pattern detection in computer networks using robust
play

Pattern Detection in Computer Networks Using Robust Principal - PowerPoint PPT Presentation

Nov 22, 2022 •44 likes •494 views

Pattern Detection in Computer Networks Using Robust Principal Component Analysis Randy Paffenroth Associate Professor of Mathematical Sciences, and Associate Professor of Computer Science Data Science Program Worcester Polytechnic Institute

  1. Pattern Detection in Computer Networks Using Robust Principal Component Analysis Randy Paffenroth Associate Professor of Mathematical Sciences, and Associate Professor of Computer Science Data Science Program Worcester Polytechnic Institute CS525 URBAN NETWORKS: METHODS AND ANALYSIS 4-19-2017

  2. Urban networks vs. Computer networks By Howchou (Own work) [CC BY-SA 3.0 (http://creativecommons.org/licenses/by-sa/3.0)], via Wikimedia By Hibernia Networks (Hibernia Networks) [Public Commons domain], via Wikimedia Commons

  3. What am I going to talk about? ● Robust Principal Component Analysis as applied to analysis of computer networks. ● In effect, I am interested in “semi-supervised” learning where much of the data is unlabeled and has to “speak for itself” ● Attempt to justify why I think this is an interesting way to think about network analysis. ● Show some examples in this area. ● Beware! I am a mathematician and, morally, I can’t give a talk without any equations :-)

  4. Theory and Practice

  5. Where we find our inspiration for practice... St Stuxnet, Flame, Target In Inc., Ne Neiman Marcus, Affin init ity Gaming, Dairy Queen... ● Et tu, Dair iry Queen!? This is is is when thin ings got ot personal. l... ● "Axiom" 1: Unle less some sensor, or coll llectio ion of sensors, is effected by an atta tack then ● you can't detect it it. I. I.e. eit ither the marginal or jo join int probabil ilit ity densit ity functio ion of the sensors must be ● dif ifferent in in a stati tistically ly meanin ingful way, condit ition oned on the absence or presence of an attack. "Axiom" 2: The most dangerous attacks are those for whic ich you don’t have a signature. ● Vir irus detectio ion and intrusio ion detectio ion systems (ID IDS) do a good jo job of of detectin ing ● atta tacks for whic ich a sig ignature is is known, but have ve noth othin ing to say if if the atta tack has no sig ignature "Theorem": Therefore the most dangerous attacks can only ly be detected by sensors ● whic ich were not ot desig igned to detect th that threat. You have ve to get t lucky and have a sensor th that detects ts the new att ttack eve ven though it it ● was not desig igned to do o so. "Corolla lary": You want lots of sensors! ● But, how ow do you fuse them? Eve ven once you have a way of fusin ing the data, how ow do ● you avo void id being ove verwhelmed with fals lse alarms!

  6. Advanced Persistent Threats Reconnaissance Pivoting Pivoting Pivoting Point of entry Command and control Botnet Pivoting Exfiltration

  7. What do we mean by a sensor? Attack Attack Sensor Response Time No attack No attack

  8. What do we mean by a sensor? Attack Attack Sensor Response Time No attack No attack

  9. What do we mean by a sensor? Attack Attack Sensor Response Time No attack No attack

  10. What kinds of sensors? ● Already talked about packet rates. ● Port, CPU, memory activity, etc. ● Intrusion Detection Systems ● Bro, Snort, Suricata, etc. ● More "complicated" sensors such as those inspired by information theory. ● Packet payload entropy Butun, Ismail, Salvatore D. Morgera, and Ravi Sankar. "A survey of intrusion detection systems in wireless sensor networks." Communications Surveys & Tutorials, IEEE 16.1 (2014): 266-282. Moosavi, M. R., et al. "ENTROPY BASED FUZZY RULE WEIGHTING FOR HIERARCHICAL INTRUSION DETECTION." Iranian Journal of Fuzzy Systems 11.3 (2014): 77-94.

  11. Best with an example!

  12. Data matrix

  13. First order anomaly

  14. Sparse correlations? Latent signal model... U V Y A B N

  15. A simple second order anomaly

  16. Second order theory! In our work we focused on analyzing the second order statistics of by way of its covariance or normalized cross correlation matrix , such as Interesting questions: ● Correlation versus covariance? ● More refined calculations such as Maximum Likelihood covariance Well defined for missing estimation (e.g. using convex data and different data optimization). types (e.g. point-biserial correlation).

  17. Second order anomaly

  18. Standing on the shoulders of giants ● Over the past 4-5 years there has been a flurry of activity on this problem, much of which we suspect the current audience is aware of. Eckart, C.; Young, G. (1936). "The Ideas such as matrix completion, robust principal component analysis, ● approximation of one matrix by another of and robust matrix completion have generated a lot of interest, including lower rank". Psychometrika 1 (3): 211–8. among us! Matrix completion: The Robust principal component analysis Netflix problem! E. Candes, X. Li, Y. Ma, and J. Wright, E.Candes and B.Recht, “Exact matrix Z. Zhou, X. Li, J. Wright, E. Cande`s, and Y. completion via convex optimization,” “Robust principal component analysis?,” J. Ma, “Stable Principal Component Pursuit,” Foundations of Computational ACM, vol. 58, pp. 11:1–11:37, June 2011. ISIT 2010: Proceedings of IEEE International Mathematics, vol. 9, pp. 717–772, Symposium on Information Technology, December 2009. 2010. What I am interested in :-) E. Candes and Y. Plan, “Matrix Completion With Noise,” Proceedings of the IEEE, vol.98, no.6, p.11, 2009 R. Paffenroth, P. Du Toit, R. Nong, L. Scharf, A. Jayasumana and V. Bandara Space-time signal processing for distributed pattern detection in sensor networks IEEE Journal of Selected Topics in Signal Processing, Vol. 7, No.1, February 2013 P. Du Toit, R. Paffenroth, R. Nong Stability of Principal Component Pursuit with Point-wise Error Constraints in preparation 2012.

  19. M L S = + Singular values

  20. The appropriate structures appear all over the place in real data! Elisa Rosales Singular Values of Matrices Insurance Satisfaction Surveys

  21. The appropriate structures appear all over the place in real data! Rakesh Biradar Singular Values of Matrices Amazon product communities SKAION Internet Attack (e.g., DDoS) simulations

  22. Abilene Internet2 Backbone

  23. Abilene Internet2 Backbone

  24. Abilene Internet2 Backbone

  25. Abilene Internet2 Backbone

  26. Abilene Internet2 Backbone

  27. Enough math for the moment, lets try a really practical example ● DARPA Lincoln Lab Intrusion Detection Evaluation Data Set ➢ IPsweep of the AFB from a remote site ➢ Probe of live IP's to look for the sadmind daemon running on Solaris hosts ➢ Breakins via the sadmind vulnerability, both successful and unsuccessful on those hosts ➢ Installation of the trojan mstream DDoS software on three hosts at the AFB ➢ Launching the DDoS https://www.ll.mit.edu/ideval/d ata/2000/LLS_DDOS_1.0.html

  28. Feature generation Raw PCAP files Derived features

  29. Imporant idea... don't blindly follow theory = + l L , S arg min L S 0 * 1 L , S 0 0 + - s . . t P ( L S ) P ( M ) W W 0 0

  30. Lincoln Labs DARPA Intrusion Detection Data Set - PCA ● IP sweep from a remote site, ● a probe of live IP addresses looking for a running Sadmind daemon, ● and then an exploitation of a Sadmind vulnerability.

  31. Lincoln Labs DARPA Intrusion Detection Data Set - Comparison RPCA – Too many PCA – Too many false positives false negatives

  32. Lincoln Labs DARPA Intrusion Detection Data Set - Comparison Too “thick” Too “thin” Just right l

  33. Key idea ● Semi-supervised learning ● PCA and RPCA have many parameters ● Far to many to train on reasonably sized collections of attacks ● Only train a few important parameters on supervised training data l – Like ● Gives better generalization and less over-fitting

  34. Key idea ● Semi-supervised learning Training data for l Algorithm not trained on this attack vector!

  35. Other fun problems: LANDER The LANDER project measures the number of “active” (i.e. respond to pings) on subnets across the Internet Number of responding hosts Same structure appears! Subnets in anomaly: [1, 210, 44, 0] [1, 210, 173, 0] Can be used to [1, 219, 34, 0] pick out all LG [1, 210, 206, 0] DACOM subnets [1, 218, 60, 0] [1, 218, 121, 0] in Europe. [1, 218, 173, 0] Test round number

  36. Other fun problems: CAIDA Here is a small section of the 1.1 petabyte (and growing) CAIDA data set. It contains measurements of Normalized latency the worldwide Internet connectivity and latency (traceroute). Same structure Time appears!

  37. Big Data Computer Science Math By Holger Motzkau 2010, Wikipedia/Wikimedia Commons (cc-by-sa-3.0), CC BY-SA 3.0, https://commons.wikimedia.org/w/index.php?curid=11115505

  38. Equivalent formulation

  39. Big Data Original algorithm. Rank=2, probability of corruption=2%, observations=10m and new algorithm! ● R. Paffenroth, R. Nong, P. Du Toit, On covariance structure in noisy, big data. Proceedings Vol. 8857, Signal and Data Processing of Small Targets, October 2013, Oliver E. Drummond; Richard D. Teichgraeber, Editors.

  40. Big Data Hey, wait a minute...

  41. How can this be? Math helps... ) ) ( ( ) )) ( ( (

  42. How can this be? Implementation helps... Think about as distributed databases.

  43. Distributed databases. Ali Benamara

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Robust Aggregation in Sensor Robust Aggregation in Sensor Networks Networks Jie Gao Computer

Robust Aggregation in Sensor Robust Aggregation in Sensor Networks Networks Jie Gao Computer

Robust Aggregation in Sensor Robust Aggregation in Sensor Networks Networks Jie Gao Computer Science Department Stony Brook University 1 Papers Papers [Nath04] Suman Nath, Phillip B. Gibbons, Zachary Anderson, and Srinivasan Seshan,

616 views • 43 slides
Bag-of-Features Acoustic Event Detection for Sensor Networks Julian K urby, Ren e Grzeszick,

Bag-of-Features Acoustic Event Detection for Sensor Networks Julian K urby, Ren e Grzeszick,

Bag-of-Features Acoustic Event Detection for Sensor Networks Julian K urby, Ren e Grzeszick, Axel Plinge, and Gernot A. Fink Pattern Recognition, Computer Science XII, TU Dortmund University September 3, 2016 DCASE Workshop Budapest,

217 views • 20 slides
Object detection & classification for ADAS Robust for Bad situations Small object sizes

Object detection & classification for ADAS Robust for Bad situations Small object sizes

Object detection & classification for ADAS Robust for Bad situations Small object sizes Robust for occlusion Small model size SVNet @ NVIDIA TX2 Please click Icon for Video 5/19/2017 2 Robust detection for various

123 views • 11 slides
How Robust are Thresholds for Community Detection? Ankur Moitra (MIT) Robust Statistics Summer

How Robust are Thresholds for Community Detection? Ankur Moitra (MIT) Robust Statistics Summer

How Robust are Thresholds for Community Detection? Ankur Moitra (MIT) Robust Statistics Summer School Let me tell you a story about the success of belief propagation and statistical physics THE STOCHASTIC BLOCK MODEL Introduced by Holland,

1.65k views • 119 slides
Monte Carlo Semantics McPIET at RTE-4: Robust Inference and Logical Pattern Processing Based on

Monte Carlo Semantics McPIET at RTE-4: Robust Inference and Logical Pattern Processing Based on

Monte Carlo Semantics McPIET at RTE-4: Robust Inference and Logical Pattern Processing Based on Integrated Deep and Shallow Semantics Richard Bergmair University of Cambridge Computer Laboratory Natural Language Information Processing Text

640 views • 39 slides
Robust and Unsupervised KPI Anomaly Detection Based on Conditional Variational Autoencoder Zeyan

Robust and Unsupervised KPI Anomaly Detection Based on Conditional Variational Autoencoder Zeyan

Robust and Unsupervised KPI Anomaly Detection Based on Conditional Variational Autoencoder Zeyan Li , Wenxiao Chen, Dan Pei Department of Computer Science and Technology Tsinghua University November 18, 2018 1/37 Table of Contents 1 Background

573 views • 41 slides
A robust SNMP based Infrastructure for Intrusion Detection and Response in tactical MANETs

A robust SNMP based Infrastructure for Intrusion Detection and Response in tactical MANETs

A robust SNMP based Infrastructure for Intrusion Detection and Response in tactical MANETs Sascha Lettgen University of Bonn, Germany Inst. of Computer Science IV Marko Jahnke, Jens Tlle, Uwe Weddige, Michael Bussmann FGAN/FKIE, Wachtberg,

641 views • 15 slides
Monte Carlo Semantics Robust Inference and Logical Pattern Processing Based on Integrated Deep

Monte Carlo Semantics Robust Inference and Logical Pattern Processing Based on Integrated Deep

Monte Carlo Semantics Robust Inference and Logical Pattern Processing Based on Integrated Deep and Shallow Semantics Richard Bergmair University of Cambridge Computer Laboratory Natural Language Information Processing Flatlands Meeting, Jun-06

465 views • 20 slides
Emergent Pattern Detection in Vegetable Population Dynamics S. Bandini, S. Manzoni, G. Mauri, S.

Emergent Pattern Detection in Vegetable Population Dynamics S. Bandini, S. Manzoni, G. Mauri, S.

Emergent Pattern Detection in Vegetable Population Dynamics S. Bandini, S. Manzoni, G. Mauri, S. Redaelli Dept. Of Computer Science, Systems and Communication University of Milan-Bicocca 1 CAFFE (Cellular Automata For Forest Ecosystems)

264 views • 12 slides
Anomaly Detection in Computer Networks Carolina Fortuna, Bla Fortuna, Mihael Mohoric Outline

Anomaly Detection in Computer Networks Carolina Fortuna, Bla Fortuna, Mihael Mohoric Outline

Anomaly Detection in Computer Networks Carolina Fortuna, Bla Fortuna, Mihael Mohoric Outline Intrusion Detection Evaluation Criteria Scenarios Data Acquisition Results Datasets Conclusions Related Work Data

500 views • 29 slides
Towards Robust Detection of Adversarial Examples Tianyu Pang, Chao Du, Yinpeng Dong

Towards Robust Detection of Adversarial Examples Tianyu Pang, Chao Du, Yinpeng Dong

Towards Robust Detection of Adversarial Examples Tianyu Pang, Chao Du, Yinpeng Dong and Jun Zhu Department of Computer Science and Technology Tsinghua University TSAIL NeurIPS | 2018 Adversarial Examples From

590 views • 10 slides
Peer-to-Peer Networks 14 Security Christian Schindelhauer Technical Faculty Computer-Networks

Peer-to-Peer Networks 14 Security Christian Schindelhauer Technical Faculty Computer-Networks

Peer-to-Peer Networks 14 Security Christian Schindelhauer Technical Faculty Computer-Networks and Telematics University of Freiburg Cuckoo Hashing for Security Awerbuch, Scheideler, Towards Scalable and Robust Overlay Networks Problem: -

329 views • 19 slides
Localization of Sensor Networks Localization of Sensor Networks Jie Gao Computer Science

Localization of Sensor Networks Localization of Sensor Networks Jie Gao Computer Science

Localization of Sensor Networks Localization of Sensor Networks Jie Gao Computer Science Department Stony Brook University 9/13/05 Jie Gao CSE590-fall05 1 Papers Papers D. Moore, J. Leonard, D. Rus, S. Teller, Robust distributed

514 views • 40 slides
Distributed Measurements for Attack Detection Distributed Measurements for Attack Detection Prof.

Distributed Measurements for Attack Detection Distributed Measurements for Attack Detection Prof.

Universitt Tbingen Computer Networks and Internet Distributed Measurements for Attack Detection Distributed Measurements for Attack Detection Prof. Dr. Georg Carle Chair for Computer Networks and Internet University of Tbingen Germany

291 views • 8 slides
Real-time Pattern Detection in IP Flow Data using Apache Spark International Symposium on

Real-time Pattern Detection in IP Flow Data using Apache Spark International Symposium on

Real-time Pattern Detection in IP Flow Data using Apache Spark International Symposium on Integrated Network Management ( IM 2019) May 9, 2019 Milan Cermak, Martin Lastovicka, Tomas Jirsik Institute of Computer Science, Masaryk University, Brno

403 views • 11 slides
A Graphical Notation for Design Pattern Detection Haneen Dabain Department of Computer Science

A Graphical Notation for Design Pattern Detection Haneen Dabain Department of Computer Science

A Graphical Notation for Design Pattern Detection Haneen Dabain Department of Computer Science and Engineering York University October 24, 2011 Haneen Dabain (York University) FINDER October 24, 2011 1 / 56 Introduction Table of contents

755 views • 58 slides
Dimensionality Reduction: Linear Discriminant Analysis and Principal Component Analysis CMSC 678

Dimensionality Reduction: Linear Discriminant Analysis and Principal Component Analysis CMSC 678

Dimensionality Reduction: Linear Discriminant Analysis and Principal Component Analysis CMSC 678 UMBC Outline Linear Algebra/Math Review Two Methods of Dimensionality Reduction Linear Discriminant Analysis (LDA, LDiscA) Principal Component

884 views • 70 slides
How? Where? Who? When? Matthew 16:18 And I tell you, you are Peter, and on this rock I will

How? Where? Who? When? Matthew 16:18 And I tell you, you are Peter, and on this rock I will

Church Planting Why? How? Where? Who? When? Matthew 16:18 And I tell you, you are Peter, and on this rock I will build my church, and the gates of hell shall not prevail against it. Atlanta Metro Population Statistics: Current: 5.9

545 views • 12 slides
E9 205 Machine Learning for Signal Processing Dimensionality Reduction - I 21-08-2019 Instructor

E9 205 Machine Learning for Signal Processing Dimensionality Reduction - I 21-08-2019 Instructor

E9 205 Machine Learning for Signal Processing Dimensionality Reduction - I 21-08-2019 Instructor - Sriram Ganapathy (sriramg@iisc.ac.in) Principal Component Analysis Reducing the data of dimension to lower dimension

238 views • 10 slides
CSC 411: Lecture 14: Principal Components Analysis & Autoencoders Class based on Raquel

CSC 411: Lecture 14: Principal Components Analysis & Autoencoders Class based on Raquel

CSC 411: Lecture 14: Principal Components Analysis & Autoencoders Class based on Raquel Urtasun & Rich Zemels lectures Sanja Fidler University of Toronto March 14, 2016 Urtasun, Zemel, Fidler (UofT) CSC 411: 14-PCA &

1.07k views • 18 slides
History and Theory of Nonlinear Principal Component Analysis Jan de Leeuw February 11, 2011 Jan

History and Theory of Nonlinear Principal Component Analysis Jan de Leeuw February 11, 2011 Jan

UCLA Department of Statistics History and Theory of Nonlinear Principal Component Analysis Jan de Leeuw February 11, 2011 Jan de Leeuw NLPCA History UCLA Department of Statistics Abstract Relationships between Multiple Correspondence

536 views • 27 slides
ECS231 PCA, revisited May 28, 2019 1 / 18 Outline 1. PCA for lossy data compression 2. PCA for

ECS231 PCA, revisited May 28, 2019 1 / 18 Outline 1. PCA for lossy data compression 2. PCA for

ECS231 PCA, revisited May 28, 2019 1 / 18 Outline 1. PCA for lossy data compression 2. PCA for learning a representation of data 3. Extra: learning XOR 2 / 18 1. PCA for lossy data compression 1 Data compression: given data points { x (1)

347 views • 18 slides
compsci 514: algorithms for data science Cameron Musco University of Massachusetts Amherst. Fall

compsci 514: algorithms for data science Cameron Musco University of Massachusetts Amherst. Fall

compsci 514: algorithms for data science Cameron Musco University of Massachusetts Amherst. Fall 2019. Lecture 13 0 MAP Feedback: Going to adjust a bit how I take questions in class. Will try to more clearly identify important

1.12k views • 88 slides
Dimensionality Reduction & Embedding Prof. Mike Hughes Many ideas/slides attributable to:

Dimensionality Reduction & Embedding Prof. Mike Hughes Many ideas/slides attributable to:

Tufts COMP 135: Introduction to Machine Learning https://www.cs.tufts.edu/comp/135/2019s/ Dimensionality Reduction & Embedding Prof. Mike Hughes Many ideas/slides attributable to: Liping Liu (Tufts), Emily Fox (UW) Matt Gormley (CMU) 2

1.01k views • 33 slides

More recommend