Post on 23-Sep-2020
Visualizing Graph Dynamics and
Similarity for Enterprise Network
Security and ManagementSecurity and Management
Qi Liao, Aaron Striegel and Nitesh ChawlaC t S i d E i iComputer Science and Engineering
University of Notre Dame, USA.
Enterprise Network Management
P bli
What is going on in the network?What is going on in the network?Private
Publicservers
servers
WirelessUsers
DMZ
Users
Applications
Data
Internet Enterprise
Wired Users
11/15/2010Visualizing Graph Dynamics and Similarity
VizSec’10, Ottawa, Canada, September 14th, 2010 2
Internet Enterprise
Traditional Logging
Network connectivity logging usually in form of IP addresses and port numbers.T diti l Ci N tFl d fi itiTraditional Cisco NetFlow definition:
Ingress Interface
IP Protocol
IP TOS
SrcIP
DstIP
Srcport
Dstport
Where but not Who and What
Interface Protocol TOS IP IP port port
Where, but not Who and WhatVisual analysis of hosts, users and applications is more important and harderapplications is more important and harder than traditional IP/ports visualization [Hertzog06, Lalanne07, Liao08]
11/15/2010 Visualizing Graph Dynamics and SimilarityVizSec’10, Ottawa, Canada, September 14th, 2010
3
Introduction
Security management of enterprise networks is hard
d lUsers and applicationsComplex interrelationshipsSo dynamic constantly changingSo dynamic, constantly changingNo clean signal. Traditional data mining for anomaly detection falls shorty
Understanding the dynamics / similarities is non-trivial
Important step for anomaly detection
11/15/2010 Visualizing Graph Dynamics and SimilarityVizSec’10, Ottawa, Canada, September 14th, 2010
4
Similarity visualization
First step to understand abnormalityKey questions:
What are the changes?What changes are (ab)normal?How different (or similar) from day to dayHow different (or similar) from day-to-day activities?How to effectively visualize them?y
Dynamic and noisy data
Insights(variants invariantsSimilaritynoisy data
(hosts, users, applications)
(variants, invariants, abnormal behaviors,
root causes …)
Similarity visualization
11/15/2010 Visualizing Graph Dynamics and SimilarityVizSec’10, Ottawa, Canada, September 14th, 2010
5
Hierarchical Similarity Visualization
GraphsHUA connectivity graphs
Top down manner Bipartite graphsSimilarity graphs
Top-down manner(overview + context)
Inter-graphs • Among network graphs across multiple timelines.
Intra-graph • Identify similar structure within each individual
nodes• Dynamic of neighborhoods changes
at each individual node level.
11/15/2010 Visualizing Graph Dynamics and SimilarityVizSec’10, Ottawa, Canada, September 14th, 2010
6
at each individual node level.
Similarity/Difference Visualization
time i time i+1
11/15/2010 Visualizing Graph Dynamics and SimilarityVizSec’10, Ottawa, Canada, September 14th, 2010
7
Variance vs. invariance
MCP / MCPPMinimum common Maximum common
g1supergraphs (MCP) subgraphs (MCS)
=invariance
MCS
invariance
g3g2
MCS
variance
11/15/2010 Visualizing Graph Dynamics and SimilarityVizSec’10, Ottawa, Canada, September 14th, 2010
8
Differential view
new
Show / Hide
ld
Show / Hide
old
invariance
11/15/2010 Visualizing Graph Dynamics and SimilarityVizSec’10, Ottawa, Canada, September 14th, 2010
9
Visualizing graph property changes
Cl t ffi i t G h di tGraphs sizes Cluster coefficients Graphs diameters
Graphs distances Graphs variance scoresDegree distributions
11/15/2010 Visualizing Graph Dynamics and SimilarityVizSec’10, Ottawa, Canada, September 14th, 2010
10
p Graphs variance scoresg
Graph distance
Quantification through normalized distance functions:Schenker:2003, Bunke 1998, 2007.MCS based:
|)||,max(||),(|1),(
21
2121 gg
ggmcsggd −=
Graph edit distance (GED) based:|)(|2||||
|||||),(|2||||),(
21
212121 gg
ggmcsggggd+
−+=
11/15/2010 Visualizing Graph Dynamics and SimilarityVizSec’10, Ottawa, Canada, September 14th, 2010
11
Graph distance
Spikes of changesDaily graphs 14, 15, 16
11/15/2010 Visualizing Graph Dynamics and SimilarityVizSec’10, Ottawa, Canada, September 14th, 2010
12
MDS view (cluster evolution)
Transition
11/15/2010 Visualizing Graph Dynamics and SimilarityVizSec’10, Ottawa, Canada, September 14th, 2010
13
Top networkcomponentspresponsible
Day 14
Day 15
11/15/2010 Visualizing Graph Dynamics and SimilarityVizSec’10, Ottawa, Canada, September 14th, 2010
14
Dynamic interactive and exploration
2-hop view from an investigated user nodeg
Sorting and filtering by node degrees and edge weights
11/15/2010 Visualizing Graph Dynamics and SimilarityVizSec’10, Ottawa, Canada, September 14th, 2010
15
Queries for degree trendone-hop view from anone hop view from an investigated user node
Trend of user activities (degrees)
11/15/2010 Visualizing Graph Dynamics and SimilarityVizSec’10, Ottawa, Canada, September 14th, 2010
16
Hierarchical Similarity Visualization
Inter-graphs
Intra-graph clustering visualizationIntra-graph visualization
HUA connectivity graphs(Multi-)bipartite graphs(Multi )bipartite graphsSimilarity graphs
nodes
11/15/2010 Visualizing Graph Dynamics and SimilarityVizSec’10, Ottawa, Canada, September 14th, 2010
17
HUA Graph Model
Heterogeneous graph4D space
Hosts Users Applications (HUA) TimeHosts, Users, Applications (HUA), Time
The ability to visualize the various combinations of
Host-to-Host(similar to Netflows)Hvarious combinations of
HUA (Liao:2008)(similar to Netflows)H
Host-to-User Host-to-App
(switch
Application-to-A li ti
User-to-User
(switch views)
U A
11/15/2010 Visualizing Graph Dynamics and SimilarityVizSec’10, Ottawa, Canada, September 14th, 2010
18
ApplicationUser-to-App
Examples (HU, HA)
H H(Bipartite graphs)
U
cselab01 cselab01
A
cselab01
crc05qliao
cselab01
crc05
ssh
ill
bomber kate bomber
mozilla
condor
cse-gw-06 cse-gw-06
Contrib tion the abilit to is ali e the ario s combinations of HUA
11/15/2010 Visualizing Graph Dynamics and SimilarityVizSec’10, Ottawa, Canada, September 14th, 2010
19
Contribution: the ability to visualize the various combinations of HUA
Intra-graph clusters visualization
3) desk 2) httpd web1) firefox
apps
4) CondorWalktrap [Pons:2006]
11/15/2010 Visualizing Graph Dynamics and SimilarityVizSec’10, Ottawa, Canada, September 14th, 2010
20
4) Condorresearch computing
Cluster similarity visualization
Visualizing the intra-graph clusters can provide:
Understanding of network usage patternClosely related community formed by i il h tsimilar hosts, users, apps.
Insight and potential anomaly analysisQ tif h h th hQuantify graphs changes through cluster distance
i il t R d I d [R d 1971]similar to Rand Index [Rand 1971]
DSDDSDSSDDSSCCdist
++++−=1),( 21
11/15/2010 Visualizing Graph Dynamics and SimilarityVizSec’10, Ottawa, Canada, September 14th, 2010
21
DSDDSDSS +++
Bipartite graphs
The general HUA connectivity graphs can be separated into (multi-)bipartite graphs.
host hosthost host
11/15/2010 Visualizing Graph Dynamics and SimilarityVizSec’10, Ottawa, Canada, September 14th, 2010
22
Multi-bipartite graphs Quadripartitegraph
Hosts Users Applications Hosts
InfoInfo-gain
Criticalpath
11/15/2010 Visualizing Graph Dynamics and SimilarityVizSec’10, Ottawa, Canada, September 14th, 2010
23
Biclique communities Users Applications
Bicliquecommunity
Membership changesJDoe community
ONEONE
overlapping communitiesONE &
TWO
Bicliquecommunity
TWO
yTWO
Bicliquecommunities [L h 2008]
11/15/2010 Visualizing Graph Dynamics and SimilarityVizSec’10, Ottawa, Canada, September 14th, 2010
24
[Lehmann:2008] HR & Finance
Similarity graphs
PreviousHUA heterogeneous graphs(multi-)bipartite graphs
Similarity graphsHeterogeneity HomogeneityPush similarity into the edge weights
(Example)nodes = usersd i ht b f li ti thedge weights = number of applications they
share.
11/15/2010 Visualizing Graph Dynamics and SimilarityVizSec’10, Ottawa, Canada, September 14th, 2010
25
Similarity Graphs
Local users (root)
# users
bridgesapplications
g
Ent. users(condor)
11/15/2010 Visualizing Graph Dynamics and SimilarityVizSec’10, Ottawa, Canada, September 14th, 2010
26
(condor)
Hierarchical Similarity Visualization
Inter-graphs
I t hIntra-graph
nodes
Dynamics / similarity of each individual nodesVisualization of neighborhoodnodes Visualization of neighborhood changes over time
Quick visual analysis on node’s anomalous behaviors
11/15/2010 Visualizing Graph Dynamics and SimilarityVizSec’10, Ottawa, Canada, September 14th, 2010
27
anomalous behaviors
Dynamics of Node Degrees
firefox-bin
parrot chirp_distrib chirp_server
condor_shadow
parrot
sD
egre
es
11/15/2010 Visualizing Graph Dynamics and SimilarityVizSec’10, Ottawa, Canada, September 14th, 2010
28
time
Node Dynamics/Similarity Visualization
Neighborhood changesHosts: UHH Aday 1
usersUsers:
hostsHH
d 2
Ahostsapplications
Applications:
U
AHH
day 2 HH
ppuserssrc/dst hsots
AQuick and easy visualization2D scatter plots
HH
UHH
Aday i
A
A
11/15/2010 Visualizing Graph Dynamics and SimilarityVizSec’10, Ottawa, Canada, September 14th, 2010
29
HH A
Node Similarity Visualization
options dots = unique NEIGHBORS (hosts, users, or apps)
anomalies
patterns
Nodes by dynamic scores Time
Overlapping neighbors
Table view: legends
11/15/2010 Visualizing Graph Dynamics and SimilarityVizSec’10, Ottawa, Canada, September 14th, 2010
30
Table view: legends
Node Similarity VisualizationSrc hosts
User: hwang6
cse-gw-02.nd.edu
g
day 17 -20
11/15/2010 Visualizing Graph Dynamics and SimilarityVizSec’10, Ottawa, Canada, September 14th, 2010
31
Node Similarity Visualizationli ti
sshapplications
hexdokush
condor_execcondor_shadow
firefoxgweather-appletUser: hwang6
day 17 -20
11/15/2010 Visualizing Graph Dynamics and SimilarityVizSec’10, Ottawa, Canada, September 14th, 2010
32
ConclusionVisualizing dynamic relationships among hosts, users, and applications vs. traditional IP/port-based Netflowmonitoring.Importance and challenges of similarity / differencesof network graphs
Security / forensics / policy auditSecurity / forensics / policy auditNetwork management, troubleshootAnomaly analysis
Similarity visualization : a promising approachSimilarity visualization : a promising approach.Novel transformation of graphs
HUA connectivity graphs, MDS graphs, (multi-)bipartite graphs, similarity graphssimilarity graphs
Hierarchical similarity visualization frameworkInter-graphs, intra-graphs, nodes
More info available at http://netscale.cse.nd.edu/Lockdown
11/15/2010 Visualizing Graph Dynamics and SimilarityVizSec’10, Ottawa, Canada, September 14th, 2010
33