TY - GEN
T1 - Situational awareness of network system roles (SANSR)
AU - Huffer, Kelly M.T.
AU - Reed, Joel W.
PY - 2017/4/4
Y1 - 2017/4/4
AB - In a large enterprise it is difficult for cyber security analysts to know what services and roles every machine on the network is performing (e.g., file server, domain name server, email server). Using network flow data, already collected by most enterprises, we developed a proof-of-concept tool that discovers the roles of a system using both clustering and categorization techniques. The tool's role information would allow cyber analysts to detect consequential changes in the network, initiate incident response plans, and optimize their security posture. The results of this proof-of-concept tool proved to be quite accurate on three real data sets. We will present the algorithms used in the tool, describe the results of preliminary testing, provide visualizations of the results, and discuss areas for future work. Without this kind of situational awareness, cyber analysts cannot quickly diagnose an attack or prioritize remedial actions.
KW - Cyber security
KW - Network behavior
KW - Network monitoring
KW - Situational awareness
KW - Unsupervised learning
UR - http://www.scopus.com/inward/record.url?scp=85018308566&partnerID=8YFLogxK
U2 - 10.1145/3064814.3064828
DO - 10.1145/3064814.3064828
M3 - Conference contribution
AN - SCOPUS:85018308566
T3 - ACM International Conference Proceeding Series
BT - Proceedings of the 12th Annual Cyber and Information Security Research Conference, CISRC 2017
PB - Association for Computing Machinery
T2 - 12th Annual Cyber and Information Security Research Conference, CISRC 2017
Y2 - 4 April 2017 through 6 April 2017
ER -