4 research outputs found

    ASAP: Automatic semantics-aware analysis of network payloads

    Automatic inspection of network payloads is a prerequisite for effective analysis of network communication. Security research has largely focused on network analysis using protocol specifications, for example for intrusion detection, fuzz testing and forensic analysis. The specification of a protocol alone, however, is often not sufficient for accurate analysis of communication, as it fails to reflect individual semantics of network applications. We propose a framework for semantics-aware analysis of network payloads which automatically extracts semantic components from recorded network traffic. Our method proceeds by mapping network payloads to a vector space and identifying semantic templates corresponding to base directions in the vector space. We demonstrate the efficacy of semantics-aware analysis in different security applications: automatic discovery of patterns in honeypot data, analysis of malware communication and network intrusion detection.

    Hierarchical visualization of network intrusion detection data


    Resource Constrained Adaptive Sensing.

    RESOURCE CONSTRAINED ADAPTIVE SENSING, by Raghuram Rangarajan. Chair: Alfred O. Hero III.

    Many signal processing methods in applications such as radar imaging, communication systems, and wireless sensor networks can be presented in an adaptive sensing context. The goal in adaptive sensing is to control the acquisition of data measurements through adaptive design of the input parameters, e.g., waveforms, energies, projections, and sensors for optimizing performance. This dissertation develops new methods for resource constrained adaptive sensing in the context of parameter estimation and detection, sensor management, and target tracking. We begin by investigating the advantages of adaptive waveform amplitude design for estimating parameters of an unknown channel/medium under average energy constraints. We present a statistical framework for sequential design (e.g., design of waveforms in adaptive sensing) of experiments that improves parameter estimation (e.g., scatter coefficients for radar imaging, channel coefficients for channel estimation) performance in terms of reduction in mean-squared error (MSE). We derive optimal adaptive energy allocation strategies that achieve an MSE improvement of more than 5dB over non adaptive methods. As a natural extension to the problem of estimation, we derive optimal energy allocation strategies for binary hypotheses testing under the frequentist and Bayesian frameworks which yield at least 2dB improvement in performance. We then shift our focus towards spatial design of waveforms by considering the problem of optimal waveform selection from a large waveform library for a state estimation problem. Since the optimal solution to this subset selection problem is combinatorially complex, we propose a convex relaxation to the problem and provide a low complexity suboptimal solution that achieves near optimal performance. Finally, we address the problem of sensor and target localization in wireless sensor networks. We develop a novel sparsity penalized multidimensional scaling algorithm for blind target tracking, i.e., a sensor network which can simultaneously track targets and obtain sensor location estimates.

    Ph.D., Electrical Engineering: Systems, University of Michigan, Horace H. Rackham School of Graduate Studies. http://deepblue.lib.umich.edu/bitstream/2027.42/57621/2/rangaraj_1.pd

    Manifold learning visualization of network traffic data

    When traffic anomalies or intrusion attempts occur on the network, we expect that the distribution of network traffic will change. Monitoring the network for changes over time, across space (at various routers in the network), over source and destination ports, IP addresses, or AS numbers, is an important part of anomaly detection. We present a manifold learning (ML)-based tool for the visualization of large sets of data which emphasizes the unusually small or large correlations that exist within the data set. We apply the tool to display anomalous traffic recorded by NetFlow on the Abilene backbone network. Furthermore, we present an online Java-based GUI which allows interactive demonstration of the use of the visualization method.