The Center for Education and Research in Information Assurance and Security (CERIAS)

Subtle Adversarial Intrusion Detection with SONAR Software

Principal Investigator: Hany Abdel-Khalik

The Signal-Oriented Network Anomaly Recognition (SONAR) tool is an extension of Idaho National Laboratory’s (INL’s) Risk Analysis Virtual Environment (RAVEN) framework focused on data-level intrusion detection. SONAR aims to expand the already-widespread capabilities of the RAVEN framework by providing additional tools for both data analysis and intrusion detection that are fully compatible with downstream analyses performed by RAVEN.

SONAR uses a decomposition-based approach to categorize unknown signals by their similarity to genuine signals in the so-called feature space. The tool has been designed with flexibility in mind: the distance metric (e.g., cosine distance, Euclidean distance) and the manner of decomposition (e.g., dynamic mode decomposition, Fourier decomposition) can be chosen to suit the needs of the user. The advantage of intrusion detection in the feature space is that subtle variations produce outsized differences in high-ranking characteristics that are not otherwise detectable. By treating low-distance signals as ‘genuine’, SONAR has shown remarkable consistency in identifying subtle intrusions in a variety of experimental and simulated datasets. The intrusions have been modelled as a modified form of the well-known Triangle Attack, generating a data perturbation that is well hidden within the standard behavior of the data and would typically go undetected in real-world and industrial systems. SONAR also provides numerous data analysis capabilities, including visualization, decomposition, and a parameter sweeping protocol, to optimize the effectiveness of intrusion detection; this allows further specification, so that unknown data samples can be characterized with a high degree of certainty.
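The feature-space distance check described above, as an added sketch that is not SONAR or RAVEN code: it picks Fourier decomposition and cosine distance from the options the text names. The signals, the added-tone perturbation (a stand-in, not the Triangle Attack) and the threshold rule are all constructed assumptions.

```python
import cmath, math, random

N = 64  # samples per trace (constructed data, not from SONAR)

def genuine_signal(seed):
    """Constructed 'genuine' trace: two tones plus small measurement noise."""
    rng = random.Random(seed)
    return [math.sin(2 * math.pi * 3 * n / N) + 0.5 * math.sin(2 * math.pi * 7 * n / N)
            + rng.gauss(0, 0.01) for n in range(N)]

def perturb(signal, amp=0.05, freq=11):
    """Constructed subtle perturbation: a low-amplitude tone added to the trace."""
    return [s + amp * math.sin(2 * math.pi * freq * n / N) for n, s in enumerate(signal)]

def features(signal):
    """Fourier decomposition: magnitudes of DFT bins 0..N/2."""
    return [abs(sum(s * cmath.exp(-2j * math.pi * k * n / N) for n, s in enumerate(signal)))
            for k in range(N // 2 + 1)]

def cosine_distance(a, b):
    dot = sum(x * y for x, y in zip(a, b))
    return 1.0 - dot / (math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b)))

def fit(train_signals, margin=3.0):
    """Reference = mean genuine feature vector.
    Threshold = margin * largest training distance (an assumed rule)."""
    feats = [features(s) for s in train_signals]
    ref = [sum(col) / len(feats) for col in zip(*feats)]
    return ref, margin * max(cosine_distance(f, ref) for f in feats)

def score(signal, ref):
    """Distance of an unknown signal from the genuine reference in feature space."""
    return cosine_distance(features(signal), ref)

REF, THRESHOLD = fit([genuine_signal(seed) for seed in range(20)])

def is_genuine(signal):
    """Low-distance signals are treated as genuine."""
    return score(signal, REF) <= THRESHOLD

if __name__ == "__main__":
    clean = genuine_signal(1000)   # held-out genuine trace
    tampered = perturb(clean)      # same trace with the constructed perturbation
    for name, sig in (("clean", clean), ("tampered", tampered)):
        print(f"{name:9s} distance={score(sig, REF):.2e} "
              f"threshold={THRESHOLD:.2e} genuine={is_genuine(sig)}")
```

Swapping `cosine_distance` for a Euclidean metric, or `features` for another decomposition, changes only those two functions; the threshold then has to be refit on the genuine set.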


Students: Tyler Lewis, Yeni Li

Representative Publications

Keywords: condition monitoring, intrusion detection, Network Security, subtle anomaly