Presentation is loading. Please wait.

Presentation is loading. Please wait.

Jay Stokes, Microsoft Research John Platt, Microsoft Research Joseph Kravis, Microsoft Network Security Michael Shilman, ChatterPop, Inc. ALADIN: Active.

Published byHugh Hubbard Modified over 9 years ago

Similar presentations

Presentation on theme: "Jay Stokes, Microsoft Research John Platt, Microsoft Research Joseph Kravis, Microsoft Network Security Michael Shilman, ChatterPop, Inc. ALADIN: Active."— Presentation transcript:

1 Jay Stokes, Microsoft Research John Platt, Microsoft Research Joseph Kravis, Microsoft Network Security Michael Shilman, ChatterPop, Inc. ALADIN: Active Learning for Statistical Intrusion Detection NIPS Workshop 2007 – Machine Learning in Adversarial Environments for Computer Security12/8/2007

2 Motivation  Metadata of Microsoft’s external internet traffic is logged using ISA Server Firewall  ISA – Internet Security and Acceleration  Up to 35 million log entries per day  Security analysts must search for and identify new anomalies  Looking for new malware, bad PTP, etc.  Can machine learning help? NIPS Workshop 2007 – Machine Learning in Adversarial Environments for Computer Security12/8/2007

3 Active Learning  Human interactively provides labels for new sample  Network traffic metadata logged to SQL  ALADIN evaluates and ranks samples  Security Analyst labels samples  ALADIN reranks samples and repeats NIPS Workshop 2007 – Machine Learning in Adversarial Environments for Computer Security12/8/2007

4 ALADIN  Multiclass classifier for monitoring network traffic  Goal: Minimize analyst labeling time  Weights can be adaptively improved at user’s site 12/8/2007NIPS Workshop 2007 – Machine Learning in Adversarial Environments for Computer Security

5 Choosing Samples for Labeling – Active Anomaly Detection  Label only anomalies (Pelleg, Moore, NIPS04)  Discover rare and interesting classes  Multiclass model  Avoid “Normal” vs. “Not Normal” problem  Leads to high error rates 12/8/2007NIPS Workshop 2007 – Machine Learning in Adversarial Environments for Computer Security

6 Choosing Samples for Labeling – Active Learning  Label only samples closest to the decision boundary (Almgren, Jonsson, CSFW04)  RBF SVM  Ignore samples located away from the decision boundaries  May not find new classes 12/8/2007NIPS Workshop 2007 – Machine Learning in Adversarial Environments for Computer Security

7 ALADIN: Combines Active Anomaly Detection and Active Learning NIPS Workshop 2007 – Machine Learning in Adversarial Environments for Computer Security12/8/2007

8 Classification Stage 12/8/2007NIPS Workshop 2007 – Machine Learning in Adversarial Environments for Computer Security  Discriminative Learning, Logistic Regression  Minimize cross entropy function  Uncertainty Score  Fast computation for interactive labeling  Scales well

9 Modeling Stage 12/8/2007NIPS Workshop 2007 – Machine Learning in Adversarial Environments for Computer Security  naïve Bayes Model  Training Data  labeled data  predicted labels of the unlabeled data  Anomaly Score  Fast computation for interactive labeling  Scales well

10 Network Intrusion Detection Results  KDD-Cup 99 Data Set  Provides Oracle Labels  100K Samples  Use All Features in the Data  Label 10 Initial Samples Randomly  100 Samples Labeled per Iteration NIPS Workshop 2007 – Machine Learning in Adversarial Environments for Computer Security12/8/2007

11 Results – Anomaly Detection 12/8/2007NIPS Workshop 2007 – Machine Learning in Adversarial Environments for Computer Security

12 Results – Prediction Accuracy 12/8/2007NIPS Workshop 2007 – Machine Learning in Adversarial Environments for Computer Security

13 FP/FN Per Class True Label Num Labeled Samples True Predicted Label TP Count Incorrectly Predicted Label FN CountFP RateFN Rate normal551normal55715satan34.12%0.20% guess_passwd10 ipsweep67 back2 neptune57neptune204250.00% smurf82smurf18904normal70.00%0.04% back36back5normal19610.00%99.75% ipsweep58ipsweep675normal270.07%3.85% satan49satan470normal200.00%4.08% portsweep54portsweep223normal10.00%0.45% NIPS Workshop 2007 – Machine Learning in Adversarial Environments for Computer Security12/8/2007

14 Malware Detection on Microsoft Network Logs  Analyzed several daily log files.  Identified “5.exe” on the corporate network which was not previously identified  Trojan.Esteems.D. 5.exe monitors user Internet activity and private information. It sends stolen data to a hacker site.  Identified several other worms (NewApt Worm, Win32.Bropia.T, W32.MyDoom.B), and keyloggers (svchqs.exe)  All of which were currently logged  Some waiting to be labeled  All currently blocked by ISA firewall rules NIPS Workshop 2007 – Machine Learning in Adversarial Environments for Computer Security12/8/2007

15 Conclusions  ALADIN discovers rare and interesting classes  ALADIN maintains low classification error  Scales due to fast learning with logistic regression and naïve Bayes  Identifies network intrusion attacks  Identifies malware via network traffic patterns  Tech Report: http://research.microsoft.com/~jstokeshttp://research.microsoft.com/~jstokes NIPS Workshop 2007 – Machine Learning in Adversarial Environments for Computer Security12/8/2007

16 Jay Stokes, Microsoft Research John Platt, Microsoft Research Joseph Kravis, Microsoft Network Security Michael Shilman, ChatterPop, Inc. ALADIN: Active Learning for Statistical Intrusion Detection NIPS Workshop 2007 – Machine Learning in Adversarial Environments for Computer Security12/8/2007

Download ppt "Jay Stokes, Microsoft Research John Platt, Microsoft Research Joseph Kravis, Microsoft Network Security Michael Shilman, ChatterPop, Inc. ALADIN: Active."

Similar presentations

Pseudo-Relevance Feedback For Multimedia Retrieval By Rong Yan, Alexander G. and Rong Jin Mwangi S. Kariuki 2008-11629.

Pseudo-Relevance Feedback For Multimedia Retrieval By Rong Yan, Alexander G. and Rong Jin Mwangi S. Kariuki
Florida International University COP 4770 Introduction of Weka.

Florida International University COP 4770 Introduction of Weka.
UC Berkeley Online System Problem Detection by Mining Console Logs Wei Xu* Ling Huang † Armando Fox* David Patterson* Michael Jordan* *UC Berkeley † Intel.

UC Berkeley Online System Problem Detection by Mining Console Logs Wei Xu* Ling Huang † Armando Fox* David Patterson* Michael Jordan* *UC Berkeley † Intel.
Indian Statistical Institute Kolkata

Indian Statistical Institute Kolkata
Software Quality Ranking: Bringing Order to Software Modules in Testing Fei Xing Michael R. Lyu Ping Guo.

Software Quality Ranking: Bringing Order to Software Modules in Testing Fei Xing Michael R. Lyu Ping Guo.
Cos 429: Face Detection (Part 2) Viola-Jones and AdaBoost Guest Instructor: Andras Ferencz (Your Regular Instructor: Fei-Fei Li) Thanks to Fei-Fei Li,

Cos 429: Face Detection (Part 2) Viola-Jones and AdaBoost Guest Instructor: Andras Ferencz (Your Regular Instructor: Fei-Fei Li) Thanks to Fei-Fei Li,
Cyber Threat Analysis  Intrusions are actions that attempt to bypass security mechanisms of computer systems  Intrusions are caused by:  Attackers accessing.

Cyber Threat Analysis  Intrusions are actions that attempt to bypass security mechanisms of computer systems  Intrusions are caused by:  Attackers accessing.
Collaborative Filtering in iCAMP Max Welling Professor of Computer Science & Statistics.

Collaborative Filtering in iCAMP Max Welling Professor of Computer Science & Statistics.
 Firewalls and Application Level Gateways (ALGs)  Usually configured to protect from at least two types of attack ▪ Control sites which local users.

 Firewalls and Application Level Gateways (ALGs)  Usually configured to protect from at least two types of attack ▪ Control sites which local users.
Classification and risk prediction

Classification and risk prediction
Intrusion Detection Systems and Practices

Intrusion Detection Systems and Practices
1 Integrating User Feedback Log into Relevance Feedback by Coupled SVM for Content-Based Image Retrieval 9-April, 2005 Steven C. H. Hoi *, Michael R. Lyu.

1 Integrating User Feedback Log into Relevance Feedback by Coupled SVM for Content-Based Image Retrieval 9-April, 2005 Steven C. H. Hoi *, Michael R. Lyu.
Adaboost and its application

Adaboost and its application
Mining Behavior Models Wenke Lee College of Computing Georgia Institute of Technology.

Mining Behavior Models Wenke Lee College of Computing Georgia Institute of Technology.
School of Computer Science and Information Systems

School of Computer Science and Information Systems
Machine Learning as Applied to Intrusion Detection By Christine Fossaceca.

Machine Learning as Applied to Intrusion Detection By Christine Fossaceca.
Review Rong Jin. Comparison of Different Classification Models  The goal of all classifiers Predicating class label y for an input x Estimate p(y|x)

Review Rong Jin. Comparison of Different Classification Models  The goal of all classifiers Predicating class label y for an input x Estimate p(y|x)
Ensemble Learning (2), Tree and Forest

Ensemble Learning (2), Tree and Forest
Learning at Low False Positive Rate Scott Wen-tau Yih Joshua Goodman Learning for Messaging and Adversarial Problems Microsoft Research Geoff Hulten Microsoft.

Learning at Low False Positive Rate Scott Wen-tau Yih Joshua Goodman Learning for Messaging and Adversarial Problems Microsoft Research Geoff Hulten Microsoft.
Anomaly detection Problem motivation Machine Learning.

Anomaly detection Problem motivation Machine Learning.

Similar presentations

Ads by Google