Combining Tensor Decompositions and Graph Analytics to Provide Cyber Situational Awareness at HPC Scale

Title: Combining Tensor Decompositions and Graph Analytics to Provide Cyber Situational Awareness at HPC Scale
Publication Type: Conference Paper
Year of Publication: 2019
Authors: Ezick, James, Henretty, Tom, Baskaran, Muthu, Lethin, Richard, Feo, John, Tuan, Tai-Ching, Coley, Christopher, Leonard, Leslie, Agrawal, Rajeev, Parsons, Ben, Glodek, William
Conference Name: 2019 IEEE High Performance Extreme Computing Conference (HPEC)
Date Published: Sep
Keywords: clustering methods, composability, Computing Theory, data structures, Detectors, Electronic mail, graph analytics, graph theory, groupware, high-performance packages, HPC architecture for cyber situational awareness, HPC resources, HPC scale, integrated workflow, IP networks, large-scale sparse tensor decompositions, MADHAT, metadata, Metrics, multidimensional anomaly detection fusing HPC Analytics and Tensors, Network topology, parallel processing, parallelized graph analysis, pattern clustering, pubcrawl, resilience, Resiliency, security metrics, security of data, sensor fusion, situational awareness, structured network sensor logs, Tensile stress, tensors, Tools
Abstract:

This paper describes MADHAT (Multidimensional Anomaly Detection fusing HPC, Analytics, and Tensors), an integrated workflow that demonstrates the applicability of HPC resources to the problem of maintaining cyber situational awareness. MADHAT combines two high-performance packages: ENSIGN for large-scale sparse tensor decompositions and HAGGLE for graph analytics. Tensor decompositions isolate coherent patterns of network behavior in ways that common clustering methods based on distance metrics cannot. Parallelized graph analysis then uses directed queries on a representation that combines the elements of identified patterns with other available information (such as additional log fields, domain knowledge, network topology, whitelists and blacklists, prior feedback, and published alerts) to confirm or reject a threat hypothesis, collect context, and raise alerts. MADHAT was developed using the collaborative HPC Architecture for Cyber Situational Awareness (HACSAW) research environment and evaluated on structured network sensor logs collected from Defense Research and Engineering Network (DREN) sites using HPC resources at the U.S. Army Engineer Research and Development Center DoD Supercomputing Resource Center (ERDC DSRC). To date, MADHAT has analyzed logs with over 650 million entries.

DOI: 10.1109/HPEC.2019.8916559
Citation Key: ezick_combining_2019