Deriving cyber use cases from graph projections of cyber data represented as bipartite graphs

Title: Deriving cyber use cases from graph projections of cyber data represented as bipartite graphs
Publication Type: Conference Paper
Year of Publication: 2017
Authors: Eslami, M., Zheng, G., Eramian, H., Levchuk, G.
Conference Name: 2017 IEEE International Conference on Big Data (Big Data)
Date Published: dec
Keywords: anomaly detection, Bipartite graph, cyber security, graph analytics, IP networks, Measurement, Peer-to-peer computing, pubcrawl, Scalability, scalable, Scalable Security, security, Servers, situational awareness
Abstract

Graph analysis can capture relationships between network entities and can be used to identify and rank anomalous hosts, users, or applications from various types of cyber logs. It is often the case that the data in the logs can be represented as a bipartite graph (e.g. internal IP-external IP, user-application, or client-server). State-of-the-art graph-based anomaly detection often generalizes across all types of graphs -- namely bipartite and non-bipartite. This confounds the interpretation and use of specific graph features such as degree, page rank, and eigencentrality that can provide a security analyst with situational awareness and even insights into potential attacks on enterprise-scale networks. Furthermore, graph algorithms applied to data collected from large, distributed enterprise-scale networks require accompanying methods that allow them to scale to the data collected. In this paper, we provide a novel, scalable, directional graph projection framework that operates on cyber logs that can be represented as bipartite graphs. We also present methodologies to further narrow returned results to anomalous/outlier cases that may be indicative of a cyber security event. This framework computes directional graph projections and identifies a set of interpretable graph features that describe anomalies within each partite.

URL: http://ieeexplore.ieee.org/document/8258511/
DOI: 10.1109/BigData.2017.8258511
Citation Key: eslami_deriving_2017