Angle web interface user guide
1. Static Mode (Historical data view of the network)
Angle is a web based Anomaly Detection system to monitor network traffic and
to detect unknown anomalous events. Network health is monitored by capturing
packets at multiple Internet locations and detecting new traffic trends and sudden changes.
Modes in Angle
- Static Mode (Historical data view of the network)
- Real Time Streaming Mode
1. Static Mode (Historical data view of the network)
To have the system working one has to select the following options
- Location
- Threshold
- Features
- Time
- Scoring Model
Location
This is the list of places from network data is available. The list includes
This is the list of places from network data is available. The list includes
- uic2 (Chicago)
- uofc (University of chicago)
- Anl (Argon national Labs)
- ISI (California)
Threshold
This is a value between 0-1 . It is the value for the selected feature, all nodes which score a value more than this threshold will be listed out.
This is a value between 0-1 . It is the value for the selected feature, all nodes which score a value more than this threshold will be listed out.
Features
The set of features depends on the collection chosen. The list of available features are
The set of features depends on the collection chosen. The list of available features are
- numberOfPorts
- numberOfIps
- numberOfPackets
- averagePacketSize
- averageDataSize
- maxPacketsPerDestination
- maxPacketsPerPort
- maxInterpacketInterval
Time
Its the Month Year/date /Time, for which the network state is compared with the selected Model and the output is given For each selection in the time selector the next box gets highlighted in a red color loading the appropriate values for the corresponding Location selected. One should select a month,day and time for which the analysis has to be performed.
Its the Month Year/date /Time, for which the network state is compared with the selected Model and the output is given For each selection in the time selector the next box gets highlighted in a red color loading the appropriate values for the corresponding Location selected. One should select a month,day and time for which the analysis has to be performed.
Collection
The collection defines the predefined set of models which has a predefined subset of the features (defined above), over which the base Models are defined. Every Model in the list has one or more of the feature set included in it for comparison.
The collection defines the predefined set of models which has a predefined subset of the features (defined above), over which the base Models are defined. Every Model in the list has one or more of the feature set included in it for comparison.
Scoring Model
Select a Model for scoring . This is the base model with which the current selection is compared with.
Select a Model for scoring . This is the base model with which the current selection is compared with.
Score
The Score function is called once the button is clicked. It compares the selected Location along with the Features with the Threshold value and the Time with the preset Model selected from the given collection. The Scoring function calculates the deviation of the attributes of the packet with the centroid of the Clusters in the selected Model and gives the IPs which are above the given threshold. The Given IPs are displayed in the google Maps with red circles.
One can click on the red dot to get more information on it.
The Score function is called once the button is clicked. It compares the selected Location along with the Features with the Threshold value and the Time with the preset Model selected from the given collection. The Scoring function calculates the deviation of the attributes of the packet with the centroid of the Clusters in the selected Model and gives the IPs which are above the given threshold. The Given IPs are displayed in the google Maps with red circles.
One can click on the red dot to get more information on it.
Score of Ips over a period of 10 mins
Cluster Dispersion in the selected Model
2. Real Time Mode
The set of controls for the real time mode is similiar to the previous one except there is no Time entry , all data which is collected real time and analysed.
There is a "Start Stream" and "Stop Stream" to start and start the analysis engine. The analysis is made for 10 mins after which it stops(for demo pupose).
Features of Real Time Mode
The set of controls for the real time mode is similiar to the previous one except there is no Time entry , all data which is collected real time and analysed.
There is a "Start Stream" and "Stop Stream" to start and start the analysis engine. The analysis is made for 10 mins after which it stops(for demo pupose).
Features of Real Time Mode
- Real Time mode refreshes the anomolous IP list almost every second (one can see the red spots growing in the google maps)
- The time series grows as time grows and it shows the last 3 mins data of the score calculated .
- Features from every packet of data received is taken and the score is calculated based on the base model selected .
- On every second the list of IPs which fall out of the threshold is highlighted .