monitoring massive network traffic using bayesian
play

Monitoring Massive Network Traffic using Bayesian Inference David - PowerPoint PPT Presentation

Mar 26, 2024 •35 likes •535 views

Monitoring Massive Network Traffic using Bayesian Inference David Rodriguez Cisco Systems, Inc. Senior Research Engineer November 7, 2018 Team Dhia Mahjoub Scott Sitar Gilad Ranier Matt Foley Irwin Fule-Ver Skyler Hawthorne Thomas

  1. Monitoring Massive Network Traffic using Bayesian Inference David Rodriguez Cisco Systems, Inc. Senior Research Engineer November 7, 2018

  2. Team Dhia Mahjoub Scott Sitar Gilad Ranier Matt Foley Irwin Fule-Ver Skyler Hawthorne Thomas Matthew Table: We are the research-engineering team implementing algorithms and maintaining the DNS threat intelligence to the Cisco Umbrella product.

  3. Table of contents Observe Signals Generate Signals Fit Fast Fit Many Fit Over Time Measure Risk

  4. Plan Observe Signals Generate Signals Fit Fast Fit Many Fit Over Time Measure Risk

  5. Signals of Threats Phishing Figure: 071867.vps-10.com

  6. Heuristic Fallout Figure: The combinatorial explosion of query patterns highlight patterns with zero queries. Also, notice, some patterns are similar if permuted.

  7. Here’s the Problem Detecting anomalies associated with threats are hard to determine if 1 : ◮ the domain has previous query volume ◮ there is large variations in query volume ◮ there are gaps between periods with query volume 1 we could also mention there are difficulties in modeling non-stationary time-series

  8. Plan Observe Signals Generate Signals Fit Fast Fit Many Fit Over Time Measure Risk

  9. Be the Adversary Question What if roles were reversed? Rather than observing, you were asked to generate malicious traffic.

  10. Be the Adversary Question What if roles were reversed? Rather than observing, you were asked to generate malicious traffic. You might need some tools, but that’s not a problem.

  11. Common Discrete Distributions Observation If you can generate a random number then you can definitely generate any one of these: ◮ Geom ( p ) - the geometric ◮ Pois ( λ ) - the poisson ◮ Bin ( n , p ) - the binomial ◮ NB ( n , p ) - the negative binomial

  12. Common Discrete Distributions 2 Figure: Clockwise starting top left: geometric, poisson, negative binomial, and binomial distributions. For given parameters 100 samples generated per distribution. 2 likely not seen in the real traffic

  13. Common Discrete Distributions 3 Figure: Example query volume to jd.com over the last 30 days is bimodal and therefore not one of the previous distributions. 3 likely not seen in the real traffic

  14. Mixtures of Discrete Distributions We can mix distributions. 4 Zero Inflated Distributions f ( x ; θ ) = ψ I 0 + (1 − ψ ) g ( x ; θ ) (1) where I 0 is an indicator variable at zero, ψ ∈ [0 , 1], and g ( x ; θ ) is any discrete distribution from the previous slide. 4 be careful to maintain the properties of a probability distribution

  15. Spam Filtering as Mixtures of Distributions 5 Figure: Other applications using mixtures of distributions are spam filters where spam and ham can be seen a web topics . Certain words appear more frequently within topics. [2] 5 Think of an equation like this: f ( x ) = � n i ψ i f i ( x ) where � i ψ i = 1

  16. Zero Inflated Simulations Puzzle Pick an urn with probability p . If you pick urn A draw 0. If you pick urn B draw a number from a negative binomial distribution. Start over.

  17. Zero Inflated Simulations Figure: Picking a zero with probability p otherwise picking a number from a negative binomial.

  18. 24 Hour Simulations Figure: Zero-Inflated Poissons ( Zip ) Figure: Zero-Inflated Negative with ψ = . 30 along with Binomials ( Zinb ): λ = 5 , 10 , 20 , 30 ψ = . 3 , n = 10 , p = . 01 , . 3 , . 4 , . 6

  19. Real World versus Simulations Admittedly, our little game has limitations. Puzzle Consider hourly counts from one day to known botnets, phishing, dns-tunneling. Suppose, the order of the hours don’t matter, can we simulate daily traffic with a Zinb ( ψ, p , n )? 6 6 for some ψ, p , n that we can choose.

  20. Simulating Malicious Traffic 7 Figure: Botnet domain a1a79b359237e.hosting with Zinb (0 . 13 , 0 . 45 , 3 . 24) Figure: Phishing domain support-globomail.com with Zinb (0 . 50 , 0 . 25 , 2 . 01) 7 Images on left real the right simulated

  21. Simulating Malicious Traffic 8 Figure: Phishing domain universal-ads.com with Zinb (0 . 83 , 0 . 39 , 9 . 07) Figure: Phishing domain clientes-moopixel.com with Zinb (0 . 10 , 0 . 41 , 17 . 81) 8 Image on left real the right simulated

  22. Simulation Fit Note Be skeptical, just because a simulation looked good once, it might have been rare.

  23. Measure of Fit to Malicious Traffic Figure: a1a79b359237e.hosting Figure: support-globomail.com Figure: universal-ads.com Figure: clientes-moopixel.com Figure: QQ -Plots where tighter bands provide evidence the simualated data agrees with the observed. Wider bands, show more uncertainty.

  24. Plan Observe Signals Generate Signals Fit Fast Fit Many Fit Over Time Measure Risk

  25. Rainier Bayes on the JVM Rainier supported by Stripe, Inc. 9 and authored by Avi Bryant 10 is an open-source Bayesian Inference project written in Scala. The appeal of this project is: ◮ functional API with higher order function abstractions ◮ efficient hierarchical model fitting for datasets fitting in memory ◮ community of collaborators working on problems related to predictive modeling and risk and fraud detection 9 https://stripe.com 10 https://twitter.com/avibryant

  26. Bayesian Inference and Monte Carlo Simulations Figure: Bayesian inference is iterative process of drawing samples from priors (sometimes accepting and rejecting the sample) then updating a posterior distribution. There are variety of sampling algorithms: Gibb, No U-Turn (NUTS), Leap Frog , etc.

  27. Example Bayesian Sampling[1] via Gibbs sampling Bayesian Sampling with data-augmentation 1: procedure Gibbs Sampler ⊲ Estimating ψ and θ ψ (0) ← u 0 ⊲ u 0 ∼ Uniform (0 , 1) 2: θ (0) ← θ 0 ⊲ random θ 0 3: for t ← 1 , . . . do 4: Generate z ( t ) ( i = 1 , . . . , n ) from ( j = 1 , . . . , k ) 5: i P ( z ( t ) = j | ψ ( t − 1) , θ ( t − 1) , x i ) ∝ ψ ( t − 1) f ( x i | θ ( t − 1) ) 6: i j j j j Generate ψ ( t ) from π ( ψ | z ( t ) ) 7: Generate θ ( t ) from π ( θ | z ( t ) , x ) 8: end for 9: return ψ ( n ) , θ ( n ) 10: 11: end procedure

  28. Sampling from Mixtures Figure: Two Zinb ( ψ, p , n ) where the parameters ψ, p , n have different prior distributions.Some priors are considered non-informative and should be handled carefully.

  29. Hello Rainier Listing 1: Fitting Zero Inflated Negative Binomial in Rainier 1 import com.stripe.rainier.core. { NegativeBinomial, LogNormal, Beta } 2 import com.stripe.rainier.sampler. { RNG, ScalaRNG } 3 4 case class Zinb(psi: Double, p: Double, n: Double) 5 6 object ZinbMCMC extends Serializable { 7 implicit val rng: RNG = ScalaRNG(1527608515939L) 8 9 def fit(data: Seq[Int]): Zinb = { 10 val priors = for { 11 p < − Beta(2, 5).param 12 n < − LogNormal(0, 1).param 13 } yield (p, n) 14 15 val psi = for { 16 (p, n) < − priors 17 psi < − Beta(2, 2).param 18 fit < − NegativeBinomial(p, n).zeroInflated(psi).fit(data) 19 } yield psi 20 21 // ... your decide 22 // ... call priors.sample() or psi.sample() for sequence of values 23 24 Zinb(fitPsi, fitP, fitN) 25 } 26 }

  30. Plan Observe Signals Generate Signals Fit Fast Fit Many Fit Over Time Measure Risk

  31. Massive Parallelization Trick Using Apache Spark we can distribute our simulations and run as many as we would like in parallel. 11 11 http://spark.apache.org

  32. Massive Parallelization Figure: Passing chunks of the file(s) into rdd partitions, in Spark, distributes the Rainier simulations.

  33. Puzzle Given a file where each row contains a (domain, day, Seq[Int]) write a program using Rainier to fit a zero inflated negative binomial distribution.

  34. Hello Spark and Rainier 12 Listing 2: Dispatching the Zinb simulation (to days worth simulating) . 1 trait Event { 2 val name: String 3 val time: String 4 } 5 6 case class Dormant(name: String, time: String) extends Event 7 case class Singleton(name: String, time: String, value: Int) extends Event 8 case class MultiState(name: String, time: String, values: Seq[Int]) extends Event 9 10 def zinbDispatcher(event: Event): Zinb = { 11 event match { 12 case Dormant( , ) = > Zinb(0.0, 0.0, 0.0) 13 case Singleton( , , value) = > Zinb(1/2.40, 1/2, value ∗ 2) 14 case MultiState( , , values) = > ZinbMCMC.fit(values) 15 } 16 } 12 Completing the example: sc.textFile(pathToFile).map(assignState).map(zinbDispatcher)

  35. Gotcha Common errors occur with serialization of the rainier simulations. The previous example, not by accident, wrapped the Zinb simulation in a Serializable object. Another possibility, is to use: com.twitter.chill.Meatlocker(f) chill is shipped with Spark .

  36. Plan Observe Signals Generate Signals Fit Fast Fit Many Fit Over Time Measure Risk

  37. Scheduling the Processing Major challenges in deciding: ◮ How many minutes/hours/days should be fit . ◮ How long between fitting each signal.

  38. Scheduling Windows Figure: Some simulations can be run at non-overlapping intervals, overlapping intervals, and varied time windows.

  39. Notes on Aggregation and Disaggregation Note The idea of aggreagation over a large window of time that is subsequently compared to an aggregation over a small window of time has been studied in problems related to itermittant demand. [4]

  40. Plan Observe Signals Generate Signals Fit Fast Fit Many Fit Over Time Measure Risk

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Building a Bayesian Network 223 / 385 The construction of a Bayesian network Construction of a

Building a Bayesian Network 223 / 385 The construction of a Bayesian network Construction of a

Chapter 5: Building a Bayesian Network 223 / 385 The construction of a Bayesian network Construction of a Bayesian network for an application domain involves three different tasks: to identify the ( random ) variables and their values;

2.11k views • 162 slides
The Bayesian Network Framework 89 / 384 The network formalism, informal A Bayesian network

The Bayesian Network Framework 89 / 384 The network formalism, informal A Bayesian network

Chapter 4: The Bayesian Network Framework 89 / 384 The network formalism, informal A Bayesian network combines two types of domain knowledge to represent a joint probability distribution: qualitative knowledge: a (minimal) directed I-map

1.63k views • 134 slides
Exact inference (Ch. 14) Bayesian Network A Bayesian network (Bayes net) is: (1) a directed

Exact inference (Ch. 14) Bayesian Network A Bayesian network (Bayes net) is: (1) a directed

Exact inference (Ch. 14) Bayesian Network A Bayesian network (Bayes net) is: (1) a directed graph (2) acyclic Additionally, Bayesian networks are assumed to be defined by conditional probability tables (3) P(x | Parents(x) ) We have actually

673 views • 28 slides
Bayes Nets (Ch. 14) Announcements Homework 1 posted Bayesian Network A Bayesian network (Bayes

Bayes Nets (Ch. 14) Announcements Homework 1 posted Bayesian Network A Bayesian network (Bayes

Bayes Nets (Ch. 14) Announcements Homework 1 posted Bayesian Network A Bayesian network (Bayes net) is: (1) a directed graph (2) acyclic Additionally, Bayesian networks are assumed to be defined by conditional probability tables (3) P(x |

463 views • 32 slides
Enterprise-Level Network Traffic Analysis and Security Monitoring Martin Arlitt and Carey

Enterprise-Level Network Traffic Analysis and Security Monitoring Martin Arlitt and Carey

Enterprise-Level Network Traffic Analysis and Security Monitoring Martin Arlitt and Carey Williamson Department of Computer Science University of Calgary Outline Introduction (Carey: 20 minutes) Internet TCP/IP protocol stack

959 views • 48 slides
Applying Predicate Logic to Monitoring Network Traffic Wolfgang Schreiner

Applying Predicate Logic to Monitoring Network Traffic Wolfgang Schreiner

Applying Predicate Logic to Monitoring Network Traffic Wolfgang Schreiner Wolfgang.Schreiner@risc.jku.at Research Institute for Symbolic Computation (RISC) Johannes Kepler University, Linz, Austria http://www.risc.jku.at Joint work with Temur

901 views • 30 slides
A Unified Monitoring Framework for Energy Consumption and Network Traffic Florentin Clouet, Simon

A Unified Monitoring Framework for Energy Consumption and Network Traffic Florentin Clouet, Simon

A Unified Monitoring Framework for Energy Consumption and Network Traffic Florentin Clouet, Simon Delamare, Jean-Patrick Gelas, Laurent Lefvre, Lucas Nussbaum, Clment Parisot, Laurent Pouilloux, Franois Rossigneux Grid5000 1 / 16

578 views • 21 slides
Wireless Network Monitoring Using Coordinated Sampling Chris McDonald (The University of Western

Wireless Network Monitoring Using Coordinated Sampling Chris McDonald (The University of Western

Wireless Network Monitoring Using Coordinated Sampling Chris McDonald (The University of Western Australia) Udayan Deshpande and David Kotz (Dartmouth College) Effective monitoring of wireless network traffic, using commodity hardware, is a

321 views • 21 slides
Random access and massive wireless networks Philippe Jacquet Nokia Bell Labs Terminal network

Random access and massive wireless networks Philippe Jacquet Nokia Bell Labs Terminal network

Random access and massive wireless networks Philippe Jacquet Nokia Bell Labs Terminal network interface model Packets internally generated Network interface buffer Network interface Server (one packet max) Traffic Poisson model Finite

601 views • 38 slides
Network Traffic Monitoring &amp; Analysis with GPUs Wenji Wu,

Network Traffic Monitoring &amp; Analysis with GPUs Wenji Wu,

Network Traffic Monitoring &amp; Analysis with GPUs Wenji Wu, Phil DeMar wenji@fnal.gov, demar@fnal.gov GPU Technology Conference 2013 March 18-21, 2013

605 views • 24 slides
Pentest Accountability By Analyzing Network Traffic &amp; Network Traffic Metadata RP1

Pentest Accountability By Analyzing Network Traffic &amp; Network Traffic Metadata RP1

Pentest Accountability By Analyzing Network Traffic &amp; Network Traffic Metadata RP1 Presentation By Henk van Doorn &amp; Marko Spithoff Relevance Security Audits Company Detects (Attempted) Breach Accountability Of Actions 2

337 views • 22 slides
Monitoring and analyzing audio, video, and multimedia traffic on the network Slavko Gajin

Monitoring and analyzing audio, video, and multimedia traffic on the network Slavko Gajin

Monitoring and analyzing audio, video, and multimedia traffic on the network Slavko Gajin slavko.gajin@ rcub.bg.ac.rs AMRES Academic Network of Serbia AMRES Academic Network of Serbia RCUB - Belgrade University Computer Center ETF

619 views • 26 slides
Bayesian networks (2) Lirong Xia Last class Bayesian networks compact, graphical

Bayesian networks (2) Lirong Xia Last class Bayesian networks compact, graphical

Bayesian networks (2) Lirong Xia Last class Bayesian networks compact, graphical representation of a joint probability distribution conditional independence 2 Bayesian network Definition of Bayesian network (Bayes net or

674 views • 23 slides
One Sketch to Rule Them All: Rethinking Network Flow Monitoring with UnivMon Zaoxing Liu, Antonis

One Sketch to Rule Them All: Rethinking Network Flow Monitoring with UnivMon Zaoxing Liu, Antonis

One Sketch to Rule Them All: Rethinking Network Flow Monitoring with UnivMon Zaoxing Liu, Antonis Manousis, Greg Vorsanger, Vyas Sekar, and Vladimir Braverman Many Monitoring Requirements Traffic Engineering Anomaly Detection Flow Size

511 views • 28 slides
Beyond Uniform Priors in Bayesian Network Structure Learning (for Discrete Bayesian Networks)

Beyond Uniform Priors in Bayesian Network Structure Learning (for Discrete Bayesian Networks)

Beyond Uniform Priors in Bayesian Network Structure Learning (for Discrete Bayesian Networks) Marco Scutari scutari@stats.ox.ac.uk Department of Statistics University of Oxford April 5, 2017 Bayesian Network Structure Learning Learning a BN

536 views • 26 slides
Tracking Inverse Distributions of Massive Data Streams Graham Cormode cormode@bell-labs.com

Tracking Inverse Distributions of Massive Data Streams Graham Cormode cormode@bell-labs.com

Tracking Inverse Distributions of Massive Data Streams Graham Cormode cormode@bell-labs.com Network Monitoring RNC Enterprise Wireless IMS Network AS HSS PSTN CSCF Cable, DSL PSTN Todays converged networks bring many new challenges

549 views • 36 slides
A SURVEY DENIS KHRYASHCHEV, GRADUATE CENTER, CUNY, OCTOBER 2018 MOTIVATION Often datasets

A SURVEY DENIS KHRYASHCHEV, GRADUATE CENTER, CUNY, OCTOBER 2018 MOTIVATION Often datasets

PATTERN DISCOVERY IN TIME SERIES A SURVEY DENIS KHRYASHCHEV, GRADUATE CENTER, CUNY, OCTOBER 2018 MOTIVATION Often datasets represent processes that take place over long periods of time. Their outputs are measured at regular time intervals

619 views • 46 slides
6 and 8 Times Table and Division Facts Diving into Mastery Guidance for Educators Diving Deeper

6 and 8 Times Table and Division Facts Diving into Mastery Guidance for Educators Diving Deeper

6 and 8 Times Table and Division Facts Diving into Mastery Guidance for Educators Diving Deeper Deepest Aim This week we are really focusing on securing the 6 and 8 multiplication tables . It is really important to be able to recall these

198 views • 16 slides
Route testing dialer Break through your data What is a dialer? The route testing dialer route

Route testing dialer Break through your data What is a dialer? The route testing dialer route

Route testing dialer Break through your data What is a dialer? The route testing dialer route testing dialer is a software module that lets you test quality of routes quality of routes provided by your vendors by automatically dialing

362 views • 10 slides
Patent Breakout IIB: Patenting Tomorrows Data Security Technology: Navigating the PTO in a

Patent Breakout IIB: Patenting Tomorrows Data Security Technology: Navigating the PTO in a

Patent Breakout IIB: Patenting Tomorrows Data Security Technology: Navigating the PTO in a Post-Alice Environment&quot; Theodore Wood Parks Wood LLC 5 June 2015 By: T he o do re Wo o d Dr. Ma rc Da ndin 1 Ove r vie w Curso ry

251 views • 23 slides
I In recent years, regarding to basic progresses in design of integrated orbits, wireless

I In recent years, regarding to basic progresses in design of integrated orbits, wireless

Vol. 1(3), Oct. 2015, pp. 227-233 Presentation of an Optimum Routing Template in Wireless Sensor Networks (WSNs) Based on Imperialist Competitive Algorithm Mohammad Gharary, Javad Vahidi Computer MSc student, PHD analysis of algorithms Phone

686 views • 7 slides
Calibration of GHRS Burst Noise Rejection Techniques E. A. Beaver 1 , R. D. Cohen 1 , A. Diplas 1 ,

Calibration of GHRS Burst Noise Rejection Techniques E. A. Beaver 1 , R. D. Cohen 1 , A. Diplas 1 ,

Calibration of GHRS Burst Noise Rejection Techniques E. A. Beaver 1 , R. D. Cohen 1 , A. Diplas 1 , H. Garner 2 , S. R. Heap 3 M. Loveland 1 and R. D. Robinson 4 Abstract For observing very faint objects with the GHRS, the limiting magnitude is

385 views • 12 slides
Under Pressure: How Economic and Regulatory Strains Threaten to Undermine Tribal Gaming

Under Pressure: How Economic and Regulatory Strains Threaten to Undermine Tribal Gaming

Under Pressure: How Economic and Regulatory Strains Threaten to Undermine Tribal Gaming Christine M. Masse Partner Miller Nash LLP Partial Chapter Excerpt Introduction An industry once thought to be recession-proof is showing that no industry

341 views • 5 slides
P a r s i n g J S O N R e a l l y Q u i c k l y : L e s s o n s L e a r n e d D a n i e l L e m i r

P a r s i n g J S O N R e a l l y Q u i c k l y : L e s s o n s L e a r n e d D a n i e l L e m i r

P a r s i n g J S O N R e a l l y Q u i c k l y : L e s s o n s L e a r n e d D a n i e l L e m i r e b l o g : h t t p s : / / l e m i r e . m e t w i t t e r : @ l e m i r e G i t H u b : h t t p s : / / g i t h u b . c o m / l e m i r e / p ro fe

792 views • 63 slides

More recommend