cadcam jf.ppt

Upload: hafiezul-hassan

Post on 14-Apr-2018


TRANSCRIPT

  • 7/27/2019 cadcam jf.ppt

    1/22

    EL 933 Final Project Presentation

    Combining Filtering and Statistical Methods for Anomaly Detection
    Augustin Soule, Kave Salamatian, Nina Taft

    2/22

    3/22

    Overview
    - Introduction: aim and general discussion of the methodology
    - Approach: what tools are used and why; the sequence of the different analyses for anomaly detection
    - Modeling the network; obtaining the residual using filtering; analysis of the residual using all the methods, and comparison of the methods in due course
    - Results (analysis)
    - Conclusion
    - Future work: some ideas about what I like about the paper

    4/22

    Introduction
    Aim: develop an approach for anomaly detection in large-scale networks using the Traffic Matrix (TM).

    The main idea is to predict the normal behavior of the network (the TM approach) and filter the normal traffic out of the actual traffic matrix, which is obtained using more recent measurement data than the data used for the prediction.

    The anomalies in the residual traffic are then examined using the four methods proposed in the paper, two of which are new and two of which are already in use.

    5/22

    Approach
    What is a Traffic Matrix? How is it obtained here (SNMP data)? Which time interval should be considered?

    What kinds of anomalies are in focus, and why only those?

    A few quick examples of such anomalies.

    What is a Kalman filter? What is it used for here?

    What are the four different methods proposed?

    6/22

    Sequencing the different analysis procedures
    SNMP data -> TM -> OD flows -> filter out the normal traffic to get the residual -> anomaly analysis

    What are OD flows, and what is their significance here? They are preferred over direct use of the monitored data captured at the target granularity level.

    What does the anomaly analysis include? The methods used for the analysis, and validation of these methods using actual data and using a synthetic anomaly generator.

    7/22

    Continued..
    Using a network-wide perspective (the TM) for volume anomaly detection is justified, but the amount of data is large and so it has to be scaled.

    By projecting onto a small number of principal components we can filter out the normal traffic. The traffic projecting onto the remaining components is analyzed for anomalies.

    8/22

    Modeling the Network
    Obtain per-link statistics on byte counts (SNMP today).
    Infer the TM that includes all the OD flows (hidden states!).
    Total traffic on a link = sum of all OD flows traversing that link, which can be expressed as: Yt = At * Xt + Vt

    where Yt is the vector of link counts at time t, Xt is the vector of OD flows, Vt corresponds to the measurement errors and At is the routing matrix.

    To capture the dynamics of the OD flows we need a model that specifies Xt+1 in terms of Xt,

    where Ct is the state transition matrix and Wt is the noise that accounts for randomness in the fluctuation of the flows.

    For traffic estimation, get the total byte count per link and then partition it based on the number of OD flows traversing that link. Now when an anomaly occurs on a link, it is possible that the anomaly gets distributed across all OD flows on that link; to avoid that we use Ct as a diagonal matrix.

    9/22

    Continued..
    The assumptions are that Vt and Wt are uncorrelated.

    Now the task is to estimate the (t+1)st instance, Xt+1, and that is done using a Kalman filter. The Kalman filter is a robust filter that estimates the system state process using a 2-step approach that iterates at each time t. Using this we get

    which is the estimate of Xt at time i, where t >= i, and hence the estimates are obtained.
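    As an added example (not code from the slides or the paper), the link-count model above run through a Kalman filter on a constructed 3-link, 2-OD-flow network; the transition Xt+1 = Ct Xt + Wt is written in the linear form the slide's description implies, and the routing matrix, noise covariances, baseline rates and the injected anomaly are all constructed assumptions. The innovation Yt - At X̂ is the residual that the detection methods on the following slides consume.

```python
"""Added example (not from the slides): y_t = A x_t + v_t, x_{t+1} = C x_t + w_t
run through a Kalman filter on a constructed 3-link / 2-OD-flow network."""
import numpy as np

# Constructed routing matrix: OD flow 0 crosses links 0 and 1,
# OD flow 1 crosses links 1 and 2 (link 1 is shared by both flows).
A = np.array([[1.0, 0.0],
              [1.0, 1.0],
              [0.0, 1.0]])
C = np.eye(2)             # diagonal transition, so an anomaly stays on its own OD flow
Q = np.eye(2) * 1.0       # process-noise covariance of w_t (constructed)
R = np.eye(3) * 0.25      # measurement-noise covariance of v_t (constructed)

def kalman_residuals(y, x0):
    """Predict/update over the link-count vectors y[t]; return the innovation
    (observed minus predicted link counts) at each step."""
    x, P = np.asarray(x0, dtype=float), np.eye(len(x0))
    innovations = []
    for yt in y:
        x_pred = C @ x                       # predict the hidden OD flows
        P_pred = C @ P @ C.T + Q
        innov = yt - A @ x_pred              # residual: what the model did not expect
        S = A @ P_pred @ A.T + R
        K = P_pred @ A.T @ np.linalg.inv(S)  # Kalman gain
        x = x_pred + K @ innov               # correct with the new link counts
        P = (np.eye(len(x)) - K @ A) @ P_pred
        innovations.append(innov)
    return np.array(innovations)

def make_link_counts(n=60, anomaly_at=40, extra=30.0):
    """Constructed SNMP-style link byte counts: two slowly varying OD flows,
    deterministic measurement noise, and a volume anomaly injected into OD flow 1."""
    t = np.arange(n)
    x = np.column_stack([100 + 2 * np.sin(0.3 * t), 50 + np.cos(0.2 * t)])
    x[anomaly_at:, 1] += extra
    v = 0.3 * np.sin(1.7 * t)[:, None] * np.array([1.0, -1.0, 0.5])
    return x @ A.T + v

def residual_norms(n=60, anomaly_at=40):
    """Per-step size of the residual vector; the jump at anomaly_at is the signal."""
    y = make_link_counts(n, anomaly_at)
    r = kalman_residuals(y, x0=[100.0, 50.0])
    return np.linalg.norm(r, axis=1)

if __name__ == "__main__":
    norms = residual_norms()
    print("max residual before anomaly:", round(float(norms[5:40].max()), 2))
    print("residual at anomaly onset:  ", round(float(norms[40]), 2))
```

    Only links 1 and 2 carry the injected volume, so the innovation also localizes the anomaly to the OD flow that uses both of them.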

    10/22

    Continued..

    The methods used and their details:
    Method I - based on comparison of the residual traffic to a threshold.

    ADV: it triggers an anomaly very fast, as the test is verified as soon as the Kalman filter processes the new observation.
    DISADV: the test is performed independently of past results.

    This creates a high false positive rate, i.e. it will detect an anomaly based on one observation, which is not the right approach.

    Method II - based on comparison of local and global variance on our filtered residual signal.

    ADV: uses a cumulative summation (CUSUM) approach, which solves the DISADV of the previous method. It is a very powerful method, as it is proved to be the best estimator when the variance and level change are unknown.
    DISADV: it adds some delay to the detection, as it takes some observations after the anomaly to estimate the deviation level.

    11/22

    Continued..
    Method III - based on multi-scale analysis and variance

    ADV: the rationale behind multi-scale analysis is that anomalies should appear at different time scales, and hence by monitoring these multiple scales the false positive rate should be reduced, because a change on one time scale alone will not trigger an alarm (anomaly detected).
    DISADV: a detection lag is involved, as wavelet analysis is involved.

    Method IV - based on multi-scale variance shift
    In this method an alarm is triggered if the ratio between the local and global variance exceeds a threshold. This analysis is based on two scales: one is the scale at which the global variance is calculated and the other is the scale at which the local variance is calculated. Again a detection lag is seen, as wavelet analysis of the signal is performed.
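    As an added example (not the paper's code), three of the detectors described on the last two slides run side by side on one constructed residual series: Method I's per-sample threshold, Method II's cumulative summation test, and Method IV's local-to-global variance ratio (Method III's wavelet decomposition is not reproduced). The thresholds, window sizes and the residual series are constructed assumptions; the series carries a one-sample glitch, a sustained level shift and a variance burst so that each detector's strengths and weaknesses show.

```python
"""Added example (not from the slides): Methods I, II and IV of the deck run on a
constructed Kalman residual series. Thresholds and windows are illustrative."""
import statistics

NOISE = (0.4, -0.4, 0.0, 0.0)          # deterministic zero-mean "measurement noise"

def residual_series(n=160):
    """Constructed residual: noise everywhere, a one-sample glitch at t=20,
    a +3 level shift on [50, 75) and a high-variance burst on [130, n)."""
    r = [NOISE[t % 4] for t in range(n)]
    r[20] += 6.0
    for t in range(50, 75):
        r[t] += 3.0
    for t in range(130, n):
        r[t] += 5.0 if t % 2 == 0 else -5.0
    return r

def method_i(r, thr=4.0):
    """Threshold test: alarm at every sample whose residual magnitude exceeds thr."""
    return [t for t, v in enumerate(r) if abs(v) > thr]

def method_ii(r, drift=1.0, h=7.5):
    """Two-sided CUSUM: accumulate deviation beyond `drift`, alarm when a sum
    crosses `h`, then reset. A lone glitch decays; a sustained shift accumulates."""
    up = down = 0.0
    alarms = []
    for t, v in enumerate(r):
        up = max(0.0, up + v - drift)
        down = max(0.0, down - v - drift)
        if up > h or down > h:
            alarms.append(t)
            up = down = 0.0
    return alarms

def method_iv(r, local=8, glob=40, ratio=3.0):
    """Variance-shift test: alarm when the variance of the last `local` samples
    exceeds `ratio` times the variance of the last `glob` samples."""
    alarms = []
    for t in range(glob, len(r)):
        g = statistics.pvariance(r[t - glob:t])
        loc = statistics.pvariance(r[t - local:t])
        if g > 0 and loc / g > ratio:
            alarms.append(t)
    return alarms

def compare():
    """Return {method: alarm times} for the constructed series."""
    r = residual_series()
    return {"I": method_i(r), "II": method_ii(r), "IV": method_iv(r)}

if __name__ == "__main__":
    for name, alarms in compare().items():
        print(f"Method {name}: {len(alarms)} alarms, first at t={alarms[0] if alarms else None}")
```

    On this series Method I fires on the single glitch at t=20 but never on the level shift, CUSUM first fires at t=53 (a few samples of lag) and ignores the glitch, and the variance-ratio test fires from t=131 on the burst only.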

    12/22

    13/22

    14/22

    Continued..
    Both these approaches will be used in our paper so that we can analyze the methods better. Let's consider the Abilene network for testing.

    It has 11 PoPs. Data is collected from every PoP. This data results in a TM of 121 OD flows.

    Synthetic anomaly generator

    Select either one OD flow or a set of OD flows to add an anomaly to, and then add the anomalies on top of the baseline traffic level for those OD flows.

    An anomaly is characterized by 4 factors: volume, duration, number of OD flows, shape function. (TABLE 1)

    15/22

    16/22

    17/22

    Results

    18/22

    19/22

    20/22

    Detection Time Comparison
    The onset of attacks on the Internet is rapid, so the methods should be fast and have a very short detection time.

    21/22

    Continued..
    The second method detected 90% of anomalies with no lag and the basic method detected 95% of anomalies with no lag. The wavelet method takes about half an hour to detect anomalies and hence is too slow, and it also did not perform well. It is interesting that the vshift method performs better on the synthetic data than on the Abilene network.

    22/22

    Conclusion and what I feel
    Interesting granularity level for anomaly detection, namely that of the TM.
    Estimation and prediction were interesting as we used wavelets.
    The idea of filtering normal traffic to analyze the residual traffic for anomalies was nice.
    Detection schemes were tested well, as it involves the use of both actual data and the synthetic anomaly generator.
    The anomaly generator got close to depicting anomalies like DoS, flash crowds etc., which helped in the validation and evaluation of the four methods well, but then it was not very effective in depicting attacks like worms.
    The wavelet-based method didn't do very well because of the detection time involved.