Viewing Labels

Viewing labels is useful for finding more information about a specific attack in the traffic set. A label records properties of the attack, which helps you judge what the detection methods are capable of detecting and which metrics are best at exposing the anomaly. Where known, the label also states the type of worm involved, for example that the activity is related to the Slammer worm.

You can use the user-defined methods get_label(label_id) and print_labels(labels) to check a label you have added and to view labels; to view every label, use print_labels(get_all_labels()). Example of printing one label and its output:

irb> print_labels(get_label(1))

Label: 1
Attack: outbound bandwidth flood
Interval Span: 2
Attack flows: 22
Description:
- increased traffic on port 80 (magnitude larger than normal)
- destined to the single host: 402737628 (internet)
- 22 flow sizes > 755191
- two Intranet hosts generate all of this additional traffic: 179858, 147761
- does not show up in degree since these two hosts only contact 4 unique hosts

Searching Labels

Functionality is provided to search through the label descriptions for words. Matching is case-insensitive, and you can ask either for labels that match all of the words or for labels that match any of the words in the search string.

To use this functionality we provide the search_labels_and(words) and search_labels_or(words) methods. The former returns the labels whose description contains all of the words in the string parameter, in any order; the latter returns the labels whose description contains any of them. Both return label ids, which can be passed to get_label(label_id).

For our example, we have two labels:

irb> print_labels(get_all_labels())

Label: 1
Attack: outbound bandwidth flood
Interval Span: 2
Attack flows: 22
Description:
- increased traffic on port 80 (magnitude larger than normal)
- destined to the single host: 402737628 (internet)
- 22 flow sizes > 755191
- two Intranet hosts generate all of this additional traffic: 179858, 147761
- does not show up in degree since these two hosts only contact 4 unique hosts

Label: 2
Attack: inbound worm activity
Interval Span: 1
Attack flows: 5
Description:
slammer worm

To find labels that contain the word "intranet":

irb> search_labels_and("intranet").each {|label| puts label}
1

To find labels that contain either intrAnet or slaMMer, also illustrating case insensitivity:

irb> search_labels_or("intrAnet slaMMer").each {|label| puts label}
1
2

These methods can also be used in conjunction with the get_label(label_id) and print_labels(labels) methods to retrieve the full label information and print it nicely:

irb> search_labels_or("InTrAnet slaMMer").each {|label| print_labels(get_label(label))}

Label: 1
Attack: outbound bandwidth flood
Interval Span: 2
Attack flows: 22
Description:
- increased traffic on port 80 (magnitude larger than normal)
- destined to the single host: 402737628 (internet)
- 22 flow sizes > 755191
- two Intranet hosts generate all of this additional traffic: 179858, 147761
- does not show up in degree since these two hosts only contact 4 unique hosts

Label: 2
Attack: inbound worm activity
Interval Span: 1
Attack flows: 5
Description:
slammer worm
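The following is an added example, not the tool's own code: a minimal stand-alone reimplementation of the label viewing (get_label, get_all_labels, print_labels) and searching (search_labels_and, search_labels_or) behaviour described in the two sections above, so the matching rules can be exercised outside irb. The two labels are constructed to mirror the ones shown on this page; the Label struct, the format_labels helper, and the rule that a word matches as a case-insensitive substring of the description are assumptions about the real implementation.

```ruby
# Added example (not the project's own code). Reimplements the label viewing
# and searching behaviour documented above over two constructed labels.
# Assumptions: the Label struct, format_labels, and substring-based matching.

Label = Struct.new(:id, :attack, :interval_span, :attack_flows, :description)

# Constructed sample data mirroring the page's two labels.
LABELS = {
  1 => Label.new(1, "outbound bandwidth flood", 2, 22, [
    "- increased traffic on port 80 (magnitude larger than normal)",
    "- destined to the single host: 402737628 (internet)",
    "- 22 flow sizes > 755191",
    "- two Intranet hosts generate all of this additional traffic: 179858, 147761",
    "- does not show up in degree since these two hosts only contact 4 unique hosts",
  ].join("\n")),
  2 => Label.new(2, "inbound worm activity", 1, 5, "slammer worm"),
}.freeze

def get_label(label_id)
  LABELS.fetch(label_id) { raise ArgumentError, "no label with id #{label_id}" }
end

def get_all_labels
  LABELS.values
end

# Render one Label or a collection of Labels in the layout shown in the
# transcripts above. Returns the text so it can be checked as well as printed.
# Note: Struct includes Enumerable, so a single Label must be wrapped explicitly
# rather than with Array(), which would splat its fields.
def format_labels(labels)
  list = labels.is_a?(Label) ? [labels] : labels
  list.map do |l|
    "Label: #{l.id}\nAttack: #{l.attack}\nInterval Span: #{l.interval_span}\n" \
    "Attack flows: #{l.attack_flows}\nDescription:\n#{l.description}\n"
  end.join("\n")
end

def print_labels(labels)
  puts format_labels(labels)
end

# Split the search string into lowercase words. Matching is a case-insensitive
# substring test against each description (assumption: the real tool may
# tokenise differently).
def search_words(words)
  words.downcase.split
end

def description_matches?(label, word)
  label.description.downcase.include?(word)
end

# IDs of labels whose description contains every word, in any order.
# An empty search string matches nothing rather than everything.
def search_labels_and(words)
  terms = search_words(words)
  return [] if terms.empty?
  LABELS.values.select { |l| terms.all? { |w| description_matches?(l, w) } }.map(&:id)
end

# IDs of labels whose description contains at least one of the words.
def search_labels_or(words)
  terms = search_words(words)
  LABELS.values.select { |l| terms.any? { |w| description_matches?(l, w) } }.map(&:id)
end

if __FILE__ == $PROGRAM_NAME
  # Same chain as the last transcript above: search, then print the full records.
  search_labels_or("InTrAnet slaMMer").each { |id| print_labels(get_label(id)) }
end
```

One point worth checking against the real tool: search_labels_and with words that are spread across different labels (for example "intranet slammer") returns no ids, because the conjunction applies within a single description, not across the label set.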