graph based role mining techniques for cyber security
play

Graph Based Role Mining Techniques for Cyber Security KIRI OLER, - PowerPoint PPT Presentation

Dec 28, 2022 •388 likes •625 views

Graph Based Role Mining Techniques for Cyber Security KIRI OLER, SUTANAY CHOUDHURY Pacific Northwest National Laboratory Flocon 2015, Portland, OR, USA January 15, 2015 1 Motivation Analyzing a machines past behavior in the face of an

  1. Graph Based Role Mining Techniques for Cyber Security KIRI OLER, SUTANAY CHOUDHURY Pacific Northwest National Laboratory Flocon 2015, Portland, OR, USA January 15, 2015 1

  2. Motivation � Analyzing a machine’s past behavior in the face of an alert is a common task for security analysts � Analyzing past history for a machine can be a time consuming task, and slows down response to the alert � Therefore, techniques that summarize the past behavior of a system in terms of easily understood cyber features described in English can be a powerful capability � This work presents Role Mining algorithms as an approach towards accomplishing this goal January 15, 2015 2

  3. Preliminaries � We use the terms graphs and network almost interchangeably in this presentation � Graph refers to the mathematical model describing links or edges between a set of entities � Example [Computer Network] entities: hosts, links: communication between hosts � Example [Social Network] entities: people, links: friend as in Facebook, connection as in LinkedIn etc. � A graph is directed, if the relationship between two nodes have a directional aspect � Example: My laptop (say 130.20.177.117) making a request to www.google.com (130.20.128.83) => “130.20.177.117 -> 130.20.128.83” in the graph � Sutanay and Kiri works together => represented as a directed graph January 15, 2015 3

  4. Preliminaries (cont.) � Formally, a graph is an ordered pair G = (U, E) where U is a set of nodes and E is the set of edges connecting pairs in U � Weighted graphs can have a weight, or a number associated with each node and/or edge � We build directed, weighted graphs from flow data � A node represents an IP address from network flow data � An edge models the summary of communication between two IP addresses � Flow attributes such as number of exchanged bytes are aggregated and represented as edge weights � Additionally, edges have attributes such as protocol � Edge direction indicates directionality of communication January 15, 2015 4

  5. What is Role Mining � Define meaningful roles for nodes on a network � Each node in the network is assigned a set of features � Features are based on a node’s structural properties and traffic-based behavioral attributes � Roles are defined based on strength of a subset of features � Assume every node is assigned a 8-length feature set (in-degree, out-degree, centrality etc.) � Role A may be defined as nodes with “high in-degree and high-centrality” � Roles have potential to take on different types of meaning, e.g. classifying nodes based on hardware type or criticality to network operations. January 15, 2015 5

  6. Expected Payoffs � The role distribution can be monitored to detect anomalies or failures in an enterprise � We are investigating techniques for building multi-scale graph models of an enterprise’s cyber behavior � We foresee “role”-based coarsening as a way to construct multi-scale models of a cyber architecture h"p://aws.amazon.com/solu1ons/case-­‑studies/discovery-­‑communica1ons/ ¡ January 15, 2015 6

  7. Algorithm � A matrix of features ( 𝑊 ) is generated for each vertex in the graph � Graph theoretic features In and out degree, number of associated triangle/ triads, k-core ranking, PageRank centrality, clustering coefficient � Flow based features Median (in and out) flow duration, median (in and out) bytes exchanged, top-k protocols � The matrix is then factored as 𝑊 ¡= ¡ 𝐻 ∗ 𝐺 ¡ where: � 𝑊 is the 𝑜 ¡ 𝑦 ¡ 𝑔 ¡ feature matrix � 𝐻 is the 𝑜 ¡ 𝑦 ¡ 𝑠 matrix defining each node’s affinity to each role � 𝐺 is the 𝑠 ¡ 𝑦 ¡ 𝑔 ¡ matrix defining how much each feature impacts each role � We use the Non-Negative Matrix Factorization algorithm to perform the decomposition � Once roles are defined 𝐺 remains constant and new node traffic is classified as follows, 𝐻 ¡= ¡ 𝑊 ∗ ​𝐺↑ −1 � The optimal number of roles is selected by finding the value that yields 𝐻 ∗ 𝐺 with Minimum Description Length. January 15, 2015 7

  8. Graph Theoretic Features h"p://docs.graphlab.org/ graph_analy1cs.html ¡ � Triangle statistics capture local behavior around a node in the graph � PageRank based centrality provides a measure of importance of a node in the graph– a higher number indicates higher likelihood of that node being via a random walk on the graph � K-Core rank provides an indication of Alvarez-­‑Hamelin, ¡J. ¡Ignacio, ¡et ¡ al. ¡"Large ¡scale ¡networks ¡ the node’s position in the graph – a fingerprin1ng ¡and ¡visualiza1on ¡ ¡ using ¡the ¡k-­‑core ¡ lower rank indicates peripheral decomposi1on." ¡ Advances ¡in ¡ neural ¡informa1on ¡processing ¡ systems . ¡2005. ¡ presence, whereas a higher number indicates a presence in the “core” network January 15, 2015 8

  9. Illustration of graph theoretic features January 15, 2015 9

  10. Analysis Objectives � Classification Accuracy : � We learn the role distribution from a training dataset, say one describing a period of normal activity � Given a new data set and the previous role definitions, we map each node in the graph to one of the roles � A node will swap roles only if its behavior has changed significantly � We test the variation among node classification using the k-nearest neighbors algorithm. January 15, 2015 10

  11. Analysis Objectives � Role Distributions Due to the dynamic nature of networks, the number of nodes identifying as a certain role will vary over time. However, the overall rate of change should hold steady, implying changes to the distribution could be meaningful. Does ¡the ¡role ¡distribu.on ¡changes ¡between ¡days? ¡ January 15, 2015 11

  12. Algorithm Output � We get back two things � A set of role definitions defined in terms of feature strengths � A role assignment for every node January 15, 2015 12

  13. Analysis Objectives � Role Changes Given good role definitions, a node’s role is unlikely to vary much over time. The less frequently changes occur, the more likely they are to indicate some anomaly. For instance, if a certain role is heavily influenced by the number of bytes transmitted by a node and a node moves from a role where the number of bytes is relatively small to one where a large number of bytes is large, this could indicate that the node is being exploited to move sensitive data to an undesirable location. January 15, 2015 13

  14. Experimental Analysis – About the Data � Initial testing made use of traffic captures from an openly available simulated data set* from University of New Brunswick. � The data was collected from a test bed environment implementing a methodology for generating user profiles and attack scenarios. � The user profiles are generated based on distributions of packets, flow lengths, requests, endpoints, etc. as observed among users in real traffic flows. � Attack profiles are generated to simulate buffer overflows, SQL injections, cross-site scripting attacks, DOS attacks and brute force attempts to establish an SSH connection. � By using simulated data, we have a full knowledge of the anomalous activity within the data set to reinforce the validity of our results. * ¡Shiravi, ¡Ali, ¡et ¡al. ¡"Toward ¡developing ¡a ¡systema1c ¡approach ¡to ¡generate ¡benchmark ¡datasets ¡for ¡intrusion ¡detec1on." ¡Computers ¡& ¡Security ¡31.3 ¡(2012): ¡357-­‑374. ¡ January 15, 2015 14

  15. Testbed Topology � We present our analysis on network traffic flow dataset collected at University of New Brunswick Shiravi, ¡Ali, ¡et ¡al. ¡"Toward ¡developing ¡a ¡systema1c ¡approach ¡to ¡generate ¡benchmark ¡datasets ¡for ¡intrusion ¡detec1on." ¡Computers ¡& ¡Security ¡31.3 ¡(2012): ¡357-­‑374. ¡ January 15, 2015 15

  16. Visualizing IP-graph using Roles January 15, 2015 16

  17. Experimental Analysis – Role Definitions January 15, 2015 17

  18. “Making this work” - Challenges � How do we make this work at the production environment? � Remember that we are aggregating traffic within a certain interval and building a graph based model, so what is the right time resolution for aggregation? � We are looking at netflow and aggregating all traffic. Interesting signals can be drowned in the aggregation process. Which protocols/traffic class is interesting to extract? � What other features should we consider? � How can we benchmark the performance? January 15, 2015 18

  19. Conclusions and Future Work � Given a target dataset, our end goal is to identify the minimal set of features and algorithmic constraints that lead to alignment of roles learnt from the data with real-world roles taken by the machines. � Discover the types of meaning inherent in the extracted roles and trace how the meaning differs based on the features selected. � We are currently focusing on testing the algorithm with different combinations of features. � Experimenting with various constraints to guide the role mining process. � Diversity Constraints to ensure less overlap between role definitions and stronger role assignments for nodes. � Sparsity Constraints so the role definitions will gravitate toward a small number of impactful features, while nodes will only be assigned to roles with which they most strongly identify. January 15, 2015 19

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Cyber Security in Mining Automation Ragnar Schierholz, Head of Cyber Security, Industrial

Cyber Security in Mining Automation Ragnar Schierholz, Head of Cyber Security, Industrial

ABB MINING USER CONFERENCE, MAY 02-05, 2017 Cyber Security in Mining Automation Ragnar Schierholz, Head of Cyber Security, Industrial Automation Division Agenda Why worry about cyber security? ABBs approach to cyber security Cyber security

1.07k views • 39 slides
Data Mining: Concepts and Techniques Chapter 9 Graph mining and Social Network Analysis

Data Mining: Concepts and Techniques Chapter 9 Graph mining and Social Network Analysis

Data Mining: Concepts and Techniques Chapter 9 Graph mining and Social Network Analysis Li Xiong Slides credits: Jiawei Han and Micheline Kamber 1 April 2, 2008 Graph Mining and Social Network Analysis Graph mining Frequent

879 views • 62 slides
SP 800-16 Rev 1 (3 rd Draft) A Role-Based Model for Federal Information Technology/Cyber Security

SP 800-16 Rev 1 (3 rd Draft) A Role-Based Model for Federal Information Technology/Cyber Security

SP 800-16 Rev 1 (3 rd Draft) A Role-Based Model for Federal Information Technology/Cyber Security Training FISSEA Conference March 19, 2014 Pat Toth Penny Klein Computer Security Division Systegra Information Technology Laboratory NATIONAL

750 views • 40 slides
Institute for Cyber Security A Framework for Risk-Aware Role Based Access Control Khalid Zaman

Institute for Cyber Security A Framework for Risk-Aware Role Based Access Control Khalid Zaman

Institute for Cyber Security A Framework for Risk-Aware Role Based Access Control Khalid Zaman Bijon, Ram Krishnan and Ravi Sandhu Institute for Cyber Security University of Texas at San Antonio October 16, 2013 SafeConfig 2013: IEEE 6th

227 views • 18 slides
Current Trends in Cyber Security Course on Cyber Attack Detection & Mitigation Techniques

Current Trends in Cyber Security Course on Cyber Attack Detection & Mitigation Techniques

Current Trends in Cyber Security Course on Cyber Attack Detection & Mitigation Techniques (NIT-K) S. K. Pal Defence Research & Development Organization (DRDO) SAG, Metcalfe House, Delhi 27-Jul-2020 1 What is Cyberspace? Refers to

766 views • 17 slides
CS6220: DATA MINING TECHNIQUES Mining Graph/Network Data Instructor: Yizhou Sun

CS6220: DATA MINING TECHNIQUES Mining Graph/Network Data Instructor: Yizhou Sun

CS6220: DATA MINING TECHNIQUES Mining Graph/Network Data Instructor: Yizhou Sun yzsun@ccs.neu.edu November 16, 2015 Methods to Learn Matrix Data Text Set Data Sequence Time Series Graph & Images Data Data Network Classification

936 views • 38 slides
CS6220: DATA MINING TECHNIQUES Mining Graph/Network Data Instructor: Yizhou Sun

CS6220: DATA MINING TECHNIQUES Mining Graph/Network Data Instructor: Yizhou Sun

CS6220: DATA MINING TECHNIQUES Mining Graph/Network Data Instructor: Yizhou Sun yzsun@ccs.neu.edu March 16, 2016 Methods to Learn Matrix Data Text Set Data Sequence Time Series Graph & Images Data Data Network Classification

724 views • 54 slides
Worldwide Security and Resiliency of Cyber Infrastructures: the Role of the Domain Name System

Worldwide Security and Resiliency of Cyber Infrastructures: the Role of the Domain Name System

Worldwide Security and Resiliency of Cyber Infrastructures: the Role of the Domain Name System Dr. Igor Nai Fovino Head of the Research Department Global Cyber Security Center The Global Cyber Security Center, is an International not-for-profit

615 views • 33 slides
ON THE SEQUENTIAL PATTERN AND RULE MINING IN THE ANALYSIS OF CYBER SECURITY ALERTS Thursday 31 st

ON THE SEQUENTIAL PATTERN AND RULE MINING IN THE ANALYSIS OF CYBER SECURITY ALERTS Thursday 31 st

ON THE SEQUENTIAL PATTERN AND RULE MINING IN THE ANALYSIS OF CYBER SECURITY ALERTS Thursday 31 st August, 2017 Martin Husk Jaroslav Kapar Elias Bou-Harb Pavel eleda Motivation Cyber Security Alerts Timely information about current

826 views • 23 slides
GRAPH MINING AND GRAPH KERNELS Part I: Graph Mining Karsten Borgwardt^ and Xifeng Yan*

GRAPH MINING AND GRAPH KERNELS Part I: Graph Mining Karsten Borgwardt^ and Xifeng Yan*

Graph Mining and Graph Kernels GRAPH MINING AND GRAPH KERNELS Part I: Graph Mining Karsten Borgwardt^ and Xifeng Yan* ^University of Cambridge *IBM T. J. Watson Research Center August 24, 2008 | ACM SIG KDD, Las Vegas Graph Mining and Graph

1.28k views • 60 slides
KNOW YOUR ROLE DO YOUR JOB: A mapping of skills and building a Cyber Security Career EILEEN. A.

KNOW YOUR ROLE DO YOUR JOB: A mapping of skills and building a Cyber Security Career EILEEN. A.

KNOW YOUR ROLE DO YOUR JOB: A mapping of skills and building a Cyber Security Career EILEEN. A. Cyber Defense and Forensics Analyst The Dilemma Caught in a web, ever growing cyber attacks, changes in technology. Strategies seem to last an

452 views • 28 slides
CS6220: DATA MINING TECHNIQUES Mining Graph/Network Data: Part I Instructor: Yizhou Sun

CS6220: DATA MINING TECHNIQUES Mining Graph/Network Data: Part I Instructor: Yizhou Sun

CS6220: DATA MINING TECHNIQUES Mining Graph/Network Data: Part I Instructor: Yizhou Sun yzsun@ccs.neu.edu November 12, 2013 Announcement Homework 4 will be out tonight Due on 12/2 Next class will be canceled I will still put the

1.06k views • 77 slides
Web Mining Web Mining Web Mining Web Mining Web mining is the use of data mining techniques

Web Mining Web Mining Web Mining Web Mining Web mining is the use of data mining techniques

What is Web Mining? Wh t i W b Mi i What is Web Mining? Wh t i W b Mi i ? ? Web Mining Web Mining Web Mining Web Mining Web mining is the use of data mining techniques to automat cally d scover and extract nformat on automatically

774 views • 20 slides
Web Mining Web Mining Web mining is the use of data mining techniques to automatically

Web Mining Web Mining Web mining is the use of data mining techniques to automatically

What is Web Mining? What is Web Mining? Web Mining Web Mining Web mining is the use of data mining techniques to automatically discover and extract information from Web documents/services (Etzioni, 1996, CACM 39(11)) Web mining aims to

566 views • 22 slides
Cyber Security Risk Using the Cyber Security Measurement Framework Cyber Security Framework

Cyber Security Risk Using the Cyber Security Measurement Framework Cyber Security Framework

Cyber Security Risk Using the Cyber Security Measurement Framework Cyber Security Framework Reporting Objectives Executive Summary Information Assess Current Cyber Security Posture Measure Progress Toward Improvement Assess

634 views • 5 slides
Ofcoms role in cyber security UKNOF Edinburgh Huw Saunders Director, Network Infrastructure

Ofcoms role in cyber security UKNOF Edinburgh Huw Saunders Director, Network Infrastructure

Ofcoms role in cyber security UKNOF Edinburgh Huw Saunders Director, Network Infrastructure PROMOTING CHOICE SECURING STANDARDS PREVENTING HARM Ofcom and cyber security Area of growing importance across all sectors, with

216 views • 7 slides
Ellerston Australian Micro Cap Fund June 2020 1 Performance 2 Outcomes & Portfolio

Ellerston Australian Micro Cap Fund June 2020 1 Performance 2 Outcomes & Portfolio

Ellerston Australian Micro Cap Fund June 2020 1 Performance 2 Outcomes & Portfolio Characteristics AS AT 31 MAY 2020 Since 3 Years Inception Net Performance 3 Months 6 Months FYTD 1 Year p.a. p.a.* Ellerston Australian Micro Cap

547 views • 23 slides
ICMA ICM ICMA ERCC CC Opera ratio ions Se Semin inar r 2016: : Future challenges in the

ICMA ICM ICMA ERCC CC Opera ratio ions Se Semin inar r 2016: : Future challenges in the

International Capital Market Association ICMA ICM ICMA ERCC CC Opera ratio ions Se Semin inar r 2016: : Future challenges in the management of securities financing transactions discovery & delivery 10 10 Febr February 2016

715 views • 56 slides
SUSTAINABLE ENERGY ACCESS: A CRITICAL FACTOR FOR HUMAN DEVELOPMENT Mahama Kappiah Executive

SUSTAINABLE ENERGY ACCESS: A CRITICAL FACTOR FOR HUMAN DEVELOPMENT Mahama Kappiah Executive

15TH INTERNATIONAL ENERGY FORUM MINISTERIAL Algiers, 26-28 September 2016 International Conference Center of Algiers SUSTAINABLE ENERGY ACCESS: A CRITICAL FACTOR FOR HUMAN DEVELOPMENT Mahama Kappiah Executive Director ECREEE WWW.ECREEE.ORG

343 views • 19 slides
Global Figures CY15: $55 80 CY13: $135 60 CY14: $97 40 20 Feb-19: $88 0 Jan-13 Mar-13

Global Figures CY15: $55 80 CY13: $135 60 CY14: $97 40 20 Feb-19: $88 0 Jan-13 Mar-13

S TEEL S ECTOR O VERVIEW March 2019 S ECTOR | C ONTENTS O UTLINE Specific Terms & Products Raw Material Iron Ore | Price trend Steel scrap | Price trend Global | Steel Production | CY18 Top Producing Countries Global | Steel

427 views • 19 slides
Global Reach Regional Focus Corporate Profile January 2017 AXIA at a Glance 2 Who What Key

Global Reach Regional Focus Corporate Profile January 2017 AXIA at a Glance 2 Who What Key

Global Reach Regional Focus Corporate Profile January 2017 AXIA at a Glance 2 Who What Key Global Local We Are Differentiates AXIA Values Reach Access AXIA is a leading, independent, AXIAs team of people offers Excellence and

337 views • 20 slides
Global Reach Regional Focus Corporate Profile Summer 2018 AXIA at a Glance 2 Who What Key

Global Reach Regional Focus Corporate Profile Summer 2018 AXIA at a Glance 2 Who What Key

Global Reach Regional Focus Corporate Profile Summer 2018 AXIA at a Glance 2 Who What Key Global Local We Are Differentiates AXIA Values Reach Access AXIA is a leading, independent, AXIAs team of people offers Excellence and

409 views • 22 slides
Annual 2016 Results Presentation NIREUS AQUACULTURE S.A. Table of Contents Pages I. Our

Annual 2016 Results Presentation NIREUS AQUACULTURE S.A. Table of Contents Pages I. Our

Athens Greece | 31 March 2017 Annual 2016 Results Presentation NIREUS AQUACULTURE S.A. Table of Contents Pages I. Our

492 views • 25 slides
A D A M J O N E S - H E A D O F I N V E S T M E N T S W H Y D O W E I N V E S T ? T H E I

A D A M J O N E S - H E A D O F I N V E S T M E N T S W H Y D O W E I N V E S T ? T H E I

A D A M J O N E S - H E A D O F I N V E S T M E N T S W H Y D O W E I N V E S T ? T H E I M P A C T O F I N F L A T I O N O N C A S H O V E R T H E L O N G T E R M ( A S S U M E S A 2 % N E G A T I V E R E A L I N T E R E S T

649 views • 22 slides

More recommend