�ݺ�ߣ

Design and analysis of
distributed k-nearest
neighbors graph algorithms
Thibault Debatty
2018-10-05

Design and analysis of distributed k-nearest neighbors graph algorithms 2
k-nn graph
�� Edge to k most similar nodes
�� Directed graph
�� Similarity assumed to be
symmetrical

k-nn graph
Is it useful for analyzing large
datasets ?
E.g.: triage (SPAM), proxy logs, etc.

k-nn graph
Challenges:
�� Interactive analysis
�� Avoid algorithms that require O(nx)
where x>1
�� Distributed algorithms
�� Similarity is not always a metric
(e.g. text datasets)

Outline
�� Fundamental algorithms:
�C Building from text datasets
�C Online building
�C Partitioning
�� Applications:
�C Text clustering
�C APT detection

Building from text datasets
�� Has to be built from a dataset
(like an index)
�� Exact graph: O(n?) similarities

�� We focus on large datasets
=> n? is not acceptable!
�� Some algorithms if similarity is
metric
�� But text similarity is not always
metric
(e.g. Jaro-Winkler)

�� NN-Descent
Build an approximate graph
Compute O(n1.14) similarities
�� BUT: iterative!

NNCTPH
�� Hash using modified hashing
function
CTPH / ssdeep / spamsum
�� Build subgraphs in parallel
�� Merge subgraphs
Single iteration!

�� Experimental evaluation:
�C Apache Hadoop MapReduce
�C SPAM dataset
�C Jaro-Winkler string similarity
(not metric)

�� Thibault Debatty, Pietro Michiardi, Olivier Thonnard,
and Wim Mees. Scalable graph building from text data. In
Proceedings of the 3rd International Workshop on Big
Data, Streams and Heterogeneous Source Mining:
Algorithms, Systems, Programming Models and
Applications, BigMine ��14, 2014
�� Thibault Debatty, Pietro Michiardi, Olivier Thonnard,
and Wim Mees. Building k-nn graphs from large text data.
In Proc. of IEEE BigData, 2014
�� Implementation of NN-Descent and NNCTPH on GitHub
�� java-string-similarity library on GitHub and Maven
�� Java-lsh library on GitHub and Maven

Online building
�� Given a distributed graph:
�C Add nodes
�C Remove nodes
�C Search nearest neighbors of query node
�� Requires k-medoids partitioning of
graph

Partitioning
�� k-medoids clustering
�� CLARANS is slow to converge
�� Two faster methods:
�C Inspired by Simulated Annealing
�C Heuristic
�� Impact of partitioning when we
perform distributed search

Text clustering
�� Text dataset with Jaro-Winkler
similarity (not a metric)
�� Steps:
�C Build (approximate) k-nn graph
�C Prune
�C Compute connected components

APT Detection
�� Advanced => no signatures
�� Persistent => limited activity
�� Threats
�� Need a C2 channel

APT Detection

APT Detection
Here:
APT relying on HTTP
=> proxy logs

APT Detection
How hard can that be?

APT Detection

APT Detection
Displaying a page requires multiple
HTTP requests
=> link each request to its parent
using the logs from the proxy

APT Detection

APT Detection
weight is higher if:
�� Requests are close in time
�� Requests belong to the same domain
�� Same sequence repeats

APT Detection
After pruning the weighted graph,
the APT remains isolated!

APT Detection
weight is higher if:
�� Requests are close in time
�� Requests belong to the same domain
�� Same sequence repeats

APT Detection
�� Batch: build graphs
�� Interactive (web interface):
�C Merge
�C Prune
�C Cluster
�C Filter
�� Approximate k-nn graph
(time and memory)

APT Detection

APT Detection
�� Experimental evaluation
�C Proxy logs of real network
�C Simulated APT traffic
�C Rank suspicious domains
�� Results
�C High detection / false alarm ratio
�C Without prior knowledge about APT

APT Detection
�� False positives:
�C Content Delivery Networks (CDN)
�C Advertising domains
�C Javascript library delivery
�C Websites with very few visits
=> same behavior as APT

Conclusion
k-nn graph is an interesting tool to
analyze large datasets, but
�� Only if approximation is acceptable
�� Other possibilities exist

Perspectives...
�� Broaden to other graph-like
structures:
�C (Hierarchical) Small World Network
graphs
�C Asymmetrical graphs
�� Broaden to other applications
(clustering, nn search)
�� Predict the magnitude of
approximation

Questions...

TH?SE
pour obtenir le grade de docteur d��livr�� par
TELECOM ParisTech
Sp��cialit�� ? INFORMATIQUE et RESEAUX ?
pr��sent��e et soutenue publiquement par
Thibault DEBATTY
le 5 octobre 2018

Directeurs de th��se
�� Pietro MICHIARDI
�� Wim MEES
Jury
�� M. Giovanni NEGLIA, Charg�� de Recherche HDR, INRIA
�� M. Jean-Michel DRICOT, Professeur associ��,
Universit�� Libre de Bruxelles
�� M. Marc DACIER, Professeur, Eurecom
�� Mme Elena BARALIS, Professeur, Politecnico di
Torino

�ݺ�ߣ

Design and analysis of distributed k-nearest neighbors graph algorithms

More Related Content

Design and analysis of distributed k-nearest neighbors graph algorithms