s9385 ai based anomaly detections and threat forecasting
play

S9385 AI-Based Anomaly Detections and Threat Forecasting for Unified - PowerPoint PPT Presentation

Mar 03, 2024 •154 likes •474 views

S9385 AI-Based Anomaly Detections and Threat Forecasting for Unified Communications Networks Kevin Riley CTO, Ribbon Tim Thornton - Director Software Engineering, Ribbon About Ribbon Ribbon is a global leader in secure real-time

  1. S9385 AI-Based Anomaly Detections and Threat Forecasting for Unified Communications Networks Kevin Riley – CTO, Ribbon Tim Thornton - Director Software Engineering, Ribbon

  2. About Ribbon Ribbon is a global leader in secure real-time communications providing software, cloud , core, and edge network infrastructure solutions to service providers and enterprises. 2 Ribbon Communications Confidential and Proprietary

  3. About Ribbon Four Decades of Combined Leadership Experience in Real Time Communications ~ 2,300 Employees and Doing Business in 100+ countries 1,000+ Service Provider and Enterprise Customers Globally #1 in VoIP Switching, #1 E-SBC, #2 CSP SBC, #1 in Media Gateways 800+ Patents Worldwide Publicly Traded Company on NASDAQ Leadership Ranking Source: IHS Research and ExactVentures 3Q-2018 Market share data (Ribbon includes GENBAND, Sonus, and Edgewater) 3 Ribbon Communications Confidential and Proprietary

  4. Where You Will Find Us More than 350 The World's U.S. Department Leading Tier One of Defense Locations Service Providers The Largest Banks, Airlines, Retailers and Manufacturers across the Globe $ 4 Ribbon Communications Confidential and Proprietary

  5. Ribbon Protect Big-data Analytics to Secure Communications Networks Use Cases Toll Fraud Continuous Monitoring Threat Intel Sharing Intelligent Operations RTC Security Accelerate Investigations Improve Operations Consolidate RTC tools, NW Policy Analytics Added context to investigations, enforcement, active monitoring, visualization, multi sourced data troubleshooting, SOC/SIEM integration collection, automation, drill down Big Data Protect High-speed Incident Data GPU Hadoop ML / data ingestion Management Enrichment Acceleration Behavior Analytics Communications Network Sensors / 3 rd Party SBC Enforcers Firewall IP-PBX 5

  6. Goals: Use Deep Learning to model calls Anomaly Forecast detection utilization Behavioral Call signatures user / network Analysis & Policy Big Data Automation Self-Healing Prediction Real-time Communications Networks 6

  7. Modeling calls in a real-time Communication Network Challenges Network Data Dimensionality Analytics Scale Complexity Input sources contain high Network behavior varies Call rates per sec greatly between operators. dimensional, text based data (in 10’s of thousands) that results in large features pose challenges for real-time sets Machine learning models based modeling and detection must be built and trained with operators data to capture the Metrics(KPI’s) used for Billions of records per day for unique characteristics of their behaviors models can number analytical processing from 10’s to 1000’s which network. presents significant resource Security incidents and Feature significance vary from challenges. operational events can take operator to operator and may significant time to detect change over time 7

  8. The Approach Parameterize Apply machine learning techniques to create features for call flows, user behavior and endpoint information Model Leverage deep learning to model typical or normative behavior such that anomalies can be readily identified and acted on Initial Key Focus Areas Operational Forecasting and thresholding network KPI’s Identifying anomalous behaviors on network resources Security Behavioral modeling of subscribers usage and network calling patterns Identifying security anomalies of subscribers actions 8

  9. SIP Call Signature Hypothesis Applications • Service Assurance (Operational) Use Call signaling information – Understand types of devices on network to create a “signature” – Onboarding new devices – Determining distribution of devices • Network Security – Identity Management • User activity monitoring (think bank and credit card) Datasets • Changes in user features as compared to corpus • Changes in user and device relationships ML Algorithms – Behavioral • Changes in users calling patterns • Changes in network usage Evaluation Feature Feature Modeling Deployment Engineering Scaling and Tuning Data Preparation 9

  10. Unified Communications Data Sources CDR – Call Detail Records Logs/pCap (SIP Messages) • Created at the beginning and end of • Unstructured text calls (ATTEMPT, START, STOP) • Much higher data volume than CDR • CSV format with 300+ columns • Requires protocol parsing to • Contains summary information about parameterize the calls (duration, quality, packets). • Minimum of 4 messages per call • Typically used for operator billing Challenge in building machine learning solution Lack of labelled data Scope of data attributes • Getting access to enough • Device types, call types, device training data configurations/options, network • Diversity of device types modifications 10

  11. Session Initiated Protocol (SIP) Overview INVITE sip:+17325551234@10.2.0.1:5060 SIP/2.0 What is SIP Via: SIP/2.0/UDP 192.168.1.1:0;branch=z9hG4bK-14243-27817-0 From: +13155559999 <sip:+ 13155559999 @192.168.1.1:0>;tag=14243SIPpTag0027817 • Text based protocol To: +17325551234 <sip:+17325551234@10.2.0.1:5060> • Similar to HTTP Call-ID: 387A9EFB@192.168.1.1 CSeq: 1 INVITE • “Soft” standard Contact: sip:+ 13155559999 @192.168.1.1:0 - Syntax Max-Forwards: 70 - Parameters Subject: Performance Test - Extensibility Content-Type: application/sdp Content-Length: 137 • Lends to vendor specific v=0 implementations which we can o=user1 53655765 2353687637 IN IP4 192.168.1.1 leverage s=- c=IN IP4 192.168.1.1 t=0 0 m=audio 6001 RTP/AVP 0 a=rtpmap:0 PCMU/8000 11

  12. SIP Message – Device features Identify “what” is making a call INVITE sip:+17325551234@10.2.0.1:5060 SIP/2.0 Via: SIP/2.0/UDP 192.168.1.1:0;branch=z9hG4bK-14243-27817-0 From: +13155559999 <sip:+ 13155559999 @192.168.1.1:0>;tag=14243SIPpTag0027817 To: +17325551234 <sip:+17325551234@10.2.0.1:5060> Call-ID: 387A9EFB@192.168.1.1 CSeq: 1 INVITE Contact: sip:+ 13155559999 @192.168.1.1:0 Max-Forwards: 70 Subject: Performance Test Header inclusion/exclusion Content-Type: application/sdp Format, parameters Content-Length: 137 Header Order v=0 Syntax o=user1 53655765 2353687637 IN IP4 192.168.1.1 s=- c=IN IP4 192.168.1.1 t=0 0 m=audio 6001 RTP/AVP 0 a=rtpmap:0 PCMU/8000 12

  13. SIP Message – User features Identify “who” is making this call INVITE sip:+17325551234@10.2.0.1:5060 SIP/2.0 Via: SIP/2.0/UDP 192.168.1.1:0;branch=z9hG4bK-14243-27817-0 From: +13155559999 <sip:+ 13155559999 @192.168.1.1:0>;tag=14243SIPpTag0027817 To: +17325551234 <sip:+17325551234@10.2.0.1:5060> Call-ID: 387A9EFB@192.168.1.1 CSeq: 1 INVITE Contact: sip:+ 13155559999 @192.168.1.1:0 Max-Forwards: 70 User identification Subject: Performance Test Content-Type: application/sdp User parameters Content-Length: 137 Route (via) IP information v=0 o=user1 53655765 2353687637 IN IP4 192.168.1.1 s=- c=IN IP4 192.168.1.1 t=0 0 m=audio 6001 RTP/AVP 0 a=rtpmap:0 PCMU/8000 13

  14. SIP Message – Destination features Identify “where” the call is going INVITE sip:+17325551234@10.2.0.1:5060 SIP/2.0 Via: SIP/2.0/UDP 192.168.1.1:0;branch=z9hG4bK-14243-27817-0 From: +13155559999 <sip:+ 13155559999 @192.168.1.1:0>;tag=14243SIPpTag0027817 To: +17325551234 <sip:+17325551234@10.2.0.1:5060> Call-ID: 387A9EFB@192.168.1.1 CSeq: 1 INVITE Contact: sip:+ 13155559999 @192.168.1.1:0 Max-Forwards: 70 Destination information Subject: Performance Test Type of call Content-Type: application/sdp Content-Length: 137 Media information v=0 o=user1 53655765 2353687637 IN IP4 192.168.1.1 s=- c=IN IP4 192.168.1.1 t=0 0 m=audio 6001 RTP/AVP 0 a=rtpmap:0 PCMU/8000 14

  15. SIP Message – Call features Identify details of this call INVITE sip:+17325551234@10.2.0.1:5060 SIP/2.0 Via: SIP/2.0/UDP 192.168.1.1:0;branch=z9hG4bK-14243-27817-0 From: +13155559999 <sip:+ 13155559999 @192.168.1.1:0>;tag=14243SIPpTag0027817 To: +17325551234 <sip:+17325551234@10.2.0.1:5060> Call-ID: 387A9EFB@192.168.1.1 CSeq: 1 INVITE Contact: sip:+ 13155559999 @192.168.1.1:0 Max-Forwards: 70 Subject: Performance Test Identify of specific call Content-Type: application/sdp Calling,Called Content-Length: 137 Call idenfication attributes v=0 callId, Tags, Routing o=user1 53655765 2353687637 IN IP4 192.168.1.1 Type of call s=- Statistics (duration, etc) c=IN IP4 192.168.1.1 t=0 0 m=audio 6001 RTP/AVP 0 a=rtpmap:0 PCMU/8000 15

  16. Creating Machine Learning Features Data Preparation Example of a few techniques used to create features from SIP messages: • Header Presence – for each header in message identify number of occurrences • Header Sequence – identifies the sequence or order of a header in the message • Header Syntax – the original message syntax for the header name (upper/lower) • Masks – creates a format mask for implementing specific SIP parameters. • Typically helpful to identify a device specific implementation • Where: • N – numeric • U – upper case • L – lower case • S – space • X – special character • Z – other • Example : Encoding tag value contained in from header • From: …;tag=14243SIPpTag0027817 -> NNNNNUUULULLNNNNNNN 16

Recommend

Forecasting Lightning Threat Earth-Sun System Division National Aeronautics and Space

Forecasting Lightning Threat Earth-Sun System Division National Aeronautics and Space

https://ntrs.nasa.gov/search.jsp?R=20100017230 2018-07-02T22:35:22+00:00Z Forecasting Lightning Threat Earth-Sun System Division National Aeronautics and Space Administration Using WRF Proxy Fields E. W. McCaul, Jr. USRA Huntsville Workshop

528 views • 28 slides
In Incorporating Feedback in into Tree-based Anomaly Detection Shubhomoy Das, Weng-Keen Wong,

In Incorporating Feedback in into Tree-based Anomaly Detection Shubhomoy Das, Weng-Keen Wong,

In Incorporating Feedback in into Tree-based Anomaly Detection Shubhomoy Das, Weng-Keen Wong, Alan Fern, Thomas G. Dietterich and Md Amran Siddiqui School of EECS Anomaly Detection Goal: Identify rare or strange objects 2 Anomaly

756 views • 51 slides
Anomaly Detection of Trajectories Junier B. Oliva Anomaly Detection An anomaly (or outlier)

Anomaly Detection of Trajectories Junier B. Oliva Anomaly Detection An anomaly (or outlier)

Anomaly Detection of Trajectories Junier B. Oliva Anomaly Detection An anomaly (or outlier) in a dataset is an instance that is abnormal or unlikely based on the rest of the dataset If the instances in the dataset are labeled as

760 views • 19 slides
Detecting Attacks Anomaly-based Detection Signature-based Signature-based (Misuse)

Detecting Attacks Anomaly-based Detection Signature-based Signature-based (Misuse)

Detecting Attacks Anomaly-based Detection Signature-based Signature-based (Misuse) Detection Intrusion Detection Host-based Network-based Boriana Ditcheva and Lisa Fowler Active/Passive University of North Carolina at

401 views • 12 slides
An Empirical Evaluation of Entropy- based Traffic Anomaly Detection George Nychis, Vyas Sekar,

An Empirical Evaluation of Entropy- based Traffic Anomaly Detection George Nychis, Vyas Sekar,

An Empirical Evaluation of Entropy- based Traffic Anomaly Detection George Nychis, Vyas Sekar, David Andersen, Hyong Kim, Hui Zhang Carnegie Mellon University Entropy-based Anomaly Detection Goal: detect abnormal behavior scan activity,

447 views • 34 slides
Direct Hydrocarbon Leak Detections based on Nanocomposite Sensors Private and Confidential

Direct Hydrocarbon Leak Detections based on Nanocomposite Sensors Private and Confidential

November 2017 Direct Hydrocarbon Leak Detections based on Nanocomposite Sensors Private and Confidential Contents Needs for Leak Detection Sensors Review of Leak Detection Systems Husky Leak N. Battleford, SK; July 2016 Platform

635 views • 24 slides
Anomaly Based Network Intrusion Detection with Unsupervised Outlier Detection Jiong Zhang and

Anomaly Based Network Intrusion Detection with Unsupervised Outlier Detection Jiong Zhang and

Anomaly Based Network Intrusion Detection with Unsupervised Outlier Detection Jiong Zhang and Mohammad Zulkernine School of Computing Queens University, Kingston Ontario, Canada K7L 3N6 {zhang, mzulker} @cs.queensu.ca Abstract- Anomaly

284 views • 6 slides
Outlook of Summer Rainfall Anomaly in Asia with Outlook of Summer Rainfall Anomaly in Asia with

Outlook of Summer Rainfall Anomaly in Asia with Outlook of Summer Rainfall Anomaly in Asia with

Sixteenth Session of the Forum on Regional Climate Monitoring, Assessment and Prediction for Asia (FOCRAII), May 7, 2020 ( ), y , Outlook of Summer Rainfall Anomaly in Asia with Outlook of Summer Rainfall Anomaly in Asia with SMART-based

457 views • 16 slides
Welcome to Forecasting Using R Rob Hyndman Author, forecast Forecasting Using R What you will

Welcome to Forecasting Using R Rob Hyndman Author, forecast Forecasting Using R What you will

FORECASTING USING R Welcome to Forecasting Using R Rob Hyndman Author, forecast Forecasting Using R What you will learn Exploring and visualizing time series Simple benchmark methods for forecasting Exponential smoothing and

715 views • 22 slides
PANACEA: AUTOMATING ATTACK CLASSIFICATION FOR ANOMALY-BASED NETWORK INTRUSION DETECTION SYSTEMS

PANACEA: AUTOMATING ATTACK CLASSIFICATION FOR ANOMALY-BASED NETWORK INTRUSION DETECTION SYSTEMS

PANACEA: AUTOMATING ATTACK CLASSIFICATION FOR ANOMALY-BASED NETWORK INTRUSION DETECTION SYSTEMS DAMIANO BOLZONI, SANDRO ETALLE AND PIETER HARTEL DISTRIBUTED AND EMBEDDED SECURITY GROUP TWENTE SECURITY LAB 10+ YEARS OF RESEARCH OVER ANOMALY

160 views • 14 slides
What is an anomaly? Alastair Rushworth Data Scientist DataCamp Anomaly Detection in R Defining

What is an anomaly? Alastair Rushworth Data Scientist DataCamp Anomaly Detection in R Defining

DataCamp Anomaly Detection in R ANOMALY DETECTION IN R What is an anomaly? Alastair Rushworth Data Scientist DataCamp Anomaly Detection in R Defining the term anomaly Anomaly: a data point or collection of data points that do not follow the

870 views • 21 slides
ASTROPHYSICAL IMPLICATIONS OF THE FIRST LIGO AND VIRGO DETECTIONS Tania Regimbau 2 LIGO Current

ASTROPHYSICAL IMPLICATIONS OF THE FIRST LIGO AND VIRGO DETECTIONS Tania Regimbau 2 LIGO Current

ASTROPHYSICAL IMPLICATIONS OF THE FIRST LIGO AND VIRGO DETECTIONS Tania Regimbau 2 LIGO Current Detections LIGO and Virgo have already observed 5 (+1?) BBHs and 1 BNS. 3 Possible Formation Scenarios Field: formed from stars born in a

639 views • 24 slides
Assessment What is Threat Assessment Threat assessment is the process of gathering

Assessment What is Threat Assessment Threat assessment is the process of gathering

Threat Assessment What is Threat Assessment Threat assessment is the process of gathering information to understand the threat of violence posed by a person. Threat management is the process of developing and executing plans to mitigate

332 views • 15 slides
NEW ANOMALY INDUCED SECOND ORDER TRANSPORT F. PEA-BENTEZ IFT - UAM/CSIC BASED ON:

NEW ANOMALY INDUCED SECOND ORDER TRANSPORT F. PEA-BENTEZ IFT - UAM/CSIC BASED ON:

NEW ANOMALY INDUCED SECOND ORDER TRANSPORT F. PEA-BENTEZ IFT - UAM/CSIC BASED ON: 1304.5529 WITH EUGENIO MEGAS OUTLINE ANOMALIES AND HYDRODYNAMICS STRONGLY COUPLED MODEL FLUID GRAVITY CORRESPONDENCE RESULTS SUMMARY, ACTUAL AND

382 views • 34 slides
Anomaly Detection through DNS Correlations Michael H. Warfield Senior Security Researcher and

Anomaly Detection through DNS Correlations Michael H. Warfield Senior Security Researcher and

Anomaly Detection through DNS Correlations Michael H. Warfield Senior Security Researcher and Threat Analyst IBM Security Services X-Force Why DNS? This is still a work in progress but... Why look at the DNS? It's just THERE.

496 views • 21 slides
Processing Forecasting Queries Processing Forecasting Queries Songyun Duan, Shivnath Babu Duke

Processing Forecasting Queries Processing Forecasting Queries Songyun Duan, Shivnath Babu Duke

Processing Forecasting Queries Processing Forecasting Queries Songyun Duan, Shivnath Babu Duke University Motivation Motivation Real-time forecasting of future events based on historical data is useful in many domains Proactive system

991 views • 25 slides
Fermi-LAT Upper Limits on Gamma-ray Bursts Daniel Kocevski Kavli Institute for Particle

Fermi-LAT Upper Limits on Gamma-ray Bursts Daniel Kocevski Kavli Institute for Particle

Fermi-LAT Upper Limits on Gamma-ray Bursts Daniel Kocevski Kavli Institute for Particle Astrophysics and Cosmology SLAC - Stanford University On behalf of the Fermi collaboration Fermi GRB Detections 291 GBM detections 10 LAT detections

447 views • 13 slides
Continuous Asset Discovery, Risk Management &amp; Threat Monitoring for IIoT &amp; ICS Networks

Continuous Asset Discovery, Risk Management &amp; Threat Monitoring for IIoT &amp; ICS Networks

Continuous Asset Discovery, Risk Management &amp; Threat Monitoring for IIoT &amp; ICS Networks SANS Webinar on NIST Recommendations for IIoT &amp; ICS Security With Behavioral Anomaly Detection (BAD) February 28, 2019 Phil Neray, VP of

714 views • 42 slides
A New SU(2) Anomaly Edward Witten PCTS, October 3, 2018 A familiar anomaly says that in four

A New SU(2) Anomaly Edward Witten PCTS, October 3, 2018 A familiar anomaly says that in four

A New SU(2) Anomaly Edward Witten PCTS, October 3, 2018 A familiar anomaly says that in four spacetime dimensions, an SU(2) gauge theory with a single multiplet of fermions that transform under SU(2) in the spin 1/2 representation is

820 views • 43 slides
Anomaly-mediated supersymmetry breaking demystified based on JHEP03(2009)123

Anomaly-mediated supersymmetry breaking demystified based on JHEP03(2009)123

Anomaly-mediated supersymmetry breaking demystified based on JHEP03(2009)123 (arXiv:0902.0464) Jae Yong Lee (KIAS) in collaboration with Dong-Won Jung (NCU) PHENO 2009 SYMPOSIUM 1 OUTLINE

439 views • 26 slides
Robust and Unsupervised KPI Anomaly Detection Based on Conditional Variational Autoencoder Zeyan

Robust and Unsupervised KPI Anomaly Detection Based on Conditional Variational Autoencoder Zeyan

Robust and Unsupervised KPI Anomaly Detection Based on Conditional Variational Autoencoder Zeyan Li , Wenxiao Chen, Dan Pei Department of Computer Science and Technology Tsinghua University November 18, 2018 1/37 Table of Contents 1 Background

573 views • 41 slides
Phases of Disaster Despair Threat Threat Phase: Small events serve as a warning or threat to

Phases of Disaster Despair Threat Threat Phase: Small events serve as a warning or threat to

Honeymoon Threat Restoration Rescue Phases of Disaster Despair Threat Threat Phase: Small events serve as a warning or threat to normal living. A disaster has not yet oc- curred, but there is a sense of impending doom. Individual

604 views • 6 slides
An Incremental Learner for Language-Based Anomaly Detection in XML Harald Lampesberger

An Incremental Learner for Language-Based Anomaly Detection in XML Harald Lampesberger

An Incremental Learner for Language-Based Anomaly Detection in XML Harald Lampesberger Department of Secure Information Systems University of Applied Sciences Upper Austria harald.lampesberger@fh-hagenberg.at LangSec Workshop, 26. May 2016

526 views • 20 slides
Host based anomaly detection for webservers RP1 Sudesh Jethoe Overview 1. Introduction 2.

Host based anomaly detection for webservers RP1 Sudesh Jethoe Overview 1. Introduction 2.

Host based anomaly detection for webservers RP1 Sudesh Jethoe Overview 1. Introduction 2. Problem description 3. Research Questions &amp; Method 4. Analyze 5. Solutions 6. Result 7. Conclusion Introduction Byte Internet Since 1999

295 views • 28 slides

More recommend