Information Fusion Ganesh Godavari. DDoS Data Set DARPA DDoS data set (2000) is available –MIT Lincoln Laboratory –Data Set spans approximately 3 hours.


Information Fusion Ganesh Godavari

DDoS Data Set

DARPA DDoS data set (2000) is available
– MIT Lincoln Laboratory
– Data set spans approximately 3 hours

The five phases of the attack scenario depicted [1]:
– IPsweep of the Air Force Base from a remote site
– Probe of live IPs to look for the sadmind daemon running on Solaris hosts
– Break-ins via the sadmind vulnerability, both successful and unsuccessful, on those hosts
– Installation of the trojan mstream DDoS software on three hosts at the AFB
– Launching the DDoS

Related Work

– Charu C. Aggarwal, Philip S. Yu (2001). "Outlier detection for high dimensional data". ACM SIGMOD International Conference on Management of Data, pp. 37–46.
– John McHugh (2000). "Testing intrusion detection systems: a critique of the 1998 and 1999 DARPA intrusion detection system evaluations as performed by Lincoln Laboratory". ACM TISSEC, 3(4).
– Risto Vaarandi (2003). "A Data Clustering Algorithm for Mining Patterns From Event Logs". IEEE Workshop on IP Operations and Management (IPOM).

Attack Scenario [1]

Phase 1 Attack (DDoS DataSet)

Id  Date        Time    Duration  SrcIP  Target IP  Analyzer        Service
1   03/07/2000  :51:36  00:00:    -      -          tcpdump_inside  icmp-E-R
2   03/07/2000  :51:36  00:00:    -      -          tcpdump_inside  icmp-E-Rp
3   03/07/2000  :51:36  00:00:    -      -          tcpdump_inside  icmp-E-R
4   03/07/2000  :51:36  00:00:    -      -          tcpdump_inside  icmp-E-Rp
5   03/07/2000  :51:38  00:00:    -      -          tcpdump_inside  icmp-E-R
6   03/07/2000  :51:38  00:00:    -      -          tcpdump_inside  icmp-E-Rp
7   03/07/2000  :51:41  00:00:    -      -          tcpdump_inside  icmp-E-R
8   03/07/2000  :51:50  00:00:    -      -          tcpdump_inside  icmp-E-R
9   03/07/2000  :51:50  00:00:    -      -          tcpdump_inside  icmp-E-Rp
10  03/07/2000  :51:51  00:00:    -      -          tcpdump_inside  icmp-E-R
11  03/07/2000  :51:51  00:00:    -      -          tcpdump_inside  icmp-E-Rp
12  03/07/2000  :51:51  00:00:    -      -          tcpdump_inside  icmp-E-R
13  03/07/2000  :51:51  00:00:    -      -          tcpdump_inside  icmp-E-Rp
14  03/07/2000  :51:52  00:00:    -      -          tcpdump_inside  icmp-E-R
::  ::          ::      ::        ::     ::         ::              ::
32  03/07/2000  :52:00  00:00:    -      -          tcpdump_inside  icmp-E-R
33  03/07/2000  :52:00  00:00:    -      -          tcpdump_inside  icmp-E-R

icmp-E-R  => icmp-echo-request
icmp-E-Rp => icmp-echo-reply

(The hour digits of Time, the seconds of Duration and the two IP address columns did not survive transcription of the slide; "-" marks a lost value.)

Algorithm

Step 1: go over the data file and build the vocabulary
– Read all the unique fields in the data file
Step 2: identify the frequent vocabulary in the data file
– How to determine frequency? How can one determine the threshold for frequency?
Step 3: Generate cluster candidates
– Lines containing the same frequent words form a cluster
Step 4: Identify temporal relationships between cluster candidates
– The 24 relationships of data
Step 5: Generate unique lines
– Lines in the data file based on the candidate clusters

Need Suggestions

– Is it safe to assume that a threshold parameter is provided by the user, or must the algorithm derive it from the data?
– Cluster candidate generation can produce far more candidates than input lines (the next slides show how).

Cluster Candidate Generation

The data set has 8 dimensions. Frequent words (4-byte column number followed by the word) with threshold > 10 are:
– (word missing from transcript) repeated 22
– 0001 03/07/2000 repeated 33
– 0003 00:00:00 repeated 31
– 0007 icmp-echo-request repeated 22
– 0007 icmp-echo-reply repeated 11
– 0006 tcpdump_inside repeated 33
– (word missing from transcript) repeated 11

Candidate Generation Example

Example:
  line 1: 03/07/ :51:36 00:00: tcpdump_inside icmp-E-R
  line 2: 03/07/ :51:36 00:00: tcpdump_inside icmp-E-Rp
  line 3: 03/07/ :51:36 00:00: tcpdump_inside icmp-E-R
  line 4: 03/07/ :51:36 00:00: tcpdump_inside icmp-E-Rp

In all data the first field is common, so should those lines be considered as a candidate cluster?

Cluster 1 = { line 1, line 2, line 3, line 4 }
Cluster 2 = { line 1, line 3, line 4 }
Cluster 3 = { line 1, line 3 }
Cluster 4 = { line 2, line 4 }
Cluster 5 = { line 1, line 2, line 3, line 4 }
Cluster 5 = { line 1, line 3 }
Cluster 6 = { line 2, line 4 }

Reduction but loss of information?
– Cluster 1 = { line 1, line 3 }
– Cluster 2 = { line 2 }
– Cluster 3 = { line 4 }
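The following is an added worked example, not the author's code and not part of the original slides. It implements steps 1, 2, 3 and 5 of the Algorithm slide in the style of Vaarandi's SLCT (the clustering algorithm cited on the Related Work slide): the vocabulary is keyed by (column number, word), just as the "4-byte column number + word" scheme on the Cluster Candidate Generation slide, and a line's cluster candidate is the set of frequent pairs it contains, so the number of candidates never exceeds the number of lines. It also enumerates the naive alternative, every subset of frequent words, to show the blow-up the Candidate Generation Example slide asks about, and it offers one answer to the threshold question on the Need Suggestions slide (support as a fraction of the line count, an assumption rather than anything on the slides). The sample events are constructed: the IP addresses and the hour in the timestamps are invented, since the transcript does not preserve them. Step 4 (temporal relationships) is not implemented.

```python
"""Added example (not the author's code): the Algorithm slide's steps 1, 2, 3
and 5 in the style of Vaarandi's SLCT, run over constructed DDoS phase-1 events.

Words are keyed by (column, word), mirroring the slide's "4-byte column
number + word" vocabulary. The IP addresses and the hour in the timestamps
below are made up, because the transcript does not preserve them.
"""
import math
from collections import Counter, defaultdict
from itertools import combinations

# Constructed sample: 7 columns (Date, Time, Duration, SrcIP, TargetIP, Analyzer, Service)
SAMPLE_EVENTS = """\
03/07/2000 09:51:36 00:00:00 10.0.0.5 172.16.112.10 tcpdump_inside icmp-echo-request
03/07/2000 09:51:36 00:00:00 172.16.112.10 10.0.0.5 tcpdump_inside icmp-echo-reply
03/07/2000 09:51:36 00:00:00 10.0.0.5 172.16.112.50 tcpdump_inside icmp-echo-request
03/07/2000 09:51:36 00:00:00 172.16.112.50 10.0.0.5 tcpdump_inside icmp-echo-reply
03/07/2000 09:51:38 00:00:00 10.0.0.5 172.16.112.100 tcpdump_inside icmp-echo-request
03/07/2000 09:51:41 00:00:00 10.0.0.5 172.16.112.105 tcpdump_inside icmp-echo-request
"""


def parse(text):
    """Split each non-empty line into its whitespace-separated fields."""
    return [line.split() for line in text.splitlines() if line.strip()]


def build_vocabulary(rows):
    """Step 1: count every (column, word) pair across the data file."""
    return Counter((col, word) for row in rows for col, word in enumerate(row))


def support_threshold(n_lines, fraction):
    """One answer to the 'how to pick the threshold' question: require a word
    to occur in at least `fraction` of the lines (an assumption, not the slide's)."""
    return math.ceil(n_lines * fraction)


def frequent_words(vocab, threshold):
    """Step 2: keep the (column, word) pairs whose count meets the threshold."""
    return {pair for pair, count in vocab.items() if count >= threshold}


def cluster_candidates(rows, frequent):
    """Step 3, SLCT style: a line's candidate is the set of frequent pairs it
    contains; lines with identical candidates form one cluster. This yields at
    most one candidate per line, never one per subset of frequent words."""
    clusters = defaultdict(list)
    for line_no, row in enumerate(rows, 1):
        key = tuple(sorted(pair for pair in enumerate(row) if pair in frequent))
        clusters[key].append(line_no)
    return clusters


def template(key, width):
    """Step 5: render a cluster as a line pattern, '*' for non-frequent columns."""
    fixed = dict(key)
    return " ".join(fixed.get(col, "*") for col in range(width))


def slct_clusters(text=SAMPLE_EVENTS, threshold=3):
    """Map each cluster's line template to the 1-based line numbers it covers."""
    rows = parse(text)
    frequent = frequent_words(build_vocabulary(rows), threshold)
    width = max(len(row) for row in rows)
    return {template(key, width): members
            for key, members in cluster_candidates(rows, frequent).items()}


def naive_candidates(rows, frequent):
    """The blow-up the 'Candidate Generation Example' slide worries about:
    treating every non-empty subset of frequent pairs as a candidate gives up to
    2^|frequent| - 1 candidates, most of them overlapping."""
    candidates = {}
    pairs = sorted(frequent)
    for size in range(1, len(pairs) + 1):
        for subset in combinations(pairs, size):
            members = [n for n, row in enumerate(rows, 1)
                       if all(row[col] == word for col, word in subset)]
            if members:
                candidates[subset] = members
    return candidates


def candidate_counts(text=SAMPLE_EVENTS, threshold=3):
    """(naive subset candidates, SLCT per-line candidates) for the same input."""
    rows = parse(text)
    frequent = frequent_words(build_vocabulary(rows), threshold)
    return len(naive_candidates(rows, frequent)), len(cluster_candidates(rows, frequent))


if __name__ == "__main__":
    for pattern, members in slct_clusters().items():
        print(f"{pattern}  <- lines {members}")
    print("naive vs SLCT candidate count:", candidate_counts())
```

With threshold 3 on the six constructed lines there are six frequent (column, word) pairs; subset enumeration produces 63 candidates (every non-empty subset is satisfied by at least line 1), while the per-line candidate rule produces three clusters: the echo requests at 09:51:36, the echo replies at 09:51:36, and the later echo requests whose timestamp was not frequent. The "*" columns in each template are exactly the information the reduction on the slide gives up.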

Work to be done Complete the algorithm and coding part

References

[1] MIT Lincoln Laboratory, DARPA intrusion detection data sets: _data_index.html