• Home

  • Documents

  • Protocol Inspection and State Machine Analysis...
59
Protocol Inspection and State Machine Analysis (PRISMA) Tammo Krueger Hugo Gascon Konrad Rieck Motivation PRISMA Preprocessing Embedding Testing Event Clustering Markov Model Templates and Rules Example Evaluation Similarity Syntax & Semantic Outlook Protocol Inspection and State Machine Analysis (PRISMA) Tammo Krueger Hugo Gascon Konrad Rieck 19.6.2012 University of G¨ ottingen

Protocol Inspection and State Machine Analysis (PRISMA)tammok.github.io/talks/prismalecture.pdfSemantic Outlook Statistical Test { Example II 90 95 100 105 110 115 120 0.00 0.05 0.10

  • Upload
    others

  • View
    4

  • Download
    0

Embed Size (px)

Citation preview

Page 1: Protocol Inspection and State Machine Analysis (PRISMA)tammok.github.io/talks/prismalecture.pdfSemantic Outlook Statistical Test { Example II 90 95 100 105 110 115 120 0.00 0.05 0.10

ProtocolInspection andState Machine

Analysis(PRISMA)

TammoKrueger

Hugo GasconKonrad Rieck

Motivation

PRISMA

Preprocessing

Embedding

Testing

Event Clustering

Markov Model

Templates andRules

Example

Evaluation

Similarity

Syntax &Semantic

Outlook

Protocol Inspection and State MachineAnalysis (PRISMA)

Tammo KruegerHugo GasconKonrad Rieck

19.6.2012 University of Gottingen

Page 2: Protocol Inspection and State Machine Analysis (PRISMA)tammok.github.io/talks/prismalecture.pdfSemantic Outlook Statistical Test { Example II 90 95 100 105 110 115 120 0.00 0.05 0.10

ProtocolInspection andState Machine

Analysis(PRISMA)

TammoKrueger

Hugo GasconKonrad Rieck

Motivation

PRISMA

Preprocessing

Embedding

Testing

Event Clustering

Markov Model

Templates andRules

Example

Evaluation

Similarity

Syntax &Semantic

Outlook

Proactive Security for Convergent Communication(PROSEC)

Proactive protection of services:

Self-learning protocol analysis

Deployment of “Honey-Services”

Proactive protection of communication and attackdetection

Page 3: Protocol Inspection and State Machine Analysis (PRISMA)tammok.github.io/talks/prismalecture.pdfSemantic Outlook Statistical Test { Example II 90 95 100 105 110 115 120 0.00 0.05 0.10

ProtocolInspection andState Machine

Analysis(PRISMA)

TammoKrueger

Hugo GasconKonrad Rieck

Motivation

PRISMA

Preprocessing

Embedding

Testing

Event Clustering

Markov Model

Templates andRules

Example

Evaluation

Similarity

Syntax &Semantic

Outlook

Motivation

PRISMALENS

Client/Server

CommunicationSimulated C/S

Communication

Generic Messages

Abstract State Machine

Given a pool of client/server communication infer genericmessages and abstract state machine

1 To emulate services (honeypots)

2 Lure attackers

3 Gather information about threat potential

Page 4: Protocol Inspection and State Machine Analysis (PRISMA)tammok.github.io/talks/prismalecture.pdfSemantic Outlook Statistical Test { Example II 90 95 100 105 110 115 120 0.00 0.05 0.10

ProtocolInspection andState Machine

Analysis(PRISMA)

TammoKrueger

Hugo GasconKonrad Rieck

Motivation

PRISMA

Preprocessing

Embedding

Testing

Event Clustering

Markov Model

Templates andRules

Example

Evaluation

Similarity

Syntax &Semantic

Outlook

Motivation – Top-Down Model of Tasks

PRISMA

Embedding

Events

Markov Model

Templates

Rules

LENSClient/Server

CommunicationSimulated C/S

Communication

By embedding and event clustering approximate abstract statemachine and message types:

Infer Markov model of the behavior

Find inherent structure of the messages (templates)

Gather information flow between states (rules)

Page 5: Protocol Inspection and State Machine Analysis (PRISMA)tammok.github.io/talks/prismalecture.pdfSemantic Outlook Statistical Test { Example II 90 95 100 105 110 115 120 0.00 0.05 0.10

ProtocolInspection andState Machine

Analysis(PRISMA)

TammoKrueger

Hugo GasconKonrad Rieck

Motivation

PRISMA

Preprocessing

Embedding

Testing

Event Clustering

Markov Model

Templates andRules

Example

Evaluation

Similarity

Syntax &Semantic

Outlook

System Overview

b

Msg. 1

Msg. 2

Msg. 4

Msg. 3

Msg. 5

Msg. 6

a

c

d

e

f

g

h

i

b

Event 1

Event 2

Event 3

a

c

d

e

f

g

h

i

Event 2

Msg. 1

Msg. 2

Msg. 4

Msg. 3

Msg. 5

Msg. 6

Event 1

Event 3

X = B C

Client

Session 1

Session 2

Session 3

...

Session n

Msg. 1

Communication

CARRY.UAC|WALL.UAS

WALL.UAS|CARRY.UAC

CARRY.UAC|BASE.UAS

CARRY.UAC|FREE.UAS

BASE.UAS|ENDBASE.UAS|GO.UAC

FREE.UAS|CARRY.UAC

START|START

Derrick & Harry

Embedding Event Clustering

Markov Model

Template1

RULE srcField:0 dstField:0 type:ExactRule

RULE srcField:1 dstField:2 type:ExactRule

RULE srcField:3 dstField:1 type:ExactRule

RULE dstField:4 type:DataRule

data:678537408252460955, ...

RULE dstField:5 type:DataRule

data:252460957,252461242,252461608, ...

RULE dstField:6 type:DataRule

data:12004,12020,12018,12028,12002,12004

Server

Page 6: Protocol Inspection and State Machine Analysis (PRISMA)tammok.github.io/talks/prismalecture.pdfSemantic Outlook Statistical Test { Example II 90 95 100 105 110 115 120 0.00 0.05 0.10

ProtocolInspection andState Machine

Analysis(PRISMA)

TammoKrueger

Hugo GasconKonrad Rieck

Motivation

PRISMA

Preprocessing

Embedding

Testing

Event Clustering

Markov Model

Templates andRules

Example

Evaluation

Similarity

Syntax &Semantic

Outlook

System Overview – Preprocessing

b

Msg. 1

Msg. 2

Msg. 4

Msg. 3

Msg. 5

Msg. 6

a

c

d

e

f

g

h

i

b

Event 1

Event 2

Event 3

a

c

d

e

f

g

h

i

Event 2

Msg. 1

Msg. 2

Msg. 4

Msg. 3

Msg. 5

Msg. 6

Event 1

Event 3

X = B C

Client

Session 1

Session 2

Session 3

...

Session n

Msg. 1

Communication

CARRY.UAC|WALL.UAS

WALL.UAS|CARRY.UAC

CARRY.UAC|BASE.UAS

CARRY.UAC|FREE.UAS

BASE.UAS|ENDBASE.UAS|GO.UAC

FREE.UAS|CARRY.UAC

START|START

Derrick & Harry

Embedding Event Clustering

Markov Model

Template1

RULE srcField:0 dstField:0 type:ExactRule

RULE srcField:1 dstField:2 type:ExactRule

RULE srcField:3 dstField:1 type:ExactRule

RULE dstField:4 type:DataRule

data:678537408252460955, ...

RULE dstField:5 type:DataRule

data:252460957,252461242,252461608, ...

RULE dstField:6 type:DataRule

data:12004,12020,12018,12028,12002,12004

Server

Page 7: Protocol Inspection and State Machine Analysis (PRISMA)tammok.github.io/talks/prismalecture.pdfSemantic Outlook Statistical Test { Example II 90 95 100 105 110 115 120 0.00 0.05 0.10

ProtocolInspection andState Machine

Analysis(PRISMA)

TammoKrueger

Hugo GasconKonrad Rieck

Motivation

PRISMA

Preprocessing

Embedding

Testing

Event Clustering

Markov Model

Templates andRules

Example

Evaluation

Similarity

Syntax &Semantic

Outlook

Preprocessing

Data acquisition via tcpdump

Tool chain needed, to process these binary dump files

Derrick assembles packet contents based on themature libnids library

Harry concatenates packets to messages andextracts session information

Data available for the next steps:

1 messages as sequence of bytes

2 sessions as sequence of messages

Point 1 will be used in the embedding step

Outcome of the embedding step will be used in theclustering step

Point 2 and outcome of the clustering will be used in themodel building step

Page 8: Protocol Inspection and State Machine Analysis (PRISMA)tammok.github.io/talks/prismalecture.pdfSemantic Outlook Statistical Test { Example II 90 95 100 105 110 115 120 0.00 0.05 0.10

ProtocolInspection andState Machine

Analysis(PRISMA)

TammoKrueger

Hugo GasconKonrad Rieck

Motivation

PRISMA

Preprocessing

Embedding

Testing

Event Clustering

Markov Model

Templates andRules

Example

Evaluation

Similarity

Syntax &Semantic

Outlook

System Overview – Embedding

b

Msg. 1

Msg. 2

Msg. 4

Msg. 3

Msg. 5

Msg. 6

a

c

d

e

f

g

h

i

b

Event 1

Event 2

Event 3

a

c

d

e

f

g

h

i

Event 2

Msg. 1

Msg. 2

Msg. 4

Msg. 3

Msg. 5

Msg. 6

Event 1

Event 3

X = B C

Client

Session 1

Session 2

Session 3

...

Session n

Msg. 1

Communication

CARRY.UAC|WALL.UAS

WALL.UAS|CARRY.UAC

CARRY.UAC|BASE.UAS

CARRY.UAC|FREE.UAS

BASE.UAS|ENDBASE.UAS|GO.UAC

FREE.UAS|CARRY.UAC

START|START

Derrick & Harry

Embedding Event Clustering

Markov Model

Template1

RULE srcField:0 dstField:0 type:ExactRule

RULE srcField:1 dstField:2 type:ExactRule

RULE srcField:3 dstField:1 type:ExactRule

RULE dstField:4 type:DataRule

data:678537408252460955, ...

RULE dstField:5 type:DataRule

data:252460957,252461242,252461608, ...

RULE dstField:6 type:DataRule

data:12004,12020,12018,12028,12002,12004

Server

Page 9: Protocol Inspection and State Machine Analysis (PRISMA)tammok.github.io/talks/prismalecture.pdfSemantic Outlook Statistical Test { Example II 90 95 100 105 110 115 120 0.00 0.05 0.10

ProtocolInspection andState Machine

Analysis(PRISMA)

TammoKrueger

Hugo GasconKonrad Rieck

Motivation

PRISMA

Preprocessing

Embedding

Testing

Event Clustering

Markov Model

Templates andRules

Example

Evaluation

Similarity

Syntax &Semantic

Outlook

Embedding

1 N-grams: Given the set of all possible n-grams over bytesequences S “ t0, . . . , 255un, we define the embeddingfunction φ : t0, . . . , 255u‹ ÞÑ R|S | as

φpxq “ pφspxqqsPS with φspxq “ occspxq.

Example (n “ 3):

φp”Hello”q “ p0, . . . ,Hel1 ,

ell1 ,

llo1 , . . . , 0qT P R16777216

2 Tokens: Given a set of seperators Sep we can split thebyte sequence into tokens; example (Sep “ t u):

φp”We’ll meet again”q “ p0, . . . ,We’ll

1 ,meet

1 ,again

1 , . . . , 0qT P R?

Page 10: Protocol Inspection and State Machine Analysis (PRISMA)tammok.github.io/talks/prismalecture.pdfSemantic Outlook Statistical Test { Example II 90 95 100 105 110 115 120 0.00 0.05 0.10

ProtocolInspection andState Machine

Analysis(PRISMA)

TammoKrueger

Hugo GasconKonrad Rieck

Motivation

PRISMA

Preprocessing

Embedding

Testing

Event Clustering

Markov Model

Templates andRules

Example

Evaluation

Similarity

Syntax &Semantic

Outlook

Dimension Reduction via Statistical Testing

Embedding space high-dimensional but sparse

Some dimension do not carry real information:

Fixed protocol tokensRandom, volatile tokens (cookies, nonces, . . . )

Focus the analysis by splitting the feature set F :

F “ Fprotocol Y Falphabet Y Fvolatile

Keep features, which are not part of the protocol and arenot volatile

How to decide, whether a feature belongs to Fprotocol orFvolatile? Use statistical testing!

Page 11: Protocol Inspection and State Machine Analysis (PRISMA)tammok.github.io/talks/prismalecture.pdfSemantic Outlook Statistical Test { Example II 90 95 100 105 110 115 120 0.00 0.05 0.10

ProtocolInspection andState Machine

Analysis(PRISMA)

TammoKrueger

Hugo GasconKonrad Rieck

Motivation

PRISMA

Preprocessing

Embedding

Testing

Event Clustering

Markov Model

Templates andRules

Example

Evaluation

Similarity

Syntax &Semantic

Outlook

Anatomy of a Statistical Testing Procedure

Given measurements decide, whether we can accept orreject a hypotheses (H0) in favor to an alternative (H1) ina statistical sense

Distribution assumption (parametric/non-parametric)

Predefined significance level (α P 0.01, 0.05, 0.1)

Test statistic

p-value: probability to observe a value for the test statisticat least as extreme as the value that was actually observedgiven H0 is true

Decision rule: reject H0 if p-value is smaller than thesignificance level

Page 12: Protocol Inspection and State Machine Analysis (PRISMA)tammok.github.io/talks/prismalecture.pdfSemantic Outlook Statistical Test { Example II 90 95 100 105 110 115 120 0.00 0.05 0.10

ProtocolInspection andState Machine

Analysis(PRISMA)

TammoKrueger

Hugo GasconKonrad Rieck

Motivation

PRISMA

Preprocessing

Embedding

Testing

Event Clustering

Markov Model

Templates andRules

Example

Evaluation

Similarity

Syntax &Semantic

Outlook

Statistical Test – Example I

Mean Shaft Size

Fre

quen

cy

85 90 95 100 105 110 115

050

100

150

200

Measure impact of fertilizer A on grain shaft size:1 collect N samples from several fields treated with fertilizer

A2 record the mean size of these N samples per field3 plot the distribution and calculate mean µA and standard

deviation σA

Outcome: µA “ 100cm, σA “ 4cm

Page 13: Protocol Inspection and State Machine Analysis (PRISMA)tammok.github.io/talks/prismalecture.pdfSemantic Outlook Statistical Test { Example II 90 95 100 105 110 115 120 0.00 0.05 0.10

ProtocolInspection andState Machine

Analysis(PRISMA)

TammoKrueger

Hugo GasconKonrad Rieck

Motivation

PRISMA

Preprocessing

Embedding

Testing

Event Clustering

Markov Model

Templates andRules

Example

Evaluation

Similarity

Syntax &Semantic

Outlook

Statistical Test – Example I

90 95 100 105 110

0.00

0.04

0.08

Mean Shaft Size

d 1 − α

Given a new measurement of a field x , can we determinewith a given error level of α, whether it was treated withfertilizer A?

Assume normal distribution Ñ p1´ αq “ 95% of the datalies in the interval r92.16, 107.83s!

Page 14: Protocol Inspection and State Machine Analysis (PRISMA)tammok.github.io/talks/prismalecture.pdfSemantic Outlook Statistical Test { Example II 90 95 100 105 110 115 120 0.00 0.05 0.10

ProtocolInspection andState Machine

Analysis(PRISMA)

TammoKrueger

Hugo GasconKonrad Rieck

Motivation

PRISMA

Preprocessing

Embedding

Testing

Event Clustering

Markov Model

Templates andRules

Example

Evaluation

Similarity

Syntax &Semantic

Outlook

Statistical Test – Example I

90 95 100 105 110

0.00

0.04

0.08

Mean Shaft Size

d 1 − α

Different question: has new field x a bigger grain shaftsize than the fields treated with fertilizer A?

Assume normal distribution Ñ p1´ αq “ 95% of the datalies in the interval r´8, 106.57s!

Page 15: Protocol Inspection and State Machine Analysis (PRISMA)tammok.github.io/talks/prismalecture.pdfSemantic Outlook Statistical Test { Example II 90 95 100 105 110 115 120 0.00 0.05 0.10

ProtocolInspection andState Machine

Analysis(PRISMA)

TammoKrueger

Hugo GasconKonrad Rieck

Motivation

PRISMA

Preprocessing

Embedding

Testing

Event Clustering

Markov Model

Templates andRules

Example

Evaluation

Similarity

Syntax &Semantic

Outlook

Statistical Test – Example I

90 95 100 105 110

0.00

0.04

0.08

Mean Shaft Size

d 1 − α

Different question: has new field x a smaller grain shaftsize than the fields treated with fertilizer A?

Assume normal distribution Ñ p1´ αq “ 95% of the datalies in the interval r93.42,`8s!

Page 16: Protocol Inspection and State Machine Analysis (PRISMA)tammok.github.io/talks/prismalecture.pdfSemantic Outlook Statistical Test { Example II 90 95 100 105 110 115 120 0.00 0.05 0.10

ProtocolInspection andState Machine

Analysis(PRISMA)

TammoKrueger

Hugo GasconKonrad Rieck

Motivation

PRISMA

Preprocessing

Embedding

Testing

Event Clustering

Markov Model

Templates andRules

Example

Evaluation

Similarity

Syntax &Semantic

Outlook

Statistical Testing: What Can Go Wrong?

H0 is true H1 is true

Accept H0 Right decision Type II Error (β)Reject H0 Type I Error (α) Right decision

Type I error controlled by significance level α

Type II error is used to describe the power p1´ βq, i.e. theprobability of correctly rejecting H0

Page 17: Protocol Inspection and State Machine Analysis (PRISMA)tammok.github.io/talks/prismalecture.pdfSemantic Outlook Statistical Test { Example II 90 95 100 105 110 115 120 0.00 0.05 0.10

ProtocolInspection andState Machine

Analysis(PRISMA)

TammoKrueger

Hugo GasconKonrad Rieck

Motivation

PRISMA

Preprocessing

Embedding

Testing

Event Clustering

Markov Model

Templates andRules

Example

Evaluation

Similarity

Syntax &Semantic

Outlook

Statistical Test – Example II

Mean Shaft Size

Fre

quen

cy

95 100 105 110 115 120

050

100

150

Measure impact of new fertilizer B on grain shaft size:1 collect N samples from several fields treated with fertilizer

B2 record the mean size of these N samples per field3 plot the distribution and calculate mean µB and standard

deviation σB

Outcome: µB “ 110cm, σB “ 4cm

Page 18: Protocol Inspection and State Machine Analysis (PRISMA)tammok.github.io/talks/prismalecture.pdfSemantic Outlook Statistical Test { Example II 90 95 100 105 110 115 120 0.00 0.05 0.10

ProtocolInspection andState Machine

Analysis(PRISMA)

TammoKrueger

Hugo GasconKonrad Rieck

Motivation

PRISMA

Preprocessing

Embedding

Testing

Event Clustering

Markov Model

Templates andRules

Example

Evaluation

Similarity

Syntax &Semantic

Outlook

Statistical Test – Example II

90 95 100 105 110 115 120

0.00

0.04

0.08

x

d 1 − α 1 − β

Different question: has new field x been treated withfertilizer A or fertilizer B?

Power 1´ β of test is directly connected to thesignificance level α!

Page 19: Protocol Inspection and State Machine Analysis (PRISMA)tammok.github.io/talks/prismalecture.pdfSemantic Outlook Statistical Test { Example II 90 95 100 105 110 115 120 0.00 0.05 0.10

ProtocolInspection andState Machine

Analysis(PRISMA)

TammoKrueger

Hugo GasconKonrad Rieck

Motivation

PRISMA

Preprocessing

Embedding

Testing

Event Clustering

Markov Model

Templates andRules

Example

Evaluation

Similarity

Syntax &Semantic

Outlook

Statistical Test – Example II

90 95 100 105 110 115 120

0.00

0.05

0.10

0.15

0.20

x

d 1 − α 1 − β

How can we improve the power of the test?

Increase the sample size N to lower the standarddeviations σA and σB !

Page 20: Protocol Inspection and State Machine Analysis (PRISMA)tammok.github.io/talks/prismalecture.pdfSemantic Outlook Statistical Test { Example II 90 95 100 105 110 115 120 0.00 0.05 0.10

ProtocolInspection andState Machine

Analysis(PRISMA)

TammoKrueger

Hugo GasconKonrad Rieck

Motivation

PRISMA

Preprocessing

Embedding

Testing

Event Clustering

Markov Model

Templates andRules

Example

Evaluation

Similarity

Syntax &Semantic

Outlook

Statistical Testing: What Can Go Wrong? – Part 2

http://xkcd.com/882/

Page 21: Protocol Inspection and State Machine Analysis (PRISMA)tammok.github.io/talks/prismalecture.pdfSemantic Outlook Statistical Test { Example II 90 95 100 105 110 115 120 0.00 0.05 0.10

ProtocolInspection andState Machine

Analysis(PRISMA)

TammoKrueger

Hugo GasconKonrad Rieck

Motivation

PRISMA

Preprocessing

Embedding

Testing

Event Clustering

Markov Model

Templates andRules

Example

Evaluation

Similarity

Syntax &Semantic

Outlook

Statistical Testing: What Can Go Wrong? – Part 2

Page 22: Protocol Inspection and State Machine Analysis (PRISMA)tammok.github.io/talks/prismalecture.pdfSemantic Outlook Statistical Test { Example II 90 95 100 105 110 115 120 0.00 0.05 0.10

ProtocolInspection andState Machine

Analysis(PRISMA)

TammoKrueger

Hugo GasconKonrad Rieck

Motivation

PRISMA

Preprocessing

Embedding

Testing

Event Clustering

Markov Model

Templates andRules

Example

Evaluation

Similarity

Syntax &Semantic

Outlook

Statistical Testing: What Can Go Wrong? – Part 2

Page 23: Protocol Inspection and State Machine Analysis (PRISMA)tammok.github.io/talks/prismalecture.pdfSemantic Outlook Statistical Test { Example II 90 95 100 105 110 115 120 0.00 0.05 0.10

ProtocolInspection andState Machine

Analysis(PRISMA)

TammoKrueger

Hugo GasconKonrad Rieck

Motivation

PRISMA

Preprocessing

Embedding

Testing

Event Clustering

Markov Model

Templates andRules

Example

Evaluation

Similarity

Syntax &Semantic

Outlook

Multiple Testing

0 20 40 60 80 100

0.2

0.4

0.6

0.8

1.0

Number of Parallel Tests

P(a

t lea

st o

ne ty

pe I

erro

r)

In explorative data studies (e.g. micro-array experiments)a lot of tests are made in parallelFor each of these k tests an error of type I can occur withprobability α:

Ppat least one type I errorq

“ 1´ Ppno type I errorq

“ 1´ p1´ αqk

Page 24: Protocol Inspection and State Machine Analysis (PRISMA)tammok.github.io/talks/prismalecture.pdfSemantic Outlook Statistical Test { Example II 90 95 100 105 110 115 120 0.00 0.05 0.10

ProtocolInspection andState Machine

Analysis(PRISMA)

TammoKrueger

Hugo GasconKonrad Rieck

Motivation

PRISMA

Preprocessing

Embedding

Testing

Event Clustering

Markov Model

Templates andRules

Example

Evaluation

Similarity

Syntax &Semantic

Outlook

Multiple Testing – α Correction

20 40 60 80 100

0.00

10.

003

0.00

5

Number of Parallel Tests

α

SidakBonferroni

Use adjusted α (Sidak Correction):

Ppat least one type I errorq “ α

ÐÑ 1´ p1´ αqk “ α

ÐÑ α “ 1´ p1´ αq1{k

Bonferroni Correction: use α “ α{k « 1´ p1´ αq1{k .

Page 25: Protocol Inspection and State Machine Analysis (PRISMA)tammok.github.io/talks/prismalecture.pdfSemantic Outlook Statistical Test { Example II 90 95 100 105 110 115 120 0.00 0.05 0.10

ProtocolInspection andState Machine

Analysis(PRISMA)

TammoKrueger

Hugo GasconKonrad Rieck

Motivation

PRISMA

Preprocessing

Embedding

Testing

Event Clustering

Markov Model

Templates andRules

Example

Evaluation

Similarity

Syntax &Semantic

Outlook

Dimension Reduction via Statistical Testing

Embedding space high-dimensional but sparseSome dimension do not carry real information:

Fixed protocol tokensRandom, volatile tokens (cookies, nonces, . . . )

Focus the analysis by splitting the feature set F :

F “ Fprotocol Y Falphabet Y Fvolatile

Calculate frequency f of each feature and test viaaproximated binomial test:

pprotocol “ binom.testpH0 : f « 1.0q

pvolatile “ binom.testpH0 : f « 0.0q

Adjust significance level α for multiple testing

Keep features, which are not part of the protocol and arenot volatile: pprotocol ď α^ pvolatile ď α

Page 26: Protocol Inspection and State Machine Analysis (PRISMA)tammok.github.io/talks/prismalecture.pdfSemantic Outlook Statistical Test { Example II 90 95 100 105 110 115 120 0.00 0.05 0.10

ProtocolInspection andState Machine

Analysis(PRISMA)

TammoKrueger

Hugo GasconKonrad Rieck

Motivation

PRISMA

Preprocessing

Embedding

Testing

Event Clustering

Markov Model

Templates andRules

Example

Evaluation

Similarity

Syntax &Semantic

Outlook

System Overview – Event Clustering

b

Msg. 1

Msg. 2

Msg. 4

Msg. 3

Msg. 5

Msg. 6

a

c

d

e

f

g

h

i

b

Event 1

Event 2

Event 3

a

c

d

e

f

g

h

i

Event 2

Msg. 1

Msg. 2

Msg. 4

Msg. 3

Msg. 5

Msg. 6

Event 1

Event 3

X = B C

Client

Session 1

Session 2

Session 3

...

Session n

Msg. 1

Communication

CARRY.UAC|WALL.UAS

WALL.UAS|CARRY.UAC

CARRY.UAC|BASE.UAS

CARRY.UAC|FREE.UAS

BASE.UAS|ENDBASE.UAS|GO.UAC

FREE.UAS|CARRY.UAC

START|START

Derrick & Harry

Embedding Event Clustering

Markov Model

Template1

RULE srcField:0 dstField:0 type:ExactRule

RULE srcField:1 dstField:2 type:ExactRule

RULE srcField:3 dstField:1 type:ExactRule

RULE dstField:4 type:DataRule

data:678537408252460955, ...

RULE dstField:5 type:DataRule

data:252460957,252461242,252461608, ...

RULE dstField:6 type:DataRule

data:12004,12020,12018,12028,12002,12004

Server

Page 27: Protocol Inspection and State Machine Analysis (PRISMA)tammok.github.io/talks/prismalecture.pdfSemantic Outlook Statistical Test { Example II 90 95 100 105 110 115 120 0.00 0.05 0.10

ProtocolInspection andState Machine

Analysis(PRISMA)

TammoKrueger

Hugo GasconKonrad Rieck

Motivation

PRISMA

Preprocessing

Embedding

Testing

Event Clustering

Markov Model

Templates andRules

Example

Evaluation

Similarity

Syntax &Semantic

Outlook

Clustering – Introduction

●●

●● ●

●●

● ●

●● ●

●●

●●

● ●

●●

●● ●●

●●

●●

●●

●●

●●

● ●

●●

● ●●

●●

●●

●● ●

●●

●●

● ●

●●

●●

●●

●●●

●●

●●●

● ●

●●

● ●●

● ●

●● ●

● ●●

●● ●

●●

●●

● ●●

Vectorial representation of messages allows application ofgeometrical concepts

Example k-means: find k cluster centers, which exhibit theminimal squared distance to their assigned observations

Other methods from machine learning readily applicable

Page 28: Protocol Inspection and State Machine Analysis (PRISMA)tammok.github.io/talks/prismalecture.pdfSemantic Outlook Statistical Test { Example II 90 95 100 105 110 115 120 0.00 0.05 0.10

ProtocolInspection andState Machine

Analysis(PRISMA)

TammoKrueger

Hugo GasconKonrad Rieck

Motivation

PRISMA

Preprocessing

Embedding

Testing

Event Clustering

Markov Model

Templates andRules

Example

Evaluation

Similarity

Syntax &Semantic

Outlook

Event Clustering – Application in PRISMA

Clustering as factorization of embedding matrix X P Rk,N

with B P Rk,e ,C P Re,N , bi P Rk,1, ci P Re,1, e ! k :

X « BC “

event basishkkkkkkkikkkkkkkj

b1 . . . be

‰ “

c1 . . . cN‰

looooooomooooooon

event assignments

via Non-Negative Matrix Factorization:

pB,C q “ arg minB,C

}X ´ BC}

s.t. bij ě 0, cjn ě 0 .

Other techniques (e.g. hierarchical clustering, expertknowledge) can be incorporated easily

Page 29: Protocol Inspection and State Machine Analysis (PRISMA)tammok.github.io/talks/prismalecture.pdfSemantic Outlook Statistical Test { Example II 90 95 100 105 110 115 120 0.00 0.05 0.10

ProtocolInspection andState Machine

Analysis(PRISMA)

TammoKrueger

Hugo GasconKonrad Rieck

Motivation

PRISMA

Preprocessing

Embedding

Testing

Event Clustering

Markov Model

Templates andRules

Example

Evaluation

Similarity

Syntax &Semantic

Outlook

System Overview – Markov Model

Markov

Model

b

Msg. 1

Msg. 2

Msg. 4

Msg. 3

Msg. 5

Msg. 6

a

c

d

e

f

g

h

i

b

Event 1

Event 2

Event 3

a

c

d

e

f

g

h

i

Event 2

Msg. 1

Msg. 2

Msg. 4

Msg. 3

Msg. 5

Msg. 6

Event 1

Event 3

X = B C

Client

Session 1

Session 2

Session 3

...

Session n

Msg. 1

Communication

CARRY.UAC|WALL.UAS

WALL.UAS|CARRY.UAC

CARRY.UAC|BASE.UAS

CARRY.UAC|FREE.UAS

BASE.UAS|ENDBASE.UAS|GO.UAC

FREE.UAS|CARRY.UAC

START|START

Derrick & Harry

Embedding Event Clustering

Template1

RULE srcField:0 dstField:0 type:ExactRule

RULE srcField:1 dstField:2 type:ExactRule

RULE srcField:3 dstField:1 type:ExactRule

RULE dstField:4 type:DataRule

data:678537408252460955, ...

RULE dstField:5 type:DataRule

data:252460957,252461242,252461608, ...

RULE dstField:6 type:DataRule

data:12004,12020,12018,12028,12002,12004

Server

Page 30: Protocol Inspection and State Machine Analysis (PRISMA)tammok.github.io/talks/prismalecture.pdfSemantic Outlook Statistical Test { Example II 90 95 100 105 110 115 120 0.00 0.05 0.10

ProtocolInspection andState Machine

Analysis(PRISMA)

TammoKrueger

Hugo GasconKonrad Rieck

Motivation

PRISMA

Preprocessing

Embedding

Testing

Event Clustering

Markov Model

Templates andRules

Example

Evaluation

Similarity

Syntax &Semantic

Outlook

Markov Model – Introduction

Probabilistic model to describe process evolving over time

Formally, the process is a sequence of random variables:

ST1 “ rSp1q,Sp2q, . . . ,SpT ´ 1q,SpT qs

. . . which fullfill the Markov Assumption:

@t P 1, . . . ,T : PSptq|Sp1q,Sp2q,...,Spt´2q,Spt´1q “ PSptq|Spt´1q.

Spiq represents the internal state of the system

Examples and notation from Hidden Markov Models andDynamical Systems by Andrew M. Fraser (SIAM, 2008)

Page 31: Protocol Inspection and State Machine Analysis (PRISMA)tammok.github.io/talks/prismalecture.pdfSemantic Outlook Statistical Test { Example II 90 95 100 105 110 115 120 0.00 0.05 0.10

ProtocolInspection andState Machine

Analysis(PRISMA)

TammoKrueger

Hugo GasconKonrad Rieck

Motivation

PRISMA

Preprocessing

Embedding

Testing

Event Clustering

Markov Model

Templates andRules

Example

Evaluation

Similarity

Syntax &Semantic

Outlook

Markov Model – Example

12

v

w1

u 12

121

2

PSp1q ““

13 ,

13 ,

13

, (1)

Spt ` 1qPpspt ` 1q|sptqq u v w

u 0 1 0

Sptq v 0 12

12

w 12

12 0

(2)

Page 32: Protocol Inspection and State Machine Analysis (PRISMA)tammok.github.io/talks/prismalecture.pdfSemantic Outlook Statistical Test { Example II 90 95 100 105 110 115 120 0.00 0.05 0.10

ProtocolInspection andState Machine

Analysis(PRISMA)

TammoKrueger

Hugo GasconKonrad Rieck

Motivation

PRISMA

Preprocessing

Embedding

Testing

Event Clustering

Markov Model

Templates andRules

Example

Evaluation

Similarity

Syntax &Semantic

Outlook

Markov Model – Example

Calculate the probability of s41 “ ru, v ,w , v s:

Ppu, v ,w , vq “ Ppv |u, v ,wq ¨ Ppw |u, vq ¨ Ppv |uq ¨ Ppuq (3)

“ Ppv |wq ¨ Ppw |vq ¨ Ppv |uq ¨ Ppuq (4)

“1

1

2¨ 1 ¨

1

3“

1

12. (5)

Eqn. (3): Conditional probability (PA,B “ PB|APA)Eqn. (4): Markov assumptionEqn. (5): Eqn. (1) and Eqn. (2)General case for sT1 :

PpsT1 q “ Ppsp1qqTź

τ“2

Ppspτq|sτ´11 q

“ Ppsp1qqTź

τ“2

Ppspτq|spτ ´ 1qq

Page 33: Protocol Inspection and State Machine Analysis (PRISMA)tammok.github.io/talks/prismalecture.pdfSemantic Outlook Statistical Test { Example II 90 95 100 105 110 115 120 0.00 0.05 0.10

ProtocolInspection andState Machine

Analysis(PRISMA)

TammoKrueger

Hugo GasconKonrad Rieck

Motivation

PRISMA

Preprocessing

Embedding

Testing

Event Clustering

Markov Model

Templates andRules

Example

Evaluation

Similarity

Syntax &Semantic

Outlook

Hidden Markov Model – Introduction

Again, the process is a sequence of (unobservable) randomvariables ST

1 “ rSp1q,Sp2q, . . . ,SpT ´ 1q,SpT qs, whichgenerate a sequence of random variableY T1 “ rY p1q,Y p2q, . . . ,Y pT ´ 1q,Y pT qs

The observations are just dependent on the current hiddenstate:

PY ptq|S t1 ,Y

t´11“ PY ptq|Sptq. (6)

The hidden state sequence is generated according to theMarkov assumption:

PSpt`1q|S t1 ,Y

t1“ PSpt`1q|Sptq. (7)

Page 34: Protocol Inspection and State Machine Analysis (PRISMA)tammok.github.io/talks/prismalecture.pdfSemantic Outlook Statistical Test { Example II 90 95 100 105 110 115 120 0.00 0.05 0.10

ProtocolInspection andState Machine

Analysis(PRISMA)

TammoKrueger

Hugo GasconKonrad Rieck

Motivation

PRISMA

Preprocessing

Embedding

Testing

Event Clustering

Markov Model

Templates andRules

Example

Evaluation

Similarity

Syntax &Semantic

Outlook

Hidden Markov Model – Introduction

Sp2q Sptq Spt ` 1q

Y p1q Y p2q Y pt ` 1qY ptq

Sp1q

Hidden Markov model as a Bayes’ net

Edges indicate dependence relations, i.e. for allt P 1, . . . ,T :

Y ptq just depends on SptqSptq just depends on Spt ´ 1q

Page 35: Protocol Inspection and State Machine Analysis (PRISMA)tammok.github.io/talks/prismalecture.pdfSemantic Outlook Statistical Test { Example II 90 95 100 105 110 115 120 0.00 0.05 0.10

ProtocolInspection andState Machine

Analysis(PRISMA)

TammoKrueger

Hugo GasconKonrad Rieck

Motivation

PRISMA

Preprocessing

Embedding

Testing

Event Clustering

Markov Model

Templates andRules

Example

Evaluation

Similarity

Syntax &Semantic

Outlook

Hidden Markov Model – Example

12

v

w1

u 12

121

2

d

1

13

e f23

e23

f

13

YPpy |sq d e f

u 1 0 0

S v 0 13

23

w 0 23

13

Page 36: Protocol Inspection and State Machine Analysis (PRISMA)tammok.github.io/talks/prismalecture.pdfSemantic Outlook Statistical Test { Example II 90 95 100 105 110 115 120 0.00 0.05 0.10

ProtocolInspection andState Machine

Analysis(PRISMA)

TammoKrueger

Hugo GasconKonrad Rieck

Motivation

PRISMA

Preprocessing

Embedding

Testing

Event Clustering

Markov Model

Templates andRules

Example

Evaluation

Similarity

Syntax &Semantic

Outlook

Hidden Markov Model – Example

Calculate the probability y41 “ rd , e, f , es

Possible state sequences, which could generate theobservation: ru, v , v , v s, ru, v , v ,w s, and ru, v ,w , v s

s41 Pps41 q Ppy41 |s

41 q Ppy4

1 , s41 q

uvvv 13 ¨ 1 ¨ 12 ¨

12 1 ¨ 13 ¨

23 ¨

13

2324

uvvw 13 ¨ 1 ¨ 12 ¨

12 1 ¨ 13 ¨

23 ¨

23

4324

uvwv 13 ¨ 1 ¨ 12 ¨

12 1 ¨ 13 ¨

13 ¨

13

1324

Now:

Ppy41 q “

ÿ

s41

Ppy41 , s

41 q “

ÿ

s41

Ppy41 |s

41 qPps

41 q “

2` 4` 1

324.

Page 37: Protocol Inspection and State Machine Analysis (PRISMA)tammok.github.io/talks/prismalecture.pdfSemantic Outlook Statistical Test { Example II 90 95 100 105 110 115 120 0.00 0.05 0.10

ProtocolInspection andState Machine

Analysis(PRISMA)

TammoKrueger

Hugo GasconKonrad Rieck

Motivation

PRISMA

Preprocessing

Embedding

Testing

Event Clustering

Markov Model

Templates andRules

Example

Evaluation

Similarity

Syntax &Semantic

Outlook

Hidden Markov Model – Example

Assumptions of Eqn. (6) and Eqn. (7):

PpsT1 q “ PpSp1qqTź

t“2

Ppsptq|spt ´ 1qq

PpyT1 |s

T1 q “

t“1

Ppyptq|sptqq

Single calculation:

PpyT1 , s

T1 q “ PpsT1 qPpyT

1 |sT1 q

“ Ppsp1qqTź

t“2

Ppsptq|spt ´ 1qqTź

t“1

Ppyptq|sptqq.

Iterate over all possible state sequences:

PpyT1 q “

ÿ

sT1 PST

PpyT1 , s

T1 q

Page 38: Protocol Inspection and State Machine Analysis (PRISMA)tammok.github.io/talks/prismalecture.pdfSemantic Outlook Statistical Test { Example II 90 95 100 105 110 115 120 0.00 0.05 0.10

ProtocolInspection andState Machine

Analysis(PRISMA)

TammoKrueger

Hugo GasconKonrad Rieck

Motivation

PRISMA

Preprocessing

Embedding

Testing

Event Clustering

Markov Model

Templates andRules

Example

Evaluation

Similarity

Syntax &Semantic

Outlook

Hidden Markov Model – Algorithms

The Viterbi Algorithm: Given a model θ and a sequenceof observations yT

1 , finds the most probable statesequence sT1 :

sT1 “ arg maxsT1

sT1 |yT1 , θ

¯

The Baum-Welch Algorithm: Given a sequence ofobservations yT

1 and an initial set of model parameters θ0,calculates a new set of parameters θ1 that has higherlikelihood:

yT1 |θ1

¯

ě P´

yT1 |θ0

¯

Page 39: Protocol Inspection and State Machine Analysis (PRISMA)tammok.github.io/talks/prismalecture.pdfSemantic Outlook Statistical Test { Example II 90 95 100 105 110 115 120 0.00 0.05 0.10

ProtocolInspection andState Machine

Analysis(PRISMA)

TammoKrueger

Hugo GasconKonrad Rieck

Motivation

PRISMA

Preprocessing

Embedding

Testing

Event Clustering

Markov Model

Templates andRules

Example

Evaluation

Similarity

Syntax &Semantic

Outlook

Hidden Markov Model – Viterbi Algorithm

Find the best sequence sT1 that maximizes the probabilityP`

sT1 |yT1

˘

Equivalent to maximizing log`

P`

yT1 , s

T1

˘˘

, since PpyT1 q is

just a constant:

sT1 ” arg maxsT1

PpsT1 |yT1 q

“ arg maxsT1

´

PpsT1 |yT1 q ¨ PpyT

1 q

¯

“ arg maxsT1

´

PpyT1 , s

T1 q

¯

.

Trick for numerical stability: use log

Page 40: Protocol Inspection and State Machine Analysis (PRISMA)tammok.github.io/talks/prismalecture.pdfSemantic Outlook Statistical Test { Example II 90 95 100 105 110 115 120 0.00 0.05 0.10

ProtocolInspection andState Machine

Analysis(PRISMA)

TammoKrueger

Hugo GasconKonrad Rieck

Motivation

PRISMA

Preprocessing

Embedding

Testing

Event Clustering

Markov Model

Templates andRules

Example

Evaluation

Similarity

Syntax &Semantic

Outlook

Hidden Markov Model – Viterbi Algorithm:Definitions

upst1q Utility of state sequence st1

” log`

Ppy t1 , s

t1q˘

νps, tq Utility of best sequence ending with sptq “ s

” maxst1:sptq“s

upst1q

ωps, s 1, tq Utility of best sequence with spt ´ 1q, sptq “ s, s 1

” maxst1:spt´1q“s^sptq“s

1upst1q

Bps 1, tq Best predecessor state given sptq “ s 1

” arg maxs

ωps, s 1, tq

Page 41: Protocol Inspection and State Machine Analysis (PRISMA)tammok.github.io/talks/prismalecture.pdfSemantic Outlook Statistical Test { Example II 90 95 100 105 110 115 120 0.00 0.05 0.10

ProtocolInspection andState Machine

Analysis(PRISMA)

TammoKrueger

Hugo GasconKonrad Rieck

Motivation

PRISMA

Preprocessing

Embedding

Testing

Event Clustering

Markov Model

Templates andRules

Example

Evaluation

Similarity

Syntax &Semantic

Outlook

Hidden Markov Model – Viterbi Algorithm:Overview

Initialize utility log`

PY p1q,Sp1q pyp1q, sq˘

for each states P S.

Forward step: for each successive time step t : 1 ă t ď T

for each state s determine the best predecessor for thatstate and store it in Bps, tqcalculate utility of the best state sequence ending in thatstate and store it in νps, tq

Backtrack step:

identify the best final state as spT q “ arg maxs νps,T qfor t from T ´ 1 to 1 backtrack through B array to findthe other states in the sequence sT1 , i.e.,sptq “ Bpspt ` 1q, t ` 1q

Page 42: Protocol Inspection and State Machine Analysis (PRISMA)tammok.github.io/talks/prismalecture.pdfSemantic Outlook Statistical Test { Example II 90 95 100 105 110 115 120 0.00 0.05 0.10

ProtocolInspection andState Machine

Analysis(PRISMA)

TammoKrueger

Hugo GasconKonrad Rieck

Motivation

PRISMA

Preprocessing

Embedding

Testing

Event Clustering

Markov Model

Templates andRules

Example

Evaluation

Similarity

Syntax &Semantic

Outlook

Hidden Markov Model – Viterbi Algorithm:Iteration

Initialize:for each s

νnextpsq “ log`

PY p1q,Sp1q pyp1q, sq˘

Iterate:for t from 2 to T

# νoldp¨q “ νp¨, t ´ 1q; νnextp¨q “ νp¨, tqνold “ νnextfor each snext

for each soldωpsold, snextq “ νoldpsoldq ` log pPpsnext|soldqq` log pPpyptq|snextqq

# Find best predecessorBpsnext, tq “ arg maxsold ωpsold, snextq# Update ννnextpsnextq “ ωpBpsnext, tq, snextq

Page 43: Protocol Inspection and State Machine Analysis (PRISMA)tammok.github.io/talks/prismalecture.pdfSemantic Outlook Statistical Test { Example II 90 95 100 105 110 115 120 0.00 0.05 0.10

ProtocolInspection andState Machine

Analysis(PRISMA)

TammoKrueger

Hugo GasconKonrad Rieck

Motivation

PRISMA

Preprocessing

Embedding

Testing

Event Clustering

Markov Model

Templates andRules

Example

Evaluation

Similarity

Syntax &Semantic

Outlook

Hidden Markov Model – Viterbi Algorithm:Backtrack

Backtrack:s “ arg maxs νnextpsqspT q “ sfor t from T ´ 1 to 1

s “ Bps, t ` 1qsptq “ s

A lot more to learn about Markov models:

forward/backward algorithmBaum-Welch algorithmKalman filter

So consult: Hidden Markov Models and DynamicalSystems by Andrew M. Fraser (SIAM, 2008)

Page 44: Protocol Inspection and State Machine Analysis (PRISMA)tammok.github.io/talks/prismalecture.pdfSemantic Outlook Statistical Test { Example II 90 95 100 105 110 115 120 0.00 0.05 0.10

ProtocolInspection andState Machine

Analysis(PRISMA)

TammoKrueger

Hugo GasconKonrad Rieck

Motivation

PRISMA

Preprocessing

Embedding

Testing

Event Clustering

Markov Model

Templates andRules

Example

Evaluation

Similarity

Syntax &Semantic

Outlook

Markov Model – Application in PRISMA

Each message is assigned to an event from the event spaceE , so a session S “ re1, e2, . . . e|S |s, e1,2,...,|S | P E

Represent the dynamics for the system by a Markov modelof order m ě 2:

1 Estimate the frequencies of the initial events (i.e.Ppeq, e P E )

2 Estimate the frequencies of an event given the mpredecessors in time (i.e. Ppet |et´m, . . . , et´2, et´1q)

Resulting networks can be big (potentially |E |m nodes):

Markov model can be transformed in a DFACompress structure via DFA minimization algorithm

Reduced network can be described by a hidden Markovmodel

Page 45: Protocol Inspection and State Machine Analysis (PRISMA)tammok.github.io/talks/prismalecture.pdfSemantic Outlook Statistical Test { Example II 90 95 100 105 110 115 120 0.00 0.05 0.10

ProtocolInspection andState Machine

Analysis(PRISMA)

TammoKrueger

Hugo GasconKonrad Rieck

Motivation

PRISMA

Preprocessing

Embedding

Testing

Event Clustering

Markov Model

Templates andRules

Example

Evaluation

Similarity

Syntax &Semantic

Outlook

System Overview – Templates and Rules

b

Msg. 1

Msg. 2

Msg. 4

Msg. 3

Msg. 5

Msg. 6

a

c

d

e

f

g

h

i

b

Event 1

Event 2

Event 3

a

c

d

e

f

g

h

i

Event 2

Msg. 1

Msg. 2

Msg. 4

Msg. 3

Msg. 5

Msg. 6

Event 1

Event 3

X = B C

Client

Session 1

Session 2

Session 3

...

Session n

Msg. 1

Communication

CARRY.UAC|WALL.UAS

WALL.UAS|CARRY.UAC

CARRY.UAC|BASE.UAS

CARRY.UAC|FREE.UAS

BASE.UAS|ENDBASE.UAS|GO.UAC

FREE.UAS|CARRY.UAC

START|START

Derrick & Harry

Embedding Event Clustering

Markov Model

Template1

RULE srcField:0 dstField:0 type:ExactRule

RULE srcField:1 dstField:2 type:ExactRule

RULE srcField:3 dstField:1 type:ExactRule

RULE dstField:4 type:DataRule

data:678537408252460955, ...

RULE dstField:5 type:DataRule

data:252460957,252461242,252461608, ...

RULE dstField:6 type:DataRule

data:12004,12020,12018,12028,12002,12004

Server

Page 46: Protocol Inspection and State Machine Analysis (PRISMA)tammok.github.io/talks/prismalecture.pdfSemantic Outlook Statistical Test { Example II 90 95 100 105 110 115 120 0.00 0.05 0.10

ProtocolInspection andState Machine

Analysis(PRISMA)

TammoKrueger

Hugo GasconKonrad Rieck

Motivation

PRISMA

Preprocessing

Embedding

Testing

Event Clustering

Markov Model

Templates andRules

Example

Evaluation

Similarity

Syntax &Semantic

Outlook

Templates and Rules

State A State B State C

Session 1 GO 1 OBJECT A CARRY A 0

Session 2 GO 2 OBJECT D CARRY D 0...

......

Session n GO 0 OBJECT B CARRY B 0

Template GOÜ

OBJECTÜ

CARRYÜ

0

Template generation:Assign each message to its corresponding stateAlign messages and find static and changing parts (fields)

Rules between templates:Exact copy the content of one field

Sequence increment the number of a fieldCopyCompl. copy field and add parts before/afterCopyPartial copy parts of the field

Data pick a value from a data pool

Page 47: Protocol Inspection and State Machine Analysis (PRISMA)tammok.github.io/talks/prismalecture.pdfSemantic Outlook Statistical Test { Example II 90 95 100 105 110 115 120 0.00 0.05 0.10

ProtocolInspection andState Machine

Analysis(PRISMA)

TammoKrueger

Hugo GasconKonrad Rieck

Motivation

PRISMA

Preprocessing

Embedding

Testing

Event Clustering

Markov Model

Templates andRules

Example

Evaluation

Similarity

Syntax &Semantic

Outlook

Demo – Robot example

Goal: learn the control of a robot, which collects goodsinside a contaminated room, from network traffic

The robot communicates with the environment by asimple protocol:

GO <dir>

CARRY <object> <dir>

The environment responds with the following statusmessages after each action of the robot:

WALL

FREE

BASE

OBJECT <object>

Hands-on example. . .

Page 48: Protocol Inspection and State Machine Analysis (PRISMA)tammok.github.io/talks/prismalecture.pdfSemantic Outlook Statistical Test { Example II 90 95 100 105 110 115 120 0.00 0.05 0.10

ProtocolInspection andState Machine

Analysis(PRISMA)

TammoKrueger

Hugo GasconKonrad Rieck

Motivation

PRISMA

Preprocessing

Embedding

Testing

Event Clustering

Markov Model

Templates andRules

Example

Evaluation

Similarity

Syntax &Semantic

Outlook

Demo – Robot example

Page 49: Protocol Inspection and State Machine Analysis (PRISMA)tammok.github.io/talks/prismalecture.pdfSemantic Outlook Statistical Test { Example II 90 95 100 105 110 115 120 0.00 0.05 0.10

ProtocolInspection andState Machine

Analysis(PRISMA)

TammoKrueger

Hugo GasconKonrad Rieck

Motivation

PRISMA

Preprocessing

Embedding

Testing

Event Clustering

Markov Model

Templates andRules

Example

Evaluation

Similarity

Syntax &Semantic

Outlook

Demo – Robot example

GO 2 |

WALL |

GO 0 |

OBJECT E |

CARRY E 0 |

FREE |

CARRY E 0 |

WALL |

CARRY E 3 |

FREE |

CARRY E 3 |

FREE |

CARRY E 3 |

BASE |

GO 0 |

Page 50: Protocol Inspection and State Machine Analysis (PRISMA)tammok.github.io/talks/prismalecture.pdfSemantic Outlook Statistical Test { Example II 90 95 100 105 110 115 120 0.00 0.05 0.10

ProtocolInspection andState Machine

Analysis(PRISMA)

TammoKrueger

Hugo GasconKonrad Rieck

Motivation

PRISMA

Preprocessing

Embedding

Testing

Event Clustering

Markov Model

Templates andRules

Example

Evaluation

Similarity

Syntax &Semantic

Outlook

Demo – Robot Model before Minimization

CARRY.UAC|WALL.UAS

WALL.UAS|CARRY.UAC

CARRY.UAC|FREE.UAS

CARRY.UAC|BASE.UAS

FREE.UAS|CARRY.UAC

BASE.UAS|ENDBASE.UAS|GO.UAC

GO.UAC|BASE.UAS

GO.UAC|FREE.UAS

GO.UAC|WALL.UAS

GO.UAC|OBJECT.UAS

FREE.UAS|GO.UAC

WALL.UAS|GO.UAC

OBJECT.UAS|CARRY.UAC

START|GO.UAC

START|START

Page 51: Protocol Inspection and State Machine Analysis (PRISMA)tammok.github.io/talks/prismalecture.pdfSemantic Outlook Statistical Test { Example II 90 95 100 105 110 115 120 0.00 0.05 0.10

ProtocolInspection andState Machine

Analysis(PRISMA)

TammoKrueger

Hugo GasconKonrad Rieck

Motivation

PRISMA

Preprocessing

Embedding

Testing

Event Clustering

Markov Model

Templates andRules

Example

Evaluation

Similarity

Syntax &Semantic

Outlook

Demo – Robot Model after Minimization

CARRY.UAC|WALL.UAS

WALL.UAS|CARRY.UAC

CARRY.UAC|BASE.UAS

CARRY.UAC|FREE.UAS

BASE.UAS|ENDBASE.UAS|GO.UAC

FREE.UAS|CARRY.UAC

START|START

Page 52: Protocol Inspection and State Machine Analysis (PRISMA)tammok.github.io/talks/prismalecture.pdfSemantic Outlook Statistical Test { Example II 90 95 100 105 110 115 120 0.00 0.05 0.10

ProtocolInspection andState Machine

Analysis(PRISMA)

TammoKrueger

Hugo GasconKonrad Rieck

Motivation

PRISMA

Preprocessing

Embedding

Testing

Event Clustering

Markov Model

Templates andRules

Example

Evaluation

Similarity

Syntax &Semantic

Outlook

Demo – Robot Templates and Rules

TEMPLATE id:2 state:FREE.UAS—CARRY.UACCARRY

Ü Ü

TEMPLATE id:5 state:CARRY.UAC—FREE.UASFREE

RULE transition:2;5;2srcId:2 srcField:0 dstField:0

RULE transition:2;5;2srcId:2 srcField:1 dstField:1

Page 53: Protocol Inspection and State Machine Analysis (PRISMA)tammok.github.io/talks/prismalecture.pdfSemantic Outlook Statistical Test { Example II 90 95 100 105 110 115 120 0.00 0.05 0.10

ProtocolInspection andState Machine

Analysis(PRISMA)

TammoKrueger

Hugo GasconKonrad Rieck

Motivation

PRISMA

Preprocessing

Embedding

Testing

Event Clustering

Markov Model

Templates andRules

Example

Evaluation

Similarity

Syntax &Semantic

Outlook

Evaluation

Split pool into train (90% of the sessions) and testing slice

For each session in the testing slice simulate both from theperspective of Client and Server (repeat 100 times)

Message similarity evaluation: for each session andrepetition

1 calculate the normalized edit distance of the generatedmessage to the real message

2 collect all distances ě 0 attained at a specific position

Syntactical and semantical correctness evaluation:

1 is message well-formed according to the underlyingprotocol specification (wireshark)

2 is session information retained, i.e. CallID, from- andto-tag are preserved

Page 54: Protocol Inspection and State Machine Analysis (PRISMA)tammok.github.io/talks/prismalecture.pdfSemantic Outlook Statistical Test { Example II 90 95 100 105 110 115 120 0.00 0.05 0.10

ProtocolInspection andState Machine

Analysis(PRISMA)

TammoKrueger

Hugo GasconKonrad Rieck

Motivation

PRISMA

Preprocessing

Embedding

Testing

Event Clustering

Markov Model

Templates andRules

Example

Evaluation

Similarity

Syntax &Semantic

Outlook

Evaluation – SimilarityAlcatel-Lucent (8878 Messages)

pos

sim

0.75

0.80

0.85

0.90

0.95

1.00

2 4 6 8 10 12 14

count

500

1000

1500

2000

2500

3000

3500

Page 55: Protocol Inspection and State Machine Analysis (PRISMA)tammok.github.io/talks/prismalecture.pdfSemantic Outlook Statistical Test { Example II 90 95 100 105 110 115 120 0.00 0.05 0.10

ProtocolInspection andState Machine

Analysis(PRISMA)

TammoKrueger

Hugo GasconKonrad Rieck

Motivation

PRISMA

Preprocessing

Embedding

Testing

Event Clustering

Markov Model

Templates andRules

Example

Evaluation

Similarity

Syntax &Semantic

Outlook

Evaluation – Syntax & SemanticAlcatel-Lucent (8878 Messages)

Syntax Semantic

1 s. Sim. 2 s. Sim. 1 s. Sim. 2 s. Sim.

some Errors 0.03% 0.80% 3.77% 0.00%100% Correct 99.97% 99.20% 96.23% 100.00%

Measure the number of correct messages per session

1 s. Sim.: Simulate one side of the communication with aPRISMA model and use other side from data set

2 s. Sim.: Simulate both sides of the communication witha PRISMA model

Page 56: Protocol Inspection and State Machine Analysis (PRISMA)tammok.github.io/talks/prismalecture.pdfSemantic Outlook Statistical Test { Example II 90 95 100 105 110 115 120 0.00 0.05 0.10

ProtocolInspection andState Machine

Analysis(PRISMA)

TammoKrueger

Hugo GasconKonrad Rieck

Motivation

PRISMA

Preprocessing

Embedding

Testing

Event Clustering

Markov Model

Templates andRules

Example

Evaluation

Similarity

Syntax &Semantic

Outlook

Conclusion and Future Work

Protocol Inspection and State Machine Analysis:

1 Embed messages in a suitable vector space2 Transform sequences of messages to a sequence of events3 Learn the event machine with a Markov model

Application as “Honey-Service”

Future work:

Stateful anomaly detectionDeep fuzzingInfiltration of botnets

Page 57: Protocol Inspection and State Machine Analysis (PRISMA)tammok.github.io/talks/prismalecture.pdfSemantic Outlook Statistical Test { Example II 90 95 100 105 110 115 120 0.00 0.05 0.10

ProtocolInspection andState Machine

Analysis(PRISMA)

TammoKrueger

Hugo GasconKonrad Rieck

Motivation

PRISMA

Preprocessing

Embedding

Testing

Event Clustering

Markov Model

Templates andRules

Example

Evaluation

Similarity

Syntax &Semantic

Outlook

Questions? Remarks?Thanks for your attention!

Page 58: Protocol Inspection and State Machine Analysis (PRISMA)tammok.github.io/talks/prismalecture.pdfSemantic Outlook Statistical Test { Example II 90 95 100 105 110 115 120 0.00 0.05 0.10

ProtocolInspection andState Machine

Analysis(PRISMA)

TammoKrueger

Hugo GasconKonrad Rieck

Motivation

PRISMA

Preprocessing

Embedding

Testing

Event Clustering

Markov Model

Templates andRules

Example

Evaluation

Similarity

Syntax &Semantic

Outlook

Evaluation – Length

length

ecdf

0.0

0.2

0.4

0.6

0.8

1.0

0 2 4 6 8 10 12 14 16 18 20 22 24 26 28 30 32 34 36 38 40

experiment

1 Side Simulation

2 Side Simulation

Original

Page 59: Protocol Inspection and State Machine Analysis (PRISMA)tammok.github.io/talks/prismalecture.pdfSemantic Outlook Statistical Test { Example II 90 95 100 105 110 115 120 0.00 0.05 0.10

ProtocolInspection andState Machine

Analysis(PRISMA)

TammoKrueger

Hugo GasconKonrad Rieck

Motivation

PRISMA

Preprocessing

Embedding

Testing

Event Clustering

Markov Model

Templates andRules

Example

Evaluation

Similarity

Syntax &Semantic

Outlook

Evaluation – Syntax & Semantic detailedAlcatel-Lucent (8878 Messages)

Syntax Semantic

1 Side Sim. 2 Side Sim. 1 Side Sim. 2 Side Sim.

ă 80% 0.01% 0.50% 0.30% 0.00%8X % 0.00% 0.20% 1.64% 0.00%9X % 0.02% 0.10% 1.83% 0.00%100% 99.97% 99.20% 96.23% 100.00%

Measure the frequency of % correct messages per session

Reading example: For the one side simulation 0.02% ofthe sessions have between 90% and 99% syntacticalcorrect messages inside the session and 99.97% of thesessions have all messages syntactical correct


IIHS Status Report newsletter, Vol. 46, No. 10, Nov. 17, 2011...Status Report, Vol. 46, No. 10, Nov. 17, 2011 3 0.05 0.10 0.15 0.20 0.05 0.10 0.15 0.20 hybrid conventional counterpart

IIHS Status Report newsletter, Vol. 46, No. 10, Nov. 17, 2011...Status Report, Vol. 46, No. 10, Nov. 17, 2011 3 0.05 0.10 0.15 0.20 0.05 0.10 0.15 0.20 hybrid conventional counterpart

Documents
ASSESSING THE IMPORTANCE OF ASIAN PORTS BY APPLYING … · Environnemental Maritime Research Workshop Royal University of Agriculture, October 19, 2017 -0.15-0.10-0.05 0.00 0.05 0.10

ASSESSING THE IMPORTANCE OF ASIAN PORTS BY APPLYING … · Environnemental Maritime Research Workshop Royal University of Agriculture, October 19, 2017 -0.15-0.10-0.05 0.00 0.05 0.10

Documents
Modelling Returns: the CER and the CAPMdidattica.unibocconi.it/mypage/dwload.php?nomefile=slides_capmcer... · 0.20 0.15 0.10 0.05 0.00 0.05 0.10 Series: RET_M_C Sample 1948M02 2014M06

Modelling Returns: the CER and the CAPMdidattica.unibocconi.it/mypage/dwload.php?nomefile=slides_capmcer... · 0.20 0.15 0.10 0.05 0.00 0.05 0.10 Series: RET_M_C Sample 1948M02 2014M06

Documents
123./*0() ˘FLEX...Ü m @ ¡ A 0.00 0.0 0.00 0.05 0.15 0.20 0.10 0.25 -0.05 fi fl fi fl Efi fl ‘RST 8 9 5 0.10 0.15 ]RST ]RST E]RST–!†‡ :!ÜmO¡U 0 20 0.25 0.30 ·a µa

123./*0() ˘FLEX...Ü m @ ¡ A 0.00 0.0 0.00 0.05 0.15 0.20 0.10 0.25 -0.05 fi fl fi fl Efi fl ‘RST 8 9 5 0.10 0.15 ]RST ]RST E]RST–!†‡ :!ÜmO¡U 0 20 0.25 0.30 ·a µa

Documents
Forest Sector Modeling Conference Lillehammer, Norway ... · China-0.15-0.10-0.05 0.00 0.05 0.10 0.15 0.20 0 0.2 0.4 0.6 0.8 1 Growth Rate Market Share Wood-based Panels Production

Forest Sector Modeling Conference Lillehammer, Norway ... · China-0.15-0.10-0.05 0.00 0.05 0.10 0.15 0.20 0 0.2 0.4 0.6 0.8 1 Growth Rate Market Share Wood-based Panels Production

Documents
Introduction Sensor setup - TU · PDF fileindustry rack and equipped with the required safety infrastructure meeting the ATEX ... -0.05 0.00 0.05 0.10 0.15 (A.U.) H 2 S Reference Cell

Introduction Sensor setup - TU · PDF fileindustry rack and equipped with the required safety infrastructure meeting the ATEX ... -0.05 0.00 0.05 0.10 0.15 (A.U.) H 2 S Reference Cell

Documents
S - wir transist ac ecording - Lieber Research Groupcml.harvard.edu/assets/Scalable-ultrasmall-three...Conductance (nS) 1,000 V g (V) –0.10 –0.05 0.00 0.05 100 150 200 250 Conductance

S - wir transist ac ecording - Lieber Research Groupcml.harvard.edu/assets/Scalable-ultrasmall-three...Conductance (nS) 1,000 V g (V) –0.10 –0.05 0.00 0.05 100 150 200 250 Conductance

Documents
Preservation for coatings and building materials - schülke · parmetol® A 26 N 0.05 - 0.20 0.05 - 0.20 0.05 - 0.20 0.10 ... Preservation for coatings and building materials The

Preservation for coatings and building materials - schülke · parmetol® A 26 N 0.05 - 0.20 0.05 - 0.20 0.05 - 0.20 0.10 ... Preservation for coatings and building materials The

Documents
STYLE # 902 Generation:Contemporary Category: Circe Size ... · Rhinestones 20 $0.02 $0.40 Hook & Eye Closure 1 $0.10 $0.10 Labels 1 $0.05 $0.05 (TOTAL TRIMS) $1.89 CMT/LABOR COSTS:

STYLE # 902 Generation:Contemporary Category: Circe Size ... · Rhinestones 20 $0.02 $0.40 Hook & Eye Closure 1 $0.10 $0.10 Labels 1 $0.05 $0.05 (TOTAL TRIMS) $1.89 CMT/LABOR COSTS:

Documents
LTC2972 (Rev. B) - Analog Devices€¦ · TMPT C –50 2 0 2 50 7 100 2 2 –0.15 –0.10 –0.05 0.00 0.05 0.10 0.15 2 2 O OF G. 2972 Tb. LTC2972. 2. e B. For more information

LTC2972 (Rev. B) - Analog Devices€¦ · TMPT C –50 2 0 2 50 7 100 2 2 –0.15 –0.10 –0.05 0.00 0.05 0.10 0.15 2 2 O OF G. 2972 Tb. LTC2972. 2. e B. For more information

Documents
High Precision Polarimetry for Jefferson Lab at 11 GeVpeople.virginia.edu/~kdp2c/pubpage/talkarchive/...Levchuk 0.30% - Target Temp 0.05% - Dead Time - 0.10% Background - 0.10% Total

High Precision Polarimetry for Jefferson Lab at 11 GeVpeople.virginia.edu/~kdp2c/pubpage/talkarchive/...Levchuk 0.30% - Target Temp 0.05% - Dead Time - 0.10% Background - 0.10% Total

Documents
DryMatter - Agricultural Research Service … · Dry Matter Partitioning in Taro 0.35 0.30 0.25 0.20 0.15 0.10 0.05 0.00 0.70 0.60 0.50 0.40 0.30 0.20 0.10 200 250 300 350 100 150

DryMatter - Agricultural Research Service … · Dry Matter Partitioning in Taro 0.35 0.30 0.25 0.20 0.15 0.10 0.05 0.00 0.70 0.60 0.50 0.40 0.30 0.20 0.10 200 250 300 350 100 150

Documents
prisma VENT30 prisma VENT30-C prisma VENT40 prisma VENT50

prisma VENT30 prisma VENT30-C prisma VENT40 prisma VENT50

Documents
3M Textool 1.27 mm pitch, Open Top, BGA Test & Burn-In …...Pitch 1.27 –0.05 Pitch 45.00 –0.05 52.50 –0.10 38.40 –0.05 729x 05 m Contact Hole Min Diameter 33.02 –0.10 Max

3M Textool 1.27 mm pitch, Open Top, BGA Test & Burn-In …...Pitch 1.27 –0.05 Pitch 45.00 –0.05 52.50 –0.10 38.40 –0.05 729x 05 m Contact Hole Min Diameter 33.02 –0.10 Max

Documents
Chapter 1: Basics of Machine Learning Modeling...Actual vs. Prediction (Linear SVM) -02 _0.4 Actual vs. Prediction (Linear Regression) 0.10 0.05 0.00 -0.05 -0.10 Linear Regression

Chapter 1: Basics of Machine Learning Modeling...Actual vs. Prediction (Linear SVM) -02 _0.4 Actual vs. Prediction (Linear Regression) 0.10 0.05 0.00 -0.05 -0.10 Linear Regression

Documents
GiGuard - ESD Protection for High Speed Circuits · 2021. 2. 3. · 1.60 ± 0.10 (0.063 ± 0.004) 0.80 ± 0.10 (0.031 ± 0.004) 0.60 ± 0.10 (0.024 ± 0.004) 0.30 ± 0.05 (0.012 ±

GiGuard - ESD Protection for High Speed Circuits · 2021. 2. 3. · 1.60 ± 0.10 (0.063 ± 0.004) 0.80 ± 0.10 (0.031 ± 0.004) 0.60 ± 0.10 (0.024 ± 0.004) 0.30 ± 0.05 (0.012 ±

Documents
Longperiod seismic amplification in the Kanto Basin from the ......log10 (PGM (T)) 0.05 0.10 0.15 0.20 SLOPE 234 7 891056 0.00 0.05 0.10 Period (s) RMS 0.00 this study Campbell et

Longperiod seismic amplification in the Kanto Basin from the ......log10 (PGM (T)) 0.05 0.10 0.15 0.20 SLOPE 234 7 891056 0.00 0.05 0.10 Period (s) RMS 0.00 this study Campbell et

Documents
Measuring the Impact of Sharing Abuse Data with Web ... · -0.10-0.05 0.00 0.05 0.10 0.15 Median blacklist to clean pre-sharing - post-sharing Median recompromise rate pre-sharing

Measuring the Impact of Sharing Abuse Data with Web ... · -0.10-0.05 0.00 0.05 0.10 0.15 Median blacklist to clean pre-sharing - post-sharing Median recompromise rate pre-sharing

Documents
STP - PHD, Inc · STP COMPACT SLIDE SIZE 08 12 16 20 25 lb 0.03 0.04 0.05 0.10 0.15 0.20 0.22 0.29 0.40 0.65 0.85 1.03 0.57 0.87 1.16 kg 0.014 0.018 0.023 0.05 0.07 0.09 0.10 0.13

STP - PHD, Inc · STP COMPACT SLIDE SIZE 08 12 16 20 25 lb 0.03 0.04 0.05 0.10 0.15 0.20 0.22 0.29 0.40 0.65 0.85 1.03 0.57 0.87 1.16 kg 0.014 0.018 0.023 0.05 0.07 0.09 0.10 0.13

Documents
PRISMA - orawearabletech.com · prisma prisma prisma prisma prisma prisma The smart watch adopt the mini volume and high performance built- in lithium battery to ensure stable power

PRISMA - orawearabletech.com · prisma prisma prisma prisma prisma prisma The smart watch adopt the mini volume and high performance built- in lithium battery to ensure stable power

Documents
Salt 600x600mm.pdf · AAYU EXIM Value ± 0.10% ± 0.10% ± 0.20 % ± 0.20 0/0 < 0.05 % > 45 n/mm2 > 144 mm2 > 0.4 > 2500 n 2.4 Frost proof No damage No damage No damage

Salt 600x600mm.pdf · AAYU EXIM Value ± 0.10% ± 0.10% ± 0.20 % ± 0.20 0/0 < 0.05 % > 45 n/mm2 > 144 mm2 > 0.4 > 2500 n 2.4 Frost proof No damage No damage No damage

Documents
Partial ACF -0.10 -0.05 0.00 0.05 0.10 0download.lww.com/.../MD/A/MD_2015_12_03_HAGIHARA_MD...Supplementary data Figure S1. Diagnostics of models: partial autocorrelation function

Partial ACF -0.10 -0.05 0.00 0.05 0.10 0download.lww.com/.../MD/A/MD_2015_12_03_HAGIHARA_MD...Supplementary data Figure S1. Diagnostics of models: partial autocorrelation function

Documents
FT20150127 Arms (6 max) - PL Omaha Hi - $0.05-$0.10

FT20150127 Arms (6 max) - PL Omaha Hi - $0.05-$0.10

Documents
INSTRUCTION MANUAL Copyright © 2007 · Maximum On-State Resistance [RDS-ON][Ohms] 0.29 0.13 0.10 0.05 0.29 0.23 0.05 0.6 0.35 0.8 0.55 INPUT SPECIFICATIONS (1) Description DC Control

INSTRUCTION MANUAL Copyright © 2007 · Maximum On-State Resistance [RDS-ON][Ohms] 0.29 0.13 0.10 0.05 0.29 0.23 0.05 0.6 0.35 0.8 0.55 INPUT SPECIFICATIONS (1) Description DC Control

Documents
In Vivo Cocaine Experience Generates Silent Synapseszhenyan/cocaine+NMDA.pdf · cocaine, 1.22 ± 0.10, n = 15; p < 0.05; total: saline, 1.00 ± 0.05, n = 25; cocaine, 1.04 ± 0.09,

In Vivo Cocaine Experience Generates Silent Synapseszhenyan/cocaine+NMDA.pdf · cocaine, 1.22 ± 0.10, n = 15; p < 0.05; total: saline, 1.00 ± 0.05, n = 25; cocaine, 1.04 ± 0.09,

Documents
Fertility in India Trends and Prospects€¦ · Annual TFR Decrease, Tamil Nadu, Based on 3 Year Moving Average 1972-1974 to 2005-2007-0.10-0.05 0.00 0.05 0.10 0.15 0.20 0.25. 1 9

Fertility in India Trends and Prospects€¦ · Annual TFR Decrease, Tamil Nadu, Based on 3 Year Moving Average 1972-1974 to 2005-2007-0.10-0.05 0.00 0.05 0.10 0.15 0.20 0.25. 1 9

Documents
96FBGA with Lead-Free & Halogen-Free (RoHS compliant)...P R T 7.50 ± 0.10 0.80 3.20 (Datum B) 6.00 (Datum A) 0.10MAX 0.9 0.1 #A1 9 8765432 1.60 7.50 ± 0.10 13.30 ± 0.10 0.37 0.05

96FBGA with Lead-Free & Halogen-Free (RoHS compliant)...P R T 7.50 ± 0.10 0.80 3.20 (Datum B) 6.00 (Datum A) 0.10MAX 0.9 0.1 #A1 9 8765432 1.60 7.50 ± 0.10 13.30 ± 0.10 0.37 0.05

Documents
United States Patent US 7,145,399 B2 Staszewski et al. Dec ... · u.s. Patent Dec. 5,2006 Sheet 8 of 12 US 7,145,399 B2 FIG.9a 0.10 0.05 905 0.00 phe-t-0.05-0.10-0.15 0 200 400 600

United States Patent US 7,145,399 B2 Staszewski et al. Dec ... · u.s. Patent Dec. 5,2006 Sheet 8 of 12 US 7,145,399 B2 FIG.9a 0.10 0.05 905 0.00 phe-t-0.05-0.10-0.15 0 200 400 600

Documents
2001 NHTS – NYS EMFAC PROFILES...region time pct_vmt lower 95% upper 95% Capital District 1 0.44 0.16 0.72 Capital District 2 0.10 0.00 0.27 Capital District 3 0.05 0.00 0.10 Capital

2001 NHTS – NYS EMFAC PROFILES...region time pct_vmt lower 95% upper 95% Capital District 1 0.44 0.16 0.72 Capital District 2 0.10 0.00 0.27 Capital District 3 0.05 0.00 0.10 Capital

Documents
Asymptotic properties of Bayesian nonparametrics and ... · 0.5 1.0 1.5 x f2[, 1]-4 -2 0 2 4 0.00 0.05 0.10 0.15 x f1[, 1]-4 -2 0 2 4 0.00 0.05 0.10 0.15 0.20 0.25 0.30 x f2[, 1]

Asymptotic properties of Bayesian nonparametrics and ... · 0.5 1.0 1.5 x f2[, 1]-4 -2 0 2 4 0.00 0.05 0.10 0.15 x f1[, 1]-4 -2 0 2 4 0.00 0.05 0.10 0.15 0.20 0.25 0.30 x f2[, 1]

Documents