
Defending the network. Detection and Diagnosis of Anomalies

Noemí Marta Fuentes García (nmfuentes@ugr.es)
José Camacho Páez (josecamacho@ugr.es)
Gabriel Maciá Fernández (gmacia@ugr.es)

Dept. Signal Theory, Telematics and Telecommunications, CITIC
ETS Ingenierías Informática y de Telecomunicación (University of Granada)

CITICoffees
Granada, March 2017
WHAT DO YOU THINK?

Defending the network. Detection and Diagnosis of Anomalies

To trust everyone and to trust no one are both vices; but in the one there is more virtue, and in the other more security. Seneca


OUR REASON TO WORK

Intelligence is the ability to adapt to change. Stephen Hawking



MOTIVATION

SIEM = Security Information and Event Management
PART I: INTRODUCTION. MSPC AND DIAGNOSIS METHODS
MSPC: PCA + STATISTICS

Everything should be simplified as much as possible, but no more. Albert Einstein


KEY CONCEPTS: MSPC AND MSNM

MSPC: Multivariate Statistical Process Control
MSNM: Multivariate Statistical Network Monitoring

Monitoring loop:

  NOC data (Normal Operation Condition)  ->  Calibration
  Incoming data  ->  Inspection  ->  Detection  ->  Anomaly?
      No:  keep inspecting incoming data
      Yes: Diagnosis  ->  Troubleshoot

Example of the diagnosis step: a DoS is identified from the variables that explain the anomaly (e.g. #Syn, #Con).
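The monitoring loop above, as an added worked example that is not code from the slides or from the authors' own tools: it calibrates a PCA model on constructed NOC traffic counters, computes the D-statistic (taken here in its usual MSPC sense, Hotelling's T² in the score space) and the Q-statistic (squared prediction error of the residual), flags an observation when either crosses an empirical 99th-percentile control limit, and diagnoses the anomaly from per-variable contributions. The variable names (syn, con, bytes, dns), the synthetic data generator, the two retained components and the percentile-based limits are all assumptions made for the example.

```python
"""Added example, not code from the slides: a minimal MSNM loop (calibrate on
NOC data, detect with D and Q, diagnose by contributions) in plain Python.
All traffic counters below are constructed, not real measurements."""
import math
import random

VARIABLES = ["syn", "con", "bytes", "dns"]  # assumed per-minute counters
N_COMPONENTS = 2  # PCs retained in the model (assumption)
ALPHA = 0.99      # empirical quantile used as control limit (assumption)

def generate_noc_data(n, seed=7):
    """Constructed NOC data: syn, con and bytes move together, dns is independent."""
    rng = random.Random(seed)
    rows = []
    for _ in range(n):
        syn = rng.gauss(1000, 100)
        con = 0.9 * syn + rng.gauss(0, 30)
        rows.append([syn, con, 1500 * con + rng.gauss(0, 20000), rng.gauss(200, 20)])
    return rows

def _matvec(c, v):
    return [sum(cij * vj for cij, vj in zip(row, v)) for row in c]

def _top_components(c, n_comp, iters=1000):
    """Leading eigenpairs of a symmetric matrix: power iteration with deflation."""
    c = [row[:] for row in c]
    m = len(c)
    loadings, eigvals = [], []
    for _ in range(n_comp):
        v = [1.0 / math.sqrt(m)] * m
        for _ in range(iters):
            w = _matvec(c, v)
            norm = math.sqrt(sum(x * x for x in w))
            if norm < 1e-300:
                break  # nothing left to extract
            v = [x / norm for x in w]
        lam = sum(vi * wi for vi, wi in zip(v, _matvec(c, v)))
        loadings.append(v)
        eigvals.append(lam)
        for i in range(m):
            for j in range(m):
                c[i][j] -= lam * v[i] * v[j]  # deflate
    return loadings, eigvals

def _statistics(model, z):
    """D (Hotelling's T^2 in score space) and Q (squared prediction error)."""
    P, lam = model["P"], model["lambda"]
    scores = [sum(p[j] * z[j] for j in range(len(z))) for p in P]
    d = sum(t * t / l for t, l in zip(scores, lam))
    recon = [sum(t * p[j] for t, p in zip(scores, P)) for j in range(len(z))]
    resid = [zj - rj for zj, rj in zip(z, recon)]
    return d, sum(e * e for e in resid), scores, resid

def calibrate(rows, n_comp=N_COMPONENTS, alpha=ALPHA):
    """Fit the NOC model: autoscaling, PCA and empirical control limits."""
    n, m = len(rows), len(rows[0])
    mean = [sum(r[j] for r in rows) / n for j in range(m)]
    std = [math.sqrt(sum((r[j] - mean[j]) ** 2 for r in rows) / (n - 1)) for j in range(m)]
    std = [s if s > 1e-12 else 1.0 for s in std]  # guard constant variables
    x = [[(r[j] - mean[j]) / std[j] for j in range(m)] for r in rows]
    cov = [[sum(xi[a] * xi[b] for xi in x) / (n - 1) for b in range(m)] for a in range(m)]
    P, lam = _top_components(cov, n_comp)
    model = {"mean": mean, "std": std, "P": P, "lambda": lam}
    stats = [_statistics(model, xi)[:2] for xi in x]
    k = int(alpha * (n - 1))  # limit = alpha-quantile of the NOC statistics
    model["ucl_d"] = sorted(s[0] for s in stats)[k]
    model["ucl_q"] = sorted(s[1] for s in stats)[k]
    return model

def monitor(model, obs):
    """Inspect one observation (raw counters, VARIABLES order): detection by
    the control limits, diagnosis by per-variable contributions to D and Q."""
    z = [(o - mu) / s for o, mu, s in zip(obs, model["mean"], model["std"])]
    d, q, scores, resid = _statistics(model, z)
    contrib_q = {v: e * e for v, e in zip(VARIABLES, resid)}
    contrib_d = {v: sum((t / l) * p[j] * z[j]
                        for t, l, p in zip(scores, model["lambda"], model["P"]))
                 for j, v in enumerate(VARIABLES)}
    return {"D": d, "Q": q, "anomaly": d > model["ucl_d"] or q > model["ucl_q"],
            "contrib_D": contrib_d, "contrib_Q": contrib_q}

def top_contributor(result, statistic="Q"):
    """Variable explaining most of the chosen statistic, i.e. the diagnosis."""
    contrib = result["contrib_" + statistic]
    return max(contrib, key=contrib.get)

if __name__ == "__main__":
    model = calibrate(generate_noc_data(300))
    cases = {"normal": model["mean"],                       # centre of the NOC cloud
             "syn flood": [50000.0, 900.0, 1.35e6, 200.0]}  # SYNs explode, connections do not
    for name, obs in cases.items():
        r = monitor(model, obs)
        print("%-9s D=%10.1f Q=%10.1f anomaly=%-5s diagnosis: %s"
              % (name, r["D"], r["Q"], r["anomaly"], top_contributor(r)))
```

Run as a script, the "normal" observation sits at the centre of the calibration cloud and stays under both limits, while the SYN-flood observation breaks the syn/con relationship the model learned, so Q (and D) jump far above their limits and the largest contribution points at syn: the #Syn to DoS path in the diagram. Percentile limits on the calibration statistics are used here for brevity; with small calibration sets the theoretical limits from the MSPC literature are the safer choice, and a real deployment would refit the NOC model as traffic evolves.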
PART II: PROPOSED COMPARISON, VALIDATION AND RESULTS
EXPERIMENTS: SIMULEMV


EXPERIMENTS: SACCHAROMYCES CEREVISIAE


EXPERIMENTS: NETWORK



RESULTS

Average diagnosis ratio: D = c / n

We can only see a little of the future, but enough to realize that there is much to do. Alan Turing
ANY PROBLEM?



NOW AND NEXT STEPS

Standard approach vs hierarchical approach

Standard approach: a single model is built over all n variables and yields one pair of statistics, D and Q.

Hierarchical approach: the variables are partitioned into regions R1, R2, ..., Rn; each region is modelled on its own and yields its own pair of statistics (D1, Q1; D2, Q2; ...; Dn, Qn), and those per-region statistics feed the next level of the hierarchy.
Thanks for your attention!

VERITAS project
Visualización de Eventos en Red Inteligente para el Tratamiento y Análisis de la Seguridad (Intelligent Network Event Visualisation for Security Processing and Analysis)
http://nesg.ugr.es/veritas/
Acknowledgements

This work is funded by the Ministry of Economy and Competitiveness and FEDER funds through the TIN2014-60346-R project.

http://nesg.ugr.es/veritas/
