OSTI.GOV, U.S. Department of Energy, Office of Scientific and Technical Information

Title: Graph anomalies in cyber communications

Abstract

Enterprises monitor cyber traffic for viruses, intruders and stolen information. Detection methods look for known signatures of malicious traffic or search for anomalies with respect to a nominal reference model. Traditional anomaly detection focuses on aggregate traffic at central nodes or on user-level monitoring. More recently, however, traffic is being viewed more holistically as a dynamic communication graph. Attention to the graph nature of the traffic has expanded the types of anomalies that are being sought. We give an overview of several cyber data streams collected at Los Alamos National Laboratory and discuss current work in modeling the graph dynamics of traffic over the network. We consider global properties and local properties within the communication graph. A method for monitoring relative entropy on multiple correlated properties is discussed in detail.

Authors:
Vander Wiel, Scott A [1]; Storlie, Curtis B [1]; Sandine, Gary [1]; Hagberg, Aric A [1]; Fisk, Michael [1]
  1. Los Alamos National Laboratory
Publication Date:
January 11, 2011
Research Org.:
Los Alamos National Lab. (LANL), Los Alamos, NM (United States)
Sponsoring Org.:
USDOE
OSTI Identifier:
1046548
Report Number(s):
LA-UR-11-00221; LA-UR-11-221
TRN: US201215%%509
DOE Contract Number:
AC52-06NA25396
Resource Type:
Conference
Resource Relation:
Conference: INFORMS Computing Society Conference; January 9, 2011; Monterey, CA
Country of Publication:
United States
Language:
English
Subject:
97 MATHEMATICAL METHODS AND COMPUTING; COMMUNICATIONS; DETECTION; ENTROPY; LANL; MONITORING; MONITORS; SIMULATION; VIRUSES

Citation Formats

Vander Wiel, Scott A, Storlie, Curtis B, Sandine, Gary, Hagberg, Aric A, and Fisk, Michael. Graph anomalies in cyber communications. United States: N. p., 2011. Web.
Vander Wiel, Scott A, Storlie, Curtis B, Sandine, Gary, Hagberg, Aric A, & Fisk, Michael. (2011). Graph anomalies in cyber communications. United States.
Vander Wiel, Scott A, Storlie, Curtis B, Sandine, Gary, Hagberg, Aric A, and Fisk, Michael. 2011. "Graph anomalies in cyber communications". United States. https://www.osti.gov/servlets/purl/1046548.
@article{osti_1046548,
title = {Graph anomalies in cyber communications},
author = {Vander Wiel, Scott A and Storlie, Curtis B and Sandine, Gary and Hagberg, Aric A and Fisk, Michael},
abstractNote = {Enterprises monitor cyber traffic for viruses, intruders and stolen information. Detection methods look for known signatures of malicious traffic or search for anomalies with respect to a nominal reference model. Traditional anomaly detection focuses on aggregate traffic at central nodes or on user-level monitoring. More recently, however, traffic is being viewed more holistically as a dynamic communication graph. Attention to the graph nature of the traffic has expanded the types of anomalies that are being sought. We give an overview of several cyber data streams collected at Los Alamos National Laboratory and discuss current work in modeling the graph dynamics of traffic over the network. We consider global properties and local properties within the communication graph. A method for monitoring relative entropy on multiple correlated properties is discussed in detail.},
place = {United States},
url = {https://www.osti.gov/servlets/purl/1046548},
year = {2011},
month = {jan}
}

Other availability:
Please see Document Availability for additional information on obtaining the full-text document. Library patrons may search WorldCat to identify libraries that hold this conference proceeding.

  • We describe the significance and prominence of network traffic analysis (TA) as a graph- and network-theoretical domain for advancing research in graph database systems. TA involves observing and analyzing the connections between clients, servers, hosts, and actors within IP networks, both at particular times and as extended over times. Towards that end, NetFlow (or more generically, IPFLOW) data are available from routers and servers which summarize coherent groups of IP packets flowing through the network. IPFLOW databases are routinely interrogated statistically and visualized for suspicious patterns. But the ability to cast IPFLOW data as a massive graph and query it interactively, in order to e.g. identify connectivity patterns, is less well advanced, due to a number of factors including scaling, and their hybrid nature combining graph connectivity and quantitative attributes. In this paper, we outline requirements and opportunities for graph-structured IPFLOW analytics based on our experience with real IPFLOW databases. Specifically, we describe real use cases from the security domain, cast them as graph patterns, show how to express them in two graph-oriented query languages, SPARQL and Datalog, and use these examples to motivate a new class of "hybrid" graph-relational systems.
  • Many modern datasets can be represented as graphs and hence spectral decompositions such as graph principal component analysis (PCA) can be useful. Distinct from previous graph decomposition approaches based on subspace projection of a single topological feature, e.g., the centered graph adjacency matrix (graph Laplacian), we propose spectral decomposition approaches to graph PCA and graph dictionary learning that integrate multiple features, including graph walk statistics, centrality measures and graph distances to reference nodes. In this paper we propose a new PCA method for single graph analysis, called multi-centrality graph PCA (MC-GPCA), and a new dictionary learning method for ensembles of graphs, called multi-centrality graph dictionary learning (MC-GDL), both based on spectral decomposition of multi-centrality matrices. As an application to cyber intrusion detection, MC-GPCA can be an effective indicator of anomalous connectivity patterns and MC-GDL can provide a discriminative basis for attack classification.
  • Most cyber network attacks begin with an adversary gaining a foothold within the network and proceed with lateral movement until a desired goal is achieved. The mechanism by which lateral movement occurs varies but the basic signature of hopping between hosts by exploiting vulnerabilities is the same. Because of the nature of the vulnerabilities typically exploited, lateral movement is very difficult to detect and defend against. In this paper we define a dynamic reachability graph model of the network to discover possible paths that an adversary could take using different vulnerabilities, and how those paths evolve over time. We use this reachability graph to develop dynamic machine-level and network-level impact scores. Lateral movement mitigation strategies which make use of our impact scores are also discussed, and we detail an example using a freely available data set.
  • We present new algorithms for a distributed model for graph computations motivated by limited information sharing we first discussed in [20]. Two or more independent entities have collected large social graphs. They wish to compute the result of running graph algorithms on the entire set of relationships. Because the information is sensitive or economically valuable, they do not wish to simply combine the information in a single location. We consider two models for computing the solution to graph algorithms in this setting: 1) limited-sharing: the two entities can share only a polylogarithmic size subgraph; 2) low-trust: the entities must not reveal any information beyond the query answer, assuming they are all honest but curious. We believe this model captures realistic constraints on cooperating autonomous data centers. We have algorithms for s-t connectivity in both models. We also give an algorithm in the low-communication model for finding a planted clique. This is an anomaly-detection problem, finding a subgraph that is larger and denser than expected. For both the low-communication algorithms, we exploit structural properties of social networks to prove performance bounds better than what is possible for general graphs. For s-t connectivity, we use known properties. For planted clique, we propose a new property: bounded number of triangles per node. This property is based upon evidence from the social science literature. We found that classic examples of social networks do not have the bounded-triangles property. This is because many social networks contain elements that are non-human, such as accounts for a business, or other automated accounts. We describe some initial attempts to distinguish human nodes from automated nodes in social networks based only on topological properties.
  • This paper compares the performance of the CYBER 203, CYBER 205, and CRAY-1 S computers when running a three-dimensional, three-phase reservoir simulator. The results show that the improvement obtained from one computer to the next is somewhat problem dependent. The parameters affecting the differences include the vector length and the amount of scalar code executed relative to vector code. The CYBER 205 demonstrated run times of 2.3 to 3.4 times faster than the CYBER 203 and was found to be 1.6 times faster than the CRAY-1 S. 5 refs.