10/17/2002 RAID 2002, Zurich 1
ELISHA: A Visual-Based Anomaly Detection System
Soon-Tee Teoh, Kwan-Liu Ma, S. Felix Wu
University of California, Davis
Dan Massey, Xiao-Liang Zhao, Allison Mankin
USC/ISI
Dan Pei, Lan Wang, Lixia Zhang
UCLA
Randy Bush
IIJ
Outline
• Visual-based “Anomaly Detection”
• The BGP/MOAS Problem
• ELISHA and demo
• Conclusion/Future Works
A Few Research Objectives
• Limitations on “Anomaly Detection”
  – We need to convey the alerts (or their abstraction) to the “human” users or experts
• Not only detecting the problem, but also, via an interactive process, finding more details about it
  – Root cause analysis
  – Event Correlation
• Human versus Machine Intelligence
Visual-based “Anomaly Detection”
• Utilize human’s cognitive pattern matching capability and techniques from information visualization.
• “Visual” Anomalies
  – Something catches your eyes…
An Interactive Process
• Methodology
  – Build an interactive interface between network management and operators, so they can visualize the data
  – Features help operators quickly perceive anomalies
Pipeline figure: Data Collection → Filtering → Mapping → Rendering → Viewing
BGP & Autonomous Systems
Figure (AS topology diagram): AS6192 (UCDavis), AS11423 (UC), AS11537 (CENIC); prefix 169.237/16
• 6192: UCDavis
• 11423: UC, the origin ID is CENIC
• 11537: administered by University Corporation for Advanced Internet Development, origin ID UCAID-1
• 513: administered by CERN - European Organization for Nuclear Research
• 3356: administered by Level 3 Communications, LLC, origin ID L3CL-1
• 6461: administered by Abovenet Communications, Inc
• 13129: RIPE Network Coordination Centre
• 209: administered by Qwest, origin ID QWEST-4
• 3320: RIPE Network Coordination Centre
• 9177: administered by NEXTRANET, T-Systems Multilink AG, Switzerland
• 4637, 1221 and 4608: administered by APNIC, but I can't find who they are in the APNIC whois database
• 3549: administered by Global Crossing, located in Phoenix, AZ
• 3257, 3333 and 1103: RIPE Network Coordination Centre
• 2914: administered by Verio, Inc
• 7018: administered by AT&T
Origin AS in an AS Path
• UCDavis (AS-6192) owns 169.237/16 and AS-6192 is the origin AS
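The slide defines the origin AS as the last AS in the AS path, and the outline's "BGP/MOAS Problem" is the case where one prefix is seen with more than one origin AS. The following is an added example, not code from the ELISHA project or the slides: it reads constructed route lines of the form "prefix AS-path", extracts the origin AS (including the AS_SET case written as {a,b}), and reports prefixes with Multiple Origin ASes. The sample routes, the private ASN 65001 used as a conflicting origin, and the 10.0.0.0/8 prefixes are constructed for illustration.

```python
"""Origin-AS extraction and MOAS (Multiple Origin AS) detection.

Added example; not part of the ELISHA system described in the slides.
Route lines are read as "prefix AS-path", where the AS path is listed
from the observing AS towards the origin, so the rightmost element is
the origin AS (or an AS_SET written as {a,b,...}).
"""
from collections import defaultdict
import re

# Constructed sample routes. 169.237/16 and AS 6192 come from the slides;
# the second origin 65001 (a private ASN) is made up to create a MOAS
# conflict for the example, as are the 10.x.0.0/16 prefixes.
SAMPLE_ROUTES = """\
# prefix            AS path (rightmost = origin)
169.237.0.0/16 7018 11537 11423 6192
169.237.0.0/16 2914 11537 11423 6192
169.237.0.0/16 3356 3356 3356 65001
10.1.0.0/16 209 3549 {4637,1221}
10.2.0.0/16 6461 3257 9177
"""

_AS_SET_RE = re.compile(r"\{([^}]*)\}")


def origin_as(as_path: str) -> frozenset[int]:
    """Return the origin AS(es) of an AS-path string.

    A plain path yields a single-element set; a trailing AS_SET such as
    "{4637,1221}" yields every member, since any of them may be the
    actual originator after aggregation.
    """
    tokens = as_path.split()
    if not tokens:
        raise ValueError("empty AS path")
    last = tokens[-1]
    m = _AS_SET_RE.fullmatch(last)
    if m:
        members = re.split(r"[,\s]+", m.group(1).strip())
        return frozenset(int(x) for x in members if x)
    return frozenset({int(last)})


def parse_routes(text: str) -> list[tuple[str, str]]:
    """Parse 'prefix path' lines; blank lines and '#' comments are skipped."""
    routes = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        prefix, _, path = line.partition(" ")
        routes.append((prefix, path.strip()))
    return routes


def find_moas(routes: list[tuple[str, str]]) -> dict[str, set[int]]:
    """Map each prefix to its distinct origin ASes and keep only the MOAS ones.

    A prefix with a single origin seen over many paths is normal; a prefix
    whose origin set has more than one member is the anomaly an operator
    would want surfaced (it may be legitimate multi-homing or a misconfiguration).
    """
    origins: dict[str, set[int]] = defaultdict(set)
    for prefix, path in routes:
        origins[prefix] |= origin_as(path)
    return {p: s for p, s in origins.items() if len(s) > 1}


if __name__ == "__main__":
    for prefix, asns in sorted(find_moas(parse_routes(SAMPLE_ROUTES)).items()):
        print(f"MOAS {prefix}: origins {sorted(asns)}")
```

The detector only flags the conflict; deciding whether a MOAS case is benign (e.g. a prefix deliberately announced from two ASes) or a misconfiguration is exactly the interactive, human-in-the-loop step the slides argue for.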