Presentation is loading. Please wait.

Presentation is loading. Please wait.

Multiresolution Semantic Visualization of Network Traffic Alefiya Hussain, Arun Viswanathan USC/Information Sciences Institute Discover PatternsCreate.

Published byColin Griffin Modified over 9 years ago

Similar presentations

Presentation on theme: "Multiresolution Semantic Visualization of Network Traffic Alefiya Hussain, Arun Viswanathan USC/Information Sciences Institute Discover PatternsCreate."— Presentation transcript:

1 Multiresolution Semantic Visualization of Network Traffic Alefiya Hussain, Arun Viswanathan USC/Information Sciences Institute Discover PatternsCreate Models Update kbase

2 Goal: Understand behavior in large volume and variety network traffic Need: 1. Associate meaning to the data; 2. Save discoveries and build upon them Approach: create models in a kbase, systematically explore complex and subtle spatial and temporal patterns

3 Semantically Rich Semantically Devoid

4 Visualization System I: Discover PatternsII: Create Models III: Update kbase Generate Viz Use visualization to find a pattern: an ordered sequence of events Expressive logic- based abstract model captures the relationship between the events Labels all instances of the pattern in the data; creates abstract events to drive next iteration of visual analysis

5 I: Discover a Pattern Sense-making loop Example Attack: A large stream of packets sent from a node in the network Behavior Model Attack Behavior Model Attack Symbol 10.1.11.2 Symbol 10.1.11.2 Meaning Attacker Meaning Attacker Associate MatchRepresents

6 II: Create Models State 1 State n State 1 State 2 State 3State 4State 6 State 5 Behavior 2 Behavior 2 Behavior 1 Behavior 1 Behavior: sequence of states related by causal relationships Model: Collection of behaviors 6 A model is an abstract representation of pattern in the data State: Sequence of events Arun Viswanathan, Alefiya Hussain, Jelena Mirkovic, Stephen Schwab, John Wroclawski, “A Semantic Analysis Framework for Data Analysis of Networked Systems”, USENIX NSDI, April 2011 Model Attack Model Attack 10.1.11.2 Attacker

7 Causal Relationships 7 Logical Operators Temporal Operators Constraints Express rich patterns within data: - ordering - dependence - concurrency Model Attack Model Attack 10.1.11.2 Attacker

8 III: Generate Visualization With Behavior Models Model Attack Model Attack 10.1.11.2 Attacker Webserver Attacker Victim 1.Roles and Relationships are identified 2.Packets are visually encoded to highlight relationships

9 Goal: Understand behavior in large volume and variety network traffic Need: 1. Associate meaning to the data; 2. Save discoveries and build upon them Approach: visualize with create models in a kbase, systematically explore complex and subtle spatial and temporal patterns

10 Large Network: Scale, Volume, Variety

11 Interactive Exploration Spatial Reduction – highly connected networks – significant amount of redundancy in semantically relevant relationships – Connectivity profiles to summarize nodes Temporal Reduction – useful to observe trends or change patterns in network data – aggregating groups of events based on time. – Behavior-based clustering to summarize events

12 Connectivity profiles based on locality Connectivity profiles based on behavior Spatial Reduction + Resolution + HighLow Subnet Reflectors

13 Temporal Reductions Behavior based clustering Example: Visualization of HTTP Connections 1. [header] 2. NAMESPACE = NET.ATTACKS 3. NAME = DNSKAMINSKY 4. QUALIFIER = {eventtype='PACKET_DNS'} 5. IMPORT = NET.APP_PROTO.DNSREQRES 6. [states] 8. AtoV_query = DNSREQRES.dns_req() 10. VtoR_query= DNSREQRES.dns_req(sipaddr=$AtoV_query.dipad dr, dnsquesname=$AtoV_query.dnsquesname) 12.RtoV_resp = DNSREQRES.dns_res($ dnsauth=fakens.fake.com) 14.AtoV_resp = DNSREQRES.dns_res($VtoR_query, dnsauth=realns.eby.com) [limit=*] 16.AtoV_noresp = DNSREQRES.dns_res($VtoR_query, dnsid != $VtoR_query.dnsid) [limit=*] 8.[behavior] 19.initial_query = (AtoV_query ~> VtoR_query) 20.b_1 = initial_query~>RtoV_resp ~> (AtoV_resp | AtoV_noresp) 21.b_2 = initial_query ~> AtoV_noresp ~> RtoV_resp 22.b_3 = initial_query ~> AtoV_resp ~> RtoV_resp Advertisement Images Text 1. [header] 2. NAMESPACE = NET.ATTACKS 3. NAME = DNSKAMINSKY 4. QUALIFIER = {eventtype='PACKET_DNS'} 5. IMPORT = NET.APP_PROTO.DNSREQRES 6. [states] 8. AtoV_query = DNSREQRES.dns_req() 10. VtoR_query= DNSREQRES.dns_req(sipaddr=$AtoV_query.dipaddr, dnsquesname=$AtoV_query.dnsquesname) 12.RtoV_resp = DNSREQRES.dns_res($ dnsauth=fakens.fake.com) 14.AtoV_resp = DNSREQRES.dns_res($VtoR_query, dnsauth=realns.eby.com) [limit=*] 16.AtoV_noresp = DNSREQRES.dns_res($VtoR_query, dnsid != $VtoR_query.dnsid) [limit=*] 8.[behavior] 19.initial_query = (AtoV_query ~> VtoR_query) 20.b_1 = initial_query~>RtoV_resp ~> (AtoV_resp | AtoV_noresp) 21.b_2 = initial_query ~> AtoV_noresp ~> RtoV_resp 22.b_3 = initial_query ~> AtoV_resp ~> RtoV_resp 1. [header] 2. NAMESPACE = NET.ATTACKS 3. NAME = DNSKAMINSKY 4. QUALIFIER = {eventtype='PACKET_DNS'} 5. IMPORT = NET.APP_PROTO.DNSREQRES 6. [states] 8. AtoV_query = DNSREQRES.dns_req() 10. VtoR_query= DNSREQRES.dns_req(sipaddr=$AtoV_que ry.dipaddr, dnsquesname=$AtoV_query.dnsquesnam e) 12.RtoV_resp = DNSREQRES.dns_res($ dnsauth=fakens.fake.com) 14.AtoV_resp = DNSREQRES.dns_res($VtoR_query, dnsauth=realns.eby.com) [limit=*] 16.AtoV_noresp = DNSREQRES.dns_res($VtoR_query, dnsid != $VtoR_query.dnsid) [limit=*] 8.[behavior] 19.initial_query = (AtoV_query ~> VtoR_query) 20.b_1 = initial_query~>RtoV_resp ~> (AtoV_resp | AtoV_noresp) 21.b_2 = initial_query ~> AtoV_noresp ~> RtoV_resp 22.b_3 = initial_query ~> AtoV_resp ~> RtoV_resp 20.b_1 = initial_query~>RtoV_resp ~> (AtoV_resp | Maaria’s Homepage Resolution Low: webpage High: packets Medium: objects

14 Challenges Spatio-temporal reductions – Simultaneous exploration of spatial and temporal behaviors Algorithms for clustering – Knowledge representation and data mining techniques Performance and Scale – Multi-type, multivariate, time-ordered data

15 Future Work Developing a prototype for network data set exploration and demonstration – Interactive and iterative Enrich the kw-base to include a large range of frequently seen patterns Thank you

Download ppt "Multiresolution Semantic Visualization of Network Traffic Alefiya Hussain, Arun Viswanathan USC/Information Sciences Institute Discover PatternsCreate."

Similar presentations

Abstract There is significant need to improve existing techniques for clustering multivariate network traffic flow record and quickly infer underlying.

Abstract There is significant need to improve existing techniques for clustering multivariate network traffic flow record and quickly infer underlying.
Kensington Oracle Edition: Open Discovery Workflow Meets Oracle 10g Professor Yike Guo.

Kensington Oracle Edition: Open Discovery Workflow Meets Oracle 10g Professor Yike Guo.
Copyright © 2002 Cycorp Introduction Fundamental Expression Types Top Level Collections Time and Dates Spatial Properties and Relations Event Types Information.

Copyright © 2002 Cycorp Introduction Fundamental Expression Types Top Level Collections Time and Dates Spatial Properties and Relations Event Types Information.
This work was supported by the TRUST Center (NSF award number CCF-0424422) 1. Setting up experiment on DETER testbed a)Created twelve pc backbone nodes.

This work was supported by the TRUST Center (NSF award number CCF ) 1. Setting up experiment on DETER testbed a)Created twelve pc backbone nodes.
9/15/2008 CTBTO Data Mining/Data Fusion Workshop 1 Spatiotemporal Stream Mining Applied to Seismic+ Data Margaret H. Dunham CSE Department Southern Methodist.

9/15/2008 CTBTO Data Mining/Data Fusion Workshop 1 Spatiotemporal Stream Mining Applied to Seismic+ Data Margaret H. Dunham CSE Department Southern Methodist.
MICHAEL MILFORD, DAVID PRASSER, AND GORDON WYETH FOLAMI ALAMUDUN GRADUATE STUDENT COMPUTER SCIENCE & ENGINEERING TEXAS A&M UNIVERSITY RatSLAM on the Edge:

MICHAEL MILFORD, DAVID PRASSER, AND GORDON WYETH FOLAMI ALAMUDUN GRADUATE STUDENT COMPUTER SCIENCE & ENGINEERING TEXAS A&M UNIVERSITY RatSLAM on the Edge:
Funding Networks Abdullah Sevincer University of Nevada, Reno Department of Computer Science & Engineering.

Funding Networks Abdullah Sevincer University of Nevada, Reno Department of Computer Science & Engineering.
GeoInformatics Discussion Group Betty Salzberg & Peggy Agouris.

GeoInformatics Discussion Group Betty Salzberg & Peggy Agouris.
A Framework for Classifying Denial of Service Attacks Alefiya Hussain, John Heidemann and Christos Papadopoulos presented by Nahur Fonseca NRG, June, 22.

A Framework for Classifying Denial of Service Attacks Alefiya Hussain, John Heidemann and Christos Papadopoulos presented by Nahur Fonseca NRG, June, 22.
Report on Intrusion Detection and Data Fusion By Ganesh Godavari.

Report on Intrusion Detection and Data Fusion By Ganesh Godavari.
Cascading Spatio-Temporal Pattern Discovery P. Mohan, S.Shekhar, J. Shine, J. Rogers CSci 8715 Presented by: Atanu Roy Akash Agrawal.

Cascading Spatio-Temporal Pattern Discovery P. Mohan, S.Shekhar, J. Shine, J. Rogers CSci 8715 Presented by: Atanu Roy Akash Agrawal.
Research on Intelligent Information Systems Himanshu Gupta Michael Kifer Annie Liu C.R. Ramakrishnan I.V. Ramakrishnan Amanda Stent David Warren Anita.

Research on Intelligent Information Systems Himanshu Gupta Michael Kifer Annie Liu C.R. Ramakrishnan I.V. Ramakrishnan Amanda Stent David Warren Anita.
Chapter 10: Stream-based Data Management Title: Design, Implementation, and Evaluation of the Linear Road Benchmark on the Stream Processing Core Authors:

Chapter 10: Stream-based Data Management Title: Design, Implementation, and Evaluation of the Linear Road Benchmark on the Stream Processing Core Authors:
Vulnerabilities of Passive Internet Threat Monitors Yoichi Shinoda Japan Advanced Institute of Science and Technology Ko Ikai National Police Agency, Japan.

Vulnerabilities of Passive Internet Threat Monitors Yoichi Shinoda Japan Advanced Institute of Science and Technology Ko Ikai National Police Agency, Japan.
An Introduction to Software Visualization Dr. Jonathan I. Maletic Software DevelopMent Laboratory Department of Computer Science Kent State University.

An Introduction to Software Visualization Dr. Jonathan I. Maletic Software DevelopMent Laboratory Department of Computer Science Kent State University.
Mobile Photos April 17, 2008. Auto Extraction of Flickr Tags Unstructured text labels Extract structured knowledge Place and event semantics Scale-structure.

Mobile Photos April 17, Auto Extraction of Flickr Tags Unstructured text labels Extract structured knowledge Place and event semantics Scale-structure.
Algorithm: For all e E t, define X e = {w e if e G t, 1 - w e otherwise}. Measure likelihood of substructure S by. Flag S as anomalous if, where is an.

Algorithm: For all e E t, define X e = {w e if e G t, 1 - w e otherwise}. Measure likelihood of substructure S by. Flag S as anomalous if, where is an.
Data mining in large spatiotemporal data sets Dr Amy McGovern Associate Professor, School of Computer Science Adjunct Associate Professor,

Data mining in large spatiotemporal data sets Dr Amy McGovern Associate Professor, School of Computer Science Adjunct Associate Professor,
Data Mining: Concepts & Techniques. Motivation: Necessity is the Mother of Invention Data explosion problem –Automated data collection tools and mature.

Data Mining: Concepts & Techniques. Motivation: Necessity is the Mother of Invention Data explosion problem –Automated data collection tools and mature.
LÊ QU Ố C HUY ID: QLU13069 1. OUTLINE  What is data mining ?  Major issues in data mining 2.

LÊ QU Ố C HUY ID: QLU OUTLINE  What is data mining ?  Major issues in data mining 2.

Similar presentations

Ads by Google