VIS-SENSE Cluster Meeting
Slide 1
www.vis-sense.eu | No. 257495
Visual Analytic Representation of Large Datasets for Enhancing Network Security
James Davey, Fraunhofer Institute for Computer Graphics Research IGD, Fraunhoferstraße 5, 64283 Darmstadt
Phone +49 6151 155-655 | Fax | [email protected]/igd-a3
Slide 2
VIS-SENSE Organisation
6 partners from 4 countries:
- Fraunhofer IGD (Germany) – Coordinator
- CERTH / ITI (Greece)
- Institut EURECOM (France)
- Institut Telecom (France)
- Symantec Ltd. (Ireland)
- University of Konstanz (Germany)
Topic: Technology and Tools for Trustworthy ICT (2009.1.4)
Grant Agreement: STREP – 257495
Time Frame: 01.10.2010 until 30.09.2013
Budget: 3.32 million euro / 2.35 million euro EU contribution
Slide 3
Root-Cause Analysis
Use Case: Root-Cause Analysis
Overview of the Internet threat landscape
Zooming Out
Slide 4
Overview – Zooming Out
Slide 5
Overview – Zooming Out
Slide 6
Overview – Zooming Out
Slide 7
Overview – Zooming Out
Features in an interactive map:
- Position
- Area
- Street hierarchy
- etc.
Our Features:
- IP addresses
- Server names
- Email addresses
- Keyword sets
- Distributions
- Timestamps
- etc.
Slide 8
Overview – Zooming Out
Features in an interactive map:
- Grouping is easy and unambiguous
Our Features:
- Grouping is difficult
- Grouping is ambiguous
- We need some definition of distance or similarity
Similarity Models
Slide 9
The TRIAGE (1) approach
- Clustering based on Multi-Criteria Decision Analysis (MCDA)
- Automatic grouping of elements likely to share the same root causes
[Diagram: Events → Features (Selection) → Per-feature graph-based representation → Multi-criteria aggregation (data fusion, Σ) → Multi-Dimensional Clusters (MDCs)]
1) Triage (med.): process of prioritizing patients based on the severity of their condition
Slide 10
Definitions
Entities
Features
Slide 11
Similarity – Models for Similarity
Slide 12
Per Feature Similarity Example – Real Numbers
Slide 13
Grouping with respect to different features
Slide 14
Aggregate Similarity Example
Slide 15
An example of a Rogue AV campaign
750 domains registered over a span of 8 months
Features shown: Registration date, /24 network of web server, Domain name, Registrant email
Slide 16
- domain name patterns
- use of whois privacy protection services
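The pipeline on Slide 9 (per-feature similarity, multi-criteria aggregation, multi-dimensional clusters) and the Rogue AV features on Slides 15 and 16 (registration date, web-server /24, domain name pattern, registrant email) can be shown end to end on a small constructed dataset. The block below is an added illustration, not TRIAGE's own code or VIS-SENSE project code: the similarity functions, the weights, the 0.6 threshold, the linear decay model for real-valued features and the domain events are all assumptions made for the example. The slides do not state which aggregation function TRIAGE uses; a weighted sum is used here only as the simplest MCDA aggregation.

```python
"""Toy TRIAGE-style clustering: per-feature similarities, weighted
multi-criteria aggregation, a threshold graph, and its connected
components as multi-dimensional clusters (MDCs). Illustrative only."""
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Event:
    domain: str        # registered domain name
    reg_day: int       # registration date, days since the observation window start
    server_net: str    # /24 network of the hosting web server
    registrant: str    # registrant email from WHOIS


# Constructed sample events (not real campaign data; RFC 5737 address ranges).
EVENTS = [
    Event("bestantivirus2010.com", 0,   "203.0.113.0/24",  "reg1@privacy-proxy.example"),
    Event("bestantivirus2011.com", 3,   "203.0.113.0/24",  "reg1@privacy-proxy.example"),
    Event("bestantivirus2012.net", 5,   "203.0.113.0/24",  "reg1@privacy-proxy.example"),
    Event("bestantivirus2013.org", 10,  "198.51.100.0/24", "reg1@privacy-proxy.example"),
    Event("securepcscan.com",      120, "198.51.100.0/24", "owner@example.org"),
    Event("securepcscan2.com",     125, "198.51.100.0/24", "owner@example.org"),
    Event("randomshoes.com",       60,  "192.0.2.0/24",    "shop@example.com"),
]


def sim_real(a: float, b: float, scale: float) -> float:
    """Assumed model for real-valued features: 1 when equal, decaying
    linearly to 0 once |a - b| reaches `scale`."""
    return max(0.0, 1.0 - abs(a - b) / scale)


def sim_exact(a, b) -> float:
    """Similarity for categorical features: identical or not."""
    return 1.0 if a == b else 0.0


def _trigrams(s: str) -> set:
    return {s[i:i + 3] for i in range(len(s) - 2)}


def sim_domain_pattern(a: str, b: str) -> float:
    """Domain-name pattern similarity (assumed): Jaccard index of character
    trigrams of the second-level label with digits removed, so that
    'foo2010.com' and 'foo2011.net' share the same pattern."""
    la = "".join(c for c in a.split(".")[0] if not c.isdigit())
    lb = "".join(c for c in b.split(".")[0] if not c.isdigit())
    ta, tb = _trigrams(la), _trigrams(lb)
    if not ta or not tb:
        return sim_exact(la, lb)
    return len(ta & tb) / len(ta | tb)


# Criteria with assumed MCDA weights (sum to 1.0).
CRITERIA = [
    ("reg_day",    0.20, lambda x, y: sim_real(x.reg_day, y.reg_day, scale=30)),
    ("server_net", 0.30, lambda x, y: sim_exact(x.server_net, y.server_net)),
    ("domain",     0.25, lambda x, y: sim_domain_pattern(x.domain, y.domain)),
    ("registrant", 0.25, lambda x, y: sim_exact(x.registrant, y.registrant)),
]


def per_feature_similarities(x: Event, y: Event) -> dict:
    """One similarity value per feature; each is a separate graph in TRIAGE terms."""
    return {name: f(x, y) for name, _, f in CRITERIA}


def aggregate_similarity(x: Event, y: Event) -> float:
    """Weighted sum of the per-feature similarities (assumed aggregation)."""
    return sum(w * f(x, y) for _, w, f in CRITERIA)


def multi_dimensional_clusters(events, threshold: float = 0.6):
    """Link every pair whose aggregated similarity reaches the threshold and
    return the connected components (the MDCs), largest first."""
    parent = list(range(len(events)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]  # path halving
            i = parent[i]
        return i

    for i, j in combinations(range(len(events)), 2):
        if aggregate_similarity(events[i], events[j]) >= threshold:
            parent[find(i)] = find(j)
    groups = {}
    for i, ev in enumerate(events):
        groups.setdefault(find(i), []).append(ev.domain)
    return sorted(groups.values(), key=lambda g: (-len(g), g[0]))


if __name__ == "__main__":
    for cluster in multi_dimensional_clusters(EVENTS):
        print(len(cluster), cluster)
```

Note how the fourth "bestantivirus" domain sits in a different /24 from the first three yet still joins their cluster: the shared registrant and name pattern outweigh the hosting mismatch, which is the point of aggregating several features instead of grouping on any single one. Lowering the weight on `server_net` or raising the threshold changes the partition, so the weights and threshold are analyst choices to be documented, not constants.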
Slide 17
Spam Botnets – Inter-relationships
Features: Subject keywords, Spam event, Bot name
Bot names shown: Rustock, Grum, Cutwail, Mega-D, Unclassified
Slide 18
Thanks for Your Attention
James Davey, Fraunhofer IGD, Fraunhoferstraße 5, 64283 Darmstadt
Tel +49 6151 155-655 | Fax | [email protected]/igd-a3