[UCI-Calit2] CS seminar series Friday March 8, 11a.m.

Anna Lynn Spitzer aspitzer at calit2.uci.edu
Wed Mar 6 16:53:19 PST 2013


Computer Sciences Seminar Series (with NetSys)

Title: Anomaly Detection among Packet Flows

Speaker: George Kesidis, Pennsylvania State University

Time: 11 a.m. - noon

Date: Friday, March 8, 2013

Location: Donald Bren Hall, Room 6011


Abstract:
We consider the problem of using packet-flow data for detection of
botnet command and control (C&C) activity.  We realistically salt
recorded Zeus botnet C&C traffic into separately recorded "background"
traffic by calibrating the botnet traffic's packet-timing features to the
background traffic. Certain packet-flow features previously identified
as being effective for flow classification are augmented with
timing-based features (e.g., throughput); port numbers are not used. We
present the results for several supervised classifiers. Our experiments
show that the presence of timing artifacts in botnet traces can
significantly impact detection results. They also show that the features
used do not discriminate well between normal Web activity and Zeus botnet
C&C activity (which also uses port 80).  So, we focus on this problem in
the second half of the talk in an unsupervised framework, i.e., the
implicitly statistical problem of anomaly detection.

For high (N) dimensional feature spaces, we consider detection of an
unknown, anomalous class of samples amongst a batch of collected samples
(of size T), under the null hypothesis that all samples follow the same
probability law.  Since the features which will best identify the
anomalies are a priori unknown, common detection strategies include: 1)
evaluating atypicality of a sample (its p-value) based on the null
distribution defined on the full N-dimensional feature space; 2)
considering a (combinatoric) set of low order distributions, e.g., based
on all singletons and all feature pairs, with detections made based on
the smallest p-value yielded over all such low order tests.  The first
approach relies on accurate estimation of the joint distribution, while
the second may suffer from increased false alarm rates as N and T grow.
Alternatively, inspired by greedy feature selection commonly used in
supervised learning, we propose a novel sequential anomaly detection
procedure with a growing number of tests.  Here, new tests are
(greedily) included only when they are needed, i.e., when their use (on
currently undetected samples) will yield greater aggregate statistical
significance of (multiple testing corrected) detections than obtainable
using the existing test cadre.  Our approach thus aims to maximize
aggregate statistical significance of all detections made up until a
finite horizon.  Our performance study shows that judicious feature
representation is essential for discriminating Zeus C&C activity from
normal Web activity.
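As an added illustration (not part of this announcement or of the speaker's work), the following constructed example implements the low-order test pool and the greedy sequential inclusion described above. It assumes a known N(0,I) null for the N features (a real system would estimate the null), corrects each test by Bonferroni over T samples times the number of included tests, and scores a candidate by the aggregate -log p of the new detections it makes; the batch, the 2.5-sigma clipping of the background and the two salted anomalies are all constructed for the demo.

```python
import math
import numpy as np

def singleton_test(X, i):
    # Two-sided p-value of feature i under the assumed N(0,1) null.
    return np.array([math.erfc(abs(x) / math.sqrt(2)) for x in X[:, i]])

def pair_test(X, i, j):
    # Under N(0,I), x_i^2 + x_j^2 is chi-square(2); survival function is exp(-s/2).
    return np.exp(-(X[:, i] ** 2 + X[:, j] ** 2) / 2)

def candidate_tests(n):
    # The low-order test pool: every singleton and every feature pair.
    tests = {("single", i): (lambda X, i=i: singleton_test(X, i)) for i in range(n)}
    for i in range(n):
        for j in range(i + 1, n):
            tests[("pair", i, j)] = lambda X, i=i, j=j: pair_test(X, i, j)
    return tests

def greedy_detect(X, alpha=0.05):
    # Grow the cadre one test at a time: include a test only if, after Bonferroni
    # correction over T samples x (cadre size + 1) tests, it detects still-undetected samples.
    T, N = X.shape
    pool, cadre, detected = candidate_tests(N), [], {}
    while pool:
        k = T * (len(cadre) + 1)
        best, best_score, best_new = None, 0.0, {}
        for name, fn in pool.items():
            p = np.minimum(fn(X) * k, 1.0)
            new = {t: p[t] for t in range(T) if t not in detected and p[t] <= alpha}
            score = sum(-math.log(v) for v in new.values())
            if score > best_score:
                best, best_score, best_new = name, score, new
        if best is None:
            break  # no remaining test adds significance: stop at this horizon
        cadre.append(best)
        detected.update(best_new)
        del pool[best]
    return cadre, detected

def build_batch(T=200, N=4, seed=1):
    # Constructed batch: N(0,1) background clipped to 2.5 sigma plus two salted anomalies.
    rng = np.random.default_rng(seed)
    X = np.clip(rng.standard_normal((T, N)), -2.5, 2.5)
    X[0] = [0.0, 0.0, 8.0, 0.0]  # extreme in one feature: a singleton test suffices
    X[1] = [3.5, 3.5, 0.0, 0.0]  # unremarkable per feature, anomalous as a pair
    return X

if __name__ == "__main__":
    cadre, detected = greedy_detect(build_batch())
    print("tests included:", cadre, "detected rows:", sorted(detected))
```

Row 1 is the case the abstract's second strategy is built for: no singleton clears the corrected threshold, so the pair test on features (0,1) is added to the cadre only after the singleton on feature 2 has already paid for itself.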

We conclude with a discussion of how to adapt such an anomaly detection
system to new ground truth samples, either nominal or attack, the latter
corroborated by, for example, alert correlation or offline forensic
analysis.

Work in collaboration with: Prof. D.J. Miller, F. Kocak, J. Raghuram, B.
Celik

Bio:
George Kesidis received his M.S. and Ph.D. in EECS from U.C. Berkeley in
1990 and 1992 respectively.  He was a professor in the E&CE department
of the University of Waterloo, Canada, from 1992 to 2000. Since 2000, he
has been a professor of CSE and EE at the Pennsylvania State University.
His research, including several areas of computer/communication
networking and machine learning, has been primarily supported by NSERC
of Canada, NSF and Cisco Systems URP.  He served as the TPC co-chair of
IEEE INFOCOM 2007 among other networking conferences. He has also served
on the editorial boards of the Computer Networks Journal, ACM TOMACS and
IEEE Journal on Communications Surveys and Tutorials. Currently, he is
an "intermittent expert" (part-time program officer) for the National
Science Foundation's Secure and Trustworthy Cyberspace (SaTC) program.
His home page is http://www.cse.psu.edu/~kesidis .
