Summarizing Network Security Data (presentation includes notes)
Dave DeBarr, debarr@mitre.org, December 9, 2002

Overview
• Network Layout
• Event Descriptions
• OLAP Support
• Meta-Session Aggregations
• Scan Detection (a sample application)
• Frequent Meta-Sessions
• Infrequent Meta-Session Groupings
• Cluster Analysis
Scans: Clustering Approach
• Agglomerative hierarchical clustering using Ward’s method to generate initial centroids
• K-means for iterative relocation
  • Assigning each observation to the cluster for its nearest centroid
  • Recomputing the mean for each cluster
  • No concept of variance, but it’s quick
• Calinski-Harabasz index for evaluating models built using different values for K (the number of clusters)
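The slide's pipeline (Ward seeds, K-means relocation, Calinski-Harabasz model selection) carried through on a small constructed data set, as an added example that is not the presentation's own code. The feature vectors, one per meta-session, are invented for illustration (drop count, TCP connect count, distinct destination ports), with three groups planted on purpose; the pure-Python implementation uses no third-party packages.

```python
"""Ward-seeded K-means with the Calinski-Harabasz index (added example,
not the presentation's code). Pure Python, no third-party packages."""

# Constructed feature vectors, one per meta-session:
# (drop count, TCP connect count, distinct destination ports).
# Three groups are planted deliberately; the values are illustrative only.
META_SESSIONS = [
    (1, 0, 1), (2, 0, 1), (1, 1, 2), (2, 1, 1),          # quiet, mostly allowed
    (40, 2, 38), (41, 1, 39), (39, 3, 37), (40, 2, 40),  # many drops over many ports
    (3, 20, 1), (2, 22, 1), (4, 21, 2), (3, 19, 1),      # many connects to one port
]

def mean(points):
    d = len(points[0])
    return tuple(sum(p[i] for p in points) / len(points) for i in range(d))

def sq_dist(a, b):
    return sum((x - y) ** 2 for x, y in zip(a, b))

def ward_seeds(points, k):
    """Agglomerative clustering with Ward's criterion: repeatedly merge the
    pair of clusters whose merge increases within-cluster SSE the least,
    stopping at k clusters. Returns the k cluster means as K-means seeds."""
    clusters = [[p] for p in points]
    while len(clusters) > k:
        best = None
        for i in range(len(clusters)):
            for j in range(i + 1, len(clusters)):
                a, b = clusters[i], clusters[j]
                # Ward merge cost: |A||B|/(|A|+|B|) * ||mean(A) - mean(B)||^2
                cost = len(a) * len(b) / (len(a) + len(b)) * sq_dist(mean(a), mean(b))
                if best is None or cost < best[0]:
                    best = (cost, i, j)
        _, i, j = best
        clusters[i] = clusters[i] + clusters[j]
        del clusters[j]
    return [mean(c) for c in clusters]

def kmeans(points, centroids, max_iter=100):
    """Iterative relocation: assign each observation to its nearest centroid,
    recompute each centroid as its cluster mean, repeat until nothing moves."""
    for _ in range(max_iter):
        labels = [min(range(len(centroids)), key=lambda c: sq_dist(p, centroids[c]))
                  for p in points]
        new = []
        for c in range(len(centroids)):
            members = [p for p, lab in zip(points, labels) if lab == c]
            new.append(mean(members) if members else centroids[c])  # keep an emptied centroid
        if new == centroids:
            break
        centroids = new
    return labels, centroids

def calinski_harabasz(points, labels, centroids):
    """CH = [B/(k-1)] / [W/(n-k)]: between-cluster dispersion over
    within-cluster dispersion, each scaled by its degrees of freedom."""
    n, k = len(points), len(centroids)
    if k < 2 or k >= n:
        raise ValueError("CH index needs 2 <= k < n")
    overall = mean(points)
    sizes = [labels.count(c) for c in range(k)]
    between = sum(sizes[c] * sq_dist(centroids[c], overall) for c in range(k))
    within = sum(sq_dist(p, centroids[lab]) for p, lab in zip(points, labels))
    if within == 0:
        return float("inf")  # every cluster collapsed to identical points
    return (between / (k - 1)) / (within / (n - k))

def choose_k(points, candidates=(2, 3, 4, 5)):
    """Fit one Ward-seeded K-means model per K and return {K: CH index}."""
    scores = {}
    for k in candidates:
        labels, cents = kmeans(points, ward_seeds(points, k))
        scores[k] = calinski_harabasz(points, labels, cents)
    return scores

def best_k(points, candidates=(2, 3, 4, 5)):
    """The K with the largest CH index is the model to keep."""
    scores = choose_k(points, candidates)
    return max(scores, key=scores.get)

if __name__ == "__main__":
    for k, score in choose_k(META_SESSIONS).items():
        print(f"K={k}: CH={score:.1f}")
    print("best K:", best_k(META_SESSIONS))
```

Because the seeds are already the Ward cluster means, K-means converges in one pass on this data; on real meta-session aggregates the relocation step is what repairs the greedy merges Ward cannot undo. The CH index rewards partitions that are tight inside and far apart between clusters, so a K that splits one natural group lowers the score even though it also lowers the within-cluster error.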
Cluster Prototypes for 2:Drop:TCP/27374, 3:TCP Connect:TCP/27374 (chart not reproduced in the extracted text)
Tiers to Support Drill-Down Operations
• Summary for all events
• Summaries for inbound and outbound events
• Summaries for frequent and infrequent meta-sessions
• Summaries/prototypes for meta-session clusters
• Summaries for meta-sessions
• Lists of events for a particular meta-session
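The drill-down tiers above built over a handful of constructed firewall/IDS events, as an added example rather than the presentation's own code. Two details the slides do not spell out are assumed here: a meta-session is the set of events sharing one (source, destination) pair, ordered by time, and a meta-session counts as "frequent" when it has at least `FREQUENT_MIN` events; the meta-session signature is formatted as `step:event` pairs, an assumed reading of the `2:Drop:TCP/27374,3:TCP Connect:TCP/27374` notation on the prototype slide. The cluster tier is omitted since it only adds the clustering step to the per-meta-session summaries.

```python
"""Drill-down tiers over security events (added example, not the
presentation's code). Assumptions: a meta-session = all events for one
(src, dst) pair in time order; 'frequent' = at least FREQUENT_MIN events."""
from collections import Counter, defaultdict

FREQUENT_MIN = 3  # assumed threshold separating frequent from infrequent meta-sessions

# Constructed sample events (not real traffic); addresses are from documentation ranges.
EVENTS = [
    {"t": 1, "dir": "in",  "src": "203.0.113.5",  "dst": "192.0.2.10",   "event": "Drop:TCP/27374"},
    {"t": 2, "dir": "in",  "src": "203.0.113.5",  "dst": "192.0.2.10",   "event": "TCP Connect:TCP/27374"},
    {"t": 3, "dir": "in",  "src": "203.0.113.5",  "dst": "192.0.2.10",   "event": "Drop:TCP/27374"},
    {"t": 4, "dir": "in",  "src": "203.0.113.9",  "dst": "192.0.2.11",   "event": "Drop:TCP/445"},
    {"t": 5, "dir": "out", "src": "192.0.2.20",   "dst": "198.51.100.7", "event": "TCP Connect:TCP/80"},
    {"t": 6, "dir": "out", "src": "192.0.2.20",   "dst": "198.51.100.7", "event": "TCP Connect:TCP/80"},
    {"t": 7, "dir": "out", "src": "192.0.2.20",   "dst": "198.51.100.7", "event": "TCP Connect:TCP/443"},
    {"t": 8, "dir": "in",  "src": "203.0.113.77", "dst": "192.0.2.10",   "event": "Drop:UDP/137"},
]

def summarize(events):
    """The summary shape shared by every tier: total count and count per event type."""
    return {"events": len(events), "by_type": dict(Counter(e["event"] for e in events))}

def tier_all(events):
    """Tier 1: one summary for all events."""
    return summarize(events)

def tier_by_direction(events):
    """Tier 2: separate summaries for inbound and outbound events."""
    return {d: summarize([e for e in events if e["dir"] == d]) for d in ("in", "out")}

def meta_sessions(events):
    """Group events into meta-sessions keyed by (src, dst), each in time order."""
    groups = defaultdict(list)
    for e in sorted(events, key=lambda e: e["t"]):
        groups[(e["src"], e["dst"])].append(e)
    return dict(groups)

def tier_by_frequency(events):
    """Tier 3: summaries for frequent and infrequent meta-sessions."""
    ms = meta_sessions(events)
    frequent = [e for evs in ms.values() if len(evs) >= FREQUENT_MIN for e in evs]
    infrequent = [e for evs in ms.values() if len(evs) < FREQUENT_MIN for e in evs]
    return {"frequent": summarize(frequent), "infrequent": summarize(infrequent)}

def tier_meta_session_summaries(events):
    """Tier 5: one summary per meta-session plus its step:event signature."""
    out = {}
    for key, evs in meta_sessions(events).items():
        signature = ",".join(f"{i}:{e['event']}" for i, e in enumerate(evs, 1))
        out[key] = {**summarize(evs), "signature": signature}
    return out

def tier_event_list(events, src, dst):
    """Tier 6: the raw event list for one meta-session, the end of the drill-down."""
    return meta_sessions(events).get((src, dst), [])

if __name__ == "__main__":
    print(tier_all(EVENTS))
    print(tier_by_direction(EVENTS))
    print(tier_by_frequency(EVENTS))
    for key, summary in tier_meta_session_summaries(EVENTS).items():
        print(key, summary["signature"])
    print(tier_event_list(EVENTS, "203.0.113.5", "192.0.2.10"))
```

Each tier reuses the same `summarize` shape, which is what makes the drill-down an OLAP-style operation: an analyst moves from the all-events roll-up to a direction, to the frequent or infrequent bucket, to one meta-session, and finally to its raw events without changing the question being asked, only the slice it is asked over.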