Adding rigor to the comparison of anomaly detector outputs Romain - - PowerPoint PPT Presentation

▶

Feb 20, 2023 117 likes •324 views

Introduction Problem Proposed method Evaluation Discussion Conclusion Adding rigor to the comparison of anomaly detector outputs Romain Fontugne , National Institute of Informatics / SOKENDAI, Tokyo Pierre Borgnat , Physics Lab, CNRS, ENS

SLIDE 1

Introduction Problem Proposed method Evaluation Discussion Conclusion

Adding rigor to the comparison of anomaly detector outputs

Romain Fontugne, National Institute of Informatics / SOKENDAI, Tokyo Pierre Borgnat, Physics Lab, CNRS, ENS Lyon Patrice Abry, Physics Lab, CNRS, ENS Lyon Kensuke Fukuda, National Institute of Informatics / PRESTO JST, Tokyo April 25, 2010

Adding rigor to the comparison of anomaly detector outputs, Fontugne, Borgnat, Abry, Fukuda 1

SLIDE 2

Introduction Problem Proposed method Evaluation Discussion Conclusion

Motivation

Anomaly detection in backbone traffic

Active research domain
Wavelet [IMC 02], PCA [SIGCOMM 05, SIGMETRICS 07],

gamma law [LSAD 07], association rule [IMC 09]...

Tricky evaluation, lack of common ground truth:
Manual inspection
Synthetic traffic
Comparison with other methods

Goal

Long term goal: Provide common “ground truth data”

Labeling MAWI archive
Combining several anomaly detector results
Ground truth relative to the state of the art

Goal of this work: Find relations between outputs of different classifiers

Adding rigor to the comparison of anomaly detector outputs, Fontugne, Borgnat, Abry, Fukuda 3

SLIDE 4

Introduction Problem Proposed method Evaluation Discussion Conclusion

Problem statement: Eventx=Eventy??

Event (= anomaly detector’s alarm)

Set of traffic feature containing at least 2 timestamps and one traffic feature. i.e. one flow, one IP address, a set of flows, a set of packets...

Main difficulties

Different granularities: Event1=Event2?=Event3?
Overlapping: Event4=Event5?
Different points of view: Event1=Event6?

Adding rigor to the comparison of anomaly detector outputs, Fontugne, Borgnat, Abry, Fukuda 4

SLIDE 5

Introduction Problem Proposed method Evaluation Discussion Conclusion

Proposed method

Approach

Identify similar events by using community mining on graph

Overview

Oracle: Uncover relations between traffic and events
Graph gen.: Represent events and their relations in a graph
Community Mining: Find similar events by looking at dense

components

Adding rigor to the comparison of anomaly detector outputs, Fontugne, Borgnat, Abry, Fukuda 5

SLIDE 6

Introduction Problem Proposed method Evaluation Discussion Conclusion

Oracle

Uncover relations between original traffic and events

List the events that match each packet of the original traffic
i.e. pkt1:{IP1 : 80 → IP2 : 12345} = Event1:{srcIP = IP1}

Adding rigor to the comparison of anomaly detector outputs, Fontugne, Borgnat, Abry, Fukuda 6

SLIDE 7

Introduction Problem Proposed method Evaluation Discussion Conclusion

Graph generator

Build a non-directed weighted graph from the Oracle output

Nodes are events and edges are shared packets
Weight on each edge: similarity measure, Simpson index,

|E1 ∩ E2|/ min(|E1|, |E2|), Ei: packets matching event i

Adding rigor to the comparison of anomaly detector outputs, Fontugne, Borgnat, Abry, Fukuda 7

SLIDE 8

Introduction Problem Proposed method Evaluation Discussion Conclusion

Community mining

Identify community (= dense component) in the graph

Louvain algorithm1: based on Modularity2
Take into account node connectivity and edge weight

1Blondel et al.: Fast unfolding of communities in large networks. J.STAT.MECH. (2008) 2Newman, Girvan: Finding and evaluating community structure in networks. Phys. Rev.E (Feb 2004) Adding rigor to the comparison of anomaly detector outputs, Fontugne, Borgnat, Abry, Fukuda 8

SLIDE 9

Introduction Problem Proposed method Evaluation Discussion Conclusion

Data and anomaly detectors

Data set

MAWI archive (trans-Pacific link)
During the outbreak of the Sasser worm (08/2004)

Anomaly detectors

Sketches and multiresolution gamma modeling 3

Report source or destination IP

Image processing: Hough transform 4

Report set of packets

3Dewaele, G., Fukuda, K., Borgnat, P., Abry, P., Cho, K.: Extracting hidden anomalies using sketch and non gaussian multiresolution statistical detection procedures. SIGCOMM LSAD 07 4Fontugne, R., Himura, Y., Fukuda, K.: Evaluation of anomaly detection method based on pattern

recognition. IEICE Trans. on Commun. E93-B(2) (February 2010)

Adding rigor to the comparison of anomaly detector outputs, Fontugne, Borgnat, Abry, Fukuda 9

SLIDE 10

Introduction Problem Proposed method Evaluation Discussion Conclusion

Results

Graph

Reported events; Gamma-based: 332, Hough-based: 873
Intersection 235 and 247 events: 124 connected components
Biggest component: 47 events (G.34, H.13), 8 communities

201.46.145.73d;142055pkt 212.69.78.53s;142054pkt 1;142054pkt 212.69.78.53s;149836pkt 0.999993;142054pkt 201.46.145.73d;87904pkt 1;87904pkt 213.81.0.20s;32795pkt 3.04925e-05;1pkt 213.81.0.20s;32794pkt 3.04934e-05;1pkt 1;142054pkt 1;87904pkt 1;87904pkt 138.241.107.243d;67971pkt 214.26.222.68s;10616pkt 1;10616pkt 214.26.222.68s;71331pkt 0.999617;67945pkt 0.999435;10610pkt 0.199.181.106s;5098pkt 138.241.115.41d;80692pkt 1;5098pkt 0.199.181.106s;64299pkt 1;5098pkt 138.241.115.41d;102053pkt 1;5098pkt 0.792563;50961pkt 3.82.19.96s;37450pkt 0.77773;29126pkt 0.99627;80391pkt 1;64299pkt 1;37450pkt 200.160.182.154d;885pkt 217.10.174.133s;843pkt 0.00118624;1pkt 200.243.158.152s;502pkt 0.141434;71pkt 18.163.134.138s;504pkt 0.228175;115pkt 217.10.174.133s;2963pkt 0.00112994;1pkt 1;843pkt 69.236.75.39d;1830pkt 145.207.243.232s;940pkt 0.378723;356pkt 145.207.243.232s;7985pkt 0.956831;1751pkt 150.82.154.45s;1016pkt 0.0019685;2pkt 150.82.154.45s;3307pkt 0.0010929;2pkt 215.93.172.113d;635pkt 0.0125984;8pkt 0.751064;706pkt 193.11.100.166d;595pkt 0.00168067;1pkt 0.207874;132pkt 150.82.98.6s;860pkt 206.95.146.68d;2857pkt 0.00465116;4pkt 150.82.98.6s;8083pkt 0.995349;856pkt 150.82.147.96s;384pkt 0.216146;83pkt 150.82.154.83s;6575pkt 0.306965;877pkt 112.173.220.79d;171pkt 1;171pkt 220.23.117.18d;247pkt 145.206.169.39s;386pkt 1;247pkt 172.92.130.51s;159pkt 0.345912;55pkt 0.345912;55pkt 213.117.195.228s;2777pkt 200.160.180.18d;10965pkt 0.46345;1287pkt 3.148.122.7s;12282pkt 0.174373;1912pkt 200.91.100.222s;11029pkt 0.218057;2391pkt 212.19.213.111s;2611pkt 0.194178;507pkt 212.81.120.33s;6569pkt 0.255899;1681pkt 200.160.180.18d;10835pkt 0.202769;2197pkt 1;10835pkt 145.207.126.105s;261435pkt 112.173.72.177d;3276pkt 1;3276pkt 108.229.243.42d;9815pkt 1;9815pkt 194.92.125.170d;2783pkt 1;2783pkt 108.3.107.146d;11798pkt 1;11798pkt 195.167.14.142d;4047pkt 1;4047pkt 4.2.128.38d;1442pkt 1;1442pkt 145.207.126.105s;42747pkt 0.948979;40566pkt 145.207.243.232d;20749pkt 0.628464;13040pkt 0.807336;7924pkt 3.144.45.43s;348pkt 150.129.57.189d;3769pkt 1;348pkt 201.94.118.13s;1093pkt 201.46.151.99d;1639pkt 1;1093pkt 211.62.54.235s;247pkt 0.00404858;1pkt 3.164.4.11d;5933pkt 200.24.119.113s;33509pkt 0.362886;2153pkt 200.24.119.113s;21160pkt 0.996123;5910pkt 214.79.36.98d;99pkt 1;99pkt 10.20.0.9d;792pkt 0.472222;374pkt 195.56.240.86d;2380pkt 0.327731;780pkt 10.10.1.1d;994pkt 0.376258;374pkt 10.2.1.50d;297pkt 1;297pkt 10.1.1.239d;253pkt 0.853755;216pkt 10.23.1.2d;6644pkt 0.25286;1680pkt 10.8.128.39d;264pkt 0.708333;187pkt 10.1.10.9d;612pkt 0.30719;188pkt 10.3.232.51d;406pkt 0.3867;157pkt 192.168.200.23d;304pkt 0.513158;156pkt 205.68.46.154d;559pkt 0.354204;198pkt 10.15.7.18d;380pkt 0.557895;212pkt 10.75.3.2d;260pkt 0.434615;113pkt 195.56.240.64d;273pkt 0.351648;96pkt 192.168.238.20d;399pkt 0.273183;109pkt 172.23.0.11d;319pkt 0.275862;88pkt 197.73.183.171d;632pkt 0.39557;250pkt 10.4.1.19d;347pkt 0.420749;146pkt 172.16.10.22d;288pkt 0.493056;142pkt 10.40.1.29d;277pkt 0.353791;98pkt 193.92.212.83d;583pkt 0.319039;186pkt 172.16.253.153d;470pkt 0.312766;147pkt 170.66.142.177d;410pkt 0.290244;119pkt 192.168.0.230d;288pkt 0.274306;79pkt 172.20.0.2d;265pkt 0.301887;80pkt 0.262004;5544pkt 1;612pkt 1;406pkt 1;260pkt 1;277pkt 1;99pkt 150.82.147.102s;956pkt 212.81.118.80d;917pkt 0.0141767;13pkt 150.82.147.102s;5210pkt 0.910042;870pkt 70.138.249.134d;356pkt 0.0589888;21pkt 0.0479826;44pkt 150.82.147.100s;5038pkt 0.0577972;53pkt 200.160.180.18s;67012pkt 0.14831;136pkt 1.220.128.31d;185pkt 0.383784;71pkt 201.46.148.146s;450pkt 212.65.137.91d;653pkt 0.342222;154pkt 212.69.78.53d;93713pkt 201.46.145.73s;93713pkt 1;93713pkt 201.46.145.73s;98741pkt 1;93713pkt 1;93713pkt 145.206.90.140s;658pkt 140.188.22.183d;442pkt 0.357466;158pkt 0.00168067;1pkt 145.206.90.140s;1287pkt 0.108597;48pkt 5.228.17.82s;273pkt 170.35.227.4d;4559pkt 1;273pkt 150.82.147.100s;465pkt 0.0730337;26pkt 0.780645;363pkt 0.438202;156pkt 0.474719;169pkt 200.160.182.9s;42184pkt 0.0308989;11pkt 0.616216;114pkt 0.0204724;13pkt 193.1.85.161d;573pkt 0.0104712;6pkt 69.224.152.205d;727pkt 0.00550206;4pkt 0.00336134;2pkt 0.103346;105pkt 150.82.2.248s;405pkt 0.00740741;3pkt 0.00493827;2pkt 0.0279232;16pkt 150.129.57.185s;554pkt 0.00902527;5pkt 145.206.145.160s;2515pkt 0.0157068;9pkt 0.00275103;2pkt 0.0218487;13pkt 172.92.106.182s;1099pkt 200.98.208.49d;352pkt 0.0340909;12pkt 172.92.106.182s;62pkt 0.677419;42pkt 150.82.65.185s;1079pkt 0.148.45.66d;3683pkt0.39759;429pkt 212.81.118.163d;475pkt 0.0105263;5pkt 150.82.65.185s;10212pkt 0.803522;867pkt 0.972848;3583pkt 150.129.57.177s;17701pkt 0.000271518;1pkt 0.0568421;27pkt 0.0252632;12pkt 150.129.20.70d;1058pkt 211.91.27.42s;15083pkt 0.00283554;3pkt 210.131.216.219s;30818pkt 0.00283554;3pkt 210.148.194.50s;30461pkt 0.00283554;3pkt 211.91.27.42s;15063pkt 0.00283554;3pkt 1;15063pkt 210.161.50.184d;482pkt 1;482pkt 208.8.4.157d;1218pkt 1;1218pkt 210.164.0.64d;2305pkt 1;2305pkt 210.174.147.110d;2555pkt 1;2555pkt 211.91.27.42d;4687pkt 1;4687pkt 214.79.36.98d;286pkt 0.475524;136pkt 150.129.57.177s;5036pkt 1;5036pkt 0.11.24.43d;341pkt 0.501466;171pkt 1;4687pkt 145.207.218.82d;544pkt 200.98.208.49s;244pkt 0.0655738;16pkt 172.92.106.182d;392pkt 0.0368852;9pkt 201.46.150.69s;695pkt 213.81.0.20d;1185pkt 0.00143885;1pkt 201.46.146.5s;551pkt 0.00181488;1pkt 213.81.0.20d;1pkt 1;1pkt 201.46.146.65d;718pkt 0.00139276;1pkt 0.00139276;1pkt 1;32794pkt 211.47.159.77d;63363pkt 138.241.80.78s;63418pkt 1;63363pkt 138.241.80.78s;66456pkt 0.993387;62944pkt 0.992526;62944pkt 207.96.55.36d;349pkt 145.206.84.22s;8813pkt 0.630372;220pkt 214.27.62.58d;258pkt 0.976744;252pkt 4.200.18.18d;3099pkt 0.0251694;78pkt 169.48.168.215d;1117pkt 0.406446;454pkt 145.206.84.22s;1522pkt 1;1522pkt 196.61.9.102d;2551pkt 1;2551pkt 0.00161342;5pkt 169.48.168.215d;259pkt 1;259pkt 150.82.137.35d;1074pkt 0.203.211.80s;707pkt 0.110325;78pkt 0.203.211.66s;811pkt 0.0110974;9pkt 172.92.106.184d;8097pkt 0.0226308;16pkt 138.241.112.153d;4805pkt 0.0325318;23pkt 138.241.119.80d;2345pkt 3.204.29.86s;374pkt 0.986631;369pkt 4.203.92.0s;301pkt 1;301pkt 4.203.92.120s;75pkt 1;75pkt 3.210.39.162s;1175pkt 0.482553;567pkt 138.241.81.6d;1760pkt 70.138.240.21s;900pkt 0.491111;442pkt 70.138.249.134s;430pkt 0.0186047;8pkt 200.160.182.154s;1089pkt 200.243.158.152d;424pkt 0.136792;58pkt 5.193.11.127d;347pkt 0.314121;109pkt 0.148.18.225d;4862pkt 0.0587695;64pkt 200.91.100.222d;843pkt 1;843pkt 212.81.120.33d;1097pkt 0.985415;1081pkt 0.0145852;16pkt 146.160.88.158d;250pkt 1;250pkt 212.187.13.65d;11896pkt 1;11896pkt 200.160.180.18s;23207pkt 0.84726;10079pkt 150.82.173.133d;13312pkt 0.054388;647pkt 0.301053;143pkt 0.955617;22177pkt 1;13312pkt 0.787861;10488pkt 150.82.147.102d;1950pkt 0.3;129pkt 70.138.253.137s;216pkt 0.717593;155pkt 70.138.253.196s;124pkt 0.330645;41pkt 70.138.253.197s;320pkt 0.159375;51pkt 70.138.253.198s;40pkt 1;40pkt 70.138.253.204s;527pkt 0.195446;103pkt 70.138.253.206s;83pkt 0.493976;41pkt 70.138.253.207s;171pkt 0.707602;121pkt 70.138.253.218s;73pkt 0.547945;40pkt 150.82.147.102d;39pkt 1;39pkt 1;39pkt 150.82.154.176d;668pkt 0.7.41.83s;313pkt 1;313pkt 150.82.154.176d;388pkt 1;388pkt 1;313pkt 0.148.60.128s;334pkt 0.148.60.128s;173pkt 1;173pkt 201.46.149.58d;2687pkt 0.203.211.65s;2687pkt 1;2687pkt 0.203.211.66s;253pkt 1;253pkt 0.0863132;70pkt 0.054254;44pkt 0.203.211.105s;2294pkt 1;2294pkt 0.203.211.194s;933pkt 1;933pkt 0.203.211.212s;3339pkt 0.99401;3319pkt 172.92.106.184d;5930pkt 0.996627;5910pkt 0.844377;1937pkt 1;3339pkt 0.203.211.150s;396pkt 0.0126263;5pkt 0.203.211.150s;208pkt 1;208pkt 0.0126263;5pkt 145.207.75.87d;1905pkt 0.203.211.244s;1444pkt 0.864958;1249pkt 145.207.75.87d;1962pkt 0.655643;1249pkt 0.203.211.205s;884pkt 0.80543;712pkt 0.864958;1249pkt 1.191.114.252s;259pkt 138.241.115.65d;28494pkt 1;259pkt 1.191.114.252s;73pkt 1;73pkt 0.148.18.83s;539pkt 0.686456;370pkt 1;73pkt 3.26.138.168s;43pkt 0.302326;13pkt 69.244.219.20s;552pkt 1;552pkt 200.96.36.244s;1636pkt 1;1636pkt 200.111.106.47s;975pkt 0.549744;536pkt 210.133.66.11s;793pkt 0.423707;336pkt 211.35.34.239s;1pkt 1;1pkt 214.39.90.72s;7290pkt 0.0631001;460pkt 214.81.95.137s;6209pkt 1;6209pkt 214.215.154.204s;61pkt 1;61pkt 138.241.115.65d;18248pkt 0.61952;11305pkt 0.148.56.251s;460pkt 0.521739;240pkt 214.4.52.64s;239pkt 1;239pkt 4.200.18.17s;670pkt 0.0597015;40pkt 1;7290pkt 1;6209pkt 200.171.11.44d;2386pkt 0.285075;191pkt 3.90.37.163s;19250pkt 0.893546;2132pkt 4.200.18.17s;70pkt 1;70pkt 71.28.149.70s;7636pkt 0.000419111;1pkt 200.171.11.44d;2385pkt 0.197065;470pkt 1;70pkt 0.835639;1993pkt 172.92.150.20d;300pkt 3.144.44.88s;260pkt 1;260pkt 138.241.82.119d;7973pkt 3.161.49.7s;502pkt 1;502pkt 210.144.8.21s;210pkt 1;210pkt 210.144.8.91s;2033pkt 1;2033pkt 217.140.3.19s;1432pkt 1;1432pkt 138.241.82.119d;1548pkt 1;1548pkt 0.877261;1358pkt 3.193.58.162s;103242pkt 3.193.58.162s;107977pkt 1;103242pkt 145.207.126.105d;109463pkt 4.1.133.125s;4729pkt 1;4729pkt 154.95.169.112s;3203pkt 1;3203pkt 213.235.124.7s;3328pkt 1;3328pkt 2.82.146.201s;15073pkt 0.948982;14304pkt 4.1.133.125s;25388pkt 0.963684;24466pkt 5.70.2.43s;12554pkt 1;12554pkt 154.95.169.112s;16676pkt 0.947889;15807pkt 194.30.239.23s;5950pkt 1;5950pkt 201.24.161.115s;5050pkt 0.958812;4842pkt 213.175.23.109s;8016pkt 0.959581;7692pkt 213.235.124.7s;8103pkt 0.962113;7796pkt 145.207.126.105d;71474pkt 0.950178;67913pkt 210.90.12.161s;233pkt 0.00858369;2pkt 211.58.145.23s;91pkt 0.010989;1pkt 0.980123;4635pkt 1;4729pkt 1;3203pkt 1;3203pkt 1;3328pkt 1;15073pkt 1;25388pkt 1;12554pkt 1;16676pkt 172.92.177.68d;438pkt 4.200.18.18s;3728pkt 0.913242;400pkt 150.182.163.54d;5966pkt 69.20.114.84s;30466pkt 0.000838082;5pkt 210.141.134.147s;15080pkt 0.000838082;5pkt 69.236.75.39s;276pkt 69.236.75.39s;4186pkt 0.735507;203pkt 0.917105;3839pkt 172.92.48.180d;29845pkt 69.249.185.67s;3831pkt 0.411903;1578pkt 69.249.185.81s;1867pkt 1;1867pkt 172.92.48.180d;27291pkt 0.905903;24723pkt 1;3831pkt 1;1867pkt 73.227.160.12d;11595pkt 73.227.160.12s;37091pkt 1;11595pkt 210.144.8.91d;1407pkt 138.241.82.119s;1399pkt 0.99857;1397pkt 214.166.45.97d;9593pkt 138.241.83.72s;8485pkt 0.878374;7453pkt 138.241.107.240s;1774pkt 0.258174;458pkt 145.207.136.163s;1143pkt 1;1143pkt 150.82.139.9s;1211pkt 1;1211pkt 138.241.115.41s;2978pkt 138.241.115.41s;58367pkt 1;2978pkt 144.209.69.181s;563pkt 144.209.69.181s;325pkt 0.84;273pkt 196.61.9.102d;4564pkt 0.700701;3198pkt 145.206.74.249s;69pkt 1;69pkt 1;1522pkt 1;2551pkt 1;1522pkt 212.36.172.189d;1481pkt 0.330182;489pkt 145.206.84.71s;1147pkt 0.398431;457pkt 145.206.94.114s;371pkt 0.495957;184pkt 145.206.145.160s;1554pkt 0.326806;484pkt 0.0352941;21pkt 0.969755;1507pkt 210.144.2.134d;456pkt 145.207.70.155s;580pkt 0.899123;410pkt 145.207.192.55s;528pkt 145.207.192.55s;250pkt 0.372;93pkt 210.162.226.143d;2667pkt 145.207.233.244s;19380pkt 1;2667pkt 150.82.21.60s;603pkt 150.82.21.60s;1056pkt 0.99005;597pkt 2.80.109.135d;3661pkt 150.129.57.189s;3373pkt 0.580492;1958pkt 217.122.21.18d;4997pkt 150.129.58.183s;5005pkt 1;4997pkt 208.5.203.33d;820pkt 150.167.24.102s;1477pkt 0.993902;815pkt 210.163.128.178d;2728pkt 150.182.162.172s;675pkt 0.699259;472pkt 150.182.163.55s;46382pkt 0.0527859;144pkt 210.131.216.219d;2522pkt 0.106661;269pkt 210.142.165.106d;4356pkt 0.0982553;428pkt 210.165.157.64d;2105pkt 1;2105pkt 214.169.100.221d;6613pkt 1;6613pkt 172.82.213.242s;1258pkt 172.82.213.242s;5067pkt 1;1258pkt 69.249.185.81d;11009pkt 172.92.48.180s;18359pkt 0.995095;10955pkt 210.133.66.52d;322pkt 172.92.103.79s;173pkt 0.99422;172pkt 172.92.177.68s;434pkt 172.92.177.68s;121pkt 1;121pkt 172.92.235.178s;288pkt 172.92.235.178s;817pkt 0.979167;282pkt 214.27.65.181d;433pkt 172.92.237.3s;644pkt 1;433pkt 138.241.81.5d;10918pkt 200.0.199.156s;1421pkt 1;1421pkt 217.143.86.149s;10612pkt 0.698172;7409pkt 217.143.105.108s;40pkt 0.55;22pkt 200.105.21.134s;468pkt 200.105.21.134s;4216pkt 0.854701;400pkt 0.277778;130pkt 0.911053;3841pkt 138.241.82.29d;39791pkt 214.33.123.89s;2677pkt 1;2677pkt 200.106.6.144s;337pkt 1;337pkt 214.10.7.57s;6523pkt 0.357504;2332pkt 214.32.103.52s;38973pkt 0.292331;11393pkt 214.33.123.89s;19753pkt 0.340606;6728pkt 215.87.56.225s;49145pkt 0.362343;14418pkt 138.241.82.29d;80286pkt 0.64502;25666pkt 1;2677pkt 0.996279;38828pkt 0.8374;41154pkt 200.210.110.107d;762pkt 1;762pkt 193.161.95.245d;301pkt 1;301pkt 196.33.144.21d;233pkt 1;233pkt 0.148.16.34d;615pkt 1;615pkt 195.62.35.193d;440pkt 0.672727;296pkt 0.327273;144pkt 147.11.57.207d;576pkt 1;576pkt 219.210.95.170d;432pkt 1;432pkt 220.114.166.93d;729pkt 1;729pkt 112.162.229.170d;443pkt 1;443pkt 200.171.11.44s;1921pkt 200.171.11.44s;2080pkt 0.845914;1625pkt 201.46.151.99s;1595pkt 201.46.151.99s;6481pkt 0.693417;1106pkt 2.162.237.225d;625pkt 201.46.152.181s;994pkt 0.9712;607pkt 150.82.39.231d;290pkt 206.180.237.195s;38pkt 1;38pkt 208.8.4.157s;15426pkt 208.8.4.157s;15426pkt 1;15426pkt 208.29.67.116s;15004pkt 208.29.67.116s;15124pkt 1;15004pkt 210.130.88.214s;14461pkt 210.130.88.214s;14475pkt 1;14461pkt 210.134.229.49s;7972pkt 210.134.229.49s;15527pkt 0.929629;7411pkt 210.140.27.68s;14951pkt 210.140.27.68s;15112pkt 1;14951pkt 210.148.180.121s;15062pkt 210.148.180.121s;15062pkt 1;15062pkt 210.151.137.50s;15347pkt 210.151.137.50s;15347pkt 1;15347pkt 210.162.56.132s;24792pkt 210.162.56.132s;25248pkt 0.999637;24783pkt 210.162.210.213s;15174pkt 210.162.210.213s;15174pkt 1;15174pkt 145.207.233.244d;34145pkt 210.162.226.143s;33034pkt 0.811891;26820pkt 217.105.172.169s;30pkt1;30pkt 145.207.233.244d;32751pkt 0.810265;26537pkt 214.88.148.89s;3940pkt 0.890102;3507pkt 1;32751pkt 150.182.162.168d;866pkt 210.163.128.178s;15559pkt 0.00808314;7pkt 210.174.47.146s;12003pkt 0.0034642;3pkt 69.197.196.223s;1034pkt 0.158199;137pkt 210.163.147.216s;15204pkt 210.163.147.216s;14654pkt 1;14654pkt 210.165.155.70s;7014pkt 210.165.155.70s;7014pkt 1;7014pkt 210.165.157.64s;15553pkt 210.165.157.64s;15553pkt 1;15553pkt 210.166.144.204s;15795pkt 210.166.144.204s;15554pkt 0.993185;15448pkt 210.172.176.240s;14806pkt 210.172.176.240s;14806pkt 1;14806pkt 210.173.153.34s;9378pkt 210.173.153.34s;9378pkt 1;9378pkt 211.84.11.218s;15408pkt 211.84.11.218s;15216pkt 1;15216pkt 211.86.36.247s;7686pkt 211.86.36.247s;7811pkt 1;7686pkt 145.207.236.98d;3318pkt 212.85.231.154s;182pkt 1;182pkt 138.241.81.94d;2465pkt 214.17.167.99s;2310pkt 1;2310pkt 138.241.81.94d;1750pkt 0.905714;1585pkt 0.905714;1585pkt 170.35.248.195d;444pkt 214.77.253.150s;761pkt 0.63964;284pkt 214.82.149.44s;580pkt 0.0045045;2pkt 150.129.128.249d;384pkt 214.163.35.51s;7074pkt 0.0078125;3pkt 217.122.21.18s;7912pkt 0.0078125;3pkt 214.166.45.23s;4558pkt 214.166.45.23s;4816pkt 0.989688;4511pkt 214.168.138.145s;15324pkt 214.168.138.145s;15324pkt 1;15324pkt 172.92.178.12s;11556pkt 3.90.37.163d;4943pkt 1;4943pkt 170.35.135.22s;1735pkt 3.129.22.202d;1037pkt 0.697203;723pkt 3.129.22.250d;1374pkt 0.660844;908pkt 170.35.227.153s;8531pkt 3.148.122.7d;8684pkt 1;8531pkt 130.136.75.97s;1980pkt 69.249.196.108d;1792pkt 1;1792pkt 138.241.80.78d;59719pkt 211.47.159.77s;59670pkt 1;59670pkt 211.47.159.77s;61947pkt 0.993704;59343pkt 138.241.7.197d;655pkt 0.328244;215pkt 138.241.80.78d;60507pkt 0.983623;58741pkt 0.0942857;165pkt 0.99452;59343pkt 0.328244;215pkt 0.984431;58741pkt 0.0942857;165pkt 0.328244;215pkt 1;60507pkt 0.0942857;165pkt 0.328244;215pkt 0.251908;165pkt 0.0942857;165pkt 0.203.211.153s;352pkt 0.0454545;16pkt 3.144.44.64s;273pkt 1;273pkt 217.8.43.208s;13451pkt 145.207.70.155d;6522pkt 1;6522pkt 3.109.163.85s;4198pkt 145.207.154.217d;1901pkt 0.980537;1864pkt 150.82.154.41s;6852pkt 145.207.198.36d;138pkt 0.485507;67pkt 3.144.44.109s;497pkt 150.82.5.203d;453pkt 1;453pkt 0.148.18.225s;4126pkt 150.82.139.9d;1599pkt 1;1599pkt 4.203.92.123s;3830pkt 150.82.147.100d;1498pkt 0.981308;1470pkt 3.144.45.144s;217pkt 150.82.154.83d;237pkt 1;217pkt 217.160.83.27s;461pkt 150.129.72.121d;184pkt 0.0380435;7pkt 145.206.154.101s;364pkt 193.25.135.44d;233pkt 0.781116;182pkt 217.160.83.65s;842pkt 200.160.131.94d;2324pkt 0.909739;766pkt 200.172.97.203s;14707pkt 200.160.182.9d;14593pkt 1;14593pkt 3.144.44.106s;302pkt 201.46.151.1d;152pkt 1;152pkt 172.92.182.22s;946pkt 212.81.120.33d;1351pkt 1;946pkt 193.20.82.59s;293pkt 218.164.84.52d;96pkt 1;96pkt 1.162.57.151s;361pkt 1.162.57.151s;361pkt 1;361pkt 69.241.42.252s;264pkt 69.241.42.252s;264pkt 1;264pkt 87.234.193.219d;367pkt 138.241.119.80s;755pkt 0.959128;352pkt 175.24.221.70s;1152pkt 175.24.221.70s;1281pkt 0.914931;1054pkt 138.241.115.102s;2016pkt 138.241.115.102s;24pkt 1;24pkt 208.34.138.21s;12957pkt 208.34.138.21s;12916pkt 1;12916pkt 210.129.41.31s;15335pkt 210.129.41.31s;14899pkt 1;14899pkt 210.134.33.135s;823pkt 210.134.33.135s;880pkt 1;823pkt 214.94.220.20s;235pkt 214.94.220.20s;215pkt 1;215pkt 214.170.12.56s;10521pkt 214.170.12.56s;15429pkt 1;10521pkt 1.162.0.157s;105pkt 1.162.0.157s;71pkt 1;71pkt 4.8.192.8s;898pkt 4.8.192.8s;796pkt 1;796pkt 69.64.154.78s;505pkt 69.64.154.78s;505pkt 1;505pkt 69.66.136.84s;226pkt 69.66.136.84s;461pkt 1;226pkt 192.202.214.88s;245pkt 192.202.214.88s;229pkt 1;229pkt 210.163.212.210s;489pkt 210.163.212.210s;720pkt 1;489pkt 211.16.195.49s;408pkt 211.16.195.49s;853pkt 1;408pkt 145.207.210.215d;431pkt 214.14.110.134s;278pkt 0.00719424;2pkt 145.207.117.218d;769pkt 0.0327869;8pkt 214.79.224.69s;158pkt 0.00632911;1pkt 145.207.136.32d;375pkt 216.224.72.155s;5289pkt 0.00266667;1pkt

Adding rigor to the comparison of anomaly detector outputs, Fontugne, Borgnat, Abry, Fukuda 10

SLIDE 11

Introduction Problem Proposed method Evaluation Discussion Conclusion

Simple connected components

Two event component

86 small components, mainly Sasser
Gamma-based = red; Hough-based = green

(1) Sasser infected host. (2) Different src.IP and dest.IP.

Adding rigor to the comparison of anomaly detector outputs, Fontugne, Borgnat, Abry, Fukuda 11

SLIDE 12

Introduction Problem Proposed method Evaluation Discussion Conclusion

Large connected components I

Large component with one community

38 components having more than two events
RSync traffic identified by 5 events

Adding rigor to the comparison of anomaly detector outputs, Fontugne, Borgnat, Abry, Fukuda 12

SLIDE 13

Introduction Problem Proposed method Evaluation Discussion Conclusion

Large connected components II

DNS traffic

29 events in which 27 are from the gamma-based detector

Adding rigor to the comparison of anomaly detector outputs, Fontugne, Borgnat, Abry, Fukuda 13

SLIDE 14

Introduction Problem Proposed method Evaluation Discussion Conclusion

Communities in components

Distinct traffics

Network scan on port 3128 and nntp traffic

Adding rigor to the comparison of anomaly detector outputs, Fontugne, Borgnat, Abry, Fukuda 14

SLIDE 15

Introduction Problem Proposed method Evaluation Discussion Conclusion

Communities in components

Same kind of traffic

14 events reporting HTTP traffic

150.82.137.35d;1074pkt 0.203.211.80s;707pkt 0.110325;78pkt 0.203.211.66s;811pkt 0.01109;9pkt 172.92.106.184d;8097pkt 0.0226308;16pkt 138.241.112.153d;4805pkt 0.0325318;23pkt 0.203.211.150s;396pkt 0.0126263;5pkt 0.203.211.150s;208pkt 1;208pkt 0.0126263;5pkt 0.203.211.66s;253pkt 1;253pkt 0.0863132;70pkt 0.0542;44pkt 0.203.211.105s;2294pkt 1;2294pkt 0.203.211.194s;933pkt 1;933pkt 0.203.211.212s;3339pkt 0.99401;3319pkt 172.92.106.184d;5930pkt 0.996627;5910pkt 0.844377;1937pkt 1;3339pkt 0.203.211.153s;352pkt 0.0454545;16pkt 3.144.44.64s;273pkt 1;273pkt

Adding rigor to the comparison of anomaly detector outputs, Fontugne, Borgnat, Abry, Fukuda 15

SLIDE 16

Introduction Problem Proposed method Evaluation Discussion Conclusion

Discussion

Advantages

Uncover relations between classifier outputs
Able to compare outputs of different kinds of classifiers

Applications

Comparing/combining anomaly detectors
Clarifying output of a single detector
Understanding detector sensitivity to parameter tuning

Adding rigor to the comparison of anomaly detector outputs, Fontugne, Borgnat, Abry, Fukuda 16

SLIDE 17

Introduction Problem Proposed method Evaluation Discussion Conclusion

Conclusion and future work

Conclusion

Uncover relations between classifiers outputs
Graph theory
General and rigorous method

Future work

Deeper analysis of the method
Combining anomaly detectors
Labelling MAWI

Adding rigor to the comparison of anomaly detector outputs, Fontugne, Borgnat, Abry, Fukuda 17

SLIDE 18

Introduction Problem Proposed method Evaluation Discussion Conclusion

Thank you!

Questions? romain@nii.ac.jp

Adding rigor to the comparison of anomaly detector outputs, Fontugne, Borgnat, Abry, Fukuda 18

SLIDE 19

Introduction Problem Proposed method Evaluation Discussion Conclusion

[1] Fontugne, R., Borgnat, P., Abry, P., Fukuda, K.: Uncovering relations between traffic classifiers and anomaly detectors via graph theory. TMA (2010) 101–114

Adding rigor to the comparison of anomaly detector outputs, Fontugne, Borgnat, Abry, Fukuda 19

Adding rigor to the comparison of anomaly detector outputs

Romain Fontugne, National Institute of Informatics / SOKENDAI, Tokyo Pierre Borgnat, Physics Lab, CNRS, ENS Lyon Patrice Abry, Physics Lab, CNRS, ENS Lyon Kensuke Fukuda, National Institute of Informatics / PRESTO JST, Tokyo April 25, 2010

Motivation

Anomaly detection in backbone traffic

gamma law [LSAD 07], association rule [IMC 09]...

Similar problems arise in traffic classification

Goal

Long term goal: Provide common “ground truth data”

Goal of this work: Find relations between outputs of different classifiers

Problem statement: Eventx=Eventy??

Event (= anomaly detector’s alarm)

Set of traffic feature containing at least 2 timestamps and one traffic feature. i.e. one flow, one IP address, a set of flows, a set of packets...

Main difficulties

Proposed method

Approach

Identify similar events by using community mining on graph

Overview

components

Oracle

Uncover relations between original traffic and events

Graph generator

Build a non-directed weighted graph from the Oracle output

|E1 ∩ E2|/ min(|E1|, |E2|), Ei: packets matching event i

Community mining

Identify community (= dense component) in the graph

Data and anomaly detectors

Data set

Anomaly detectors

Report source or destination IP

Report set of packets

Results

Graph

Simple connected components

Two event component

(1) Sasser infected host. (2) Different src.IP and dest.IP.

Large connected components I

Large component with one community

Large connected components II

DNS traffic

29 events in which 27 are from the gamma-based detector

Communities in components

Distinct traffics

Network scan on port 3128 and nntp traffic

Communities in components

Same kind of traffic

14 events reporting HTTP traffic

Discussion

Advantages

Applications

Conclusion and future work

Conclusion

Future work

Thank you!

Questions? romain@nii.ac.jp

[1] Fontugne, R., Borgnat, P., Abry, P., Fukuda, K.: Uncovering relations between traffic classifiers and anomaly detectors via graph theory. TMA (2010) 101–114