Upload
others
View
14
Download
0
Embed Size (px)
Citation preview
Temporal Multi-View Inconsistency Detection for Network Traffic Analysis
WWW’15 Florence, Italy
Houping Xiao1, Jing Gao1,
Deepak Turaga2, Long Vu2, and Alain Biem2
1Department of Computer Science and Engineering, University at Buffalo;2 IBM T.J. Watson Research Center
1
• Motivation
• Challenges
• Proposed Framework• Temporal Multi-View Inconsistency Detection (TMVID)
• Experiments
• Conclusions
Outline
2
Motivation
• Multiple views information• Network traffic data typically involve multiple views
• Example: Network traffic data can be collected through different protocols, such as TCP, UDP, and ICMP
• Question?• Which host has suspicious behavior?
• Our solution• Calculate the degree of receiving inconsistent
information across multiple views
• Higher degree of inconsistency – More suspicious
3
How to Find Inconsistent Behavior
• Single view approach• Apply many anomaly detector algorithms on each view of
the data and then compare the detector scores
• However, the detector scores may be noisy and fail to consider the intrinsic relationship between different views
• Analyze the behavior of host across multiple views
4
• First apply existing anomaly detection algorithm• Convert data from different views into comparable features and
discard noisy information• However, after the application of anomaly detectors on each
view, it is still challenging to compare anomaly detector outputs from different views
5
Raw detector scores from network traffic flow on 4 views
Host ID
De
tect
or
Sco
reOur Solution
Our Solution
• Project multi-view data into a new space where inconsistent and consistent hosts can be well separated
• Identify detector clusters and compare at the cluster level• In each source, detectors can be partitioned into clusters
so that detectors in the same cluster share similar behavior patterns on hosts across multiple views
• The behavior of the underlying detector cluster should be consistent across multiple views
6
Temporal Behavior
• Observations• Behavior of hosts evolves over time
• The temporal patterns of hosts’ behavior must be taken into consideration when finding inconsistency
• Example: a host with a very high volume of network traffic is normal on weekdays, while it’s suspicious on weekends
• Solution• In each view, timestamps will be partitioned into clusters
• Temporal behavior over timestamp clusters should be consistent across multiple views
7
Proposed Framework
8
host
hostdete
ctor
dete
ctor
𝑽𝒊𝒆𝒘𝟏
𝑽𝒊𝒆𝒘𝟐
𝑽𝒊𝒆𝒘𝒋
𝑽𝒊𝒆𝒘𝑴
𝑽𝒊𝒆𝒘𝑴−𝟏
𝑫𝒆𝒕𝒆𝒄𝒕𝒐𝒓𝑵−𝟏
Component 1Anomaly Detector System
Temporal Multi-View Inconsistency Detection (TMVID )
𝑫𝒆𝒕𝒆𝒄𝒕𝒐𝒓𝑵
𝑫𝒆𝒕𝒆𝒄𝒕𝒐𝒓𝟐
𝑫𝒆𝒕𝒆𝒄𝒕𝒐𝒓𝟏
𝑫𝒆𝒕𝒆𝒄𝒕𝒐𝒓𝒋
Observed tensor
Proposed Framework
9
Component 2Joint Probabilistic Tensor Factorization
host
hostdete
ctor
dete
ctor
𝑽𝒊𝒆𝒘𝟏
𝑽𝒊𝒆𝒘𝟐
𝑽𝒊𝒆𝒘𝒋
𝑽𝒊𝒆𝒘𝑴
𝑽𝒊𝒆𝒘𝑴−𝟏
𝑫𝒆𝒕𝒆𝒄𝒕𝒐𝒓𝑵−𝟏
Component 1Anomaly Detector System
Temporal Multi-View Inconsistency Detection (TMVID )
𝑫𝒆𝒕𝒆𝒄𝒕𝒐𝒓𝑵
𝑫𝒆𝒕𝒆𝒄𝒕𝒐𝒓𝟐
𝑫𝒆𝒕𝒆𝒄𝒕𝒐𝒓𝟏
𝑫𝒆𝒕𝒆𝒄𝒕𝒐𝒓𝒋
Detector cluster assignment matrixObserved tensor
Identity matrixLatent tensor
Timestamps cluster assignment matrix
Proposed Framework
10
Inconsistency Score
Component 3Inconsistency Score
Computation
Component 2Joint Probabilistic Tensor Factorization
host
hostdete
ctor
dete
ctor
𝑽𝒊𝒆𝒘𝟏
𝑽𝒊𝒆𝒘𝟐
𝑽𝒊𝒆𝒘𝒋
𝑽𝒊𝒆𝒘𝑴
𝑽𝒊𝒆𝒘𝑴−𝟏
𝑫𝒆𝒕𝒆𝒄𝒕𝒐𝒓𝑵−𝟏
Component 1Anomaly Detector System
Temporal Multi-View Inconsistency Detection (TMVID )
InconsistentHosts
+
𝑫𝒆𝒕𝒆𝒄𝒕𝒐𝒓𝑵
𝑫𝒆𝒕𝒆𝒄𝒕𝒐𝒓𝟐
𝑫𝒆𝒕𝒆𝒄𝒕𝒐𝒓𝟏
𝑫𝒆𝒕𝒆𝒄𝒕𝒐𝒓𝒋
Latent tensor
Joint Probabilistic Tensor Factorization
11
• is the latent tensor. Each entry stands for the detector score at the u-th detector cluster and w-th timestamp cluster for v-th host
• is the d-th projection matrix, which constructs the multi-linear mapping between the observed detector tensors and the latent tensors
• is the residue tensor. Each entry is assumed to follow a Gaussian distribution
Joint Probabilistic Tensor Factorization
12
• Parameter set:
• The log-likelihood of given observed tensors:
Joint Probabilistic Tensor Factorization
13
• Assumptions:• The behavior of anomaly detectors should be similar
across different views• The behavior of hosts on timestamp should be
similar across different views• Based on these assumptions, we introduce the penalized
log-likelihood function:
Where
Joint Probabilistic Tensor Factorization
14
• Goal:
Constraints: Projection matrices should be similar across views
Factorization error
Inconsistency Score Computation
• Inconsistency Score
𝒌𝒌 𝒌 𝒌⋯ ⋯
𝑪
𝑫
𝑪 𝑪𝑪
𝑫 𝑫𝑫
15
Experiment Set-up
• Datasets:• Synthetic datasets
• Two Real-world datasets• Collected from IBM enterprise networks
• Network Traffic Flow Data
• Domain Name System Data
16
Table 2: F-Measure Comparison
Effectiveness Comparison
Vote/
mean
Vote/
min
Vote/
maxMean Min Max NMF TMVID
Synth-1 .81 .85 .80 .10 .15 .10 .80 1.0
Synth-2 .86 .92 .85 .20 .21 .20 .82 1.0
Synth-3 .90 .95 .85 .25 .30 .28 .87 1.0
17
# detectors # hosts # timestamps # views
Synth-1 50 1000 200 3
Synth-2 50 2000 300 10
Synth-3 100 5000 500 50
Table 1: Statistics of Synthetic Data sets
Results: For the F-Measure, the higher, the better. It’s seen from the table that the proposed TMVID can achieve highest F-measure.
Scalability V.S. # Hosts
18
TMVID
# Hosts Time(s)
1.0 × 102 1.3
1.0 × 103 10.5
5.0 × 103 50.8
1.0 × 104 107.8
5.0 × 104 533.4
1.0 × 105 1107.5
Pearson Correlation 0.9998
Results: The scalability of the proposed algorithm is almost linear with respect to the number of hosts
Scalability V.S. # Views
19
# Views
Ru
nn
ing
Tim
e/s
ec
Results: The scalability of the proposed algorithm is linear with respect to the number of views
Network Traffic Flow
20
Host ID
Inco
nsi
ste
ncy
Sco
re
Results: Figure of the inconsistency scores for hosts. Most of the hosts are considered as consistent, while only a small set of hosts receives very high inconsistency scores
Case Study
21
Det
ect
or
Sco
re
Top1 Inconsistent Host
Det
ect
or
Sco
re
Top1 Consistent Host
Results: For inconsistent host, the detector score patterns of views on both timestamp and detector clusters are well separated in the subspace found by the joint probabilistic tensor factorization, while the behavior of consistent host is almost the same across views
Case Study
22
Top 2 Inconsistent Hosts
Timestamp
Det
ect
or
Sco
re
Top 2 Consistent Hosts
Timestamp
Det
ect
or
Sco
re
Results: For inconsistent hosts, the patterns of detector clusters’ are quite different across multiple views, while the patterns are similar for consistent hosts across views, ignoring noise
Case Study
23
Top 2 Inconsistent Hosts
Detector ID
De
tect
or
Sco
re
Top 2 Consistent Hosts
Detector ID
Det
ect
or
Sco
re
Results: For inconsistent hosts, the patterns of timestamp clusters’ vary a lot across views, especially for view 2 and view 4, whose patterns are obviously different from that of view 1 and view 3. However, the patterns are quite similar for consistent hosts
• Developed a novel framework (TMVID) to conduct inconsistency detection from multiple views of temporal data
• Proposed joint probabilistic tensor factorization to extract the common behavior hidden in multiple views, and presented how to calculate inconsistency score for each host
• Demonstrated the efficacy of TMVID to capture inconsistency in multi-view temporal data on synthetic and real-world network traffic data sets
Conclusions
24
Thank You!Questions?
25