data fusion
play

Data Fusion Enhancing NetFlow Graph Analytics EMILIE PURVINE, BRYAN - PowerPoint PPT Presentation

Nov 07, 2023 •186 likes •510 views

Data Fusion Enhancing NetFlow Graph Analytics EMILIE PURVINE, BRYAN OLSEN, CLIFF JOSLYN Pacific Northwest National Laboratory FloCon 2016 Outline Introduction NetFlow Windows Event Log data Remote Desktop Protocol (RDP) sessions Approach

  1. Data Fusion Enhancing NetFlow Graph Analytics EMILIE PURVINE, BRYAN OLSEN, CLIFF JOSLYN Pacific Northwest National Laboratory FloCon 2016

  2. Outline Introduction NetFlow Windows Event Log data Remote Desktop Protocol (RDP) sessions Approach to fusion of NetFlow and Windows Event Log data Exploratory data analysis of fused data Topological analysis Spectral methods Persistent Homology January 20, 2016 2

  3. Introduction Remote Desktop Sessions Important to analyze in the context of NetFlow Data Sources NetFlow (using cisco NetFlow v5) Windows Event Logs Windows Logging Service (WLS) Developed by the Department of Energy's Kansas City Plant Enhance and standardize information coming from Windows logging Incorporated network interface information to create a hybrid data set enabling more accuracy in NetFlow/event log fusion at the enterprise level We will describe our lessons learned when fusing WLS and NetFlow sessions January 20, 2016 3

  4. The Challenge Research needs a way to “map” remote logins as the are represented in Windows event logs to the associated NetFlow records The mapping will highlight the relationship and fidelity of both datasets as representatives for remote login behavior Provide understanding for how each source may be used for topological and graph based approaches January 20, 2016 4

  5. Windows Event Illustrated - Remote Desktop Sessions January 20, 2016 5

  6. Windows Event Illustrated - Remote Desktop Sessions • User logs on to a remote machine using Remote Desktop Protocol (RDP) Generates (2) Windows Security Logon events with • Event ID 4624 and Logon Type 10 Interestingly, the only difference between the two 4624 • events are the Logon ID and the Logon GUID • The associated logoff event will the be event with the Logon GUID with all 0s January 20, 2016 6

  7. Windows Event Illustrated - Remote Desktop Sessions • Close RDP window: When a user simply closes their RDP session without doing a proper logoff • Their windows session remains "Logged On” • This will not generate the typical Windows Security Event (4634 or 4647) • Generates a Windows Security Other Logon/Logoff Events event with EventID 4779 • This event will have the LogonID which is related to the 4624 logon January 20, 2016 7

  8. Windows Event Illustrated - Remote Desktop Sessions We believe these are systematic logon/logoffs • which are associated with user reconnect logons and only last a few seconds January 20, 2016 8

  9. Windows Event Illustrated - Remote Desktop Sessions Logoff: When a user properly logs off (user clicks start->logoff) RDP • • Generates a Windows Security Logoff event with an Event ID 4647 (or 4634) and will have the same Logon ID from the 4624 event • Enables analyst to generate user sessions January 20, 2016 9

  10. Supporting Database Tables Event Staging Table (Logon) Flow Table Event Staging Table (Logoff) TIME_STR VARCHAR(30) FLOW_ID BIGINT TIME_STR VARCHAR(30) EVENTID BIGINT SIP BIGINT EVENTID BIGINT LOGONTYPE SMALLINT DIP BIGINT LOGONTYPE SMALLINT PROCESSNAME VARCHAR(255) SPORT INTEGER PROCESSNAME VARCHAR(255) SRC_DOMAIN VARCHAR(20) DPORT INTEGER SRC_DOMAIN VARCHAR(20) DST_DOMAIN VARCHAR(255) PROTOCOL SMALLINT DST_DOMAIN VARCHAR(255) ID VARCHAR(100) PACKETS BIGINT ID VARCHAR(100) BYTES BIGINT USERNAME VARCHAR(100) USERNAME VARCHAR(100) HOSTNAME VARCHAR(100) FLAGS VARCHAR(100) HOSTNAME VARCHAR(100) IP VARCHAR(10000) STIME NUMERIC IP VARCHAR(10000) LOGON_GUID VARCHAR(100) DURATION NUMERIC LOGON_GUID VARCHAR(100) ETIME NUMERIC SENSOR VARCHAR(100) DIRECTION_IN SMALLINT 1. Sessions w/ Proper Logon and Logoff Comma delimited list of IPs DIRECTION_OUT SMALLINT 4624 – 4647 with any Network STIME_MSEC NUMERIC 4778 – 4647 interfaces on device ETIME_MSEC NUMERIC DUR_MSEC NUMERIC 2. Sessions where closed window ITYPE VARCHAR(10) 4624 – 4779 ICODE VARCHAR(10) 4778 – 4779 INITIALFLAGS VARCHAR(100) Logon Event Session SESSIONFLAGS VARCHAR(100) 3. Get SrcIP from event 4624 ATTRIBUTES VARCHAR(100) LES_ID BIGINT When 4778 is logon event APPLICATION VARCHAR(100) LOGON_TIME TIMESTAMP (no srcIP) LOGOFF_TIME TIMESTAMP LOGON_EVENTID SMALLINT LOGOFF_EVENTID SMALLINT LOGONTYPE SMALLINT PROCESSNAME VARCHAR(255) SRC_DOMAIN VARCHAR(20) DST_DOMAIN VARCHAR(255) ID VARCHAR(100) USERNAME VARCHAR(100) HOSTNAME VARCHAR(100) HOST_IP BIGINT SRC_IP BIGINT January 20, 2016 10 LOGON_GUID VARCHAR(100)

  11. Findings: Many Sessions  1 Flow SIP: 1.1.1.1 This example illustrates a multi-user machine: E1 DIP: 2.2.2.2 Multiple users log into the same remote USER: 1 LogonTime: 01:00 destination from this system LogoffTime: 02:00 SIP: 1.1.1.1 E2 DIP: 2.2.2.2 USER: 2 LogonTime: 01:05 SIP: 1.1.1.1 F1 LogoffTime: 01:45 DIP: 2.2.2.2 Start Time: 01:20 SIP: 1.1.1.1 E3 End Time: 01:21 DIP: 2.2.2.2 Src Port: 49000 USER: 3 Dst Port: 3389 LogonTime: 1:20 LogoffTime: 1:25 SIP: 1.1.1.1 E4 DIP: 2.2.2.2 USER: 4 LogonTime: 00:30 LogoffTime: 02:15 January 20, 2016 11

  12. Findings: Many Flows  1 Event SIP: 1.1.1.1 This example illustrates a user session broken F1 DIP: 2.2.2.2 up into multiple flows. But….It appears as Start Time: 00:00 End Time: 00:01 though the same source port is used for the Src Port: 49000 duration of the user session Dst Port: 3389 SIP: 1.1.1.1 F2 DIP: 2.2.2.2 Start Time: 00:01 End Time: 00:03 SIP: 1.1.1.1 E1 Src Port: 49000 DIP: Dst Port: 3389 2.2.2.2 USER: 1 SIP: 1.1.1.1 F3 LogonTime: 00:01 DIP: 2.2.2.2 LogoffTime: 00:08 Start Time: 00:03 End Time: 00:04 Src Port: 49000 Dst Port: 3389 Since the 5 tuple (sip, dip, sport, dport, prot) remains consistent, we could aggregate these SIP: 1.1.1.1 F4 DIP: 2.2.2.2 flows into one. Start Time: 00:04 End Time: 00:08 Src Port: 49000 Dst Port: 3389 January 20, 2016 12

  13. Findings: Aggregation can help SIP: 1.1.1.1 E1 This example illustrates a multi-user machine: DIP: 2.2.2.2 Multiple users log into the same remote USER: 1 LogonTime: 01:00 destination from this system LogoffTime: 02:00 SIP: 1.1.1.1 SIP: 1.1.1.1 SIP: 1.1.1.1 E2 F1 F1 DIP: 2.2.2.2 DIP: 2.2.2.2 DIP: 2.2.2.2 USER: 2 Start Time: 01:20 Start Time: 01:20 LogonTime: 01:05 End Time: 01:21 End Time: 01:21 LogoffTime: 01:45 Src Port: 49000 Src Port: 49000 Dst Port: 3389 Dst Port: 3389 SIP: 1.1.1.1 E3 DIP: 2.2.2.2 SIP: 1.1.1.1 USER: 3 F2 DIP: 2.2.2.2 LogonTime: 1:19 LogoffTime: 1:29 Start Time: 01:22 End Time: 01:23 SIP: 1.1.1.1 E4 Src Port: 49000 DIP: 2.2.2.2 Dst Port: 3389 USER: 4 LogonTime: 00:30 SIP: 1.1.1.1 SIP: 1.1.1.1 SIP: 1.1.1.1 E3 a F1 F3 LogoffTime: 02:15 DIP: 2.2.2.2 DIP: 2.2.2.2 DIP: 2.2.2.2 USER: 1 Start Time: 01:20 Start Time: 01:24 LogonTime: 01:19 End Time: 01:28 End Time: 01:25 LogoffTime: 01:29 Src Port: 49000 Src Port: 49000 Dst Port: 3389 Dst Port: 3389 SIP: 1.1.1.1 F4 This example illustrates a user session broken up into multiple DIP: 2.2.2.2 flows. But….It appears as though the same source port is used Start Time: 01:25 for the duration of the user session End Time: 01:28 Src Port: 49000 Dst Port: 3389

  14. What we learned trying to join session “Join” remote login events to NetFlow records using the following conditions Flow records must have a Duration > 0 Flow records must have a Destination Port of 3389 Event sessions must NOT have a logoff Event ID of 4634. Automatic/systematic logoffs which only last a few seconds Flow Source IP = Event session Source IP Flow Destination IP = Event session Host IP Flow Start Time >= Event Session Start Time (- 1 minute) Flow End Time <= Event Session Stop Time (+ 1 minute) January 20, 2016 14

  15. Mapping Flow to RDP Sessions Learned that our NetFlow data had to be aggregated. Many flows for an actual “session” Enabled more accurate joins between RDP session table and Flows Joined on… Source and Destination IP Flow start time between event start time +/- 1min Flow end time between event end time +/- 1min Created a Mapping table that includes Aggregated FlowID and Logon Event Session ID (LES_ID) Created views to represent flow / session data January 20, 2016 15

  16. Fusion enables graph comparisons Compare a NetFlow graph with the login graph Enables… Higher level understanding of linked events Deviations within session behavior Initial work focused on understanding of RDP sessions and how those would represent themselves in both NetFlow and windows event log data January 20, 2016 16

  17. Spectral and topological methods applied to both Flow and Login graphs January 20, 2016 17

  18. Dimensionality Reduction for Graphs Graphs are complex objects, |V|+|E| pieces of information needed to describe Aim: map a graph into a lower dimensional space, study a dynamic graph sequence by following a trajectory through the lower dimensional space Questions What should the mapping be? How do dynamics depend on the mapping? Possible mappings Graph spectrum – top eigenvalues of an adjacency or Laplacian matrix Degree distribution Information measures on and label distributions Combination of graph measures Dynamics of random graph evolution using spectrum of adjacency matrix (top 4 images) and Laplacian matrix (bottom) 18

Recommend

Figure 1: Visual representation of M 3 Fusion . II. D ATA The study was carried out on Reunion

Figure 1: Visual representation of M 3 Fusion . II. D ATA The study was carried out on Reunion

M 3 Fusion : A Deep Learning Architecture for Multi- { Scale/Modal/Temporal } satellite data fusion P. Benedetti, D. Ienco, R. Gaetano, K. Os e, R. Pensa and S. Dupuy Abstract Modern Earth Observation systems provide sensing data at different

107 views • 9 slides
Probabilistic and Model Fusion: . . . Model Fusion: . . . Interval Uncertainty Model Fusion:

Probabilistic and Model Fusion: . . . Model Fusion: . . . Interval Uncertainty Model Fusion:

Data Fusion under . . . Data Fusion under . . . New Problem: . . . Why This Is Important New Idea: Model Fusion Probabilistic and Model Fusion: . . . Model Fusion: . . . Interval Uncertainty Model Fusion: Interval . . . Model Fusion:

503 views • 13 slides
Data Fusion Techniques and Application Guangyu Zhou Reference paper: Zheng Yu: Methodologies for

Data Fusion Techniques and Application Guangyu Zhou Reference paper: Zheng Yu: Methodologies for

Data Fusion Techniques and Application Guangyu Zhou Reference paper: Zheng Yu: Methodologies for Cross-Domain Data Fusion: An Overview Agenda Introduction Related work Data fusion techniques &amp; applications Stage-based methods

677 views • 49 slides
Introduction to Sensor Data Fusion Methods and Applications Last lecture: Why Sensor Data

Introduction to Sensor Data Fusion Methods and Applications Last lecture: Why Sensor Data

Introduction to Sensor Data Fusion Methods and Applications Last lecture: Why Sensor Data Fusion? Motivation, general context Discussion of examples Today: Steep climb to a first algorithm. oral examination: 6 credit points

1.02k views • 56 slides
Introduction to Sensor Data Fusion Methods and Applications Last lecture: Why Sensor Data

Introduction to Sensor Data Fusion Methods and Applications Last lecture: Why Sensor Data

Introduction to Sensor Data Fusion Methods and Applications Last lecture: Why Sensor Data Fusion? Motivation, general context Discussion of examples Today: Steep climb to a first algorithm. oral examination: 6 credit points

995 views • 42 slides
S@NY Sensors Anywhere FP6-033564 Adding Value to Geospatial Data with SensorSA Fusion Services

S@NY Sensors Anywhere FP6-033564 Adding Value to Geospatial Data with SensorSA Fusion Services

S@NY Sensors Anywhere FP6-033564 Adding Value to Geospatial Data with SensorSA Fusion Services Final SANY Event, Linz, 19 November 2009 Stuart E. Middleton IT Innovation Centre, University of Southampton What is the value of data fusion?

450 views • 11 slides
Application of Data Fusion to Aerial Robotics Paul Riseborough March 24, 2015 Outline

Application of Data Fusion to Aerial Robotics Paul Riseborough March 24, 2015 Outline

Application of Data Fusion to Aerial Robotics Paul Riseborough March 24, 2015 Outline Introduction to APM project What is data fusion and why do we use it? Where is data fusion used in APM? Development of EKF estimator for APM

410 views • 40 slides
PERCEPTION I Estimation and Data Fusion Robotics Winter School Roland Chapuis

PERCEPTION I Estimation and Data Fusion Robotics Winter School Roland Chapuis

PERCEPTION I Estimation and Data Fusion Robotics Winter School Roland Chapuis chapuis.roland@uca.fr January 2019 1 Introduction 2 Data Fusion aims at combining several sensors data to: provide an accurate estimation of its state,

1.15k views • 99 slides
Data Visualisation with Google Fusion Tables Workshop Exercises Dr Luc Small | 12 April 2017 |

Data Visualisation with Google Fusion Tables Workshop Exercises Dr Luc Small | 12 April 2017 |

Data Visualisation with Google Fusion Tables Workshop Exercises Dr Luc Small | 12 April 2017 | 1.5 Data Visualisation with Google Fusion Tables Page 1 of 33 1 Introduction Google Fusion Tables is shaping up to be a powerful and accessible data

695 views • 33 slides
Training of Deep Bidirectional RNNs for Hand Motion Filtering via Multimodal Data Fusion Soroosh

Training of Deep Bidirectional RNNs for Hand Motion Filtering via Multimodal Data Fusion Soroosh

Introduction HMFP-DBRNN Data Fusion Conclusion Training of Deep Bidirectional RNNs for Hand Motion Filtering via Multimodal Data Fusion Soroosh Shahtalebi , S. Farokh Atashzar , Rajni V. Patel , and Arash Mohammadi

201 views • 18 slides
High resolution image fusion via fusion frames Shidong Li San Francisco State University

High resolution image fusion via fusion frames Shidong Li San Francisco State University

Motivation of Fusion Frames What is Fusion Frame? The fusion frame formulation of multi-camera image fusion Algorithms Nume High resolution image fusion via fusion frames Shidong Li San Francisco State University jointly with Zhenjie Yao

1k views • 67 slides
Fusion Nothing But The Truth Fusion Orbotech s True Commitment To The PCB Industry Overall

Fusion Nothing But The Truth Fusion Orbotech s True Commitment To The PCB Industry Overall

Fusion Nothing But The Truth Fusion Orbotech s True Commitment To The PCB Industry Overall Fusion Performance Discovery 9000 Discovery 8xxx Discovery 6/8 Fusion launch in 2010, with the Multi-Image Technology Spiron

365 views • 34 slides
Fusion - Everything You Wanted to Know* * But Were Afraid to Ask Sam Eddinger February 7, 2013

Fusion - Everything You Wanted to Know* * But Were Afraid to Ask Sam Eddinger February 7, 2013

Fusion - Everything You Wanted to Know* * But Were Afraid to Ask Sam Eddinger February 7, 2013 Introduction Overview What is Fusion Current Techniques for Scalable Fusion Toroidal Confinement Fusion (TOKAMAK) Also known as

349 views • 32 slides
Modeling with MOSEK Fusion Ulf Worse INFORMS Minneapolis October 5 2013 http://www.mosek.com

Modeling with MOSEK Fusion Ulf Worse INFORMS Minneapolis October 5 2013 http://www.mosek.com

Modeling with MOSEK Fusion Ulf Worse INFORMS Minneapolis October 5 2013 http://www.mosek.com What is Fusion? 2 / 24 What is Fusion? What is Fusion? Fusion is a modern object oriented API for conic What is Fusion? optimization in

246 views • 24 slides
Towards Improved Usual Solution to the . . . How to Improve the . . . Trapezoidal Approximation

Towards Improved Usual Solution to the . . . How to Improve the . . . Trapezoidal Approximation

Data Fusion: Main . . . Data Fusion for Fuzzy . . . Problem: Intersection . . . Towards Improved Usual Solution to the . . . How to Improve the . . . Trapezoidal Approximation Least Squares Method to Intersection (Fusion) of Problem with

199 views • 17 slides
Estimating PM2.5 using Fusion of Satellite Remote Sensing, GEOS-Chem, and other Parameters

Estimating PM2.5 using Fusion of Satellite Remote Sensing, GEOS-Chem, and other Parameters

Estimating PM2.5 using Fusion of Satellite Remote Sensing, GEOS-Chem, and other Parameters Joel Schwartz Harvard University Critical Issues in Modeling/Fusion Missing Data Surrogates for emissions have time varying impacts

450 views • 19 slides
Next Steps for Realizing Fusion Power and Comparative Analysis of Roadmaps of World Major Fusion

Next Steps for Realizing Fusion Power and Comparative Analysis of Roadmaps of World Major Fusion

Next Steps for Realizing Fusion Power and Comparative Analysis of Roadmaps of World Major Fusion Programs Mohamed Abdou With Alice Ying, Neil Morley and input from the FNST Community Related publications can be found at www.fusion.ucla.edu TOFE

723 views • 33 slides
Update of Magnetic Fusion Energy Research Brian A. Nelson for the UW Fusion Energy Research Group

Update of Magnetic Fusion Energy Research Brian A. Nelson for the UW Fusion Energy Research Group

Fusion: Why, What, and How Fusion Research Progress Summary Update of Magnetic Fusion Energy Research Brian A. Nelson for the UW Fusion Energy Research Group University of Washington (Some slides stolen from General Atomics web site,

411 views • 30 slides
Data Fusion at Scale Markus De Shon, Ph.D. Hive Data, LLC Situation awareness Situation

Data Fusion at Scale Markus De Shon, Ph.D. Hive Data, LLC Situation awareness Situation

Data Fusion at Scale Markus De Shon, Ph.D. Hive Data, LLC Situation awareness Situation awareness is the perception of the elements in the environment within a volume of time and space, the comprehension of their meaning, and the projection

371 views • 26 slides
Staging User Feedback toward Rapid Conflict Resolution in Data Fusion Romila P Pradhan* , Siarhei

Staging User Feedback toward Rapid Conflict Resolution in Data Fusion Romila P Pradhan* , Siarhei

Staging User Feedback toward Rapid Conflict Resolution in Data Fusion Romila P Pradhan* , Siarhei Bykau , Sunil Prabhakar* *Purdue University, Bloomberg L.P. 1 Fusing data from multiple sources Data It Item S 1 S 2 S 3 S 4 Zootopia Howard

461 views • 23 slides
Ontologies and Fusion Dale Walsh The MITRE Corporation Army Fusion SME (ontological novice)

Ontologies and Fusion Dale Walsh The MITRE Corporation Army Fusion SME (ontological novice)

Ontologies and Fusion Dale Walsh The MITRE Corporation Army Fusion SME (ontological novice) Fusion JCS Pub 1-02 The process of examining all sources of intelligence and information to derive a complete assessment of an activity.

248 views • 10 slides
Efficient Algorithm for Serial Data Fusion in Wireless Sensor

Efficient Algorithm for Serial Data Fusion in Wireless Sensor

Efficient Algorithm for Serial Data Fusion in Wireless Sensor Networks A. Mostefaoui 1 , M. Melkemi 2 and A. Boukerche 3 1 University of Franche-Comt, France

701 views • 51 slides
Data Discovery Tools Google Public Data Explorer and Fusion Tables Corrie Conrad, Program

Data Discovery Tools Google Public Data Explorer and Fusion Tables Corrie Conrad, Program

Data Discovery Tools Google Public Data Explorer and Fusion Tables Corrie Conrad, Program Manager, Google.org GLA Intelligence Seminar: Visualising London October 27, 2010 Organize the worlds information and make it universally accessible

517 views • 16 slides
Boos$ng Virtual Screening Enrichments Using Data Fusion Coalescing

Boos$ng Virtual Screening Enrichments Using Data Fusion Coalescing

Boos$ng Virtual Screening Enrichments Using Data Fusion Coalescing 2D fingerprints, shape, and docking Sastry, G. M., Inakollu, V. S. S., Sherman, W.

337 views • 20 slides

More recommend