Koji Maruhashi

MultiAspectForensics: Pattern Mining on Large-Scale Heterogeneous Networks with Tensor Analysis

Modern applications such as web knowledge base, network traffic monitoring and online social networks have made available an unprecedented amount of network data with rich types of interactions carrying multiple attributes, for instance, port number and time tick in the case of network traffic. The design of algorithms to leverage this structured relationship with the power of computing to assist researchers and practitioners for better understanding, exploration and navigation of this space of information has become a challenging, albeit rewarding, topic in social network analysis and data mining. The constantly growing scale and enriching genres of network data always demand higher levels of efficiency, robustness and generalizability where existing approaches with successes on small, homogeneous network data are likely to fall short. We introduce MultiAspectForensics, a handy tool to automatically detect and visualize novel sub graph patterns within a local community of nodes in a heterogenous network, such as a set of vertices that form a dense bipartite graph whose edges share exactly the same set of attributes. We apply the proposed method on three data sets from distinct application domains, present empirical results and discuss insights derived from these patterns discovered. Our algorithm, built on scalable tensor analysis procedures, captures spectral properties of network data and reveals informative signals for subsequent domain-specific study and investigation, such as suspicious port-scanning activities in the scenario of cyber-security monitoring.

Predicting types of protein-protein interactions using a multiple-instance learning model

We propose a method for predicting types of protein-protein interactions using a multiple-instance learning (MIL) model. Given an interaction type to be predicted, the MIL model was trained using interaction data collected from biological pathways, where positive bags were constructed from interactions between protein complexes of that type, and negative bags from those of other types. In an experiment using the KEGG pathways and the Gene Ontology, the method successfully predicted an interaction type (phosphorylation) to an accuracy rate of 86.1%.

TOPASE: Detection and Prevention of Brute Force Attacks with Disciplined IPs from IDS Logs

Brute force attacks are used to obtain pairs of user names and passwords illegally by using all existing pairs to login to network services. These are a major security threat faced by network service administrators. In general, to prevent brute force attacks, administrators can set limitations on the number of login trials and shut down the traffic of brute force attacks with an intrusion prevention system (IPS) at the entry point to their services. In recent years, stealthy brute force attacks that can avoid the security rules and IPS and intrusion detection system (IDS) detection have appeared. Attackers tend to arrange a large amount of hosts and allocate them fewer login trials than the limitations administrators set. In this paper, we report a kind of distributed brute force attack event (brute force attacks with disciplined IPs, or DBF) against the Remote Desktop Protocol (RDP) by analyzing IDS logs integrated from multiple sites. In DBF, a particular number of attacks is repeated automatically from a host to a service over a period. For this reason, existing countermeasures have no effect on DBF. We investigate the structure of DBF and improve the existing countermeasure system. We also present TOPASE, which is replaced at each step of the existing countermeasure system and is suitable for DBF countermeasures. TOPASE analyzes the regularity of login trials between a source host and a destination host. Furthermore, TOPASE intercepts the network traffic from the source host of the brute force attack for a specific period. As a result of the evaluation with our IDS log, we estimate the performance of TOPASE and clarify the factors that maximize TOPASE’s effectiveness.

MultiAspectSpotting: Spotting Anomalous Behavior within Count Data Using Tensor

Methods for finding anomalous behaviors are attracting much attention, especially for very large datasets with several attributes with tens of thousands of categorical values. For example, security engineers try to find anomalous behaviors, i.e., remarkable attacks which greatly differ from the day’s trend of attacks, on the basis of intrusion detection system logs with source IPs, destination IPs, port numbers, and additional information. However, there are large amount of abnormal records caused by noise, which can be repeated more abnormally than those caused by anomalous behaviors, and they are hard to be distinguished from each other. To tackle these difficulties, we propose a two-step anomaly detection. First, we detect abnormal records as individual anomalies by using a statistical anomaly detection, which can be improved by Poisson Tensor Factorization. Next, we gather the individual anomalies into groups of records with similar attribute values, which can be implemented by CANDECOMP/PARAFAC (CP) Decomposition. We conduct experiments using datasets added with synthesized anomalies and prove that our method can spot anomalous behaviors effectively. Moreover, our method can spot interesting patterns within some real world datasets such as IDS logs and web-access logs.

TOPASE: Detection of brute force attacks used disciplined IPs from IDS log

In recent years, there exists stealthy brute force attacks that can avoid the security rules and detection by IPS (Intrusion Prevention System) and IDS (Intrusion Detection System). Attackers tend to arrange innumerable hosts and allocate them fewer login trials than the limitations the administrators have set. In this paper, we report a brute force attack event (Brute force attacks with disciplined IPs, DBF) by analyzing log with site-federated viewpoint analysis. The analyses can lead us to the structure of DBF and the existence of attackers behind the DBF. We also present TOPASE, which detect victim hosts of DBF. Combining TOPASE and shutting down based on the regularity of DBF can mitigate the DBFs to those victims.

EigenSP: A More Accurate Shortest Path Distance Estimation on Large-Scale Networks

Estimating the distances of the shortest path between given pairs of nodes in a graph is a basic operation in a wide variety of applications including social network analysis, web retrieval, etc. Such applications require a response on the order of a few milliseconds, but exact algorithms to compute the distance of the shortest path exactly do not work on real-world large-scale networks, because of their infeasible time complexities. The landmark-based methods approximate distances by using a few nodes as landmarks, and can accurately estimate shortest-path distances with feasible time complexities. However, they fail at estimating small distances, as it is difficult for a few selected landmarks to cover the shortest paths of many close node pairs. To tackle this problem, we present a novel method EigenSP, that estimates the shortest-path distance by using an adjacency matrix approximated by a few eigenvalues and eigenvectors. The average relative error rate of EigenSP is lower than that of the landmark-based methods on large graphs with many short distances. Empirical results suggest that EigenSP estimates small distances better than the landmark-based methods.