adding rigor to the comparison of anomaly detector outputs
play

Adding rigor to the comparison of anomaly detector outputs Romain - PowerPoint PPT Presentation

Feb 20, 2023 •117 likes •323 views

Introduction Problem Proposed method Evaluation Discussion Conclusion Adding rigor to the comparison of anomaly detector outputs Romain Fontugne , National Institute of Informatics / SOKENDAI, Tokyo Pierre Borgnat , Physics Lab, CNRS, ENS

  1. Introduction Problem Proposed method Evaluation Discussion Conclusion Adding rigor to the comparison of anomaly detector outputs Romain Fontugne , National Institute of Informatics / SOKENDAI, Tokyo Pierre Borgnat , Physics Lab, CNRS, ENS Lyon Patrice Abry , Physics Lab, CNRS, ENS Lyon Kensuke Fukuda , National Institute of Informatics / PRESTO JST, Tokyo April 25, 2010 Adding rigor to the comparison of anomaly detector outputs, Fontugne, Borgnat, Abry, Fukuda 1

  2. Introduction Problem Proposed method Evaluation Discussion Conclusion Motivation Anomaly detection in backbone traffic • Active research domain • Wavelet [IMC 02], PCA [SIGCOMM 05, SIGMETRICS 07], gamma law [LSAD 07], association rule [IMC 09]... • Tricky evaluation, lack of common ground truth: • Manual inspection • Synthetic traffic • Comparison with other methods Similar problems arise in traffic classification Adding rigor to the comparison of anomaly detector outputs, Fontugne, Borgnat, Abry, Fukuda 2

  3. Introduction Problem Proposed method Evaluation Discussion Conclusion Goal Long term goal: Provide common “ground truth data” • Labeling MAWI archive • Combining several anomaly detector results • Ground truth relative to the state of the art Goal of this work: Find relations between outputs of different classifiers Adding rigor to the comparison of anomaly detector outputs, Fontugne, Borgnat, Abry, Fukuda 3

  4. Introduction Problem Proposed method Evaluation Discussion Conclusion Problem statement: Eventx=Eventy?? Event (= anomaly detector’s alarm) Set of traffic feature containing at least 2 timestamps and one traffic feature. i.e. one flow, one IP address, a set of flows, a set of packets... Main difficulties • Different granularities: Event1=Event2?=Event3? • Overlapping: Event4=Event5? • Different points of view: Event1=Event6? Adding rigor to the comparison of anomaly detector outputs, Fontugne, Borgnat, Abry, Fukuda 4

  5. Introduction Problem Proposed method Evaluation Discussion Conclusion Proposed method Approach Identify similar events by using community mining on graph Overview • Oracle: Uncover relations between traffic and events • Graph gen.: Represent events and their relations in a graph • Community Mining: Find similar events by looking at dense components Adding rigor to the comparison of anomaly detector outputs, Fontugne, Borgnat, Abry, Fukuda 5

  6. Introduction Problem Proposed method Evaluation Discussion Conclusion Oracle Uncover relations between original traffic and events • List the events that match each packet of the original traffic • i.e. pkt1: { IP 1 : 80 → IP 2 : 12345 } = Event1: { srcIP = IP 1 } Adding rigor to the comparison of anomaly detector outputs, Fontugne, Borgnat, Abry, Fukuda 6

  7. Introduction Problem Proposed method Evaluation Discussion Conclusion Graph generator Build a non-directed weighted graph from the Oracle output • Nodes are events and edges are shared packets • Weight on each edge: similarity measure, Simpson index, | E 1 ∩ E 2 | / min( | E 1 | , | E 2 | ), E i : packets matching event i Adding rigor to the comparison of anomaly detector outputs, Fontugne, Borgnat, Abry, Fukuda 7

  8. Introduction Problem Proposed method Evaluation Discussion Conclusion Community mining Identify community (= dense component) in the graph • Louvain algorithm 1 : based on Modularity 2 • Take into account node connectivity and edge weight 1Blondel et al.: Fast unfolding of communities in large networks. J.STAT.MECH. (2008) 2Newman, Girvan: Finding and evaluating community structure in networks. Phys. Rev.E (Feb 2004) Adding rigor to the comparison of anomaly detector outputs, Fontugne, Borgnat, Abry, Fukuda 8

  9. Introduction Problem Proposed method Evaluation Discussion Conclusion Data and anomaly detectors Data set • MAWI archive (trans-Pacific link) • During the outbreak of the Sasser worm (08/2004) Anomaly detectors • Sketches and multiresolution gamma modeling 3 Report source or destination IP • Image processing: Hough transform 4 Report set of packets 3Dewaele, G., Fukuda, K., Borgnat, P., Abry, P., Cho, K.: Extracting hidden anomalies using sketch and non gaussian multiresolution statistical detection procedures. SIGCOMM LSAD 07 4Fontugne, R., Himura, Y., Fukuda, K.: Evaluation of anomaly detection method based on pattern recognition. IEICE Trans. on Commun. E93-B(2) (February 2010) Adding rigor to the comparison of anomaly detector outputs, Fontugne, Borgnat, Abry, Fukuda 9

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Principles Seven Principles Rigor and Formality Rigor and Formality Rigor is the

Principles Seven Principles Rigor and Formality Rigor and Formality Rigor is the

Principles to Methodologies Software Engineering Methodologies Principles Tools Methods and techniques Principles Seven Principles Rigor and Formality Rigor and Formality Rigor is the tightness of the definition, design,

329 views • 3 slides
What Does Rigor Look Like? A New Lens for Examining Cognitive Rigor in Assessments &

What Does Rigor Look Like? A New Lens for Examining Cognitive Rigor in Assessments &

What Does Rigor Look Like? A New Lens for Examining Cognitive Rigor in Assessments & Curriculum National Conference on Student Assessm ent Sponsored by the Council of Chief State School Officers Detroit, MI , June 2 0 -2 3 , 2 0 1 0

356 views • 16 slides
CLIC detector requirements and technologies first comparison with the pp case Lucie Linssen,

CLIC detector requirements and technologies first comparison with the pp case Lucie Linssen,

CLIC detector requirements and technologies first comparison with the pp case Lucie Linssen, CERN on behalf of the CLIC detector and physics study (CLICdp) Lucie Linssen, FHC meeting, 27/1/2014 1 contents Contents: CLIC detector

431 views • 39 slides
What We Learned By Using the Rigor Metric Emily S. Patterson, PhD (and numerous colleagues)

What We Learned By Using the Rigor Metric Emily S. Patterson, PhD (and numerous colleagues)

What We Learned By Using the Rigor Metric Emily S. Patterson, PhD (and numerous colleagues) Need for Analytic Rigor: Avoid Surprise August 7, 1998 Bombings of US Embassies in Africa 224 killed, including 12 US personnel Need for Rigor

471 views • 24 slides
Comparison of Comparison of Several Anomaly Detection Methods on Several Anomaly Detection

Comparison of Comparison of Several Anomaly Detection Methods on Several Anomaly Detection

The Fifth Japan-Taiwan International Workshop The Fifth Japan-Taiwan International Workshop on Hydrological and Geochemical Research for Earthquake Prediction on Hydrological and Geochemical Research for Earthquake Prediction Comparison of

775 views • 38 slides
ANOMALY DETECTOR FOR CYBER-PHYSICAL INDUSTRIAL SYSTEMS ANNA GUINET TELECOM SUDPARIS FRANCE

ANOMALY DETECTOR FOR CYBER-PHYSICAL INDUSTRIAL SYSTEMS ANNA GUINET TELECOM SUDPARIS FRANCE

ANOMALY DETECTOR FOR CYBER-PHYSICAL INDUSTRIAL SYSTEMS ANNA GUINET TELECOM SUDPARIS FRANCE iCIS 9 th November 2018 Radboud University CONTENTS 1. PRESENTATION 2. CYBER-PHYSICAL SYSTEMS 2.1 Presentation 2.2 Networked control systems

658 views • 38 slides
in their ability to define it (p. 269). How do you know academic rigor when you see it?

in their ability to define it (p. 269). How do you know academic rigor when you see it?

Poll Everywhere Draeger, Hill, Hunter, and Mahler (2013) reported everyone seemed to believe that they know it [rigor] when they see it, but few felt confident in their ability to define it (p. 269). How do you know academic rigor

281 views • 27 slides
Co-producing the future Tony Bovaird INLOGOV TSRC Governance International November 2014 1

Co-producing the future Tony Bovaird INLOGOV TSRC Governance International November 2014 1

Co-producing the future Tony Bovaird INLOGOV TSRC Governance International November 2014 1 Private and third sector market outputs Public sector outputs Whose Informal economy outputs activities are adding value for our Formal

744 views • 30 slides
Upping the Rigor Vertically aligning the curriculum from ESL to ASE Why rigor? In

Upping the Rigor Vertically aligning the curriculum from ESL to ASE Why rigor? In

Upping the Rigor Vertically aligning the curriculum from ESL to ASE Why rigor? In the next decade... US Jobs: 63 percent will require postsecondary education. NEW, US Jobs: 90 percent in growing industries will

315 views • 29 slides
Has our school forged a common 2. How does it transition from middle to high school vision of

Has our school forged a common 2. How does it transition from middle to high school vision of

Leading for Rigor, Relevancy and Literacy ODE Summer Conference 2007 Leading for Rigor, Relevance Essential Skill: and Literacy Instructional Leadership 1. Reflect on your schools vision for instruction 2. Introduction to rigor and

516 views • 19 slides
What is an anomaly? Alastair Rushworth Data Scientist DataCamp Anomaly Detection in R Defining

What is an anomaly? Alastair Rushworth Data Scientist DataCamp Anomaly Detection in R Defining

DataCamp Anomaly Detection in R ANOMALY DETECTION IN R What is an anomaly? Alastair Rushworth Data Scientist DataCamp Anomaly Detection in R Defining the term anomaly Anomaly: a data point or collection of data points that do not follow the

870 views • 21 slides
Anomaly Detection of Trajectories Junier B. Oliva Anomaly Detection An anomaly (or outlier)

Anomaly Detection of Trajectories Junier B. Oliva Anomaly Detection An anomaly (or outlier)

Anomaly Detection of Trajectories Junier B. Oliva Anomaly Detection An anomaly (or outlier) in a dataset is an instance that is abnormal or unlikely based on the rest of the dataset If the instances in the dataset are labeled as

760 views • 19 slides
Contents 1 Causal Inference and Predictive Comparison 2 1.1 How Predictive Comparison Can

Contents 1 Causal Inference and Predictive Comparison 2 1.1 How Predictive Comparison Can

Causal Inference in Observational Studies Contents 1 Causal Inference and Predictive Comparison 2 1.1 How Predictive Comparison Can Mislead . . . . . . . . . . . . . 2 1.2 Adding Predictors as a Solution . . . . . . . . . . . . . . . . . .

274 views • 14 slides
Session Outcomes Participants will: Explore the meaning of rigor in mathematics. Discuss

Session Outcomes Participants will: Explore the meaning of rigor in mathematics. Discuss

Ensuring Rigor in First-Year Mathematics Courses Connie Richardson, Manager, Higher Education Course Programs Joan Zoellner, Course Program Specialist December 7, 2018 Session Outcomes Participants will: Explore the meaning of rigor in

920 views • 46 slides
Ensuring Rigor in First-Year Mathematics Courses Joan Zoellner, Course Program Specialist March

Ensuring Rigor in First-Year Mathematics Courses Joan Zoellner, Course Program Specialist March

Ensuring Rigor in First-Year Mathematics Courses Joan Zoellner, Course Program Specialist March 21, 2019 Outcomes Participants will: Explore the meaning of rigor in mathematics. Discuss ways to promote rigor in the first year

319 views • 31 slides
Anomaly Detection Algorithms for Malware Traffic Analysis using Tamper Resistant Features Dr.

Anomaly Detection Algorithms for Malware Traffic Analysis using Tamper Resistant Features Dr.

Anomaly Detection Algorithms for Malware Traffic Analysis using Tamper Resistant Features Dr. Patrick McDaniel Berkay Celik Fall 2015 Introduction Motivation Related Work Data Approach Experimental Results Comparison

391 views • 25 slides
QoS, CoS, BE Markus Peuhkuri 2002-09-12 Lecture topics Course organisation Why QoS Terms

QoS, CoS, BE Markus Peuhkuri 2002-09-12 Lecture topics Course organisation Why QoS Terms

QoS, CoS, BE Markus Peuhkuri 2002-09-12 Lecture topics Course organisation Why QoS Terms related to Quality of Service Chapters from book: Chapter 1: The Big Picture Course

338 views • 9 slides
DPICO: A High-S peed Deep Packet Inspect ion Engine Using Compact Finit e Aut omat a Chris

DPICO: A High-S peed Deep Packet Inspect ion Engine Using Compact Finit e Aut omat a Chris

DPICO: A High-S peed Deep Packet Inspect ion Engine Using Compact Finit e Aut omat a Chris Hayes Rensselaer Polytechnic Inst itute (formerly UMAS S Lowell) Yan Luo University of Massachusetts Lowell Agenda Baseline Design Design

535 views • 20 slides
Routing and Transport in Wireless Sensor Networks Ibrahim Matta (matta@bu.edu) Niky Riga

Routing and Transport in Wireless Sensor Networks Ibrahim Matta (matta@bu.edu) Niky Riga

10/21/2003 Routing and Transport in Wireless Sensor Networks Ibrahim Matta (matta@bu.edu) Niky Riga (inki@bu.edu) Georgios Smaragdakis (gsmaragd@bu.edu) Wei Li (wli@bu.edu) Vijay Erramilli (evijay@bu.edu) References Adaptive Protocols

633 views • 23 slides
Counterattack Turning the tables on exploitation attempts from tools like Metasploit whoami

Counterattack Turning the tables on exploitation attempts from tools like Metasploit whoami

Counterattack Turning the tables on exploitation attempts from tools like Metasploit whoami scriptjunkie Security research Metasploit contributor whoami wrote this thing whoami I work here Disclaimer This

1.02k views • 76 slides
The News Reading Source Code, 1 of 5 #! /usr/bin/perl -w use strict; use Net::NNTP; $| = 1; my

The News Reading Source Code, 1 of 5 #! /usr/bin/perl -w use strict; use Net::NNTP; $| = 1; my

The News Reading Source Code, 1 of 5 #! /usr/bin/perl -w use strict; use Net::NNTP; $| = 1; my $the_server = shift; my $userid = shift; my $passwd = shift; my $server = Net::NNTP->new( $the_server ) or die "nws: Cant connect to

631 views • 21 slides
Todd Warren CS 394 Spring 2011 Team structure at Microsoft Product Complexity and

Todd Warren CS 394 Spring 2011 Team structure at Microsoft Product Complexity and

Todd Warren CS 394 Spring 2011 Team structure at Microsoft Product Complexity and Scheduling Quality and software testing Knowing when to ship 3x Programming Program System 3x 9x Programming Programming System Product

884 views • 40 slides
Web Systems & Technologies: An Introduction Prof. Ing. Andrea Omicini Ingegneria Due,

Web Systems & Technologies: An Introduction Prof. Ing. Andrea Omicini Ingegneria Due,

Web Systems & Technologies: An Introduction Prof. Ing. Andrea Omicini Ingegneria Due, Universit di Bologna a Cesena andrea.omicini@unibo.it 2005-2006 Web Systems Architecture Basic architecture information is structured as ipertext

560 views • 20 slides
Collecting and Analysing Traffic Profiles within a Commercial Network Prof. D. J. Parish P.

Collecting and Analysing Traffic Profiles within a Commercial Network Prof. D. J. Parish P.

Collecting and Analysing Traffic Profiles within a Commercial Network Prof. D. J. Parish P. Sandford High Speed Networks Group Loughborough University Presentation Summary Overview of the Detecting and Preventing Criminal Activities on

346 views • 32 slides

More recommend