Effective Anomaly Detection with Scarce Training Data
Presenter: 葉倚任
Authors: W. Robertson, F. Maggi, C. Kruegel and G. Vigna (NDSS 2010)

Outline
– Introduction
– Training Data Scarcity
– Exploiting Global Knowledge
– Evaluation

Properties of Anomaly Detection
Pros
– Unknown attacks can be identified automatically, without any a priori knowledge about the application
– No need to manually analyze applications composed of hundreds of components
Cons
– Tendency to produce a non-negligible amount of false positives
– Critically rely on having enough good-quality training data to construct their models

Motivation
– Web application component invocations are non-uniformly distributed
– For the components that receive few invocations, it is often impossible to gather enough training data to accurately model their normal behavior
– No existing proposal satisfactorily addresses this problem

Contributions
– Provide evidence that web traffic is distributed across components in a non-uniform fashion
– Propose an approach that addresses the problem of undertraining by using global knowledge
– Evaluate the proposed approach on a large data set of real-world traffic from many web applications


Summary of Notation
– A: a set of web applications
– R: a set of resource paths or components
– P: parameters
– Q: requests
Each request is represented by the tuple

Summary of Notation (cont'd)
The set of models associated with each unique parameter instance can be represented as a tuple:
The knowledge base of an anomaly detection system trained on a web application is denoted by

Multi-model Approach
A profile for a given parameter is a tuple of models:
– a model that describes normal intervals for integers and string lengths
– a model that represents character strings as a ranked frequency histogram, or Idealized Character Distribution (ICD)
– a model that captures sets of character strings by inducing a Hidden Markov Model (HMM)
– a model that represents parameter values as a set of legal tokens

The Problem: Non-uniform training data
– In the case of low-traffic applications, the rate of client requests is inadequate to allow the models to train in a timely manner
– In the case of high-traffic applications, a large subset of resource paths might still fail to receive enough requests

Non-uniform training data


Exploiting Global Knowledge
– Parameters of the same type tend to induce model compositions that are similar to each other
– The goal is to substitute the profiles of similar, well-trained parameters of the same type for undertrained ones
– The proposed method is composed of three phases: enhanced training; building profile knowledge bases; mapping undertrained profiles to well-trained profiles


Phase I: Enhanced training
– Generate undertrained profiles: let denote a sequence of client requests containing parameter p for application a_i; profiles are built from randomly sampled κ-sequences, where κ can take values in
– Each of the resulting undertrained profiles is then added to a knowledge base
– Each model monitors its stability during the training phase; a well-trained, or stable, profile is stored in a knowledge base

Phase II: Building profile knowledge bases
– Merge a set of knowledge bases into the undertrained profile database
– Profile clustering is performed on that database in order to optimize query execution time; the resulting clusters of profiles are denoted by
– An agglomerative hierarchical clustering algorithm using group-average linkage was applied

Distance Measure
More formally, the distance between the profiles c_i and c_j is defined as:
where is the distance function

Distance Functions

Phase III: Mapping undertrained profiles to well-trained profiles
The mapping is implemented as follows:
– A nearest-neighbor match is performed between the undertrained profile and the clusters of the undertrained profile database
– A nearest-neighbor match is then performed between the undertrained profile and the members of the closest cluster, to discover the undertrained profile at minimum distance from it
– The well-trained profile corresponding to that match is substituted for the undertrained profile
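The three phases above, carried through end to end as an added worked example in Python. This is constructed for this page, not the authors' code or data set. It assumes: a simplified profile made of three of the four models named earlier (length interval, ICD as a ranked histogram, token set; the HMM model is left out); constructed traffic for three global parameter "types" (GLOBAL_TRAFFIC) and for a low-traffic application that only ever sees 12 requests per parameter (LOCAL_TRAFFIC); per-model distance functions of my own choosing (interval Jaccard, total variation between ranked histograms, Jaccard between token sets), since the slides do not give the paper's distance functions; κ in {4, 8, 16} and the stability threshold of `stable_after`, both assumptions. The agglomerative clustering of Phase II, which the slide presents as a query-time optimization, is replaced by a flat nearest-neighbour scan of the undertrained knowledge base.

```python
import random
from collections import Counter
from statistics import mean

# Constructed traffic (an assumption, not the paper's data set): GLOBAL_TRAFFIC is the
# well-trained side gathered across applications, LOCAL_TRAFFIC a low-traffic application.
GLOBAL_TRAFFIC = {
    "shop.example/item?id":     [str(n) for n in range(100000, 400000, 293)],
    "blog.example/post?author": ["alice", "bob", "carol", "dave", "erin", "frank"] * 40,
    "mail.example/send?to":     [f"user{n}@example.org" for n in range(100, 300)],
}
LOCAL_TRAFFIC = {
    "wiki.example/edit?editor": ["grace", "heidi", "ivan", "judy"] * 3,
    "cart.example/add?sku":     [str(n) for n in range(512000, 524000, 1009)],
    "wiki.example/notify?addr": [f"dev{n}@corp.example" for n in range(100, 112)],
}
MIN_ENUM_SAMPLES = 32  # assumed: with fewer requests the token model stays undecided
KAPPAS = (4, 8, 16)    # assumed values of kappa for the sampled request sequences

def train_profile(values):
    """Profile tuple: length interval, ICD and token model (the HMM model is omitted)."""
    lengths = [len(v) for v in values]
    counts = Counter("".join(values))
    total = sum(counts.values())
    # ICD: character frequencies sorted by rank, i.e. the shape of the distribution
    # without remembering which characters produced it.
    icd = sorted((c / total for c in counts.values()), reverse=True)
    distinct = frozenset(values)
    # Token model: is the parameter an enumeration? With too few requests the
    # decision is left open, which is exactly the undertrained case.
    enum = None if len(values) < MIN_ENUM_SAMPLES else len(distinct) < len(values) / 2
    return {"length": (min(lengths), max(lengths)), "icd": icd, "enum": enum, "tokens": distinct}

def length_distance(a, b):
    """1 - Jaccard similarity of two integer intervals (assumed per-model metric)."""
    overlap = max(0, min(a[1], b[1]) - max(a[0], b[0]) + 1)
    union = max(a[1], b[1]) - min(a[0], b[0]) + 1
    return 1 - overlap / union

def icd_distance(a, b):
    """Total variation between two ranked histograms, in [0, 1] (assumed metric)."""
    n = max(len(a), len(b))
    a, b = a + [0.0] * (n - len(a)), b + [0.0] * (n - len(b))
    return sum(abs(x - y) for x, y in zip(a, b)) / 2

def token_distance(p, q):
    """0 if a side is undecided, 1 if they disagree on being an enumeration, else Jaccard."""
    if p["enum"] is None or q["enum"] is None:
        return 0.0
    if p["enum"] != q["enum"]:
        return 1.0
    if not p["enum"]:
        return 0.0
    return 1 - len(p["tokens"] & q["tokens"]) / len(p["tokens"] | q["tokens"])

def profile_distance(p, q):
    """Distance between two profiles: the mean of the per-model distances."""
    return mean([length_distance(p["length"], q["length"]),
                 icd_distance(p["icd"], q["icd"]), token_distance(p, q)])

def stable_after(values, step=32, eps=0.05):
    """Stability monitoring: prefix length at which `step` more requests move the
    profile by less than eps, or None if the parameter never stabilizes."""
    previous = None
    for n in range(step, len(values) + 1, step):
        current = train_profile(values[:n])
        if previous is not None and profile_distance(previous, current) < eps:
            return n
        previous = current
    return None

def undertrained_profiles(name, values, rng):
    """Phase I: profiles built from randomly sampled kappa-sequences of the requests."""
    out = []
    for k in KAPPAS:
        start = rng.randrange(0, len(values) - k + 1)
        out.append((name, k, train_profile(values[start:start + k])))
    return out

def build_knowledge_bases(traffic, seed=0):
    """Phase II without the clustering speed-up: undertrained and well-trained knowledge bases."""
    rng = random.Random(seed)
    undertrained = [p for name, vals in traffic.items() for p in undertrained_profiles(name, vals, rng)]
    well_trained = {name: train_profile(vals) for name, vals in traffic.items()}
    return undertrained, well_trained

def map_to_well_trained(local_profile, undertrained_kb, well_trained_kb):
    """Phase III: nearest-neighbour match in the undertrained KB, then substitute the
    matched parameter's well-trained profile."""
    name, _, _ = min(undertrained_kb, key=lambda e: profile_distance(local_profile, e[2]))
    return name, well_trained_kb[name]

def substitute_local_profiles(local_traffic=LOCAL_TRAFFIC, global_traffic=GLOBAL_TRAFFIC):
    """For every scarce local parameter, the global parameter whose profile replaces it."""
    undertrained_kb, well_trained_kb = build_knowledge_bases(global_traffic)
    return {name: map_to_well_trained(train_profile(vals), undertrained_kb, well_trained_kb)[0]
            for name, vals in local_traffic.items()}
```

Calling `substitute_local_profiles()` maps the wiki editor name to the blog author profile, the cart SKU to the shop item id, and the notification address to the mail recipient: the match is driven by the type of the values, not by the application they came from. Note what the token model does with 12 requests: it cannot decide whether the parameter is an enumeration, so it contributes nothing to the distance and the length and ICD models carry the match; `stable_after` returns None for the same 12-request parameter and 64 for the blog author, which is the undertraining gap the substitution closes.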

Mapping Quality

Mapping Quality
Let be a mapping from an undertrained cluster to the maximum number of elements in that cluster that map to the same cluster in C.
The robustness metric ρ is then defined as
where is a minimum robustness threshold


Experimental Setting
– HTTP connections observed over a period of approximately three months
– A portion of the resulting flows was then filtered using Snort to remove known attacks
– The data set contains 823 distinct web applications, 36,392 unique components, 16,671 unique parameters, and 58,734,624 HTTP requests

Profile clustering quality

Profile mapping robustness

Detection accuracy (100,000 attacks)

Conclusion
– Identified that non-uniform web client access distributions cause model undertraining
– Propose the use of global knowledge bases of well-trained profiles to remediate a local scarcity of training data