Situational Awareness of Network System Roles (SANSR)
- ORNL
In a large enterprise it is difficult for cyber security analysts to know what services and roles every machine on the network is performing (e.g., file server, domain name server, email server). Using network flow data, already collected by most enterprises, we developed a proof-of-concept tool that discovers the roles of a system using both clustering and categorization techniques. The tool's role information would allow cyber analysts to detect consequential changes in the network, initiate incident response plans, and optimize their security posture. The results of this proof-of-concept tool proved to be quite accurate on three real data sets. We will present the algorithms used in the tool, describe the results of preliminary testing, provide visualizations of the results, and discuss areas for future work. Without this kind of situational awareness, cyber analysts cannot quickly diagnose an attack or prioritize remedial actions.
- Research Organization:
- Oak Ridge National Lab. (ORNL), Oak Ridge, TN (United States)
- Sponsoring Organization:
- USDOE Laboratory Directed Research and Development (LDRD) Program
- DOE Contract Number:
- AC05-00OR22725
- OSTI ID:
- 1356923
- Resource Relation:
- Conference: Cyber & Information Security Research Conference 2017, Oak Ridge, TN, USA, 20170404, 20170406
- Country of Publication:
- United States
- Language:
- English
Similar Records
Hybrid methods for cybersecurity analysis :
Development and Demonstration of a Security Core Component