continuous penalization (‘Decrement’).
[Figure 6.4: AASG with nodes 0 to 5 (arcs 0-1, 0-2, 1-3, 1-4, 1-5), built from the events $e_i$, $e_j$, $e_l$; the arc labels carry the node conditions (existence of matching events within $T_{max}$) and the pheromone levels. Annotations: “Human expert confirms $(e_i, e_j, e_l)$ as an attack”; “Evaporation in every arc. Increment of $\tau_{0,1}$ and $\tau_{1,3}$”. Levels before the update: $\tau_{0,1} = 2700$, $\tau_{0,2} = 100$, $\tau_{1,3} = 1000$, $\tau_{1,4} = 1500$, $\tau_{1,5} = 200$; after: $\tau_{0,1} = 2775$, $\tau_{1,3} = 1480$, $\tau_{1,4} = 1470$, $\tau_{1,5} = 196$. Parameters: $\tau_0 = 1000$, $\rho = 0.02$, $w = 1000$, $\tau_0^+ = 500$, $\tau_{min} = 100$.]
Figure 6.4: Example of evolution of the AASG when the attack is confirmed.
[Figure 6.5: the same AASG and parameters as Figure 6.4. Annotations: “Human expert dismisses $(e_i, e_j, e_l)$ as false positive”; “Evaporation in every arc. Decrement of $\tau_{0,1}$ and $\tau_{1,3}$”. Levels after the update: $\tau_{0,1} = 2517$, $\tau_{1,3} = 480$, $\tau_{1,4} = 1470$, $\tau_{1,5} = 196$.]
Figure 6.5: Example of evolution of the AASG when the attack is a false alarm.
[...] a scenario of continuous penalization, where an arc sees its level of pheromones decremented after each pheromone update in the AASG. The function also converges, in this case to a lower limit. But this limit can be negative depending on the parameters chosen. Negative values of pheromones should be avoided, not only to adjust to the biological metaphor but also to make the operations in the algorithm easier, without needing the implementation of negative integers. As in classic ACO, a minimum value of pheromones $\tau_{min}$ is artificially set. The level of pheromones in any arc is then forced to stay over this value. The curve ‘Decrement’ in Figure 6.3 shows the results of this continuous penalization, applying $\tau_{min} = 100$.
To finish this introduction, we return to the example we presented in the last section (page 140), where the main steps of WannaCry were represented in the AASG. If the sequence returned by the morwi is evaluated as an attack, the level of pheromones of that branch is incremented. The result is shown in Figure 6.4.
Conversely, we show the mechanism of pheromone decrement in Figure 6.5. This process is performed because the returned sequence is considered a false alarm by the analyst. In the case of WannaCry, the command ‘transaction2_secondary’ in SMBv1, represented in node 3, can be used for testing purposes and not with a malicious objective, even if it is an important step in the attack. If this happens, the feedback provided by the analyst leads to the decrement process.
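As an added example (not the thesis's own code), the following Python implements Equations 6.3 to 6.6 with the $\tau_{min}$ floor and replays the continuous reinforcement and penalization runs of Figure 6.3, the classic fixed-increment comparison, and the single analyst feedback round of Figures 6.4 and 6.5. It assumes the Table 6.1 parameters as read from those figures ($\tau_0 = 1000$, $\rho = 0.02$, $w = 1000$, $\tau_0^+ = 500$, $\tau_{min} = 100$); the arc tuples, function names and the `reinforce` flag convention are my own.

```python
import math

# Parameters of Table 6.1, as read from Figures 6.4 and 6.5 (tau_min is the floor).
PARAMS = dict(tau0=1000.0, rho=0.02, w=1000.0, tau0_plus=500.0, tau_min=100.0)

def gaussian_delta(tau_evap, tau0, w, tau0_plus):
    """Equation 6.4: size of the change, evaluated on the already evaporated level."""
    return tau0_plus * math.exp(-((tau_evap - tau0) ** 2) / (2 * w ** 2))

def update(tau, reinforce, tau0, rho, w, tau0_plus, tau_min):
    """One update of a single arc: Equation 6.3, then 6.5 (True), 6.6 (False) or
    evaporation only (None: arc not on the evaluated branch); floored at tau_min."""
    evap = (1 - rho) * tau
    if reinforce is None:
        return max(evap, tau_min)
    delta = gaussian_delta(evap, tau0, w, tau0_plus)
    return max(evap + delta if reinforce else evap - delta, tau_min)

def continuous(reinforce, steps, **p):
    """Continuous reinforcement (True) or penalization (False) from tau[0] = tau0."""
    levels = [p["tau0"]]
    for _ in range(steps):
        levels.append(update(levels[-1], reinforce, **p))
    return levels

def classic(increment, steps, **p):
    """Classic ACO for comparison: evaporation plus a fixed increment (limit increment/rho)."""
    levels = [p["tau0"]]
    for _ in range(steps):
        levels.append((1 - p["rho"]) * levels[-1] + increment)
    return levels

def update_aasg(arcs, branch, reinforce, **p):
    """One analyst feedback round: every arc evaporates, only the arcs of the
    returned branch are incremented (confirmed attack) or decremented (false alarm)."""
    return {arc: update(tau, reinforce if arc in branch else None, **p)
            for arc, tau in arcs.items()}

# Constructed from Figure 6.4: levels before feedback and the branch the morwi returned.
ARCS_BEFORE = {(0, 1): 2700.0, (0, 2): 100.0, (1, 3): 1000.0, (1, 4): 1500.0, (1, 5): 200.0}
RETURNED_BRANCH = {(0, 1), (1, 3)}

if __name__ == "__main__":
    inc = continuous(True, 2000, **PARAMS)
    print("reinforcement: tau[10] =", round(inc[10]), " limit ~", round(inc[-1]))
    print("penalization floor:", continuous(False, 50, **PARAMS)[-1])
    print("classic limit (62.1 / rho):", round(classic(62.1, 2000, **PARAMS)[-1], 2))
    for verdict, flag in (("attack confirmed (Fig. 6.4)", True), ("false alarm (Fig. 6.5)", False)):
        after = update_aasg(ARCS_BEFORE, RETURNED_BRANCH, flag, **PARAMS)
        print(verdict, {arc: round(v) for arc, v in after.items()})
```

The arc $\tau_{0,2}$ illustrates the floor: evaporation alone would take it from 100 to 98, so it is held at $\tau_{min}$ in both figures.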