Vissec2014
•Descargar como PPTX, PDF•
0 recomendaciones•224 vistas
This is the presentation I gave at VizSec 2014 on our information-theoretic method for anomaly detection. The conference was held in Paris in November 2014.
Recomendados
Más contenido relacionado
Destacado
Similar a Vissec2014
Similar a Vissec2014 (20)
Más de Simon Walton
Más de Simon Walton (7)
Último
Último (20)
Vissec2014
- 1. Multiple Queries with Conditional Attributes (QCATs) for Anomaly Detection in Visualization Simon Walton, Eamonn Maguire, Min Chen
- 3. Motivation • Anomaly detection is often hard, and context sensitive • We usually don’t have enough annotated training data, and annotation itself is uncertain • Many different techniques exist • The human ideally should be in the loop • The visual analytics loop!
- 4. Aims • To develop an anomaly detection method that • Is context-sensitive • Does not rely on supervised learning • Can be expanded and refined easily by the user when needed • Is not cost-prohibitive to run, and is linearly scalable
- 6. Information is Additive • Notion: the number of all possible answers is the amount of information • Roll a fair dice: 6 outcomes, equiprobable • What if I roll it n times? • We can make information additive:
- 7. But… few things are equiprobable! • Most die are biased • Most coins, too
- 8. Let’s Play a Game • 1/3 chance of getting the ball • What is the amount of information then in the answer?
- 9. Defining the Total Information • Average of all outcomes - i.e. weight according to their probabilities: • More generally,
- 11. 0.3 0.99 0.97 0.82 0.33 0.1 Work 1 Viagra Single Girls Job Opportunity Work 2 From Mum Bayesian DNS checksum Blacklists
- 12. QCATs: Query with Conditional Attributes • Dataset A = {a1,a2,...,an} with n attributes 1 2 3 4 5 6 7 8 9 106 Conditional 2 VON VON 4
- 13. QCATs: Executing a QCAT month machine user Take QCAT Bind conditionals month machine user 11= SELECT uniq(machine, user) WHERE month = 11 Pseudo-SQL Instantiated QCATQCAT Specification
- 15. A Visual Analytical Workflow for QCATs
- 16. Goals • An effective UI for designing QCATs • The visual analytics loop (right) is ideal for this • Primarily this system would be used by the model designer • A modified version for the analyst, with additional tool support • A simplified visualisation (e.g. time-series) for the observers Visualisation Knowledge Models (QCATs) Data
- 17. CMU-CERT Dataset • http://www.cert.org/insider- threat/tools/index.cfm • Contains known ground-truth for insider threat scenarios • Each event linked to a user Email: 20m time, user, machine, to (inc. CC, BCC), from, size, number of attachments, content Web: 3.5m time, user, machine, url Device: 1.24m time, user, machine id, [insert/remove] Logon/off: 2.6m time, user, machine, [logon/logoff]
- 19. QCAT Workflow • Let’s add a QCAT!
- 24. Multiple QCATs • Real power comes from multiple QCATs • To compare performance • To combine results for analysis • So let’s add another!
- 29. Implementation: Scalability • Linear with number of columns• Linear with number of rows
- 30. Discussion and Future Work • Future work • Understanding how mutual information can be represented • Choice of information-theoretic measure still an issue • Binning strategies and assisted bin design
- 31. But wait! There’s more!
- 32. Questions? • CC-licensed photo acknowledgements: • Coins - https://www.flickr.com/photos/wwarby • Cups and Balls - https://www.flickr.com/photos/eschipul • Dice - https://www.flickr.com/photos/darwinbell
Notas del editor
- {\color[rgb]{1.000000,1.000000,1.000000}log_2(\frac{1}{\frac{1}{3}}) = log_2(\frac{3}{1}) = log_2(3) \approx 1.58} {\color[rgb]{1.000000,1.000000,1.000000}log_2(\frac{3}{2}) \approx 0.58}
- {\color[rgb]{1.000000,1.000000,1.000000} \frac{1}{3}log_2(3) + \frac{2}{3}log_2(\frac{3}{2}) =\approx 0.92 } {\color[rgb]{1.000000,1.000000,1.000000} \sum^r_{i=1}{p_i \cdot log_2(\frac{1}{p_i})} }
- 10 attributes
- Each unique combination of variants in result set is considered a letter in the alphabet