evaluation of anomaly detection method based on pattern
play

Evaluation of Anomaly Detection Method based on Pattern Recognition - PowerPoint PPT Presentation

Oct 18, 2022 •245 likes •443 views

Evaluation of Anomaly Detection Method based on Pattern Recognition Romain Fontugne The Graduate University for Advanced Studies Yosuke Himura The University of Tokyo Kensuke Fukuda National Institute of Informatics CNRS-Wide

  1. Evaluation of Anomaly Detection Method based on Pattern Recognition ● Romain Fontugne The Graduate University for Advanced Studies ● Yosuke Himura The University of Tokyo ● Kensuke Fukuda National Institute of Informatics CNRS-Wide 02-03/03/2009 1

  2. Outline ● Motivation ● Temporal-spatial structure of anomaly ● Pattern-recognition-based method – Hough transform ● Parameter space ● MAWI database ● Study case ● Conclusion CNRS-Wide 02-03/03/2009 2

  3. Motivation (1) ● Network traffic anomaly: – Misconfigurations, failure, network attacks ● Side effects: – Bandwidth consuming – Weaken network performance – Harmful traffic – Alter the traffic's characteristics CNRS-Wide 02-03/03/2009 3

  4. Motivation (2) ● Difficulties: – Huge amount of data – Variety of anomalous traffic – Identification of tiny flows ● Anomaly detection method: – Usually treated as a statistical problem ● Evaluate the main characteristics of traffic ● Discriminate traffic with singularities CNRS-Wide 02-03/03/2009 4

  5. Temporal-spatial structure of anomaly (darknet) ● Unwanted s s e traffic r d d a n o ● Linear i t a n i structures t s e D ● Unusual t r distribution o p e of traffic c r u feature o S CNRS-Wide 02-03/03/2009 5 Time

  6. Temporal-spatial structure of anomaly (MAWI) Destination address ● Samplepoint-F: – 2009/02/21 ssh Source port s s e r d d a n o i t a n i t s e CNRS-Wide 02-03/03/2009 6 D ssh http

  7. Pattern-recognition-based method ● Identification of linear structures in pictures: – Generate pictures from traffic – Hough transform – Retrieve packet information – Report anomalies CNRS-Wide 02-03/03/2009 7

  8. Hough transform ● Voting procedure – Points elects lines – Polar coordinates ρ = x · cos θ + y · sin θ – Hough space Original picture ● Identify line means extract max in the Hough space – Relative threshold CNRS-Wide 02-03/03/2009 8 Hough space

  9. Parameter space ● Hough parameter: – Weight for the voting procedure – Threshold to determine candidate line ● Picture resolution: – Time bin – Size of pictures CNRS-Wide 02-03/03/2009 9

  10. Evaluation of parameter space ● Heuristics: – suspected = false positive + unknown ● Prob. of suspected = suspected / total anomalies – Lower is better CNRS-Wide 02-03/03/2009 10

  11. MAWI database ● Samplepoint-B: – From 2001/01 to 2006/06 CNRS-Wide 02-03/03/2009 11

  12. Study case: sasser infection ● Gamma modeling vs. Pattern recognition (2004/08/01) Gamma modeling-based method tuned to detect the same number of anomalies ● (Includes many false positives) CNRS-Wide 02-03/03/2009 12

  13. 13 Gamma only s o u r c e p o r t p o r t e n t r o p y n b . p k t D e s t i n a t i o n i p Both p o r t e n t r o p y n b . p k t D e s t i n a t i o n i p s o u r c e p o r t CNRS-Wide 02-03/03/2009 Hough only

  14. Discussion ● Two different backgrounds – 50% of their results in common ● Detection of anomalies involving a tiny number of packets ● Identify easily network/port scans (dispersed distribution) ● Intensive uses of source port ● Gamma modelling = deeper analysis of the traffic's characteristics (highlight singular traffic) CNRS-Wide 02-03/03/2009 14

  15. Conclusion and future work ● No perfect method ● Combination of several methods ● Need of methods with different backgrounds ● Future work – Auto-tuning of parameters – Sampled data – More graphical representations – Study good combinations CNRS-Wide 02-03/03/2009 15

  16. Thank you Any questions? romain@nii.ac.jp CNRS-Wide 02-03/03/2009 16

  17. Comparison (2) Gamma Hough only only Both CNRS-Wide 02-03/03/2009 17

  18. Original data 18 n a t i o n i p s o u r c e p o r t p o r t e n t r o p y v o l u m e D e s t i CNRS-Wide 02-03/03/2009

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

An Evaluation of Effect of Packet Sampling on Anomaly Detection Method Takuya Motodate

An Evaluation of Effect of Packet Sampling on Anomaly Detection Method Takuya Motodate

An Evaluation of Effect of Packet Sampling on Anomaly Detection Method Takuya Motodate April 25, 2010 The 3rd CAIDA-WIDE-CASFI Joint Measurement Workshop @Osaka 1 2010 4 25 Background Anomaly Detection:

331 views • 20 slides
An Empirical Evaluation of Entropy- based Traffic Anomaly Detection George Nychis, Vyas Sekar,

An Empirical Evaluation of Entropy- based Traffic Anomaly Detection George Nychis, Vyas Sekar,

An Empirical Evaluation of Entropy- based Traffic Anomaly Detection George Nychis, Vyas Sekar, David Andersen, Hyong Kim, Hui Zhang Carnegie Mellon University Entropy-based Anomaly Detection Goal: detect abnormal behavior scan activity,

447 views • 34 slides
Anomaly Detection of Trajectories Junier B. Oliva Anomaly Detection An anomaly (or outlier)

Anomaly Detection of Trajectories Junier B. Oliva Anomaly Detection An anomaly (or outlier)

Anomaly Detection of Trajectories Junier B. Oliva Anomaly Detection An anomaly (or outlier) in a dataset is an instance that is abnormal or unlikely based on the rest of the dataset If the instances in the dataset are labeled as

760 views • 19 slides
Detecting Attacks Anomaly-based Detection Signature-based Signature-based (Misuse)

Detecting Attacks Anomaly-based Detection Signature-based Signature-based (Misuse)

Detecting Attacks Anomaly-based Detection Signature-based Signature-based (Misuse) Detection Intrusion Detection Host-based Network-based Boriana Ditcheva and Lisa Fowler Active/Passive University of North Carolina at

401 views • 12 slides
Anomaly Detection with State Space Models Multi-dimensional State Space Models SVD Method EM

Anomaly Detection with State Space Models Multi-dimensional State Space Models SVD Method EM

Anomaly Detection CAMCOS 2009 Introduction ADAPT Anomaly Detection with State Space Models Multi-dimensional State Space Models SVD Method EM Algorithm Kalman Filter Maja Derek, Kate Isaacs, Duncan McElfresh, Jennifer Alarm Murguia,

1.4k views • 96 slides
In Incorporating Feedback in into Tree-based Anomaly Detection Shubhomoy Das, Weng-Keen Wong,

In Incorporating Feedback in into Tree-based Anomaly Detection Shubhomoy Das, Weng-Keen Wong,

In Incorporating Feedback in into Tree-based Anomaly Detection Shubhomoy Das, Weng-Keen Wong, Alan Fern, Thomas G. Dietterich and Md Amran Siddiqui School of EECS Anomaly Detection Goal: Identify rare or strange objects 2 Anomaly

756 views • 51 slides
Learning Rules for Anomaly Detection (LERAD) of Hostile Network Traffic Matt Mahoney Overview

Learning Rules for Anomaly Detection (LERAD) of Hostile Network Traffic Matt Mahoney Overview

Learning Rules for Anomaly Detection (LERAD) of Hostile Network Traffic Matt Mahoney Overview Prior Work in Network Anomaly Detection The 1999 DARPA Intrusion Detection Evaluation Packet Header Anomaly Detection (PHAD) Application

575 views • 18 slides
Anomaly Based Network Intrusion Detection with Unsupervised Outlier Detection Jiong Zhang and

Anomaly Based Network Intrusion Detection with Unsupervised Outlier Detection Jiong Zhang and

Anomaly Based Network Intrusion Detection with Unsupervised Outlier Detection Jiong Zhang and Mohammad Zulkernine School of Computing Queens University, Kingston Ontario, Canada K7L 3N6 {zhang, mzulker} @cs.queensu.ca Abstract- Anomaly

284 views • 6 slides
Host based anomaly detection for webservers RP1 Sudesh Jethoe Overview 1. Introduction 2.

Host based anomaly detection for webservers RP1 Sudesh Jethoe Overview 1. Introduction 2.

Host based anomaly detection for webservers RP1 Sudesh Jethoe Overview 1. Introduction 2. Problem description 3. Research Questions & Method 4. Analyze 5. Solutions 6. Result 7. Conclusion Introduction Byte Internet Since 1999

295 views • 28 slides
What is an anomaly? Alastair Rushworth Data Scientist DataCamp Anomaly Detection in R Defining

What is an anomaly? Alastair Rushworth Data Scientist DataCamp Anomaly Detection in R Defining

DataCamp Anomaly Detection in R ANOMALY DETECTION IN R What is an anomaly? Alastair Rushworth Data Scientist DataCamp Anomaly Detection in R Defining the term anomaly Anomaly: a data point or collection of data points that do not follow the

870 views • 21 slides
Anomaly Detection Jia-Bin Huang Virginia Tech Spring 2019 ECE-5424G / CS-5824 Administrative

Anomaly Detection Jia-Bin Huang Virginia Tech Spring 2019 ECE-5424G / CS-5824 Administrative

Anomaly Detection Jia-Bin Huang Virginia Tech Spring 2019 ECE-5424G / CS-5824 Administrative Anomaly Detection Motivation Developing an anomaly detection system Anomaly detection vs. supervised learning Choosing what features

514 views • 34 slides
Data Mining II Anomaly Detection Heiko Paulheim Anomaly Detection Also known as Outlier

Data Mining II Anomaly Detection Heiko Paulheim Anomaly Detection Also known as Outlier

Data Mining II Anomaly Detection Heiko Paulheim Anomaly Detection Also known as Outlier Detection Automatically identify data points that are somehow different from the rest Working assumption: There are considerably

984 views • 72 slides
Data Mining II Anomaly Detection Heiko Paulheim Anomaly Detection Also known as Outlier

Data Mining II Anomaly Detection Heiko Paulheim Anomaly Detection Also known as Outlier

Data Mining II Anomaly Detection Heiko Paulheim Anomaly Detection Also known as Outlier Detection Automatically identify data points that are somehow different from the rest Working assumption: There are considerably

905 views • 74 slides
Anomaly-based Bot Server (and more!) Detection Jim Binkley jrb@cs.pdx.edu Portland State

Anomaly-based Bot Server (and more!) Detection Jim Binkley jrb@cs.pdx.edu Portland State

Anomaly-based Bot Server (and more!) Detection Jim Binkley jrb@cs.pdx.edu Portland State University Computer Science outline background experimental flow tuples botnet server mesh detection botnet client mesh detection

364 views • 23 slides
PANACEA: AUTOMATING ATTACK CLASSIFICATION FOR ANOMALY-BASED NETWORK INTRUSION DETECTION SYSTEMS

PANACEA: AUTOMATING ATTACK CLASSIFICATION FOR ANOMALY-BASED NETWORK INTRUSION DETECTION SYSTEMS

PANACEA: AUTOMATING ATTACK CLASSIFICATION FOR ANOMALY-BASED NETWORK INTRUSION DETECTION SYSTEMS DAMIANO BOLZONI, SANDRO ETALLE AND PIETER HARTEL DISTRIBUTED AND EMBEDDED SECURITY GROUP TWENTE SECURITY LAB 10+ YEARS OF RESEARCH OVER ANOMALY

160 views • 14 slides
How to Determine the Optimal Anomaly Detection Method For Your Application Cynthia Freeman

How to Determine the Optimal Anomaly Detection Method For Your Application Cynthia Freeman

How to Determine the Optimal Anomaly Detection Method For Your Application Cynthia Freeman Research Engineer Jonathan Merriman Software Engineer Background Time Series A time series is a sequence of data points indexed in order of time.

630 views • 41 slides
Improving Domain-specific Transfer Learning Applications for Image Recognition and Differential

Improving Domain-specific Transfer Learning Applications for Image Recognition and Differential

Improving Domain-specific Transfer Learning Applications for Image Recognition and Differential Equations M.Sc. Thesis in Computer Science and Engineering Candidates: Alessandro Saverio Paticchio, Tommaso Scarlatti Advisor : Prof. Marco

710 views • 42 slides
SO YOUR DESIGNER WANTS A MASTHEAD... By ChenHuiJing / @hj_chen GET IMAGE RATIO

SO YOUR DESIGNER WANTS A MASTHEAD... By ChenHuiJing / @hj_chen GET IMAGE RATIO

SO YOUR DESIGNER WANTS A MASTHEAD... By ChenHuiJing / @hj_chen GET IMAGE RATIO Ratio=Height/Width 1057/2560=0.41289or41.289% SCENARIO #1 Designerwantsthemastheadtomaintainitsaspect ratioregardlessoffscreensize.

493 views • 16 slides
Outline Markov networks (a.k.a. Markov random fields) Markov Networks Reading: Michael

Outline Markov networks (a.k.a. Markov random fields) Markov Networks Reading: Michael

Outline Markov networks (a.k.a. Markov random fields) Markov Networks Reading: Michael Jordan, Graphical Models , Statistical Science (Special November 12, 2009 Issue on Bayesian Statistics), 19, 140- CS 486/686 155, 2004. University

325 views • 4 slides
DOROTA BAYER S W I N B U R N E U N I V E R S I T Y O F T E C H N O L O G Y A S T R O 3 D M E

DOROTA BAYER S W I N B U R N E U N I V E R S I T Y O F T E C H N O L O G Y A S T R O 3 D M E

PROBING THE NATURE OF DARK MATTER WITH GALAXY-GALAXY STRONG GRAVITATIONAL LENSING DOROTA BAYER S W I N B U R N E U N I V E R S I T Y O F T E C H N O L O G Y A S T R O 3 D M E L B O U R N E 1 4 O C T O B E R 2 0 2 0 INTRODUCTION What

725 views • 46 slides
Stereo Vision 16-385 Computer Vision (Kris Kitani) Carnegie Mellon University Whats different

Stereo Vision 16-385 Computer Vision (Kris Kitani) Carnegie Mellon University Whats different

Stereo Vision 16-385 Computer Vision (Kris Kitani) Carnegie Mellon University Whats different between these two images? Objects that are close move more or less? The amount of horizontal movement is inversely proportional to The amount

738 views • 50 slides
Stereo II CSE 576 Ali Farhadi Several slides from

Stereo II CSE 576 Ali Farhadi Several slides from

Stereo II CSE 576 Ali Farhadi Several slides from Larry Zitnick and Steve Seitz Camera parameters A camera is described by several parameters Translation T of the

807 views • 62 slides
CSE 152 Section 5 HW2: Stereo Geometry April 29, 2019 Owen Jow Stereo: two views. Why is one

CSE 152 Section 5 HW2: Stereo Geometry April 29, 2019 Owen Jow Stereo: two views. Why is one

CSE 152 Section 5 HW2: Stereo Geometry April 29, 2019 Owen Jow Stereo: two views. Why is one view not sufficient? 1. Depth and Disparity 3D from a single view? Ambiguity: depth lost during projection. If you multiply by the inverse

474 views • 34 slides
Geometry and Structure from Motion Computer Vision Fall 2018 Columbia University Stereo

Geometry and Structure from Motion Computer Vision Fall 2018 Columbia University Stereo

Geometry and Structure from Motion Computer Vision Fall 2018 Columbia University Stereo epipolar lines (x 2 , y 1 ) (x 1 , y 1 ) Two images captured by a purely horizontal translating camera ( rectified stereo pair) x 2 -x 1 = the disparity

650 views • 64 slides

More recommend