SLIDE 1
David Rodriguez March 28, 2019
Rainier + Spark Time Series Modeling Anomaly Detection Masquerading DNS Traffic
Masquerading Malicious DNS Traffic Bayesian Inference, Rainier, - - PowerPoint PPT Presentation
Masquerading Malicious DNS Traffic Bayesian Inference, Rainier, - - PowerPoint PPT Presentation
Masquerading Malicious DNS Traffic Bayesian Inference, Rainier, Spark David Rodriguez March 28, 2019 The Outline Masquerading Time Series Rainier Anomaly DNS Modeling + Detection Traffic Spark The Outline Masquerading Time Series
SLIDE 2
SLIDE 3
Rainier + Spark Time Series Modeling Anomaly Detection Masquerading DNS Traffic
The Outline
SLIDE 4
Cisco Umbrella DNS Resolution
SLIDE 5
Part 1 DNS Resolution
Web Server IP Address Mail Server Many More DNS Records 180 Billion Per Day Cisco Umbrella
SLIDE 6
Part 1 Protection 101
Phishing Compromised Account Malvertising Ransomware Worms Virus
SLIDE 7
Part 1 Definition
Masquerading Traffic = Masquerading Users +
Compromised Websites
SLIDE 8
Part 1 Masquerading Users
PDF Viewer Text Editor Browsing Internet Email SSH Keys
SLIDE 9
Part 1 Compromised Websites
Compromised Server Malicious Webpage Backdoor Vulnerability Typical Visitors Phished Browser Redirect
SLIDE 10
Part 1 Masquerading DNS Traffic
Atypical Vistor Typical Vistor DNS Traffic
SLIDE 11
Part 1 Emotet Campaign
Phishing Email User Click Links or Opens Attachments to Email Links or Macros Make DNS Requests Malware Downloaded Emotet Runs Code in Process and Registers Computer with C2 Server Masquerading Traffic
SLIDE 12
Part 1 Emotet Campaign
SLIDE 13
Rainier + Spark Time Series Modeling Anomaly Detection Masquerading DNS Traffic
The Outline
SLIDE 14
Part 2 Time-Series Analysis
Expected Non-Zero Volume Expected Zero Volume Extreme Outliers
SLIDE 15
Part 2 Time-Series Analysis
Probability of Demand Expected Demand when non-zero
SLIDE 16
Part 2 Croston’s Method
Spark Volume Pipeline Spark Table Join Spark Historical Table Spark Table Note : Trended Data Store
SLIDE 17
Part 2 Bayesian Approach X Y
Probability Distribution Probability of Demand Expected Demand when non-zero
SLIDE 18
Part 2 Bayesian Approach
1 2 3 4 5 6 7 8 9 Zero Distribution Non-Zero Distribution Outliers Outliers
SLIDE 19
Part 2 Mixture Models
SLIDE 20
Part 2 Discrete Models
SLIDE 21
Part 2 Continuous Models
SLIDE 22
Rainier + Spark Time Series Modeling Anomaly Detection Masquerading DNS Traffic
The Outline
SLIDE 23
Part 3 MCMC Methods
Observations Proposed Distribution Sampling From Distribution Rejection
- f
Samples
SLIDE 24
Part 3 MCMC Methods
SLIDE 25
Part 3 Rainier ~ README
Depending on your background, you might think of Rainier as aspiring to be either: “Stan, but on the JVM”
- r
“Tensorflow, but for small data”.
SLIDE 26
Part 3 Rainier Methods
SLIDE 27
Part 3 PyMC Methods
SLIDE 28
Part 3 Rainier + Spark
JVM Rainier Spark
SLIDE 29
Part 3 Rainier + Spark
Hourly Aggregations Daily Aggregations Rainier Simulations Spark Job 150 Million Paid-Level Domains Spark Job Spark Job Filtering Heuristics
SLIDE 30
SLIDE 31
Rainier + Spark Time Series Modeling Anomaly Detection Masquerading DNS Traffic
The Outline
SLIDE 32
Part 4 Window Based
Window 1 Window 2
Rainier
Window 1 Window 2
Simulated Parameter Values Distribution Parameter Values Difference
SLIDE 33
Part 4 Window Simulations
Week 1 Week 2 Week 3 Week 4
SLIDE 34
Part 4 Outlier Window
SLIDE 35
Part 4 Local Outlier to Global
SLIDE 36
Closing Recap
Rainier + Spark Time Series Modeling Anomaly Detection Masquerading DNS Traffic
SLIDE 37
Closing Glossed Over Details
Outliers Goodness
- f
Fit
SLIDE 38
A Review of Croston's method for intermittent demand forecasting
https://www.researchgate.net/publication/254044245_A_Review_of_Croston's_method_for_intermittent_demand_forecasting
Rainier
https://github.com/stripe/rainier
PyMC3
https://docs.pymc.io/
Emotet
https://www.us-cert.gov/ncas/alerts/TA18-201A
Bokeh Plots
https://bokeh.pydata.org/en/latest/
Twitter Chill
https://github.com/twitter/chill
Closing References
SLIDE 39 Twitter
Email
Website
davidrdgz.github.io
Github
@davidrdgz
@davidrdgz
davrodr3 at cisco.com