an analytic architecture for machine speed network defense ... · context of the system, and...

AnAnalyticArchitectureforMachineSpeedNetworkOperations

Draftv0.6

©2018G2Inc. InnovationThatMakesaDifference302SentinelDrive|Suite300|AnnapolisJunction,MD20701|P:301-575-5100|www.g2-inc.com

2

AnAnalyticArchitectureforMachineSpeedNetworkOperations

Introduction

Effectivenetworkoperationsagainstrapidlyevolvingcyberthreatsrequiremachinespeedresponse.Ifwearetothwartouradversariesweneedtorespondastheattackistakingplace.Wedonothavetimetoperformforensicanalysisasaprecursortoalldefensivedecisionmaking,andyetforensicanddeeplearninganalysisisstillrequiredtogeneratetheunderstandingthatinformsmachinespeeddecisions.

Thegovernmentneedsalayeredarchitectureoptimizedforseveralcomputingapproaches.Machinevs.machineeffectsrequireinstantaneousdecisionsbasedonreal-timeobservationandpre-calculatedmodels.Atthenextanalysislayer,thosedecisionsareaugmentedwithconfidencebasedonbroadercontextacrossmultiplereal-timeplatformsandsomedataenrichment.Themodelsthemselvesarebuiltbasedonhigh-latency,deeplearninganalyticsthatgenerateglobalandhistoricknowledge.

Athree-zonedarchitecturewithEdge,FogandCloudelementswouldbewellsuitedtodistributeandintegratethisrangeofanalyticcomputefunctions.ThispaperdescribeseachofthezonesindetailandthenoffersexamplesthatdemonstratehowthesharingofanalyticmodelsenablesretrospectiveanalysissystemsliketheBigDataPlatformtoinformmachinespeedoperationsonedgesystemsliketheOpenDataPlatform.

A three-zoned architecture (Edge-Fog-Cloud) would bewell suited to enablemachine speeddecisionsbasedoninstantaneousobservationsinformedbylong-termunderstanding.Theabilitytodistributeanalyticcapabilitiesappropriatelyacrossthesezonesiskeytothesuccessofthisarchitecture.


3

Beforeexaminingeachofthesezonesindetail,itisusefultoconsidertheirrolesintheoverallanalyticendeavor.Machinespeedsensingandactiontakeplaceattheedge.Computationisinstantaneousandlocal,andpre-calculatedmodelsareusedtosupportautomateddecisions.Edgedataiscapturedinthefogandisusedtofeedcontextbuildinganalyticsthatsupporttheorchestrationofactionattheedgeandthatfeedhigherorderanalyticsinthecloud.Forwardlooking fog analytics are low latency and behavioral focused. They are used to increaseconfidenceinpredictiveanalyticsandmachineresponses.Backwardfacingfoganalyticsarehighlatency,onlyinitiatedafteraneventhastakenplace,oftenrequireahuman-inthe-loop,andareused to perform forensics or to validate past behaviors. Cloud analytics support theestablishmentofglobal(orenterprise-wide)insightsthroughdiscovery,deeplearning,historical,andrelationship-basedanalytics.Analyticsareofteninitiatedbyhumanquestions,andlatencyisgenerallyhigh.

Aswemovefromedgethroughfogtocloud,wetraverseseveralcontinua.Thebreakpointsonthesecontinuabetweenthezonesmaybesomewhatarbitraryandcanbeadjustedtoaddressthephysicalarchitectureoftheenterprise,buttheattributesattheendpointsandthedirectionofchangeremainthesameinallinstantiationsofthisthreezonearchitecture.Latencyincreasesfrom edge to cloud, ranging from instantaneous observation and response to high latencyoperations that must accommodate long term observations and long processing times. Thegeographicspanofconsiderationexpandsfromedgetocloud,rangingfromimmediatevicinitytoglobalreach.Similarly,thetemporalspanincreases,rangingfromstatelesstohistorical.Thecontentrichworldoftheedgeundergoesaseriesofabstractionsasitmovestothecontextrichworldofthecloudanddiscretefactsbecomeenrichedbyrelationships.Finally,theavailabilityofcomputeandstorageresourcesincreasesfromedgetocloud,constrainingthetypeofanalyticsthatcanbecarriedoutineachzone.


4

AnalyticApproachattheEdge

TheEdgeisthelocusofobservationandaction.Itconsistsofthesensorsthatcollectrawdata,flowmeasurements,andmeasurementsofsystemstateandofactuatorsthatcontrolsystemresponse.Inaphysicallydistributedsystem,theremotenodesaregenerallyalledgenodes,butitisamistaketoequateedgewithphysicallyremote.Sensorsdeployedatthecoretomeasuresystemstatearealsoedgenodes.Theedgeisaboutthehereandnow.Thedataarelowlatency,local,statelesspiecesofcontent.Theyarethenecessaryinputstodata-drivendecisions.Dataattheedgeisingestedandusedinanalyticsinallthreezones.Metadatasuchasplaceandtimeareadded at ingest. Edge analytics largely consist of comparisonof this data against establishedcriteria–thresholds,keywords,signatures,behavioralmodels–toseeiftheyareinteresting,anomalous,orwarrantaction.Suchanalyticsaremosteffectiveiftheycanproducedecisionsandinitiateautomatedactionsinrealtimeasthedataisstreamingthroughthesystembeforeitgoestostorage.Infact,oneoftheimportantdecisionsofasubsetofedgeanalyticsiswhetherandhowadatumshouldbesenttostorage.Thestatelessnatureofthisdatamakesitwellsuitedtostreaminganalytics.

The analytics that are best performed in the edge include: environmental sensing, patternmatching,keyword-basedselection,scoringagainstamodelorsetofrules,anomalydetection.It isazonewhich iswellservedusingacceleratorsandtheenvironment ischaracterizedbyaheterogeneoussetofplatformsincludingGPU-andFPGA-basedsystemsinadditiontotraditionalCPU-basedplatforms.Thecomputepowerisgenerallyontheorderoflessthan10servers.Rawdatamaybestoredhereifthereisarequirementforretentionofalldataforsomeperiod,buttherearefewstructureddatastoresinthisenvironment.Platformsaretypicallymobile,perhapsruggedized,orembeddedinlowlevelcomponents.


5

AnalyticApproachintheFogLayer

Dataisforwardedtothefogbasedonimmediaterelevancedecisionsmadebyedgeanalytics.Decisionsonbroaderrelevancearemadeinthefog.Datafrommultiplesensorsisaggregatedinthefogandcontextbeginstoemerge.Localmodelsarebuiltasobservationsarefedtomachinelearningalgorithms.Analyticsthatmakecomparisonscrosssensorsoracrossasinglesensorovertimeenrichthemetadatawithinsightintoattributesofthedatasuchasrelevancetobroaderquestions,novelty,confidence,urgency.Theseattributescanbeusedasinputtohigherlevelanalytics(gateway)orasfeedbacktotunethedecisionmakingofthelowerleveledgeanalytics(qualitycontrol).Whilethesegatewayandqualitycontroldecisionsneednotberealtime,theirusefulness degrades with latency, so speed remains an important consideration in fogcomputing,andmicrobatchprocessing,perhapsaugmentedbystreaming,ismostappropriateatthislevel.

Because the fog has access to both raw data and decision-making capabilities, has computeresourcesthatareadequatetoperformadvancedanalytics,andhaslowlatencycommunicationswith sensors and actuators, it is the locus of machine-speed orchestration. In the fog, localobservations trigger quick responses to be executed by local resources. Prior offline cloudprocessing is needed to establish the decision-making criteria, but the fog does not need toaccessthecloudtoapplythosecriteriabasedonaninterpretationoftheobservationshereandnow.Orchestratedmachinevsmachineactionsaremadepossible.

The analytics best performed in the fog include metadata annotation, correlation, datanormalization,consensusoperations,gisting,filtering,andtrafficflowcontrol.Acceleratorssuchas GPUs and FPGAs remain effective in the fog, but they are coupled with more capabletraditionalcomputation,ontheorderof50serversorso,andwithstructureddatastores.Fogcapabilities are typically one or two racks in size. They can be vehicle mounted, but theexpectationisthattheyarefixedandattachedtoarobustcommunicationnetworkforaperiodoftime.

AnalyticApproachintheCloud

Dataandmetadataareforwardedtothecloudandusedinavarietyoflongertermanalytics–forensics,modelbuilding,discoveryorexpositionofrelationships.Analyticsinthecloudmakesenseofthemeaningandsignificanceofthelowleveldatarelevanttoquestionsathand.Theybuild graphsof relationships amongdata, andoftenaremore concernedwith the factof anobservationthanwiththecontentofthatobservationitself.Theyconsiderhistoryandthebroadcontextofthesystem,andgenerallycannotberunatmachinespeed.Cloudanalyticsalsosetand update the decision criteria used in lower level analytics, however, and so remain timesensitive.

Higherorderanalyticssuchasgraphanalysis,modelbuilding,discoveryanalytics,deeplearning,and semantic-based analysis arewell suited for the cloudenvironment. This environment is


6

characterizedbyrobustcomputecapability,perhapsevenhighperformanceplatforms,andhasrichaccesstocomplexdatastores,networkconnectivity,andlongtermdatastorage.

TheConnectiveTissue

Thoughwedescribethesethreelevelsasdistinct,successfuloperationofthesystemrequirestheybecloselyinterrelated.Thedatapathfromedgethroughfogtocloudandthecontrolpathfromcloudthroughfogtoedgearecritical.Theedge is the local ingestionpoint for thedataoriginatingfromavarietyofsources.Eachdatapointwillbeanalyzedattheedgetodeterminethepaththatittakes.Basedonpre-definedpoliciesandruleswhicharedevelopedinthecloud,thedatamaybeprocessedlocally,maybesenttothecloudforfurtherprocessing,ormaybeusedatbothlevelsfordifferentpurposes.Thedatawhichiscriticaltothesecurityandoperationsofthelocalinfrastructurewillbeanalyzedandprocessedbytheedgecomputinglayeratmachinespeed.Thedatathatcontributestolong-termanalyticsbasedonhistoricaltrendsmovestothecloudforbatchprocessing.Therearefeedbackloopsonboththedataandcontrolpathstoassuretheanalyticsystemremainseffectiveinachangingenvironment.

Inaddition,thereareseveralservicesthatneedtobesharedacrossthethreelevelstoassuretheefficiency,effectiveness,andsecurityoftheanalyticendeavor.Dataexchangestandardsassurethatdataiscorrectlyinterpretedacrossalllevels.Dataandmodeldiscoveryservicesenabledatafromacrossthesystemtobebroughttobearinallanalyticsinwhichtheywillbeuseful.Dataprovenanceservicesassurethatdataoriginandtransformationsmadetothedataaretrackedsotheirimpactontheanalyticresultcanbeunderstood.Deviceregistrationandassetmanagementenable system resources to be used to best effect. Identity and access management keymanagement, public key infrastructure, and audit need to operate end-to-end to assure thesecurityofthesystem.

WorkedExamplesinNetworkOperations

This three tiered architecturewhich supports decisionmaking atmultiple time scales canbeeffectiveinprovidingmachinespeednetworkdefenseasthefollowingexamplesshow.

ExampleOne–NetworkDefense

Anedgedeviceismonitoringsystemstateandnoticesthatanapplicationistryingtoescalateprivilege. The behavioralmodel (previously developed on the cloud) that is embedded in itsanalyticsuggestthatthisisabadbehaviorthatshouldnotbeallowed.Theedgeanalyticmakesadecisiontopausetheapplicationandsendstheinformationtothefog.Thefoganalyticnoticesthatthereissimilarbehavioronneighboringdevicesanddecidesthisgivestheinitialobservationmorecredence.Itforwardtherelatedobservationstothecloudandnotifiestheedgedevicetostop the offending application. The cloud analytic puts the recent local observations in thecontextofpastattacksandattacksonotherpartsofthesystemandrecognizesaknown,butrareattack. Itupdatesthebehavioralmodeltoindicatetheincreasedlikelihoodoftheattackandsendstheupdatedmodeltoalltheedgeunitswhichlowerstheirthresholdforaction.Theinitial


7

decisiontopausecouldbemadeinstantlyandlocally,providingamachinespeeddefense.Thevalidityofthisdecisioncouldbeassessedquicklyusingtheimmediatecontextandthestrengthofresponsecanbeincreasedgiventheincreasedconfidenceintheinitialdecisionthatcomesfromthisvalidation.Thenlongertermanalysiscanbebroughttobeartoadjustthelongtermbehaviorofthesystemtobemoreresponsivetothisemergingthreat.

ExampleTwo–MaintainingSystemIntegrity

Sensorsaredeployedtomeasurenetworktraffictosupportandsystemstate.Measurementsfromneighboringsensorsareaggregatedandcomparedinthefogtodetectanomaloussenorbehavior.Thisinformationisusedlocallytomakedecisionsabouttheconfidencetobeplacedinsensordataandpassedtothecloudtobeusedinsystem-widedecision-makingconcerningsystemhealth.Trendanalytics running in theclouddetect the fact thataparticular sensor isconsistentlyreportinganomalousdataandanalysisofthesensorhistory indicatesanunusualpatternofcommunicationtothesensorfromasuspectsource.Assetmanagementnodesinthefogarenotifiedthatthesensorhasbeencompromised.Thesensorisre-flashedtoaknowngoodstate,andthesensormeasurementsreturntonormallevels.

ExampleThree–SupportforOffensiveOperations

Systemcommunication isgovernedbyanenterprisecommunicationpolicy formulated in thecloud.Foganalyticsoperateonthispolicytodevelopamodelofcompliantconnectionsthatcanbedeployedtotheedgeandusedinedgepolicy-matchanalytics.Dataflowmeasurementsattheedgedetectanexfiltrationpaththatconflictswithitsdeployedcommunicationspolicy.Itsendsaquerytothefog-basedorchestratorcheckingwhetherthispathiscorrect.Thefognotesthepolicybreach,issuesacommandtoblockthepath,andsendstheinformationtothecloudformoredetailedanalysisoftheanomaly.Cloudanalyticsdeterminethattheexfiltrationisindeedtheresultofanattackanddecidestousethepathasavectorforanoffensivedis-informationattack.Abogusdatastreamdesignedtoconfusetheattackerisdevelopedandsenttotheedgealongwithachangeofpolicythatvalidatesthetransmissionofthebogusdata.

ExampleFour–SupportforSplitBaseOperations

Effectivecyberoperationsareoftensplitbetweenforwarddeployedandheadquartersunits.Theforwarddeployedunitscanoperateautonomouslyintheirsphereofcontrol,butremainrobustlyconnectedtoheadquartersoperatorstomaintainaglobalviewandstrategicperspective.Theanalyticactivitiesoftheforwarddeployedunitareservedbythefogresources,headquartersanalysis uses the full range of capabilities in the cloud. The dynamic between fog and cloudmirrorsthedynamicbetweenforwarddeployedandheadquartersunits.


8

QualificationsandReferences

G2 works with clients to make significant contributions to some of their most challengingproblemswithincomputernetworkexploitation,cyberanalytics,datascience,edgecomputing,national cybersecurity guidance and enterprise IdAM. These contributions have led tomeaningfulimpactsatthenationalleveltoincludeinfluencingguidanceandpolicy,aswellas,developing national security protections. At the core of G2 is innovation. Every day we arebuildinginnovativeapproachesandsolutionstohelpfurtherdriveourclients’missionstosuccessnowandinthefuture.

IntendedandExpectedUsage

The use of this paper and the concepts presentedwithin this paper are strictly for the U.S.Governmentanditsappointedofficialpersonnel.

an analytic architecture for machine speed network defense ... · context of the system, and...

Documents