Traffic anomaly detection and attack
Download as PPTX, PDF0 likes628 views
The document discusses the increase in network attacks targeting critical infrastructures and organizations, focusing on real-time anomaly detection in network traffic and application behavior. It describes a framework that uses network-level and application-level metrics to identify deviations from normal behavior through various approaches, including diffusion maps and advanced methods like homotopy in temporal diffusion maps. The goal is to improve the detection and understanding of network anomalies, enhancing cybersecurity measures.
![Anomaly Recognition Qrator Labs4
DARPA: simulated attacks on air base[1]
The example of IP-domen traffic’s features due one day and its relations (features)
The stochastic process X={x1,…xn} where x_i- all features at the moment of the time](https://image.slidesharecdn.com/trafficanomalydetectionandattack-160511124511/85/Traffic-anomaly-detection-and-attack-4-320.jpg)
![Anomaly Recognition Qrator Labs8
DARPA: simulated attacks on air base[1]](https://image.slidesharecdn.com/trafficanomalydetectionandattack-160511124511/85/Traffic-anomaly-detection-and-attack-8-320.jpg)
![Anomaly Recognition Qrator Labs9
DARPA: simulated attacks on air base[1]](https://image.slidesharecdn.com/trafficanomalydetectionandattack-160511124511/85/Traffic-anomaly-detection-and-attack-9-320.jpg)
![Anomaly Recognition Qrator Labs12
Standard approach: Diffusion Maps (DM)
[2] R.R. Coifman, S. Lafon, Diffusion maps, Applied and Computational
Harmonic Analysis, 21, 5-30, 2006.](https://image.slidesharecdn.com/trafficanomalydetectionandattack-160511124511/85/Traffic-anomaly-detection-and-attack-12-320.jpg)
Traffic anomaly detection and attack
- 1. Traffic Anomaly Detection and Attack Recognition QRATOR Labs
- 2. Anomaly Recognition Qrator Labs2 The threat Network attack is becoming a major threat on nations, governmental institutions, critical infrastructures and business organizations. Some attacks are focused on exploiting software vulnerabilities to implement denial of service attacks, damage or steal important data. Other use a large number of infected machines to implement denial-of-service attacks. In this presentation we are focusing on detecting network attacks by detecting the anomalies in network traffic flow data and anomalous behavior of the network applications. The goal is to detect the beginning of the attack in a real-time and to detect when the system is returned back to the normal state.
- 3. Anomaly Recognition Qrator Labs3 The threat The network traffic flow data can be represented by a set of network-level metrics (amount of packets for different protocols, inbound and outbound traffic, etc.) and application-level metrics (like the response duration histogram for web server). These metrics are collected by the traffic analyser at fixed rate. The goal for the state analyzer is to detect anomalous network and application behavior basing on these metrics. The input data for the analyzer is statistics matrix that contains a single row for every traffic time slice. Each row contains the network-level and application- level features that come from different scales. This matrix is the input for the intrusion detection processes (both training and detection steps).
- 4. Anomaly Recognition Qrator Labs4 DARPA: simulated attacks on air base[1] The example of IP-domen traffic’s features due one day and its relations (features) The stochastic process X={x1,…xn} where x_i- all features at the moment of the time
- 5. Anomaly Recognition Qrator Labs5 The threat Challenge: How to process an “ocean” of data in order to find abnormal patterns in the data? How to fuse data from different sources (sensors) to find correlations and anomalies? How to find distances in high-dimensional data? How can we determine whether a point belongs to a cluster/segment or not? The goal is to identify points that deviate from normal behaviour which reside in the cluster. How we treat huge high dimensional data that is dynamically and constantly changes? How can we model the high dimensional data to find deviations from normal behavior?
- 6. Anomaly Recognition Qrator Labs6 Network Intrusion Detection Systems
- 7. Anomaly Recognition Qrator Labs7 Electronic intelligence and Cyber threat management: Generic approach Theory, efficient algorithms, software and prototypes (integrated system) which process data in real time to detect anomalies that deviate from normal behavior
- 8. Anomaly Recognition Qrator Labs8 DARPA: simulated attacks on air base[1]
- 9. Anomaly Recognition Qrator Labs9 DARPA: simulated attacks on air base[1]
- 10. Anomaly Recognition Qrator Labs10 Problem setup
- 11. Anomaly Recognition Qrator Labs11 Standard approach: Diffusion Maps (DM)
- 12. Anomaly Recognition Qrator Labs12 Standard approach: Diffusion Maps (DM) [2] R.R. Coifman, S. Lafon, Diffusion maps, Applied and Computational Harmonic Analysis, 21, 5-30, 2006.
- 13. Anomaly Recognition Qrator Labs13 Standard approach: Diffusion Maps (DM) It is easy to see that the map has the following properties: • The map represents the data in a space of dimension m. • The map is not linear. • The distance between the images of points is equal to the diffuse distance, that is, the probability to get from point x to point y via random walk on the graph for the time t.
- 14. Anomaly Recognition Qrator Labs14 Standard approach: Diffusion Maps (DM) The figure illustrates the effectiveness of the separation of mixed known clusters via “diffusion maps”. If the generated data is represented as two interlocking rings (marked different shades of blue), no any linear methods is able to divide it. Nevertheless, a random walk on the graph represented by these rings, have ability to divide the classes. The probability remain inside the same ring by random walk is greater than the probability of jumping from one ring to another.
- 15. Anomaly Recognition Qrator Labs15 Diffusion Maps (DM): The problem Classification background and anomaly?
- 16. Anomaly Recognition Qrator Labs16 Diffusion Maps (DM): The problem BAD RESULT
- 17. Anomaly Recognition Qrator Labs17 Diffusion Maps (DM): The problem Anomalies are not grouped in clusters
- 18. Anomaly Recognition Qrator Labs18 Advanced approach: Homotopy in Temporal Diffusion Maps (DM) 2 2 2 1 2 2 mod)( ji xxDji ij eeG Diffusion operator The diffusion geometry is oriented around a smooth parametric curve. The curve represents the day and night
- 19. Anomaly Recognition Qrator Labs19 Advanced approach: Homotopy in Temporal Diffusion Maps (DM) Once X is mapped - extension of to , using representatives from X (sampling) f Xx Xx
- 20. Anomaly Recognition Qrator Labs20 Advanced approach: Homotopy in Temporal Diffusion Maps (DM) iELet be approximating curve and Xx iE Define homotopy G(x) i i iEx iExiE xxG ))(,( ))(,()( )( )( xG
- 21. Anomaly Recognition Qrator Labs21 Advanced approach: Homotopy in Temporal Diffusion Maps (DM) iELet be approximating curve and Xx iE Define homotopy G(x) i i iEx iExiE xxG ))(,( ))(,()( )( )( xG
- 22. Anomaly Recognition Qrator Labs22 Advanced approach: Alpha-stream process for anomaly detection
- 23. Anomaly Recognition Qrator Labs23 Advanced approach: Alpha-stream process for anomaly detection
- 24. Anomaly Recognition Qrator Labs24 Advanced approach: Alpha-stream process for anomaly detection Image Processing application of “alpha-stream”: Object segmentation
- 25. Anomaly Recognition Qrator Labs25
- 26. Anomaly Recognition Qrator Labs26 The features(left) and its representation in DM (right)
- 27. Anomaly Recognition Qrator Labs27
- 28. Anomaly Recognition Qrator Labs28 The features(left) and its representation in DM (right)
- 29. Anomaly Recognition Qrator Labs29
- 30. Anomaly Recognition Qrator Labs30 anomalies background anomalies 0,95 0,05 background 0,03 0,97 Table 1: distribution of the “false- positive” and “true-negative” for the result of presented algorithm. anomalies background anomalies 0,63 0,37 background 0,29 0,71 Table 2: distribution of the “false- positive” and “true-negative” for the result of projection on PCA.