Enhancing Network Visibility and Security through Tensor Analysis


Bibliographic Details
Published in: Future Generation Computer Systems, Vol. 96, no. C, pp. 207-215
Main Authors: Baskaran, Muthu M.; Henretty, Thomas; Ezick, James; Lethin, Richard; Bruns-Smith, David
Format: Journal Article
Language: English
Published: United States, Elsevier B.V., 01.07.2019

Summary: The increasing size, variety, rate of growth and change, and complexity of network data have warranted advanced network analysis and services. Tools that provide automated analysis through traditional or advanced signature-based systems or machine learning classifiers suffer from practical difficulties. These tools fail to provide comprehensive and contextual insights into the network when put to practical use in operational cyber security. In this paper, we present an effective tool for network security and traffic analysis that uses high-performance data analytics based on a class of unsupervised learning algorithms called tensor decompositions. The tool aims to provide a scalable analysis of the network traffic data and also reduce the cognitive load of network analysts and be network-expert-friendly by presenting clear and actionable insights into the network. In this paper, we demonstrate the successful use of the tool in two completely diverse operational cyber security environments, namely, (1) the security operations center (SOC) for the SCinet network at the SuperComputing (SC) Conference in 2016 and 2017 and (2) Reservoir Labs’ Local Area Network (LAN). In each of these environments, we produce actionable results for cyber security specialists including (but not limited to) (1) finding malicious network traffic involving internal and external attackers using port scans, SSH brute forcing, and NTP amplification attacks, (2) uncovering obfuscated network threats such as data exfiltration using the DNS port and using ICMP traffic, and (3) finding network misconfiguration and performance degradation patterns.

• CANDID - network analysis tool based on high-performance tensor decompositions.
• Presents actionable insights into the network.
• Demonstrated successfully in two diverse operational cyber security environments.
• Finds malicious network traffic and uncovers obfuscated network threats.
• Uncovers obfuscated network threats such as data exfiltration using the DNS port and using ICMP traffic.
• Finds network misconfiguration and performance degradation patterns.
Bibliography: USDOE Office of Science (SC), Advanced Scientific Computing Research (ASCR) (SC-21), grant SC0017081
ISSN: 0167-739X; 1872-7115
DOI: 10.1016/j.future.2019.01.039