High-Throughput Real-Time Network Flow Visualization

Similar documents
Atypical Behavior Identification in Large Scale Network Traffic

Security analytics: From data to action Visual and analytical approaches to detecting modern adversaries

WHITE PAPER. Operationalizing Threat Intelligence Data: The Problems of Relevance and Scale

Enhancing Threat Intelligence Data. 05/24/2017 DC416

Putting it all together: Creating a Big Data Analytic Workflow with Spotfire

Threat Intel for All: There s More to Your Data than Meets the Eye

EXPERT SERVICES FOR IoT CYBERSECURITY AND RISK MANAGEMENT. An Insight Cyber White Paper. Copyright Insight Cyber All rights reserved.

Designing an Adaptive Defense Security Architecture. George Chiorescu FireEye

OUTSMART ADVANCED CYBER ATTACKS WITH AN INTELLIGENCE-DRIVEN SECURITY OPERATIONS CENTER

Prescriptive Security Operations Centers. Leveraging big data capabilities to build next generation SOC

Massive Data Analysis

Analytics Driven, Simple, Accurate and Actionable Cyber Security Solution CYBER ANALYTICS

Know Your Network. Computer Security Incident Response Center. Tracking Compliance Identifying and Mitigating Threats

Network Visualization

Network Visualization. Introduction. Introduction. Introduction. Paper List. Paper List. Shahed. Basic building blocks

WHY SIEMS WITH ADVANCED NETWORK- TRAFFIC ANALYTICS IS A POWERFUL COMBINATION. A Novetta Cyber Analytics Brief

SIEM Product Comparison

Novetta Cyber Analytics

CYBERBIT P r o t e c t i n g a n e w D i m e n s i o n

Integrate MATLAB Analytics into Enterprise Applications

OLAP Introduction and Overview

OPERATIONALIZING MACHINE LEARNING USING GPU ACCELERATED, IN-DATABASE ANALYTICS

A Real-world Demonstration of NetSocket Cloud Experience Manager for Microsoft Lync

Managing the Subscriber Experience

Building a Scalable Recommender System with Apache Spark, Apache Kafka and Elasticsearch

Introduction to Data Science

Sitecore Experience Platform 8.0 Rev: September 13, Sitecore Experience Platform 8.0

Event: PASS SQL Saturday - DC 2018 Presenter: Jon Tupitza, CTO Architect

Enterprise Situational Intelligence

Build a system health check for Db2 using IBM Machine Learning for z/os

Integrate MATLAB Analytics into Enterprise Applications

WITH ACTIVEWATCH EXPERT BACKED, DETECTION AND THREAT RESPONSE BENEFITS HOW THREAT MANAGER WORKS SOLUTION OVERVIEW:

PNDA.io: when BGP meets Big-Data

in PCI Regulated Environments

The coolest place on earth

Monitoring and Managing IIoT Security

DATA MINING II - 1DL460

Fluentd + MongoDB + Spark = Awesome Sauce

AMP-Based Flow Collection. Greg Virgin - RedJack

CISCO NETWORKS BORDERLESS Cisco Systems, Inc. All rights reserved. 1

Video AI Alerts An Artificial Intelligence-Based Approach to Anomaly Detection and Root Cause Analysis for OTT Video Publishers

Network Analytics. Hendrik Borras, Marian Babik IT-CM-MM

Cisco Tetration Analytics

Converged security. Gerben Verstraete, CTO, HP Software Services Colin Henderson, Managing Principal, Enterprise Security Products

Deploying, Managing and Reusing R Models in an Enterprise Environment

FPGA based Network Traffic Analysis using Traffic Dispersion Graphs

Herd Intelligence: true protection from targeted attacks. Ryan Sherstobitoff, Chief Corporate Evangelist

This shows a typical architecture that enterprises use to secure their networks: The network is divided into a number of segments Firewalls restrict

Transformation in Technology Barbara Duck Chief Information Officer. Investor Day 2018

RSA NetWitness Suite Respond in Minutes, Not Months

TIBCO Complex Event Processing Evaluation Guide

Visual Computing. Lecture 2 Visualization, Data, and Process

Creating a Recommender System. An Elasticsearch & Apache Spark approach

Learning Objectives for Data Concept and Visualization

Microsoft Perform Data Engineering on Microsoft Azure HDInsight.

Enable IoT Solutions using Azure

Latent Space Model for Road Networks to Predict Time-Varying Traffic. Presented by: Rob Fitzgerald Spring 2017

RIPE75 - Network monitoring at scale. Louis Poinsignon

Collective Mind. Early Warnings of Systematic Failures of Equipment. Dr. Artur Dubrawski. Dr. Norman Sondheimer. Auton Lab Carnegie Mellon University

Creating Situational Awareness with Spacecraft Data Trending and Monitoring

Oracle Big Data Connectors

Data Warehousing. Ritham Vashisht, Sukhdeep Kaur and Shobti Saini

THE EVOLUTION OF SIEM

Increase Value from Big Data with Real-Time Data Integration and Streaming Analytics

SIEM Solutions from McAfee

DATA MINING TRANSACTION

CYBER ANALYTICS. Architecture Overview. Technical Brief. May 2016 novetta.com 2016, Novetta

MauveDB: Statistical Modeling inside Database Systems. Amol Deshpande, University of Maryland

Protect vital DNS assets and identify malware

Empower stakeholders with single-pane visibility and insights Enrich firewall security data

Alberto Dainotti

An IP.com Prior Art Database Technical Disclosure

The Evolution of : Continuous Advanced Threat Protection

Solace Message Routers and Cisco Ethernet Switches: Unified Infrastructure for Financial Services Middleware

How enterprises can use cyber threat information effectively? Shimon Modi,

SIEM: Five Requirements that Solve the Bigger Business Issues

<Insert Picture Here> Introduction to Big Data Technology

Cybersecurity-Related Information Sharing Guidelines Draft Document Request For Comment

Intelligent Enterprise meets Science of Where. Anand Raisinghani Head Platform & Data Management SAP India 10 September, 2018

Cisco Tetration Analytics

Quality of Service in US Air Force Information Management Systems

Big Data Technology Ecosystem. Mark Burnette Pentaho Director Sales Engineering, Hitachi Vantara

SOLUTION BRIEF RSA NETWITNESS SUITE 3X THE IMPACT WITH YOUR EXISTING SECURITY TEAM

IMAGE ACQUISTION AND PROCESSING FOR FINANCIAL DUE DILIGENCE

Oracle and Tangosol Acquisition Announcement

HYBRID TRANSACTION/ANALYTICAL PROCESSING COLIN MACNAUGHTON

Real-Time & Big Data GIS: Leveraging the spatiotemporal big data store

Cyber Defense Maturity Scorecard DEFINING CYBERSECURITY MATURITY ACROSS KEY DOMAINS

Knowledge Discovery and Data Mining

GEOMEDIA MOTION VIDEO ANALYSIS PROFESSIONAL

Optimized Data Integration for the MSO Market

Compare Security Analytics Solutions

align security instill confidence

DATA MINING II - 1DL460

Diagnostics in Testing and Performance Engineering

Integrate MATLAB Analytics into Enterprise Applications

Fast Innovation requires Fast IT

The Challenge of Cyberspace Defense and CSSP Services

Industry Analytics Kit

Triage & Collaboration. Improving a major bank s cyber threat security posture

Transcription:

High-Throughput Real-Time Network Flow Visualization Daniel Best Research Scientist Information Analytics daniel.best@pnl.gov Douglas Love, Shawn Bohn, William Pike 1

Tools and a Pipeline to Provide Defense in Depth Traffic Circle Visualization for situational awareness Correlation Layers for Information Query and Exploration (CLIQUE) Network behavior visualization using LiveRac interface Middleware for Data-Intensive Computing (MeDiCi) Data pipeline 2

Motivation Improve upon current analysis capabilities Provide a mechanism for multiple tools to feed off the same data Move away from batch processing of flow data Support both forensic and real-time monitoring capabilities Implement a streaming analytics tool set Handle large volumes of flow data (millions to billions) per view Help analysts gain situational understanding of current state of a network Provide engaging flow visualizations Visualization of both raw data and aggregates Automated identification of off normal conditions 3

What our users want They want to know what normal looks like from an individual host, to a group, to an enterprise They want ways to overcome limitations in analyzing raw transactions Lots of data (billions of transactions/day) Lots of unique actors (IPv6: 6.67 * 1027 IP addresses per square meter on Earth) Lots of noise If they know what they re looking for, they can build a signature to detect it. But what s in the data that they don t already know to look for? Need to link data reduction techniques with exploratory analysis interfaces They want to know where to focus! 4

Middleware for Data-Intensive Computing (MeDICi) Provides a high-throughput data communication and processing pipeline Creates the substrate for real-time information sharing Mechanism to hand information to multiple tools Multiple tools subscribe to MeDICi data, so that tools can be combined for defense in depth Capable of streaming data transformations Handles data changes needed by a client prior to being transmitted to that client Offloads computational cycles to the MeDICi server 5

Using MeDICi for real-time analytics Components can be created by different developers using various languages Traffic Circle and CLIQUE use Java, but components from other languages can be wrapped easily Information is passed between components using a producer / listener mechanism Apache ActiveMQ message broker JMS messaging standard Components are chained together to create a pipeline Aggregates Summary Statistics Others 6

7 A sample MeDICi pipeline

CLIQUE Produces behavioral summaries based on a live sensor feed A behavior is a model of predicted activity based on past activity CLIQUE helps visualize the deviation of an actor from its predicted activity Working at the level of behaviors helps cope with large data volumes Display walks along with incoming flow information to show current state Helps highlight trends and patterns in highvolume flows Capability to compare behavior deviations with category activity 8

CLIQUE behavior analysis Utilizes Symbolic Aggregate approximation (SAX) To deal with the scaling issue in the temporal dimension (scales by summarization/aggregation) Creates a SAX representation across all categories for a given actor Converts SAX representation to a glyph Produces a language Creates matrix of glyphs and temporal sub-segments Compares current matrix and historic matrix to yield behavior deviation plot 9

10 CLIQUE Walkthrough

Traffic Circle Interactive visualization of patterns in high volume flow data When you can see more data you can see patterns previously hidden when examining by subsets Visualizes raw flow information Drill-through from CLIQUE Manages throughput by utilizing a threaded architecture that distributes query and rendering Can operate in forensic mode or real-time animation mode 11

Traffic Circle Circular time wheel metaphor Flows ordered by start time Arc length corresponds to duration Spinnable interface Filters can be added Color coding Hide / show capability Operationally demonstrated at data volumes upward of 125 million flows Using high-performance backfill database 12

13 Traffic Circle Walkthrough

Conclusions Visualization at different levels of abstraction supports situational awareness in large data sets High-throughput pipelines are necessary to scale visual analysis to operational data volumes Modeling helps analysts baseline normal activities and quickly identify off-normal conditions 14

Future Directions Develop a predictive capability Nascent behavioral changes can be detected visually in real-time in Traffic Circle and CLIQUE CLIQUE classifier enables sequence detection for proactive threat identification Explore extensions to other domains Financial fraud detection SCADA system reliability and security 15

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback