Anomaly Detection Using "Normal" Data

Lynn Jones
Stottler Henke Associates, Seattle, WA
Lockheed Martin, Gaithersburg, MD
12/20/01

Table of Contents
- Introduction
- Related work
- Project overview
- SHAI's anomaly detection
- Key component: CVFDT
- Why this will work
- What else we need
- Other application areas

ChAD: Change and Anomaly Detection
- Model-based Change and Anomaly Detection system.
- Has nothing to do with voting in Florida.
- Models normal behavior by observing normal behavior.
- Detects departures from normal.
- Does not require profiles or signatures of abnormal behavior (faults, attacks).

ChAD: Change and Anomaly Detection
- Learns a model unique to the monitored network and host.
- Robust when faced with noisy data.
- Adapts to fluctuations in network usage.
- Detects when characteristics change.
- Reports on the rate and significance of observed changes.

Related work by SHAI
- Network management and security
  - Athena: Mixed-initiative Defensive Information Warfare.
  - ICE: Intelligent Correlation of Evidence (for network intrusion detection).

Related work by SHAI
- Datamining
  - CASAD: Clustering Activity Streams for Anomaly Detection.
  - MediMiner, IKODA (Intelligent Knowledge Discovery Assistant) data mining algorithms and frameworks.

Related commercial work
- Aprisma's SPECTRUM suite - event correlation and model-based reasoning.
  - SNMP MIB and other data.
- SRI's Emerald (eBayes) - hybrid signature-based / anomaly detection monitoring.
  - tcpDump data and derived events.

Related research
- Cabrera, et.al. look for differences in behavior of selected "key variables."
- INBOUNDS statistical modeling using "abnormality factors" and "standardization factors."
- Eskin, et.al. Automatic outlier partitioning and learned model replacement.

ChAD is a component of MASRR
- MASRR: Multi-Agent System for Network Resource Reliability
- Decentralized monitoring and response.
- Prediction and detection of attacks, faults, misconfigurations, etc.
- Network steering to maintain performance.
- Funded as a DARPA SBIR Phase II.

MASRR goals
- Detection of events not previously seen.
- Adaptation to changing usage characteristics.
- Operation in heterogeneous environments.
- Real-time performance.
- Scalability in deployment and operation.
- Autonomous / semi-autonomous operation.
- Robustness.

MASRR current focus
- We have chosen to focus our efforts on Anomaly Detection using normal data.

SHAI's anomaly detection
- Use data mining methods to build a descriptive model that detects changes in the data stream.
- We believe we can overcome specific issues and problems...

Key component: CVFDT
- Concept-adaptive Very Fast Decision Tree
  - on-line decision tree model.
  - does not have to see "all the data" first.
  - accuracy converges to offline models.
- Network usage changes over time.
  - Rather than a stationary concept, data is "generated" by a series of concepts.
- Hulten, Spencer, & Domingos, "Mining Time-Changing Data Streams", KDD '01

Decision Trees, in general
- A decision tree built from some engine data shows that the life of oil seals depends on the operating temperature, and, less definitively, the pressure.
- This model might be used in making a maintenance schedule.

Adaptive Decision Trees
- The company changes the supplier of its oil seals, and begins seeing early failures of seals when operating pressure is around 15, with a wide variance in temperature.
- The adaptive tree starts an alternate tree...

Adaptive Decision Trees
- New records are processed by both trees.
- As the alternate tree grows, it eventually becomes more accurate than the original.
- The alternate is promoted and the original tree is pruned.

CVFDT - more detail
- Each node keeps "sufficient statistics" on the examples seen.
- Sliding window of examples.
- Nodes maintain statistics, forget examples as the window slides.
- Structure of the tree is periodically evaluated, using statistics.

CVFDT - more detail
- Alternate tree is started using different split attribute.
- After every n examples, trees are tested for accuracy.
- If alternate is better, replace original.
- If alternate fails to improve, it is pruned.

CVFDT reveals:
- That system behavior is changing.
- How it's changing - which variable(s).
- The degree to which it's changing - how dramatically, how rapidly, whether transient or permanent.
- ChAD applies CVFDT in a novel way to perform anomaly detection using normal, unlabeled data.

MASRR agents use ChAD
- Segment usage and model different periods of normal activity.
- Manage the library of normal models.
- Interpret results of ChAD models.
- Share their observations.
- Adjust parameters to tune model sensitivity.

Why this will work
- Utilizes routine fluctuations to create more precise periodic models.
- Each agent is sensitive to small changes (slow changes, changes across few variables) on the element(s) it monitors.

Why this will work
- When the network is compromised in some area, absence of data or agent response is also used as information.
- Combines general anomaly detection with root cause analysis.

Why this will work
- More general than eBayes: can detect various kinds of anomalies across different variables.
- "Key variable" signatures not required as in Cabrera, et. al. (similar rules might be used for fault/attack identification).
- Decentralized analysis more sensitive than INBOUNDS centralized system.

Known issues
- Overhead - processing, disk space.
- Getting the sensitivity parameters right.
- Are parameters universal? Or do they depend on the data?
- Amount of data needed.
- What about pre-existing conditions?
- Feature selection.

What (else) will it take?
- Testing and refinement with real data.
- Implementation of the agent reasoning system.
- Implementation of heuristics.
- Feature selection experiments.

Other applications
- Manufacturing processes monitoring.
- Condition-based monitoring (military and commercial) - e.g., fault and wear prediction for maintenance scheduling.

Conclusion
- SHAI is developing an anomaly detection system that we believe:
  - is scalable,
  - works in real-time,
  - detects attacks or faults not previously observed,
  - learns in-place using normal, unlabeled data.

General info on SHAI
- Artificial Intelligence R&D firm, founded in 1988.
- Extensive experience
  - Hundreds of fielded systems.
  - Variety of AI techniques and application areas.

Contact info
Lynn Jones
lwjones@shai-seattle.com
http://64.81.14.30/ReliabilityWeb/
SHAI
1107 NE 45th St. Suite 427
Seattle, WA 98105
Speaker notes

We call our system ChAD, for Change and Anomaly Detection. The system models normal behavior by observing normal behavior. It detects when the system behavior changes. Unexpected changes are picked up as anomalies. Does not require profiles or signatures of abnormal behavior (faults, attacks) -- therefore it can detect anomalies never before observed.

There are benefits of this approach that make it particularly suitable for network security and network management:
Each ChAD model is learned in-place, and is unique to the particular network, network element, or host it monitors. This is a requirement, since every network will have its own fluctuating characteristics. Typically, there are recognizable patterns to these fluctuations (for example, the "after-lunch" effect, when everyone gets back from lunch and checks their email, a backup that runs at midnight, etc).
ChAD models find these normal patterns and then detect when the characteristics change. They are able to report information about the change that can be used for diagnosing the anomaly and identifying the cause.

Benefits of ChAD ("Big Fat Claims")
- unique: not brittle. A model built for one particular system may not prove accurate on another system. >> each model tailors itself to the modeled system
- noise: there will typically be a wide variance in traffic measures, even under "normal" operation
- fluctuations: time-of-day, day-of-week. ChAD can be used to segment network usage patterns into typical periods. "Normal" profiles form basis for anomaly detection.

The goal of this project is to create a decentralized agent monitoring and response system that can detect changes in network behavior, really anything that could degrade performance or signal intrusion or misuse, and then take steps to mitigate or correct the situation. As the system develops, it will become more of a proactive or predictive system, actually able to predict problems and steer network behavior to ensure the best possible overall network reliability.

What's driving development of this project is the need to detect faults and intrusions and problems that have never been seen before, in order to move away from signature-based intrusion detection. Why is this necessary? Because we don't have signatures for new exploits. Signatures may not necessarily be applicable to every network configuration. We would like to extend monitoring to assist in network management and maintenance, so then we would need fault signatures as well as attack signatures. Importantly, network usage characteristics change over time, which could "break" other models or signatures.
Other requirements include the need to operate in a heterogeneous environment, using current protocols and hardware. Of course the system must act in real-time. These requirements contributed to our decision to work with SNMP data, which can be collected from nearly all devices at fairly low overhead, using standard protocols.
Scalability during operation was a "given", but as we did our own requirements analysis, we realized that scalability of deployment was also a necessity, and that no network administrator is going to customize each agent of a decentralized system in order to install it.
Scalability, autonomous operation, and robustness are all related to the overall goal of maintaining the best possible network performance even in the face of attack or partial failure.

Why is it a hard problem?
- real data is noisy - anomaly detection is sort of an outlier detection problem. It is very hard to distinguish outliers from noise.
- Not just difficult - impossible:
  Formal languages theory of computation as a "recognizer" of sentences in a grammar.
  Gold, E. Mark (1967) Language identification in the limit. Information and Control 10:447-474.
  Gold's Theorem states that it is impossible to learn a language using only positive examples of the language.
- In practice: False alarm rate remains unmanageably high
- Side note: Statistical anomaly detection does not yield understandable models

Why fault/change/anomaly/attack detection using normal data is needed (relevant):
- can't possibly know all possible faults, exploits, etc. New ones occurring/found all the time. Must be able to recognize and respond to situations not previously observed.
- can't introduce (or simulate) faults, attacks, etc. for data collection - too costly, etc.
- Even if could, data labeling and cleaning is cost-prohibitive
- A model built for one particular system may not prove accurate on another system.

Athena: is a tool for Mixed Initiative Information Warfare.
- Seeks to make optimal use of the human-in-the-loop to do automated monitoring online analysis & asynchronous human input guided evidence analysis
- Uses model-based reasoning, active evidential reasoning, case-based reasoning

ICE:
- Real-Time Intrusion Detection
- Automatic Tuning in Response to System Policies and False Alarms
- Integrates Multiple and Variable Evidence Sources
- performs Centralized Analysis from Distributed Evidence Collection
- Uses Bayes nets to represent attack hypothesis

CASAD: formulating data characterization models that could then be used as the basis for the specification of security policies and the detection of information attacks on the data repositories utilized by DBMS applications. In pursuit of this objective SHAI worked to produce a unique algorithm for analyzing the hidden structure of database usage patterns to effectively profile the behavior associated with specific user roles and construct rules that can distinguish normal from suspicious activities.
- Subspace clustering

J. Cabrera, L. Lewis, X. Qin, W. Lee, R. Prasanth, B. Ravichandran, and R. Mehra. Proactive Detection of Distributed Denial of Service Attacks using MIB Variables: A Feasibility Study. In the Proceedings of the 7th IFIP/IEEE International Symposium on Integrated Network Management, Seattle, WA, May 14-18, 2001.
- Feature selection is a different but related task that we may have time to explore during the remainder of the MASRR project
- This work may be incorporated into Aprisma's products at this time
- SNMP MIB data

INBOUNDS: R. Balupari, B. Tjaden, S. Ostermann, M. Bykova, L. Tong, and A. Mitchell. Real-time Network-Based Anomaly Intrusion Detection. Submitted to Journal of Parallel and Distributed Computing Practices, 2001. http://zen.ece.ohiou.edu/~inbounds/index.shtml
- real-time tcpTrace data, plus other - hosts, users, processes, resources

E. Eskin, M. Miller, Z.-D. Zhong, G. Yi, W.-A. Lee, and S. Stolfo. Adaptive model generation for intrusion detection. In Proceedings of the ACMCCS Workshop on Intrusion Detection and Prevention, Athens, Greece, 2000.
- system call data
- Can't determine when system has changed - models relearned "periodically"

What are we going to do to solve this anomaly detection problem? We have a data mining approach that builds a descriptive model of normal system behavior and then uses the model to detect when the incoming data stream shows the system behavior changes.

This is a new development that was presented at the Knowledge Discovery in Databases (KDD) this summer. The Very Fast Decision Tree is an online decision tree model, meaning that it is built using streaming data in real time, as opposed to requiring all the data at once to be accessed from a database. It has been proven that its accuracy converges to that of a corresponding model that has all the data in advance.
The extension to this approach, that makes it Concept-adaptive, was developed because many, if not most, systems change over time. Rather than viewing the data as though it were generated by a stationary, or unchanging, concept, we view it as being generated by a series of concepts.
One of the authors of the paper on CVFDT, Laurie Spencer, is working on this project at SHAI.

This approach alone only detects change, whether normal or abnormal. I mentioned earlier that we can use this algorithm to segment observations into separate patterns of normal usage. That would be done during the agent's learning stage. Once done, the agent will have a library of learned models to load at the appropriate times. Those models represent the expected behavior, and the agent treats any change or departure from the baseline model as being potentially anomalous.
Agents observing changes (or lack of changes) in their locally monitored regions will share their observations and interpretations in order to form a more certain understanding of occurrences.

The CVFDT tree can give us a lot of information about the behavior of the parts of the network being monitored. The tree structure itself yields information about the interactions and dependencies of various usage attributes. More importantly, it can tell us about changes in behavior:
- that there is a change
- which attributes' values are showing changes
- the speed or scale of the change
̙33 0 xp,( x@q@ ,R , 3     v , C   @   One issue with anomaly detection is achieving the proper level of sensitivity. This would be particularly true of detection systems that might be calibrated for general behavior -- they will either be too sensitive and generate lots of false alarms, or they will not be sensitive enough and will miss actual events. The time segmentation allows more precise models to be used so that smaller deviations are seen as anomalies rather than as routine fluctuations in a widely varying system. Additionally, the detection of multiple small changes, and having a reasoning component correlate the observations, allows the agents to perform fine-grained diagnosis at the appropriate sensitivity level. This capability will be required for prediction and proactive response. H , 0޽h ? ̙338 0 0( x@q@ 0R 0 3      0 C $  @   (caveat: these assessments based on single papers, and I have not made a more thorough survey of recent developments of this work)H 0 0޽h ? ̙33  0 h`4( x@q@ 4R 4 3     f 4 C   @   Overhead: Models are generally compact and efficient, but we may have 50+ variables. Online model, so shouldn t have to store much data, but depends on the window size.. Sensitivity Training: Get lots of info from models. Need to tune the interpretation of it. Universal: will parameters set for one element apply to the models on another element? Can we learn these as we go? Data: Currently, 50k+ records. Need to reduce this for early detection. Pre-existing: Agents will use a library of heuristics that encode guidelines, best practices, known problems etc., to allow recognition of problems that otherwise would be learned as  normal Feature selection: Remains an open problem. However, MASRR agents will be able to initiate monitoring and add variables to the models when the variable would reduce uncertainty about a diagnosis; can remove models when things  return to normal H 4 0޽h ? 
̙33  0 vn8( x@q@ 8R 8 3     t 8 C   @   Agent correlating and reasoning about observed events and information from other agents. Heuristics - encoding of  best practices , known performance rules that will enable agents to spot pre-existing (and other) problems. Feature selection experiments - we ve done background research and designed an approach, but have put on hold in order to devote resources to anomaly detection. Results of this work would help optimize the minimum set of features that are monitored at all times as well as identify features that are indicative of particular faults. For this work, we would want to use fault and attack data as well as normal data.H 8 0޽h ? ̙33  0 <2(  <R < 3      < C   @   @other potential sources of revenue, should you want to invest :-) Domains in which systems are monitored for changes or faults, in which the  universe of faults may not be known or for which data cannot be collected. Domains in which someone wants to detect change (not just faults) -- network planning and load balancing, time-of-day segmentation for utilities, etc. :C0 2C/ H < 0޽h ? ̙33   0 l d @d( E dR d 3     j d C D|  @   So now it seems that pressure is becoming more indicative than temperature of oil seal wear. As new examples arrive, they are processed by both the original tree and the alternate tree. If there is truly a change to the underlying system, which in this case there is because the company has changed suppliers, if there s truly a change, the alternate tree will begin to classify new examples more accurately. When this happens, the alternate tree is promoted and the original tree is pruned. Suppose, instead of changing suppliers, the company had simply received a  bad batch  a shipment with a lot of faulty seals. Then, the accuracy of the alternate tree may improve over time but not exceed the original. In this case it would not be promoted. 
An offline decision tree would have incorrect output, and would have to be relearned from the new data. The VFDT (non-adaptive) would be able to grow from the leaf nodes only, becoming large, inefficient, and unclear (not informative). Eventually, it would "break".

The model is built example by example. It starts with the root node and tries to divide the examples according to the attributes and values that would make the most compact tree (in general - various split evaluation functions have somewhat different properties). If the examples seen by a node are all the same class, the node will be a "leaf" node and there is no need for further splitting. Each node keeps statistics on the attribute values and classes it "has seen". The algorithm uses a "sliding window" of examples, in order to adapt to changes - counts are incremented for each new example and are decremented as examples drop out of the window, effectively allowing the model to "forget" the past concept. The window shrinks and grows, depending on how rapidly changes are occurring.

When the split evaluation (e.g., information gain) function shows that another attribute would be chosen as the split point, an alternate tree is started. Examples continue to be processed by both the original and the alternate subtree(s). After so many examples, the trees' structures are again tested. If and when the alternate tree surpasses the original, the original is replaced. If the alternate tree fails to improve, the changes are considered transient (noise) and the alternate tree is pruned.

Decision Tree is a classification model. Suppose we had collected data on engine wear, and we were interested to learn what characteristics or values affected the wear-out rate of oil seals.
We could divide up the failures of oil seals that we had observed into classes; here they are shown as the life of the seal, whether they lasted 12 months or 8 months, etc. Then, each example or record in the data can be said to fall into a particular class. So we could build this decision tree to learn about the engine wear. In order to do so, we have an algorithm that examines all the data and develops statistics for all the values in relation to each record's class. There's a measurement that indicates which attribute (column in the data) is most discriminating in dividing the records by class (these measures include "information gain", entropy functions, GINI indexes). The algorithm creates a node and divides the records according to the best split point it found. At the child nodes, the same process is repeated, until the records have been fully classified (meaning, records at a "leaf" node are all the same class). In this example, we learn that the operating measures most indicative of oil seal wear are the engine temperature and the oil pressure. An online decision tree (such as VFDT) does basically the same thing, but rather than requiring all records in advance, each node stores statistics as the records are processed, and it re-evaluates the split function periodically.

But, many systems change over time. Suppose this company made a replacement schedule based on the earlier decision tree, and then they changed suppliers of the oil seals. And they started seeing failures earlier than the replacement schedule. In the records with early failures, the values for temperature and pressure do not fit the previous model. If we are building a Concept-adaptive online tree, the statistics stored in each node will cause the tree to select a different split point and start an alternate tree.
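The per-node sliding-window statistics and periodic split re-evaluation described in these notes, as an added example (not code from the presentation or from the CVFDT authors). It handles a single node only and uses the Hoeffding bound from the VFDT literature as the confidence test; the attribute names, class labels, window size and data are constructed for illustration.

```python
import math
from collections import Counter, deque

class WindowedNode:
    """Statistics one tree node keeps over a sliding window of examples."""
    def __init__(self, attributes, window):
        self.attributes, self.size, self.window = attributes, window, deque()
        self.class_counts = Counter()   # label -> count
        self.counts = Counter()         # (attribute, value, label) -> count

    def _update(self, example, label, step):
        self.class_counts[label] += step
        for a in self.attributes:
            self.counts[(a, example[a], label)] += step

    def observe(self, example, label):
        self.window.append((example, label))
        self._update(example, label, +1)
        if len(self.window) > self.size:            # forget the oldest example
            self._update(*self.window.popleft(), -1)

    @staticmethod
    def _entropy(counts):
        counts = [c for c in counts if c > 0]
        n = sum(counts)
        return -sum(c / n * math.log2(c / n) for c in counts)

    def gain(self, attr):
        """Information gain of splitting the windowed examples on attr."""
        n = sum(self.class_counts.values())
        by_value = {}
        for (a, v, _), c in self.counts.items():
            if a == attr:
                by_value.setdefault(v, []).append(c)
        rest = sum(sum(cs) / n * self._entropy(cs) for cs in by_value.values())
        return self._entropy(self.class_counts.values()) - rest

    def best_split(self, delta=1e-6):
        """(best attribute, True if its lead exceeds the Hoeffding bound)."""
        ranked = sorted(self.attributes, key=self.gain, reverse=True)
        n = sum(self.class_counts.values())
        eps = math.sqrt(math.log(1 / delta) / (2 * n))  # range R = 1 bit, two classes
        return ranked[0], self.gain(ranked[0]) - self.gain(ranked[1]) > eps

def run_demo():
    """Constructed data: seal life follows temperature, then pressure."""
    node, seen = WindowedNode(["temperature", "pressure"], window=200), []
    for cause, count in (("temperature", 200), ("pressure", 100), ("pressure", 100)):
        for i in range(count):
            ex = {"temperature": "high" if i % 2 == 0 else "low",
                  "pressure": "high" if (i // 2) % 2 == 0 else "low"}
            node.observe(ex, "8 months" if ex[cause] == "high" else "12 months")
        seen.append(node.best_split())
    return seen   # after the old concept, mid-change, after the new concept
```

Halfway through the change the window holds both concepts, so neither attribute leads by more than the bound; only once the old examples have dropped out does pressure become the confident split, which is the point at which an alternate subtree would be started.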