FloCon 2018
Tucson, AZ – January 8-11, 2018


Tuesday, January 9 • 2:30pm - 3:00pm
Anomaly Detection in Cyber Networks Using Graph-node Role-dynamics and NetFlow Bayesian Normalcy Modeling


Advanced Persistent Threats (APTs), i.e., “low and slow” cyber-attacks, are difficult to detect using standard network defense tools. APTs typically hide within the noise of normal network operations, and may persist undetected for months or even years. As a result, the warning signs of an APT can easily be lost in the flood of alerts generated by intrusion detection systems (IDSs) and NetFlow data.

This paper describes ongoing research in APT detection. Our approach is two-fold. First, we fuse alerts generated by multiple IDSs (e.g., Snort, OSSEC, and Bro) into a single weighted graph that allows us to identify anomalies across modalities. To detect the anomalies, we apply the role-dynamics algorithm, which has successfully identified anomalies in social media, email, and IP communication graphs. In the cyber domain, each node in the fused IDS-alert graph is assigned a probability distribution across a small set of roles based on that node's features. A cyber-attack should trigger IDS alerts that change node features, but rather than track every feature for every node individually, roles provide a succinct, integrated summary of those feature changes. We measure changes in each node's probabilistic role assignment over time, and identify anomalies as deviations from expected roles.

Second, we implement a Bayesian dynamic packet flow model to characterize NetFlow patterns within the network. The algorithm provides a probabilistic measure of traffic volatility from which Bayesian inference can be used to forecast expected normal behavior. The model triggers an indication of compromise when deviations from the expected behavior occur, such as during the exfiltration of data.
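As an added illustration (not the authors' model, whose exact form the abstract does not give), the following Python sketch shows one way a discounted Gamma-Poisson model can forecast expected per-window outbound volume from NetFlow and flag windows whose volume is improbable under that forecast. The sample series, the 5-minute window, the discount factor and the alert threshold are all constructed assumptions.

```python
import math

# Constructed sample (not the authors' data): outbound kilobytes per 5-minute
# window for one workstation. The baseline hovers near 300 KB; the last three
# windows simulate the sustained bulk transfer an exfiltration would produce.
SAMPLE_KB = [310, 295, 340, 280, 320, 305, 290, 330, 300, 315, 285, 325,
             310, 295, 300, 320, 2900, 3100, 3050]

def nb_log_pmf(k, r, p):
    """log P(Y = k) for a negative binomial with shape r and success prob p."""
    return (math.lgamma(k + r) - math.lgamma(r) - math.lgamma(k + 1)
            + r * math.log(p) + k * math.log1p(-p))

def nb_upper_tail(k, r, p):
    """P(Y >= k): one minus the summed pmf of every value below k."""
    cdf = sum(math.exp(nb_log_pmf(i, r, p)) for i in range(k))
    return max(0.0, 1.0 - cdf)

class DynamicPoissonMonitor:
    """Discounted Gamma-Poisson model of per-window volume.

    The Poisson rate carries a Gamma(alpha, beta) posterior that is discounted
    before each window, so old traffic fades and the forecast stays uncertain;
    the posterior predictive is then a negative binomial whose upper tail
    scores the new observation.
    """

    def __init__(self, alpha=1.0, beta=0.01, discount=0.9, p_alert=1e-4):
        self.alpha, self.beta = alpha, beta      # weak prior: mean 100 KB
        self.discount, self.p_alert = discount, p_alert

    def observe(self, volume_kb):
        """Score one window; returns (flag, tail probability, forecast mean)."""
        self.alpha *= self.discount              # evolution step: forget a little
        self.beta *= self.discount
        r, p = self.alpha, self.beta / (self.beta + 1.0)
        forecast = self.alpha / self.beta
        tail = nb_upper_tail(volume_kb, r, p)   # only excess volume is scored
        anomalous = tail < self.p_alert
        if not anomalous:                        # never learn an attack as normal
            self.alpha += volume_kb
            self.beta += 1.0
        return anomalous, tail, forecast

def flagged_windows(series, **kwargs):
    """Indices of windows the monitor flags when fed the series in order."""
    monitor = DynamicPoissonMonitor(**kwargs)
    return [i for i, kb in enumerate(series) if monitor.observe(kb)[0]]
```

On the constructed series `flagged_windows(SAMPLE_KB)` returns `[16, 17, 18]`, the three bulk-transfer windows; because the evolution step still runs during an alert, the forecast widens if the anomaly persists instead of silently absorbing it.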

We test our approach using IDS alerts and NetFlow data generated from a network of virtual machines (workstations, data and print servers, DHCP and DNS servers), virtual switches, and a virtual server that approximates connections to the internet. The simulations include weeks of normal background traffic and APT-like cyber-attacks. The network includes installations of Snort, OSSEC, and Bro, which generated alerts throughout the entire experiment. A NetFlow sensor captured the network traffic during the simulation.

Multi-modal data fusion is a promising avenue for threat intelligence and contextual awareness in network defense. Although we have focused here on APTs, our methods may apply to other forms of cyber-attacks.

This research was developed with funding from the Defense Advanced Research Projects Agency (DARPA). The views, opinions and/or findings expressed are those of the authors and should not be interpreted as representing the official views or policies of the Department of Defense or the U.S. Government.

Attendees will learn:

This talk will describe a novel approach to cyber-anomaly detection. The method includes multi-modal data fusion, advanced graph-based analytics, and Bayesian normalcy modeling, to alert security analysts to anomalous and possibly malicious network activities.


Anthony Palladino

Sr. Research Scientist, Boston Fusion
Anthony Palladino is a senior research scientist at Boston Fusion, where he is principal investigator on several advanced research projects. His current areas of research include multi-modal data fusion, machine learning, and advanced graph-based analytics. Prior to joining Boston...

Tuesday January 9, 2018 2:30pm - 3:00pm MST
Presidio III, IV, V