Finding Anomalies in Time- Series using Visual Correla/on for Interac/ve Root Cause Analysis

Similar documents
NStreamAware: Real-Time Visual Analytics for Data Streams to Enhance Situational Awareness

Cyber Security. BDS PhantomWorks. Boeing Energy. Copyright 2011 Boeing. All rights reserved.

RAVEN, Network Security and Health for the Enterprise

Challenge 10 - Attack Visualization The Honeynet Project / Forensic Challenge 2011 /

AXIS Camera Station Quick Installation Guide

VeloView Offline GUI

IP/SIP Trunk Software User Guide

Network Instruments white paper

Network Management and Monitoring Software

Using IPM to Measure Network Performance

Applications. Network Application Performance Analysis. Laboratory. Objective. Overview

Network Monitoring as an essential component of IT security

Flexible Web Visualization for Alert-Based Network Security Analytics

Axis 360 Guides Table of Contents. Axis 360 & Blio ebooks with Android Devices (1/30/14)

Situational Awareness Through Network Visualization

AD Account Lockout Investigation and Root Cause Analysis

Flow Visualization Using MS-Excel

WAMLocal. Wireless Asset Monitoring - Local Food Safety Software. Software Installation and User Guide BA/WAM-L-F

TIBCO Spotfire Metrics Modeler User s Guide. Software Release 6.0 November 2013

mbits Network Operations Centrec

Appendix E to DIR Contract Number DIR-TSO-2736 CLOUD SERVICES CONTENT (ENTERPRISE CLOUD & PRIVATE CLOUD)

Monitor network traffic in the Dashboard tab

Manual. Sealer Monitor Software. Version

Security Management. Keeping the IT Security Administrator Busy

FOXBORO. I/A Series SOFTWARE Product Specifications. I/A Series Intelligent SCADA SCADA Platform PSS 21S-2M1 B3 OVERVIEW

LOG AND EVENT MANAGEMENT FOR SECURITY AND COMPLIANCE

VMware vrealize Operations for Horizon Administration

Juniper Networks Management Pack Documentation

Rule 4-004M Payment Card Industry (PCI) Monitoring, Logging and Audit (proposed)

SIP Trunk Installation & User Guide

BI SURVEY. The world s largest survey of business intelligence software users

Citrix EdgeSight User s Guide. Citrix EdgeSight for Endpoints 5.4 Citrix EdgeSight for XenApp 5.4

BlackHawk for MAC Software User Guide

pt360 FREE Tool Suite Networks are complicated. Network management doesn t have to be.

Condition Based Monitoring Dashboard User Manual. User Manual

SECTION WEB-BASED POWER MONITORING COMMUNICATIONS SYSTEM

Intelligent Network Monitoring for Your LAN, WAN and ATM Network

Redefine Network Visibility in the Data Center with the Cisco NetFlow Generation Appliance

Defining, building, and making use cases work

pc resource monitoring and performance advisor

TITANXR Multi-Switch Management Software

Central Management Software CV3-M1024

SIP Trunk Installation & User Guide

A Framework for Effective Alert Visualization. SecureWorks 11 Executive Park Dr Atlanta, GA {ubanerjee,

VISIBLY BETTER RISK AND SECURITY MANAGEMENT

DIGICLIENT 8.0 Remote Agent Software

Information Technology Solutions

Smarter Security for Smarter Local Government. Craig Sargent, Solutions Specialist

How to Leverage IPsonar

User Reports. Time on System. Session Count. Detailed Reports. Summary Reports. Individual Gantt Charts

September 20, 2013 Senior IT Examiner Gene Lilienthal

How To Manage A Network With Kepware

Cover. White Paper. (nchronos 4.1)

CHAPTER. Monitoring and Diagnosing

The SIEM Evaluator s Guide

OPERATION MANUAL. MV-410RGB Layout Editor. Version 2.1- higher

Trading Diary Manual

CyberNEXS Global Services

How To Create A Network Monitoring System (Flowmon) In Avea-Tech (For Free)

Monitoring Operation Manual (US Region)

White Paper Integrating The CorreLog Security Correlation Server with BMC Software

ON THE IMPLEMENTATION OF ADAPTIVE FLOW MEASUREMENT IN THE SDN-ENABLED NETWORK: A PROTOTYPE

A Frequency-Based Approach to Intrusion Detection

Cyber Watch. Written by Peter Buxbaum

NNMi120 Network Node Manager i Software 9.x Essentials

Service Description DDoS Mitigation Service

Wonderware Alarm Adviser Providing the Right Advice to Improve Operator Efficiency

Secure and Effective IT Infrastructure

Auditing the LAN with Network Discovery

Unified Monitoring Portal Online Help Dashboards

User s Manual. Management Software for ATS

White Paper April 2006

USER MANUAL Detcon Log File Viewer

Throughput Capacity Planning and Application Saturation

LOG INTELLIGENCE FOR SECURITY AND COMPLIANCE

Using VDOMs to host two FortiOS instances on a single FortiGate unit

REAL-TIME & HISTORICAL FEATURES OF THE BLUEARGUS SOFTWARE SUITE

Network Probe User Guide

IntraVUE Diagnostics. Device Failure

TSM Studio Server User Guide

Visual Analysis of Network Traffic for Resource Planning, Interactive Monitoring, and Interpretation of Security Threats

Pervade Software. Use Case PCI Technical Controls. PCI- DSS Requirements

EMC Smarts Integration Guide

21 CFR Part 11 Administrative Tools Part 11 Trackable Changes Maintenance Plans Upgrades Part 11 LDAP Support QC-SORT

Analyzing Logs For Security Information Event Management

White Paper: Application and network performance alignment to IT best practices

Full-Context Forensic Analysis Using the SecureVue Unified Situational Awareness Platform

TORNADO Solution for Telecom Vertical

Network Architecture & Topology

Defending Against Data Beaches: Internal Controls for Cybersecurity

LOG MANAGEMENT AND SIEM FOR SECURITY AND COMPLIANCE

siemens.com/mobility Traffic data analysis in Sitraffic Scala/Concert The expert system for visualization, quality management and statistics

1 Introduction This document describes the service Performance monitoring for the GTS Virtual Hosting service.

Analyzing Logs For Security Information Event Management

Cisco IPS Manager Express

Today s Class. High Dimensional Data & Dimensionality Reduc9on. Readings from Last Week: Readings from Last Week: Scien9fic Data.

NVisionIP: An Interactive Network Flow Visualization Tool for Security

Microsoft Technologies

configurability compares with typical SIEM & Log Management systems Able to install collectors on remote sites rather than pull all data

Transcription:

VizSec 2013 October 14, 2013 Atlanta GA, USA Finding Anomalies in Time- Series using Visual Correla/on for Interac/ve Root Cause Analysis Florian Stoffel, Fabian Fischer, Daniel A. Keim Data Analysis and Visualiza/on Group University of Konstanz

Mo#va#on Computer networks are very important for the daily life and today s economy. Keeping them secure and available is crucial. Many different threats exist1: Ø Cyber Crime Ø HackGvism Ø Cyber Warfare Ø Cyber Espionage 1: according to hjp://hackmageddon.com/ Source: PEER1 Hos=ng/Jeff Johnston 2

Mo#va#on II Adobe Data Leak 40GB of source code. 2.9 million credit card and password records. Source: krebsonsecurity.com Wanted Ability to detect such incidents. If an incident is discovered, what services are involved? 3

Mo#va#on III Approach: Incidents like security breaches and data theu should be detectable in network traffic data (anomalies). Challenges: Large amount of data. Define and search for anomalies. Scalable visualizagon. Source: www.jolyon.co.uk 4

Outline Related Work Network Monitoring Data Gathering, Processing, Modeling Visualiza/on Design, Proper=es System Architecture, Usage Conclusion Summary, Future Work 5

Related Work Network Monitoring Infrastructure and service monitoring. Network graphing. Manually defined thresholds trigger alarms. Usually no modelling or predicgon. 6

Data 7

Data Data is gathered via probes analyzing network flows. A probe contains a number of different descriptors. Descriptors describe a specific property of a protocol, applicagon, If a descriptor matches, a numeric counter is incremented. Server Internet Router Firewall Desktop PCs Managed Switch Network Tap Analysis Probe(s) Server 8

Data II Network with 30 workstagons and 20 regular users. 11 month of data. Counter transmission interval: 5 minutes. Self developed, high performance Gme- series store. Server Internet Router Firewall Desktop PCs Managed Switch Network Tap Analysis Probe(s) Server 9

Data III - Processing Data restoragon Ø Linear interpolagon of missing values. Re- sampling with a fixed interval. Ø ConGnuous Gme- series. Incremental stagsgcs computagon. Ø Min, Max, Mean, Variance per day Storage with indices over Gme and Gme- series. Leads to: consistent data set with no missing values. 10

Data IV Model Both, Fourier and Wavelet TransformaGon can be used to decompose Gme- series data. Fourier Transforma/on: frequency domain, but no locality in Gme. Wavelet Transforma/on: locality in Gme, efficient. 11

Data IV Model Value green: low pass filter black: high pass filter red: raw model blue: example =me- series Time 12

Data IV Model & Anomalies Value Define a Gme- span as anomalous, when it lies outside some borders. Time 13

Visualiza#on 14

Visualiza#on Line Chart Line charts are widely used for not only Gme- series displays. Easy to interpret, easy to compare, well- known to analysts. Our Modifica/ons: Focus plus Context. Rotated view to foster visual, pre- ajengve correlagon. Space efficient representagon on a standard PC screen. Scalable to any screen size. 15

Visualiza#on II Focus + Context Context Focus Context 16

Visualiza#on III Rotated Line Chart Different Time- Series Idea: Weaken the intent to go along the Gme- axis and follow a series. AJempt to guide the analyst to comparison based on Gme- spans. 17

Visualiza#on IV Line Chart and Anomalies Background of the line charts used for anomaly display. Red: value above model and threshold Blue: value below model and threshold 18

Visualiza#on V Visual OpGons width, height, colors, focus/ context area size, pinning, in- place comparison, scaling, ordering, InteracGon browsing via mouse- wheel, zooming and querying based on mouse selecgon SynchronizaGon locagon and changes in Gme visual opgons 19

20

System 21

System Two main components: Server Time- series storage. AnalyGcs backend. Client Time- series and visualizagon framework. MulG- screen and mulg- window support. Access to the analygcs backend of the server. Third component: Network traffic analysis framework (probes). 22

System II Analysis, VisualizaGons, Dashboards, Server Components Client Components 23

System III Root Cause Analysis 1. Browse through Gme- series. 2. Find interesgng Gme spans. 3. Formulate a similarity query. 4. Inspect the query results. 5. (go at 1 if necessary) 6. Start more detailed analysis in other tools, if necessary. 24

25

Conclusion Framework for Gme- series processing, containing: Time- series modelling. Scalable Gme- series analysis. Scalable Gme- series visualizagon. Future Work: Evaluate the line charts (rotagon). Show the usefulness in a real world use- case with interesgng data. WIP: DNA Sequence Alignment Browser/ExploraGon. More AutomaGc methods. 26

http://vis.uni-konstanz.de/ Thank you very much for your ajengon! Ques/ons? For more informagon about our work please contact Florian Stoffel Tel. +49 7531 88-3070 florian.stoffel@uni- konstanz.de @florianstoffel

Dataset Details transmission id Ø id of the data transmission descriptor id Ø id of the descriptor Counter Ø counter reading of the descriptor transmission =me Ø Gme of insergon DuraGon Ø data gathering interval Status Ø transmission status 28

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information