Visible to the public Biblio

Filters: Keyword is graph analytics  [Clear All Filters]
2020-12-02
Malvankar, A., Payne, J., Budhraja, K. K., Kundu, A., Chari, S., Mohania, M..  2019.  Malware Containment in Cloud. 2019 First IEEE International Conference on Trust, Privacy and Security in Intelligent Systems and Applications (TPS-ISA). :221—227.

Malware is pervasive and poses serious threats to normal operation of business processes in cloud. Cloud computing environments typically have hundreds of hosts that are connected to each other, often with high risk trust assumptions and/or protection mechanisms that are not difficult to break. Malware often exploits such weaknesses, as its immediate goal is often to spread itself to as many hosts as possible. Detecting this propagation is often difficult to address because the malware may reside in multiple components across the software or hardware stack. In this scenario, it is usually best to contain the malware to the smallest possible number of hosts, and it's also critical for system administration to resolve the issue in a timely manner. Furthermore, resolution often requires that several participants across different organizational teams scramble together to address the intrusion. In this vision paper, we define this problem in detail. We then present our vision of decentralized malware containment and the challenges and issues associated with this vision. The approach of containment involves detection and response using graph analytics coupled with a blockchain framework. We propose the use of a dominance frontier for profile nodes which must be involved in the containment process. Smart contracts are used to obtain consensus amongst the involved parties. The paper presents a basic implementation of this proposal. We have further discussed some open problems related to our vision.

2020-11-16
Dwivedi, A..  2018.  Implementing Cyber Resilient Designs through Graph Analytics Assisted Model Based Systems Engineering. 2018 IEEE International Conference on Software Quality, Reliability and Security Companion (QRS-C). :607–616.
Model Based Systems Engineering (MBSE) adds efficiency during all phases of the design lifecycle. MBSE tools enforce design policies and rules to capture the design elements, inter-element relationships, and their attributes in a consistent manner. The system elements, and attributes are captured and stored in a centralized MBSE database for future retrieval. Systems that depend on computer networks can be designed using MBSE to meet cybersecurity and resilience requirements. At each step of a structured systems engineering methodology, decisions need to be made regarding the selection of architecture and designs that mitigate cyber risk and enhance cyber resilience. Detailed risk and decision analysis methods involve complex models and computations which are often characterized as a Big Data analytic problem. In this paper, we argue in favor of using graph analytic methods with model based systems engineering to support risk and decision analyses when engineering cyber resilient systems.
2020-02-17
Ezick, James, Henretty, Tom, Baskaran, Muthu, Lethin, Richard, Feo, John, Tuan, Tai-Ching, Coley, Christopher, Leonard, Leslie, Agrawal, Rajeev, Parsons, Ben et al..  2019.  Combining Tensor Decompositions and Graph Analytics to Provide Cyber Situational Awareness at HPC Scale. 2019 IEEE High Performance Extreme Computing Conference (HPEC). :1–7.

This paper describes MADHAT (Multidimensional Anomaly Detection fusing HPC, Analytics, and Tensors), an integrated workflow that demonstrates the applicability of HPC resources to the problem of maintaining cyber situational awareness. MADHAT combines two high-performance packages: ENSIGN for large-scale sparse tensor decompositions and HAGGLE for graph analytics. Tensor decompositions isolate coherent patterns of network behavior in ways that common clustering methods based on distance metrics cannot. Parallelized graph analysis then uses directed queries on a representation that combines the elements of identified patterns with other available information (such as additional log fields, domain knowledge, network topology, whitelists and blacklists, prior feedback, and published alerts) to confirm or reject a threat hypothesis, collect context, and raise alerts. MADHAT was developed using the collaborative HPC Architecture for Cyber Situational Awareness (HACSAW) research environment and evaluated on structured network sensor logs collected from Defense Research and Engineering Network (DREN) sites using HPC resources at the U.S. Army Engineer Research and Development Center DoD Supercomputing Resource Center (ERDC DSRC). To date, MADHAT has analyzed logs with over 650 million entries.

Hadar, Ethan, Hassanzadeh, Amin.  2019.  Big Data Analytics on Cyber Attack Graphs for Prioritizing Agile Security Requirements. 2019 IEEE 27th International Requirements Engineering Conference (RE). :330–339.

In enterprise environments, the amount of managed assets and vulnerabilities that can be exploited is staggering. Hackers' lateral movements between such assets generate a complex big data graph, that contains potential hacking paths. In this vision paper, we enumerate risk-reduction security requirements in large scale environments, then present the Agile Security methodology and technologies for detection, modeling, and constant prioritization of security requirements, agile style. Agile Security models different types of security requirements into the context of an attack graph, containing business process targets and critical assets identification, configuration items, and possible impacts of cyber-attacks. By simulating and analyzing virtual adversary attack paths toward cardinal assets, Agile Security examines the business impact on business processes and prioritizes surgical requirements. Thus, handling these requirements backlog that are constantly evaluated as an outcome of employing Agile Security, gradually increases system hardening, reduces business risks and informs the IT service desk or Security Operation Center what remediation action to perform next. Once remediated, Agile Security constantly recomputes residual risk, assessing risk increase by threat intelligence or infrastructure changes versus defender's remediation actions in order to drive overall attack surface reduction.

2018-02-06
Eslami, M., Zheng, G., Eramian, H., Levchuk, G..  2017.  Anomaly Detection on Bipartite Graphs for Cyber Situational Awareness and Threat Detection. 2017 IEEE International Conference on Big Data (Big Data). :4741–4743.

Data from cyber logs can often be represented as a bipartite graph (e.g. internal IP-external IP, user-application, or client-server). State-of-the-art graph based anomaly detection often generalizes across all types of graphs — namely bipartite and non-bipartite. This confounds the interpretation and use of specific graph features such as degree, page rank, and eigencentrality that can provide a security analyst with rapid situational awareness of their network. Furthermore, graph algorithms applied to data collected from large, distributed enterprise scale networks require accompanying methods that allow them to scale to the data collected. In this paper, we provide a novel, scalable, directional graph projection framework that operates on cyber logs that can be represented as bipartite graphs. This framework computes directional graph projections and identifies a set of interpretable graph features that describe anomalies within each partite.

2018-01-23
Eslami, M., Zheng, G., Eramian, H., Levchuk, G..  2017.  Deriving cyber use cases from graph projections of cyber data represented as bipartite graphs. 2017 IEEE International Conference on Big Data (Big Data). :4658–4663.

Graph analysis can capture relationships between network entities and can be used to identify and rank anomalous hosts, users, or applications from various types of cyber logs. It is often the case that the data in the logs can be represented as a bipartite graph (e.g. internal IP-external IP, user-application, or client-server). State-of-the-art graph based anomaly detection often generalizes across all types of graphs — namely bipartite and non-bipartite. This confounds the interpretation and use of specific graph features such as degree, page rank, and eigencentrality that can provide a security analyst with situational awareness and even insights to potential attacks on enterprise scale networks. Furthermore, graph algorithms applied to data collected from large, distributed enterprise scale networks require accompanying methods that allow them to scale to the data collected. In this paper, we provide a novel, scalable, directional graph projection framework that operates on cyber logs that can be represented as bipartite graphs. We also present methodologies to further narrow returned results to anomalous/outlier cases that may be indicative of a cyber security event. This framework computes directional graph projections and identifies a set of interpretable graph features that describe anomalies within each partite.