Cyber Big-Data Analytics
GEORGE CHIN, SUTANAY CHOUDHURY, KHUSHBU AGARWAL, VIVEK DATLA, PATRICK PAULSON, DENNIS THOMAS, PAK WONG, SETH THOMPSON, NATE KRUSSELL
Pacific Northwest National Laboratory
September 30, 2015 PNNL-SA-113259
Idaho Bailiff Cyberanalytics Visualization Examples

The Idaho Bailiff project focuses on the following areas:
  Dynamic graph research rooted in:
    High performance computing platforms
    Cybersecurity
    Graph algorithms
    Streaming data
    Big data
  Cyberanalytics applications

The visualizations developed have the following properties:
  Network/graph visualizations
  Secondary area of research and development
  Support pattern discovery
  Extend to big data and/or fast data streaming rates
Computer Network Threat Detection Using Dynamic Triadic Analysis

[Figure: threat scenarios annotated with the triad types involved. Labels visible in the figure: Denial of Service; Source Hiding; Address/Port Scanning; DNS Failure (DNS 1, DNS 2); triad types T4, T6, T7, T8, T15.]
Computer Network Threat Detection Using Dynamic Triadic Analysis

[Figure: time-series plots of triad proportion per 10-minute interval (x-axis: 10 Minute Interval, intervals 1 to about 1036; y-axis: Triad Proportion). Panels: All initiator triads (T7), y-axis 0 to 0.0006; All timeout triads (T8), y-axis 0 to 0.005; (111D) Triads Over Time; (111U) Triads Over Time. The 111D and 111U panels are annotated with the DNS Failure events DNS 1 and DNS 2.]
Computer Network Threat Detection Using Dynamic Triadic Analysis

Changes in specific triad patterns signify a potential network threat, while other triad patterns are unaffected.
Specific triad types indicate specific threats.
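As an added example (not code from the PNNL deck or the Idaho Bailiff project), the following Python script shows the kind of dynamic triadic analysis the slides describe: flow records are binned into 10-minute windows, each window's directed graph is given a triad census using the standard sixteen Holland-Leinhardt codes (the deck's T-numbered types are PNNL's own labels and are not reproduced; the 111D/111U orientation used is stated in the comments and is an assumption), and each later window's triad proportions are compared with a baseline so that the codes that shift, here during a constructed DNS-failure scenario, are flagged while the unaffected ones stay flat. All flow records and host names are constructed for the example.

```python
from collections import Counter, defaultdict
from itertools import combinations
from statistics import mean

# Holland-Leinhardt triad census codes: mutual/asymmetric/null dyad counts plus
# an orientation letter where those counts alone are ambiguous.
TRIAD_CODES = ("003", "012", "102", "021D", "021U", "021C", "111D", "111U",
               "030T", "030C", "201", "120D", "120U", "120C", "210", "300")


def constructed_flows():
    """Constructed flow records (minute, source, destination), not real data.
    Windows 0-2: hosts h1-h3 query 'dns' and get replies; h1 also talks to h4.
    Window 3: the queries continue but 'dns' stops answering (a DNS failure)."""
    flows = []
    for w in range(3):
        t = w * 10 + 2
        for h in ("h1", "h2", "h3"):
            flows.append((t, h, "dns"))        # query
            flows.append((t + 1, "dns", h))    # reply
        flows.append((t + 3, "h1", "h4"))      # unrelated one-way flow
    t = 32
    for h in ("h1", "h2", "h3"):
        flows.append((t, h, "dns"))            # query with no reply
    flows.append((t + 3, "h1", "h4"))
    return flows


def window_edges(flows, window_minutes=10):
    """Bin flows into consecutive windows; each window is a set of directed edges."""
    windows = defaultdict(set)
    for minute, src, dst in flows:
        if src != dst:
            windows[minute // window_minutes].add((src, dst))
    return dict(sorted(windows.items()))


def classify_triad(edges, a, b, c):
    """Return the census code of the triad on nodes a, b, c.
    Orientation convention (an assumption here, following networkx's docs):
    111D = A<->B<-C, the outsider points into the mutual pair; 111U = A<->B->C."""
    mutual, asym, null = [], [], []
    for u, v in combinations((a, b, c), 2):
        uv, vu = (u, v) in edges, (v, u) in edges
        if uv and vu:
            mutual.append((u, v))
        elif uv:
            asym.append((u, v))
        elif vu:
            asym.append((v, u))
        else:
            null.append((u, v))
    base = f"{len(mutual)}{len(asym)}{len(null)}"
    if base == "021":                  # two one-way edges: same source, same target, or a chain
        sources = {s for s, _ in asym}
        targets = {t for _, t in asym}
        return "021D" if len(sources) == 1 else "021U" if len(targets) == 1 else "021C"
    if base == "111":                  # one mutual pair plus one one-way edge
        (src, dst), = asym
        return "111D" if dst in mutual[0] else "111U"
    if base == "030":                  # three one-way edges: transitive or cyclic
        out_degree = Counter(s for s, _ in asym)
        return "030T" if max(out_degree.values()) == 2 else "030C"
    if base == "120":                  # mutual pair plus two one-way edges at the outsider
        outsider = ({a, b, c} - set(mutual[0])).pop()
        out_of = sum(1 for s, _ in asym if s == outsider)
        return "120D" if out_of == 2 else "120U" if out_of == 0 else "120C"
    return base                        # 003, 012, 102, 201, 210, 300 need no orientation


def triad_census(edges):
    """Count every triad type over all node triples of the window's graph."""
    nodes = sorted({n for edge in edges for n in edge})
    return Counter(classify_triad(edges, a, b, c) for a, b, c in combinations(nodes, 3))


def triad_proportions(edges):
    """Fraction of all triads in each census code (the plots' 'Triad Proportion')."""
    census = triad_census(edges)
    total = sum(census.values())
    return {code: census[code] / total for code in TRIAD_CODES} if total else {}


def proportions_over_time(flows, window_minutes=10):
    """Triad proportions per window: the 'triads over time' series in the deck."""
    return {w: triad_proportions(e) for w, e in window_edges(flows, window_minutes).items()}


def shifted_triads(series, baseline_windows, threshold=0.05):
    """Compare each non-baseline window with the mean of the baseline windows and
    return {window: {code: delta}} for codes whose proportion moved by more than
    `threshold`; codes missing from a window's dict were unaffected."""
    baseline = {code: mean(series[w].get(code, 0.0) for w in baseline_windows)
                for code in TRIAD_CODES}
    flagged = {}
    for w, props in series.items():
        if w in baseline_windows:
            continue
        deltas = {code: round(props.get(code, 0.0) - baseline[code], 3)
                  for code in TRIAD_CODES
                  if abs(props.get(code, 0.0) - baseline[code]) > threshold}
        if deltas:
            flagged[w] = deltas
    return flagged


if __name__ == "__main__":
    series = proportions_over_time(constructed_flows())
    for w, deltas in shifted_triads(series, baseline_windows=(0, 1, 2)).items():
        print(f"window {w}: shifted triad types {deltas}")
```

In the constructed data the mutual query/reply pairs make 201, 102 and 111U triads dominate the baseline windows; when the server stops replying those fall and 021U (two hosts querying the same silent server) rises, while 003 stays at the same proportion, which is the "specific patterns change, others unaffected" signal the slide describes. On real flow data the baseline would be a rolling history rather than three fixed windows, and a per-code z-score would replace the fixed absolute threshold.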
DDoS Attack Query: Subgraph Join Tree

[Figure: subgraph join tree for the DDoS attack query, shown on three consecutive slides (6, 7, 8) as video frames at 48:06, 51:39 and 53:11 under the title Emerging Cyberattack Patterns. Node labels: Host, Router, Victim, Broadcast Address. Edge labels: ICMP Echo Request, ICMP Echo Reply. Temporal constraints on the join tree: Time < E1, Time < E2, Time < E3, Time < E4. Match percentages shown at the join nodes: 100%, 43%, 86%, 14%.]
Emerging Cyberattack Patterns Video

Probabilistic Vulnerability Graph

[Figure: vulnerability graph derived from a network configuration. Labels: Network Configuration, Vulnerability Graph, Vulnerability, Precondition, Postcondition.]

Probabilistic Vulnerability Graph Video

Atmospheric Sensor Network Dynamic Bayesian Network

Applications to the Future Power Grid

A graph or network is a natural and intuitive way to visually represent the power grid.
Like computer network flow data, power grid data may be streaming in at fast rates.
Pattern discovery and network analysis approaches and algorithms may be useful in representing and detecting anomalies and behaviors in the power grid.
Probabilistic graphical models may also be useful in power grid predictions and diagnostics.
Associated network visualizations should be equally enabling and useful.