atypical behavior identification in large scale network
play

Atypical Behavior Identification in Large Scale Network Traffic - PowerPoint PPT Presentation

Sep 12, 2022 •356 likes •545 views

Atypical Behavior Identification in Large Scale Network Traffic Daniel Best {daniel.best@pnnl.gov} Pacific Northwest National Laboratory Ryan Hafen, Bryan Olsen, William Pike 1 Agenda Background Behavioral algorithm Scalable data

  1. Atypical Behavior Identification in Large Scale Network Traffic Daniel Best {daniel.best@pnnl.gov} Pacific Northwest National Laboratory Ryan Hafen, Bryan Olsen, William Pike 1

  2. Agenda � Background � Behavioral algorithm � Scalable data intensive architectures � Visualization � Future directions 2

  3. What is large scale network traffic? � Most enterprises use some kind of continuous traffic monitoring . � Captured in either pcap or network flow format � Network flow is a summarization of network communication � Network flow is ubiquitous and voluminous � Groups of computers can easily have thousands of flow records per second � Large enterprises generate billions to tens of billions of flow records per day � src: 192.168.24.244, dest:123.321.184.1, src-port:62826, dest-port: 80, proto: 6, start-dtm: 1131850246948, end-dtm:1131850247948, duration: 235, packet-cnt: 38, byte-cnt: 11383, initial-flg: 2, all-flg: 27 3

  4. Development goals � Provide situation awareness and event discovery in large data sets � Facilitate behavioral modeling and anomaly visualization for streaming network traffic � Be capable of real-time and exploratory mode of investigation 4

  5. How to find atypical behavior? � Application concepts paying attention to three areas � Algorithm : Must be efficient to cope with volume of data � Data Management : Must be able supply data quickly � Visualization : Must provide the user the ability to discern atypical behavior and begin investigation process � Meeting our goals � Operationally demonstrated on a dataset containing 100B flow records � Demonstrated capability to stream network flows at ~3 thousand flows per second on a single desktop computer 5

  6. Atypical behavior algorithm background � Behavioral model based on temporal patterns � Improvement over previous models (SAX: Symbolic Aggregate approXimation) � Operates under the assumption that network flow attributes exhibit cyclical behavior of a weekly periodicity � Exploration has shown this holds well for most protocols � Various attributes can be modeled � Total bytes, total packets, network flow count � Aggregation is necessary for statistical robustness 6

  7. Weekly periodicity Take median to form baseline

  8. Comparing current activity to historical trends � Running median calculated for single current series and for m number of historic series � Median absolute deviation (MAD) calculated based on current and historic running medians � MAD and a configurable deviation number used to set upper and lower bounds for current and historic series 8

  9. Current and historic trend overlap NTP 9

  10. Visually encoding overlap with saturation Saturation used to color encode the background of plots 10

  11. Scalable data intensive architectures � Client visualization with various database back-ends � Postgres, Greenplum, Netezza � Needs database driver and appropriate configuration files � Scalability through aggregation � Using summary table (not required), improves performance � Network traffic grouped into categories � Rule based categorization algorithm � Based on attributes available in the data � port, protocol, payload, etc. 11

  12. Primary data architecture focus � Development and research on Netezza � Leverages available hardware and closely resembles the target release architecture � We still remain database agnostic for other deployments � DISTRIBUTE ON Clause � Determines how data is distributed across database appliance (Netezza specific) � Candidate keys should have high cardinality and commonly used in joins � We chose IP address 12

  13. Atypical behavior visualization (Clique) � Behavior baseline for actors � Creates statistical model of what is typical for a given actor and category set � Visualizes the deviation from typical activity � Actor / group hierarchy � Groups of IP addresses, a single IP address, or query based on an attribute � Site > Facilities > Buildings > Individuals � Individually configurable and sharable � Interactive interface provides semantic zooming (LiveRac) � Added adaptive bin widths, deviation highlighting, stability, and database independence 13

  14. Traffic categories Cell (Group & Category) User defined hierarchy Temporal selection 14

  15. 15

  16. Future directions � Investigate and implement alternative bottom up approach � statistical model per IP address and aggregation based on that model � Improve interface performance � Investigate alternate middle tier architectures � Enhance applicability by developing prototypes in different domains � Incorporate abrupt outlier identification and visualization 16

  17. How to get in touch Daniel Best @danvizsec daniel.best@pnnl.gov 17

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Large Scale I nternational I Pv6 Pilot Large Scale I nternational I Pv6 Pilot Network (6NET)

Large Scale I nternational I Pv6 Pilot Large Scale I nternational I Pv6 Pilot Network (6NET)

Large Scale I nternational I Pv6 Pilot Large Scale I nternational I Pv6 Pilot Network (6NET) Network (6NET) Athanassios Liakopoulos (aliako@grnet.gr) Greek Research & Technology Network (GRNET) I I I Global I Pv6 Summit November 2004

638 views • 37 slides
ALGORITHMS AND METHODS FOR LARGE- SCALE GENOME REARRANGEMENTS IDENTIFICATION Presented by Jose

ALGORITHMS AND METHODS FOR LARGE- SCALE GENOME REARRANGEMENTS IDENTIFICATION Presented by Jose

DEPARTMENT OF COMPUTER ARCHITECTURE DOCTORAL THESIS ALGORITHMS AND METHODS FOR LARGE- SCALE GENOME REARRANGEMENTS IDENTIFICATION Presented by Jose Antonio Arjona Medina Under the supervision of Prof. Dr. Oswaldo Trelles 1 Algorithms and

1.14k views • 65 slides
Leveraging local neighborhood topology for large scale person re-identification Svebor Karaman 1 ,

Leveraging local neighborhood topology for large scale person re-identification Svebor Karaman 1 ,

Leveraging local neighborhood topology for large scale person re-identification Svebor Karaman 1 , Giuseppe Lisanti 1 , Andrew D. Bagdanov 2 , Alberto Del Bimbo 1 1 Media Integration and Communication Center (MICC) University of Florence,

508 views • 12 slides
LARGE-SCALE KNOWLEDGE GRAPH IDENTIFICATION USING PSL Jay Pujara 1 , Hui Miao 1 , Lise Getoor 1

LARGE-SCALE KNOWLEDGE GRAPH IDENTIFICATION USING PSL Jay Pujara 1 , Hui Miao 1 , Lise Getoor 1

LARGE-SCALE KNOWLEDGE GRAPH IDENTIFICATION USING PSL Jay Pujara 1 , Hui Miao 1 , Lise Getoor 1 , William Cohen 2 1 University of Maryland, College Park, US 2 Carnegie Mellon University AAAI Symposium on Semantics for Big Data 11/16/2013

565 views • 37 slides
End-to-end Routing Behavior in the Internet: A Re-Appraisal from Access Networks Introduction

End-to-end Routing Behavior in the Internet: A Re-Appraisal from Access Networks Introduction

End-to-end Routing Behavior in the Internet: A Re-Appraisal from Access Networks Introduction Large scale behavior of end-to-end routing Collect traceroutes and other network performance metrics BISmark routers all over the world

548 views • 22 slides
The Impact of Network Noise on Large-Scale Communication Performance Torsten Hoefler , Timo

The Impact of Network Noise on Large-Scale Communication Performance Torsten Hoefler , Timo

The Impact of Network Noise on Large-Scale Communication Performance Torsten Hoefler , Timo Schneider, and Andrew Lumsdaine Open Systems Lab Indiana University Bloomington, USA Workshop on Large-Scale Parallel Processing/IPDPS09 Rome, Italy

462 views • 17 slides
The Dynamic Behavior of a Data Dissemination Protocol for Network Programming at Scale Jonathan

The Dynamic Behavior of a Data Dissemination Protocol for Network Programming at Scale Jonathan

The Dynamic Behavior of a Data Dissemination Protocol for Network Programming at Scale Jonathan W. Hui, David Culler Presented by: Thomas Repantis trep@cs.ucr.edu CS263-Seminar in Distributed Systems, Winter 2005 p.1/31 Overview Deluge,

520 views • 31 slides
StarBED: A Large-scale Network Experiment Testbed Razvan Beuran & The StarBED Team

StarBED: A Large-scale Network Experiment Testbed Razvan Beuran & The StarBED Team

StarBED: A Large-scale Network Experiment Testbed Razvan Beuran & The StarBED Team razvan@nict.go.jp February 2010 Outline 1. What is StarBED? 2. Using StarBED 3. Application areas 4. Summary 2 1. What is StarBED? Large-scale network

653 views • 42 slides
FINANCING LARGE SCALE SOLAR Large Scale Solar Conference - Sydney Gloria Chan Director, Large

FINANCING LARGE SCALE SOLAR Large Scale Solar Conference - Sydney Gloria Chan Director, Large

FINANCING LARGE SCALE SOLAR Large Scale Solar Conference - Sydney Gloria Chan Director, Large Scale Solar Lead April 2017 CONTENTS 1. Introduction to CEFC 2. Investment trends 3. The future of large scale solar 4. Pathway to sustainable

664 views • 21 slides
Accelerating Large-scale Phase Field Simulation with GPU Jian Zhang Computer Network Information

Accelerating Large-scale Phase Field Simulation with GPU Jian Zhang Computer Network Information

Accelerating Large-scale Phase Field Simulation with GPU Jian Zhang Computer Network Information Center(CNIC), Chinese Academy of Sciences 2 Outline Outline Background Phase Field Model Large Scale Smiulations Compute intensive

493 views • 26 slides
Large Scale Complex Network Analysis using Large Scale Complex Network Analysis using the Hybrid

Large Scale Complex Network Analysis using Large Scale Complex Network Analysis using the Hybrid

Large Scale Complex Network Analysis using Large Scale Complex Network Analysis using the Hybrid Combination of a the Hybrid Combination of a MapReduce Cluster and MapReduce Cluster and a Highly Multithreaded System a Highly Multithreaded

449 views • 22 slides
Large-scale Virtualization in the Emulab Network Testbed Mike Hibler, Robert Ricci, Leigh

Large-scale Virtualization in the Emulab Network Testbed Mike Hibler, Robert Ricci, Leigh

Large-scale Virtualization in the Emulab Network Testbed Mike Hibler, Robert Ricci, Leigh Stoller, Jonathon Duerig, Shashi Guruprasad, Tim Stack, Kirk Webb, Jay Lepreau Emulab: Network Testbed 2 Emulab: Network Testbed 2 Emulab: Network

1.06k views • 88 slides
Understanding the Impact of Network Infrastructure Changes using Large-Scale Measurement Platforms

Understanding the Impact of Network Infrastructure Changes using Large-Scale Measurement Platforms

Understanding the Impact of Network Infrastructure Changes using Large-Scale Measurement Platforms Vaibhav Bajpai and Jrgen Schnwlder {v.bajpai, j.schoenwaelder}@jacobs-university.de AIMS 2013, Barcelona Computer Networks and Distributed

761 views • 19 slides
Large-Scale Survey Interviewing Following Large Scale Survey Interviewing Following the 2008

Large-Scale Survey Interviewing Following Large Scale Survey Interviewing Following the 2008

Large-Scale Survey Interviewing Following Large Scale Survey Interviewing Following the 2008 WenChuan Earthquake Zhang Huafeng and Jon Pedersen International Blaise Users Conference (IBUC) Baltimore, USA , 1 Introduction Two household

711 views • 22 slides
INCORPORATING LARGE-SCALE CITIZEN INCORPORATING LARGE-SCALE CITIZEN DELIBERATION INTO

INCORPORATING LARGE-SCALE CITIZEN INCORPORATING LARGE-SCALE CITIZEN DELIBERATION INTO

INCORPORATING LARGE-SCALE CITIZEN INCORPORATING LARGE-SCALE CITIZEN DELIBERATION INTO ENVIRONMENTAL CONFLICT RESOLUTION America Speaks presentation to the 2008 ECR Conference Table Introductions Please form groups of 4-5 and give: Your name

848 views • 41 slides
Contents Introduction Scalability and Accuracy in a Architecture Large-Scale Network

Contents Introduction Scalability and Accuracy in a Architecture Large-Scale Network

Contents Introduction Scalability and Accuracy in a Architecture Large-Scale Network Emulator Implementation and Evaluation Accuracy vs. Scalability Tradeoff Nov. 12, 2003 Case Studies Byung-Gon Chun 1 2 Motivation

299 views • 5 slides
M2S2 - Distributions Professor Jarad Niemi STAT 226 - Iowa State University August 29, 2018

M2S2 - Distributions Professor Jarad Niemi STAT 226 - Iowa State University August 29, 2018

M2S2 - Distributions Professor Jarad Niemi STAT 226 - Iowa State University August 29, 2018 Professor Jarad Niemi (STAT226@ISU) M2S2 - Distributions August 29, 2018 1 / 19 Outline Population Location Spread Modality: unimodal, bimodal

476 views • 19 slides
+ A Quantitative Survey on the Use of the Cube Vocabulary in the Linked Open Data Cloud Karin

+ A Quantitative Survey on the Use of the Cube Vocabulary in the Linked Open Data Cloud Karin

+ A Quantitative Survey on the Use of the Cube Vocabulary in the Linked Open Data Cloud Karin Becker Instituto de Informtica - Federal University of Rio Grande do Sul, Brazil Shiva Jahangiri , Craig A. Knoblock Information Sciences

472 views • 32 slides
Absorbing systematic effects to obtain a better Absorbing systematic effects to obtain a better

Absorbing systematic effects to obtain a better Absorbing systematic effects to obtain a better

Absorbing systematic effects to obtain a better Absorbing systematic effects to obtain a better background model in a search for new physics background model in a search for new physics Sascha Caron 1 , Glen Cowan 2 , Eilam Gross 3 , Stephan

719 views • 36 slides
Carnegie Mellon Univ. Problem Dept. of Computer Science Getting the data: Data Warehouses,

Carnegie Mellon Univ. Problem Dept. of Computer Science Getting the data: Data Warehouses,

Faloutsos & Pavlo CMU SCS 15-415/615 CMU SCS CMU SCS Data mining - detailed outline Carnegie Mellon Univ. Problem Dept. of Computer Science Getting the data: Data Warehouses, DataCubes, 15-415/615 DB Applications OLAP

476 views • 20 slides
Benchmarking Methodology for IPv6 Transition Technologies

Benchmarking Methodology for IPv6 Transition Technologies

iplab Benchmarking Methodology for IPv6 Transition Technologies draft-ietf-bmwg-ipv6-tran-tech-benchmarking-01 Marius Georgescu Nara Institute of Science and Technology Internet Engineering Laboratory 7 Apr. 2016 D RAFT M OTIVATION D RAFT

340 views • 13 slides
PSS718 - Data Mining Lecture 5 - Transforming Data Asst.Prof.Dr. Burkay Gen Hacettepe

PSS718 - Data Mining Lecture 5 - Transforming Data Asst.Prof.Dr. Burkay Gen Hacettepe

PSS718 - Data Mining Lecture 5 - Transforming Data Asst.Prof.Dr. Burkay Gen Hacettepe University October 23, 2016 Transforming Data Data Issues Methods Transforming Data Improving the performance of a model To improve the performance of

383 views • 37 slides
Transforming a continuous attribute into a discrete (ordinal) attribute Ricco RAKOTOMALALA

Transforming a continuous attribute into a discrete (ordinal) attribute Ricco RAKOTOMALALA

Transforming a continuous attribute into a discrete (ordinal) attribute Ricco RAKOTOMALALA Universit Lumire Lyon 2 Ricco Rakotomalala 1 Tutoriels Tanagra - http://tutoriels-data-mining.blogspot.fr/ Outline 1. What is the discretization

398 views • 36 slides
Medians MPM2D: Principles of Mathematics Consider ABD below. Centroid of a Triangle J.

Medians MPM2D: Principles of Mathematics Consider ABD below. Centroid of a Triangle J.

a n a l y t i c g e o m e t r y ( p a r t 2 ) a n a l y t i c g e o m e t r y ( p a r t 2 ) Medians MPM2D: Principles of Mathematics Consider ABD below. Centroid of a Triangle J. Garvin J. Garvin Centroid of a Triangle Slide 1/17

343 views • 3 slides

More recommend