enhancing network visibility and security through tensor
TRANSCRIPT
Enhancing Network Visibility and Security through Tensor Analysis
Muthu M Baskaran, Tom Henretty, James Ezick, Richard Lethin
Reservoir Labs Inc., 632 Broadway Suite 803, New York, NY 10012
David Bruns-Smith
University of California, Berkeley, CA
Abstract
The increasing size, variety, rate of growth and change, and complexity of network data has warrantedadvanced network analysis and services. Tools that provide automated analysis through traditional oradvanced signature-based systems or machine learning classifiers suffer from practical difficulties. Thesetools fail to provide comprehensive and contextual insights into the network when put to practical use inoperational cyber security. In this paper, we present an effective tool for network security and traffic analysisthat uses high-performance data analytics based on a class of unsupervised learning algorithms called tensordecompositions. The tool aims to provide a scalable analysis of the network traffic data and also reducethe cognitive load of network analysts and be network-expert-friendly by presenting clear and actionableinsights into the network.
In this paper, we demonstrate the successful use of the tool in two completely diverse operational cybersecurity environments, namely, (1) security operations center (SOC) for the SCinet network at SC16 -The International Conference for High Performance Computing, Networking, Storage and Analysis and (2)Reservoir Labs’ Local Area Network (LAN). In each of these environments, we produce actionable resultsfor cyber security specialists including (but not limited to) (1) finding malicious network traffic involvinginternal and external attackers using port scans, SSH brute forcing, and NTP amplification attacks, (2)uncovering obfuscated network threats such as data exfiltration using DNS port and using ICMP traffic,and (3) finding network misconfiguration and performance degradation patterns.
Keywords:Network analysis, Cyber security, Tensor decompositions, Network threats
1. Introduction
Network analysis and network threat identifi-cation are notoriously difficult problems to solve.Traditional signature-based approaches are oftenthwarted by the ever-changing nature of moderncyber threats. It is nearly impossible to define sig-natures for what is or is not normal that generalizeacross many networks. Even on a given network,expected behaviors might change from day to day.
Email addresses:{baskaran,henretty,ezick,lethin}@reservoir.com
(Muthu M Baskaran, Tom Henretty, James Ezick, RichardLethin), [email protected] (David Bruns-Smith)
Furthermore, it might not be possible to write co-herent rules that capture all activities of concern.
The application of cutting-edge data analytics tonetwork traffic logs has struggled to surpass theshortcomings of classical signature-based systems.Supervised techniques run afoul of the same keyproblem – it is not realistic to specify normal versusabnormal behavior upfront. Other approaches thatrely on training a model based on large volumesof historical data are hindered by another issue –because of the sensitive nature of network trafficthere is very little publicly-available training data,and that data is not guaranteed to generalize in ameaningful way to the user’s own network.
Tensor decompositions are a class of algorithms
Preprint submitted to Elsevier September 23, 2017
that provides a new approach for analyzing net-work traffic data that has been demonstrated toovercome these traditional shortcomings. A tensoris a multidimensional array of data – a suitable ab-straction for structured network metadata collectedin the form of network logs. A tensor decomposi-tion breaks down a tensor, such as a log, into afinite set of patterns, called components. In thisway, tensor decompositions perform a form of un-supervised learning on network traffic that does notrequire prior training data.
A tensor-based approach is uniquely better suitedthan other classical unsupervised machine learningapproaches for network analysis and cyber securityin that a tensor decomposition can natively capturepatterns that span the entire multidimensional dataspace. This can include patterns that reflect mul-tiple sources, multiple receivers, periodic time in-tervals, and other complex patterns that cannot becaptured with approaches such as k-means cluster-ing or Principal Component Analysis (PCA). Thishas enabled tensor decompositions to extract ma-licious behavior that has been intentionally obfus-cated during our experiments on real network trafficdata. In particular, initial experiments have shownthat tensor decompositions especially excel at iden-tifying data exfiltration, an activity of special con-cern in the security community.
We develop and present CANDID, a highly scal-able and user-friendly network analysis tool fordeeply analyzing network metadata and present-ing clear and actionable insights. CANDID isbuilt upon ENSIGN [1], a generic high-performancetensor analysis tool, developed at Reservoir Labs,that provides fast, efficient, and scalable tensor de-compositions. ENSIGN provides novel data struc-tures [2] for storing tensors and implementationsof multiple tensor decomposition algorithms specif-ically engineered to scale to large problems [3, 4].
In this paper, we make the following specificcontributions:
• Present a scalable network analysis workflowstarting from tensor construction from net-work log data to integrating the results of ten-sor analysis into widely-used data managementplatforms such as Splunk.
• Present the use of tensor decompositions inlarge-scale operational cyber security environ-ments.
• Present concrete, actionable discoveries usingthis approach.
The remainder of the paper is organized as fol-lows. Section 2 provides an overview of tensors,tensor decompositions, and how to interpret theirresults. Section 3 discusses some related researchwork on applying tensor decompositions for cybersecurity. Section 4 discusses the workflow of ourCANDID network analysis tool. Sections 5 and 6detail the practical deployment of our tool at SC16SCinet network and Reservoir Labs’ LAN, respec-tively, and discuss some of the significant resultsfrom the deployment. Section 7 discusses our planfor using and demonstrating CANDID/ENSIGN onSC17 SCinet network. Section 8 summarizes ourwork with a foreword on our ongoing work.
2. Tensor Analysis and Tensor Decomposi-tions
2.1. Representing Multidimensional Data as Ten-sors
Tensors (aka multidimensional arrays) are a nat-ural fit for representing data with multiple associ-ated attributes such as network traffic data. Con-sider a sample data log of network traffic messages.For each message, let us assume that the log recordsthe timestamp of the message, IP address that sentthe message, TCP/UDP port that the IP addressused, and IP address that the message is sent to.This dataset can be formed into a four-dimensionaltensor with the dimensions (“modes” in the tensoranalysis parlance) being timestamp, sender IP, re-ceiver IP, and port. For each (timestamp, senderIP, receiver IP, port) tuple, the tensor contains thecount of the number of messages sent at that time,by that sender IP, on that port, to the receiver IP.
2.2. Tensor Decompositions
Tensor decompositions are a valuable, mathemat-ically sound set of tools for exploratory analysisof multidimensional data and for capturing under-lying multidimensional relationships. Tensor de-compositions separate the input data into patternscalled “components.” Each component representsa latent behavior or correlation from within thedataset. This separation into components occurswithout training or upfront specification. Thereare two prominent tensor decomposition models,namely, CANDECOMP/PARAFAC (CP) decom-position and Tucker decomposition. The particulardecomposition model used in this paper is the CPdecomposition illustrated in Figure 1.
2
Figure 1: A CP Decomposition of a 3-dimensional tensorinto R components.
A CP tensor decomposition decomposes a tensorinto a set of components, each of which representsa different pattern extracted from the original ten-sor. Each component has a weight and then onescore vector for each tensor mode. The componentweight reflects how large the contribution of thiscomponent is to the original dataset. The lengthof the score vector for the ith-mode is equal to thenumber of indices in the ith-mode.
In the experiments described in this paper, weuse the Alternating Poisson Regression (APR) al-gorithm [5] for computing CP decomposition. Thisalgorithm computes a CP decomposition in a waythat is tailored to work on sparse data that is mod-eled by a Poisson distribution. It is well knownthat real world count/event data is roughly ap-proximated by a Poisson distribution, and thismethod produces good decomposition results forcyber data.
2.3. Interpreting Decomposition Results
The output components of tensor decompositionsare the core of tensor analysis. Let us consideragain the previous four-mode tensor with the di-mensions timestamp, sender IP, receiver IP, andport. Performing a CP decomposition would de-compose this tensor into components. Each compo-nent has a weight that corresponds to the volume ofnetwork traffic this component describes. This willnot be the exact number of messages explained bythis component, but an approximate volume (sincesometimes components have non-integer weights).Higher weight components correspond to large-scalepatterns and low weight components correspond tomore anomalous or specific traffic. Each componenthas four score vectors: one for timestamp, one forsender IP, one for receiver IP, and one for port. Thelength of the score vector of each mode will be thetotal number of distinct entities in that mode (i.e.,number of distinct time steps, sender IPs, receiverIPs, ports).
The individual score values indicate how much aspecific index contributes to this cluster of networkactivity. Each score is a continuous value between0.0 and 1.0. Within each score vector, the scoresare normalized so that they sum to 1.0. Thus anatural interpretation of the score is what fractionof the total network messages represented in thiscomponent this index contributes to.
3. Related Work
Some existing work in the literature (e.g., Mul-tiAspectForensics [6] and MalSpot [7]) has appliedtensor decompositions to network traffic data in or-der to extract anomalies and malicious patterns.Unlike the other work, we extend beyond theoret-ical research and toolbox development to demon-strate practical operational results. Our experi-ments are set up in operational cyber security en-vironments, enabling us to study how tensor de-compositions fit into a realistic work flow. Thenetwork at SC16 was extremely high volume andbad actors were common making it a uniquely idealdata source compared to publicly available networkdatasets.
Since the ENSIGN tensor toolbox includes a scal-able implementation of Poisson regression based CPalgorithm for tensors of arbitrarily many dimen-sions, we also avoid many of the limitations ex-isting in other work such as MalSpot. Our Pois-son regression based tensor decomposition methodproduces sparse component vectors with all non-negative scores. This is critical for network securityanalysis because it allows components to be exam-ined individually for the behavior they represent.With the commonly used CP algorithm (based onAlternating Least Squares method), the componentvectors are often dense and have both positive andnegative scores. This means that most entries inthe reconstructed tensor have contributions frommultiple components (some of which might be pos-itive while others may be negative) that compli-cates analysis. MalSpot, for example, addressesthis problem by plotting IP address scores betweencomponents and then clustering the points in thatspace. However, this creates a proliferation of workfor the analyst. In the case of highly heterogeneousdata such as real network traffic, a day’s worth ofdata might take tens to hundreds of components toaccurately decompose. To plot the IP scores be-tween all possible pairs (or even triples) of compo-nents is not feasible.
3
4. CANDID Workflow
Figure 2 represents the CANDID network analy-sis workflow. CANDID involves a data transforma-tion module that transforms network flow logs (cur-rently Bro [8] logs) into tensors. The data transfor-mation module can build an arbitrary number oftensors from network flow logs.
Figure 2: CANDID Workflow
There are multiple Bro log files (such as conn.log,files.log, dns.log, http.log) and each log file has mul-tiple fields or attributes. In theory, one could con-struct an arbitrarily large number of tensors de-pending upon the choices made in terms of the logfiles, log file attributes, and transformations appliedon the attributes. We choose an initial suite ofnetwork tensors that provides visibility into diversenetwork traffic patterns. The current version of thedata transformation module takes in four differentkinds of flow and protocol-specific Bro logs, namely,conn.log, files.log, dns.log, and http.log and pro-duces a suite of tensors (as shown in Table 1) fordecomposition that gives maximum network visibil-ity and uncovers network patterns/behaviors andthreats.
The tensors created from the network flow logsare analyzed using the ENSIGN tensor analysis en-gine, the core module of the workflow. The resultsfrom tensor analysis are passed on to a tensor out-put validation module (this module is an optionalmodule in the workflow and is not a focus of thispaper), from which the tensor decomposition re-sults are passed on to a Splunk [9] dashboard fora user-friendly visualization of the results. Devel-oping the Splunk dashboard is a work in progress.For the work described in this paper, the Splunkinvestigation is done manually. However it is to benoted that the components from tensor decomposi-tions (that are few hundreds in number compared
to the million or billion lines of original logs) pro-vide the map to an effective investigation in Splunkthat requires less cognitive load.
A network traffic pattern is ultimately a set ofnetwork log entries that belong to a distinct class ofactivity. Therefore we can represent network trafficpatterns as filters to apply to the original networklogs that select only those messages associated withthis pattern. The advantage of doing this withinSplunk is that the user/analyst not only has imme-diate access to all the statistics and visualizationtools available, but is also enabled to inspect a sin-gle discovered traffic pattern in greater detail. TheSplunk dashboard will expose the network patternsto an analyst in a clear and interpretable way thatdoes not require tensor expertise.
5. Tensor Analysis at SC16 SCinet
SCinet, described as “the fastest network con-necting the fastest computers,” is set up each yearat SC – the International Conference for HighPerformance Computing, Networking, Storage andAnalysis. In 2016 SCinet offered 3.15Tbps fromthe network operations center and connected over12,000 researchers. There is no firewall and no assetidentification or authorization. We were located inthe security operations center (SOC) for SCinet an-alyzing network traffic metadata from 40 networktaps across 1/10/100Gbps wired connections and200 wireless access points. A cluster of ReservoirLabs’ R-Scope network security appliances [10] run-ning a highly optimized version of the Bro networksecurity monitor provided network traffic metadata.Tensor decompositions were performed on a 12-coreHPE Apollo 2000 machine.
Numerous threats and suspicious sessions wereisolated into distinct decomposition components.We present a list of interesting network traffic pat-terns and security attacks that we identified and ob-served from our tensor analysis. In the subsequentsub-sections, we discuss in detail some of these pat-terns/behaviors, including security threats/attacks.
We found a number of interesting networkbehaviors and activities from our connectionstensor. Some of them include:
• SSH scanning and SSH password guessing
• Groups of IPs working together to accomplishscans leading to successful SSH infiltration
• Bit-torrenting
4
Tensor Name Bro Log Tensor Dimensions
Connections Tensor The connections log (conn.log) Time x Sender IP x Receiver IP xPort
Outgoing Tensor Connections log entries with localsender and external receiver
Time x Sender IP x Receiver IP xPort
Incoming Tensor Connections log entries with localreceiver and external sender
Time x Sender IP x Receiver IP xPort
Time Independent ConnectionsTensor
The connections log Sender IP x Receiver IP x Port xConnection State
Extended Time Independent Con-nections Tensor
The connections log Sender IP x Receiver IP x Port xConnection duration x Originatorbytes x Connection State
File Transfer Tensor The file transfer log (files.log) Time x Sender IP x Receiver IP xMIME-Type
HTTP Tensor The HTTP traffic log (http.log) Time x Sender IP x Receiver IP xURI x User Agent
DNS Query Tensor All queries from the DNS log(dns.log)
Time x Sender IP x Receiver IP xQuery x Query Type
Table 1: CANDID Tensor Library
• Internet Printing Protocol traffic indicating avulnerable machine
• Isolating a timeperiod when a particular ma-chine had a vulnerability through port 51413
• Private network CAPWAP traffic – unusuallymore common at night than during conferenceoperating hours
• Security team’s Nessus scanner traffic includ-ing internal management of the scanner
• Boomerang power monitor traffic
• Steam downloads and scanning of gamingserver ports
• Vulnerable Brazilian university supercomputertraffic
Our tensor analysis using extended connectionstensor (including metadata attributes such asconnection duration and originator bytes), wefound and isolated patterns and activities thatwere obfuscated. Some of them that were securityrelevant are:
• Anomalous outgoing ICMP traffic indicatingexfiltration
• Exfiltration through concealed outgoing DNStraffic
• NTP amplification attack
• Late night outgoing SSH connections to manyhosts
Figure 3: A component from the decomposition of an“incoming traffic” tensor. The component represents dis-tributed network mapping and port scanning with stronglikelihood of hostile intent.
The tensor analysis from the DNS tensor iden-tified the following interesting but non-maliciousentities:
• DNS hierarchy mapping of a leading company
• Misconfigured DNS server of a popular univer-sity
• Outgoing LDAP through DNS “SRV” typerequests (not malicious but anomalous)
5.1. External Scanners
We now discuss how we captured and isolatedthe evolution of an external scanning attack on thenetwork and a subsequent data exfiltration from acompromised host.
5
The component in Figure 3 represents eight hoursof traffic from 8AM to 4PM on the opening dayof the conference. The topmost chart (timestamp)shows activity starting shortly after the conferencestart time of 9AM and ramping up throughout theday. The second chart (source IP) shows inboundtraffic from a number of external IP addresses (theIP addresses are anonymized as “1.2.3.*” in the fig-ure). The third chart (destination IP) shows a largenumber of internal IP addresses as destinations ofthe inbound traffic. The fourth chart (destinationport) shows a specific set of ports being targeted bythe external hosts.
It is clear that this component represents a coor-dinated attempt by multiple external actors to findhosts on SCinet with particular services enabled.In other words, the component shown in Figure 3represents distributed network mapping and portscanning with strong likelihood of hostile intent. It,indeed, turned out to be the reconnaissance phaseof a successful attack.
Further investigation of the IP addresses involvedresulted in the discovery of a compromised host tar-geted during the initial reconnaissance phase. Thisis captured by the Splunk investigation and ten-sor decomposition component shown in Figure 4.The tensor decomposition component (Figure 4(b))shows that the compromised host made 40, 000 out-going SSH connections, which is clearly a very badsign. The component also shows that the outgoingSSH connections started after the compromise, re-mained heavy initially, went relatively low-key aftersometime, and then resumed heavily after 8 hours.
To summarize, Figures 3 and 4 illustrate the evo-lution of an attack – an initial component show-ing distributed network mapping and port scanningand a later component showing promiscuous out-going SSH traffic from one of the scanned hosts.Splunk was used to connect the dots between thecomponents and confirm the attack. This is oneexample of a network threat identified using tensordecomposition with no prior attack signature.
5.2. ICMP Tunneling
We discuss below a case of suspected ICMP tun-neling that was neither seen by other security per-sonnel nor surfaced by other network security tools.
Anomalous ICMP traffic is difficult to distinguishwith tensor decompositions done on tensors withstandard attributes such as IP addresses, port, con-nection state/time. Figure 5 shows components
Figure 5: Components from the decomposition of a “basictime independent connections” tensor, showing ICMP trafficpatterns from which it is not clear to distinguish anomalousICMP traffic from normal ICMP traffic.
Figure 6: A component from the decomposition of an “ex-tended time independent connections” tensor, clearly iden-tifying suspicious ICMP traffic.
representing traffic patterns involving ICMP mes-sages. As it can be seen, typically ICMP traffic isseparated by message type (in Bro logs, the “port”field is overloaded with ICMP message type forICMP messages). These components represent pat-terns that look like normal ICMP traffic and do notindicate any abnormal behavior.
We performed subsequent tensor decompositionson tensors constructed from the same data as be-fore, but with additional attributes such as connec-tion duration (binned by log10 scale) and numberof originator bytes (binned by log10 scale). The de-compositions of these larger tensors with additionalmetadata attributes immediately (and clearly) un-covered suspicious network traffic involving ICMP.This is shown in Figure 6.
The first chart in Figure 6 (sender IP) revealedsix IP addresses and each IP belonged to a differ-ent subnet. These IPs did not trigger any signature-based alert, threat intel, or Intrusion Detection Sys-tem (IDS) alert. The top scoring destination IP(from the second chart) was a blacklisted Russian
6
(a) Splunk investigation (b) Tensor decomposition component
Figure 4: A component from the decomposition of an “outgoing traffic” tensor. The component represents a host, compromisedfrom the scanning attack, involved in promiscuous outgoing SSH traffic. Splunk queries filtered using the top-scoring entriesin the component (across all dimensions of the tensor) helped us to confirm the attack.
IP address. The suspicion came as a result of theduration of the connection (longest connection du-ration being 11, 000 seconds for an echo reply) andnumber of originator bytes (up to 100 KB). Uponsearching all the ICMP traffic from these senderIPs, it was found out that the time course of thetraffic happened mostly in the middle of the night.This led to the suspicion that it is ICMP tunneling.
Upon searching for all inbound traffic from theblacklisted Russian IP address (the destination IPof the suspicious ICMP traffic), it was found thatthe IP address was involved in Remote DesktopProtocol (RDP) attacks. However the target of theRDP attacks were not the six IP addresses identi-fied in the suspicious ICMP traffic, indicating thatthis is not an easy-to-understand case of compro-mise.
5.3. NTP Amplification
We were able to clearly isolate traffic resultingfrom a NTP amplification attack. Figure 7 showsa component that resulted from the decompositionof extended time independent connections tensor,representing noisy traffic from a NTP amplifica-tion attack. The decomposition of basic (time-included and time independent) connections ten-sors saw NTP amplification traffic as noise withinnormal traffic patterns and it was not isolated intoa separate component. However the extended ten-sor including the connection duration and origina-tor bytes pulled out the component. The unusually
Figure 7: A component from the decomposition of “extendedtime independent connections tensor”, identifying a NTPamplification attack victim.
long duration connections (as seen in Figure 7), ofthe order of 10000s-100000s, isolated the compo-nent and helped us to nail down the NTP ampli-fication attack on two SCinet hosts (first chart ofFigure 7) from a couple of Chinese IP addresses(second chart of Figure 7).
6. Tensor Analysis on Reservoir Labs LAN
At Reservoir Labs, we perform nightly tensoranalysis using CANDID on network metadata col-lected on our own office LAN traffic. On businessdays the LAN connects 40 to 50 devices over a1Gbps network and 200Gbps firewalled link to the
7
Internet. A single R-Scope network security appli-ance provides network traffic metadata. Tensor de-compositions are performed on a 32-core x86 server.
Deep analysis of Reservoir Labs network throughCANDID illustrated three main capabilities.
1. Ability to give a high-level overview of the mostcommon traffic on the network.
2. Extraction of patterns relevant to networkmonitoring and maintenance. Examples in-clude:
• DHCP misconfiguration
• Printer misconfiguration
• DNS caching failure
• UPnP misconfiguration
• Noisy HTTPS (change in network state)
• Link local IPv6 traffic
3. Successful detection of synthetic anomaloustraffic seeded into the network.
6.1. Network Maintenance and Monitoring
Some of the decomposition patterns from thedeep analysis corresponding to background systemsmanagement traffic revealed concretely actionablenetwork misconfigurations, highlighting the valueof the CANDID approach for network monitoring.Figure 8 enumerates a few such examples.
Figure 8(a) shows a component representing atraffic pattern that occurs regularly through timeand entirely on port 67 – corresponding to DHCPtraffic. There are two destination IP addresses thathave non-zero scores and these correspond to ournetwork’s two DHCP servers. There are a hand-ful of different sender IP addresses including Win-dows virtual machines (VMs) and several officephones. To further investigate the traffic patternrepresented here, we filtered the conn.log in Splunkto only include the timestamps, senders, receivers,and ports with a non-zero score in this tensor com-ponent. This revealed DHCP misconfiguration inthe Windows VMs and office phone systems identi-fied by the component.
Figure 8(b) shows a component that has onehigh-scoring sender, two high-scoring receivers, andtwo high scoring ports. The dominant sender IP ad-dress is an office workstation, the two receiver IPaddresses are the Epson printer and the broadcastaddress (255.255.255.255), and finally the two portsare 3289 and 161. The component contains two re-lated activities - Epson printer specific connections
Figure 9: A component showing a sudden increase in traffic– noisy HTTPS traffic
over port 3289 and SNMP connections on port 161.The constant noisy chatter (clearly unrelated to anactual print request) indicates a device misconfigu-ration. Furthermore, this workstation has not beenin active use for several months and is therefore alikely candidate for inspection.
Figure 8(c) represents a component that revealeda DNS caching failure. The component involves asingle sender and receiver. The receiver is a DNSserver. The sender is a Linux machine that is per-forming a batch of DNS lookups as part of a re-search task. This batch of lookups occurs four timeswithin the timeframe of this particular decomposi-tion. However, because of caching misconfigura-tion, the results are not stored and the enormousbatch of lookups has to be repeated each time.
Figure 9 reveals noisy HTTPS traffic. This isnot a result of any network misconfiguration. How-ever this demonstrates an important network mon-itoring capability: detecting a change in networkstate over time. The top chart (timestamp) in Fig-ure 9 very clearly displays a sudden change aroundhalfway through the day.
The only sender with a non-zero score is a singleengineer’s workstation, and the only port with anon-zero score is port 443 (HTTPS/SSL). The topreceivers are around 20 different Amazon AWS IPaddresses. Upon inspecting the SSL log in Splunk,we found that this activity is almost exclusivelylifefyre (an Internet comments service) traffic andthe machine’s owner confirmed that this sudden in-crease in traffic was due to a browser tab left openovernight. This is not malicious activity, but high-lights a valuable lesson that the connections tensorwith the timestamp dimension can reveal how pat-
8
(a) DHCP misconfiguration (b) Printer misconfiguration (c) DNS caching failure
Figure 8: Network misconfigurations detected by CANDID
Figure 10: A component with a beaconing pattern. In thiscase a browser left open on the auto-refreshed New YorkTimes home page was identified as the cause.
terns of activity change over time.
6.2. Anomalous Behaviors
The analysis revealed many anomalous behaviorsthat prompted further investigation from the net-work administrators. We discuss one of the exam-ples in this section. Figure 10 shows a componentfrom our nightly analysis representing an anoma-lous beaconing-like activity. The top chart (times-tamp) shows highly regular periodic activity. Thesecond chart (source IP) shows a single user work-station. The third chart (destination IP) shows theprimary DNS server. The fourth chart (DNS query)shows a large number of queries for records associ-ated with the New York Times website.
This component prompted the network adminis-trator to investigate it further and it was discov-ered that a browser left open on the user worksta-tion auto-refreshed New York Times home page andcaused the beaconing-like traffic.
7. Plan for SC17 SCinet
Our research objective at SCinet NRE 2017 isto validate the capability of CANDID/ENSIGN toprovide deep network visibility by analyzing diversenetwork security logs that are available from theSCinet network security stack. As in previous years,we will demonstrate the effectiveness of our networkanalysis and cyber security capability in an opera-tional cyber environment. We will demonstrate anend-to-end workflow where we take network datafrom diverse network security logs such as Bro logs,Attivo Networks logs, and other available systemlogs from the security stack, perform advanced net-work analysis, and display the identified networkpatterns, indicating attacks or interesting networkbehaviors, in a Splunk dashboard.
At SCinet NRE 2015 and 2016, we successfullydemonstrated our tool on offline network data feeds.Specifically, we demonstrated how our tool sepa-rated normal and off-normal traffic patterns in away that led to the discovery of indicators consis-tent with, and in some cases prior to, human an-alyst discovery (e.g., a distributed takeover attackon a vendor booth and suspected ICMP-based dataexfiltration). The major advance that we plan todemonstrate at SCinet NRE 2017 is the addition ofa streaming analysis capability for cyber securitythat will improve the timeliness of the previouslydemonstrated offline analysis of network metadata.Further, we plan to demonstrate how informationfrom multiple network security sources could befused to provide a comprehensive and coordinatedview of the network behaviors.
We will install and operate CANDID/ENSIGNfrom a node in the SCinet Network Security Cloudthat is provided by CloudLab. We will use Splunk
9
Figure 11: Pictorial representation of SCinet cloud infras-tructure and deployment of CANDID/ENSIGN in the cloud.
as a data management and visualization platform.We will pull data from the Splunk instance hostedin the Cloud and use CANDID Splunk dashboard toview and show results. Figure 11 shows the networktopology.
8. Conclusion
CANDID, along with the foundational work ofENSIGN, contributes uniquely to network traf-fic analysis by solving many of the problems notaddressed by traditional approaches for cyber se-curity. Avoiding requirements for large trainingdatasets that plague many machine learning tech-niques and not requiring a definition of normal orabnormal activity upfront are some of the clear ben-efits that make this approach elegant and powerful.Furthermore, CANDID/ENSIGN tensor decompo-sitions capture patterns that span the entire mul-tidimensional space extracting anomalous activityeven when an attacker explicitly crafts their actionsto subvert signature-based detection methods, orhides attacks within a broader pattern of normalactivity. The practical use of the tool in real oper-ational cyber security environments on large-scalenetworks is proof that it can be integrated into anetwork security specific solution.
Our plan for ongoing and future work is to furtherimprove and advance the tool with respect to cybersecurity practice and move closer to a deployable,turnkey solution. Some of the work towards this ob-jective include automatic classification of network
traffic patterns and threats, automatic distinctionof malicious and benign anomalies, and ranking ofthreats and/or interesting patterns.
Acknowledgment
This material is partially based upon work sup-ported by the U.S. Department of Energy, Office ofScience, Office of Advanced Scientific ComputingResearch under Award Number DE-SC0017081.
References
[1] R. Labs, ENSIGN Tensor Toolbox.URL https://www.reservoir.com/product/
ensign-cyber
[2] M. Baskaran, B. Meister, N. Vasilache, R. Lethin, Effi-cient and Scalable Computations with Sparse Tensors,in: IEEE High Performance Extreme Computing Con-ference, Waltham, MA, 2012.
[3] M. Baskaran, B. Meister, R. Lethin, Low-overheadLoad-balanced Scheduling for Sparse Tensor Computa-tions, in: IEEE High Performance Extreme ComputingConference, Waltham, MA, 2014.
[4] M. Baskaran, T. Henretty, B. Pradelle, M. H. Langston,D. Bruns-Smith, J. Ezick, R. Lethin, Memory-efficientParallel Tensor Decompositions, in: IEEE High Perfor-mance Extreme Computing Conference, Waltham, MA,2017.
[5] E. C. Chi, T. G. Kolda, On Tensors, Sparsity, and Non-negative Factorizations, arXiv:1304.4964 [math.NA](December 2011).URL http://arxiv.org/abs/1112.2414
[6] K. Maruhashi, F. Guo, C. Faloutsos, Multiaspectforen-sics: Pattern mining on large-scale heterogeneous net-works with tensor analysis, in: Internatoinal Conferenceon Advances in Social Networks Analysis and Mining,Kaohsiung, Taiwan, 2011.
[7] H.-H. Mao, W. Chung-Jung, E. E. Papalexakis, K.-C. L.Christos Faloutsos, T.-C. Kao, Malspot: Multi2 mali-cious network behavior patterns analysis, in: Pacific-Asia Conference on Knowledge Discovery and DataMining, Tainan, Taiwan, 2014.
[8] V. Paxson, Bro: A system for detecting networkintruders in real-time, Comput. Netw. 31 (23-24)(1999) 2435–2463. doi:10.1016/S1389-1286(99)00112-7.URL http://dx.doi.org/10.1016/S1389-1286(99)
00112-7
[9] Splunk, Server and Network Infrastructure Monitoring.URL https://www.splunk.com/en_us/solutions/
solution-areas/it-operations-management/
server-and-network-infrastructure-monitoring.
html
[10] R. Labs, R-Scope.URL https://www.reservoir.com/product/r-scope
10