DRAFT

Automaton Models for Netflow Analysis

Fingerprinting and Classifying Participants

NMRG Workshop, Prague, Czech Republic Friday, July 24th 2015

Christian A. Hammerschmidt, christian.hammerschmidt@uni.lu

Interdisciplinary Centre for Security, Reliability and Trust University of Luxembourg

SLIDE 2

Automaton Models

Short Overview

C. Hammerschmidt (SnT), Automaton Models for NetFlows, SnT, 2015-07-24, 1 / 13

SLIDE 3

Fingerprinting with Automatons

Prediction, Classification, and Visualization (I)

Prediction (unsupervised)

  • predicting next states
  • detecting outliers and anomalies

Classification ((semi-)supervised)

  • classifying flows
  • identifying type of activity or infection



SLIDE 5

Fingerprinting with Automatons

Prediction, Classification, and Visualization (II)

[Animation of an automaton]


SLIDE 6

Challenges

NetFlow Data as a (Regular) Language

[Figure: NetFlow v9 record layout, image from http://www.cisco.com/c/dam/en/us/td/docs/ios/ipv6/configuration/guide/ip6-netflow_v9.fm/_jcr_content/renditions/ip6-netflow_v9-1.jpg]


SLIDE 7

Challenges

NetFlow Data as a (Regular) Language

From regression of numeric values to classification, through discretization:

  • via clustering, to obtain a few representatives
  • via binning, to obtain a discrete state space

What to choose?


SLIDE 8

Method

Learning State Structure from Data

[Figure: learning state structure from data, taken from [2]]


SLIDE 9

Evaluation

Data Set

Experiments (on time-aggregated flow data):

  1. predicting statistics for next flows
  2. classifying flows on unlabeled data
  3. classifying flows on labeled data (a botnet traffic data set [1])
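The pipeline sketched on slides 7 to 9, as an added worked example that is not the author's code (the deck shows none): each flow's bytes, packets and duration are binned into a small alphabet, a frequency-annotated prefix tree automaton is built per host from sliding windows over that host's symbol sequence, and the automaton is then used to predict the next flow's symbol (experiment 1), to score a sequence by how far it leaves the learned structure (outlier detection), and to classify a sequence against several host fingerprints (experiments 2 and 3 in miniature). The bin edges, the window length of 3, the host addresses and the flow records are all constructed for this example; the prefix tree stands in for the state-merging learner of [2] that the slides use, with the merging step omitted.

```python
"""NetFlow records -> symbolic sequences -> per-host prefix tree automaton.

Added example, not code from the slides. Bin edges, window length and all
flow records are constructed. The slides learn structure with the state-merging
algorithms of Verwer et al. [2]; a prefix tree acceptor is only the starting
point of those algorithms, so skipping the merge step is a simplification here.
"""
from bisect import bisect_right
from collections import Counter, defaultdict

# Constructed, time-ordered flow records: (src, bytes, packets, duration_s).
# 10.0.0.5 alternates small requests and large responses (web-like);
# 10.0.0.9 emits a stream of near-identical tiny flows (beacon-like).
FLOWS = [
    ("10.0.0.5", 520, 6, 0.8), ("10.0.0.5", 48000, 40, 2.1),
    ("10.0.0.5", 610, 7, 0.9), ("10.0.0.5", 51000, 44, 2.4),
    ("10.0.0.5", 480, 5, 0.7),
    ("10.0.0.9", 120, 2, 0.1), ("10.0.0.9", 118, 2, 0.1),
    ("10.0.0.9", 121, 2, 0.1), ("10.0.0.9", 119, 2, 0.1),
    ("10.0.0.9", 122, 2, 0.1),
]

# Hand-chosen bin edges (an assumption of this example; the slides fix none).
# A value v lands in bin bisect_right(edges, v): 0 below the first edge, etc.
BIN_EDGES = {"bytes": [300, 10000], "packets": [4, 20], "duration": [0.5, 1.5]}


def quantile_edges(values, k):
    """Data-driven alternative: k-1 edges at empirical quantiles of `values`.
    Compute them once on training data and reuse them unchanged at detection
    time, otherwise the alphabet silently shifts between the two phases."""
    s = sorted(values)
    return [s[(len(s) * i) // k] for i in range(1, k)]


def flow_symbol(flow, edges=BIN_EDGES):
    """One flow -> one alphabet symbol, e.g. 'b1p1d1' (bytes/packets/duration bins)."""
    _, nbytes, npackets, duration = flow
    return "b{}p{}d{}".format(bisect_right(edges["bytes"], nbytes),
                              bisect_right(edges["packets"], npackets),
                              bisect_right(edges["duration"], duration))


def host_sequences(flows, edges=BIN_EDGES):
    """Group flows by source host, keeping time order, and discretize each one."""
    seqs = defaultdict(list)
    for flow in flows:
        seqs[flow[0]].append(flow_symbol(flow, edges))
    return dict(seqs)


def windows(seq, w):
    """Sliding windows of length w: the short strings the automaton is trained on."""
    return [seq[i:i + w] for i in range(len(seq) - w + 1)]


class PrefixTreeAutomaton:
    """Prefix tree acceptor with transition counts. State 0 is the root and
    every distinct training prefix gets its own state."""

    def __init__(self):
        self.trans = defaultdict(dict)      # state -> {symbol: next_state}
        self.counts = defaultdict(Counter)  # state -> Counter of outgoing symbols
        self.n_states = 1

    def add(self, seq):
        state = 0
        for sym in seq:
            self.counts[state][sym] += 1
            if sym not in self.trans[state]:
                self.trans[state][sym] = self.n_states
                self.n_states += 1
            state = self.trans[state][sym]

    def predict_next(self, prefix):
        """Most frequent symbol seen after `prefix`; None if the prefix is unknown."""
        state = 0
        for sym in prefix:
            state = self.trans[state].get(sym)
            if state is None:
                return None
        outgoing = self.counts[state]
        return outgoing.most_common(1)[0][0] if outgoing else None

    def unseen_steps(self, seq):
        """Anomaly score: steps remaining from the first transition the automaton
        never saw in training (0 = the whole sequence follows learned structure)."""
        state = 0
        for i, sym in enumerate(seq):
            if sym not in self.trans[state]:
                return len(seq) - i
            state = self.trans[state][sym]
        return 0


def train_per_host(flows, w=3, edges=BIN_EDGES):
    """One automaton per host, i.e. a behavioural fingerprint of that host."""
    models = {}
    for host, seq in host_sequences(flows, edges).items():
        models[host] = PrefixTreeAutomaton()
        for win in windows(seq, w):
            models[host].add(win)
    return models


def classify(models, seq):
    """Label a sequence with the fingerprint that explains it best (fewest
    unseen steps); ties go to whichever host was trained first."""
    return min(models, key=lambda host: models[host].unseen_steps(seq))


if __name__ == "__main__":
    models = train_per_host(FLOWS)
    for host, seq in host_sequences(FLOWS).items():
        print(host, " ".join(seq))
    print("after request,response:", models["10.0.0.5"].predict_next(["b1p1d1", "b2p2d2"]))
    print("request,response,response ->", classify(models, ["b1p1d1", "b2p2d2", "b2p2d2"]))
```

Fixed edges keep the alphabet stable across data sets; quantile edges (the `quantile_edges` helper) adapt to the traffic but must be frozen on the training set, since recomputing them on test traffic changes which symbol a given flow maps to and makes "unseen transition" meaningless. A plain prefix tree also never generalises beyond exact training prefixes, which is exactly the reason the slides merge states: with real data the unseen-step score of this toy learner rises for any host that was not in the training set.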


SLIDE 10

Evaluation

Generated Automatons


SLIDE 11

Evaluation

Excerpt

[Table excerpt: Data Set | Experiment | Error / F1 / FPR]


SLIDE 12

Conclusion

Conclusion and Future Work

Results

  • structure learning on NetFlow data is feasible
  • initial results look very promising
  • this is still work in progress and offers a number of ways to improve

Further Research

  • compare performance to other fingerprinting solutions
  • apply a more expressive automaton model



SLIDE 14

Future Work and Extensions

Currently Ongoing Research

[Figure: currently ongoing research, taken from [2]]


SLIDE 15

Thank You!

Time for questions.


SLIDE 16

References

[1] García, S., Grill, M., Stiborek, J., Zunino, A. An empirical comparison of botnet detection methods. Computers & Security, 2014.

[2] Verwer, S. E., Witteveen, C., De Weerdt, M. M. Efficient identification of timed automata: Theory and practice. March 2010.

[3] Heule, M. J. H., Verwer, S. Software model synthesis using satisfiability solvers. Empirical Software Engineering 18, 825–856, 2013.
