Presentation is loading. Please wait.

Presentation is loading. Please wait.

Structural Mining of Large-Scale Behavioral Data from the Internet Thesis Defense Mark Meiss April 30, 2010.

Published byRoxanne Cole Modified over 8 years ago

Similar presentations

Presentation on theme: "Structural Mining of Large-Scale Behavioral Data from the Internet Thesis Defense Mark Meiss April 30, 2010."— Presentation transcript:

1 Structural Mining of Large-Scale Behavioral Data from the Internet Thesis Defense Mark Meiss April 30, 2010

2 The Internet in 1969

3 The Internet in 2010

4

5

6

7

8

9

10 WWW Bittorrent email FTP SSH Skype IRC Gnutella Botnets Shoutcast Flash WinMX DirectConnect NFS ConnectGateway eDonkey World of Warcraft Back Doors SQL Server Nintendo WFC Battlenet Steam Tsunami USENET

11 1,800,000,000 users

12 Key Questions Can we make meaningful inferences about user behavior with available sources of data? What implications do patterns of network behavior have for its design and structure? How can behavioral data be used to understand users and improve network applications?

13 “how it acts” > “what it is”

14 Patterns > Payloads

15 Practicality

16 Privacy

17 Roadmap Background Network flow analysis Web click analysis Conclusions

18 Roadmap Background Network flow analysis Web click analysis Conclusions

19 Weighted digraph

20 Degree and strength

21 Distributions We can calculate probability density functions for degree, strength, etc. –Area under curve is 1 –Can calculate likelihood of a node being in some interval Shown here is an example of a very wide- tailed distribution –Best approximated by power law

22 Scaling relations We can also investigate how these distributions are correlated Shown here is a degree vs. strength plot.

23 Other network properties Spectral analysis: Looking at the eigen{values,vectors} of the connectivity matrix. Clustering: Looking at the density of connections among neighbors of a node. Assortativity: Looking at whether high- degree nodes connect to other high- degree nodes.

24 Roadmap Background Network flow analysis Web click analysis Conclusions

25 The Internet2/Abilene Network TCP/IP network connecting research and educational institutions in the U.S. –Over 200 universities and corporate research labs Also provides transit service between Pacific Rim and European networks

26 Why study Abilene? Wide-area network that includes both domestic and international traffic Heterogeneous user base including hundreds of thousands of undergraduates High capacity network (10-Gbps fiber-optic links) that has never been congested Research partnership gives access to (anonymized) traffic data unavailable from commercial networks Variety of traffic to both academic and commercial hosts

27 Introducing the “flow” Web

28 Introducing the “flow” Web

29 Flow collection Flows are exported in Cisco’s netflow-v5 format and anonymized before being written to disk.

30 Data dimensions In a typical day: –Over 200 terabytes of data exchanged –Almost 1 billion flow records –Over 40 gigabytes on disk –Over 20 million unique hosts involved

31 What can you do with a flow? Standard answer: –Treat a flow as a record in a relational database Who talked to port 1337? What proportion of our traffic is on port 80? Who is scanning for vulnerable systems? Which hosts are infected with this worm?

32 What can you do with a flow? Graph-centric approach: –Treat a flow as a directed, weighted edge

33 Multiple digraphs Other Web P2P

34

35

36

37

38

39

40 Where do flows come from? Architectural features of Internet routers allow them to export flow data Routers can’t summarize all the data –Packets are sampled to construct the flows –Typical sampling rate is around 1:100

41

42 p(packet | 1 router) p(packet | 3 routers) p(flow | n packets)

43 Distribution Recovery Try to recover a power law, exponent = 2. Send to each of 10 hosts: 256 10-packet flows 128 20-packet flows 64 40-packet flows (etc.)

44

45 Increase number of flows by factor of 10

46 Increase duration of flows by factor of 10

47 Results Nonlinear chance of flow detection. Very small flows lead to an overestimate of the exponent. With large flows, a range of exponents can be recovered reliably. Aggregation is necessary for accurate results.

48 Roadmap Background Network flow analysis Web click analysis Conclusions

49 Source of Click Data ~100 K users

50 Source MAC: 03:5a:66:17:90:5e Dest. MAC: 10:99:19:3f:51:2f Source IP: 192.168.39.190 Dest. IP: 127.100.251.3 Source Port: 9421 Dest. Port: 80 GET /index.html HTTP/1.1 Agent: SuperCrawler-2009/beta Referer: http://www.grumpy-puppy.com/ Host: www.happy-kitty.com Web Requests

51 Source MAC: 03:5a:66:17:90:5e Dest. MAC: 10:99:19:3f:51:2f Source IP: 192.168.39.190 Dest. IP: 127.100.251.3 Source Port: 9421 Dest. Port: 80 GET /index.html HTTP/1.1 Agent: SuperCrawler-2009/beta Referer: http://www.grumpy-puppy.com/ Host: www.happy-kitty.com Web Requests We have a Web request

52 Source MAC: 03:5a:66:17:90:5e Dest. MAC: 10:99:19:3f:51:2f Source IP: 192.168.39.190 Dest. IP: 127.100.251.3 Source Port: 9421 Dest. Port: 80 GET /index.html HTTP/1.1 Agent: SuperCrawler-2009/beta Referer: http://www.grumpy-puppy.com/ Host: www.happy-kitty.com Web Requests from this client

53 Source MAC: 03:5a:66:17:90:5e Dest. MAC: 10:99:19:3f:51:2f Source IP: 192.168.39.190 Dest. IP: 127.100.251.3 Source Port: 9421 Dest. Port: 80 GET /index.html HTTP/1.1 Agent: SuperCrawler-2009/beta Referer: http://www.grumpy-puppy.com/ Host: www.happy-kitty.com Web Requests going from this URL

54 Source MAC: 03:5a:66:17:90:5e Dest. MAC: 10:99:19:3f:51:2f Source IP: 192.168.39.190 Dest. IP: 127.100.251.3 Source Port: 9421 Dest. Port: 80 GET /index.html HTTP/1.1 Agent: SuperCrawler-2009/beta Referer: http://www.grumpy-puppy.com/ Host: www.happy-kitty.com Web Requests to this one

55 Source MAC: 03:5a:66:17:90:5e Dest. MAC: 10:99:19:3f:51:2f Source IP: 192.168.39.190 Dest. IP: 127.100.251.3 Source Port: 9421 Dest. Port: 80 GET /index.html HTTP/1.1 Agent: SuperCrawler-2009/beta Referer: http://www.grumpy-puppy.com/ Host: www.happy-kitty.com Web Requests using this agent

56 Click Collection

57

58 Structural properties: Degree (Link Count)

59 Structural properties: Strength (Site Traffic)

60 Evaluation of PageRank PR is a stationary distribution of visit frequency by a modified random walk Compare with actual site traffic (in-strength) From an application perspective, we care about the resulting ranking of sites

61 PageRank Assumptions 1. Equal probability of following each link from any given node 2. Equal probability of teleporting to each of the nodes 3. Equal probability of teleporting from each of the nodes

62 #1: Kendall’s Rank Correlation

63 Local Link Heterogeneity perfect concentration perfect homogeneity HH Index of concentration or disparity

64 #2: Teleportation Target Heterogeneity

65 #3: Teleportation Source Heterogeneity (“hubness”) s out < s in teleport sources browsing sinks -2 s out > s in popular hubs

66 Click data with retention of user identity

67 Popularity is unbounded!

68 Session properties depend on timeout.

69 Where’s the “sweet spot” ?

70 All users are abnormal.

71

72 Timeout dependence is much weaker.

73

74

75

76 Page Traffic Empty Referrer Traffic

77 Link Traffic Entropy

78 Session Size Session Depth

79

80 Roadmap Background Network flow analysis Web click analysis Conclusions

81 Internet behavior is characterized by extreme heterogeneity.

82 Conclusions Behavioral analysis offers advantages over packet inspection.

83 Conclusions We observe heterogeneity because users are idiosyncratic, not pathologically eclectic.

84 Future Directions Relationship between traffic & substrate Community detection Characterization of links Validation of HITS Time-series analysis

85 THANKS! Filippo Menczer Alessandro Vespigani Katy Börner Minaxi Gupta Kay Connelly Steven Wallace Gregory Travis David Ripley Edward Balas Camillo Viecco Jean Camp J. Duncan Alessandro Flammini Santo Fortunato Bruno Gonçalves José Ramasco Damon Beals Dave Hershberger John Stigall Heather Roinestad

86 Questions & Comments

Download ppt "Structural Mining of Large-Scale Behavioral Data from the Internet Thesis Defense Mark Meiss April 30, 2010."

Similar presentations

Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.

Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.
Web Usage Mining Web Usage Mining (Clickstream Analysis) Mark Levene (Follow the links to learn more!)

Web Usage Mining Web Usage Mining (Clickstream Analysis) Mark Levene (Follow the links to learn more!)
Peer-to-Peer and Social Networks An overview of Gnutella.

Peer-to-Peer and Social Networks An overview of Gnutella.
A Survey of Botnet Size Measurement PRESENTED: KAI-HSIANG YANG ( 楊凱翔 ) DATE: 2013/11/04 1/24.

A Survey of Botnet Size Measurement PRESENTED: KAI-HSIANG YANG ( 楊凱翔 ) DATE: 2013/11/04 1/24.
Power Laws By Cameron Megaw 3/11/2013. What is a Power Law?

Power Laws By Cameron Megaw 3/11/2013. What is a Power Law?
Analysis and Modeling of Social Networks Foudalis Ilias.

Analysis and Modeling of Social Networks Foudalis Ilias.
Predicting Tor Path Compromise by Exit Port IEEE WIDA 2009December 16, 2009 Kevin Bauer, Dirk Grunwald, and Douglas Sicker University of Colorado Client.

Predicting Tor Path Compromise by Exit Port IEEE WIDA 2009December 16, 2009 Kevin Bauer, Dirk Grunwald, and Douglas Sicker University of Colorado Client.
An Analysis of Sampling Effects on Graph Structures Derived from Network Flow Data Mark Meiss Advanced Network Management Laboratory Indiana University.

An Analysis of Sampling Effects on Graph Structures Derived from Network Flow Data Mark Meiss Advanced Network Management Laboratory Indiana University.
Ranking Web Sites with Real User Traffic Mark Meiss Filippo Menczer Santo Fortunato Alessandro Flammini Alessandro Vespignani Web Search and Data Mining.

Ranking Web Sites with Real User Traffic Mark Meiss Filippo Menczer Santo Fortunato Alessandro Flammini Alessandro Vespignani Web Search and Data Mining.
Worm Origin Identification Using Random Moonwalks Yinglian Xie, V. Sekar, D. A. Maltz, M. K. Reiter, Hui Zhang 2005 IEEE Symposium on Security and Privacy.

Worm Origin Identification Using Random Moonwalks Yinglian Xie, V. Sekar, D. A. Maltz, M. K. Reiter, Hui Zhang 2005 IEEE Symposium on Security and Privacy.
Empirical Investigations of WWW Surfing Paths Jim Pitkow User Interface Research Xerox Palo Alto Research Center.

Empirical Investigations of WWW Surfing Paths Jim Pitkow User Interface Research Xerox Palo Alto Research Center.
Using Structure Indices for Efficient Approximation of Network Properties Matthew J. Rattigan, Marc Maier, and David Jensen University of Massachusetts.

Using Structure Indices for Efficient Approximation of Network Properties Matthew J. Rattigan, Marc Maier, and David Jensen University of Massachusetts.
Web Caching Schemes1 A Survey of Web Caching Schemes for the Internet Jia Wang.

Web Caching Schemes1 A Survey of Web Caching Schemes for the Internet Jia Wang.
EEC-484/584 Computer Networks Discussion Session for HTTP and DNS Wenbing Zhao

EEC-484/584 Computer Networks Discussion Session for HTTP and DNS Wenbing Zhao
Sampling from Large Graphs. Motivation Our purpose is to analyze and model social networks –An online social network graph is composed of millions of.

Sampling from Large Graphs. Motivation Our purpose is to analyze and model social networks –An online social network graph is composed of millions of.
Detecting Fraudulent Clicks From BotNets 2.0 Adam Barth Joint work with Dan Boneh, Andrew Bortz, Collin Jackson, John Mitchell, Weidong Shao, and Elizabeth.

Detecting Fraudulent Clicks From BotNets 2.0 Adam Barth Joint work with Dan Boneh, Andrew Bortz, Collin Jackson, John Mitchell, Weidong Shao, and Elizabeth.
Network Traffic Measurement and Modeling CSCI 780, Fall 2005.

Network Traffic Measurement and Modeling CSCI 780, Fall 2005.
On Power-Law Relationships of the Internet Topology CSCI 780, Fall 2005.

On Power-Law Relationships of the Internet Topology CSCI 780, Fall 2005.
Introduction to client/server architecture

Introduction to client/server architecture
Internet Basics.

Internet Basics.

Similar presentations

Ads by Google