Pattern Detection in Computer Networks Using Robust Principal - - PowerPoint PPT Presentation
Pattern Detection in Computer Networks Using Robust Principal Component Analysis Randy Paffenroth Associate Professor of Mathematical Sciences, and Associate Professor of Computer Science Data Science Program Worcester Polytechnic Institute
CS525 URBAN NETWORKS: METHODS AND ANALYSIS 4-19-2017
Associate Professor of Mathematical Sciences, and Associate Professor of Computer Science Data Science Program Worcester Polytechnic Institute
By Howchou (Own work) [CC BY-SA 3.0 (http://creativecommons.org/licenses/by-sa/3.0)], via Wikimedia Commons
By Hibernia Networks (Hibernia Networks) [Public domain], via Wikimedia Commons
analysis of computer networks.
where much of the data is unlabeled and has to “speak for itself”
think about network analysis.
talk without any equations :-)
Theory and Practice
Stuxnet, Flame, Target In Inc., Ne Neiman Marcus, Affin init ity Gaming, Dairy Queen...
iry Queen!? This is is is when thin ings got
l...
less some sensor, or coll llectio ion of sensors, is effected by an atta tack then you can't detect it it.
I.e. eit ither the marginal or jo join int probabil ilit ity densit ity functio ion of the sensors must be dif ifferent in in a stati tistically ly meanin ingful way, condit ition
ich you don’t have a signature.
irus detectio ion and intrusio ion detectio ion systems (ID IDS) do a good jo job of
ing atta tacks for whic ich a sig ignature is is known, but have ve noth
ing to say if if the atta tack has no sig ignature
ly be detected by sensors whic ich were not
igned to detect th that threat.
ve to get t lucky and have a sensor th that detects ts the new att ttack eve ven though it it was not desig igned to do
lary": You want lots of sensors!
ven once you have a way of fusin ing the data, how
you avo void id being ove verwhelmed with fals lse alarms!
Reconnaissance
Botnet
Pivoting Pivoting Pivoting Pivoting
Exfiltration
Point of entry Command and control
No attack No attack Attack Attack Time Sensor Response
No attack No attack Attack Attack Time Sensor Response
No attack No attack Attack Attack Time Sensor Response
inspired by information theory.
Butun, Ismail, Salvatore D. Morgera, and Ravi Sankar. "A survey of intrusion detection systems in wireless sensor networks." Communications Surveys & Tutorials, IEEE 16.1 (2014): 266-282. Moosavi, M. R., et al. "ENTROPY BASED FUZZY RULE WEIGHTING FOR HIERARCHICAL INTRUSION DETECTION." Iranian Journal of Fuzzy Systems 11.3 (2014): 77-94.
N Y A U B V
In our work we focused on analyzing the second order statistics of by way of its covariance or normalized cross correlation matrix , such as
Interesting questions:
Maximum Likelihood covariance estimation (e.g. using convex
Well defined for missing data and different data types (e.g. point-biserial correlation).
much of which we suspect the current audience is aware of.
and robust matrix completion have generated a lot of interest, including among us!
Ma, “Stable Principal Component Pursuit,” ISIT 2010: Proceedings of IEEE International Symposium on Information Technology, 2010.
“Robust principal component analysis?,” J. ACM, vol. 58, pp. 11:1–11:37, June 2011.
Completion With Noise,” Proceedings of the IEEE, vol.98, no.6, p.11, 2009 E.Candes and B.Recht, “Exact matrix completion via convex optimization,” Foundations of Computational Mathematics, vol. 9, pp. 717–772, December 2009. Eckart, C.; Young, G. (1936). "The approximation of one matrix by another of lower rank". Psychometrika 1 (3): 211–8.
Matrix completion: The Netflix problem! Robust principal component analysis
Space-time signal processing for distributed pattern detection in sensor networks IEEE Journal of Selected Topics in Signal Processing, Vol. 7, No.1, February 2013
Point-wise Error Constraints in preparation 2012.
What I am interested in :-)
Singular values L S = + M
The appropriate structures appear all
Insurance Satisfaction Surveys
Elisa Rosales
Singular Values of Matrices
Amazon product communities SKAION Internet Attack (e.g., DDoS) simulations
The appropriate structures appear all
Rakesh Biradar
Singular Values of Matrices
➢ IPsweep of the AFB from a remote site ➢ Probe of live IP's to look for the
sadmind daemon running on Solaris hosts
➢ Breakins via the sadmind vulnerability,
both successful and unsuccessful on those hosts
➢ Installation of the trojan mstream DDoS
software on three hosts at the AFB
➢ Launching the DDoS
https://www.ll.mit.edu/ideval/d ata/2000/LLS_DDOS_1.0.html
Raw PCAP files Derived features
,
0 * 1
, . . arg min ( ) ( )
L S
L S L S s P P L S M t l
W W
+
+
site,
addresses looking for a running Sadmind daemon,
PCA – Too many false negatives RPCA – Too many false positives
Too “thick” Too “thin” Just right l
supervised training data
– Like
l
Training data for l Algorithm not trained on this attack vector!
The LANDER project measures the number of “active” (i.e. respond to pings)
the Internet Same structure appears! Can be used to pick out all LG DACOM subnets in Europe.
Subnets in anomaly: [1, 210, 44, 0] [1, 210, 173, 0] [1, 219, 34, 0] [1, 210, 206, 0] [1, 218, 60, 0] [1, 218, 121, 0] [1, 218, 173, 0] Test round number Number of responding hosts
Here is a small section of the
1.1 petabyte
(and growing) CAIDA data set. It contains measurements of the worldwide Internet connectivity and latency (traceroute). Same structure appears!
Time Normalized latency
By Holger Motzkau 2010, Wikipedia/Wikimedia Commons (cc-by-sa-3.0), CC BY-SA 3.0, https://commons.wikimedia.org/w/index.php?curid=11115505
Math Computer Science
Original algorithm. Rank=2, probability of corruption=2%,
and new algorithm!
Proceedings Vol. 8857, Signal and Data Processing of Small Targets, October 2013, Oliver E. Drummond; Richard D. Teichgraeber, Editors.
Hey, wait a minute...
Think about as distributed databases.
Ali Benamara
http://www.independent.co.uk/arts-entertainment/films/reviews/iron-man-3-review-a-big-hand-for-downey-jr-but-movie-lacks-dramatic-mettle-8588873.html
N Y A U B V