Automatically Inferring Patterns of Resource Consumption in Network Traffic
Cristian Estan, Stefan Savage, George Varghese, ACM SIGCOMM 2003
Summary by Bill Yurcik/NCSA

This paper has several aspects that are unique, which came out in discussion:
(1) cross-disciplinary (networking <-> security): the paper is published in a top-tier networking conference, but its examples are from security (denial-of-service identification);
(2) data mining: it describes in an understandable way the use of data mining for intrusion detection, even if it uses only the most basic of data mining clustering algorithms;
(3) operator usability: the goal is to provide meaningful information to security operators in a more intuitive way than is currently available;
(4) visualization: one method it attempts to use to provide usability is visualization of large amounts of complex data.

The paper describes a network management framework and then a prototype system implementation: AutoFocus. This implementation, together with the description of real-world case study experience, makes the difference in the credibility of the paper's arguments.

Network and security management are similar in that some administration is automated; however, the actual degree of automation is much lower than most people think. Human operators are still very much "in the loop", particularly during emergencies. Delay in the human-computer interface can adversely affect system security, so an important goal is to enhance this interface to reduce the delay. Methods are needed to help security operators more quickly extract the vital information from large amounts of data and translate this information into effective control actions. The text reports in Figure 5, which abstract away raw IP addresses, protocols, and port numbers and attempt to give intuitive information to operators, are a good first step.

The visualizations in Figures 6/7/8 were less satisfying in that they used the standard x-y visualization to convey information, when really a new visualization paradigm is needed. The data mining clustering algorithms were well described, but the consensus was that this is basic work that could use more sophisticated data mining expertise. Some stated that this paper was really not a cross-disciplinary security paper at all but just a core network management paper: the worm and DoS examples were unpersuasive, since DoS is about the easiest attack to detect and can be detected with many tools, so this work does not make a unique contribution. The rebuttal to this argument was that the paper does describe an interactive query ability for an operator to set thresholds and tune parameters, so security events can be detected given a strategy and insight into what to look for.

In closing, the paper is successful in proposing and implementing a novel tool for operators in the network and security domains. The consensus was that these unique aspects were all good ideas and together they are synergistic, but ultimately there is no singular in-depth breakthrough in any of the areas; incrementally, the state of the art is advanced. More work to be done here...

-------------------------------------------------------------------------------
Pros:
+ attempt to process technical details for human presentation in reports
+ explanation and demonstration of the data mining clustering algorithm
+ combining network and security management; these are hard to decouple, and too many tools treat them in isolation

Cons:
- visualization paradigm is poor
- data mining clustering algorithm is elementary
- tool may miss important security data given thresholding
-------------------------------------------------------------------------------
Votes:
Strong Accept: 2
Weak Accept: 11
Weak Reject: 0
Strong Reject: 0
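To make the clustering and thresholding discussed above concrete (and the "may miss important security data given thresholding" concern in the Cons), here is a simplified, one-dimensional sketch of threshold-based clustering over the source-IP prefix hierarchy, with a parent cluster suppressed when its volume is already explained by reported children. This is example code written for this summary, not code from the AutoFocus paper or its implementation; the flow records and threshold values are constructed.

```python
from collections import defaultdict
from ipaddress import IPv4Address, IPv4Network

# Constructed sample of (source IP, bytes) flow records, not real traffic:
# two loud hosts, one quieter neighbour, and three low-rate hosts in 192.168/16.
FLOWS = [
    ("10.1.2.3", 600), ("10.1.2.4", 500), ("10.1.2.5", 100),
    ("192.168.0.1", 50), ("192.168.1.1", 50), ("192.168.2.1", 50),
]

def prefix_clusters(flows, threshold):
    """Aggregate per-source byte counts up the IPv4 prefix hierarchy (/32 .. /0)
    and return every prefix whose total volume reaches the threshold."""
    volume = defaultdict(int)
    for src, nbytes in flows:
        for plen in range(32, -1, -1):
            net = IPv4Network((int(IPv4Address(src)), plen), strict=False)
            volume[str(net)] += nbytes
    return {p: v for p, v in volume.items() if v >= threshold}

def compress_report(clusters, threshold):
    """Drop a cluster whose volume is already explained by the more specific
    clusters reported inside it; keep it only if the unexplained remainder
    still reaches the threshold. Most specific prefixes are decided first."""
    reported = {}
    for prefix in sorted(clusters, key=lambda p: IPv4Network(p).prefixlen, reverse=True):
        net = IPv4Network(prefix)
        inside = [IPv4Network(r) for r in reported
                  if IPv4Network(r) != net and IPv4Network(r).subnet_of(net)]
        # Count each reported sub-cluster once: only those not nested in another one.
        maximal = [r for r in inside if not any(o != r and r.subnet_of(o) for o in inside)]
        explained = sum(reported[str(r)] for r in maximal)
        if clusters[prefix] - explained >= threshold:
            reported[prefix] = clusters[prefix]
    return reported

def report(flows, threshold):
    """Compressed cluster report: {prefix: total bytes} for the given threshold."""
    return compress_report(prefix_clusters(flows, threshold), threshold)

if __name__ == "__main__":
    for threshold in (400, 100):
        print(f"threshold={threshold}: {report(FLOWS, threshold)}")
```

At threshold 400 the report collapses to the two loud /32s and the three 192.168 hosts appear nowhere, at any prefix length; only lowering the threshold to 100 surfaces them as the aggregate 192.168.0.0/23, which is the thresholding blind spot the discussion raised.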