network host classification using statistical analysis of
play

Network Host Classification Using Statistical Analysis of Flow Data - PowerPoint PPT Presentation

Mar 09, 2023 •273 likes •460 views

Network Host Classification Using Statistical Analysis of Flow Data Alex Kent, Mike Fisk, Eugene Gavrilov Los Alamos National Laboratory Overview and Objectives Host/IP address profiling based on flow data over some time interval 10

  1. Network Host Classification Using Statistical Analysis of Flow Data Alex Kent, Mike Fisk, Eugene Gavrilov Los Alamos National Laboratory

  2. Overview and Objectives  Host/IP address profiling based on flow data over some time interval • 10 minutes to 7 days have been examined with 24 hours providing repetitively stationary results • Generate histograms of peer hosts, source ports, and destination ports over the time interval • Compute Shannon entropy values for the 3 dimensions  Outcomes: • Provide IP behavior “snapshots” of individual hosts • Allow comparison of behavior through clustering • Build models over large host sets in real-time

  3. Source / Destination Port Variance Does not provide an effective representation of categorical data sets

  4. Sample (simplified) Histogram of Flow Data Host A Cumulative bytes Cumulative packets Cumulative sessions Peer A 34958 324 54 3948 132 13 Peer B Peer C 231 43 9 Peer D 5675 123 29 Src Port 1 2358 77 32 Src Port 2 13246 345 67 Src Port 3 1231 75 12 Dst Port 1 54467 5653 199 Dst Port 2 563 345 1 Host B Peer X 842 347 23 Peer Y 23879 3452 874 Peer Z 9463 232 78 ... ... ... ... ...

  5. Shannon Entropy Using Packet Count Histograms where  Computed for host peers, source ports, and destination ports time-delineated histograms leveraging byte, packet, and session totals • Packet histograms/entropy calculation favored in final analysis • Since base 2: port entropy will be 0-16, peer 0-32 (IPv4)

  6. Sample Entropy Calculation For Host A: Cumulative packets Pi Packets Pi * log2( Pi ) Entropy Peer A 324 0.52 -0.49 Peer B 132 0.21 -0.47 Peer C 43 0.07 -0.27 Peer D 123 0.20 -0.46 1.69 Src Port 1 77 0.15 -0.42 Src Port 2 345 0.69 -0.37 Src Port 3 75 0.15 -0.41 1.19 Dst Port 1 5653 0.94 -0.08 Dst Port 2 345 0.06 -0.24 0.32

  7. Visual Example of Low/High Entropy Low Entropy Example High Entropy Example

  8. Data Overview  Uses generic flow data • Required fields: – SRC IP, DST IP, SRC Port, DST Port, Protocol, Packets, Bytes  Los Alamos unclassified network primarily over 24 hours (inclusive of a work day) • Approximately 200 million flows analyzed • 17,326 unique internal (Los Alamos) IP’s observed • Day-to-day traffic very consistent

  9. Destination Port / Peer Entropy Peer Host Entropy Destination Port Entropy

  10. Source Port / Peer Entropy Peer Host Entropy Source Port Entropy

  11. Source Port / Destination Port Entropy Destination Port Entropy Source Port Entropy

  12. Source/Destination Port Entropy Clustering Destination Port Entropy Source Port Entropy

  13. Entropy Clustering w/ 3 Dimensions Destination Port Entropy Source Port Entropy

  14. Interesting Clusters (<50) 749 Hosts (4.3% of total) Destination Port Entropy Source Port Entropy

  15. Interesting Clusters (b) Source port versus Peers Peer Host Entropy Source Port Entropy

  16. Major Servers Host Local Port EntRemote Port EntPeer Ent Cluster SMS 1 1.04 11.61 11.78 42 SMS 2 1.13 11.67 11.82 42 Int W W W 1.24 11.97 11.49 42 ActiveDir 1 2.7 11.52 11.96 42 ActiveDir 2 4.41 10.09 9.98 46 ActiveDir 3 2.86 10.62 10.56 46 DNS 1 1.76 9.76 9.11 5 DNS 2 0.74 12.5 9.99 13 VulnScanner 12.08 8.62 8.99 8 MailRelay 1 7.4 5.12 4.31 36 MailRelay 2 7.42 5.05 4.29 36 MailRelay 3 7.58 5.13 4.45 36

  17. Clusters C32 & C56 Bad Behavior (worm variants) Host IP Local Port EntRemote Port EntPeer Ent Remote Host A 11.45 0.79 11.89 Remote Host B 10.18 1.06 9.84 Internal Host A 10.32 1.26 9.87 Internal Host B 10.89 0.79 11.01 Remote Host C 10.83 1.77 10.46 Remote Host D 11.71 0.45 13.67 Remote Host E 11.04 0.65 10.8 Remote Host F 11.93 0.15 15.72

  18. Current, On-going Work  Demonstrated 1 million+ flows/minute processing on single system • Redesigning, porting system to map/reduce architecture for improved scaling and distributed processing  Integrating additional network flow data types (e.g. custom perimeter collected flows)  Static centroids for comparing host movements between k-means clusters • Enable predefined clusters, cluster definitions, and host movement between clusters  Histogram merging that allows graceful data aging for continuous data feed and anomaly detection  Application of novel change detection and machine learning across time series output

Recommend

Probabilistic Foundations of Statistical Network Analysis Chapter 5: Statistical modeling paradigm

Probabilistic Foundations of Statistical Network Analysis Chapter 5: Statistical modeling paradigm

Probabilistic Foundations of Statistical Network Analysis Chapter 5: Statistical modeling paradigm Harry Crane Based on Chapter 5 of Probabilistic Foundations of Statistical Network Analysis Book website: http://www.harrycrane.com/networks.html

443 views • 31 slides
Probabilistic Foundations of Statistical Network Analysis Chapter 3: Network sampling Harry Crane

Probabilistic Foundations of Statistical Network Analysis Chapter 3: Network sampling Harry Crane

Probabilistic Foundations of Statistical Network Analysis Chapter 3: Network sampling Harry Crane Based on Chapter 3 of Probabilistic Foundations of Statistical Network Analysis Book website: http://www.harrycrane.com/networks.html Harry Crane

375 views • 18 slides
Probabilistic Foundations of Statistical Network Analysis Chapter 2: Binary relational data Harry

Probabilistic Foundations of Statistical Network Analysis Chapter 2: Binary relational data Harry

Probabilistic Foundations of Statistical Network Analysis Chapter 2: Binary relational data Harry Crane Based on Chapter 2 of Probabilistic Foundations of Statistical Network Analysis Book website: http://www.harrycrane.com/networks.html Harry

573 views • 13 slides
Statistical Network Analysis Olga Klopp MODALX, Universit e Paris Nanterre - CREST, ENSAE

Statistical Network Analysis Olga Klopp MODALX, Universit e Paris Nanterre - CREST, ENSAE

Statistical Network Analysis Olga Klopp MODALX, Universit e Paris Nanterre - CREST, ENSAE Olga Klopp (CREST - UP10) Statistical Network Analysis 1 / 7 Social Political Blog Network Problem Bisection of the graph Olga Klopp (CREST -

387 views • 9 slides
Probabilistic Foundations of Statistical Network Analysis Chapter 4: Generative models Harry

Probabilistic Foundations of Statistical Network Analysis Chapter 4: Generative models Harry

Probabilistic Foundations of Statistical Network Analysis Chapter 4: Generative models Harry Crane Based on Chapter 4 of Probabilistic Foundations of Statistical Network Analysis Book website: http://www.harrycrane.com/networks.html Harry Crane

289 views • 13 slides
Automated Task Distribution in Multicore Network Processors using Statistical Analysis Arindam

Automated Task Distribution in Multicore Network Processors using Statistical Analysis Arindam

Automated Task Distribution in Multicore Network Processors using Statistical Analysis Arindam Mallik, Yu Zhang, Gokhan Memik Electrical Engineering and Computer Science Dept. Northwestern University Network Demand Gap Gap increases with the

441 views • 21 slides
A Traffic Analysis of a Small Private Network Compromised by an On-line Gaming Host Ron McLeod,

A Traffic Analysis of a Small Private Network Compromised by an On-line Gaming Host Ron McLeod,

A Traffic Analysis of a Small Private Network Compromised by an On-line Gaming Host Ron McLeod, BCSc, MCSc. Director - Corporate Development Telecom Applications Research Alliance Doctoral Student, Faculty of Computer Science, Dalhousie

486 views • 45 slides
Probabilistic Foundations of Statistical Network Analysis Chapter 1: Orientation Harry Crane

Probabilistic Foundations of Statistical Network Analysis Chapter 1: Orientation Harry Crane

Probabilistic Foundations of Statistical Network Analysis Chapter 1: Orientation Harry Crane Based on Chapter 1 of Probabilistic Foundations of Statistical Network Analysis Book website: http://www.harrycrane.com/networks.html Harry Crane

262 views • 14 slides
Network layer (IP) Network layer Transport segment from sending to receiving host Network

Network layer (IP) Network layer Transport segment from sending to receiving host Network

Network layer (IP) Network layer Transport segment from sending to receiving host Network layer protocols in every host, router Many historical examples, but only one really matters Network layer functions 1. Connection setup 5.

1.56k views • 113 slides
Foundations: Statistical Classification in Natural Language Processing Dietrich Klakow What is

Foundations: Statistical Classification in Natural Language Processing Dietrich Klakow What is

Foundations: Statistical Classification in Natural Language Processing Dietrich Klakow What is Classification? Classification: telling things apart 2 Introduction 3 Spam/junk/bulk Emails The messages you spend your time with just to

484 views • 45 slides
STA 214: Probability &amp; Statistical Models STA 214: Analysis of Statistical Models

STA 214: Probability &amp; Statistical Models STA 214: Analysis of Statistical Models

STA 214: Probability &amp; Statistical Models STA 214: Analysis of Statistical Models Probability/Statistical Models: Theory prob/math stats Simulation samples of y ( | ) p y Statistical analysis: Computation: Likelihood

250 views • 11 slides
Exponential Random Graph Models for (Social) Network Data Analysis - Statistical Models for

Exponential Random Graph Models for (Social) Network Data Analysis - Statistical Models for

Outline Exponential Random Graph Models for (Social) Network Data Analysis - Statistical Models for (Social) Network Data p 0 , p 1 , p 2 and and p* Overview, Challenges, Research Problems Graphons and Networks ERGM, bERGM, tERGM,

225 views • 9 slides
Detecting Advanced Network Threats Using a Similarity Search AIMS 2016 Wednesday 22 nd June, 2016

Detecting Advanced Network Threats Using a Similarity Search AIMS 2016 Wednesday 22 nd June, 2016

Detecting Advanced Network Threats Using a Similarity Search AIMS 2016 Wednesday 22 nd June, 2016 Milan ermk Pavel eleda State of the Art of Network Data Analysis Methods classification based on the detection approach Statistical Soft

215 views • 17 slides
LO-PH Low-Observable Physical Host Instrumentation for Malware Analysis Chad Spensky ,

LO-PH Low-Observable Physical Host Instrumentation for Malware Analysis Chad Spensky ,

LO-PH Low-Observable Physical Host Instrumentation for Malware Analysis Chad Spensky , Hongyi Hu and Kevin Leach cspensky@cs.ucsb.edu hongyihu@alum.mit.edu kjl2y@virginia.edu lophi@mit.edu The Network and

532 views • 24 slides
Statistical analysis of the social network &amp; discussion threads in Slashdot Vicen Gmez

Statistical analysis of the social network &amp; discussion threads in Slashdot Vicen Gmez

Statistical analysis of the social network &amp; discussion threads in Slashdot Vicen Gmez Andreas Kaltenbrunner Vicente Lpez Barcelona Media Innovation Center (BM) Barcelona, Spain Department of Information and Comunication

482 views • 23 slides
Statistical NLP Spring 2011 Lecture 11: Classification Dan Klein UC Berkeley Classification

Statistical NLP Spring 2011 Lecture 11: Classification Dan Klein UC Berkeley Classification

Statistical NLP Spring 2011 Lecture 11: Classification Dan Klein UC Berkeley Classification Automatically make a decision about inputs Example: document category Example: image of digit digit Example: image of object

609 views • 48 slides
Statistical Data Analysis DS GA 1002 Statistical and Mathematical Models

Statistical Data Analysis DS GA 1002 Statistical and Mathematical Models

Statistical Data Analysis DS GA 1002 Statistical and Mathematical Models http://www.cims.nyu.edu/~cfgranda/pages/DSGA1002_fall16 Carlos Fernandez-Granda Descriptive statistics Statistical estimation Histogram Technique to visualize

1.16k views • 99 slides
Data Mining Techniques: Statistical Decision Theory Nearest Neighbor Classification and

Data Mining Techniques: Statistical Decision Theory Nearest Neighbor Classification and

Classification and Prediction Overview Introduction Decision Trees Data Mining Techniques: Statistical Decision Theory Nearest Neighbor Classification and Prediction Bayesian Classification Artificial Neural Networks Mirek

548 views • 42 slides
Data Mining Techniques: Statistical Decision Theory Nearest Neighbor Classification and

Data Mining Techniques: Statistical Decision Theory Nearest Neighbor Classification and

Classification and Prediction Overview Introduction Decision Trees Data Mining Techniques: Statistical Decision Theory Nearest Neighbor Classification and Prediction Bayesian Classification Artificial Neural Networks Mirek

701 views • 40 slides
Department of Statistics SVM based Classification of Instruments - Timbre Analysis Uwe Ligges

Department of Statistics SVM based Classification of Instruments - Timbre Analysis Uwe Ligges

Department of Statistics SVM based Classification of Instruments - Timbre Analysis Uwe Ligges and Sebastian Krey Department of Statistics, TU Dortmund Reisensburg, Statistical Computing 2009 Introduction Model Building Timbre

684 views • 29 slides
Wireless Network (Neutral Host) Request for Proposals Update Presented to the Riders

Wireless Network (Neutral Host) Request for Proposals Update Presented to the Riders

Wireless Network (Neutral Host) Request for Proposals Update Presented to the Riders Advisory Council March 5, 2008 1 Metros vision for future wireless services Project Build a comprehensive wireless network (Neutral Host) to

463 views • 4 slides
Mobile Routing Goal is to allow a host to be disconnected from one network and connected to

Mobile Routing Goal is to allow a host to be disconnected from one network and connected to

Mobile Routing Goal is to allow a host to be disconnected from one network and connected to another With normal IP addresses, host would either become unreachable, or it would need to get a new IP address somehow (DHCP, manual

226 views • 10 slides
Network layer (IP) Netw etwor ork k layer er Send datagram from one host to another

Network layer (IP) Netw etwor ork k layer er Send datagram from one host to another

Network layer (IP) Netw etwor ork k layer er Send datagram from one host to another Network layer protocols in every host, router Portland State University CS 430P/530 Internet, Web &amp; Cloud Systems Netw etwor ork k layer er

2.36k views • 89 slides
Beyond Classification: La Latent User Interests Profiling from Visual Contents Analysis Lon

Beyond Classification: La Latent User Interests Profiling from Visual Contents Analysis Lon

Beyond Classification: La Latent User Interests Profiling from Visual Contents Analysis Lon Longqi Ya Yang , Cheng-Kang (Andy) Hsieh, Deborah Estrin Communicati Co tions On Online P Purchases So Social Network Ou Our inte terests ts

243 views • 20 slides

More recommend