FloCon 2018 has ended
Tucson, AZ – January 8-11, 2018


Watch this space for details on the technical program for FloCon 2018. In the meantime, see the FloCon website at www.cert.org/flocon.
Back To Schedule
Thursday, January 11 • 11:00am - 11:30am
Eliminating Barriers to Automated Tensor Analysis for Large-scale Flows

Sign up or log in to save this to your schedule, view media, leave feedback and see who's attending!

Feedback form is now closed.
ENSIGN is a high-performance tensor decomposition suite that enables the unsupervised discovery of deep patterns in multidimensional network metadata. Operating the past three years in the Security Operations Center (SOC) at SCinet – the large-scale research network stood up each year in support of Supercomputing (SC) – ENSIGN has analyzed metadata collected for more than one-billion flows. From that data, ENSIGN has separated normal and off-normal patterns in a way that has led to the discovery of anomalous or alarming behavior, including:
   * Distributed port scans evolving to machine takeover
   * DNS-based data exfiltration/insider threat
   * Abuse of control and/or backchannel message streams
   * Network policy violations
   * Exploitation of application-specific port vulnerabilities
   * Patterns of traffic indicative of scans for printers or IoT devices
   * Broken and/or misconfigured network services
Tensor decompositions represent a new paradigm in network threat identification – one where pattern discovery is the starting point rather than the end goal of the analysis. In this presentation, we move beyond exploratory proof-of-concept experiments and present progress toward an automated tensor-based cyber analytics workflow. We address three critical barriers to practical deployment. First, we describe the development of a library of cyber tensors. This consolidated knowledge on tensor formation transforms decomposition methods from an approach based on accidental discovery to an approach that intentionally covers a range of detectable behavior. Second, we introduce a streaming decomposition method. This capability permits nearer to real-time updates of decompositions and tightens the analysis loop for the discovery of emergent behavior. Finally, we present an approach to automating classification of tensor components (discovered patterns). Component overload is a critical barrier to application for large-scale flows. Automating the classification process means that threat hunting can begin from coherent, prioritized, actionable reports. Taken together, these innovations represent a significant maturation of tensor methods - in scale, timeliness, and usability - bringing the approach closer to meeting the needs of enterprise environments.
This end-to-end workflow builds on R-Scope, a scalable and hardened network security sensor and Splunk as a metadata access store. We show how this combination of ENSIGN and R-Scope with automation, classification, and search support provides a powerful workflow capable of assisting network security professionals in capturing and visualizing – and ultimately comprehending – the patterns contained within the vast volumes of traffic on a large-scale network.

Attendees Will Learn:
Attendees will receive an introduction to tensor decompositions as a tool for network flow analysis. This will include insight into tensor methods as a rapidly evolving technology - one that provides an approach to unsupervised machine learning that discovers coherent patterns and is well-suited to rich network metadata. Attendees will also gain an understanding of recent progress toward addressing barriers to deploying the technology in enterprise environments. The intent is to improve security operations by informing professionals of the current state-of-the-art as a way to foster feedback on, and engagement with, tensor methods as a complement to existing threat hunting approaches.

avatar for James Ezick

James Ezick

Associate Directing Engineer, Reservoir Labs
James Ezick is the lead for Reservoir's Analytics, Reasoning, and Verification Team. Since joining Reservoir in 2004, he has developed solutions addressing a broad range of research and commercial challenges in verification, compilers, cyber security, software-defined radio, high-performance... Read More →

Thursday January 11, 2018 11:00am - 11:30am MST
Presidio III, IV, V

Attendees (5)