U.S. Department of Energy
Office of Scientific and Technical Information

Situational Awareness of Network System Roles (SANSR)

Software · DOI: https://doi.org/10.11578/dc.20221116.3 · OSTI ID: code-96817 · Code ID: 96817
 [1];  [1]
  1. Oak Ridge National Lab. (ORNL), Oak Ridge, TN (United States)

In a large enterprise, it is difficult for cyber security analysts to know what services and roles every machine on the network is performing (e.g. file server, domain name server, email server). Understanding the roles of the systems in the network provides analysts with situational awareness that allows them to detect consequential changes in the network, initiate an incident response plan, and optimize their security posture. Using network flow data, already collected by most enterprises, we developed a tool that enables analysts to automatically detect and classify the services and roles of every machine operating on a network, for better situational awareness of potential threats to the network. This tool queries Elasticsearch for network flow data, creates a temporal behavior model of each system, and uses unsupervised machine learning to cluster the models with a set of labeled temporal behavior models; the resulting information can be printed to the console or programmatically accessed. The results include the likelihood that a machine has a labeled role and list other machines that are most similar in behavior.

Short Name / Acronym:
SANSR
Project Type:
Closed Source
Site Accession Number:
8101
Software Type:
Scientific
Programming Language(s):
Go 1.11.1
Research Organization:
Oak Ridge National Laboratory (ORNL), Oak Ridge, TN (United States)
Sponsoring Organization:
USDOE

Primary Award/Contract Number:
AC05-00OR22725
DOE Contract Number:
AC05-00OR22725
Code ID:
96817
OSTI ID:
code-96817
Country of Origin:
United States
