U.S. Department of Energy
Office of Scientific and Technical Information

Situational Awareness of Network System Roles (SANSR)

Conference

In a large enterprise it is difficult for cyber security analysts to know what services and roles every machine on the network is performing (e.g., file server, domain name server, email server). Using network flow data, already collected by most enterprises, we developed a proof-of-concept tool that discovers the roles of a system using both clustering and categorization techniques. The tool's role information would allow cyber analysts to detect consequential changes in the network, initiate incident response plans, and optimize their security posture. The results of this proof-of-concept tool proved to be quite accurate on three real data sets. We will present the algorithms used in the tool, describe the results of preliminary testing, provide visualizations of the results, and discuss areas for future work. Without this kind of situational awareness, cyber analysts cannot quickly diagnose an attack or prioritize remedial actions.

Research Organization:
Oak Ridge National Laboratory (ORNL), Oak Ridge, TN (United States)
Sponsoring Organization:
ORNL LDRD Director's R&D; ORNL Program Development
DOE Contract Number:
AC05-00OR22725
OSTI ID:
1356923
Country of Publication:
United States
Language:
English
