Conformal Clustering and its Application to Botnet Traffic
Giovanni Cherubin, Ilia Nouretdinov, Alexander Gammerman
Roberto Jordaney, Zhi Wang, Davide Papini, Lorenzo Cavallaro
Netflow, network traces
[Diagram: Bot, Internet, netflow]
netflow fields: Date, Duration, IP_src, Port_src, IP_dst, Port_dst, TCP/UDP, Sent Packets, Recv Packets, Sent Bytes, Recv Bytes, Tot Packets, Tot Bytes, Flags, …
Netflow, network traces
            Date        Duration  TCP/UDP  Sent Bytes  Port_dst  …
netflow_1   1248089563  2939      TCP      503         445
netflow_2   1248089702  51        TCP      354         139
…
Conformal Predictor
D, zn, A → Conformal Predictor → pn: p-value
Does zn conform to D at 1-ε confidence?
CP for anomaly detection [Laxhammar11, Smith14]
[Figure: axes x1 and x2]
Conformal Clustering
• Conformal Predictors in unsupervised setting.
• Controls the objects left outside the clusters.
• Regulates the “depth” of clusters.
[Figures, axes x1 and x2, in slide order: training objects; p-values grid; with respect to ε=0.1; neighbouring rule; test set; clusters]
Our Approach
• Each network trace produces a feature vector.
• Normalisation.
• Dimensionality reduction (t-SNE).
• Non-conformity measures: k-NN, KDE.
• Performance measures: Purity, Average P-Value.
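The steps shown on the slides above (p-values grid, threshold ε, neighbouring rule, assigning test objects) with the k-NN non-conformity measure, as an added example that is not the authors' code. Assumptions: constructed 2-D points stand in for the t-SNE output, grid neighbours are the four axis-adjacent points, and all function names are hypothetical.

```python
import numpy as np
from collections import deque

def knn_alpha(bag, k):
    """k-NN non-conformity: sum of distances to the k nearest other objects."""
    d = np.linalg.norm(bag[:, None, :] - bag[None, :, :], axis=2)
    np.fill_diagonal(d, np.inf)            # an object is not its own neighbour
    return np.sort(d, axis=1)[:, :k].sum(axis=1)

def p_value(train, z, k):
    """Conformal p-value of candidate z against the training bag."""
    alpha = knn_alpha(np.vstack([train, z]), k)
    return float(np.mean(alpha >= alpha[-1]))   # z itself is counted

def conformal_clusters(train, axis_pts, eps, k=1):
    """Grid of p-values -> keep p > eps -> label connected components."""
    m = len(axis_pts)
    pvals = np.array([[p_value(train, np.array([x, y]), k)
                       for y in axis_pts] for x in axis_pts])
    labels, n = np.full((m, m), -1), 0
    for start in zip(*np.nonzero(pvals > eps)):
        if labels[start] != -1:
            continue
        labels[start] = n
        queue = deque([start])
        while queue:                        # breadth-first flood fill
            i, j = queue.popleft()
            for a, b in ((i + 1, j), (i - 1, j), (i, j + 1), (i, j - 1)):
                inside = 0 <= a < m and 0 <= b < m
                if inside and pvals[a, b] > eps and labels[a, b] == -1:
                    labels[a, b] = n
                    queue.append((a, b))
        n += 1
    return pvals, labels, n

def assign(points, axis_pts, labels):
    """Cluster of the nearest grid point for each test object (-1 = outside)."""
    idx = np.abs(points[:, :, None] - axis_pts[None, None, :]).argmin(axis=2)
    return labels[idx[:, 0], idx[:, 1]]

# Constructed data: two 5x5 lattices of 2-D points (not real netflow features).
off = 0.04 * (np.arange(5) - 2)
blob = np.array([[dx, dy] for dx in off for dy in off])
TRAIN = np.vstack([blob + 0.25, blob + 0.75])
GRID = np.linspace(0.0, 1.0, 21)
PVALS, LABELS, N_CLUSTERS = conformal_clusters(TRAIN, GRID, eps=0.2, k=1)
TEST_LABELS = assign(np.array([[0.26, 0.24], [0.74, 0.77], [0.5, 0.5]]),
                     GRID, LABELS)
```

On this constructed lattice every grid p-value is either 1 or 1/51; real feature vectors give a graded grid, which is where the choice of ε changes how many objects are left outside the clusters.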
Performance Measures
Purity
• How “pure” are the clusters.
• For the same ε the number of clusters is not influenced.
Average P-Value
• Efficiency criterion.
• Size of the prediction set.
• The smaller the prediction set the better.
[Figure: grid of p-values]
Results (ε=0.2)

k-NN non-conformity measure
k       1      2      3      4      5      …  10
APV     0.129  0.139  0.141  0.147  0.160  …  0.193
Purity  0.99   0.97   0.97   0.96   0.96   …  0.92

KDE (Gaussian kernel) non-conformity measure
h       0.001  0.005  0.01   0.05   0.1    …  1.0
APV     0.404  0.332  0.299  0.165  0.130  …  0.221
Purity  1.00   0.98   1.00   0.99   0.99   …  0.92
Future work
• Avoid dimensionality reduction, reduce complexity.
• New criteria of accuracy.
• New non-conformity measures based on previous work in botnet detection (e.g. BotFinder).
• Detection: “malicious” and “benign” data.
Bibliography
• [Vovk05] V. Vovk et al., Algorithmic learning in a random world. Springer, 2005.
• [Maaten08] L. van der Maaten et al., Visualizing data using t-SNE. Journal of Machine Learning Research, 2008.
• [Laxhammar11] R. Laxhammar et al., Sequential conformal anomaly detection in trajectories based on Hausdorff distance, 2011.
• [Lei13] J. Lei et al., A conformal prediction approach to explore functional data, 2013.
• [Smith14] J. Smith et al., Anomaly Detection of Trajectories with Kernel Density Estimation by Conformal Prediction. Artificial Intelligence Applications and Innovations, Springer, 2014.
Thanks