GA-IDS: Genetic Art For Intrusion Detection

The goal of the GA-IDS project is to determine whether it is possible to evolve visualizations of computer network and computer systems data that make intrusions or anomalies easier for network or system administrators to detect than existing visualization schemes. Instead of starting with a preconceived visualization model, we start with a language for expressing visualizations and then use genetic programming to produce increasingly refined visualizations based on user feedback.

As a first step, we want to determine whether individuals who believe they have knowledge of the current state of the network drive the evolution to a quantitatively and qualitatively different place than individuals who do not have this belief. The kiosk at the entrance of the CS department implements this experiment.

Please play with it! Your feedback will cause the visualizations to evolve over time. The kiosk is currently under test. When testing is completed, it will be moved to the entrance of the Technological Institute and fed with real-time network data from the Northwestern edge router. A full-scale experiment to test this question will then be conducted.

A partial web implementation of the kiosk, without animation, is available. It uses the same code as the kiosk, but outputs single images. A low-quality movie (QuickTime, 24 MB) of the kiosk in action is also available.

The kiosk and web systems are based on the following elements, all developed from scratch for this project:

  • A genetic programming system for expression languages. It is parameterized with a grammar, fitness function, input data types, and other configuration elements.
  • An expression language for visualizations. More detail is given in the talk described below.
  • A translator that converts expressions into Cg code that is in turn compiled into a binary for an NVIDIA graphics card.
  • A run-time system that computes the expression on the graphics card, feeding it a stream of data to be visualized. This results in a real-time animation of the data on the screen.
  • Components for outputting image files from animation frames.
  • A graphical expression debugger.
  • A Linux device driver for Evo Touchscreens.
When the system is run without input data, its output is an instance of genetic art. We also acknowledge the influence of Andrej Bauer's random art project. Our goal is not to evolve effective art, but rather to determine whether we can evolve art that can help users to detect anomalies and intrusions in network, host, and other data.

Please email ga-ids@cs.northwestern.edu with your comments!

Members

  • Brian Cornell
  • Rachel Goldsborough
  • Peter Dinda

Talks

  • Genetic Art For Intrusion Detection (PowerPoint), Rachel Goldsborough.

Papers

In progress.

System Documentation

Codes

Eventually.

Acknowledgment

This material is based upon work supported by the National Science Foundation under an REU supplement to Grant No. ANI-0093221, and by funds associated with the Lisa Wissner-Slivka and Benjamin Slivka junior chair in Computer Science. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation (NSF). We also thank Andrej Bauer for generously sharing his Random Art system with us.