adding rigor to the comparison of anomaly detector outputs
play

Adding rigor to the comparison of anomaly detector outputs Romain - PowerPoint PPT Presentation

Feb 20, 2023 •117 likes •323 views

Introduction Problem Proposed method Evaluation Discussion Conclusion Adding rigor to the comparison of anomaly detector outputs Romain Fontugne , National Institute of Informatics / SOKENDAI, Tokyo Pierre Borgnat , Physics Lab, CNRS, ENS

  1. Introduction Problem Proposed method Evaluation Discussion Conclusion Adding rigor to the comparison of anomaly detector outputs Romain Fontugne , National Institute of Informatics / SOKENDAI, Tokyo Pierre Borgnat , Physics Lab, CNRS, ENS Lyon Patrice Abry , Physics Lab, CNRS, ENS Lyon Kensuke Fukuda , National Institute of Informatics / PRESTO JST, Tokyo April 25, 2010 Adding rigor to the comparison of anomaly detector outputs, Fontugne, Borgnat, Abry, Fukuda 1

  2. Introduction Problem Proposed method Evaluation Discussion Conclusion Motivation Anomaly detection in backbone traffic • Active research domain • Wavelet [IMC 02], PCA [SIGCOMM 05, SIGMETRICS 07], gamma law [LSAD 07], association rule [IMC 09]... • Tricky evaluation, lack of common ground truth: • Manual inspection • Synthetic traffic • Comparison with other methods Similar problems arise in traffic classification Adding rigor to the comparison of anomaly detector outputs, Fontugne, Borgnat, Abry, Fukuda 2

  3. Introduction Problem Proposed method Evaluation Discussion Conclusion Goal Long term goal: Provide common “ground truth data” • Labeling MAWI archive • Combining several anomaly detector results • Ground truth relative to the state of the art Goal of this work: Find relations between outputs of different classifiers Adding rigor to the comparison of anomaly detector outputs, Fontugne, Borgnat, Abry, Fukuda 3

  4. Introduction Problem Proposed method Evaluation Discussion Conclusion Problem statement: Eventx=Eventy?? Event (= anomaly detector’s alarm) Set of traffic feature containing at least 2 timestamps and one traffic feature. i.e. one flow, one IP address, a set of flows, a set of packets... Main difficulties • Different granularities: Event1=Event2?=Event3? • Overlapping: Event4=Event5? • Different points of view: Event1=Event6? Adding rigor to the comparison of anomaly detector outputs, Fontugne, Borgnat, Abry, Fukuda 4

  5. Introduction Problem Proposed method Evaluation Discussion Conclusion Proposed method Approach Identify similar events by using community mining on graph Overview • Oracle: Uncover relations between traffic and events • Graph gen.: Represent events and their relations in a graph • Community Mining: Find similar events by looking at dense components Adding rigor to the comparison of anomaly detector outputs, Fontugne, Borgnat, Abry, Fukuda 5

  6. Introduction Problem Proposed method Evaluation Discussion Conclusion Oracle Uncover relations between original traffic and events • List the events that match each packet of the original traffic • i.e. pkt1: { IP 1 : 80 → IP 2 : 12345 } = Event1: { srcIP = IP 1 } Adding rigor to the comparison of anomaly detector outputs, Fontugne, Borgnat, Abry, Fukuda 6

  7. Introduction Problem Proposed method Evaluation Discussion Conclusion Graph generator Build a non-directed weighted graph from the Oracle output • Nodes are events and edges are shared packets • Weight on each edge: similarity measure, Simpson index, | E 1 ∩ E 2 | / min( | E 1 | , | E 2 | ), E i : packets matching event i Adding rigor to the comparison of anomaly detector outputs, Fontugne, Borgnat, Abry, Fukuda 7

  8. Introduction Problem Proposed method Evaluation Discussion Conclusion Community mining Identify community (= dense component) in the graph • Louvain algorithm 1 : based on Modularity 2 • Take into account node connectivity and edge weight 1Blondel et al.: Fast unfolding of communities in large networks. J.STAT.MECH. (2008) 2Newman, Girvan: Finding and evaluating community structure in networks. Phys. Rev.E (Feb 2004) Adding rigor to the comparison of anomaly detector outputs, Fontugne, Borgnat, Abry, Fukuda 8

  9. Introduction Problem Proposed method Evaluation Discussion Conclusion Data and anomaly detectors Data set • MAWI archive (trans-Pacific link) • During the outbreak of the Sasser worm (08/2004) Anomaly detectors • Sketches and multiresolution gamma modeling 3 Report source or destination IP • Image processing: Hough transform 4 Report set of packets 3Dewaele, G., Fukuda, K., Borgnat, P., Abry, P., Cho, K.: Extracting hidden anomalies using sketch and non gaussian multiresolution statistical detection procedures. SIGCOMM LSAD 07 4Fontugne, R., Himura, Y., Fukuda, K.: Evaluation of anomaly detection method based on pattern recognition. IEICE Trans. on Commun. E93-B(2) (February 2010) Adding rigor to the comparison of anomaly detector outputs, Fontugne, Borgnat, Abry, Fukuda 9

Recommend

Principles Seven Principles Rigor and Formality Rigor and Formality Rigor is the

Principles Seven Principles Rigor and Formality Rigor and Formality Rigor is the

Principles to Methodologies Software Engineering Methodologies Principles Tools Methods and techniques Principles Seven Principles Rigor and Formality Rigor and Formality Rigor is the tightness of the definition, design,

329 views • 3 slides
What Does Rigor Look Like? A New Lens for Examining Cognitive Rigor in Assessments &

What Does Rigor Look Like? A New Lens for Examining Cognitive Rigor in Assessments &

What Does Rigor Look Like? A New Lens for Examining Cognitive Rigor in Assessments & Curriculum National Conference on Student Assessm ent Sponsored by the Council of Chief State School Officers Detroit, MI , June 2 0 -2 3 , 2 0 1 0

358 views • 16 slides
CLIC detector requirements and technologies first comparison with the pp case Lucie Linssen,

CLIC detector requirements and technologies first comparison with the pp case Lucie Linssen,

CLIC detector requirements and technologies first comparison with the pp case Lucie Linssen, CERN on behalf of the CLIC detector and physics study (CLICdp) Lucie Linssen, FHC meeting, 27/1/2014 1 contents Contents: CLIC detector

431 views • 39 slides
What We Learned By Using the Rigor Metric Emily S. Patterson, PhD (and numerous colleagues)

What We Learned By Using the Rigor Metric Emily S. Patterson, PhD (and numerous colleagues)

What We Learned By Using the Rigor Metric Emily S. Patterson, PhD (and numerous colleagues) Need for Analytic Rigor: Avoid Surprise August 7, 1998 Bombings of US Embassies in Africa 224 killed, including 12 US personnel Need for Rigor

471 views • 24 slides
Comparison of Comparison of Several Anomaly Detection Methods on Several Anomaly Detection

Comparison of Comparison of Several Anomaly Detection Methods on Several Anomaly Detection

The Fifth Japan-Taiwan International Workshop The Fifth Japan-Taiwan International Workshop on Hydrological and Geochemical Research for Earthquake Prediction on Hydrological and Geochemical Research for Earthquake Prediction Comparison of

775 views • 38 slides
ANOMALY DETECTOR FOR CYBER-PHYSICAL INDUSTRIAL SYSTEMS ANNA GUINET TELECOM SUDPARIS FRANCE

ANOMALY DETECTOR FOR CYBER-PHYSICAL INDUSTRIAL SYSTEMS ANNA GUINET TELECOM SUDPARIS FRANCE

ANOMALY DETECTOR FOR CYBER-PHYSICAL INDUSTRIAL SYSTEMS ANNA GUINET TELECOM SUDPARIS FRANCE iCIS 9 th November 2018 Radboud University CONTENTS 1. PRESENTATION 2. CYBER-PHYSICAL SYSTEMS 2.1 Presentation 2.2 Networked control systems

658 views • 38 slides
in their ability to define it (p. 269). How do you know academic rigor when you see it?

in their ability to define it (p. 269). How do you know academic rigor when you see it?

Poll Everywhere Draeger, Hill, Hunter, and Mahler (2013) reported everyone seemed to believe that they know it [rigor] when they see it, but few felt confident in their ability to define it (p. 269). How do you know academic rigor

281 views • 27 slides
Co-producing the future Tony Bovaird INLOGOV TSRC Governance International November 2014 1

Co-producing the future Tony Bovaird INLOGOV TSRC Governance International November 2014 1

Co-producing the future Tony Bovaird INLOGOV TSRC Governance International November 2014 1 Private and third sector market outputs Public sector outputs Whose Informal economy outputs activities are adding value for our Formal

744 views • 30 slides
Upping the Rigor Vertically aligning the curriculum from ESL to ASE Why rigor? In

Upping the Rigor Vertically aligning the curriculum from ESL to ASE Why rigor? In

Upping the Rigor Vertically aligning the curriculum from ESL to ASE Why rigor? In the next decade... US Jobs: 63 percent will require postsecondary education. NEW, US Jobs: 90 percent in growing industries will

315 views • 29 slides
Has our school forged a common 2. How does it transition from middle to high school vision of

Has our school forged a common 2. How does it transition from middle to high school vision of

Leading for Rigor, Relevancy and Literacy ODE Summer Conference 2007 Leading for Rigor, Relevance Essential Skill: and Literacy Instructional Leadership 1. Reflect on your schools vision for instruction 2. Introduction to rigor and

516 views • 19 slides
What is an anomaly? Alastair Rushworth Data Scientist DataCamp Anomaly Detection in R Defining

What is an anomaly? Alastair Rushworth Data Scientist DataCamp Anomaly Detection in R Defining

DataCamp Anomaly Detection in R ANOMALY DETECTION IN R What is an anomaly? Alastair Rushworth Data Scientist DataCamp Anomaly Detection in R Defining the term anomaly Anomaly: a data point or collection of data points that do not follow the

870 views • 21 slides
Anomaly Detection of Trajectories Junier B. Oliva Anomaly Detection An anomaly (or outlier)

Anomaly Detection of Trajectories Junier B. Oliva Anomaly Detection An anomaly (or outlier)

Anomaly Detection of Trajectories Junier B. Oliva Anomaly Detection An anomaly (or outlier) in a dataset is an instance that is abnormal or unlikely based on the rest of the dataset If the instances in the dataset are labeled as

760 views • 19 slides
Contents 1 Causal Inference and Predictive Comparison 2 1.1 How Predictive Comparison Can

Contents 1 Causal Inference and Predictive Comparison 2 1.1 How Predictive Comparison Can

Causal Inference in Observational Studies Contents 1 Causal Inference and Predictive Comparison 2 1.1 How Predictive Comparison Can Mislead . . . . . . . . . . . . . 2 1.2 Adding Predictors as a Solution . . . . . . . . . . . . . . . . . .

274 views • 14 slides
Session Outcomes Participants will: Explore the meaning of rigor in mathematics. Discuss

Session Outcomes Participants will: Explore the meaning of rigor in mathematics. Discuss

Ensuring Rigor in First-Year Mathematics Courses Connie Richardson, Manager, Higher Education Course Programs Joan Zoellner, Course Program Specialist December 7, 2018 Session Outcomes Participants will: Explore the meaning of rigor in

920 views • 46 slides
Ensuring Rigor in First-Year Mathematics Courses Joan Zoellner, Course Program Specialist March

Ensuring Rigor in First-Year Mathematics Courses Joan Zoellner, Course Program Specialist March

Ensuring Rigor in First-Year Mathematics Courses Joan Zoellner, Course Program Specialist March 21, 2019 Outcomes Participants will: Explore the meaning of rigor in mathematics. Discuss ways to promote rigor in the first year

319 views • 31 slides
Anomaly Detection Algorithms for Malware Traffic Analysis using Tamper Resistant Features Dr.

Anomaly Detection Algorithms for Malware Traffic Analysis using Tamper Resistant Features Dr.

Anomaly Detection Algorithms for Malware Traffic Analysis using Tamper Resistant Features Dr. Patrick McDaniel Berkay Celik Fall 2015 Introduction Motivation Related Work Data Approach Experimental Results Comparison

391 views • 25 slides
A New SU(2) Anomaly Edward Witten PCTS, October 3, 2018 A familiar anomaly says that in four

A New SU(2) Anomaly Edward Witten PCTS, October 3, 2018 A familiar anomaly says that in four

A New SU(2) Anomaly Edward Witten PCTS, October 3, 2018 A familiar anomaly says that in four spacetime dimensions, an SU(2) gauge theory with a single multiplet of fermions that transform under SU(2) in the spin 1/2 representation is

820 views • 43 slides
indicators Julia Slay, NEF Introductions around the room The first distinction: outputs

indicators Julia Slay, NEF Introductions around the room The first distinction: outputs

Outputs, outcomes and indicators Julia Slay, NEF Introductions around the room The first distinction: outputs Outputs Outputs are a quantitative summary of an activity. For example, the activity is we provide training and the output

560 views • 20 slides
Anomaly Detection Jia-Bin Huang Virginia Tech Spring 2019 ECE-5424G / CS-5824 Administrative

Anomaly Detection Jia-Bin Huang Virginia Tech Spring 2019 ECE-5424G / CS-5824 Administrative

Anomaly Detection Jia-Bin Huang Virginia Tech Spring 2019 ECE-5424G / CS-5824 Administrative Anomaly Detection Motivation Developing an anomaly detection system Anomaly detection vs. supervised learning Choosing what features

514 views • 34 slides
Rigor of TP in Educational Engineering Software Walther Neuper IICM, Institute for Computer

Rigor of TP in Educational Engineering Software Walther Neuper IICM, Institute for Computer

Rigor of TP in Educational Engineering Software Walther Neuper IICM, Institute for Computer Media, University of Technology. Graz, Austria wneuper@ist.tugraz.at The discipline of Computer Theorem Proving (TP) distinguishes itself by formal rigor

272 views • 6 slides
Phonons in metals - Kohn in metals - Kohn anomaly anomaly Phonons ion background

Phonons in metals - Kohn in metals - Kohn anomaly anomaly Phonons ion background

Phonons in metals - Kohn in metals - Kohn anomaly anomaly Phonons ion background oscillation relative to (fixed) electron analog to plasma oscillation ion mass ion density ion charge screening of Coulomb by (fast) electrons Kohn

1.08k views • 8 slides
Strategic Plan for Detector R&D at Fermilab Petra Merkel Fermilab Detector R&D

Strategic Plan for Detector R&D at Fermilab Petra Merkel Fermilab Detector R&D

Strategic Plan for Detector R&D at Fermilab Petra Merkel Fermilab Detector R&D Coordinator September 27 th 2019 Detector R&D Organization at Fermilab Detector Advisory Group : ~15 experts of different detector technologies

908 views • 32 slides
MUSCATINE HIGH SCHOOL GOALS (C omprehensive S chool I mprovement P lan ) 1. Add rigor back into

MUSCATINE HIGH SCHOOL GOALS (C omprehensive S chool I mprovement P lan ) 1. Add rigor back into

MUSCATINE HIGH SCHOOL GOALS (C omprehensive S chool I mprovement P lan ) 1. Add rigor back into our system (50% increase in college readiness scores by 2016) 2. Reduce the number of Freshman Fs by 50% by 2016 Addressing Goal #1 RIGOR

701 views • 43 slides
Outlook of Summer Rainfall Anomaly in Asia with Outlook of Summer Rainfall Anomaly in Asia with

Outlook of Summer Rainfall Anomaly in Asia with Outlook of Summer Rainfall Anomaly in Asia with

Sixteenth Session of the Forum on Regional Climate Monitoring, Assessment and Prediction for Asia (FOCRAII), May 7, 2020 ( ), y , Outlook of Summer Rainfall Anomaly in Asia with Outlook of Summer Rainfall Anomaly in Asia with SMART-based

457 views • 16 slides

More recommend