Situational Awareness of Network System Roles (SANSR)
- Oak Ridge National Lab. (ORNL), Oak Ridge, TN (United States)
In a large enterprise it is difficult for cyber security analysts to know what services and roles every machine on the network is performing (e.g. file server, domain name server, email server). Understanding the roles of the systems in the network gives analysts a situational awareness that allows them to detect consequential changes in the network, initiate an incident response plan, and optimize their security posture. Using network flow data that most enterprises already collect, we developed a tool that enables analysts to automatically detect and classify the services and roles of every machine operating on a network, for better situational awareness of potential threats. This tool queries Elasticsearch for network flow data, creates a temporal behavior model of each system, uses unsupervised machine learning to cluster those models together with a set of labeled temporal behavior models, and makes the resulting information available either printed to the console or programmatically. The results include the likelihood that a machine has a given labeled role and a list of the other machines that are most similar in behavior.
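To make the pipeline described above concrete, the following is an added Go example written for this page; SANSR itself is closed source and none of its code is shown here. The example assumes a hypothetical minimal flow schema (hour of day, destination host, destination port), folds destination ports into three hand-chosen service buckets, scores each host's temporal behavior vector against three constructed reference models with cosine similarity in place of the tool's clustering, and embeds constructed sample flows instead of querying Elasticsearch. The role likelihoods and the "most similar hosts" list are the two outputs the abstract names.

```go
package main

import (
	"fmt"
	"math"
	"sort"
)

// Flow is one inbound flow record in a minimal, hypothetical schema; SANSR
// reads flow documents from Elasticsearch, which this example does not do.
type Flow struct {
	Hour    int // hour of day (0-23) from the flow start time
	Dst     string
	DstPort int
}

// Ports fold into three coarse service buckets (this example's assumption,
// not SANSR's feature set): 0 file serving, 1 DNS, 2 mail.
var portBuckets = map[int]int{445: 0, 2049: 0, 53: 1, 25: 2, 587: 2, 143: 2, 993: 2}

const timeBins = 4 // four six-hour bins give the model its temporal axis
const featLen = 3 * timeBins

// Model counts a host's inbound flows per (service bucket, time bin) cell.
// Cosine similarity is scale-invariant, so raw counts need no normalisation.
type Model []float64

// BuildModels turns flows into one Model per destination host.
func BuildModels(flows []Flow) map[string]Model {
	models := map[string]Model{}
	for _, f := range flows {
		b, ok := portBuckets[f.DstPort]
		if !ok {
			continue // port outside the modelled services
		}
		if models[f.Dst] == nil {
			models[f.Dst] = make(Model, featLen)
		}
		models[f.Dst][b*timeBins+f.Hour/6]++
	}
	return models
}

// Cosine is the similarity between two models; 0 if either is all zeros.
func Cosine(a, b Model) float64 {
	var dot, na, nb float64
	for i := range a {
		dot, na, nb = dot+a[i]*b[i], na+a[i]*a[i], nb+b[i]*b[i]
	}
	if na == 0 || nb == 0 {
		return 0
	}
	return dot / math.Sqrt(na*nb)
}

// LabeledModels are constructed stand-ins for the tool's labelled behaviour
// models (cells are bucket-major); the file server reference leans on working hours.
var LabeledModels = map[string]Model{
	"file server": {1, 4, 4, 1, 0, 0, 0, 0, 0, 0, 0, 0},
	"dns":         {0, 0, 0, 0, 1, 1, 1, 1, 0, 0, 0, 0},
	"email":       {0, 0, 0, 0, 0, 0, 0, 0, 1, 1, 1, 1},
}

// Classify scores a host against every labelled role and rescales the scores
// to sum to 1 so they read as a likelihood of each role.
func Classify(m Model) map[string]float64 {
	scores, total := map[string]float64{}, 0.0
	for role, r := range LabeledModels {
		scores[role] = Cosine(m, r)
		total += scores[role]
	}
	for role := range scores {
		scores[role] /= math.Max(total, 1e-12) // a host matching nothing stays at 0
	}
	return scores
}

// Similar lists the other hosts closest in behaviour to host, most similar
// first, omitting hosts with nothing in common.
func Similar(host string, models map[string]Model) []string {
	var names []string
	score := map[string]float64{}
	for name, m := range models {
		if s := Cosine(models[host], m); name != host && s > 0 {
			names, score[name] = append(names, name), s
		}
	}
	sort.Slice(names, func(i, j int) bool { return score[names[i]] > score[names[j]] })
	return names
}

// SampleFlows is a constructed set of inbound flows, not captured traffic.
var SampleFlows = []Flow{
	{2, "10.0.0.5", 53}, {9, "10.0.0.5", 53}, {14, "10.0.0.5", 53}, {21, "10.0.0.5", 53},
	{10, "10.0.0.6", 53}, {15, "10.0.0.6", 53}, {3, "10.0.0.8", 25}, {11, "10.0.0.8", 587},
	{9, "10.0.0.7", 445}, {10, "10.0.0.7", 445}, {14, "10.0.0.7", 445}, {16, "10.0.0.7", 2049},
	{13, "10.0.0.8", 143}, {20, "10.0.0.8", 993}, {9, "10.0.0.9", 8080}, // 8080 is not modelled
}

func main() {
	models := BuildModels(SampleFlows)
	for host := range models {
		fmt.Printf("%s roles=%v similar=%v\n", host, Classify(models[host]), Similar(host, models))
	}
}
```

The temporal axis is what lets this distinguish, for example, a file server busy only during working hours from one serving around the clock; a host whose inbound ports fall outside the modelled buckets gets no model at all rather than a spurious role, which is the case an analyst most needs flagged for review.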
- Short Name / Acronym:
- SANSR
- Project Type:
- Closed Source
- Site Accession Number:
- 8101
- Software Type:
- Scientific
- Programming Language(s):
- Go 1.11.1
- Research Organization:
- Oak Ridge National Laboratory (ORNL), Oak Ridge, TN (United States)
- Sponsoring Organization:
- USDOE
- Primary Award/Contract Number:
- AC05-00OR22725
- DOE Contract Number:
- AC05-00OR22725
- Code ID:
- 96817
- OSTI ID:
- 1566849
- Country of Origin:
- United States