Wednesday, 2 January 2019

Anomaly detection as detecting identity drifting

Suppose you want to detect man-in-the-middle attacks – a typical case of cybercrime in which the legit user of a system is taken over by a malicious attacker (either human or computer-based).
Which machine learning would best match said problem? The major issue is that this a case of anomaly detection – one wants to detect a condition that is usually very rare. No or very few public datasets describe malicious transactions of this type, so if one wants to construct a training set for a machine learning algorithm, one has a large number of negative examples (legit transactions) and very few, if any, positive examples. How to deal with this issue?

A solution is the one modelled in my paper “Antifragility = Elasticity + Resilience + Machine Learning: Models and Algorithms for Open System Fidelity”: to encode the normal behaviour and detect anomalies as driftings from the normal behaviour. A way to do this is by means of Markov chains – a powerful mathematical model that has been used, e.g., to generate random text in the style of a reference text. The idea is to use a reference Corpus – for instance, the Plays of Shakespeare – and feed them into a program that approximates the probabilities of observing a given word, given that that word is preceded by a number of other words. As an oversimplified example, one would calculate the probability that « to » and « be » are followed by « or », the probability that « be » and « or » are followed by « not », the probability that « or » and « not » are followed by « to », and so forth: 

P { ( « to », « be » ) => « or » } = some value x
P { ( « be », « or » ) => « not » } = some value y

Those probabilities would capture the peculiar way in which sentences are constructed in the reference Corpus – its identity, if you like. The random text would then be generated by taking a “random walk” from an initial sequence to a final one – as if the probabilities were the orbits of a dynamic system on words (namely, through the same approach I used in my paper “Permutation Numbers”).

How can the above mathematical model be of use to solve of our anomaly detection problem? It’s actually quite simple: one has to construct an analogy between the sentences in a reference Corpus and the behaviour exercised by the user of a software system. What does a user of a software system typically does? S/he uses a graphical user interface to specify actions that s/he requires to be executed. How is this done in practice? By visiting the widgets of the user interface, pressing keys, and so forth. Think of those actions as words in a sentence, and the interaction sessions of user U as the sentences that user U “says”. Then we can use the Markov approach and approximate the probabilities that a given number of user interface actions be followed by another such action. Those probabilities then encode… the reference behaviour of user U when using a given interface!
For each user U then one could create a set of reference probabilities I(U), representing the stereotypical behaviour of U – namely, its identity. Every time U logs into the system, I(U) would then be loaded and used as a reference identity. The new interaction session would then be used to construct a new set of probabilities, C(U). The distance of I(U) from C(U) would then quantitatively express the experienced anomaly. When said distance would become larger than a given threshold, the system would declare a case of man-in-the-middle attack.

Note that the same approach could be used to detect a slow drifting away of C(U) from I(U). This would represent a monotonic change in the user stereotype, which could be a sign the user developing fatigue of perception/ cognitive disorders.

The pictures below describes the approach via a collaboration diagram. User U expresses actions such as "visualize flights"; an instrumented user interface received the action and forwards the information to an "interaction logger" that creates a suitable representation for the "sentence" that U is building. The Markovian analyzer is then notified so as to update the probabilities describing the "sentence". At the end, those probabilities are stored into I(U).

At run-time, a new set of reference probabilities, C(U), is constructed and compared with I(U). An alarm is issued when the discrepancy between those two values becomes too large:

Sunday, 11 February 2018

A hypothesis in evolutionary biology

Many authors, starting with the classic work by Trivers and Willard [1], hypothesized the existence of “conditions” able to influence or control the sex of the offspring. Ever since the publication of that classic work, researchers have been producing an impressive amount of results that either bring evidence or contradict that hypothesis. This production has been chaotic to say the least, with scholars deriving their conclusions from “facts” ranging from dubious interpretations of microscope images to extremely serious mathematical and statistical models of the many organs and processes at play. I am merely an information scientist, lacking too many important pieces in this trans-disciplinary problem. But I have read several papers on this, and my focus on information led me to a simple observation: in information science, what is really important is the variation of the signal rather than the signal itself; in other words, it is a signal's variation that carries information -- it is a message -- while a steady signal it is not. As an example, a diet is a signal while a change in a diet, especially when it is a significant change – it is a message. Evidence corroborating this idea may be found in several works. Professor Elissa Cameron and her team, for instance, found out [2] that, rather than glucose, it is the glucose gradient that might play a role in adjusting the offspring’s sex ratio in mice. This gradient represents a “message” from the environment, declaring the onset of a more favorable condition. The existence of “messages” of the opposite sign and outcome is also discussed by Professor Kristen Navara, who hypothesizes “a bias toward females during times of stress”, mediated by glucocorticoids in her very interesting paper [3]. A stress / glucocorticoids-gradient signals in this case a time where an investment in a male offspring would not be advisable.
Testosterone gradients are another example. It is well known how such changes represent “boosts” that can lead to more daring behaviors. The late Dr. Valerie J Grant, in several articles (e.g. [4]) and her book ([5]) suggests that higher levels of testosterone might be associated with a higher sex ratio. Results are a little contradictory though, and I suspect that this might be due to measurements of the signal and not of its variations. Also it is not clear to me whether testosterone would have a causal role or rise “simply” as a side effect of some “first cause.”
Other examples of such gradients may be found in the huge bibliography of Dr. William H. James, who drew several hypotheses of endocrine mechanisms to control or influence the sex ratio (see e.g. [6], [7]).
Of course, if we assume that such messages are actually “there,” a logical question would be: Which type of messages are at play here? My answer comes from considering the theory of a fractal organization of the all – as one can find, for instance, the human body. The latter is composed of a primary unit "personifying" the whole – the brain – and a sophisticated hierarchy of organized systems, each of which is further composed of hierarchies of organized sub-systems. The overall functioning of the human body requires messages flowing from one end to the other, signaling actions that need to be taken when certain conditions are established; hormonal messages are a typical example of this large distributed organization.
My conclusion is then that mechanisms for the alteration of the gender of the offspring could possibly be formulated in terms of a distributed system of said messages. Perhaps a distributed system of fractally organized messages! Messages that is with a scope that ranges from the micro to the macro, signaling waves of actions that could "tune" our internal mechanisms after the external conditions expressed by the environment. In a number of my papers (e.g. [7], [8], [9]), I have suggested that said mechanism could be modeled, in sociotechnical systems, in terms of evolutionary game theory -- which I believe is very much in line with what had been theorized by Trivers and Willard. In fact, my conjecture is that particular messages from the “whole” (the brain) to the “parts” (the systems of organs) are meant to provide contextual information to the latter ones in order to adjust their local action in such a way as to favor a global condition matching the passed information. Local conditions favoring the birth of an offspring with an optimal evolutionary advantage are maybe the outcome of those messages. As a response, “thinner” messages would request the onset of other conditions of a “lesser” (hierarchical) scope. In this view, one could say that Dr. James' hypotheses characterize the endocrine nature of a "layer" of those messages.

As Dr. James himself expressed multiple times  [10], the verification of an hypothesis such as mine would require the collaboration of many a specialist in domains I’m not acquainted with. I hope this short text may produce some interest and trigger exchange of ideas and chances for collaboration.


[1] Trivers, Robert L. & Willard, Dan E.. Natural Selection of Parental Ability to Vary the Sex Ratio of Offspring. Science, 05 Jan 1973 : 90-92
[2] Cameron, Elissa & R Lemons, Patrick & Bateman, Philip & Bennett, Nigel. (2008). Experimental alteration of litter sex ratios in a mammal. Proceedings. Biological sciences / The Royal Society. 275. 323-7. 10.1098/rspb.2007.1401.
[3] Navara, Kristen. (2010). Programming of offspring sex ratios by maternal stress in humans: Assessment of physiological mechanisms using a comparative approach. Journal of comparative physiology. B, Biochemical, systemic, and environmental physiology. 180. 785-96. 10.1007/s00360-010-0483-9.
[4] Grant V. J., et al. (2010). Can mammalian mothers influence the sex of their offspring peri-conceptually? Reproduction 140(3):425-33. doi: 10.1530/REP-10-0137.
[5] Grant, Valerie J. (1998) Maternal Personality, Evolution and the Sex Ratio: Do Mothers Control the Sex of the Infant? Rouletdge. ISBN: 978-0415158800
[6] James, William H (2008). Evidence that mammalian sex ratios at birth are partially controlled by parental hormone levels around the time of conception. Journal of Endocrinology 198, 3–15
[7] De Florio, V. Interpretations of the concepts of resilience and evolution in the philosophy of Leibniz,
[8] De Florio, V. Resilience as concurrent interplays of opponents: preliminary ideas and call for collaborations!
[9] De Florio, V. (2017) Systems, Resilience, and Organization: Analogies and Points of Contact with Hierarchy Theory. Procedia Computer Science 109, pp. 935-942.
[10] James, William H. (2013). "How Studies Of Human Sex Ratios At Birth May Lead To The Understanding Of Several Forms Of Pathology" Human Biology Open Access Pre-Prints. Paper 37.

Saturday, 3 February 2018

Remembering Jean-Claude Laprie

On May 2, 2007, I was in Erlangen, Germany, at the EWICS-ReSIST Joint Workshop on "Teaching Resilient Computing". I presented there my ideas about a possible M.Sc. course on software resilience. It was there that I had the pleasure to meet -- for the first and only time, Jean-Claude Laprie. I'm glad I had with me my camera, so that I could take a few picture of the Maestro.

Thursday, 15 June 2017

Interesting questions about resilience and antifragility

A colleague and member of the Computational Antifragility linked-in group, Dr. Hans Konstapel, asked today:

"The resilient resists shocks and stays the same, while the antifragile entity gets better". What is the relationship between a Shock and the "Antifragile" or the "Resilient" and what is the difference between the "Antifragile" and the "Resilient". If both are "identities" perhaps a "shock" is also an identity. If so is a "shock" resilient or even anti-fragile?

 This is my reply to Dr. Konstapel's interesting questions.

My understanding is as follows:
the difference in the resilient and the antifragile is not in their reaction to a Change or a Shock. In fact, under certain circumstances, the reaction of a resilient system might be such that the system masks/tolerates the new conditions. The same conditions might lead the antifragile to a failure. The added value of the antifragile system is the "genetic feedback" that those conditions produce. The resilient system is an "entelechy", namely does its best to "stay the same", and in doing so it repeats the same strategy on and on. The identity of the system is immutable. Not so the antifragile system: the identity of such system is dynamic -- which of course might also introduce concern (see for instance Stephen Hawking's plea against unbound AI).
More information e.g. and

Re: your interesting question: in my opinion the Shock is an action of the system we are in contact with -- the "environment"-system. Said system may indeed be resilient; antifragile; elastic; or plain "stupid" (meaning, able to only exercise non-purposeful behaviors). In fact in my opinion Game Theory is the perfect modeling tool to reason about the outcome of the interaction between the system and its environment.
(As a side note, it is significant that all the above ideas can be found already in Leibniz and His concept of compossible and non-compossible substances...)
More information here:

Picture from