Automaton Models for Netflow Analysis: Fingerprinting and Classifying Participants (NMRG Workshop) - PowerPoint PPT Presentation


  1. Automaton Models for Netflow Analysis: Fingerprinting and Classifying Participants
     NMRG Workshop, Prague, Czech Republic, Friday, July 24th 2015
     Christian Hammerschmidt, christian.hammerschmidt@uni.lu
     Interdisciplinary Centre for Security, Reliability and Trust, University of Luxembourg

  2. Automaton Models: Short Overview
     C. Hammerschmidt (SnT) Automaton Models for NetFlows SnT 2015-07-24 1 / 13

  3. Fingerprinting with Automatons: Prediction, Classification, and Visualization (I)
     Prediction (unsupervised):
     - predicting next states
     - detecting outliers and anomalies
     Classification ((semi-)supervised):
     - classifying flows
     - identifying type of activity or infection

  5. Fingerprinting with Automatons: Prediction, Classification, and Visualization (II)
     [animation of automaton]

  6. Challenges: NetFlow Data as a (Regular) Language
     [figure; image source (footnote 1): http://www.cisco.com/c/dam/en/us/td/docs/ios/ipv6/configuration/guide/ip6-netflow_v9.fm/_jcr_content/renditions/ip6-netflow_v9-1.jpg]

  7. Challenges: NetFlow Data as a (Regular) Language
     From regression of numeric values to classification:
     - via clustering, to obtain a few representatives, or
     - through discretization via binning, to obtain a discrete state space
     What to choose?
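An added example, not code from the talk, illustrating the binning route on this slide together with the prediction and outlier use on slide 3: constructed flow records (bytes, packets, duration) are mapped to symbols with assumed bin edges, grouped per source host into strings, and a prefix-tree model learned from those strings predicts the next symbol and flags transitions it has never seen. The bin edges, hosts and flow values are all constructed for illustration.

```python
# Added example (not from the talk): NetFlow records -> discrete alphabet by
# binning -> prefix tree with transition counts -> next-symbol prediction and
# unseen-transition flagging. All bin edges and flow records are constructed.
from bisect import bisect_right
from collections import defaultdict

# Constructed bin edges per feature (bytes, packets, duration in seconds).
BINS = {
    "bytes": [100, 1000, 10000],
    "packets": [2, 10, 100],
    "duration": [0.1, 1.0, 10.0],
}

def symbol(flow):
    """Map one flow record to a symbol such as 'b2p2d2' by fixed-edge binning."""
    return "".join(f"{name[0]}{bisect_right(edges, flow[name])}"
                   for name, edges in BINS.items())

def sequences(flows):
    """Group flows by source host, ordered by start time, as symbol strings."""
    by_host = defaultdict(list)
    for f in sorted(flows, key=lambda f: f["start"]):
        by_host[f["src"]].append(symbol(f))
    return by_host

def learn_pta(seqs):
    """Prefix tree acceptor: a state is the prefix seen so far; count next symbols."""
    model = defaultdict(lambda: defaultdict(int))
    for s in seqs:
        for i, sym in enumerate(s):
            model[tuple(s[:i])][sym] += 1
    return model

def predict(model, prefix):
    """Most frequent next symbol after prefix, or None if that state was never seen."""
    nxt = model.get(tuple(prefix))
    return max(nxt, key=nxt.get) if nxt else None

def is_outlier(model, prefix, sym):
    """A transition never observed during learning is flagged as an anomaly."""
    return sym not in model.get(tuple(prefix), {})

FLOWS = [  # constructed sample flows: src, start, bytes, packets, duration
    {"src": "10.0.0.1", "start": 1, "bytes": 60, "packets": 1, "duration": 0.01},
    {"src": "10.0.0.1", "start": 2, "bytes": 5000, "packets": 20, "duration": 2.0},
    {"src": "10.0.0.2", "start": 1, "bytes": 70, "packets": 1, "duration": 0.02},
    {"src": "10.0.0.2", "start": 3, "bytes": 4000, "packets": 15, "duration": 3.0},
    {"src": "10.0.0.3", "start": 1, "bytes": 80, "packets": 1, "duration": 0.05},
    {"src": "10.0.0.3", "start": 2, "bytes": 50000, "packets": 500, "duration": 30.0},
]
MODEL = learn_pta(sequences(FLOWS).values())
```

With these constructed flows every host starts with the small symbol b0p0d0, so predict(MODEL, ["b0p0d0"]) returns the majority follow-up b2p2d2, while a symbol never seen after that prefix is reported by is_outlier.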

  8. Method: Learning State Structure from Data
     [figure, taken from [2]]

  9. Evaluation: Data Set
     Experiments (on time-aggregated flow data):
     1. predicting statistics for next flows
     2. classifying flows on unlabeled data
     3. classifying flows on labeled data, using a botnet traffic data set [1]

  10. Evaluation: Generated Automatons
     [figure]

  11. Evaluation: Excerpt
     Table: Data Set | Experiment | Error / F1 / FPR

  12. Conclusion and Future Work
     Results:
     - structure learning on netflow data is feasible
     - initial results look very promising
     - this is still work in progress and offers a number of ways to improve
     Further Research:
     - compare performance to other fingerprinting solutions
     - apply a more expressive automaton model

  14. Future Work and Extensions: Currently Ongoing Research
     [figure, taken from [2]]

  15. Thank You!
     Time for questions.

  16. References
     [1] García, S., Grill, M., Stiborek, J., Zunino, A. An empirical comparison of botnet detection methods. Computers & Security, 2014.
     [2] Verwer, S. E., Witteveen, C., De Weerdt, M. M. Efficient identification of timed automata: Theory and practice. March 2010.
     [3] Heule, M. J. H., Verwer, S. Software model synthesis using satisfiability solvers. Empirical Software Engineering 18, 825–856, 2013.
