Intelligent Database Systems Lab Presenter : YAN-SHOU SIE Authors : E.J. Palomo, J. North, D. Elizondo, R.M. Luque, T. Watson 2012. NN Application of growing.

Post on 20-Jan-2016


Transcript

Intelligent Database Systems Lab

Presenter : YAN-SHOU SIE

Authors : E.J. Palomo, J. North, D. Elizondo, R.M. Luque, T. Watson

2012. NN

Application of growing hierarchical SOM for visualisation of network forensics traffic data

Outlines

• Motivation
• Objectives
• Methodology
• Experiments
• Conclusions
• Comments

Motivation

• In the age of information explosion, the volume of network packets is so large that network attack patterns are difficult to find, and it is hard to identify the erroneous data in the patterns that the data form.

Objectives

• We use the GHSOM to find network attack patterns, which has the following advantages:
– A visualisation technique is more intuitive and understandable.
– Network attack patterns become easy to find or judge.

Methodology

• Growing hierarchical self-organising map
– consists of several growing SOMs arranged in layers
– quantitative features
– qualitative features

Methodology

• GHSOM flow charts

Methodology

• Euclidean distance

• quantisation error

• hierarchical growth controlled

Methodology

• winning neuron of the map

• weight vector update

• map growth controlled
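
The steps named on the Methodology slides (Euclidean distance, winning neuron, weight vector update, quantisation error, map growth and hierarchical growth), as an added Python example that is not from the slides or the paper. The slide equations are not in this transcript, so the formulas follow the commonly published GHSOM formulation; the thresholds `tau1` and `tau2`, the 1-D chain of units and the packet values are assumptions made for the illustration.

```python
# Added illustration, not the authors' code; tau1/tau2 and the data are assumed.
import math
import random

def dist(x, w):
    """Euclidean distance between input x and weight vector w."""
    return math.sqrt(sum((a - b) ** 2 for a, b in zip(x, w)))

def winner(x, weights):
    """Winning neuron: index of the unit whose weights are closest to x."""
    return min(range(len(weights)), key=lambda i: dist(x, weights[i]))

def train(data, weights, epochs=40, lr0=0.5, sigma0=1.0, seed=0):
    """Weight vector update w_i += lr * h(c, i) * (x - w_i) on a 1-D chain."""
    rng = random.Random(seed)
    weights = [list(w) for w in weights]
    for t in range(epochs):
        decay = 1 - t / epochs
        lr, sigma = lr0 * decay, max(sigma0 * decay, 0.1)
        for x in rng.sample(data, len(data)):
            c = winner(x, weights)
            for i, w in enumerate(weights):
                h = math.exp(-((i - c) ** 2) / (2 * sigma ** 2))  # neighbourhood
                weights[i] = [wi + lr * h * (xi - wi) for wi, xi in zip(w, x)]
    return weights

def layer0_qe(data):
    """qe_0: error of the single layer-0 unit, whose weight is the data mean."""
    mean = [sum(col) / len(data) for col in zip(*data)]
    return sum(dist(x, mean) for x in data)

def growth_decisions(data, weights, qe_parent, qe0, tau1=0.5, tau2=0.1):
    """Return (map_must_grow, units_to_expand_into_a_child_map)."""
    qe, won = [0.0] * len(weights), set()
    for x in data:                       # quantisation error per unit
        c = winner(x, weights)
        qe[c] += dist(x, weights[c])
        won.add(c)
    mqe = sum(qe[i] for i in won) / len(won)   # mean over units that won inputs
    grow = mqe >= tau1 * qe_parent             # map growth criterion
    expand = [i for i, q in enumerate(qe) if q >= tau2 * qe0]  # hierarchy
    return grow, expand

# Constructed sample: (packet length, delta time), both scaled to [0, 1].
PACKETS = [(0.10, 0.10), (0.12, 0.08), (0.08, 0.12), (0.11, 0.11),
           (0.90, 0.80), (0.88, 0.82), (0.92, 0.78), (0.91, 0.81)]
QE0 = layer0_qe(PACKETS)
UNTRAINED = [[0.5, 0.45], [5.0, 5.0]]    # unit 0 wins every packet
TRAINED = train(PACKETS, [[0.4, 0.4], [0.6, 0.6]])
```

With `UNTRAINED` one unit absorbs both traffic groups, so both criteria fire; after training each group has its own unit and neither does.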

Experiments

• Feature extraction

(Figure: captured packets, handling of missing values, feature selection)

• Final feature subset
– qualitative: IP source address, IP destination address, protocol type, source port
– quantitative: date, time, packet length and delta time

Experiments

• Data visualization

(Figure panels: 3D GHSOM, 2D GHSOM)

Experiments

• plot of the input data hits

(Figure panels: Layer-1, Layer-2)

Experiments

• U-matrix

(Figure panels: Layer-1, Layer-2)

Experiments

• Component planes – Layer 1

Experiments

• Component planes – Layer 2

Experiments

• distribution of countries of origin

Conclusions

• The results show that the GHSOM can be used to cluster network traffic data and to represent it in a manner that can be of aid in network forensics. Therefore, this information can allow an expert in the field to successfully conclude a digital investigation.

Comments

• Advantages
– Using a visualisation technique helps the user view the data in a more intuitive and understandable way.

• Applications
– Network forensics
