Traffic Anomaly Detection and Attack Recognition
QRATOR Labs
Anomaly Recognition, Qrator Labs
The threat
Network attacks are becoming a major threat to nations, governmental
institutions, critical infrastructures and business organizations. Some
attacks exploit software vulnerabilities to implement denial-of-service
attacks or to damage or steal important data. Others use a large number of
infected machines to implement denial-of-service attacks. In this
presentation we focus on detecting network attacks by detecting anomalies
in network traffic flow data and anomalous behavior of the network
applications. The goal is to detect the beginning of an attack in real time
and to detect when the system has returned to its normal state.
The threat
The network traffic flow data can be represented by a set of network-level
metrics (number of packets for different protocols, inbound and outbound
traffic, etc.) and application-level metrics (such as the response-duration
histogram of a web server). These metrics are collected by the traffic
analyser at a fixed rate. The goal of the state analyzer is to detect anomalous
network and application behavior based on these metrics.
The input data for the analyzer is a statistics matrix that contains one row
for every traffic time slice. Each row contains the network-level and
application-level features, which come from different scales. This matrix is
the input for the intrusion detection process (both the training and the
detection steps).
DARPA: simulated attacks on air base[1]
An example of an IP domain's traffic features over one day and the relations between them (features)
The stochastic process X = {x_1, …, x_n}, where x_i is the vector of all features at time i
The threat
Challenge: How to process an “ocean” of data in order to find abnormal
patterns in it? How to fuse data from different sources (sensors) to find
correlations and anomalies? How to find distances in high-dimensional data?
How can we determine whether a point belongs to a cluster/segment or not?
The goal is to identify points that deviate from the normal behaviour that
resides in the cluster. How do we treat huge high-dimensional data that
changes dynamically and constantly? How can we model high-dimensional data
to find deviations from normal behavior?
Network Intrusion Detection Systems
Electronic intelligence and cyber threat management: generic approach
Theory, efficient algorithms, software and prototypes (integrated system) which
process data in real time to detect anomalies that deviate from normal behavior
Problem setup
Standard approach: Diffusion Maps (DM)
[2] R. R. Coifman, S. Lafon, Diffusion maps, Applied and Computational Harmonic Analysis, 21, 5-30, 2006.
It is easy to see that the map has the following properties:
• The map represents the data in a space of dimension m.
• The map is not linear.
• The distance between the images of two points equals the diffusion
distance, that is, the probability of getting from point x to point y by a
random walk on the graph in time t.
The figure illustrates how effectively “diffusion maps” separate mixed known
clusters. If the generated data is represented as two interlocking rings
(marked in different shades of blue), no linear method is able to separate
them. Nevertheless, a random walk on the graph represented by these rings is
able to separate the classes: the probability that the random walk remains
inside the same ring is greater than the probability of jumping from one ring
to the other.
Diffusion Maps (DM): The problem
Classification: background vs. anomaly?
BAD RESULT
Anomalies are not grouped in clusters
Advanced approach: Homotopy in Temporal Diffusion Maps (DM)
G_{ij} = \exp\left(-\frac{D(x_i, x_j)^2}{\varepsilon_1^2}\right) \cdot \exp\left(-\frac{\left((i - j) \bmod T\right)^2}{\varepsilon_2^2}\right)
(the kernel multiplies a feature-distance term by a time-of-day term; the names of the scale parameters \varepsilon_1, \varepsilon_2 and of the period T are assumed here, as their glyphs did not survive extraction)
Diffusion operator
The diffusion geometry is oriented around a smooth parametric curve. The
curve represents the day-and-night cycle.
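As an added example (not code from the slides or from Qrator Labs), the following Python builds the statistics matrix described above from constructed hourly traffic slices, standardises its columns, and computes the temporal diffusion kernel G_ij with ε₁, ε₂ and the period T assumed to be 1, 2 and 24; it scores each slice by its kernel degree and by the random walk's t-step self-return probability, so an isolated slice, one whose walk stays on itself, is flagged as an anomaly. The time-of-day term uses the circular lag min(lag, T - lag) rather than the raw modulus, a choice made for this example.

```python
"""Temporal diffusion kernel over traffic time slices (added example).

G_ij = exp(-D(x_i,x_j)^2 / eps1^2) * exp(-lag(i,j)^2 / eps2^2)
mixes feature distance with time-of-day distance. Row sums (degrees)
and the t-step self-return probability of the random walk serve as
anomaly scores: an isolated slice keeps its random-walk mass on itself.
"""
import math
from typing import List

Matrix = List[List[float]]

SLICES_PER_DAY = 24  # period T of the day/night cycle (assumed: hourly slices)


def make_sample() -> Matrix:
    """Constructed 3-day sample: [packets/s, inbound Mbit/s, mean response ms].

    Daytime slices carry more traffic than night-time ones; slice 50
    (day 2, 02:00) is an injected anomaly: a packet flood that also
    degrades the web server's response time.
    """
    rows = []
    for day in range(3):
        for hour in range(SLICES_PER_DAY):
            load = 1.0 if 8 <= hour < 20 else 0.3
            jitter = (hour * 7 + day * 3) % 5  # deterministic noise
            rows.append([1000.0 * load + 20 * jitter,
                         80.0 * load + 2 * jitter,
                         120.0 + jitter])
    rows[50] = [5000.0, rows[50][1], 800.0]
    return rows


def zscore(rows: Matrix) -> Matrix:
    """Standardise every column so features on different scales are comparable."""
    n, m = len(rows), len(rows[0])
    means = [sum(r[c] for r in rows) / n for c in range(m)]
    stds = [math.sqrt(sum((r[c] - means[c]) ** 2 for r in rows) / n) or 1.0
            for c in range(m)]
    return [[(r[c] - means[c]) / stds[c] for c in range(m)] for r in rows]


def circular_lag(i: int, j: int, period: int) -> int:
    """Time-of-day distance between slices i and j on a cycle of `period`."""
    lag = (i - j) % period
    return min(lag, period - lag)


def temporal_kernel(z: Matrix, eps1: float, eps2: float, period: int) -> Matrix:
    """G_ij = exp(-||z_i - z_j||^2 / eps1^2) * exp(-lag(i,j)^2 / eps2^2)."""
    n = len(z)
    g = [[0.0] * n for _ in range(n)]
    for i in range(n):
        for j in range(n):
            d2 = sum((a - b) ** 2 for a, b in zip(z[i], z[j]))
            lag = circular_lag(i, j, period)
            g[i][j] = math.exp(-d2 / eps1 ** 2) * math.exp(-lag ** 2 / eps2 ** 2)
    return g


def degrees(g: Matrix) -> List[float]:
    """Kernel row sums: how much similar, time-aligned company each slice has."""
    return [sum(row) for row in g]


def markov_matrix(g: Matrix) -> Matrix:
    """Row-normalise the kernel into the diffusion (random-walk) operator P."""
    return [[v / d for v in row] for row, d in zip(g, degrees(g))]


def matmul(a: Matrix, b: Matrix) -> Matrix:
    n = len(a)
    return [[sum(a[i][k] * b[k][j] for k in range(n)) for j in range(n)]
            for i in range(n)]


def self_return(p: Matrix, t: int) -> List[float]:
    """Probability that a t-step random walk started at slice i is back at i."""
    pt = p
    for _ in range(t - 1):
        pt = matmul(pt, p)
    return [pt[i][i] for i in range(len(p))]


def flag_anomalies(rows: Matrix, eps1: float = 1.0, eps2: float = 2.0,
                   period: int = SLICES_PER_DAY, min_degree: float = 1.5) -> List[int]:
    """Return the slices whose kernel degree falls below `min_degree`."""
    g = temporal_kernel(zscore(rows), eps1, eps2, period)
    return [i for i, d in enumerate(degrees(g)) if d < min_degree]


if __name__ == "__main__":
    data = make_sample()
    g = temporal_kernel(zscore(data), 1.0, 2.0, SLICES_PER_DAY)
    ret = self_return(markov_matrix(g), 2)
    for i in flag_anomalies(data):
        print(f"slice {i}: degree={degrees(g)[i]:.3f} return_prob={ret[i]:.3f}")
```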
Advanced approach: Homotopy in Temporal Diffusion Maps (DM)
Once X is mapped, f is extended from points x in X to points x outside X using
representatives from X (sampling).
Advanced approach: Homotopy in Temporal Diffusion Maps (DM)
Let E_i be the approximating curve and x a point of X. Define the homotopy G(x)
between x and E_i(·(x, E_i)), the point of the curve E_i associated with x.
[the remaining symbols of the formula for G(x) did not survive extraction]
Advanced approach: Alpha-stream process for anomaly detection
Image Processing application of “alpha-stream”: Object segmentation
The features (left) and their representation in DM (right)
                 anomalies   background
anomalies        0.95        0.05
background       0.03        0.97
Table 1: distribution of the “false-positive” and “true-negative” results for
the presented algorithm.

                 anomalies   background
anomalies        0.63        0.37
background       0.29        0.71
Table 2: distribution of the “false-positive” and “true-negative” results for
the projection on PCA.

The+Prospects+of+E-Commerce+in+China.pptx
laozhuseo02
 

Recently uploaded (16)

Latest trends in computer networking.pptx
Latest trends in computer networking.pptxLatest trends in computer networking.pptx
Latest trends in computer networking.pptx
 
test test test test testtest test testtest test testtest test testtest test ...
test test  test test testtest test testtest test testtest test testtest test ...test test  test test testtest test testtest test testtest test testtest test ...
test test test test testtest test testtest test testtest test testtest test ...
 
Output determination SAP S4 HANA SAP SD CC
Output determination SAP S4 HANA SAP SD CCOutput determination SAP S4 HANA SAP SD CC
Output determination SAP S4 HANA SAP SD CC
 
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
 
How to Use Contact Form 7 Like a Pro.pptx
How to Use Contact Form 7 Like a Pro.pptxHow to Use Contact Form 7 Like a Pro.pptx
How to Use Contact Form 7 Like a Pro.pptx
 
1.Wireless Communication System_Wireless communication is a broad term that i...
1.Wireless Communication System_Wireless communication is a broad term that i...1.Wireless Communication System_Wireless communication is a broad term that i...
1.Wireless Communication System_Wireless communication is a broad term that i...
 
Living-in-IT-era-Module-7-Imaging-and-Design-for-Social-Impact.pptx
Living-in-IT-era-Module-7-Imaging-and-Design-for-Social-Impact.pptxLiving-in-IT-era-Module-7-Imaging-and-Design-for-Social-Impact.pptx
Living-in-IT-era-Module-7-Imaging-and-Design-for-Social-Impact.pptx
 
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
 
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
 
BASIC C++ lecture NOTE C++ lecture 3.pptx
BASIC C++ lecture NOTE C++ lecture 3.pptxBASIC C++ lecture NOTE C++ lecture 3.pptx
BASIC C++ lecture NOTE C++ lecture 3.pptx
 
guildmasters guide to ravnica Dungeons & Dragons 5...
guildmasters guide to ravnica Dungeons & Dragons 5...guildmasters guide to ravnica Dungeons & Dragons 5...
guildmasters guide to ravnica Dungeons & Dragons 5...
 
ER(Entity Relationship) Diagram for online shopping - TAE
ER(Entity Relationship) Diagram for online shopping - TAEER(Entity Relationship) Diagram for online shopping - TAE
ER(Entity Relationship) Diagram for online shopping - TAE
 
This 7-second Brain Wave Ritual Attracts Money To You.!
This 7-second Brain Wave Ritual Attracts Money To You.!This 7-second Brain Wave Ritual Attracts Money To You.!
This 7-second Brain Wave Ritual Attracts Money To You.!
 
Multi-cluster Kubernetes Networking- Patterns, Projects and Guidelines
Multi-cluster Kubernetes Networking- Patterns, Projects and GuidelinesMulti-cluster Kubernetes Networking- Patterns, Projects and Guidelines
Multi-cluster Kubernetes Networking- Patterns, Projects and Guidelines
 
History+of+E-commerce+Development+in+China-www.cfye-commerce.shop
History+of+E-commerce+Development+in+China-www.cfye-commerce.shopHistory+of+E-commerce+Development+in+China-www.cfye-commerce.shop
History+of+E-commerce+Development+in+China-www.cfye-commerce.shop
 
The+Prospects+of+E-Commerce+in+China.pptx
The+Prospects+of+E-Commerce+in+China.pptxThe+Prospects+of+E-Commerce+in+China.pptx
The+Prospects+of+E-Commerce+in+China.pptx
 

Traffic anomaly detection and attack

  • 1. Traffic Anomaly Detection and Attack Recognition QRATOR Labs
  • 6. Network Intrusion Detection Systems
  • 7. Electronic intelligence and cyber threat management: generic approach. Theory, efficient algorithms, software and prototypes (an integrated system) that process data in real time to detect anomalies deviating from normal behavior.
  • 8. DARPA: simulated attacks on an air base [1]
  • 9. DARPA: simulated attacks on an air base [1]
  • 10. Problem setup
  • 11. Standard approach: Diffusion Maps (DM)
  • 12. Standard approach: Diffusion Maps (DM). [2] R. R. Coifman, S. Lafon, Diffusion maps, Applied and Computational Harmonic Analysis, 21, 5-30, 2006.
  • 13. Standard approach: Diffusion Maps (DM). It is easy to see that the map has the following properties:
      • The map represents the data in a space of dimension m.
      • The map is not linear.
      • The Euclidean distance between the images of two points equals their diffusion distance, which is defined through the probability of getting from point x to point y by a random walk on the graph in time t.
  • 14. Standard approach: Diffusion Maps (DM). The figure illustrates how diffusion maps separate two mixed but known clusters. If the generated data form two interlocking rings (drawn in different shades of blue), no linear method can divide them. A random walk on the graph built from these rings can, however, separate the classes: the probability of staying inside the same ring during the random walk is greater than the probability of jumping from one ring to the other.
  • 15. Diffusion Maps (DM): The problem. Classification: background and anomaly?
  • 16. Diffusion Maps (DM): The problem. BAD RESULT
  • 17. Diffusion Maps (DM): The problem. Anomalies are not grouped in clusters.
  • 18. Advanced approach: Homotopy in Temporal Diffusion Maps (DM). Diffusion operator: $G_{ij} = e^{-D(x_i,x_j)^2/\varepsilon_1^2}\, e^{-((i-j) \bmod P)^2/\varepsilon_2^2}$, reconstructed from the garbled slide formula: the two scale parameters and the modulus P (the period of the curve) did not survive extraction and are written here in standard diffusion-map notation. The diffusion geometry is oriented around a smooth parametric curve; the curve represents day and night.
  • 19. Advanced approach: Homotopy in Temporal Diffusion Maps (DM). Once X is mapped: extension of f from $x \in X$ to $x \notin X$, using representatives from X (sampling).
  • 20-21. Advanced approach: Homotopy in Temporal Diffusion Maps (DM). Let $E_i$ be an approximating curve and $x \in X$. Define the homotopy $G(x) = \dfrac{\sum_i w(x, E_i(x))\, E_i(x)}{\sum_i w(x, E_i(x))}$ (reconstructed from the garbled slide; the symbol of the weight function, written here as $w$, was lost in extraction; slides 20 and 21 carry the same text).
  • 22. Advanced approach: Alpha-stream process for anomaly detection
  • 23. Advanced approach: Alpha-stream process for anomaly detection
  • 24. Advanced approach: Alpha-stream process for anomaly detection. Image processing application of "alpha-stream": object segmentation.
  • 26. The features (left) and their representation in DM (right)
  • 28. The features (left) and their representation in DM (right)
  • 30. Table 1: distribution of the "false-positive" and "true-negative" for the result of the presented algorithm.
                      anomalies   background
          anomalies     0,95        0,05
          background    0,03        0,97
        Table 2: distribution of the "false-positive" and "true-negative" for the result of projection on PCA.
                      anomalies   background
          anomalies     0,63        0,37
          background    0,29        0,71
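Added example, not code from the slides or from Qrator Labs, covering slides 14 and 18. The first part builds the diffusion map of slide 14 in pure Python: a Gaussian affinity graph on two interlocking rings, the random-walk operator P = D^-1 K, and its first non-trivial eigenvector (found by power iteration on the symmetric conjugate of P), whose sign recovers the two rings. The second part applies the temporal kernel of slide 18 to a constructed week of hourly request counts in which one 03:00 slice carries noon-level traffic: with the plain feature kernel that slice has as many neighbours as any noon slice, so it is not an anomaly in feature space at all; once the cyclic time-of-day term enters the kernel it has no neighbours and stands out. The anomaly score used here is the node degree (total kernel weight), which is an assumption standing in for the alpha-stream process of the later slides; the scales eps, eps_f and eps_t, the 24-hour period, the sample data and the median-ratio flagging rule are all assumptions of this example.

```python
import math
import random

HOURS = 24                 # period of the day/night curve (assumed)

def gaussian_kernel(points, eps):
    """Affinity G_ij = exp(-||x_i - x_j||^2 / eps): the random-walk weights."""
    def sq(p, q):
        return sum((u - v) ** 2 for u, v in zip(p, q))
    return [[math.exp(-sq(p, q) / eps) for q in points] for p in points]

def diffusion_coordinate(K, iters=600, seed=1):
    """First non-trivial diffusion coordinate psi_1 of P = D^-1 K, by power
    iteration on S = D^-1/2 K D^-1/2 (same spectrum as P) with the trivial
    eigenvector sqrt(d) projected out; returns (lambda_1, psi_1)."""
    n = len(K)
    sqd = [math.sqrt(sum(row)) for row in K]
    S = [[K[i][j] / (sqd[i] * sqd[j]) for j in range(n)] for i in range(n)]
    norm = math.sqrt(sum(x * x for x in sqd))
    phi0 = [x / norm for x in sqd]                 # S phi0 = phi0
    rng = random.Random(seed)
    v = [rng.uniform(-1.0, 1.0) for _ in range(n)]
    for _ in range(iters):
        c = sum(a * b for a, b in zip(v, phi0))
        v = [a - c * b for a, b in zip(v, phi0)]   # deflate the trivial mode
        w = [sum(S[i][j] * v[j] for j in range(n)) for i in range(n)]
        nw = math.sqrt(sum(x * x for x in w))
        v = [x / nw for x in w]
    w = [sum(S[i][j] * v[j] for j in range(n)) for i in range(n)]
    lam = sum(a * b for a, b in zip(v, w))         # Rayleigh quotient
    return lam, [x / s for x, s in zip(v, sqd)]    # psi = D^-1/2 phi

def two_rings(m=24):
    """Constructed data: ring A in the xy-plane around the origin, ring B in
    the xz-plane around (1, 0, 0), so B threads through A; m points each."""
    t = [2 * math.pi * k / m for k in range(m)]
    a = [(math.cos(s), math.sin(s), 0.0) for s in t]
    b = [(1.0 + math.cos(s), 0.0, math.sin(s)) for s in t]
    return a + b, [0] * m + [1] * m

def ring_recovery(m=24, eps=0.15):
    """(lambda_1, fraction of points whose sign of psi_1 matches their ring)."""
    pts, labels = two_rings(m)
    lam, psi = diffusion_coordinate(gaussian_kernel(pts, eps))
    pred = [0 if x >= 0 else 1 for x in psi]
    agree = sum(p == l for p, l in zip(pred, labels))
    return lam, max(agree, len(pts) - agree) / len(pts)   # sign is arbitrary

def daily_traffic(days=7, anomaly=(5, 3)):
    """Constructed hourly request counts: smooth day/night curve (about 200
    at 00:00, 1800 at 12:00) plus a small deterministic ripple; the slice at
    (day, hour) = anomaly gets noon-level traffic at 03:00."""
    xs = [1000.0 + 800.0 * math.sin(math.pi * (h - 6) / 12.0)
          + 40.0 * math.sin(2.1 * d + 0.7 * h)
          for d in range(days) for h in range(HOURS)]
    xs[anomaly[0] * HOURS + anomaly[1]] = 1800.0
    return xs

def temporal_degree(xs, eps_f, eps_t=None):
    """d_i = sum_{j != i} G_ij with G_ij = exp(-(x_i-x_j)^2/eps_f) times, when
    eps_t is given, exp(-delta^2/eps_t), delta being the cyclic hour distance
    (the slide's (i - j) mod period term). Low degree means no neighbours."""
    deg = []
    for i, xi in enumerate(xs):
        s = 0.0
        for j, xj in enumerate(xs):
            if i == j:
                continue
            w = math.exp(-(xi - xj) ** 2 / eps_f)
            if eps_t is not None:
                m = abs(i - j) % HOURS
                delta = min(m, HOURS - m)          # 23:00 and 01:00 are 2 h apart
                w *= math.exp(-delta * delta / eps_t)
            s += w
        deg.append(s)
    return deg

def flag_low_degree(deg, ratio=0.1):
    """Indices whose degree is below ratio x median degree (assumed rule)."""
    median = sorted(deg)[len(deg) // 2]
    return [i for i, d in enumerate(deg) if d < ratio * median]

def compare_kernels(days=7, anomaly=(5, 3), eps_f=150.0 ** 2, eps_t=1.5 ** 2):
    """(flags from the plain feature kernel, flags from the temporal kernel)."""
    xs = daily_traffic(days, anomaly)
    return (flag_low_degree(temporal_degree(xs, eps_f)),
            flag_low_degree(temporal_degree(xs, eps_f, eps_t)))

if __name__ == "__main__":
    lam, acc = ring_recovery()
    print(f"rings: lambda_1={lam:.4f}, recovered={acc:.2f}")
    plain, temporal = compare_kernels()
    print("plain kernel flags", plain, "/ temporal kernel flags", temporal)
```

The eigenvalue returned for the rings is close to 1 because the cross-ring weights are tiny at this scale, which is exactly why the sign of psi_1 splits the graph along the rings rather than along any axis; the degree-based score is a deliberately simple stand-in for slides 22 to 24 and only illustrates what the temporal term buys.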