evaluating software sensors for actively profiling
play

Evaluating Software Sensors for Actively Profiling Windows 2000 - PowerPoint PPT Presentation

Dec 03, 2023 •144 likes •320 views

Evaluating Software Sensors for Actively Profiling Windows 2000 Computer Users Mark Shavlik Jude Shavlik Michael Fahland Motivation and General Approach Identify unique characteristics of each user/servers behavior Every second,

  1. Evaluating Software Sensors for Actively Profiling Windows 2000 Computer Users Mark Shavlik Jude Shavlik Michael Fahland

  2. Motivation and General Approach � Identify ˜ unique characteristics of each user/server’s behavior � Every second, measure 100’s of Windows 2000 properties � in/out network traffic, programs running, keys pressed, kernel usage, etc � Predict Prob( normal | measurements ) � Raise alarm if recent measurements seem unlikely for this user/server

  3. Goal: Choose “Measurement Space” that Widely Separates User from General Population Specific User Probability General Population Possible Measurements

  4. Initial Experiment � Subjects: 10 users at Shavlik Technologies � Unobtrusively collected data for 6 weeks � 7 GBytes archived � Task: Are current measurements from user X? � Initial Focus: Keystroke data � Which key pressed? � Time key down � Time since previous key press

  5. Training, Tuning, and Testing Sets � Very important in machine learning to not use testing data to optimize parameters! � Train Set: first two weeks of data � Build a (statistical) model � Tune Set: middle two weeks of data � Choose good parameter settings � Test Set: last two weeks of data � Evaluate “frozen” model

  6. Our Intrusion-Detection Template Last W ( window width) keystrokes ... time If prob(current keystroke) < T then raise “mini” alarm If # “mini” alarms in window > F then predict intrusion Use tuning set to choose good values for T and F

  7. Alarm #1 - Probability We Estimate Prob( current keystroke = K3 and previous keystroke = K2 and two-ago keystroke = K1 and time between K2 and K3 = Interval23 and time between K1 and K2 = Interval12 and time K3 was down = Downtime3 )

  8. Visualizing Alarm #1 Interval12 Interval23 K1 K2 K3 alpha very short digit punct ... very long During training count how often each path taken (per user)

  9. Testset Results – Alarm #1 “Intrusion” Detection Rates (with < 1 false alarm per day per user) 100% Detection Rate 80% on Testset 60% Absolute Prob 40% 20% 0% 10 20 40 80 160 320 640 Window Width (W)

  10. Using Relative Probabilities Alarm #2: Prob( keystrokes | machine owner ) Prob( keystrokes | population ) 100% Detection Rate 80% on Testset Relative Prob 60% 40% Absolute Prob 20% 0% 10 20 40 80 160 320 640 Window Width (W)

  11. Using Two Best Alarm Types (Chosen on Tuning Set) We are also investigating other keystroke-related alarms (eg, length of words, sentences, etc) 100% Detection Rate 80% Best 2 Alarms on Testset 60% Relative Prob 40% Absolute Prob 20% 0% 10 20 40 80 160 320 640 Window Width (W)

  12. Cascading Window Sizes � Alarm in Window Size = W also if alarm in any smaller window � (To Do: Re-choose thresholds for this scenario) W / 8 W / 4 W / 2 W

  13. Cascading Window Sizes - Results Can detect intrusions before window W completely full 100% Cascaded Alarm #2 Detection Rate 80% Uncascaded on Testset Alarm #2 60% Cascaded 40% False Alarms 20% Uncascaded False Alarms 0% One False Alarm 10 20 40 80 160 320 640 per Day Window Width (W)

  14. Tradeoff between False Alarms and Detected Intrusions (ROC Curve) 100% Detection Rate 80% on Testset W=80 60% W=160 40% 20% one / day 0% 0.0% 0.5% 1.0% 1.5% 2.0% 2.5% False-Alarm Rate on Testset Note: left-most values result from ZERO tune-set false alarms

  15. Current Work � Extend to non-keystroke data � Condition probabilities on other measurements � Prob( keystrokes | MS Office running ), Prob( keystrokes | browser running ), … � Combine additional alarms � Approx full joint probability distribution (Bayes nets) on user’s measurements most divergent from general population � Train standard machine learners to distinguish user X from general population

  16. Some Related Work � Machine learning for intrusion detection � Gosh et al. (1999) � Lane & Brodley (1998) � Lee et al. (1999) � Warrender et al. (1999) � Typically Unix-based; system calls &TCP analyzed � Analysis of keystroke dynamics � Monrose & Rubin (1997) � For authenticating passwords

  17. Conclusion � Can accurately characterize individual user behavior using simple models � Separate data into train , tune , and test sets � “Let the data decide” good parameter settings, on per-user basis � Normalize prob’s by general-population prob’s � Separate rare for this user/server from rare for everyone

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

From Performance Profiling to Predictive Analytics while evaluating Hadoop performance using

From Performance Profiling to Predictive Analytics while evaluating Hadoop performance using

www.bsc.es From Performance Profiling to Predictive Analytics while evaluating Hadoop performance using ALOJA Nicolas Poggi , Senior Researcher June 2015 ALOJA talks in WBDB.ca 2015 0. About ALOJA DEMO 1. From Performance Profiling to

594 views • 45 slides
Simulation-Based Tracing and Profiling for System Software Development Anselm Busse , Reinhardt

Simulation-Based Tracing and Profiling for System Software Development Anselm Busse , Reinhardt

Simulation-Based Tracing and Profiling for System Software Development Anselm Busse , Reinhardt Karnapke, and Helge Parzyjegla | SYSTOR 2017 | Haifa 2017-05-22 Motivation Tracing and profiling is crucial to system software development State

683 views • 8 slides
Our Product Range Color Sensors Luminescence Sensors Contrast Sensors Opacity

Our Product Range Color Sensors Luminescence Sensors Contrast Sensors Opacity

EMX Industries Inc . Application Driven Sensors Our Product Range Color Sensors Luminescence Sensors Contrast Sensors Opacity Sensors Brightness Sensors Special Sensors Bluetooth Switch The Facts Fastest Speed

309 views • 10 slides
Leaving no one behind The role of evidence-building and profiling to include displacement in

Leaving no one behind The role of evidence-building and profiling to include displacement in

Leaving no one behind The role of evidence-building and profiling to include displacement in recovering and development processes Natalia Krynsky Baal , Coordinator, Joint IDP Profiling Service WHAT IS PROFILING? Defining profiling A

439 views • 12 slides
EAP ATAM and Collaboration at the Enterprise Level Evaluating Software Architecture ATAM The

EAP ATAM and Collaboration at the Enterprise Level Evaluating Software Architecture ATAM The

EAP ATAM and Collaboration at the Enterprise Level Evaluating Software Architecture ATAM The Architecture Trade-off Analysis Method n Evaluating software architecture Determines if the architecture meets the business drivers One of its

148 views • 11 slides
Performance Profiling with EndoScope, an Acquisitional Software Monitoring Framework Alvin

Performance Profiling with EndoScope, an Acquisitional Software Monitoring Framework Alvin

Performance Profiling with EndoScope, an Acquisitional Software Monitoring Framework Alvin Cheung Sam Madden MIT CSAIL August 25, 2008 Collecting System Runtime Data Many uses Real-time system monitoring Detect security breaches

357 views • 25 slides
Real-Time Monitoring Sensors Rain Gauge Sensors: Water Level Sensors: Other Sensors:

Real-Time Monitoring Sensors Rain Gauge Sensors: Water Level Sensors: Other Sensors:

Real-Time Monitoring Sensors Rain Gauge Sensors: Water Level Sensors: Other Sensors: Tipping Bucket Above Water - Radar, Ultrasonic Soil Moisture Sensor Measures Accumulation and Rainfall Rate Submersible

536 views • 7 slides
Software Workshops Week 1 - 10/11/19 What do we do? - Code in Kotlin - Sensors -

Software Workshops Week 1 - 10/11/19 What do we do? - Code in Kotlin - Sensors -

Software Workshops Week 1 - 10/11/19 What do we do? - Code in Kotlin - Sensors - Controlling motors and pneumatics - Control theory - Computer vision - Microcontrollers What will you learn? - Kotlin - Various tools - IntelliJ,

795 views • 48 slides
Profiling of Algorithms Profiling refers to the experimental measurement of the performance of

Profiling of Algorithms Profiling refers to the experimental measurement of the performance of

Profiling of Algorithms Profiling refers to the experimental measurement of the performance of algorithms. Profiling techniques fall into two main categories: Instruction counting the number of times which particular instruction(s)

672 views • 19 slides
COZ : Finding Code that Counts with Causal Profiling Anuja Golechha Agenda Profiling

COZ : Finding Code that Counts with Causal Profiling Anuja Golechha Agenda Profiling

COZ : Finding Code that Counts with Causal Profiling Anuja Golechha Agenda Profiling Issues with current profilers Causal profiling COZ Overview and Implementation COZ Evaluation Comparison with Pivot Tracing

660 views • 23 slides
Cloud Benchmarking Estimating Cloud Application Performance Based on Micro Benchmark Profiling

Cloud Benchmarking Estimating Cloud Application Performance Based on Micro Benchmark Profiling

software evolution &amp; architecture lab Department of Informatics s.e.a.l. Cloud Benchmarking Estimating Cloud Application Performance Based on Micro Benchmark Profiling Joel Scheuner 2017-06-15 Page 1 Master Thesis Defense software

510 views • 38 slides
An introduction to Profiling Physics Coding Club: 09/06/2017 D. Dickinson

An introduction to Profiling Physics Coding Club: 09/06/2017 D. Dickinson

An introduction to Profiling Physics Coding Club: 09/06/2017 D. Dickinson (d.dickinson@york.ac.uk) Overview What is meant by profiling? Why do we care about profiling? How do we do profiling? Specific example using Scalasca

912 views • 22 slides
CS510 Software Engineering Program Profiling Asst. Prof. Mathias Payer Department of Computer

CS510 Software Engineering Program Profiling Asst. Prof. Mathias Payer Department of Computer

CS510 Software Engineering Program Profiling Asst. Prof. Mathias Payer Department of Computer Science Purdue University TA: Scott A. Carr Slides inspired by Xiangyu Zhang http://nebelwelt.net/teaching/15-CS510-SE Spring 2015 Definition of

570 views • 28 slides
Profiling of Data-Parallel Processors Daniel Kruck 09/02/2014 09/02/2014 Profiling Daniel

Profiling of Data-Parallel Processors Daniel Kruck 09/02/2014 09/02/2014 Profiling Daniel

Profiling of Data-Parallel Processors Daniel Kruck 09/02/2014 09/02/2014 Profiling Daniel Kruck 1 / 41 Outline Motivation 1 Background - GPUs 2 Profiler 3 NVIDIA Tools Lynx Optimizations 4 Conclusion 5 09/02/2014 Profiling

441 views • 41 slides
Web User Profiling using Data Redundancy http://aminer.org/profiling Xiaotao Gu, Hong Yang, Jie

Web User Profiling using Data Redundancy http://aminer.org/profiling Xiaotao Gu, Hong Yang, Jie

Web User Profiling using Data Redundancy http://aminer.org/profiling Xiaotao Gu, Hong Yang, Jie Tang, Jing Zhang Tsinghua University 1 Web User Profiling using Data Redundancy Introduction Traditional Way Basic Idea

717 views • 34 slides
Software Execution Analysis Philipp Sch afer February 5, 2014 February 5, 2014 Seminar -

Software Execution Analysis Philipp Sch afer February 5, 2014 February 5, 2014 Seminar -

Introduction Software Profiling System Tracing Summary Software Execution Analysis Philipp Sch afer February 5, 2014 February 5, 2014 Seminar - Software Execution Analysis Philipp Sch afer 1 / 42 Introduction Software Profiling

706 views • 42 slides
TulStat 911 PSC The City Experience Inside City Hall April 17, 2017 911 PSC Mission

TulStat 911 PSC The City Experience Inside City Hall April 17, 2017 911 PSC Mission

TulStat 911 PSC The City Experience Inside City Hall April 17, 2017 911 PSC Mission Statement Take the Call &amp; Send Help Take the Call Requirements Adequate # of trained call-takers Data analytics Connectivity to

911 views • 47 slides
Overview Last Week: How to program UNIX processes (Chapters 7-9) fork() and exec() Unix

Overview Last Week: How to program UNIX processes (Chapters 7-9) fork() and exec() Unix

Overview Last Week: How to program UNIX processes (Chapters 7-9) fork() and exec() Unix System Programming This Week: Signals UNIX inter-process communication mechanism: signals, pipes and FIFOs. How to program with UNIX signals

135 views • 13 slides
Artificial Intelligence Probabilistic Reasoning CS 444 Spring 2019 Dr. Kevin Molloy

Artificial Intelligence Probabilistic Reasoning CS 444 Spring 2019 Dr. Kevin Molloy

Artificial Intelligence Probabilistic Reasoning CS 444 Spring 2019 Dr. Kevin Molloy Department of Computer Science James Madison University Bayesian Networks A simple, graphical notation for conditional independence assertions and hence

599 views • 22 slides
Bayesian Networks Part 1 CS 760@UW-Madison Goals for the lecture you should understand the

Bayesian Networks Part 1 CS 760@UW-Madison Goals for the lecture you should understand the

Bayesian Networks Part 1 CS 760@UW-Madison Goals for the lecture you should understand the following concepts the Bayesian network representation inference by enumeration Introduce the learning tasks for Bayes nets Bayesian

541 views • 29 slides
Probabilistic Models CS 4100: Artificial Intelligence Bayes Nets Models describe how (a

Probabilistic Models CS 4100: Artificial Intelligence Bayes Nets Models describe how (a

Probabilistic Models CS 4100: Artificial Intelligence Bayes Nets Models describe how (a portion of) the world works ks Mo Model els ar are e al alway ays simplifi ficat cations May not account for every variable May not

275 views • 4 slides
Baysian Networks Marco Chiarandini Department of Mathematics &amp; Computer Science University

Baysian Networks Marco Chiarandini Department of Mathematics &amp; Computer Science University

Lecture 5 Baysian Networks Marco Chiarandini Department of Mathematics &amp; Computer Science University of Southern Denmark Slides by Stuart Russell and Peter Norvig Probability Basis Course Overview Bayesian networks Introduction

487 views • 27 slides
1 Building the (Entire) Joint Example: Alarm Network We can take a Bayes net and build any

1 Building the (Entire) Joint Example: Alarm Network We can take a Bayes net and build any

Announcements Introduction to Artificial Intelligence How was mid-term? V22.0472-001 Fall 2009 Will grade mid-term / assignment 2 this Lecture 14: Bayes Nets 2 Lecture 14: Bayes Nets 2 weekend weekend Assignment 3 due this time

327 views • 6 slides
Embedded Systems Programming Signaling (Module 24) Yann-Hang Lee Arizona State University

Embedded Systems Programming Signaling (Module 24) Yann-Hang Lee Arizona State University

Embedded Systems Programming Signaling (Module 24) Yann-Hang Lee Arizona State University yhlee@asu.edu (480) 727-7507 Summer 2014 Real-time Systems Lab, Computer Science and Engineering, ASU Signals A signal is an event generated by OS

470 views • 8 slides

More recommend