Graph Based Role Mining Techniques for Cyber Security
January 2015 • Presentation
Kiri Oler (Pacific Northwest National Laboratory), Sutanay Choudhury (Pacific Northwest National Laboratory)
Graph-based role-mining methods have been applied to several kinds of communication networks (e.g. social media): the communications are modeled as a graph, and structural features of that graph, such as node degree, are used to group the nodes into roles defined by those features. In this talk, Kiri proposes tailoring existing role-mining techniques to enterprise networks, where the network graph is derived from NetFlow data captured by the enterprise. Specifically, each node represents an IP address, and an edge between two nodes represents the existence of at least one flow record in which one node is the source IP and the other is the destination IP. Because every flow record has a source and a destination, the graph can be directed, and weights can be attached to the edges, for example the number of bytes transmitted or the duration of the flow.

When role-mining a NetFlow graph, the feature set compiled for each node need not be limited to graph properties; behavioral information from the NetFlow records that is not otherwise captured by the graph can be included as well, for example the median duration of all flows in which the IP participates, the total number of packets sent to and from the IP, or the number of distinct ports the IP communicates with. We hypothesize that tracking the distribution of nodes across roles over time will allow the detection of service outages and cyber attacks, and will let enterprises monitor the resiliency of their network. To do this kind of tracking, we aim to define meaningful roles into which each node on the network can be classified.
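The following Python block is an added worked example, not code from the talk or from the PNNL authors. It builds the directed, weighted graph described above from a handful of constructed flow records (the seven-field record layout, the IP addresses and the role thresholds are all assumptions made for the illustration), derives per-IP features that mix graph structure (in/out degree) with behavioral values taken from the records (median flow duration, total packets, distinct destination ports), assigns each IP a role from its feature vector, and then compares the role assignments of two time windows. In the second window one server stops serving and a new host probes it on many ports, so the comparison surfaces one role change (server to client, the outage) and one new role member (a scanner, the attack).

```python
from collections import Counter, defaultdict
from statistics import median

# Constructed sample flow records, not a real capture. Field layout is assumed:
# (window, src_ip, dst_ip, dst_port, packets, bytes, duration_seconds)
FLOWS = [
    # window 1: baseline, three clients use a web server (.5) and a DNS server (.53)
    (1, "10.0.0.11", "10.0.0.5", 443, 20, 15000, 2.0),
    (1, "10.0.0.12", "10.0.0.5", 443, 18, 12000, 1.5),
    (1, "10.0.0.13", "10.0.0.5", 443, 25, 20000, 3.0),
    (1, "10.0.0.11", "10.0.0.53", 53, 2, 200, 0.1),
    (1, "10.0.0.12", "10.0.0.53", 53, 2, 210, 0.1),
    (1, "10.0.0.13", "10.0.0.53", 53, 2, 190, 0.1),
    (1, "10.0.0.5", "10.0.0.53", 53, 2, 220, 0.1),
    # window 2: the web server stops serving and a new host probes it on many ports
    (2, "10.0.0.11", "10.0.0.53", 53, 2, 200, 0.1),
    (2, "10.0.0.12", "10.0.0.53", 53, 2, 210, 0.1),
    (2, "10.0.0.13", "10.0.0.53", 53, 2, 190, 0.1),
    (2, "10.0.0.5", "10.0.0.53", 53, 2, 220, 0.1),
    (2, "10.0.0.99", "10.0.0.5", 22, 1, 60, 0.01),
    (2, "10.0.0.99", "10.0.0.5", 80, 1, 60, 0.01),
    (2, "10.0.0.99", "10.0.0.5", 443, 1, 60, 0.01),
    (2, "10.0.0.99", "10.0.0.5", 3306, 1, 60, 0.01),
    (2, "10.0.0.99", "10.0.0.5", 8080, 1, 60, 0.01),
    (2, "10.0.0.99", "10.0.0.5", 21, 1, 60, 0.01),
]


def build_graph(flows):
    """Directed graph: one edge per (src, dst) pair, weighted by the accumulated
    bytes, packets and total duration of the flow records it summarizes."""
    edges = defaultdict(lambda: {"flows": 0, "bytes": 0, "packets": 0, "duration": 0.0})
    for _win, src, dst, _port, pkts, nbytes, dur in flows:
        e = edges[(src, dst)]
        e["flows"] += 1
        e["bytes"] += nbytes
        e["packets"] += pkts
        e["duration"] += dur
    return dict(edges)


def node_features(flows):
    """Per-IP feature vector: graph features (in/out degree of the directed graph)
    plus behavioral features read directly from the flow records."""
    graph = build_graph(flows)
    out_nbrs, in_nbrs = defaultdict(set), defaultdict(set)
    for src, dst in graph:
        out_nbrs[src].add(dst)
        in_nbrs[dst].add(src)
    durations, packets, dports = defaultdict(list), Counter(), defaultdict(set)
    for _win, src, dst, port, pkts, _nbytes, dur in flows:
        for ip in (src, dst):        # a flow's duration and packets count for both endpoints
            durations[ip].append(dur)
            packets[ip] += pkts
        dports[src].add(port)        # destination ports this IP initiates connections to
    feats = {}
    for ip in set(out_nbrs) | set(in_nbrs):
        feats[ip] = {
            "in_degree": len(in_nbrs[ip]),
            "out_degree": len(out_nbrs[ip]),
            "median_duration": median(durations[ip]),
            "total_packets": packets[ip],
            "distinct_dst_ports": len(dports[ip]),
        }
    return feats


def assign_role(f):
    """Map a feature vector to a role. The thresholds are illustrative assumptions;
    a real deployment would derive the roles from the observed feature distribution."""
    if f["distinct_dst_ports"] >= 5 and f["median_duration"] < 0.1:
        return "scanner"
    if f["in_degree"] >= 3 and f["out_degree"] <= 1:
        return "server"
    return "client"


def roles_for_window(flows, window):
    """Role label for every IP that appears in the given time window."""
    feats = node_features([f for f in flows if f[0] == window])
    return {ip: assign_role(f) for ip, f in feats.items()}


def role_shift(before, after):
    """IPs whose role differs between two windows, including IPs that appeared
    (old role None) or dropped out of the graph entirely (new role None)."""
    return {ip: (before.get(ip), after.get(ip))
            for ip in set(before) | set(after) if before.get(ip) != after.get(ip)}


if __name__ == "__main__":
    w1, w2 = roles_for_window(FLOWS, 1), roles_for_window(FLOWS, 2)
    print("window 1:", Counter(w1.values()))
    print("window 2:", Counter(w2.values()))
    print("changes:", role_shift(w1, w2))
```

The rule-based `assign_role` stands in for whatever grouping method the role-mining step uses; the point of the example is the feature pipeline and the window-to-window comparison, which are the same whatever labels the grouping step produces. Note that an IP with no flows at all in a window is absent from the graph and therefore reported with a `None` role, which is itself a useful outage signal.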