Presentation is loading. Please wait.

Presentation is loading. Please wait.

Benchmarking Anomaly-based Detection Systems Ashish Gupta Network Security May 2004.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Benchmarking Anomaly-based Detection Systems Ashish Gupta Network Security May 2004."— Presentation transcript:

1 Benchmarking Anomaly-based Detection Systems Ashish Gupta Network Security May 2004

2 Overview The Motivation for this paper –Waldo example The approach Structure in data Generating the data and anomalies Injecting anomalies Results –Training and Testing: the method –Scoring –Presentation –The ROC curves: somewhat obvious

3 Motivation Does anomaly detection depend on regularity/randomness of data ?

4 Where’s Waldo !

5

6

7 The aim Hypothesis: –Differences in data regularity affect anomaly detection –Different environments  different regularity Regularity –Highly redundant or random ? –Example of environment’s affect 010101010101010101010101 Or 0100011000101000100100101

8 Consequences One IDS : Different False Alarm Rates Need custom system/training for each environment ? Temporal affects: Regularity may vary over time ?

9 Structure in data Measuring randomness

10 010101010101010101010101 Or 0100011000101000100100101 Measuring Randomness Relative EntropySequential Dependence + Conditional Relative Entropy

11 The benchmark datasets Three types: –Training data ( the background data) –Anomalies –Testing data ( background + anomalies ) Generating the sequences –5 sets, each set  11 files ( for increasing regularity) –Each set  different alphabet size –Alphabet size  decides complexity

12 Anomaly Generation What’s a surprise ? –Different from the expected probability Types: –Juxta-positional : different arrangements of data 001001001001001001111 –Temporal Unexpected periodicities –Other types ?

13 Types in this paper Foreign symbol –AAABABBBABAB C BBABABBA Foreign n-gram –AAABABAABAABAAABB B BA Rare n-gram –AABBBABBBABBBABBBABBBABB AA

14 Injecting anomalies –Make sure not more than 0.24 %

15 The experiments The Hypothesis is true

16 The hypothesis: –Nature of “normal” background noise affects signal detection The anomaly detector –To detect anomalous subsequences –Learning phase  n-gram probability table –Unexpected event  anomaly ! –Anomaly threshold decides level of surprise

17 Example of anomaly detection AAA0.12 AAB0.13 ABA0.20 BAA0.17 BBB0.15 BBA0.12 AAC  ANOMALY !

18 Scoring Event outcomes –Hits –Misses –False alarms Threshold –Decides level of surprise –0  completely unsurprising, 1  astonishing –Need to calibrate

19 Presentation of results Presents two aspects: –% correct detections –% false detections Detector operates through a range of sensitivities –Higher sensitivity  ? –Need the right sensitivity

20

21 Interpretation Nothing overlaps  regularity affects detection !

22 What does this mean ? Detection metrics are data dependent Cannot say: –My XYZ product will flag down 75% percent anomalies with 10% false hit rate ! –Sir, are you sure ?

23 Real world data Regularity index for system calls for different users

24 Is this surprising ? What about network traffic ?

25 Conclusions Data Structure Anomaly Detection Effectiveness Evaluation is data dependent

26 Conclusions Change in regularity Different system Or Change the parameters

27 Quirks ? Assumes rather naïve detection systems –“Simple retraining will not suffice” An intelligent detection can take this into account. What is really an anomaly ? –If data is highly irregular, won’t randomness produce some anomalies by itself Anomaly is a relative term –Here anomalies are generated independently

Download ppt "Benchmarking Anomaly-based Detection Systems Ashish Gupta Network Security May 2004."

Similar presentations

Intrusion Detection Systems (I) CS 6262 Fall 02. Definitions Intrusion Intrusion A set of actions aimed to compromise the security goals, namely A set.

Intrusion Detection Systems (I) CS 6262 Fall 02. Definitions Intrusion Intrusion A set of actions aimed to compromise the security goals, namely A set.
Applications of one-class classification

Applications of one-class classification
Signal Detection Theory. The classical psychophysicists believed in fixed thresholds Ideally, one would obtain a step-like change from no detection to.

Signal Detection Theory. The classical psychophysicists believed in fixed thresholds Ideally, one would obtain a step-like change from no detection to.
Learning Rules from System Call Arguments and Sequences for Anomaly Detection Gaurav Tandon and Philip Chan Department of Computer Sciences Florida Institute.

Learning Rules from System Call Arguments and Sequences for Anomaly Detection Gaurav Tandon and Philip Chan Department of Computer Sciences Florida Institute.
Understanding the Variability of Your Data: Dependent Variable.

Understanding the Variability of Your Data: Dependent Variable.
Evaluation of segmentation. Example Reference standard & segmentation.

Evaluation of segmentation. Example Reference standard & segmentation.
© Tan,Steinbach, Kumar Introduction to Data Mining 4/18/2004 1 Other Classification Techniques 1.Nearest Neighbor Classifiers 2.Support Vector Machines.

© Tan,Steinbach, Kumar Introduction to Data Mining 4/18/ Other Classification Techniques 1.Nearest Neighbor Classifiers 2.Support Vector Machines.
10 / 31 Outline Perception workshop groups Signal detection theory Scheduling meetings.

10 / 31 Outline Perception workshop groups Signal detection theory Scheduling meetings.
Review of the Basic Logic of NHST Significance tests are used to accept or reject the null hypothesis. This is done by studying the sampling distribution.

Review of the Basic Logic of NHST Significance tests are used to accept or reject the null hypothesis. This is done by studying the sampling distribution.
ROC Statistics for the Lazy Machine Learner in All of Us Bradley Malin Lecture for COS Lab School of Computer Science Carnegie Mellon University 9/22/2005.

ROC Statistics for the Lazy Machine Learner in All of Us Bradley Malin Lecture for COS Lab School of Computer Science Carnegie Mellon University 9/22/2005.
A Game-theoretic Approach to the Design of Self-Protection and Self-Healing Mechanisms in Autonomic Computing Systems Birendra Mishra Anderson School of.

A Game-theoretic Approach to the Design of Self-Protection and Self-Healing Mechanisms in Autonomic Computing Systems Birendra Mishra Anderson School of.
1 Learning to Detect Objects in Images via a Sparse, Part-Based Representation S. Agarwal, A. Awan and D. Roth IEEE Transactions on Pattern Analysis and.

1 Learning to Detect Objects in Images via a Sparse, Part-Based Representation S. Agarwal, A. Awan and D. Roth IEEE Transactions on Pattern Analysis and.
Cbio course, spring 2005, Hebrew University (Alignment) Score Statistics.

Cbio course, spring 2005, Hebrew University (Alignment) Score Statistics.
Towards a Learning Incident Detection System ICML 06 Workshop on Machine Learning for Surveillance and Event Detection June 29, 2006 Tomas Singliar Joint.

Towards a Learning Incident Detection System ICML 06 Workshop on Machine Learning for Surveillance and Event Detection June 29, 2006 Tomas Singliar Joint.
Benchmarking Anomaly-Based Detection Systems Written by: Roy A. Maxion Kymie M.C.Tan Presented by: Yi Hu.

Benchmarking Anomaly-Based Detection Systems Written by: Roy A. Maxion Kymie M.C.Tan Presented by: Yi Hu.
1 The Expected Performance Curve Samy Bengio, Johnny Mariéthoz, Mikaela Keller MI – 25. oktober 2007 Kresten Toftgaard Andersen.

1 The Expected Performance Curve Samy Bengio, Johnny Mariéthoz, Mikaela Keller MI – 25. oktober 2007 Kresten Toftgaard Andersen.
Contraband Detection and Retesting. The Inspection Problem A sensor is a device used to attempt to determine some truth about an object; we will assume.

Contraband Detection and Retesting. The Inspection Problem A sensor is a device used to attempt to determine some truth about an object; we will assume.
Jacinto C. Nascimento, Member, IEEE, and Jorge S. Marques

Jacinto C. Nascimento, Member, IEEE, and Jorge S. Marques
PSY 307 – Statistics for the Behavioral Sciences

PSY 307 – Statistics for the Behavioral Sciences
CSCI 347 / CS 4206: Data Mining Module 06: Evaluation Topic 07: Cost-Sensitive Measures.

CSCI 347 / CS 4206: Data Mining Module 06: Evaluation Topic 07: Cost-Sensitive Measures.

Similar presentations

Ads by Google