Network Security Data Overview and Cluster Analysis for Scan Detection

1. SummarizingNetwork Security Data(presentation includes notes) Dave DeBarr debarr@mitre.org December 9, 2002

2. Overview • Network Layout • Event Descriptions • OLAP Support • Meta-Session Aggregations • Scan Detection (a sample application) • Frequent Meta-Sessions • Infrequent Meta-Session Groupings • Cluster Analysis

3. ACME Corporate Network Layout

4. Event Descriptions

5. Derived Attributes

6. OLAP Visualization Example

7. Meta-Session Aggregations

8. Sample Application: Identifying Scans

9. Scans: Clustering Approach • Agglomerative hierarchical clustering using Ward’s method to generate initial centroids • K-means for iterative relocation • Assigning each observation to the cluster for its nearest centroid • Recomputing the mean for each cluster • No concept of variance, but it’s quick  • Calinski-Harabasz index for evaluating models built using different values for K (the number of clusters)

10. Scans: Heuristic-Based Density Estimation

11. Summaries for 10 Common Scans

12. Frequent Meta-Sessions

13. Infrequent Meta-Session Groupings

14. Cluster Prototypes for2:Drop:TCP/27374,3:TCP Connect:TCP/27374

15. Cluster Visualization Example

16. Tiers to Support Drill-Down Operations • Summary for all events • Summaries for inbound and outbound events • Summaries for frequent and infrequent meta-sessions • Summaries/prototypes for meta-session clusters • Summaries for meta-sessions • Lists of events for a particular meta-session