l ow r ate f low l evel p eriodicity d etection
play

L OW -R ATE , F LOW -L EVEL P ERIODICITY D ETECTION Genevieve - PowerPoint PPT Presentation

Sep 05, 2022 •152 likes •538 views

University of Southern California: ISI L OW -R ATE , F LOW -L EVEL P ERIODICITY D ETECTION Genevieve Bartlett 1 , John Heidemann 1 , Christos Papapdopoulos 2 1 USC/Information Sciences Institute Marina del Rey, CA 2 Colorado State University, Ft.

  1. University of Southern California: ISI L OW -R ATE , F LOW -L EVEL P ERIODICITY D ETECTION Genevieve Bartlett 1 , John Heidemann 1 , Christos Papapdopoulos 2 1 USC/Information Sciences Institute Marina del Rey, CA 2 Colorado State University, Ft. Collins, CO

  2. M OTIVATION It’s 10pm, do you know what your computer’s doing??  Automatic computer initiated communication  More complex systems = more computer initiated communication 1

  3. L OW -R ATE AND P ERIODIC C ONNECTIONS  Subset of computer initiated: periodic connections  Find periodic series in aggregate traffic with signal processing  Flow-level  Event = connection start  Our methods could apply to many other events  Low-Rate: 2s to several hours (Days? Weeks?) 2

  4. A PPLIES TO M ANY A PPLICATIONS  Many applications are low-rate periodic:  User services (30-120 mins)  WeatherEye  MacOS Dashboard apps  Clock applet in Gnome (Linux)  RSS News Feeds (30-60mins)  Web Counters (5-30mins)  http refresh  Peer-to-Peer (~20-30 mins)  Adware (minutes to hours)  Spyware  Botnet Command & Control 3

  5. C ONTRIBUTIONS  Low-rate periodicity as a phenomenon of interest  Low-rate periodicity prevalent in real- world traffic  Novel method for detection  Demonstration of applications  Self-surveillance (GI paper)  Pre-filtering for detection triage 4

  6. C ONTRIBUTIONS  Low-rate periodicity as a phenomenon of interest  Low-rate periodicity prevalent in real- world traffic  Novel method for detection  Demonstration of applications  Self-surveillance (GI paper)  Pre-filtering for detection triage 5

  7. C ONTRIBUTIONS  Low-rate periodicity as a phenomenon of interest  Low-rate periodicity prevalent in real- world traffic  Novel method for detection  Demonstration of applications  Self-surveillance (GI paper)  Pre-filtering for detection triage 6

  8. A RE P ERIODIC A PPLICATIONS P REVALENT ?  Pick an interesting application  Malware!  How do we confirm periodic malware exists at USC?  No payload  Blacklisted sites  Aggregate traffic (groups of ~20)  Determine which groups show periodic communication 7

  9. H OW P REVALENT IS P ERIODIC C OMMUNICATION ? Nearly a third show periodic behavior! ∴ We can find 1/3 blacklisted servers on our network looking at periodic behavior as a first pass. 8

  10. C ONTRIBUTIONS  Low-rate periodicity as a phenomenon of interest  Low-rate periodicity prevalent in real- world traffic  Novel method for detection  Demonstration of applications  Self-surveillance (GI paper)  Pre-filtering for detection triage 9

  11. T YPICAL A PPROACH TO F INDING P ERIODIC E VENTS Network events > time series > FFT >analysis FFT Time Frequency 10

  12. W HAT A RE W E L OOKING F OR ?  Given network data:  Is there a periodic event?  If so, what is the period?  Location in time: Start/Stop of events Events Time 11

  13. G OALS AND D ESIGN Preserve time information wavelets Simple representation Haar wavelet basis: and implementation differencing/averaging match for sharp changes Low-rate periods Coarse time bins ~1min+ Large range of Iterative filter-bank frequencies Full decomposition 12

  14. M ULTIRESOLUTION A NALYSIS : S INGLE P ATH Different paths give different frequency splits. Can focus in on a frequency range, if we know which we want a priori. 13

  15. M ULTIRESOLUTION A NALYSIS : F ULL  Full decomposition  We examine multiple frequency ranges  Level of decomp determined by length and sample rate of original data 14

  16. V ISUALIZATION Original Time Series Level of decomp cv 15

  17. V ISUALIZATION Level of decomp 16

  18. V ISUALIZATION High time Res. Level of decomp High freq. Res. 17

  19. V ISUALIZATION (30min)Longer periods Shorter periods (2s) High time Res. Level of decomp High freq. Res. 18

  20. V ISUALIZATION (30min)Longer periods Shorter periods (2s) High time Res. Level of decomp High freq. Res. 19

  21. A RTIFICIAL E XAMPLE : 8 S P ERIOD (30min)Longer periods Shorter periods (2s) High time Res. Level of decomp High freq. Res. base harmonics 20

  22. A RTIFICIAL E XAMPLE : 8 S P ERIOD (30min)Longer periods Shorter periods (2s) High time Res. Level of decomp High freq. Res. base harmonics 21

  23. V ISUALIZATION : R EAL - WORLD E XAMPLE BitTorrent client communicating with tracker (hours)Longer periods Shorter periods (128s) High time Res. Level of decomp High freq. Res. 300s update with BitTorrent Tracker 22

  24. A UTOMATIC D ETECTION  Detection of period  Empirically derived threshold on energy  Threshold dependent on frequency range and decomposition level  Too few decompositions, not focused on frequency range  Too many decompositions, energy spreads out  Detection of when a change occurs  Start and stop of a periodic series of events  Move backwards on levels of decomposition to get more time resolution  Details in techreport 23

  25. C ONTRIBUTIONS  Low-rate periodicity as a phenomenon of interest  Low-rate periodicity prevalent in real- world traffic  Novel method for detection  Demonstration of applications  Self-surveillance (GI paper)  Pre-filtering for detection triage 24

  26. A PPLICATIONS  Self-surveillance  Desktop user  Changes indicate problems: stop in OS updates, addition of adware etc.  Pre-filtering  Target apps with low-rate periodic com.  Reduce set of hosts to investigate  Eg. Target BitTorrent trackers 25

  27. S ELF -S URVEILLANCE D EMONSTRATION  Detect start or stop of periodic communication  Here we look at unwanted communication: installation of a keylogger  Applies to stop of wanted periodic communication too!  Detect install of Keyboard Guardian on Windows  Set to report every 3 hours  3 day monitoring  1st day, no keylogger  2nd day, install keylogger 26

  28. N UMERICAL D ETECTION OF E VENT Automatic Detection Identifies presence (at harmonic) Correctly identifies installation time (within a 9 hour window). 27

  29. V ISUAL D ETECTION OF C HANGE Before After Report every 3 hours (every 10,800s) harmonics 28

  30. S UMMARY OF S ELF -S URVEILLANCE  Automatic detection  Identifies a periodic series of events  Identifies changes in events and when those changes occur  Demonstrated  Keylogger: Addition of a bad series of periodic communication  OS updates: Removal of a good series of periodic communication (techreport) 29

  31. S ENSITIVITY TO N OISE  Signal-to-Noise ratio  1 signal connection:10-20 unrelated connections  Easily achievable with periods of user inactivity  Watch for a long enough window 30

  32. S UMMARY  Variety of applications show periodic behavior  New wavelet based approach to finding periodic behavior in aggregate traffic  Demonstrated use for self-surveillance  Techreport & GI paper:  http://www.isi.edu/~bartlett/pubs/ Bartlett09a.html  http://www.isi.edu/~bartlett/pubs/ Bartlett11a.pdf 31

  33. E XTRAS 32

  34. H OW TO Q UANTIFY S ENSITIVITY ?  Why?  Know when we work and when we won’t  Quantify sensitivity to noise  Fixed amount of background traffic  Vary frequency  Study base frequency energy  With background / No background 33

  35. S ENSITIVITY TO N OISE Need SNR of at least ~0.05-0.1 1 periodic connection for every 10-20 non-periodic connections 34

  36. I S E VASION P OSSIBLE ?  Yes: Jitter  How much jitter is enough?  Experiment: vary jitter, study detection  Artificial signal  Jitter varies by Gaussian random 35

  37. E VALUATING J ITTER FOR E VASION Greater than 15% hides signal. Not disruptive to operation: 1 hr period ± 10 mins 36

Recommend

Chapter 8-2: Communit unity D Det etection Jilles Vreeken IRDM 15/16 3 Dec 2015 IRDM

Chapter 8-2: Communit unity D Det etection Jilles Vreeken IRDM 15/16 3 Dec 2015 IRDM

Chapter 8-2: Communit unity D Det etection Jilles Vreeken IRDM 15/16 3 Dec 2015 IRDM Chapter 8, overview The basics 1. Properties of Graphs 2. Frequent Subgraphs 3. Graph Clustering 4. Youll find this covered in: Aggarwal,

1.07k views • 60 slides
AKING L L ITER ACY E E FFO TS TO TO THE HE N N EX EXT L L EV EL : : ERAC FFORTS EVEL T HE HE L

AKING L L ITER ACY E E FFO TS TO TO THE HE N N EX EXT L L EV EL : : ERAC FFORTS EVEL T HE HE L

T AK AKING L L ITER ACY E E FFO TS TO TO THE HE N N EX EXT L L EV EL : : ERAC FFORTS EVEL T HE HE L EC ECTIO A A PPROAC ACH FO FOR E E NHAN ED I I MPAC ACT HANCED Kelly Kulsrud, EdM Nonie K. Lesaux, PhD lectioapproach.com Todays Na%onal

234 views • 11 slides
OBJECTIVES Introduction to Network 14 BSI Team Discuss focus facility selection Share

OBJECTIVES Introduction to Network 14 BSI Team Discuss focus facility selection Share

I NFECTION D ETECTION April 12, 2016 ORIENTATION WEBINAR JASON T. SIMMINGTON, MHS OBJECTIVES Introduction to Network 14 BSI Team Discuss focus facility selection Share goals of I NFECTION D ETECTION Explain project components

1.22k views • 54 slides
DEV EVEL ELOPMENT PMENTS S BET ETWEEN EEN 194 945 5 AND 1970. 70. A. DESCRIBE THE WARREN

DEV EVEL ELOPMENT PMENTS S BET ETWEEN EEN 194 945 5 AND 1970. 70. A. DESCRIBE THE WARREN

SSUSH SUSH23 23 THE E STUDENT UDENT WIL ILL L DES ESCRIBE CRIBE AND ASSESS SESS THE E IM IMPACT CT OF POLI LITIC TICAL AL DEV EVEL ELOPMENT PMENTS S BET ETWEEN EEN 194 945 5 AND 1970. 70. A. DESCRIBE THE WARREN COURT AND

547 views • 17 slides
EL ELEV EVATED TED BL BLOOD OOD LEA EAD D LEV EVEL ELS S AMO MONG NG BUR URMES MESE

EL ELEV EVATED TED BL BLOOD OOD LEA EAD D LEV EVEL ELS S AMO MONG NG BUR URMES MESE

EL ELEV EVATED TED BL BLOOD OOD LEA EAD D LEV EVEL ELS S AMO MONG NG BUR URMES MESE CHI HILDREN DREN IN IN FOR ORT T WAYNE NE, , IN IN: : ENVI VIRONMENT ONMENTAL AL RISK SK FACTORS ORS *A A CO COMPAR ARISON ISON

730 views • 26 slides
Direct ection n fo for d dev evel elopment ent o of nea f near infr nfrared ed-dy dyes

Direct ection n fo for d dev evel elopment ent o of nea f near infr nfrared ed-dy dyes

Direct ection n fo for d dev evel elopment ent o of nea f near infr nfrared ed-dy dyes s for or dye ye-se sensit sitiz ized d so sola lar c cells lls from rom the he view ew p point nt of el f elect ectron i n inj

456 views • 42 slides
Budget et D Dev evel elopmen ent P Proces ess Driven by the FPS Strategic Plan

Budget et D Dev evel elopmen ent P Proces ess Driven by the FPS Strategic Plan

Framingham Public Schools Where every child can and will reach high levels of achievement FY20 Budget - Joint Finance Subcommittees March 1 8, 201 9 Budget et D Dev evel elopmen ent P Proces ess Driven by the FPS Strategic Plan

109 views • 9 slides
Dev evel elopm pment nt of of Nov ovel el B Biothe otherap apeu eutics for for the

Dev evel elopm pment nt of of Nov ovel el B Biothe otherap apeu eutics for for the

Dev evel elopm pment nt of of Nov ovel el B Biothe otherap apeu eutics for for the Treatm the eatmen ent of of Tauopat auopathies Panor anoram ama Res esea earch, h, I Inc nc . Innov novat ative NeuroTec echno hnologi

378 views • 18 slides
2020 Lev evel el 1 Tutorials Chapter er 2 Residential acreage parcels of more than one acre

2020 Lev evel el 1 Tutorials Chapter er 2 Residential acreage parcels of more than one acre

Departmen ent of Local Gov overnmen nment Finance Cost Approa oach Part B 2020 Lev evel el 1 Tutorials Chapter er 2 Residential acreage parcels of more than one acre and not used for agricultural purposes are valued using the

789 views • 56 slides
Fa arm le evel e econo omics s and NZ ni itroge en leac ching g poli cy: be est fri iends

Fa arm le evel e econo omics s and NZ ni itroge en leac ching g poli cy: be est fri iends

Fa arm le evel e econo omics s and NZ ni itroge en leac ching g poli cy: be est fri iends s or un nhapp py ma arriag ge? Gra aeme Do oole 1,2 1 Cen ntre for Environ nmental E Econom ics and P Policy, Univer rsity of W Western

400 views • 39 slides
New ew Direct ections for Cur urricul ulum um Development nt & Facu culty Dev evel

New ew Direct ections for Cur urricul ulum um Development nt & Facu culty Dev evel

New ew Direct ections for Cur urricul ulum um Development nt & Facu culty Dev evel elopmen ent through a Consortium Approach Jess Gerrior Ira a Feldman an SCC Director of SCC Founder & Learning & Practice Managing

441 views • 15 slides
DA DAY-NR NRLM LM Sust staina inable ble Dev evel elopment opment Goa oals s DAY-

DA DAY-NR NRLM LM Sust staina inable ble Dev evel elopment opment Goa oals s DAY-

DA DAY-NR NRLM LM Sust staina inable ble Dev evel elopment opment Goa oals s DAY- NRLM OVERVIEW Centre- piece of Government of Indias rural poverty alleviation strategy - Based on ground tested best practices in Bihar and the

1.26k views • 36 slides
North E Evel eleigh open pen spa pace a and com community u uses (C (Clothi hing S Stor

North E Evel eleigh open pen spa pace a and com community u uses (C (Clothi hing S Stor

Central to Eveleigh Urban Transformation and Transport Program North E Evel eleigh open pen spa pace a and com community u uses (C (Clothi hing S Stor ore) w wor orkshop 31 M 1 March 20 2016 00 M 00 Month 20 2012 Welc elcom

1.17k views • 73 slides
Finding the good in EVEL: An evaluation of English Votes for English Laws in the House of

Finding the good in EVEL: An evaluation of English Votes for English Laws in the House of

Finding the good in EVEL: An evaluation of English Votes for English Laws in the House of Commons Daniel Gover and Michael Kenny Mile End Institute Queen Mary University of London 28 November 2016, Houses of Parliament Research project

792 views • 16 slides
Evel Evelyne Can Canter errann nne Flavoractiv Structuring Sensory Practices for Excellence

Evel Evelyne Can Canter errann nne Flavoractiv Structuring Sensory Practices for Excellence

Evel Evelyne Can Canter errann nne Flavoractiv Structuring Sensory Practices for Excellence in Gin Quality & Innovation Gin a widely consumed distilled beverage Neutral Juniper Spirits Berries Variety of Botanicals (e.g.,

219 views • 21 slides
Toolkit Rec ecovery Ho Housi using Dev evel elopm pmen ent T Toolkit BUDGET T TOOL

Toolkit Rec ecovery Ho Housi using Dev evel elopm pmen ent T Toolkit BUDGET T TOOL

Community Capital Assistance Project Toolkit Rec ecovery Ho Housi using Dev evel elopm pmen ent T Toolkit BUDGET T TOOL OL This Excel Spread sheet will allow you to enter all of your accrued/expected development and

413 views • 20 slides
First Quarter 2017 Results May 3, 2017 L EVEL 3 C OMMUNICATIONS J ULY 2016 Cautionary Statement

First Quarter 2017 Results May 3, 2017 L EVEL 3 C OMMUNICATIONS J ULY 2016 Cautionary Statement

First Quarter 2017 Results May 3, 2017 L EVEL 3 C OMMUNICATIONS J ULY 2016 Cautionary Statement Some statements made in this presentation are forward-looking in nature and are based on management's current expectations or beliefs. These

661 views • 27 slides
LLDSAL A L ow- L evel D omain- S pecific A spect L anguage for Dynamic Code-Generation and Program

LLDSAL A L ow- L evel D omain- S pecific A spect L anguage for Dynamic Code-Generation and Program

LLDSAL A L ow- L evel D omain- S pecific A spect L anguage for Dynamic Code-Generation and Program Modification Mathias Payer, Boris Bluntschli, & Thomas R. Gross Department of Computer Science ETH Zrich, Switzerland Motivation: program

655 views • 23 slides
Dev evel elopmen ent of Proje ject Evalu luatio ion Crit iteria ia August 5, 5, 2020

Dev evel elopmen ent of Proje ject Evalu luatio ion Crit iteria ia August 5, 5, 2020

Dev evel elopmen ent of Proje ject Evalu luatio ion Crit iteria ia August 5, 5, 2020 2020 Pres esent entation O n Over erview ew Consolidation of investment categories Scoring weightage (BCA Vs. planning factors)

271 views • 14 slides
Economic D Dev evel elopmen ent Strategy R Review 2018 2018-19 19 PROJECT OVERSIGHT TEAM

Economic D Dev evel elopmen ent Strategy R Review 2018 2018-19 19 PROJECT OVERSIGHT TEAM

Economic D Dev evel elopmen ent Strategy R Review 2018 2018-19 19 PROJECT OVERSIGHT TEAM MEETING #3 December 6, 2018 Norfolk County Tourism & Economic Development Ag Agend enda Update to Council (circulated) Draft Interim

557 views • 20 slides
P ARENT S E VENING G OING TO T HIRD L EVEL S T . B RENDAN S C OLLEGE Karen Rice Guidance

P ARENT S E VENING G OING TO T HIRD L EVEL S T . B RENDAN S C OLLEGE Karen Rice Guidance

P ARENT S E VENING G OING TO T HIRD L EVEL S T . B RENDAN S C OLLEGE Karen Rice Guidance Counsellor O VERVIEW Introduction The Offer Stage Course of Study Deferred places Vacant places Qualification HEAR

914 views • 74 slides
ESS NU SB R EQUIREMENTS ON ESS LINAC Mamad Eshraqi 2017 Sep 28 NuFACT 1 T OP L EVEL P

ESS NU SB R EQUIREMENTS ON ESS LINAC Mamad Eshraqi 2017 Sep 28 NuFACT 1 T OP L EVEL P

ESS NU SB R EQUIREMENTS ON ESS LINAC Mamad Eshraqi 2017 Sep 28 NuFACT 1 T OP L EVEL P ARAMETERS Key Linac parameters: Design Drivers: Energy 2.0 GeV High average beam power 5MW Current 62.5 mA High peak beam power 125 MW

333 views • 21 slides
Statistical detection approach to flutter monitoring Laurent M evel, Mich` ele Basseville,

Statistical detection approach to flutter monitoring Laurent M evel, Mich` ele Basseville,

Statistical detection approach to flutter monitoring Laurent M evel, Mich` ele Basseville, Albert Benveniste, IRISA (CNRS & INRIA, Rennes, France) basseville@irisa.fr - http://www.irisa.fr/sigma2/ 1 Contents Motivation and modelling

380 views • 13 slides
Web ebsite D e Dev evel elop opmen ent P Plan Pres esen enta tation S Slides es

Web ebsite D e Dev evel elop opmen ent P Plan Pres esen enta tation S Slides es

M9 Question 6 Web ebsite D e Dev evel elop opmen ent P Plan Pres esen enta tation S Slides es Myscha Day |M9 Q6 Website Development Plan Presentation Heligan Flower Garden Time Lapse https://youtu.be/WHG4ioKJb78 Myscha Day | M9 Q6

673 views • 6 slides

More recommend