This article outlines how Emcien can be used to analyze network traffic to identify patterns of attack and apply those patterns to incoming network data.
Align your data with a use case
Note: This use case uses the network attack example data set. Your data should look similar to the example data, including the necessary dependent variable. In this data set there are fourteen different identified classifications of an attack. Additionally, each transaction in the data has been tagged with a classification score to prioritize attack status.
If your data doesn't follow this same structure, please consult the Preparing Your Data article. For further information you can contact Emcien's support team.
Optimize your data for analysis.
For Emcien to learn the patterns that characterize an attack on your network, it must first analyze data in which known attacks are already labelled.
If you do not have network data with identified network intrusion attempts, it may be possible to identify those transactions and mark them as such. Adding this “derivative data” is not limited to identifying attacks or other dependent outcomes, but can include day of the week, part of day, seasonality, or any additional information that can be attached to existing data. For more on the concepts behind adding additional data, see the Derived Data article.
These additional columns are relatively easy to add and can significantly improve Emcien's analysis.
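As an added example (not Emcien's own tooling), the script below enriches a constructed CSV of network transactions with the kind of derived columns described above (day of week, part of day, weekend flag) before upload; the column names and sample rows are assumptions, and rows with an unparseable timestamp are kept with blank derived values so the file still loads.

```python
"""Add derived columns to network transaction rows before uploading to Emcien.
Added example; column names and sample rows below are constructed assumptions."""
import csv
import io
from datetime import datetime

# Constructed sample: timestamp, source, destination port, bytes, Priority label.
SAMPLE_CSV = """timestamp,src_ip,dst_port,bytes,Priority
2023-03-06T02:15:00,10.0.0.5,22,512,3
2023-03-08T13:42:10,10.0.0.7,443,20480,1
2023-03-11T19:05:33,10.0.0.9,3389,4096,2
"""


def part_of_day(hour: int) -> str:
    """Bucket an hour (0-23) into a coarse part-of-day label."""
    if 0 <= hour < 6:
        return "night"
    if hour < 12:
        return "morning"
    if hour < 18:
        return "afternoon"
    return "evening"


def add_derived_columns(csv_text: str, ts_field: str = "timestamp") -> list[dict]:
    """Return rows with added day_of_week / part_of_day / is_weekend columns.
    Original columns are left untouched; rows whose timestamp does not parse
    get empty derived values instead of being dropped."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            ts = datetime.fromisoformat(row[ts_field])
            row["day_of_week"] = ts.strftime("%A")
            row["part_of_day"] = part_of_day(ts.hour)
            row["is_weekend"] = "yes" if ts.weekday() >= 5 else "no"
        except (KeyError, ValueError):
            row["day_of_week"] = row["part_of_day"] = row["is_weekend"] = ""
        rows.append(row)
    return rows


def to_csv(rows: list[dict]) -> str:
    """Serialise enriched rows back to CSV text ready for SFTP upload."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=list(rows[0].keys()))
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()


if __name__ == "__main__":
    print(to_csv(add_derived_columns(SAMPLE_CSV)))
```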
Load your data for analysis.
You can upload data files to Emcien over SFTP using your preferred client, such as FileZilla or Cyberduck.
To connect to Emcien with your SFTP client, use the following credentials:
- Host: feeds.emcien.com
- Username: {Your Emcien Feeds server Username}
- Password: {Your Emcien Feeds server Password}
Analyze the data you've uploaded.
Using your preferred Internet browser, navigate to the Emcien Sign In page.
For cloud users, navigate to http://patterns.emcien.com/. On the Home page, click Analyze Data.
The Analyze Data button will bring up all of your uploaded data. Select your data set. You have the option of selecting a Project Folder or creating a new one.
Select a Project Folder, enter a Prediction Category if you have one (in this case, Priority), and if necessary rename the Report. For this data set we will be predicting the Category “Priority”.
Once your project is organized, click Start Analysis.
The load screen will take you through each stage of the analysis.
When the analysis is complete you will hear a chime and the View Analysis button will be highlighted in green. Just click the button to see your results.
See the results of your analysis.
In our analysis we have directed Emcien to predict the Category “Priority”. This will bring up the Dashboard and the Predictions metrics for the targeted outcome. The analysis has identified 269 rules to predict the three outcomes, Priorities 1, 2, and 3.
To see the predictions in detail, click the dark blue Priority button. The Category Detail is displayed, showing all three items, their connectivity statistics, and because this data includes a timestamp, a trend line graph.
Because we are interested in only the highest priority attacks we will select the item “Priority:3” at the bottom of the list.
The analysis has found 95 Predictors for Priority:3 attacks, some with prediction probabilities as high as 100% in this data. Clicking View Predictors will take us to the list of these rules.
All 95 Predictive Rules are shown for the Item Priority:3, listed in order of strength.
You can download these Predictive Clusters by clicking the Download CSV button in the top right corner of the page, but Emcien recommends that these predictions be automated through the real-time Prediction Server.