A correlation framework for continuous user authentication using data mining

Author

  • Harjit Singh
Abstract

The emergence of new transport technologies coupled with deregulation and privatisation has contributed to the contiguous growth of telecommunications networks, particularly in terms of both the intricacy and size of the network. The rapid growth in network size, and intricacy, is of concern to those who are involved in Network Management - particularly those involved with network operation, administration, maintenance and provisioning (OAM&P) functions. The integration of the evolving and emerging technologies, and systems, with legacy systems provides additional concerns for those endeavouring to ensure availability of the network resources, particularly those required to meet agreed Service Level Agreements (SLAs). In this paper, we discuss the potential use of Data Mining algorithms and techniques for classifying the Network State, and hence whether SLAs are being met, by analysing performance indicative data collected from networks using the Synchronous Digital Hierarchy (SDH) as an exemplar underlying transmission system.

Keywords
Data Mining, Network Management, Telecommunications, Service Level Agreement (SLA), Knowledge Discovery, Network State, Alarm Correlation, Synchronous Digital Hierarchy (SDH), Networks, Pro-active Management, Quality of Service (QoS).

1. INTRODUCTION

The setting up of SLAs demands a high standard of network availability and performance through improved quality management systems. The current practices of network management can overload network management architectures and thus agreed quality of service (QoS) [1] defined in the SLA contracts. This is due to the various processes enacted in the Maintenance Function [2], which involves monitoring, and managing, extremely large amounts of data as a result of the sheer size, and complexity, of the networks. Data that is collected in order to achieve QoS is determined via analysis of the network performance indicators. This can involve analysis of voluminous samples of data collected from monitoring of network performance, and alarms used to resolve or avoid faults [3], which is collected for the maintenance function. Typically, for example, performance information collected routinely for an ATM network every 15 minutes amounts to 15MB [4].

The onset of overloading network operation centre is the availability of the network, which is dependent on the restoration and preventative [5] (e.g. re-routing the network configuration) functions enacted in the network management processes. Network elements (NEs) affect each other, and consequent or sequential [6] generation of notification messages is inevitable as a result of the occurrence of faults. A single incident, or fault, due to a particular anomaly or defect may trigger multiple generation of notification messages. These notifications manifest externally as alarms and, depending on the protocol used by the Management systems, an alarm is referred to as a trap or notification [7], where the latter uses CMIP, while the former uses SNMP. When considering the network complexity, which can consist of several hundred to thousands of NEs, this represents a large amount of alarms. Prominently, this can cause alarm inundation of a network operation centre and has strong antecedents in fault localisation. Hence analysis of the alarms enables a hypothesis of the root cause of the fault to be proposed.

Performance information collected routinely and alarms, in addition to the alarm log, which contains information about an alarm event entered in chronological sequence, provide a huge repository of raw data from networks. Using a domain expert to analyse this data can be exhaustive and time consuming, especially the classification of the state of the network and the discovery of latent trends or patterns to resolve transient problems. Consequently, alarm correlation [8] has been one of the many correlation techniques employed in fault localisation. Alarms with germane entities or trends are grouped together to form new semantics and the parenthesis is enriched to provide useful information pertaining to the generation of the alarms, which may include corrective measures. Hence, this reduces the amount of information displayed and provides plausible information, to enable the subtle task of fault diagnosis.

[Figure 1: Methodology for alarm correlation. Labels: Attributes/fields, Generated Data, Data Exploratory, Data Selection, Data Mining, Interpretation.]

In this paper, we discuss the potential of Data Mining algorithms and techniques for the prediction of problems that are likely to persist, as well as those that are likely to degrade network performance, hence enabling classification of the network performance indicators. In section 2, we provide a conceptual introduction to Data Mining. This is followed by a description of the methodology used, which is the focus of this work: the Data Mining of SDH network performance indicators in the telecommunication domain. Section 4 provides the results of this investigative work while section 5 provides the conclusion and discussion. Future work is also discussed in section 6.

2. DATA MINING

Data Mining (DM) can be described as a collection of techniques and methodologies used to explore vast amounts of data in order to find potentially useful, ultimately understandable patterns [9] and to discover relationships. DM is an iterative and interactive process, involving numerous steps with many decisions being made by the user. The fundamental goals of data mining are finding latent trends in data, which enables prediction and description [10] of the analysis phases. DM is a rapidly expanding field which has been exploited in lucrative domains such as the financial [11], business [12] and communications [13] domains, although little reported work has been carried out to determine network state by analysis of the network performance indicators of alarms [14-17].

2.1 Data Mining task

The initial sequence upon acquiring the required understanding of the proposed application domain, or a priori knowledge, is to determine the DM task. Different algorithms are optimised based on the predefined DM task. This involves deciding whether the goal of the DM process is classification, association, or sequential [18]. Classification has two distinct meanings. We may aim at classifying new observations into classes from established rules or establishing the existence of classes, or clusters, in data [19]. Association attempts to generate rules or discover correlation in data and is expressed:

  • X => Y, where X and Y are sets of items.

This means that an event or transaction of the database that contains X tends to contain Y.

Sequential looks at events occurring in a sequence over time, or time-ordered sequences. This could be expressed through the following:

  • E ? N, E is a set of event types, an event pair (A, t), where A ∈ E is an event type.

Here t represents the time of the event or occurrence of an event. This is followed by predefined sets of fault conditions where:

  • F is a set of fault types and C ∈ F, C is a fault type, hence for example: 90% of the time, if the event (A, t) occurs, it is followed by fault type C.

[Figure: client, TMN framework (software backplane), probes.]
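An added example, not taken from the paper: one way to measure the confidence of a sequential rule of the form "if the event (A, t) occurs, it is followed by fault type C" over an alarm log. The log entries, the alarm and fault names, the 120-second window and the function name sequential_rules are all assumptions made for illustration.

```python
from collections import defaultdict

# Constructed alarm log: (time in seconds, network element, event or fault type).
# Type names are illustrative labels, not values from the paper's data set.
ALARM_LOG = [
    (0, "NE1", "LOS"), (40, "NE1", "FAULT_LINK_DOWN"),
    (300, "NE2", "LOS"), (330, "NE2", "FAULT_LINK_DOWN"),
    (600, "NE1", "DEG"), (650, "NE1", "FAULT_LINK_DOWN"),
    (900, "NE3", "LOS"), (1500, "NE3", "FAULT_CARD_FAIL"),
    (1800, "NE2", "LOS"), (1850, "NE2", "FAULT_LINK_DOWN"),
    (2100, "NE1", "DEG"),
]
EVENT_TYPES = {"LOS", "DEG"}                           # the set E (assumed)
FAULT_TYPES = {"FAULT_LINK_DOWN", "FAULT_CARD_FAIL"}   # the set F (assumed)


def sequential_rules(log, event_types, fault_types, window, min_conf=0.0):
    """Return {(A, C): confidence} for 'event (A, t) is followed by fault C
    within `window` seconds', with A in event_types and C in fault_types."""
    log = sorted(log)                 # chronological order, as in an alarm log
    occurrences = defaultdict(int)    # number of times event type A occurs
    followed = defaultdict(int)       # number of those followed by fault C
    for i, (t, _ne, a) in enumerate(log):
        if a not in event_types:
            continue
        occurrences[a] += 1
        seen = set()                  # count each fault type once per event
        for t2, _ne2, c in log[i + 1:]:
            if t2 > t + window:
                break                 # log is sorted, nothing later can match
            if t2 > t and c in fault_types and c not in seen:
                seen.add(c)
                followed[(a, c)] += 1
    rules = {}
    for (a, c), n in followed.items():
        conf = n / occurrences[a]
        if conf >= min_conf:
            rules[(a, c)] = conf
    return rules


if __name__ == "__main__":
    for (a, c), conf in sequential_rules(
            ALARM_LOG, EVENT_TYPES, FAULT_TYPES, window=120).items():
        print(f"{conf:.0%} of the time, ({a}, t) is followed by {c}")
```

The late FAULT_CARD_FAIL at t=1500 falls outside the window of the LOS at t=900, so it produces no rule; the choice of window directly controls which alarms are treated as correlated.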


Similar resources

Investigating and Evaluating Behavioural Profiling and Intrusion Detection Using Data Mining

The continuous growth of computer networks, coupled with the increasing number of people relying upon information technology, has inevitably attracted both mischievous and malicious abusers. Such abuse may originate from both outside an organisation and from within, and will not necessarily be prevented by traditional authentication and access control mechanisms. Intrusion Detection Systems aim...

A New Algorithm for Optimization of Fuzzy Decision Tree in Data Mining

Decision-tree algorithms provide one of the most popular methodologies for symbolic knowledge acquisition. The resulting knowledge, a symbolic decision tree along with a simple inference mechanism, has been praised for comprehensibility. The most comprehensible decision trees have been designed for perfect symbolic data. Classical crisp decision trees (DT) are widely applied to classification t...

Biometric Authentication of Fingerprint for Banking Users, Using Stream Cipher Algorithm

Providing banking services, especially online banking and electronic payment systems, has always been associated with high concerns about security risks. In this paper, customer authentication for their transactions in electronic banking has been discussed, and a more appropriate way of using biometric fingerprint data, as well as encrypting those data in a different way, has been suggest...

Soft Biometrics Traits for Continuous Authentication in Online Exam Using ICA Based Facial Recognition

Biometric authentication has been getting widespread attention over the past decade with growing demands in automated secured personal identification. Continuous Authentication (CA) system verifies the user continuously once a person is logged in. Continuous Authentication system prevents the intruders from invoking the system. A new framework for continuous user authentication that primarily u...

A Mutual Authentication Method for Internet of Things

Today, we are witnessing the expansion of various Internet of Things (IoT) applications and services such as surveillance and health. These services are delivered to users via smart devices anywhere and anytime. Forecasts show that the IoT, which is controlled online in the user environment, will reach 25 billion devices worldwide by 2020. Data security is one of the main concerns in the IoT. ...

Developing a Recommendation Framework for Tourist by Mining Geo-tag Photos (Case Study Tehran District 6)

With the increasing popularity of sharing media on social networks and facilitating access to location technologies, such as Global Positioning System (GPS), people are more interested to share their own photos and videos. The world wide web users are no longer the sole consumer but they are producers of information also, hence a wealth of information are available on web 2.0 applications. The ...


Publication date: 2003