behavior aware network segmentation using ip flows
play

Behavior-Aware Network Segmentation using IP Flows The 14th - PowerPoint PPT Presentation

Sep 22, 2023 •517 likes •762 views

Behavior-Aware Network Segmentation using IP Flows The 14th International Conference on Availability, Reliability and Security August 26 August 29, 2019 University of Kent, Canterbury, UK Juraj Smeriga , Tomas Jirsik Institute of Computer

  1. Behavior-Aware Network Segmentation using IP Flows The 14th International Conference on Availability, Reliability and Security August 26 – August 29, 2019 University of Kent, Canterbury, UK Juraj Smeriga , Tomas Jirsik Institute of Computer Science, Masaryk University, Czech Republic

  2. Network Segmentation What is it good for? Network segmentation in computer networking is the act or practice of splitting a computer network into subnetworks , each being a network segment . ARES 2019: Behavior-Aware Network Segmentation using IP Flows 2 Juraj Smeriga, Tomas Jirsik , Masaryk University, Brno

  3. Network IP Flow Monitoring IP flows tell the stories Connection-oriented network traffic observation § Aggregates packets by flow keys § Optimized for high speed, large-scale networks § Who is communicating with whom , how long , on which port/protocol § Application protocols monitoring – HTTP, DNS ARES 2019: Behavior-Aware Network Segmentation using IP Flows 3 Juraj Smeriga, Tomas Jirsik , Masaryk University, Brno

  4. ? What is the Problem? Problems, problems everywhere § Complexity of networks – multilayered network, dynamics § Lack of information – limited/no access to all hosts in a network § Connection-oriented IP Flows – host-oriented view is required § Large volume of data – impossible to process manually What are the segments? How to assign hosts to the segments? ARES 2019: Behavior-Aware Network Segmentation using IP Flows 4 Juraj Smeriga, Tomas Jirsik , Masaryk University, Brno

  5. What is the Problem? Problems, problems everywhere � Machine learning solves it all ARES 2019: Behavior-Aware Network Segmentation using IP Flows 5 Juraj Smeriga, Tomas Jirsik , Masaryk University, Brno

  6. What is the Problem? Problems, problems everywhere � Machine learning solves it all Really? ARES 2019: Behavior-Aware Network Segmentation using IP Flows 6 Juraj Smeriga, Tomas Jirsik , Masaryk University, Brno

  7. Hypotheses Choosing the right question. Explore the possibilities of utilizing machine learning on IP flows to create behavior- consistent network segments. � � Network can be divided into behavior- It is possible to assign an unknown consistent segments using machine host to an existing segment based on learning. its behavior. ARES 2019: Behavior-Aware Network Segmentation using IP Flows 7 Juraj Smeriga, Tomas Jirsik , Masaryk University, Brno

  8. � � � � � � Methodology It’s about the journey, not the destination � � � � � � ARES 2019: Behavior-Aware Network Segmentation using IP Flows 8 Juraj Smeriga, Tomas Jirsik , Masaryk University, Brno

  9. Dataset � ARES 2019: Behavior-Aware Network Segmentation using IP Flows 9 Juraj Smeriga, Tomas Jirsik , Masaryk University, Brno

  10. � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � Data collection From connections to host profiles Features § 1 month of data from /16 campus network § Aggregations – flow duration, number of packets, bytes, flows § Distinct counts – peers, ports, protocols, AS numbers, country over days by hour by src IP none ARES 2019: Behavior-Aware Network Segmentation using IP Flows 10 Juraj Smeriga, Tomas Jirsik , Masaryk University, Brno

  11. � Data collection From connections to host profiles ARES 2019: Behavior-Aware Network Segmentation using IP Flows 11 Juraj Smeriga, Tomas Jirsik , Masaryk University, Brno

  12. � Dataset No more ”garbage in, garbage out” Labelling Origin – list of existing administrative units (network ranges) § Labels – range, administrative unit, and administrative subunit § Preprocessing Missing Values – missing labels (9.18%), all missing values (42.74%), other replaced by 0, § remains 31 501 hosts Outliers – 0.95 quantile § Standardization – zero mean and unit variance § Dataset balancing – undersampling of the major unit by 75% § Release Anonymization – IP addresses and ranges anonymized by CryptoPan § Publishing platform – zenodo.org with feature description § ARES 2019: Behavior-Aware Network Segmentation using IP Flows 12 Juraj Smeriga, Tomas Jirsik , Masaryk University, Brno

  13. Network Segment Discovery � ARES 2019: Behavior-Aware Network Segmentation using IP Flows 13 Juraj Smeriga, Tomas Jirsik , Masaryk University, Brno

  14. � Algorithms Clustering – identifying groups in unknown What class of algorithm? § Problem – divide hosts into a previously unknown groups of similar hosts § Unsupervised ML - Clustering Algorithms - the task of grouping a set of objects in such a way that objects in the same are more similar to each other than to those in other groups Selected Clustering Algorithms § K-Means � simple , fast , scales to large datasets predefined number of clusters , initial centroids matters , curse of dimensionality � § Density-based spatial clustering of applications with noise ( DBSCAN ) � no need for predefined number of clusters , non-convex cluster identification non-determinism , heavy dependence on selected distance measure � § Time-series modification LB Keogh Dynamic time warping instead Euclidean distance § ARES 2019: Behavior-Aware Network Segmentation using IP Flows 14 Juraj Smeriga, Tomas Jirsik , Masaryk University, Brno

  15. � Training Practice makes perfect K-Means § Number of clusters – 22 equal to number of administrative units § Initial centroids – random selection § Max iterations – 300 DBSCAN § Elbow identification – minPts = 44, ε = 160 § Grid search – minPts = 40, ε = 5 Evaluation § Silhouette coefficient – no labels, <-1 (bad) , 1 (good) >, § Adjusted Rand index – labels, around 0 (bad) , 1 (good) ARES 2019: Behavior-Aware Network Segmentation using IP Flows 15 Juraj Smeriga, Tomas Jirsik , Masaryk University, Brno

  16. � Results Are there behavior-consistent segments? Number of clusters § DBSCAN optimum 7 clusters Initial Results Advanced Analysis Takeaway A less behavior-similar segments than the § administrative ones Segments are overlapping § DBSCAN is slightly better for clustering behaviors § on network ARES 2019: Behavior-Aware Network Segmentation using IP Flows 16 Juraj Smeriga, Tomas Jirsik , Masaryk University, Brno

  17. Network Segment Assignment � ARES 2019: Behavior-Aware Network Segmentation using IP Flows 17 Juraj Smeriga, Tomas Jirsik , Masaryk University, Brno

  18. � Algorithms Classification – assigning to a category What class of algorithm? § Problem – assign a new host into an existing segment § Supervised ML - Classification Algorithms – based on the data creates model and predict the class of given data points Selected Classification Algorithms § K-nearest neighbors § Decision Trees � simple , only one parameter � easy to understand , requires little data preparation non-robust , overfitting homogenous features , curse of dimensionality � � § Support Vector Machines kernel choice , avoids overfitting � plenty of parameters to set � ARES 2019: Behavior-Aware Network Segmentation using IP Flows 18 Juraj Smeriga, Tomas Jirsik , Masaryk University, Brno

  19. � Training Practice makes perfect K-nearest neighbors 0.50 k value setting – elbow analysis § 0.49 0.48 Error Rate SVM 0.47 Kernel – polynomial § 0.46 Penalty parameter, kernel coef. – grid search § 0.45 Penalty parameter – 0.01 § Kernel coef. – 1 § 0.44 Uniform weights, no iteration limit § 2.5 5.0 7.5 10.0 12.5 15.0 17.5 20.0 K values Evaluation Decision Trees Split – Gini impurity § Train : test ratio – 80:20, random selection § Max features considered – 22 Metrics – precision, recall, F-Score § § No depth limit § ARES 2019: Behavior-Aware Network Segmentation using IP Flows 19 Juraj Smeriga, Tomas Jirsik , Masaryk University, Brno

  20. � Results Is it possible to assign a host? Initial Results Advanced Analysis Takeaway § Noise is introduced by small fuzzy administrative segments § Hosts with similar behaviors are present in more administrative segments § DT and SVM performs better than KNN § No time causality required for classification ARES 2019: Behavior-Aware Network Segmentation using IP Flows 20 Juraj Smeriga, Tomas Jirsik , Masaryk University, Brno

  21. Conclusions Take away messages � � We can divide network to behavior-consistent segments using ML § A less behavior-similar segments than the administrative ones § Segments are overlapping � § DBSCAN is slightly better for clustering behaviors on network � It is possible to assign an unknown host to an existing segment based on its behavior. § Noise is introduced by small fuzzy administrative segments § Hosts with similar behaviors are present in more administrative segments § No time causalit y required for classification § DT and SVM performs better than KNN ARES 2019: Behavior-Aware Network Segmentation using IP Flows 21 Juraj Smeriga, Tomas Jirsik , Masaryk University, Brno

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Network Coding-Aware Queue Network Coding Aware Queue Management for Unicast Flows over Coded

Network Coding-Aware Queue Network Coding Aware Queue Management for Unicast Flows over Coded

Network Coding-Aware Queue Network Coding Aware Queue Management for Unicast Flows over Coded Wireless Networks Coded Wireless Networks Hlya Sefero lu, Athina Markopoulou University of California Irvine University of California, Irvine

287 views • 24 slides
Budget-aware Semi-Supervised Semantic and Instance Segmentation Miriam Bellver, Amaia Salvador,

Budget-aware Semi-Supervised Semantic and Instance Segmentation Miriam Bellver, Amaia Salvador,

Budget-aware Semi-Supervised Semantic and Instance Segmentation Miriam Bellver, Amaia Salvador, Jordi Torres, Xavier Giro-i-Nieto Women In Computer Vision - CVPR 2019 Motivation Semantic segmentation Instance segmentation Pixel-level

282 views • 15 slides
v v 1 3 20 liquids through pipe 16 Vancouver parts through an assembly line s t 10

v v 1 3 20 liquids through pipe 16 Vancouver parts through an assembly line s t 10

4.2 Network Flows A directed graph can model a flow network where some material (e.g., widgets, current, . . . ) is produced or enters the network at Mat 3770 a source and is consumed at a sink . Network Flows Production and consumption

465 views • 11 slides
NETWORK FLOWS NETWORK FLOWS A network consists of a loopless digraph D = ( V , A ) plus a function

NETWORK FLOWS NETWORK FLOWS A network consists of a loopless digraph D = ( V , A ) plus a function

NETWORK FLOWS NETWORK FLOWS A network consists of a loopless digraph D = ( V , A ) plus a function c : A R + . Here c ( x , y ) for ( x , y ) A is the capacity of the edge ( x , y ) . We use the following notation: if : A R and S , T

566 views • 17 slides
Network Flows Marco Chiarandini Department of Mathematics &amp; Computer Science University of

Network Flows Marco Chiarandini Department of Mathematics &amp; Computer Science University of

DM545 Linear and Integer Programming Lecture 12 Network Flows Marco Chiarandini Department of Mathematics &amp; Computer Science University of Southern Denmark Network Flows Outline Duality 1. (Minimum Cost) Network Flows 2. Duality in

625 views • 35 slides
Mat 3770 Conservation Max Flow Network Flows flow Cancellation Cut Ford- Fulkerson

Mat 3770 Conservation Max Flow Network Flows flow Cancellation Cut Ford- Fulkerson

Mat 3770 Network Flows Network Flow Mat 3770 Conservation Max Flow Network Flows flow Cancellation Cut Ford- Fulkerson Residual Spring 2014 Network Augmenting Path Max-flow Min-cut Matching 4.2 Network Flows Mat 3770 Network

896 views • 61 slides
Using BGP Flow-Spec for distributed micro-segmentation Davide Pucci / 12019364 Attilla de Groot /

Using BGP Flow-Spec for distributed micro-segmentation Davide Pucci / 12019364 Attilla de Groot /

Using BGP Flow-Spec for distributed micro-segmentation Davide Pucci / 12019364 Attilla de Groot / Cumulus Networks Data Center micro-segmentation Layer 2 segmentation Layer 3 segmentation VLANs to isolate multiple flows VRFs to separate

461 views • 16 slides
Network Flows Math 482, Lecture 23 Misha Lavrov March 30, 2020 Network Flows Upper bounds on

Network Flows Math 482, Lecture 23 Misha Lavrov March 30, 2020 Network Flows Upper bounds on

Network Flows Upper bounds on flow Network Flows Math 482, Lecture 23 Misha Lavrov March 30, 2020 Network Flows Upper bounds on flow Definition of a network 1 4 2 1 s t 3 2 1 2 3 2 3 2 A set N of nodes . Here, N = { s , 1 , 2 ,

749 views • 34 slides
Semantic segmentation Image classification Object detection Semantic segmentation Evolution

Semantic segmentation Image classification Object detection Semantic segmentation Evolution

Accel : A Corrective Fusion Network for Efficient Semantic Segmentation on Video Samvit Jain , Xin Wang , Joseph Gonzalez RISE Lab, UC Berkeley Semantic segmentation Image classification Object detection Semantic segmentation Evolution

857 views • 13 slides
CHAPTER CONTENTS What is Marketing The Marketing Mix Market Segmentation &amp;

CHAPTER CONTENTS What is Marketing The Marketing Mix Market Segmentation &amp;

CHAPTER CONTENTS What is Marketing The Marketing Mix Market Segmentation &amp; Targeting Understanding Consumer Behavior Corporate Buying Behavior Product New Product Development International Marketing Mix Small

844 views • 47 slides
Network Flows Marco Chiarandini Department of Mathematics &amp; Computer Science University of

Network Flows Marco Chiarandini Department of Mathematics &amp; Computer Science University of

DM545 Linear and Integer Programming Lecture 11 Network Flows Marco Chiarandini Department of Mathematics &amp; Computer Science University of Southern Denmark Network Flows Duality Outline Assignment and Transportation 1. (Minimum Cost)

675 views • 39 slides
Pr Proposal Tr Tracking an and Se Segmentation (PTS) S): A A cascaded network for video obje

Pr Proposal Tr Tracking an and Se Segmentation (PTS) S): A A cascaded network for video obje

Pr Proposal Tr Tracking an and Se Segmentation (PTS) S): A A cascaded network for video obje ject segmentation Zilong Huang*, Qiang Zhou*, Lichao Huang, Han Shen, Yongchao Gong, Chang Huang, Wenyu Liu, Xinggang Wang speeding_zZteam

397 views • 17 slides
You Are How You Drive: Peer and Temporal-Aware Representation Learning for Driving Behavior

You Are How You Drive: Peer and Temporal-Aware Representation Learning for Driving Behavior

You Are How You Drive: Peer and Temporal-Aware Representation Learning for Driving Behavior Analysis Pengyang Wang, Yanjie Fu, Jiawei Zhang, Pengfei Wang, Yu Zheng, Charu Aggarwal Outline 1 Background and Motivation Definition and

1.09k views • 38 slides
VIDEO SIGNALS Segmentation WHAT IS SEGMENTATION WHAT IS SEGMENTATION Segmentation is a

VIDEO SIGNALS Segmentation WHAT IS SEGMENTATION WHAT IS SEGMENTATION Segmentation is a

VIDEO SIGNALS Segmentation WHAT IS SEGMENTATION WHAT IS SEGMENTATION Segmentation is a fundamental low level operation on Segmentation is a fundamental low-level operation on images. If an image is already partitioned into segments

639 views • 51 slides
Well Solved Problems Network Flows Marco Chiarandini Department of Mathematics &amp; Computer

Well Solved Problems Network Flows Marco Chiarandini Department of Mathematics &amp; Computer

DM545 Linear and Integer Programming Lecture 10 Well Solved Problems Network Flows Marco Chiarandini Department of Mathematics &amp; Computer Science University of Southern Denmark Well Solved Problems Outline Network Flows 1. Well Solved

278 views • 23 slides
An Overview of Semantic Image Segmentation with Deep Learning Simone Bonechi Outline

An Overview of Semantic Image Segmentation with Deep Learning Simone Bonechi Outline

An Overview of Semantic Image Segmentation with Deep Learning Simone Bonechi Outline Semantic Image Segmentation Deep Network for Semantic Segmentation FCN (Fully Convolutional Neural Network) DeconvNet PSPNet (Pyramid Scene

746 views • 22 slides
Healthy Cities Network Implementation Framework for Phase VII (2019-2024) WHO European Healthy

Healthy Cities Network Implementation Framework for Phase VII (2019-2024) WHO European Healthy

WHO European Healthy Cities Network Implementation Framework for Phase VII (2019-2024) WHO European Healthy Cities Network Agenda Background Phase VII: Goals and strategic approaches Phase VII: Requirements Designation of

819 views • 43 slides
2. Background and Related Work or non-backbone, depends on its h -hop neighborhood in- formation

2. Background and Related Work or non-backbone, depends on its h -hop neighborhood in- formation

On Constructing k -Connected k -Dominating Set in Wireless Networks Fei Dai and Jie Wu Department of Computer Science and Engineering Florida Atlantic University Boca Raton, FL 33431 Abstract [1, 2, 4, 8, 11, 16, 26, 30, 31], virtual

409 views • 10 slides
MariLight the German maritime lightweight network Bremen, January 29th 2020 Seminar on

MariLight the German maritime lightweight network Bremen, January 29th 2020 Seminar on

MariLight the German maritime lightweight network Bremen, January 29th 2020 Seminar on Lightweight Applications at Sea, Bremen www.marilight.net 1 Launched in March 2019 as national sub - network of E-LASS Coordinated by CMT

649 views • 7 slides
Longer term DUoS Charging Model Nigel Turvey Design &amp; Development Manager WPD Project

Longer term DUoS Charging Model Nigel Turvey Design &amp; Development Manager WPD Project

Longer term DUoS Charging Model Nigel Turvey Design &amp; Development Manager WPD Project Started in March 2005 1 year duration working with The University of Bath Objective to develop a charging methodology based usage of

199 views • 18 slides
Communicating Scala Objects Andrew Bate and Gavin Lowe Department of Computer Science University

Communicating Scala Objects Andrew Bate and Gavin Lowe Department of Computer Science University

A Debugger for Communicating Scala Objects Andrew Bate and Gavin Lowe Department of Computer Science University of Oxford Overview Implementation of a GUI debugger for Scala+CSO Extracts information from the use of concurrency

1.27k views • 20 slides
Pajek Chase Christopherson, Heriberto Diaz, Jiyuan Guo Pajek overview Pajek is designed to

Pajek Chase Christopherson, Heriberto Diaz, Jiyuan Guo Pajek overview Pajek is designed to

Pajek Chase Christopherson, Heriberto Diaz, Jiyuan Guo Pajek overview Pajek is designed to be used for analyzing large networks. Pajek intends to draw from several sources of machine-readable networks. Pajek is free for download

807 views • 36 slides
Interoperability to Improve Healthcare HIMSS EHR Vendors Association Hugh Zettel Hugh Zettel

Interoperability to Improve Healthcare HIMSS EHR Vendors Association Hugh Zettel Hugh Zettel

Interoperability to Improve Healthcare HIMSS EHR Vendors Association Hugh Zettel Hugh Zettel GE Healthcare GE Healthcare Director, Government &amp; Industry Relations Director, Government &amp; Industry Relations Vice Chair, HIMSS EHRVA

451 views • 23 slides
Climate change and related Climate change and related impacts in the Mediterranean impacts in

Climate change and related Climate change and related impacts in the Mediterranean impacts in

Climate change and related Climate change and related impacts in the Mediterranean impacts in the Mediterranean at regional and national scales. at regional and national scales. Lessons learnt from GI CC &amp; Lessons learnt from GI CC &amp;

767 views • 41 slides

More recommend