anomaly detection based on simplicity theory
play

Anomaly Detection Based on Simplicity Theory Giacomo Casoni Mar - PowerPoint PPT Presentation

Sep 10, 2023 •138 likes •795 views

Anomaly Detection Based on Simplicity Theory Giacomo Casoni Mar Badias Sim Research Project 1 - #43 Supervisor: Giovanni Sileno Lecturer: Cees de Laat TABLE OF 01 INTRODUCTION Basic concepts and Research CONTENTS questions 02 THEORY

  1. Anomaly Detection Based on Simplicity Theory Giacomo Casoni Mar Badias Simó Research Project 1 - #43 Supervisor: Giovanni Sileno Lecturer: Cees de Laat

  2. TABLE OF 01 INTRODUCTION Basic concepts and Research CONTENTS questions 02 THEORY TO PRACTICE Set a context and quantify complexities 03 THE DATA Dataset treatment and feature definition 04 IMPLEMENTATION 05 RESULTS AND CONCLUSIONS 2

  3. 01 INTRODUCTION TABLE OF Basic concepts and CONTENTS Research questions 02 THEORY TO PRACTICE Set a context and quantify complexities 03 THE DATA Dataset treatment and feature definition 04 IMPLEMENTATION 05 RESULTS AND CONCLUSIONS 3

  4. Simplicity Theory Calculates unexpectedness of a situation U(s) ● Cognitive probability in terms of complexity and simplicity, rather than standard mathematical, set-based, terms. 4

  5. Simplicity Theory Calculates unexpectedness of a situation U(s) ● Cognitive probability in terms of complexity and simplicity, rather than standard mathematical, set-based, terms. Generation complexity C w (s) ● Description complexity ● C d (s) 5

  6. Simplicity Theory Calculates unexpectedness of a situation U(s) ● Cognitive probability in terms of complexity and simplicity, rather than standard mathematical, set-based, terms. Generation complexity C w (s) ● Description complexity ● C d (s) U(s) = C w (s) - C d (s) 6

  7. Simplicity Theory An example ● Fair lottery draw: 1-2-3-4-5-6 ● Same chances than any other combination ● Odd from a human point of view 7

  8. Simplicity Theory An example ● Fair lottery draw: 1-2-3-4-5-6 ● Same chances than any other combination ● Odd from a human point of view ● Same generation cost of other combinations ● Low description cost ("1 to 6") ● Therefore: U(s) = C w (s) - C d (s) 8

  9. Simplicity Theory A situation is unexpected, in the eyes of an observer, when it is hard to generate (high C w (s)) and/or easy to describe (low C d (s)). 9

  10. Anomaly Detection Anomaly detection systems model the normal behavior of a target system and report abnormal activities, which are analyzed as a possible intrusions. 10

  11. Research Questions 1. How can an anomaly detection tool based on Simplicity Theory be designed and implemented? 2. How effective said tool can be in detecting anomalies in network logs in a system? 11

  12. TABLE OF 01 INTRODUCTION Basic concepts and Research CONTENTS questions 02 THEORY TO PRACTICE Set a context and quantify complexities 03 THE DATA Dataset treatment and feature definition 04 IMPLEMENTATION 05 RESULTS AND CONCLUSIONS 12

  13. Putting it Into Practice U(s) = C w (s) - C d (s) 13

  14. Putting it Into Practice U(s) = C w (s) - C d (s) QUANTIFY COMPLEXITIES How can generation and description complexity be quantified? The quantification needs to be representative and comparable . 14

  15. Putting it Into Practice U(s) = C w (s) - C d (s) SET A CONTEXT Simplicity Theory allows for observer point-of-view bias . Different observer might have different concepts of “abnormal”. 15

  16. Set a Context (1) Define object prototypes. Prototypes, in the conceptual space, are used as baseline to compute generation and description complexity of a given state. Defined in n dimensions, where n is the number of features 16

  17. Set a Context (2) In our case, one of the categorical features... 17

  18. Set a Context (2) In our case, one of the categorical features... ● Source IP: monitor an IP address traffic for abnormal behaviours. (Compromised machine) 18

  19. Set a Context (2) In our case, one of the categorical features... ● Source IP: monitor an IP address traffic for abnormal behaviours. (Compromised machine) Destinatination IP: monitor for unusual traffic to a specific machine. (Server under attack) ● 19

  20. Set a Context (2) In our case, one of the categorical features... ● Source IP: monitor an IP address traffic for abnormal behaviours. (Compromised machine) Destinatination IP: monitor for unusual traffic to a specific machine. (Server under attack) ● ● Protocol: monitor for abnormal protocol-specific traffic. (Specific attacks) 20

  21. Set a Context (2) In our case, one of the categorical features... ● Source IP: monitor an IP address traffic for abnormal behaviours. (Compromised machine) Destinatination IP: monitor for unusual traffic to a specific machine. (Server under attack) ● ● Protocol: monitor for abnormal protocol-specific traffic. (Specific attacks) ...however not necessary ● Combination of categorical features K-Prototypes ● ● No prototypes (aka one prototype) 21

  22. Set a Context (3) Object prototypes TCP DNS Dst. IP Length Dst. IP Dimensions Length Source IP Info 96 104 Feature prototypes 192.168.0.1 192.168.0.2 192.168.0.3 22

  23. Quantifying Complexities - Generation (1) 23

  24. Quantifying Complexities - Generation (1) ” The length of the shortest program that a given environment must execute to achieve a given state ” 24

  25. Quantifying Complexities - Generation (1) ” The length of the shortest program that a given environment must execute to achieve a given state ” Real-life events are often NOT like fair lottery, some events are more likely to happen than others ... 25

  26. Quantifying Complexities - Generation (1) ” The length of the shortest program that a given environment must execute to achieve a given state ” Real-life events are often NOT like fair lottery, some events are more likely to happen than others ... … a ranking of most frequently occurring feature prototypes has to be created. 26

  27. Quantifying Complexities - Generation (2) CODE COMPLEXITY 1st 0 2nd 0 1 3rd 1 1 4th 00 2 5th 01 2 6th 10 2 7th 11 2 8th 000 3 9th 001 3 27

  28. Quantifying Complexities - Generation (2) CODE COMPLEXITY 192.168.0.1 0 192.168.0.2 0 1 192.168.0.3 1 1 192.168.0.4 00 2 192.168.0.5 01 2 192.168.0.6 10 2 192.168.0.7 11 2 192.168.0.8 000 3 192.168.0.9 001 3 28

  29. Quantifying Complexities - Generation (2) CODE COMPLEXITY 1st 0 1 192.168.0.1 0 192.168.0.2 0 1 2nd 3rd 192.168.0.3 1 1 1 0 192.168.0.4 00 2 192.168.0.5 01 2 4th 5th … … … 0 1 192.168.0.6 10 2 192.168.0.7 11 2 8th 9th 192.168.0.8 000 3 192.168.0.9 001 3 29

  30. Quantifying Complexities - Description (1) 30

  31. Quantifying Complexities - Description (1) ”The shortest possible description of a state that an observer can produce to discriminate it without ambiguity” 31

  32. Quantifying Complexities - Description (1) ”The shortest possible description of a state that an observer can produce to discriminate it without ambiguity” It could be the same as the generation complexity... 32

  33. Quantifying Complexities - Description (1) ”The shortest possible description of a state that an observer can produce to discriminate it without ambiguity” It could be the same as the generation complexity... … but an observer can also use its own memory to achieve simpler descriptions. 33

  34. Quantifying Complexities - Description (1) ”The shortest possible description of a state that an observer can produce to discriminate it without ambiguity” It could be the same as the generation complexity... … but an observer can also use its own memory to achieve simpler descriptions. The cheapest option is chosen. 34

  35. Quantifying Complexities - Description (2) MOVES COMPLEXITY At observation time N, the stack pointer N-1 0 1 is here. N-2 1 1 N-3 2 (10) 2 N-4 3 (11) 2 N-5 4 (100) 3 N-6 5 (101) 3 N-7 6 (110) 3 N-8 7 (111) 3 N-9 8 (1000) 4 35

  36. Quantifying Complexities - Numerical (1) PROBLEM! Previous methods work for categorical feature prototypes. Numerical feature prototypes cannot be ranked. 36

  37. Quantifying Complexities - Numerical (1) PROBLEM! Previous methods work for categorical feature prototypes. Numerical feature prototypes cannot be ranked. Idea: numerical feature prototypes could be transformed into categorical ones. 37

  38. Quantifying Complexities - Numerical (2) SOLUTION - Binary Tree Compute mean and standard deviation over all the possible feature prototypes. Describe a feature prototype as being n * (m 𝝉 ) away from the mean. Populate the tree with m 𝝉 intervals, starting from the closest to the mean. 38

  39. Quantifying Complexities - Numerical (3) Mean -m 𝝉 +m 𝝉 -2m 𝝉 +2m 𝝉 -3m 𝝉 +3m 𝝉 -4m 𝝉 +4m 𝝉 000 01 00 0 1 10 11 111 CODES 3 2 2 1 0 0 1 2 2 3 COMPLEXITIES 39

  40. Quantifying Complexities - Numerical (4) 0 𝝉 0 1 -m 𝝉 +m 𝝉 1 0 -2m 𝝉 -3m 𝝉 … … … 0 1 -5m 𝝉 -6m 𝝉 40

  41. Quantifying Complexities - Numerical (5) SOLUTION - Memory Stack Compute mean and standard deviation over all the possible feature prototypes. Describe an observation as being n * (m 𝝉 ) away from a previous observation. Complexity is given by the depth of the previous observation and its distance from the current observation. 41

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Anomaly Detection of Trajectories Junier B. Oliva Anomaly Detection An anomaly (or outlier)

Anomaly Detection of Trajectories Junier B. Oliva Anomaly Detection An anomaly (or outlier)

Anomaly Detection of Trajectories Junier B. Oliva Anomaly Detection An anomaly (or outlier) in a dataset is an instance that is abnormal or unlikely based on the rest of the dataset If the instances in the dataset are labeled as

760 views • 19 slides
Detecting Attacks Anomaly-based Detection Signature-based Signature-based (Misuse)

Detecting Attacks Anomaly-based Detection Signature-based Signature-based (Misuse)

Detecting Attacks Anomaly-based Detection Signature-based Signature-based (Misuse) Detection Intrusion Detection Host-based Network-based Boriana Ditcheva and Lisa Fowler Active/Passive University of North Carolina at

401 views • 12 slides
In Incorporating Feedback in into Tree-based Anomaly Detection Shubhomoy Das, Weng-Keen Wong,

In Incorporating Feedback in into Tree-based Anomaly Detection Shubhomoy Das, Weng-Keen Wong,

In Incorporating Feedback in into Tree-based Anomaly Detection Shubhomoy Das, Weng-Keen Wong, Alan Fern, Thomas G. Dietterich and Md Amran Siddiqui School of EECS Anomaly Detection Goal: Identify rare or strange objects 2 Anomaly

756 views • 51 slides
Anomaly Based Network Intrusion Detection with Unsupervised Outlier Detection Jiong Zhang and

Anomaly Based Network Intrusion Detection with Unsupervised Outlier Detection Jiong Zhang and

Anomaly Based Network Intrusion Detection with Unsupervised Outlier Detection Jiong Zhang and Mohammad Zulkernine School of Computing Queens University, Kingston Ontario, Canada K7L 3N6 {zhang, mzulker} @cs.queensu.ca Abstract- Anomaly

284 views • 6 slides
An Empirical Evaluation of Entropy- based Traffic Anomaly Detection George Nychis, Vyas Sekar,

An Empirical Evaluation of Entropy- based Traffic Anomaly Detection George Nychis, Vyas Sekar,

An Empirical Evaluation of Entropy- based Traffic Anomaly Detection George Nychis, Vyas Sekar, David Andersen, Hyong Kim, Hui Zhang Carnegie Mellon University Entropy-based Anomaly Detection Goal: detect abnormal behavior scan activity,

447 views • 34 slides
What is an anomaly? Alastair Rushworth Data Scientist DataCamp Anomaly Detection in R Defining

What is an anomaly? Alastair Rushworth Data Scientist DataCamp Anomaly Detection in R Defining

DataCamp Anomaly Detection in R ANOMALY DETECTION IN R What is an anomaly? Alastair Rushworth Data Scientist DataCamp Anomaly Detection in R Defining the term anomaly Anomaly: a data point or collection of data points that do not follow the

870 views • 21 slides
Anomaly Detection Jia-Bin Huang Virginia Tech Spring 2019 ECE-5424G / CS-5824 Administrative

Anomaly Detection Jia-Bin Huang Virginia Tech Spring 2019 ECE-5424G / CS-5824 Administrative

Anomaly Detection Jia-Bin Huang Virginia Tech Spring 2019 ECE-5424G / CS-5824 Administrative Anomaly Detection Motivation Developing an anomaly detection system Anomaly detection vs. supervised learning Choosing what features

514 views • 34 slides
Data Mining II Anomaly Detection Heiko Paulheim Anomaly Detection Also known as Outlier

Data Mining II Anomaly Detection Heiko Paulheim Anomaly Detection Also known as Outlier

Data Mining II Anomaly Detection Heiko Paulheim Anomaly Detection Also known as Outlier Detection Automatically identify data points that are somehow different from the rest Working assumption: There are considerably

905 views • 74 slides
Data Mining II Anomaly Detection Heiko Paulheim Anomaly Detection Also known as Outlier

Data Mining II Anomaly Detection Heiko Paulheim Anomaly Detection Also known as Outlier

Data Mining II Anomaly Detection Heiko Paulheim Anomaly Detection Also known as Outlier Detection Automatically identify data points that are somehow different from the rest Working assumption: There are considerably

984 views • 72 slides
ACCT 420: Topic modeling and anomaly detection Session 8 Dr. Richard M. Crowley 1 Front matter

ACCT 420: Topic modeling and anomaly detection Session 8 Dr. Richard M. Crowley 1 Front matter

ACCT 420: Topic modeling and anomaly detection Session 8 Dr. Richard M. Crowley 1 Front matter 2 . 1 Learning objectives Theory: NLP Anomaly detection Application: Understand annual report readability Examine the

1.12k views • 85 slides
Anomaly-based Bot Server (and more!) Detection Jim Binkley jrb@cs.pdx.edu Portland State

Anomaly-based Bot Server (and more!) Detection Jim Binkley jrb@cs.pdx.edu Portland State

Anomaly-based Bot Server (and more!) Detection Jim Binkley jrb@cs.pdx.edu Portland State University Computer Science outline background experimental flow tuples botnet server mesh detection botnet client mesh detection

364 views • 23 slides
ACCT 420: Topic modeling and anomaly detection Session 9 Dr. Richard M. Crowley 1 Front matter

ACCT 420: Topic modeling and anomaly detection Session 9 Dr. Richard M. Crowley 1 Front matter

ACCT 420: Topic modeling and anomaly detection Session 9 Dr. Richard M. Crowley 1 Front matter 2 . 1 Learning objectives Theory: NLP Anomaly detection Application: Understand the distribution of readability Examine

1.31k views • 82 slides
PANACEA: AUTOMATING ATTACK CLASSIFICATION FOR ANOMALY-BASED NETWORK INTRUSION DETECTION SYSTEMS

PANACEA: AUTOMATING ATTACK CLASSIFICATION FOR ANOMALY-BASED NETWORK INTRUSION DETECTION SYSTEMS

PANACEA: AUTOMATING ATTACK CLASSIFICATION FOR ANOMALY-BASED NETWORK INTRUSION DETECTION SYSTEMS DAMIANO BOLZONI, SANDRO ETALLE AND PIETER HARTEL DISTRIBUTED AND EMBEDDED SECURITY GROUP TWENTE SECURITY LAB 10+ YEARS OF RESEARCH OVER ANOMALY

160 views • 14 slides
Learning Rules for Anomaly Detection (LERAD) of Hostile Network Traffic Matt Mahoney Overview

Learning Rules for Anomaly Detection (LERAD) of Hostile Network Traffic Matt Mahoney Overview

Learning Rules for Anomaly Detection (LERAD) of Hostile Network Traffic Matt Mahoney Overview Prior Work in Network Anomaly Detection The 1999 DARPA Intrusion Detection Evaluation Packet Header Anomaly Detection (PHAD) Application

575 views • 18 slides
<Title> Yiqun Hu, SP Group Agenda Condition monitoring & anomaly detection

<Title> Yiqun Hu, SP Group Agenda Condition monitoring & anomaly detection

Data Council Singapre 2019 Autoencoder Forest for Anomaly Detection from IoT Time Series <Title> Yiqun Hu, SP Group Agenda Condition monitoring & anomaly detection Autoencoder for anomaly detection Autoencoder

540 views • 27 slides
Dataflow Anomaly Detection Presented By Archana Viswanath Computer Science and Engineering The

Dataflow Anomaly Detection Presented By Archana Viswanath Computer Science and Engineering The

Dataflow Anomaly Detection Presented By Archana Viswanath Computer Science and Engineering The Pennsylvania State University Anomaly Intrusion Detection Systems Anomaly Intrusion Detection Systems Model normal behavior. Attack - Any

417 views • 20 slides
STEPHEN GREY DRAFT OF OPENING REMARKS CHECK VS DELIVERY 1 Ladies and Gentleman, I am

STEPHEN GREY DRAFT OF OPENING REMARKS CHECK VS DELIVERY 1 Ladies and Gentleman, I am

STEPHEN GREY DRAFT OF OPENING REMARKS CHECK VS DELIVERY 1 Ladies and Gentleman, I am honored to be invited to speak to the European Parliament, though saddened that due to my governments intentions I may not be able to return

347 views • 8 slides
SMURF Serial MUsic Represented as Functions Van Bui Richard Townsend Lianne Lairmore Kuangya

SMURF Serial MUsic Represented as Functions Van Bui Richard Townsend Lianne Lairmore Kuangya

SMURF Serial MUsic Represented as Functions Van Bui Richard Townsend Lianne Lairmore Kuangya Zhai Lindsay Neubauer Overview Functional Language Generates Serialist compositions Syntax and semantics loosely based on Haskell

189 views • 6 slides
EXECUTIVE SUMMARY Multiplatform release of a movie-based game with the Smurfs license, based on

EXECUTIVE SUMMARY Multiplatform release of a movie-based game with the Smurfs license, based on

EXECUTIVE SUMMARY Multiplatform release of a movie-based game with the Smurfs license, based on and timed with the Smurfs 2 Movie (Sony Pictures Entertainment) THE GAME 2011 G AME TITLE === The Smurfs 2 G ENRE ====== 2D Platformer 189K Units P

728 views • 30 slides
Presentation Presentation Piteraq Piteraq A new line of eco bio make up that has the power of

Presentation Presentation Piteraq Piteraq A new line of eco bio make up that has the power of

Presentation Presentation Piteraq Piteraq A new line of eco bio make up that has the power of nature. A Made in Italy brand that offers a complete range of vegan make up cosmetics and vegan brushes products, created to satisfy the beauty

857 views • 19 slides
IPv6 Security Issues and Challenges Dr. Omar A. Abouabdalla (omar@ipv6global.my) Head Technology

IPv6 Security Issues and Challenges Dr. Omar A. Abouabdalla (omar@ipv6global.my) Head Technology

Ministry of Science, People First, Performance Now Technology and Innovation IPv6 Security Issues and Challenges Dr. Omar A. Abouabdalla (omar@ipv6global.my) Head Technology Consultant Head Technology Consultant IPv6 Global Sdn Bhd 7

622 views • 30 slides
A Machine Learning Approach for Detecting Distributed Denial of Service Attacks Tanaphon Roempluk

A Machine Learning Approach for Detecting Distributed Denial of Service Attacks Tanaphon Roempluk

A Machine Learning Approach for Detecting Distributed Denial of Service Attacks Tanaphon Roempluk Master's degree studying Majoring in Information technology Faculty of informatics, Mahasarakham University The 4th International Conference on

207 views • 17 slides
Investor Presentation July 2017 ASX:MMI 1 Executive Summary Metro is rapidly advancing its

Investor Presentation July 2017 ASX:MMI 1 Executive Summary Metro is rapidly advancing its

Investor Presentation July 2017 ASX:MMI 1 Executive Summary Metro is rapidly advancing its compelling Bauxite Hills Mine towards production in early 2018 1 Bauxite fundamentals & strong price outlook given rising China seaborne demand 2

740 views • 28 slides
Investor Presentation RIU Conference, Sydney May 2019 ASX: KIN Disclaimer Disclaimer This

Investor Presentation RIU Conference, Sydney May 2019 ASX: KIN Disclaimer Disclaimer This

Investor Presentation RIU Conference, Sydney May 2019 ASX: KIN Disclaimer Disclaimer This presentation is not a prospectus nor an offer for securities in any jurisdiction nor a securities recommendation. The information in this presentation is

267 views • 14 slides

More recommend