network host classification using statistical analysis of
play

Network Host Classification Using Statistical Analysis of Flow Data - PowerPoint PPT Presentation

Mar 09, 2023 •273 likes •460 views

Network Host Classification Using Statistical Analysis of Flow Data Alex Kent, Mike Fisk, Eugene Gavrilov Los Alamos National Laboratory Overview and Objectives Host/IP address profiling based on flow data over some time interval 10

  1. Network Host Classification Using Statistical Analysis of Flow Data Alex Kent, Mike Fisk, Eugene Gavrilov Los Alamos National Laboratory

  2. Overview and Objectives  Host/IP address profiling based on flow data over some time interval • 10 minutes to 7 days have been examined with 24 hours providing repetitively stationary results • Generate histograms of peer hosts, source ports, and destination ports over the time interval • Compute Shannon entropy values for the 3 dimensions  Outcomes: • Provide IP behavior “snapshots” of individual hosts • Allow comparison of behavior through clustering • Build models over large host sets in real-time

  3. Source / Destination Port Variance Does not provide an effective representation of categorical data sets

  4. Sample (simplified) Histogram of Flow Data Host A Cumulative bytes Cumulative packets Cumulative sessions Peer A 34958 324 54 3948 132 13 Peer B Peer C 231 43 9 Peer D 5675 123 29 Src Port 1 2358 77 32 Src Port 2 13246 345 67 Src Port 3 1231 75 12 Dst Port 1 54467 5653 199 Dst Port 2 563 345 1 Host B Peer X 842 347 23 Peer Y 23879 3452 874 Peer Z 9463 232 78 ... ... ... ... ...

  5. Shannon Entropy Using Packet Count Histograms where  Computed for host peers, source ports, and destination ports time-delineated histograms leveraging byte, packet, and session totals • Packet histograms/entropy calculation favored in final analysis • Since base 2: port entropy will be 0-16, peer 0-32 (IPv4)

  6. Sample Entropy Calculation For Host A: Cumulative packets Pi Packets Pi * log2( Pi ) Entropy Peer A 324 0.52 -0.49 Peer B 132 0.21 -0.47 Peer C 43 0.07 -0.27 Peer D 123 0.20 -0.46 1.69 Src Port 1 77 0.15 -0.42 Src Port 2 345 0.69 -0.37 Src Port 3 75 0.15 -0.41 1.19 Dst Port 1 5653 0.94 -0.08 Dst Port 2 345 0.06 -0.24 0.32

  7. Visual Example of Low/High Entropy Low Entropy Example High Entropy Example

  8. Data Overview  Uses generic flow data • Required fields: – SRC IP, DST IP, SRC Port, DST Port, Protocol, Packets, Bytes  Los Alamos unclassified network primarily over 24 hours (inclusive of a work day) • Approximately 200 million flows analyzed • 17,326 unique internal (Los Alamos) IP’s observed • Day-to-day traffic very consistent

  9. Destination Port / Peer Entropy Peer Host Entropy Destination Port Entropy

  10. Source Port / Peer Entropy Peer Host Entropy Source Port Entropy

  11. Source Port / Destination Port Entropy Destination Port Entropy Source Port Entropy

  12. Source/Destination Port Entropy Clustering Destination Port Entropy Source Port Entropy

  13. Entropy Clustering w/ 3 Dimensions Destination Port Entropy Source Port Entropy

  14. Interesting Clusters (<50) 749 Hosts (4.3% of total) Destination Port Entropy Source Port Entropy

  15. Interesting Clusters (b) Source port versus Peers Peer Host Entropy Source Port Entropy

  16. Major Servers Host Local Port EntRemote Port EntPeer Ent Cluster SMS 1 1.04 11.61 11.78 42 SMS 2 1.13 11.67 11.82 42 Int W W W 1.24 11.97 11.49 42 ActiveDir 1 2.7 11.52 11.96 42 ActiveDir 2 4.41 10.09 9.98 46 ActiveDir 3 2.86 10.62 10.56 46 DNS 1 1.76 9.76 9.11 5 DNS 2 0.74 12.5 9.99 13 VulnScanner 12.08 8.62 8.99 8 MailRelay 1 7.4 5.12 4.31 36 MailRelay 2 7.42 5.05 4.29 36 MailRelay 3 7.58 5.13 4.45 36

  17. Clusters C32 & C56 Bad Behavior (worm variants) Host IP Local Port EntRemote Port EntPeer Ent Remote Host A 11.45 0.79 11.89 Remote Host B 10.18 1.06 9.84 Internal Host A 10.32 1.26 9.87 Internal Host B 10.89 0.79 11.01 Remote Host C 10.83 1.77 10.46 Remote Host D 11.71 0.45 13.67 Remote Host E 11.04 0.65 10.8 Remote Host F 11.93 0.15 15.72

  18. Current, On-going Work  Demonstrated 1 million+ flows/minute processing on single system • Redesigning, porting system to map/reduce architecture for improved scaling and distributed processing  Integrating additional network flow data types (e.g. custom perimeter collected flows)  Static centroids for comparing host movements between k-means clusters • Enable predefined clusters, cluster definitions, and host movement between clusters  Histogram merging that allows graceful data aging for continuous data feed and anomaly detection  Application of novel change detection and machine learning across time series output

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Probabilistic Foundations of Statistical Network Analysis Chapter 5: Statistical modeling paradigm

Probabilistic Foundations of Statistical Network Analysis Chapter 5: Statistical modeling paradigm

Probabilistic Foundations of Statistical Network Analysis Chapter 5: Statistical modeling paradigm Harry Crane Based on Chapter 5 of Probabilistic Foundations of Statistical Network Analysis Book website: http://www.harrycrane.com/networks.html

443 views • 31 slides
Probabilistic Foundations of Statistical Network Analysis Chapter 3: Network sampling Harry Crane

Probabilistic Foundations of Statistical Network Analysis Chapter 3: Network sampling Harry Crane

Probabilistic Foundations of Statistical Network Analysis Chapter 3: Network sampling Harry Crane Based on Chapter 3 of Probabilistic Foundations of Statistical Network Analysis Book website: http://www.harrycrane.com/networks.html Harry Crane

375 views • 18 slides
Probabilistic Foundations of Statistical Network Analysis Chapter 2: Binary relational data Harry

Probabilistic Foundations of Statistical Network Analysis Chapter 2: Binary relational data Harry

Probabilistic Foundations of Statistical Network Analysis Chapter 2: Binary relational data Harry Crane Based on Chapter 2 of Probabilistic Foundations of Statistical Network Analysis Book website: http://www.harrycrane.com/networks.html Harry

573 views • 13 slides
Statistical Network Analysis Olga Klopp MODALX, Universit e Paris Nanterre - CREST, ENSAE

Statistical Network Analysis Olga Klopp MODALX, Universit e Paris Nanterre - CREST, ENSAE

Statistical Network Analysis Olga Klopp MODALX, Universit e Paris Nanterre - CREST, ENSAE Olga Klopp (CREST - UP10) Statistical Network Analysis 1 / 7 Social Political Blog Network Problem Bisection of the graph Olga Klopp (CREST -

387 views • 9 slides
Probabilistic Foundations of Statistical Network Analysis Chapter 4: Generative models Harry

Probabilistic Foundations of Statistical Network Analysis Chapter 4: Generative models Harry

Probabilistic Foundations of Statistical Network Analysis Chapter 4: Generative models Harry Crane Based on Chapter 4 of Probabilistic Foundations of Statistical Network Analysis Book website: http://www.harrycrane.com/networks.html Harry Crane

289 views • 13 slides
Automated Task Distribution in Multicore Network Processors using Statistical Analysis Arindam

Automated Task Distribution in Multicore Network Processors using Statistical Analysis Arindam

Automated Task Distribution in Multicore Network Processors using Statistical Analysis Arindam Mallik, Yu Zhang, Gokhan Memik Electrical Engineering and Computer Science Dept. Northwestern University Network Demand Gap Gap increases with the

441 views • 21 slides
A Traffic Analysis of a Small Private Network Compromised by an On-line Gaming Host Ron McLeod,

A Traffic Analysis of a Small Private Network Compromised by an On-line Gaming Host Ron McLeod,

A Traffic Analysis of a Small Private Network Compromised by an On-line Gaming Host Ron McLeod, BCSc, MCSc. Director - Corporate Development Telecom Applications Research Alliance Doctoral Student, Faculty of Computer Science, Dalhousie

486 views • 45 slides
Probabilistic Foundations of Statistical Network Analysis Chapter 1: Orientation Harry Crane

Probabilistic Foundations of Statistical Network Analysis Chapter 1: Orientation Harry Crane

Probabilistic Foundations of Statistical Network Analysis Chapter 1: Orientation Harry Crane Based on Chapter 1 of Probabilistic Foundations of Statistical Network Analysis Book website: http://www.harrycrane.com/networks.html Harry Crane

262 views • 14 slides
Network layer (IP) Network layer Transport segment from sending to receiving host Network

Network layer (IP) Network layer Transport segment from sending to receiving host Network

Network layer (IP) Network layer Transport segment from sending to receiving host Network layer protocols in every host, router Many historical examples, but only one really matters Network layer functions 1. Connection setup 5.

1.56k views • 113 slides
Foundations: Statistical Classification in Natural Language Processing Dietrich Klakow What is

Foundations: Statistical Classification in Natural Language Processing Dietrich Klakow What is

Foundations: Statistical Classification in Natural Language Processing Dietrich Klakow What is Classification? Classification: telling things apart 2 Introduction 3 Spam/junk/bulk Emails The messages you spend your time with just to

484 views • 45 slides
STA 214: Probability &amp; Statistical Models STA 214: Analysis of Statistical Models

STA 214: Probability &amp; Statistical Models STA 214: Analysis of Statistical Models

STA 214: Probability &amp; Statistical Models STA 214: Analysis of Statistical Models Probability/Statistical Models: Theory prob/math stats Simulation samples of y ( | ) p y Statistical analysis: Computation: Likelihood

250 views • 11 slides
Exponential Random Graph Models for (Social) Network Data Analysis - Statistical Models for

Exponential Random Graph Models for (Social) Network Data Analysis - Statistical Models for

Outline Exponential Random Graph Models for (Social) Network Data Analysis - Statistical Models for (Social) Network Data p 0 , p 1 , p 2 and and p* Overview, Challenges, Research Problems Graphons and Networks ERGM, bERGM, tERGM,

224 views • 9 slides
Detecting Advanced Network Threats Using a Similarity Search AIMS 2016 Wednesday 22 nd June, 2016

Detecting Advanced Network Threats Using a Similarity Search AIMS 2016 Wednesday 22 nd June, 2016

Detecting Advanced Network Threats Using a Similarity Search AIMS 2016 Wednesday 22 nd June, 2016 Milan ermk Pavel eleda State of the Art of Network Data Analysis Methods classification based on the detection approach Statistical Soft

215 views • 17 slides
LO-PH Low-Observable Physical Host Instrumentation for Malware Analysis Chad Spensky ,

LO-PH Low-Observable Physical Host Instrumentation for Malware Analysis Chad Spensky ,

LO-PH Low-Observable Physical Host Instrumentation for Malware Analysis Chad Spensky , Hongyi Hu and Kevin Leach cspensky@cs.ucsb.edu hongyihu@alum.mit.edu kjl2y@virginia.edu lophi@mit.edu The Network and

532 views • 24 slides
Statistical analysis of the social network &amp; discussion threads in Slashdot Vicen Gmez

Statistical analysis of the social network &amp; discussion threads in Slashdot Vicen Gmez

Statistical analysis of the social network &amp; discussion threads in Slashdot Vicen Gmez Andreas Kaltenbrunner Vicente Lpez Barcelona Media Innovation Center (BM) Barcelona, Spain Department of Information and Comunication

482 views • 23 slides
Statistical NLP Spring 2011 Lecture 11: Classification Dan Klein UC Berkeley Classification

Statistical NLP Spring 2011 Lecture 11: Classification Dan Klein UC Berkeley Classification

Statistical NLP Spring 2011 Lecture 11: Classification Dan Klein UC Berkeley Classification Automatically make a decision about inputs Example: document category Example: image of digit digit Example: image of object

609 views • 48 slides
Delek US Holdings, Inc. Investor Presentation September 2020 Disclaimers Forward Looking

Delek US Holdings, Inc. Investor Presentation September 2020 Disclaimers Forward Looking

Delek US Holdings, Inc. Investor Presentation September 2020 Disclaimers Forward Looking Statements: Delek US Holdings, Inc. (Delek US) and Delek Logistics Partners, LP (Delek Logistics; and collectively with Delek US, we or

557 views • 44 slides
3D Sound GWU Why Sound? Emotional Impact Improved Presence Situational Awareness

3D Sound GWU Why Sound? Emotional Impact Improved Presence Situational Awareness

3D Sound GWU Why Sound? Emotional Impact Improved Presence Situational Awareness Sensory Substitution Better Graphics Product Recognition GWU 3D Sound: Rendering Pipeline Emitter Model How we represent

896 views • 52 slides
Medication errors detected among spontaneously reported ADRs to HALMED Viola Macoli arini

Medication errors detected among spontaneously reported ADRs to HALMED Viola Macoli arini

Medication errors detected among spontaneously reported ADRs to HALMED Viola Macoli arini Prague , 28.10.2015. For public health 2 Aim of the study The objective of the study was to: identify, evaluate and describe

546 views • 16 slides
Thermodynamics Slide 3 / 93 Slide 4 / 93 First Law of Thermodynamics Chemical Thermodynamics

Thermodynamics Slide 3 / 93 Slide 4 / 93 First Law of Thermodynamics Chemical Thermodynamics

Slide 1 / 93 Slide 2 / 93 Thermodynamics Slide 3 / 93 Slide 4 / 93 First Law of Thermodynamics Chemical Thermodynamics Recall a system is a portion of the universe that has been The Golden Gate Bridge is painted regularly to slow chosen for

530 views • 21 slides
Shore Protection BROWARD COUNTY SOLICITATION T2112588P1 1 Atkins Team Overview Atkins

Shore Protection BROWARD COUNTY SOLICITATION T2112588P1 1 Atkins Team Overview Atkins

8/16/2017 Coastal Engineering Consultant Services for Segment III Shore Protection BROWARD COUNTY SOLICITATION T2112588P1 1 Atkins Team Overview Atkins originated in Miami in 1960 Leader Integrating Coastal Science and Engineering

676 views • 11 slides
Game Preserve Stormwater Management Retrofit Projects Stormwater Management Retrofit Projects

Game Preserve Stormwater Management Retrofit Projects Stormwater Management Retrofit Projects

Game Preserve Stormwater Management Retrofit Projects Stormwater Management Retrofit Projects January 7, 2014 Public Meeting Montgomery County Department of Environmental Protection Watershed Management Division T d Todays Agenda A d

631 views • 16 slides
Health Insurance Oct. 2017 Presentation by: Betsy Imholz, Consumers Union National Conference of

Health Insurance Oct. 2017 Presentation by: Betsy Imholz, Consumers Union National Conference of

Presidents Executive Order on Health Insurance Oct. 2017 Presentation by: Betsy Imholz, Consumers Union National Conference of Insurance Legislators Annual Meeting Phoenix, Nov. 18, 2017 3 main parts of Executive Order Association Health

513 views • 7 slides
A 21 st Century Vision for Sustainable Forestry Higher Education Trends B. Bruce Bare, Dean

A 21 st Century Vision for Sustainable Forestry Higher Education Trends B. Bruce Bare, Dean

A 21 st Century Vision for Sustainable Forestry Higher Education Trends B. Bruce Bare, Dean College of Forest Resources University of Washington Seattle, WA 98195-2100 WFPA Annual Meeting -- November 15, 2007 1 Changes Effecting the

619 views • 17 slides

More recommend