detection of http get attack with clustering and
play

Detection of HTTP-GET Attack with Clustering and Information - PowerPoint PPT Presentation

Feb 08, 2024 •233 likes •590 views

Problem definition Clustering Detection Measurements Result analysis Future work Detection of HTTP-GET Attack with Clustering and Information Theoretic Measurements Pawel Chwalinski Roman Belavkin Xiaochun Cheng Middlesex University

  1. Problem definition Clustering Detection Measurements Result analysis Future work Detection of HTTP-GET Attack with Clustering and Information Theoretic Measurements Pawel Chwalinski Roman Belavkin Xiaochun Cheng Middlesex University School of Science and Technology London, United Kingdom FOUNDATIONS & PRACTICE OF SECURITY, 2012 Chwalinski, Belavkin, Xiaochun Detection of HTTP-GET Attack

  2. Problem definition Clustering Detection Measurements Result analysis Future work Outline Problem definition 1 Clustering 2 Web Dataset and Sessions Web clusters as joint distributions Entropy-based clustering Attacking Strategies Cluster assignment Results and comparison against K-means Detection Measurements 3 Mutual Information Mahalanobis Distance Likelihood of the same request segments Result analysis 4 Future work 5 Chwalinski, Belavkin, Xiaochun Detection of HTTP-GET Attack

  3. Problem definition Clustering Detection Measurements Result analysis Future work Outline Problem definition 1 Clustering 2 Web Dataset and Sessions Web clusters as joint distributions Entropy-based clustering Attacking Strategies Cluster assignment Results and comparison against K-means Detection Measurements 3 Mutual Information Mahalanobis Distance Likelihood of the same request segments Result analysis 4 Future work 5 Chwalinski, Belavkin, Xiaochun Detection of HTTP-GET Attack

  4. � � Problem definition Clustering Detection Measurements Result analysis Future work Flash Crowd ❣ ❣ ❣ ❣ ❣ ❣ Legitimate ❣ ❣ ❣ ❣ ❣ ❣ Surge of connections ❲ ❲ ❲ ❲ ❲ ❲ Illegitimate ❲ ❲ ❲ ❲ ❲ ❲ ❲ ❲ ❲ Resource exhaustion Increased number of attacking sessions � = Increased arrival rate No bandwidth flooding The only difference is in intent, rather than in behaviour Chwalinski, Belavkin, Xiaochun Detection of HTTP-GET Attack

  5. Web Dataset and Sessions Problem definition Web clusters as joint distributions Clustering Entropy-based clustering Detection Measurements Attacking Strategies Result analysis Cluster assignment Future work Results and comparison against K-means Outline Problem definition 1 Clustering 2 Web Dataset and Sessions Web clusters as joint distributions Entropy-based clustering Attacking Strategies Cluster assignment Results and comparison against K-means Detection Measurements 3 Mutual Information Mahalanobis Distance Likelihood of the same request segments Result analysis 4 Future work 5 Chwalinski, Belavkin, Xiaochun Detection of HTTP-GET Attack

  6. Web Dataset and Sessions Problem definition Web clusters as joint distributions Clustering Entropy-based clustering Detection Measurements Attacking Strategies Result analysis Cluster assignment Future work Results and comparison against K-means Dataset D divided into: D T for training and D V validating Example: s i =( homepage , homepage , homepage , news , news , news , homepage , homepage , weather , tv ) s i =(1 , 1 , 1 , 2 , 2 , 2 , 1 , 1 , 5 , 7) Ω= { 1 , 2 , . . . , n C } , where each ω represents a numerical label of an actual category, and n C = 17 Pairs of two consecutive requests are analysed, such that ( x , y ) ∈ Ω × Ω Chwalinski, Belavkin, Xiaochun Detection of HTTP-GET Attack

  7. Web Dataset and Sessions Problem definition Web clusters as joint distributions Clustering Entropy-based clustering Detection Measurements Attacking Strategies Result analysis Cluster assignment Future work Results and comparison against K-means 0.4 0.3 P(x,y) 0.2 0.1 0 17 16 15 14 1 13 2 12 3 Category Label 11 4 5 10 6 l 9 e 7 b 8 8 a L 7 9 y 10 6 r o 11 5 g 12 e 4 t 13 a 14 C 3 15 2 16 1 17 Figure: Joint distribution of the the pairs of requests observed in a cluster (i.e. one pattern of “behaviour”) Chwalinski, Belavkin, Xiaochun Detection of HTTP-GET Attack

  8. Web Dataset and Sessions Problem definition Web clusters as joint distributions Clustering Entropy-based clustering Detection Measurements Attacking Strategies Result analysis Cluster assignment Future work Results and comparison against K-means 0.25 0.2 P(x,y) 0.15 0.1 0.05 0 1 2 3 4 5 6 7 8 91011121314151617 1 2 3 4 5 6 7 8 9 1011121314151617 Category Label e l b a L y r o g e t a C Figure: Joint distribution of the the pairs of requests observed in a cluster (i.e. one pattern of “behaviour”) Chwalinski, Belavkin, Xiaochun Detection of HTTP-GET Attack

  9. Web Dataset and Sessions Problem definition Web clusters as joint distributions Clustering Entropy-based clustering Detection Measurements Attacking Strategies Result analysis Cluster assignment Future work Results and comparison against K-means n random variables { X 1 , . . . , X n } having discreet joint distribution defined as p ( x 1 , . . . , x n ) for which entropy is calculated as: � � h ( x 1 , . . . , x n ) = − . . . p ( x 1 , . . . , x n ) log p ( x 1 , . . . , x n ) (1) x 1 ,..., x n For a joint distribution p ( x , y ), entropy h ( x , y ) is calculated as: � � h ( x , y )= − p ( x , y ) log p ( x , y ) (2) x y Chwalinski, Belavkin, Xiaochun Detection of HTTP-GET Attack

  10. Web Dataset and Sessions Problem definition Web clusters as joint distributions Clustering Entropy-based clustering Detection Measurements Attacking Strategies Result analysis Cluster assignment Future work Results and comparison against K-means H T H T H 0.25 0.25 H 0.02 0.02 T 0.25 0.25 T 0.02 0.94 Table: Legitimate Coins Table: Biased Coins Entropy of legitimate distribution: h ( x , y ) = 2( bits ) x , y ∈{ H , T } Entropy of biased distribution: h ( x , y ) = 0 . 3952( bits ) x , y ∈{ H , T } Chwalinski, Belavkin, Xiaochun Detection of HTTP-GET Attack

  11. Web Dataset and Sessions Problem definition Web clusters as joint distributions Clustering Entropy-based clustering Detection Measurements Attacking Strategies Result analysis Cluster assignment Future work Results and comparison against K-means Clustering metric A set C = { C 1 , C 2 , . . . , C k } of k clusters, the goal is to minimise the average entropy of the clusters, which is computed as follows: � | C j | k � � E { H } = | D T |{ h j } (3) j =1 Having grouped b , 1 ≤ b ≤ n T sequences from D T given (3), every time a sequence s i , b < i ≤ n T is to be added to C , a cluster C j , 1 ≤ j ≤ k is picked where adding sequence s i decreases (3) the most. Problems: Unwanted effect of sequence order (Re-clustering & Merging). Minimization of (3) is computationally expensive (Partitioning) Chwalinski, Belavkin, Xiaochun Detection of HTTP-GET Attack

  12. Web Dataset and Sessions Problem definition Web clusters as joint distributions Clustering Entropy-based clustering Detection Measurements Attacking Strategies Result analysis Cluster assignment Future work Results and comparison against K-means Re-clustering Suppose that s i has been added to C j , 1 ≤ j ≤ k . Having grouped other b sequences, there exists another cluster C j ′ , 1 ≤ j ′ ≤ k , j ′ � = j such that placing the previously added s i inside C j ′ , minimises (3) further. Therefore, after processing a batch of b sequences, the algorithm is stopped, and the whole set C is re-clustered. Chwalinski, Belavkin, Xiaochun Detection of HTTP-GET Attack

  13. Web Dataset and Sessions Problem definition Web clusters as joint distributions Clustering Entropy-based clustering Detection Measurements Attacking Strategies Result analysis Cluster assignment Future work Results and comparison against K-means Merging Suppose there are two joint distributions p i ( x , y ) , 1 ≤ i ≤ k , and p j ( x , y ) , 1 ≤ j ≤ k is the application of Kullback-Leibler (KL) divergence formula: p i ( x , y ) log p i ( x , y ) � � D KL ( p i || p j )= (4) p j ( x , y ) x , y ∈ Ω Two clusters C i and C j are similar, and are merged when D KL ( p i || p j ) ≤ η KL , and D KL ( p j || p i ) ≤ η KL . Chwalinski, Belavkin, Xiaochun Detection of HTTP-GET Attack

  14. Web Dataset and Sessions Problem definition Web clusters as joint distributions Clustering Entropy-based clustering Detection Measurements Attacking Strategies Result analysis Cluster assignment Future work Results and comparison against K-means Partitioning D T divided into p same-length blocks { B 1 , B 2 , . . . , B p } . For each block B i , 1 ≤ i ≤ p minimisation of (3) merging re-clustering Having combined { B 1 , B 2 , . . . , B p } into C : merging re-clustering Chwalinski, Belavkin, Xiaochun Detection of HTTP-GET Attack

  15. Web Dataset and Sessions Problem definition Web clusters as joint distributions Clustering Entropy-based clustering Detection Measurements Attacking Strategies Result analysis Cluster assignment Future work Results and comparison against K-means Decision-making problem for attackers Having requested a link from category c ( ω t ) , ω t ∈ Ω, a programmed zombie decides whether � remain p R c ( ω t +1 ) = p M =1 − p R move Uniformly-changing zombies where | Ω | and p M =1 − p R = | Ω |− 1 p R = 1 | Ω | are too easy to detect. Frequently-changing hosts are the ones that tend to change categories less frequently comparing to the uniformly-changing zombies, such that p M = p R =0 . 5. Chwalinski, Belavkin, Xiaochun Detection of HTTP-GET Attack

Recommend

Clustering Community Detection

Clustering Community Detection

Clustering Community Detection http://image.slidesharecdn.com/communitydetectionitilecture22june2011-110622095259-phpapp02/95/community-detection-in-social-media-1-728.jpg?cb=1308736811 Jian Pei: CMPT 741/459 Clustering (1) 2 Customer Relation

1.02k views • 32 slides
Distributed Measurements for Attack Detection Distributed Measurements for Attack Detection Prof.

Distributed Measurements for Attack Detection Distributed Measurements for Attack Detection Prof.

Universitt Tbingen Computer Networks and Internet Distributed Measurements for Attack Detection Distributed Measurements for Attack Detection Prof. Dr. Georg Carle Chair for Computer Networks and Internet University of Tbingen Germany

291 views • 8 slides
Covert channels in TCP/IP: attack and defence The creation and detection of TCP/IP steganography

Covert channels in TCP/IP: attack and defence The creation and detection of TCP/IP steganography

Covert channels in TCP/IP: attack and defence The creation and detection of TCP/IP steganography for covert channels and device fingerprinting Steven J. Murdoch and Stephen Lewis http://www.cl.cam.ac.uk/users/ { sjm217 , srl32 } Computer

1.12k views • 37 slides
Covert channels in TCP/IP: attack and defence The creation and detection of TCP/IP steganography

Covert channels in TCP/IP: attack and defence The creation and detection of TCP/IP steganography

Covert channels in TCP/IP: attack and defence The creation and detection of TCP/IP steganography for covert channels and device fingerprinting Steven J. Murdoch and Stephen Lewis http://www.cl.cam.ac.uk/users/ { sjm217 , srl32 } Computer

915 views • 36 slides
Graph clustering and community detection in networks Michel Habib

Graph clustering and community detection in networks Michel Habib

Graph clustering and community detection in networks Graph clustering and community detection in networks Michel Habib habib@liafa.univ-paris-diderot.fr http://www.liafa.univ-paris-diderot.fr/~habib STRUCO, 13 november 2013 Graph clustering

428 views • 38 slides
Large-scale Evaluation of Distributed Attack Detection Thomas Gamer, Christoph P. Mayer Institut

Large-scale Evaluation of Distributed Attack Detection Thomas Gamer, Christoph P. Mayer Institut

Large-scale Evaluation of Distributed Attack Detection Thomas Gamer, Christoph P. Mayer Institut fr Telematik, Universitt Karlsruhe (TH), Germany Why Attack Detection still is important Distributed Denial-of-Service problem persists Attack

366 views • 19 slides
Community detection and cascades Rik Sarkar Today Community Detection Spectral

Community detection and cascades Rik Sarkar Today Community Detection Spectral

Community detection and cascades Rik Sarkar Today Community Detection Spectral clustering Overlapping community detection Cascades Spectral clustering Clustering or community detection using eigen vectors of the laplacian

672 views • 31 slides
Hierarchically clustering time-directed graphs and the effects of teleportation and memory Jevin

Hierarchically clustering time-directed graphs and the effects of teleportation and memory Jevin

Hierarchically clustering time-directed graphs and the effects of teleportation and memory Jevin West, Information School, University of Washington Network Clustering Graph Partitioning Community Detection Block Models Module Detection

789 views • 52 slides
Clustering Reference:http://www.elet.polimi.it/upload/matteucc/Clustering/tutorial_html/ Dr Ahmed

Clustering Reference:http://www.elet.polimi.it/upload/matteucc/Clustering/tutorial_html/ Dr Ahmed

Clustering Reference:http://www.elet.polimi.it/upload/matteucc/Clustering/tutorial_html/ Dr Ahmed Rafea Outline Introduction Clustering Algorithms K-means Fuzzy C-means Hierarchical clustering Introduction(1)

394 views • 23 slides
Network Security CIA +Availability By Jinjian Ma Topics DOS/DDoS Detection &amp; Defense

Network Security CIA +Availability By Jinjian Ma Topics DOS/DDoS Detection &amp; Defense

Network Security CIA +Availability By Jinjian Ma Topics DOS/DDoS Detection &amp; Defense Prevention DOS/DDoS Types Vulnerability attack Flooding attack DoS vs DDoS DoS: Attack is launched from single host Less

614 views • 26 slides
Clustering in Go May 2016 Wilfried Schobeiri MediaMath

Clustering in Go May 2016 Wilfried Schobeiri MediaMath

5/26/2016 Clustering in Go Clustering in Go May 2016 Wilfried Schobeiri MediaMath http://127.0.0.1:3999/clustering-in-go.slide#1 1/42 5/26/2016 Clustering in Go Who am I? Go enthusiast These days, mostly codes for fun Focused on

917 views • 42 slides
BotGraph: Large Scale Spamming Botnet Detection Web-account abuse attack recent spamming technic

BotGraph: Large Scale Spamming Botnet Detection Web-account abuse attack recent spamming technic

BotGraph: Large Scale Spamming Botnet Detection Web-account abuse attack recent spamming technic New different approche for sending spam Basing on reputation of email providers Difficult to detect signup detection monitoring users' activity

157 views • 15 slides
Alpha Presentation Next Generation Malware Detection, Clustering and Heuristics The Capstone

Alpha Presentation Next Generation Malware Detection, Clustering and Heuristics The Capstone

Alpha Presentation Next Generation Malware Detection, Clustering and Heuristics The Capstone Experience Team Proofpoint George Zhao Yash Patel Graham Thomas Brad Doherty Crystal Lewis Department of Computer Science and Engineering

761 views • 10 slides
Project Plan Next Generation Malware Detection, Clustering and Heuristics The Capstone

Project Plan Next Generation Malware Detection, Clustering and Heuristics The Capstone

Project Plan Next Generation Malware Detection, Clustering and Heuristics The Capstone Experience Team Proofpoint Crystal Lewis Yash Patel George Zhao Graham Thomas Brad Doherty Department of Computer Science and Engineering Michigan

402 views • 11 slides
SPEAKER, ENVIR ONMENT AND CHANNEL CHANGE DETECTION AND CLUSTERING VIA THE BA YESIAN

SPEAKER, ENVIR ONMENT AND CHANNEL CHANGE DETECTION AND CLUSTERING VIA THE BA YESIAN

SPEAKER, ENVIR ONMENT AND CHANNEL CHANGE DETECTION AND CLUSTERING VIA THE BA YESIAN INF ORMA TION CRITERION Sc ott Shaobing Chen &amp; P.S. Gop alakrish nan IBM T.J. Watson R ese ar ch Center email:

521 views • 6 slides
Lecture 23: Spectral clustering Hierarchical clustering What is a good clustering?

Lecture 23: Spectral clustering Hierarchical clustering What is a good clustering?

Lecture 23: Spectral clustering Hierarchical clustering What is a good clustering? Aykut Erdem May 2016 Hacettepe University Last time K-Means An iterative clustering algorithm - Initialize: Pick K random points as cluster

933 views • 64 slides
Clustering Hierarchical clustering, k-mean clustering Genome 559: Introduction to Statistical and

Clustering Hierarchical clustering, k-mean clustering Genome 559: Introduction to Statistical and

Clustering Hierarchical clustering, k-mean clustering Genome 559: Introduction to Statistical and Computational Genomics Elhanan Borenstein A quick review The clustering problem: partition genes into distinct sets with high homogeneity

772 views • 40 slides
Integrated Presentation Attack Detection and Automatic Speaker Verification: Common Features and

Integrated Presentation Attack Detection and Automatic Speaker Verification: Common Features and

Integrated Presentation Attack Detection and Automatic Speaker Verification: Common Features and Gaussian Back-end Fusion Massimiliano Todisco 1 , H ector Delgado 1 , Kong Aik Lee 2 , Md Sahidullah 3 , Nicholas Evans 1 , Tomi Kinnunen 4 and

292 views • 5 slides
Graph Clustering Graph Clustering What is clustering? What is clustering? Finding patterns

Graph Clustering Graph Clustering What is clustering? What is clustering? Finding patterns

Graph Clustering Graph Clustering What is clustering? What is clustering? Finding patterns in data, or grouping similar groups of data-points together into clusters . Clustering algorithms for numeric data: Lloyds K-means, EM

688 views • 19 slides
Focused Clustering and Outlier Detection in Large Attributed Graphs ACM SIG-KDD August 26, 2014

Focused Clustering and Outlier Detection in Large Attributed Graphs ACM SIG-KDD August 26, 2014

Focused Clustering and Outlier Detection in Large Attributed Graphs ACM SIG-KDD August 26, 2014 Bryan Perozzi , Leman Akoglu Stony Brook University Patricia Iglesias Snchez * , Emmanuel Mller * * Karlsruhe Institute of Technology

245 views • 23 slides
Current Trends in Cyber Security Course on Cyber Attack Detection &amp; Mitigation Techniques

Current Trends in Cyber Security Course on Cyber Attack Detection &amp; Mitigation Techniques

Current Trends in Cyber Security Course on Cyber Attack Detection &amp; Mitigation Techniques (NIT-K) S. K. Pal Defence Research &amp; Development Organization (DRDO) SAG, Metcalfe House, Delhi 27-Jul-2020 1 What is Cyberspace? Refers to

766 views • 17 slides
RUN-TIME ATTACK DETECTION IN CRYPTOGRAPHIC APIS Marco Squarcina 1 , joint work with Riccardo

RUN-TIME ATTACK DETECTION IN CRYPTOGRAPHIC APIS Marco Squarcina 1 , joint work with Riccardo

RUN-TIME ATTACK DETECTION IN CRYPTOGRAPHIC APIS Marco Squarcina 1 , joint work with Riccardo Focardi 1 August 23, 2017 1 Universit Ca Foscari Venezia (IT) / Cryptosense (FR) 30th IEEE Computer Security Foundations Symposium (CSF2017) Santa

1.1k views • 46 slides
Scalable Data Analytics Pipeline for Real-Time Attack Detection; Design, Validation, and

Scalable Data Analytics Pipeline for Real-Time Attack Detection; Design, Validation, and

Scalable Data Analytics Pipeline for Real-Time Attack Detection; Design, Validation, and Deployment in a Honeypot Environment Eric Badger Masters Student Computer Engineering 1 Overview Introduction/Motivation Challenges

508 views • 30 slides
Overview What is Adversarial Attack? Why should we care? How does it work? Real

Overview What is Adversarial Attack? Why should we care? How does it work? Real

Adversarial Attacks on Phishing Detection Ryan Chang Overview What is Adversarial Attack? Why should we care? How does it work? Real World Demo on Phishing Detection Model How to defend? Adversarial Examples on

610 views • 26 slides

More recommend