streamworks a system for real time graph pattern matching
play

StreamWorks A System for Real-Time Graph Pattern Matching on - PowerPoint PPT Presentation

May 22, 2023 •167 likes •796 views

StreamWorks A System for Real-Time Graph Pattern Matching on Network Traffic GEORGE CHIN, SUTANAY CHOUDHURY AND KHUSHBU AGARWAL Pacific Northwest National Laboratory January 21, 2015 Unclassified 1 Emerging Graph Patterns Goal: Detect

  1. StreamWorks – A System for Real-Time Graph Pattern Matching on Network Traffic GEORGE CHIN, SUTANAY CHOUDHURY AND KHUSHBU AGARWAL Pacific Northwest National Laboratory January 21, 2015 Unclassified 1

  2. Emerging Graph Patterns Goal: Detect and identify precursor events and patterns as they emerge in complex networks such that events or threats may be mitigated or acted upon before they are fully realized Capture evolution of critical graph patterns Devise optimal search strategy to identify emerging pattern Consider cases where target subgraph patterns may or may not be known Subgraph pattern matching is a well-studied NP-hard problem. Some work on scalable algorithms Limited work on subgraph matching in dynamic networks Application areas: Computer network intrusions and threats Social media and network analysis Financial and stock market analysis Distributed sensor networks January 21, 2015 Unclassified 2

  3. Emerging Graph Pattern Algorithm in Action Subgraph Join Tree DNS Web 100% Server Server Data Graph Maple Host Host Host DNS Web 67% Host 33% Server Server Web DNS Host Host Server Server 33% 33% Host Host Alder DNS Web Web DNS Server Server Server Server January 21, 2015 Unclassified 3

  4. Emerging Graph Pattern Algorithm in Action Subgraph Join Tree DNS Web 100% Server Server Data Graph Maple Host Host Host DNS Web 67% Host 33% Server Server Web DNS Host Host Server Server Trout (Web Server) 33% 33% Host Host Alder DNS Web Web DNS Server Server Server Server January 21, 2015 Unclassified 4

  5. Emerging Graph Pattern Algorithm in Action Subgraph Join Tree DNS Web 100% Server Server Data Graph Maple Goliath (DNS Host Host Host Server) DNS Web 67% Host 33% Server Server Web DNS Host Host Server Server Trout (Web Server) 33% 33% Host Host Alder DNS Web Web DNS Server Server Server Server January 21, 2015 Unclassified 5

  6. Emerging Graph Pattern Algorithm in Action Subgraph Join Tree DNS Web 100% Server Server Data Graph Maple Goliath (DNS Host Host Host Server) DNS Web 67% Host 33% Server Server Pine Web DNS Host Host Server Server Trout (Web Server) 33% 33% Host Host Alder DNS Web Web DNS Server Server Server Server January 21, 2015 Unclassified 6

  7. Emerging Graph Pattern Algorithm in Action Subgraph Join Tree DNS Web 100% Server Server Data Graph Maple Goliath (DNS Host Host Host Server) DNS Web 67% Host 33% Server Server Pine Web DNS Host Host Server Server Trout (Web Server) 33% 33% Host Host Alder DNS Web Web DNS Server Server Server Server January 21, 2015 Unclassified 7

  8. Emerging Graph Pattern Algorithm in Action Subgraph Join Tree DNS Web 100% Server Server Data Graph Maple Goliath (DNS Host Host Host Server) DNS Web 67% Host 33% Server Server Pine Web DNS Host Host Server Server Trout (Web Oak Server) 33% 33% Host Host Alder DNS Web Web DNS Server Server Server Server January 21, 2015 Unclassified 8

  9. Emerging Graph Pattern Algorithm in Action Subgraph Join Tree DNS Web 100% Server Server Data Graph Maple Goliath (DNS Host Host Host Server) Cedar DNS Web 67% Host 33% Server Server Pine Web DNS Host Host Server Server Trout (Web Oak Server) 33% 33% Host Host Alder DNS Web Web DNS Server Server Server Server January 21, 2015 Unclassified 9

  10. Emerging Graph Pattern Algorithm in Action Subgraph Join Tree DNS Web 100% Server Server Data Graph Maple Goliath (DNS Host Host Host Server) Cedar DNS Web 67% Host 33% Server Server Pine Birch Web DNS Host Host Server Server Trout (Web Oak Server) 33% 33% Host Host Alder DNS Web Web DNS Server Server Server Server January 21, 2015 Unclassified 10

  11. Emerging Graph Pattern Algorithm in Action Subgraph Join Tree DNS Web 100% Server Server Data Graph Maple Goliath (DNS Host Host Host Server) Cedar DNS Web 67% Host 33% Server Server Pine Birch Web DNS Host Host Server Server Trout (Web Oak Server) 33% 33% Host Host Alder DNS Web Web DNS Server Server Server Server January 21, 2015 Unclassified 11

  12. Emerging Graph Pattern Algorithm in Action Subgraph Join Tree DNS Web 100% Server Server Data Graph Maple Goliath (DNS Host Host Host Server) Cedar DNS Web 67% Host 33% Server Server Pine Birch Web DNS Host Host Server Server Trout (Web Oak Server) 33% 33% Host Host Alder DNS Web Web DNS Server Server Server Server January 21, 2015 Unclassified 12

  13. Detecting Emerging Cyber Attacks Developing emerging subgraph pattern algorithm in a package we call StreamWorks to detect cyber intrusions and attacks in computer network traffic Constructing set of cyber attack graph patterns related to network scans, reflector attacks, flood attacks, viruses, worms, etc. in collaboration with PNNL cybersecurity analysts Utilizing anonymized internet traces data curated by CAIDA (The Cooperative Association for Internet Data Analysis) at SDSC/UCSD and simulated intrusion detection datasets from the University of New Brunswick’s Information Security Centre of Excellence January 21, 2015 Unclassified 13

  14. Witty Worm Host Host Host Host Host Host 796<=Packet Len<=1307 Port 4000 796<=Packet Len<=1307 796<=Packet Len<=1307 796<=Packet Len<=1307 Port 4000 Port 4000 Port 4000 Host Host Host Host 796<=Packet Len<=1307 Port 4000 Host Host Host Host Host Host Internet worm that began to spread on March 19, 2004 Targeted buffer overflow vulnerability in internet security systems (ISS) products Payload contained phrase “(^.^) insert witty message here (^.^)” Attacked port 4000 with packets of sizes between 796 and 1307 January 21, 2015 Unclassified 14

  15. Distributed Denial-of-Service Smurf Attack Host ICMP Echo Request ICMP Echo Reply ICMP Echo Request ICMP Echo Request ICMP Echo Reply Hacker Router Host Victim ICMP Echo Request ICMP Echo Reply Host ICMP Echo Request Attacker sends packets to broadcast IP address with spoofed source address of victim’s Packets delivered to intermediate hosts Intermediate hosts reply to return address of victim January 21, 2015 Unclassified 15

  16. Distributed Denial-of-Service DNS Amplification Attack Agents or zombies DNS Zombie DNS Query Response generate large number Server DNS Query | ICMP Dest Unreachable | Frag IP Address of DNS requests with DNS Query spoofed source address DNS Query Response | ICMP Dest Unreachable DNS servers send 3 | Frag IP Address DNS Zombie Victim different types of Server DNS Query DNS Query responses to victim DNS Query Response | ICMP Dest Unreachable DNS response packets | Frag IP Address may be significantly DNS Query larger than DNS DNS Zombie request packets Server DNS Query January 21, 2015 Unclassified 16

  17. Subgraph Join Tree for DDoS Smurf Attack Cyberattack Pattern Subgraph Join Tree (Breadth-First) 100% Host Host Time < E1 ICMP Echo Request ICMP Echo Reply Router Host Victim Time < E1 ICMP Echo Request ICMP Echo Request ICMP Echo Reply Hacker Router Host Victim Host Time < E1 E1 ICMP Echo Request ICMP Echo Reply Host 86% 14% Host ICMP Echo Request Time < E2 Router Victim E2 Router Host Victim E3 Time ICMP Echo < E3 Request Host E4 Time < E4 43% 43% Host Host ICMP Echo ICMP Echo Reply Request Host Host Victim Router ICMP Echo ICMP Echo Broadcast Request Reply Address Host Host ICMP Echo ICMP Echo Reply Request January 21, 2015 Unclassified 17

  18. DDoS Smurf Attack Query Breadth-First SJT Host 100% Time < E1 Router Host Victim Time < E1 Host Time < E1 E1 86% 14% Host Time < E2 Router Victim E2 Router Host Victim E3 Time ICMP Echo < E3 Request Host E4 Time < E4 Host Host 43% 43% ICMP Echo ICMP Echo Request Reply Host Host Victim Router ICMP Echo ICMP Echo Broadcast Request Reply Address Host Host ICMP Echo ICMP Echo Request Reply 48:06 January 21, 2015 Unclassified 18 18

  19. DDoS Smurf Attack Query Breadth-First SJT Host 100% Time < E1 Router Host Victim Time < E1 Host Time < E1 E1 86% 14% Host Time < E2 Router Victim E2 Router Host Victim E3 Time ICMP Echo < E3 Request Host E4 Time < E4 Host Host 43% 43% ICMP Echo ICMP Echo Request Reply Host Host Victim Router ICMP Echo ICMP Echo Broadcast Request Reply Address Host Host ICMP Echo ICMP Echo Request Reply 51:39 January 21, 2015 Unclassified 19 19

  20. DDoS Smurf Attack Query Breadth-First SJT Host 100% Time < E1 Router Host Victim Time < E1 Host Time < E1 E1 86% 14% Host Time < E2 Router Victim E2 Router Host Victim E3 Time ICMP Echo < E3 Request Host E4 Time < E4 Host Host 43% 43% ICMP Echo ICMP Echo Request Reply Host Host Victim Router ICMP Echo ICMP Echo Broadcast Request Reply Address Host Host ICMP Echo ICMP Echo Request Reply 53:11 January 21, 2015 Unclassified 20 20

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

LPEG: a new approach to pattern LPEG: a new approach to pattern matching in Lua matching in Lua

LPEG: a new approach to pattern LPEG: a new approach to pattern matching in Lua matching in Lua

LPEG: a new approach to pattern LPEG: a new approach to pattern matching in Lua matching in Lua Roberto Ierusalimschy (real) regular expressions (real) regular expressions inspiration for most pattern-matching tools Ken Thompson, 1968

1.05k views • 58 slides
Pattern Matching a b a c a a b 1 a b a c a b 4 3 2 a b a c a b Pattern

Pattern Matching a b a c a a b 1 a b a c a b 4 3 2 a b a c a b Pattern

Pattern Matching a b a c a a b 1 a b a c a b 4 3 2 a b a c a b Pattern Matching 1 Outline and Reading Strings (11.1) Pattern matching algorithms Brute-force algorithm (11.2.1) Boyer-Moore algorithm (11.2.2)

612 views • 14 slides
Timed Pattern Matching Doan Ulus joint with T. Ferrere, E. Asarin, O. Maler and D. Nickovic

Timed Pattern Matching Doan Ulus joint with T. Ferrere, E. Asarin, O. Maler and D. Nickovic

Timed Pattern Matching Doan Ulus joint with T. Ferrere, E. Asarin, O. Maler and D. Nickovic Verimag, University of Grenoble-Alpes May 6, 2015 Real-time systems 2 Control Systems with Real-time Communication timing systems Biological

1.08k views • 38 slides
CSE182-L6 P-value and E-value Dicitionary matching Pattern matching October 09 CSE182 Why is

CSE182-L6 P-value and E-value Dicitionary matching Pattern matching October 09 CSE182 Why is

CSE182-L6 P-value and E-value Dicitionary matching Pattern matching October 09 CSE182 Why is BLAST fast? Assume that keyword searching does not consume any time and that alignment computation the expensive step. Query m=1000, random

433 views • 18 slides
Concurrent Pattern Matching: combining discovery, privacy and symmetry using pattern matching

Concurrent Pattern Matching: combining discovery, privacy and symmetry using pattern matching

Introduction Background Deliverables &amp; Methodology State of research Concurrent Pattern Matching: combining discovery, privacy and symmetry using pattern matching Thomas Given-Wilson, University of Technology, Sydney Supervisor:

559 views • 21 slides
Pattern-Matching Spi-Calculus A Type System for Cryptographic Protocols Christian Haack and Alan

Pattern-Matching Spi-Calculus A Type System for Cryptographic Protocols Christian Haack and Alan

Pattern-Matching Spi-Calculus A Type System for Cryptographic Protocols Christian Haack and Alan Jeffrey DePaul University, Chicago Pattern-Matching Spi-Calculus p.1/11 Types for Cryptographic Protocols Pattern-Matching Spi-Calculus

779 views • 55 slides
Awk, Awk Pattern matching and processing language Looks for pattern in file If pattern

Awk, Awk Pattern matching and processing language Looks for pattern in file If pattern

CSC209 Fall 2001 What is AWK? Awk, Awk Pattern matching and processing language Looks for pattern in file If pattern matches, do something Many details handled automatically very easy to one off (write and throw away)

673 views • 12 slides
Globbing, pattern matching Globbing is the term used for bashs form of pattern matching in

Globbing, pattern matching Globbing is the term used for bashs form of pattern matching in

Globbing, pattern matching Globbing is the term used for bashs form of pattern matching in commands It is used when we want to use a pattern to describe a set of strings, e.g. all filenames ending in .c, all directories that have a

755 views • 5 slides
Quantum pattern matching fast on average Ashley Montanaro Department of Computer Science,

Quantum pattern matching fast on average Ashley Montanaro Department of Computer Science,

Quantum pattern matching fast on average Ashley Montanaro Department of Computer Science, University of Bristol, UK 12 January 2015 Pattern matching In the traditional pattern matching problem, we seek to find a pattern P : [ m ] within

1.25k views • 53 slides
Matching Tree Patterns on Partial-trees Optimizing Tree-Pattern Matching Shachar Harussi

Matching Tree Patterns on Partial-trees Optimizing Tree-Pattern Matching Shachar Harussi

Outline Motivation: Graph querying Background: tree patterns Partial trees - holistic divide and concur Matching Tree Patterns on Partial-trees Optimizing Tree-Pattern Matching Shachar Harussi Supervision of Prof. Amir Averbuch September 1,

1.07k views • 78 slides
7.5 Bipartite Matching Matching Matching. Input: undirected graph G = (V, E). M E

7.5 Bipartite Matching Matching Matching. Input: undirected graph G = (V, E). M E

7.5 Bipartite Matching Matching Matching. Input: undirected graph G = (V, E). M E is a matching if each node appears in at most edge in M. Max matching: find a max cardinality matching. 3 Bipartite Matching Bipartite matching.

542 views • 37 slides
Real Real- -Time Systems Time Systems Designing a real- Designing a real -time system time

Real Real- -Time Systems Time Systems Designing a real- Designing a real -time system time

EDA222/DIT160 Real-Time Systems, Chalmers/GU, 2008/2009 Lecture #10 Updated 2009-02-15 Real Real- -Time Systems Time Systems Designing a real- Designing a real -time system time system Logical function What should be done &amp;

500 views • 8 slides
CS 126 Lecture T1: Pattern Matching Outline Introduction Pattern matching in Unix

CS 126 Lecture T1: Pattern Matching Outline Introduction Pattern matching in Unix

CS 126 Lecture T1: Pattern Matching Outline Introduction Pattern matching in Unix Regular expressions in Unix Regular expressions as formal languages Finite State Automata Conclusions CS126 14-1 Randy Wang Introduction

431 views • 41 slides
Graph Matchings Matching A matching M in a graph G is a set of non-loop edges with no shared

Graph Matchings Matching A matching M in a graph G is a set of non-loop edges with no shared

Graph Matchings Matching A matching M in a graph G is a set of non-loop edges with no shared endpoints. D E A B C F D E Matching A B C F D E D E A B C F A B C F Matching A vertex is saturated if it is incident to M

629 views • 26 slides
Pattern matching and lexing Informatics 2A: Lecture 6 John Longley School of Informatics

Pattern matching and lexing Informatics 2A: Lecture 6 John Longley School of Informatics

Pattern matching Lexing Pattern matching and lexing Informatics 2A: Lecture 6 John Longley School of Informatics University of Edinburgh jrl@inf.ed.ac.uk 30 September, 2011 1 / 15 Pattern matching Lexing 1 Pattern matching grep and its

495 views • 15 slides
Lecture 8 n Agenda: n String matching n How to evaluate a pattern recognition system String

Lecture 8 n Agenda: n String matching n How to evaluate a pattern recognition system String

Lecture 8 n Agenda: n String matching n How to evaluate a pattern recognition system String Matching (note 1) n n Definitions: n x = movi. Text :zlatanibrahimovic n Shift: s = offset from start of text to start position of x n Valid

919 views • 35 slides
Differentiable Tree Planning for Deep RL Greg Farquhar 1 In Collaboration With Tim

Differentiable Tree Planning for Deep RL Greg Farquhar 1 In Collaboration With Tim

Differentiable Tree Planning for Deep RL Greg Farquhar 1 In Collaboration With Tim Rocktaschel, Maximilian Igl, &amp; Shimon Whiteson Greg Farquhar 2 / 35 Overview Reinforcement learning Model-based RL and online planning

385 views • 35 slides
Locality-Preserving Blockchain Implementation Maxime Sierro DEDIS Lab Supervisors : Kelong

Locality-Preserving Blockchain Implementation Maxime Sierro DEDIS Lab Supervisors : Kelong

Locality-Preserving Blockchain Implementation Maxime Sierro DEDIS Lab Supervisors : Kelong Cong, Cristina Basescu Responsible : Prof. Bryan Ford Introduction Project goal : implement a blockchain system which is adapted to Nyle. A Nyle

461 views • 42 slides
Template Rural Health Network Facilitator Name Job Title Date 1 Strategic Planning It is

Template Rural Health Network Facilitator Name Job Title Date 1 Strategic Planning It is

Strategic Planning Presentation Template Rural Health Network Facilitator Name Job Title Date 1 Strategic Planning It is not enough to just do your best or work hard. You must know what to work on. Edward Deming 2 A

445 views • 30 slides
Keep Durham Beautiful 919.560.4197 DurhamNC.gov Follow Us @ CityofDurhamNC Empowering volunteers

Keep Durham Beautiful 919.560.4197 DurhamNC.gov Follow Us @ CityofDurhamNC Empowering volunteers

Keep Durham Beautiful 919.560.4197 DurhamNC.gov Follow Us @ CityofDurhamNC Empowering volunteers to create a cleaner, greener Durham! 919.560.4197 DurhamNC.gov Follow Us @ CityofDurhamNC Mission | Focus Mission To engage and inspire

527 views • 25 slides
PERIMETER WALL MAINTENANCE &amp; REPAIRS NEIGHBORHOOD UPDATE - HAMILTON COMM. CENTER MAY 15,

PERIMETER WALL MAINTENANCE &amp; REPAIRS NEIGHBORHOOD UPDATE - HAMILTON COMM. CENTER MAY 15,

PERIMETER WALL MAINTENANCE &amp; REPAIRS NEIGHBORHOOD UPDATE - HAMILTON COMM. CENTER MAY 15, 2019 6:30 PM TONIGHTS DISCUSSION Thank You Ham. Fields HOA Board ( Marie Hoch &amp; Nancy Kawata ) Brief Discussion of the CFD, Ham. HOAs, and

451 views • 15 slides
An Introduction to Neural Network Rule Extraction Algorithms By Sarah Jackson Can we trust

An Introduction to Neural Network Rule Extraction Algorithms By Sarah Jackson Can we trust

An Introduction to Neural Network Rule Extraction Algorithms By Sarah Jackson Can we trust magic? Neural Networks Machine learning black boxes Magical, unexplainable results Problems People won't trust Neural Networks since

509 views • 26 slides
SO SOUTHWESTERN MED EDIC ICAL DIS ISTRIC ICT STREETSCAPE MASTER PL PLAN A PR PRESCRIP

SO SOUTHWESTERN MED EDIC ICAL DIS ISTRIC ICT STREETSCAPE MASTER PL PLAN A PR PRESCRIP

SO SOUTHWESTERN MED EDIC ICAL DIS ISTRIC ICT STREETSCAPE MASTER PL PLAN A PR PRESCRIP IPTION FOR THE CITY CITY OF OF DALLAS URBAN HEAT IN DALLAS Surface Paving Area Across Dallas Tree Canopy Cover Across Dallas (% of km 2 grid

457 views • 23 slides
The Importance of Tree Canopy in Urban Conservation Amy Miller &amp; Sarah Hurteau The Nature

The Importance of Tree Canopy in Urban Conservation Amy Miller &amp; Sarah Hurteau The Nature

The Importance of Tree Canopy in Urban Conservation Amy Miller &amp; Sarah Hurteau The Nature Conservancy February 14, 2018 Mission -- Conserve the Lands and Waters on Which All Life Depends Science-based, non-partisan organization The

609 views • 13 slides

More recommend