Massive scale cyber traffic analysis: a driver for graph database research

Authors:
Cliff Joslyn;Sutanay Choudhury;David Haglin;Bill Howe;Bill Nickless;Bryan Olsen
Affiliations:
Pacific Northwest National Laboratory (PNNL);PNNL;PNNL;University of Washington;PNNL;PNNL
Venue:
First International Workshop on Graph Data Management Experiences and Systems
Year:
2013

Citing 11
Cited 0

Combining Cisco NetFlow Exports with Relational Database Technology for Usage Statistics, Intrusion Detection, and Network Forensics

LISA '00 Proceedings of the 14th USENIX conference on System administration
BLINC: multilevel traffic classification in the dark

Proceedings of the 2005 conference on Applications, technologies, architectures, and protocols for computer communications
Preserving the Big Picture: Visual Network Traffic Analysis with TN

VIZSEC '05 Proceedings of the IEEE Workshops on Visualization for Computer Security
Inferring Internet denial-of-service activity

ACM Transactions on Computer Systems (TOCS)
Network monitoring using traffic dispersion graphs (tdgs)

Proceedings of the 7th ACM SIGCOMM conference on Internet measurement
The Expressive Power of SPARQL

ISWC '08 Proceedings of the 7th International Conference on The Semantic Web
BotMiner: clustering analysis of network traffic for protocol- and structure-independent botnet detection

SS'08 Proceedings of the 17th conference on Security symposium
Friends of an enemy: identifying local members of peer-to-peer botnets using mutual contacts

Proceedings of the 26th Annual Computer Security Applications Conference
BotGrep: finding P2P bots with structured graph analysis

USENIX Security'10 Proceedings of the 19th USENIX conference on Security
Graph cube: on warehousing and OLAP multidimensional networks

Proceedings of the 2011 ACM SIGMOD International Conference on Management of data
BotFinder: finding bots in network traffic without deep packet inspection

Proceedings of the 8th international conference on Emerging networking experiments and technologies

Quantified Score

Hi-index	0.00

Visualization

Abstract

We consider cyber traffic analysis (TA) as a challenge problem for research in graph database systems. TA involves observing and analyzing connections between clients, servers, hosts, and actors within IP networks, over time, to detect suspicious patterns. Towards that end, NetFlow (or more generically, IPFLOW) data are available from routers and servers which summarize coherent groups of IP packets flowing through the network. The ability to cast IPFLOW data as a massive graph and query it interactively is potentially transformative for cybersecurity, but issues of scale and data complexity pose challenges for current technology. In this paper, we outline requirements and opportunities for graph-structured IPFLOW analytics based on our experience with real IPFLOW databases. We describe real use cases from the security domain, cast them as graph patterns, show how to express them in two graph-oriented query languages (SPARQL and Datalog), and use these examples to motivate a new class of "hybrid" graph-relational systems.