Time Series Data Mining for Context-Aware Event Analysis

Mona Lange

Abstract

Data-communication networks contain a multitude of data sources for data mining, such as network traffic, vulnerabilities detected by vulnerability scanners, or events reported by security sensors such as intrusion detection systems, intrusion prevention systems, or firewalls. These data are produced automatically within monitored networks. By applying time series data mining techniques, we are able to use these data to provide context-aware event analysis. In contrast to related work, our context-aware event analysis approach does not focus on modeling an attacker, but aims to automatically learn ongoing workflows and anticipate the negative effects of threats. Negative effects of threats can propagate along network dependencies, leading to a chain of events that is difficult for network operators to anticipate. Network traffic analysis allows us to develop a deeper understanding of an event's context within a monitored network. For this purpose we propose to recognize network dependencies automatically from network traffic. To learn network dependencies, we introduce a methodology based on the normalized form of cross correlation. Cross correlation is a well-established methodology for detecting similar signals in feature matching applications. We term the network dependency discovery approach Mission Oriented Network Analysis (MONA). Network dependencies identified by MONA are the foundation for mining workflows from network traffic. Workflow models describe the underlying dependencies between network devices and network services within data-communication networks. Linking events to workflows observed within a network thus allows us to understand an event's context. The context-aware event analysis approach introduced by this work is systematically evaluated with real-life case studies conducted within an energy distribution network. In addition, we compare MONA's performance and sensitivity to other state-of-the-art network dependency mining methodologies. This systematic comparison shows that MONA outperforms the state of the art.
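The abstract describes network dependency discovery as normalized cross correlation over traffic time series: two services are dependent when one service's traffic signal resembles the other's shifted by some lag. The following Python is an added illustration of that principle and is not MONA's code or the thesis's implementation. It constructs three per-second request-count series (a "frontend" service, a "backend" whose traffic mirrors the frontend two samples later with small noise, and an unrelated service), computes the normalized cross correlation at each candidate lag, and reports ordered pairs whose best positive lag exceeds a threshold. The series names, the lag range, and the 0.8 threshold are assumptions chosen for the example.

```python
import math
import random


def normalized_cross_correlation(x, y, lag):
    """Normalized cross correlation of x and y at a given lag.

    lag > 0 compares x[t] with y[t + lag], i.e. tests whether y follows x by
    `lag` samples; lag < 0 tests the opposite direction. Both series are
    mean-centred and scaled on the overlapping window, so the result lies in
    [-1, 1] regardless of absolute traffic volume.
    """
    n = min(len(x), len(y))
    if lag >= 0:
        xs, ys = x[: n - lag], y[lag:n]
    else:
        xs, ys = x[-lag:n], y[: n + lag]
    if len(xs) < 2:
        return 0.0
    mx = sum(xs) / len(xs)
    my = sum(ys) / len(ys)
    num = sum((a - mx) * (b - my) for a, b in zip(xs, ys))
    den = math.sqrt(sum((a - mx) ** 2 for a in xs) * sum((b - my) ** 2 for b in ys))
    if den == 0.0:
        return 0.0  # a constant series carries no dependency information
    return num / den


def best_lag(x, y, max_lag):
    """Return (lag, ncc) for the lag in [-max_lag, max_lag] with the highest NCC."""
    scores = [(lag, normalized_cross_correlation(x, y, lag))
              for lag in range(-max_lag, max_lag + 1)]
    return max(scores, key=lambda s: s[1])


def discover_dependencies(series, max_lag, threshold):
    """Report ordered pairs (src, dst, lag, ncc) where dst's traffic follows
    src's traffic by 1..max_lag samples with NCC at or above threshold.
    Only strictly positive lags are scanned, so each reported edge carries a
    direction (src -> dst)."""
    found = []
    for src, x in series.items():
        for dst, y in series.items():
            if src == dst:
                continue
            lag, score = max(((l, normalized_cross_correlation(x, y, l))
                              for l in range(1, max_lag + 1)), key=lambda s: s[1])
            if score >= threshold:
                found.append((src, dst, lag, round(score, 3)))
    return found


def build_sample_series(seed=7, length=200):
    """Constructed sample data (not captured traffic): request counts per
    second for three hypothetical services. The backend's count at time t is
    the frontend's count at t-2 plus a little noise; the third series is
    independent of both."""
    rng = random.Random(seed)
    frontend = [rng.randint(0, 50) for _ in range(length)]
    backend = [rng.randint(0, 50) for _ in range(2)] + \
              [c + rng.randint(0, 3) for c in frontend[:-2]]
    unrelated = [rng.randint(0, 50) for _ in range(length)]
    return {"frontend": frontend, "backend": backend, "unrelated": unrelated}


if __name__ == "__main__":
    series = build_sample_series()
    print("frontend->backend best lag:", best_lag(series["frontend"], series["backend"], 5))
    print("frontend->unrelated best lag:", best_lag(series["frontend"], series["unrelated"], 5))
    for src, dst, lag, score in discover_dependencies(series, 5, 0.8):
        print(f"dependency: {src} -> {dst} (lag {lag}s, ncc {score})")
```

Because the correlation is normalized, a low-volume management service and a high-volume web front end are compared on the same scale; the lag at which the peak occurs is what gives the dependency a direction, which is what makes such edges usable for reasoning about how the effect of an event on one service will show up on the services that depend on it.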
Original language: English
Qualification: Doctorate / PhD
Awarding Institution:
Supervisors/Advisors:
  • Möller, Ralf, Supervisor
  • Fischer, Stefan, Supervisor
Award date: 24.05.2017
Publication status: Published - 01.06.2017
