distributed summary statistics with bro
play

Distributed Summary Statistics with Bro Vlad Grigorescu 1 > - PowerPoint PPT Presentation

Dec 30, 2023 •45 likes •305 views

Distributed Summary Statistics with Bro Vlad Grigorescu 1 > whoami Member of the Bro development team Senior Developer at Broala LLC Senior Information Security Engineer at Carnegie Mellon University

  1. Distributed Summary Statistics with Bro Vlad Grigorescu 1

  2. > whoami • Member of the Bro development team • Senior Developer at Broala LLC • Senior Information Security Engineer at Carnegie Mellon University https://github.com/grigorescu @0f010d 2

  3. Goal To develop statistics that can efficiently summarize network activity distributed over a large number of sensors, while minimizing memory usage. 3

  4. Outline 1. Observation examples 2. What types of questions can we answer? 3. SumStats Framework 1. Overview 2. Available Reducers 4. Real-world usage 4

  5. Observation Examples • 192.168.2.13 received an NXDOMAIN reply for a DNS A query of: host.244.ipoe2.subnets.khb.ttkdv.ru 5

  6. Observation Examples • 192.168.2.14 received a 403 Forbidden when performing a POST to: http://sqm.microsoft.com/sqm/ Windows/sqmserver.dll 6

  7. Observation Examples • 192.168.2.15 sent an e-mail with an application/x-dosexec attachment, with MD5 hash c84a46850de0a29483ed1f7a0b9897ab 7

  8. What types of questions can we answer? • Which source/dest IP pairs have the lowest variance in TCP session byte counts? • Which ASNs have the highest number of connections into your network? • Which IP source has connected to the highest number of unique destinations? 8

  9. What types of questions can we answer? • In the past 24 hours, which clients have sent the most failed DNS queries? • Which servers have received the most failed DNS queries? • If we look at each IP’s ratio of failed to total DNS queries, which IPs have had over 90% failures? 9

  10. SumStats Framework • A set of Bro scripts for generating summary statistics • Tie into the existing Bro scripts to make observations about events in layers 2-7 • Can threshold values to create notices, which can prompt automated responses • Can query the current values for more advanced use-cases scripts 10

  11. SumStats Framework: Philosphy All summary statistics must be: • Highly memory efficient, • Streaming (the data is only seen once), • Mergable (distributable across thousands of nodes, each of which see a subset of the total traffic) 11

  12. SumStats Framework: Design Observation! Notice! Observation! Observation! Observation! Observation! Observation! Observation! Observation! Reducer Observation! SumStat Observation! Observation! Observation! Observation! Observation! Observation! Observation! Observation! Observation! Observation! Observation! 12

  13. SumStats Framework: Design Observation! Notice! Observation! Observation! Observation! Observation! Observation! Observation! Observation! Reducer Observation! SumStat Observation! Observation! Observation! Observation! Observation! Observation! Observation! Observation! Observation! Observation! Observation! 13

  14. SumStats Framework: Design Reducer Reducer Observation! Reducer 14

  15. SumStats Framework: Reducers “Classic” Stats: “Memory Efficient” Stats: • Average • HyperLogLog • Min • Top-k • Max • Reservoir Sampling • Last • Sum • Std Dev • Variance • Cardinality 15

  16. Reducers: HyperLogLog • Streaming algorithm for calculating cardinality of huge datasets • Can calculate cardinality of 1 billion elements with a relative accuracy of 2% using 1.5 KB of memory • Mergeable without any loss in accuracy 16

  17. Reducers: HyperLogLog Which IP source has connected to the highest number of unique destinations? Let’s assume that you have a fully populated /8 network (16.5M hosts). We want to know the cardinality of destinations for each host. 16.5M ₒ 1.5 KB ≈ 24 GB of RAM 17

  18. Reducers: Top-k • Streaming algorithm for finding the most frequent elements in a dataset, in a space-saving way • Implementation of: Metwally A, Agrawal D, El Abbadi A (2005) Efficient computation of frequent and top-k elements in data streams. 18

  19. Reducers: Top-k Which IP source has connected to the highest number of unique destinations? Connect our HyperLogLog reducer to a Top-k reducer. Still assuming /8 network and 2% error; top talker connected to 1000 destinations ≈ 6 GB of RAM. 19

  20. Real-World Usage: Writing a SumStat Script Which source/dest IP pairs have the lowest variance in TCP session byte counts? 20

  21. Real-World Usage: Writing a SumStat Script 1. Observation: event connection_state_remove(c: connection) { SumStats::observe("end_of_conn", [$key=cat(c$id$orig_h,c$id$resp_h)], [$num=c$orig$size+c$resp$size]); } 21

  22. Real-World Usage: Writing a SumStat Script 2. Reducers: local r1 = SumStats::Reducer( $stream="end_of_conn", $apply=set(SumStats::VARIANCE, SumStats::SUM) ); 22

  23. Real-World Usage: Writing a SumStat Script 3. SumStat: SumStats::create( [$name="variance_of_orig_bytes", $epoch=5min, $reducers=set(r1), $threshold_val=(1-variance), #See note $threshold=0.9, $threshold_crossed=doNotice()#See note ]); Note: Slightly simplified for brevity where commented. 23

  24. Real-World Usage: scan.bro Tracks the number of failed connection attempts (“port scans”) by source IP. Generates a notice when: • A source scans over 25 unique IPs on the same port within 5 minutes, or • A source scans over 25 unique ports on the same destination IP within 5 minutes. 24

  25. Real-World Usage: scan.bro • Carnegie Mellon sees approximately 3000-6000 failed connection attempts per second • scan.bro uses approx. 150 MB of RAM and has detected 49,500 scans from July-November 2013 25

  26. Ongoing Work • Writing more SumStats scripts to detect: • DNS amplification attacks • Beaconing • Behavioral changes 26

Recommend

Probability & Statistics: Intro, summary statistics, probability 2 - Efron & Tibshirani,

Probability & Statistics: Intro, summary statistics, probability 2 - Efron & Tibshirani,

1 Mathematical Tools for Neural and Cognitive Science Fall semester, 2018 Probability & Statistics: Intro, summary statistics, probability 2 - Efron & Tibshirani, Introduction to the Bootstrap , 1998 3 Some history 1600s:

536 views • 19 slides
Next Generation Vital Statistics Summary Report Letter to the Secretary Next Steps

Next Generation Vital Statistics Summary Report Letter to the Secretary Next Steps

Next Generation Vital Statistics Summary Report Letter to the Secretary Next Steps Hearing Summary (Table of Contents) Executive Summary I. Introduction and Overview of the Hearing II. The Vital Records and Statistics System

283 views • 10 slides
The Statistics of Summary-Data MR Qingyuan Zhao Department of Statistics, Wharton School,

The Statistics of Summary-Data MR Qingyuan Zhao Department of Statistics, Wharton School,

The Statistics of Summary-Data MR Qingyuan Zhao Department of Statistics, Wharton School, University of Pennsylvania ( From August 1st : Statistical Laboratory, University of Cambridge) July 17, 2019 @ MRC-IEU Mendelian randomization conference,

247 views • 22 slides
Frequency Distribution and Summary Statistics Dongmei Li Department of Public Health Sciences

Frequency Distribution and Summary Statistics Dongmei Li Department of Public Health Sciences

Frequency Distribution and Summary Statistics Dongmei Li Department of Public Health Sciences Office of Public Health Studies University of Hawaii at M noa Outline 1. Stemplot 2. Frequency table 3. Summary statistics 2 1. Stem-and-leaf

924 views • 61 slides
1 Practical Information 2 Introduction to Statistics Per Bruun Brockhoff 3 Descriptive Statistics:

1 Practical Information 2 Introduction to Statistics Per Bruun Brockhoff 3 Descriptive Statistics:

Agenda Course 02402 Introduction to Statistics Lecture 1: Introduction to Statistics 1 Practical Information 2 Introduction to Statistics Per Bruun Brockhoff 3 Descriptive Statistics: Summary Statistics DTU Informatics Building 305 - room 110

194 views • 5 slides
DOT-K: Distributed Online Top-K Elements Algorithm with Extreme Value Statistics Nick Carey,

DOT-K: Distributed Online Top-K Elements Algorithm with Extreme Value Statistics Nick Carey,

DOT-K: Distributed Online Top-K Elements Algorithm with Extreme Value Statistics Nick Carey, Tams Budavri, Yanif Ahmad, Alexander Szalay Johns Hopkins University Department of Computer Science ncarey4@jhu.edu Context Simple Top-k

176 views • 16 slides
Introduction to Data Science: x (1) x 1 x 2 x ( n ) x i n 1 1 Size: size

Introduction to Data Science: x (1) x 1 x 2 x ( n ) x i n 1 1 Size: size

Exploratory Data Analysis Exploratory Data Analysis: Summary Statistics Exploratory Data Analysis: Summary Statistics EDA with the grammar of graphics Exploratory Data Analysis: Summary Statistics Exploratory Data Analysis: Summary Statistics

1.27k views • 90 slides
Practical methods for handling missing summary statistics in meta-analysis of continuous outcomes

Practical methods for handling missing summary statistics in meta-analysis of continuous outcomes

www.ed.ac.uk/usher @EdinUniUsher Practical methods for handling missing summary statistics in meta-analysis of continuous outcomes Cochrane Webinar, 5 February 2019 Professor Christopher Weir Personal Chair in Medical Statistics & Clinical

682 views • 29 slides
Distributed Training on HPC Presented By: Aaron D. Saxton, PhD Statistics Review Simple y =

Distributed Training on HPC Presented By: Aaron D. Saxton, PhD Statistics Review Simple y =

7/11/19 Distributed Training on HPC Presented By: Aaron D. Saxton, PhD Statistics Review Simple y = $ + regression Least Squares to find m,b With data set { ) , ) } )-.,..,0 Very special, often hard to

433 views • 16 slides
Distributed multi-sensor data fusion for 3D mapping & AI applications

Distributed multi-sensor data fusion for 3D mapping & AI applications

Prof. Rozenn Dahyot Associate Professor in Statistics School of Computer Science & Statistics Trinity College Dublin https://www.scss.tcd.ie/Rozenn.Dahyot/ Distributed multi-sensor data fusion for 3D mapping & AI applications

310 views • 13 slides
How to choose summary statistics for model selection and model checking. Sarah Filippi Imperial

How to choose summary statistics for model selection and model checking. Sarah Filippi Imperial

How to choose summary statistics for model selection and model checking. Sarah Filippi Imperial College London Theoretical Systems Biology Group 13/02/2012 Choice of summary statistics Sarah Filippi 1 of 22 Model selection vs model checking

631 views • 33 slides
Math 140 The values of a summary statistic (e.g. the Introductory Statistics average age of the

Math 140 The values of a summary statistic (e.g. the Introductory Statistics average age of the

Visualizing Distributions Recall the definition: Math 140 The values of a summary statistic (e.g. the Introductory Statistics average age of the laid-off workers) and how often they occur. Four of the most common basic shapes :

317 views • 21 slides
2.2: Numerical summary Measures of location. Measures of spread. Measures of form.

2.2: Numerical summary Measures of location. Measures of spread. Measures of form.

Applied Statistics 2.2: Numerical summary Measures of location. Measures of spread. Measures of form. Recommended reading: Chapters 3 to 7 of Portilla (2004) Applied Statistics DESCRIPTIVE STATISTICS Why are they useful?

538 views • 34 slides
Review: Types of Summary Statistics Were often interested in describing the following

Review: Types of Summary Statistics Were often interested in describing the following

Review: Types of Summary Statistics Were often interested in describing the following characteristics of the distribution of a data series: Central tendency - where is the middle of the distribution? Dispersion - how spread out is the

448 views • 28 slides
Elements of Statistics for Economists Session 3 Presentation of Data: Numerical Summary

Elements of Statistics for Economists Session 3 Presentation of Data: Numerical Summary

ECON 214 Elements of Statistics for Economists Session 3 Presentation of Data: Numerical Summary Measures Part 2 Lecturer: Dr. Bernardin Senadza , Dept. of Economics Contact Information: bsenadza@ug.edu.gh College of Education School of

661 views • 38 slides
Descriptive and Summary Statistics BIO5312 FALL2017 STEPHANIE J. SPIELMAN, PHD Logistics All

Descriptive and Summary Statistics BIO5312 FALL2017 STEPHANIE J. SPIELMAN, PHD Logistics All

Descriptive and Summary Statistics BIO5312 FALL2017 STEPHANIE J. SPIELMAN, PHD Logistics All course materials will be hosted here: http://sjspielman.org/bio5312_fall2017 Submit assignments via Canvas: https://templeu.instructure.com Please

823 views • 36 slides
Choosing the Summary Statistics and the Acceptance Rate in Approximate Bayesian Computation (ABC)

Choosing the Summary Statistics and the Acceptance Rate in Approximate Bayesian Computation (ABC)

Introduction Standard algorithms Potential pitfalls with ABC Local Bayesian linear regression Conclusion Choosing the Summary Statistics and the Acceptance Rate in Approximate Bayesian Computation (ABC) Michael G.B. Blum Laboratoire

241 views • 22 slides
Brief Summary on Topology and Performance of Distributed Hash Tables Zhirong Yang Helsinki

Brief Summary on Topology and Performance of Distributed Hash Tables Zhirong Yang Helsinki

Brief Summary on Topology and Performance of Distributed Hash Tables Zhirong Yang Helsinki University of Technology rozyang@cc.hut.fi Agenda Introduction Basic DHTs Pastry (mentioned later) CAN (coming soon) Tapestry

531 views • 21 slides
A Linked Data Representation for Summary Statistics and Grouping Criteria RPI IDEA/Tetherless

A Linked Data Representation for Summary Statistics and Grouping Criteria RPI IDEA/Tetherless

A Linked Data Representation for Summary Statistics and Grouping Criteria RPI IDEA/Tetherless World Constellation James P. McCusker, Michel Dumontier, Shruthi Chari, Joanne S. Luciano, and Deborah L. McGuinness Class: G(case:TCGA-BRCA)

292 views • 17 slides
Statistics for Social Sciences I: Introduction to Statistics Introduction to Statistics

Statistics for Social Sciences I: Introduction to Statistics Introduction to Statistics

Undergraduate Degree Programme in International Studies Statistics for Social Sciences I: Introduction to Statistics Introduction to Statistics Motivation: uses of statistics Surveys Economic predictions Poverty indices Decision making

534 views • 24 slides
Overview of Distributed Computing signin.ritlug.com (pray it works!) Summary Data

Overview of Distributed Computing signin.ritlug.com (pray it works!) Summary Data

Overview of Distributed Computing signin.ritlug.com (pray it works!) Summary Data crunching (supercomputers) Rendering (render farms, Hollywood, Pixar, etc.) High availability (failover of things like web apps) Data

573 views • 19 slides
Exploratory Data Analysis Summary Statistics Administrivia o Please activate your Piazza account

Exploratory Data Analysis Summary Statistics Administrivia o Please activate your Piazza account

Exploratory Data Analysis Summary Statistics Administrivia o Please activate your Piazza account if you haven t already done so o No laptops until we get to the in-class notebook part of the lecture o [Fried 2006] 64% of students are

511 views • 39 slides
Math 140 Sampling Distributions. Distribution of summary statistics obtained from taking

Math 140 Sampling Distributions. Distribution of summary statistics obtained from taking

7.1 Generating Sampling Distributions Math 140 Sampling Distributions. Distribution of summary statistics obtained from taking repeated random Introductory Statistics samples. Steps for generating a sampling distribution: I. Take a

137 views • 9 slides
Effective integration of Distributed Solar PV Project summary November 2019 The team 2 The

Effective integration of Distributed Solar PV Project summary November 2019 The team 2 The

Effective integration of Distributed Solar PV Project summary November 2019 The team 2 The environment 3 86 % drop in the last 10 years Reduction of solar PV 2 $/Wp German spot market prices for polycrystalline investment modules

253 views • 12 slides

More recommend