-
Hypersparse Network Flow Analysis of Packets with GraphBLAS
Authors:
Tyler Trigg,
Chad Meiners,
Sandeep Pisharody,
Hayden Jananthan,
Michael Jones,
Adam Michaleas,
Timothy Davis,
Erik Welch,
William Arcand,
David Bestor,
William Bergeron,
Chansup Byun,
Vijay Gadepally,
Micheal Houle,
Matthew Hubbell,
Anna Klein,
Peter Michaleas,
Lauren Milechin,
Julie Mullen,
Andrew Prout,
Albert Reuther,
Antonio Rosa,
Siddharth Samsi,
Doug Stetson,
Charles Yee
, et al. (1 additional authors not shown)
Abstract:
Internet analysis is a major challenge due to the volume and rate of network traffic. In lieu of analyzing traffic as raw packets, network analysts often rely on compressed network flows (netflows) that contain the start time, stop time, source, destination, and number of packets in each direction. However, many traffic analyses benefit from temporal aggregation of multiple simultaneous netflows,…
▽ More
Internet analysis is a major challenge due to the volume and rate of network traffic. In lieu of analyzing traffic as raw packets, network analysts often rely on compressed network flows (netflows) that contain the start time, stop time, source, destination, and number of packets in each direction. However, many traffic analyses benefit from temporal aggregation of multiple simultaneous netflows, which can be computationally challenging. To alleviate this concern, a novel netflow compression and resampling method has been developed leveraging GraphBLAS hyperspace traffic matrices that preserve anonymization while enabling subrange analysis. Standard multitemporal spatial analyses are then performed on each subrange to generate detailed statistical aggregates of the source packets, source fan-out, unique links, destination fan-in, and destination packets of each subrange which can then be used for background modeling and anomaly detection. A simple file format based on GraphBLAS sparse matrices is developed for storing these statistical aggregates. This method is scale tested on the MIT SuperCloud using a 50 trillion packet netflow corpus from several hundred sites collected over several months. The resulting compression achieved is significant (<0.1 bit per packet) enabling extremely large netflow analyses to be stored and transported. The single node parallel performance is analyzed in terms of both processors and threads showing that a single node can perform hundreds of simultaneous analyses at over a million packets/sec (roughly equivalent to a 10 Gigabit link).
△ Less
Submitted 13 September, 2022;
originally announced September 2022.
-
Large Scale Enrichment and Statistical Cyber Characterization of Network Traffic (Enriquecimiento a gran escala y caracterización cibernética estadística del tráfico de red)
Authors:
Ivan Kawaminami,
Arminda Estrada,
Youssef Elsakkary,
Hayden Jananthan,
Aydın Buluç,
Tim Davis,
Daniel Grant,
Michael Jones,
Chad Meiners,
Andrew Morris,
Sandeep Pisharody,
Jeremy Kepner
Abstract:
Modern network sensors continuously produce enormous quantities of raw data that are beyond the capacity of human analysts. Cross-correlation of network sensors increases this challenge by enriching every network event with additional metadata. These large volumes of enriched network data present opportunities to statistically characterize network traffic and quickly answer a key question: "What a…
▽ More
Modern network sensors continuously produce enormous quantities of raw data that are beyond the capacity of human analysts. Cross-correlation of network sensors increases this challenge by enriching every network event with additional metadata. These large volumes of enriched network data present opportunities to statistically characterize network traffic and quickly answer a key question: "What are the primary cyber characteristics of my network data?" The Python GraphBLAS and PyD4M analysis frameworks enable anonymized statistical analysis to be performed quickly and efficiently on very large network data sets. This approach is tested using billions of anonymized network data samples from the largest Internet observatory (CAIDA Telescope) and tens of millions of anonymized records from the largest commercially available background enrichment capability (GreyNoise). The analysis confirms that most of the enriched variables follow expected heavy-tail distributions and that a large fraction of the network traffic is due to a small number of cyber activities. This information can simplify the cyber analysts' task by enabling prioritization of cyber activities based on statistical prevalence.
--
Los sensores de red modernos producen enormes cantidades de datos sin procesar que están más allá de la capacidad del análisis humano. Una correlación cruzada de sensores de red se convierte en un desafío al enriquecer cada evento de red con metadatos adicionales. Estos grandes volúmenes de datos de red enriquecidos presentan una oportunidad para caracterizar estadísticamente el tráfico de red y responder a la pregunta: "?Cuáles son las principales características cibernéticas de mis datos de red?" Los esquemas de análisis de Python GraphBLAS y D4M permiten realizar análisis estadísticos anónimos, rápidos y eficientes en conjuntos grandes de datos de red. Este enfoque se prueba utilizando miles de millones de muestras de datos de red anónimos del observatorio de Internet más grande (Telescopio CAIDA) y decenas de millones de registros anónimos del fondo comercial con la mayor capacidad de enriquecimiento (GreyNoise). El análisis confirma que la mayoría de las variables enriquecidas siguen las distribuciones de cola pesada y que una gran fracción del tráfico de red se debe a una pequena cantidad de actividades cibernéticas. Esta información puede simplificar la tarea de los analistas cibernéticos al permitir la priorización de las actividades cibernéticas en función de la prevalencia estadística.
△ Less
Submitted 1 December, 2022; v1 submitted 7 September, 2022;
originally announced September 2022.
-
GraphBLAS on the Edge: Anonymized High Performance Streaming of Network Traffic
Authors:
Michael Jones,
Jeremy Kepner,
Daniel Andersen,
Aydin Buluc,
Chansup Byun,
K Claffy,
Timothy Davis,
William Arcand,
Jonathan Bernays,
David Bestor,
William Bergeron,
Vijay Gadepally,
Micheal Houle,
Matthew Hubbell,
Hayden Jananthan,
Anna Klein,
Chad Meiners,
Lauren Milechin,
Julie Mullen,
Sandeep Pisharody,
Andrew Prout,
Albert Reuther,
Antonio Rosa,
Siddharth Samsi,
Jon Sreekanth
, et al. (3 additional authors not shown)
Abstract:
Long range detection is a cornerstone of defense in many operating domains (land, sea, undersea, air, space, ..,). In the cyber domain, long range detection requires the analysis of significant network traffic from a variety of observatories and outposts. Construction of anonymized hypersparse traffic matrices on edge network devices can be a key enabler by providing significant data compression i…
▽ More
Long range detection is a cornerstone of defense in many operating domains (land, sea, undersea, air, space, ..,). In the cyber domain, long range detection requires the analysis of significant network traffic from a variety of observatories and outposts. Construction of anonymized hypersparse traffic matrices on edge network devices can be a key enabler by providing significant data compression in a rapidly analyzable format that protects privacy. GraphBLAS is ideally suited for both constructing and analyzing anonymized hypersparse traffic matrices. The performance of GraphBLAS on an Accolade Technologies edge network device is demonstrated on a near worse case traffic scenario using a continuous stream of CAIDA Telescope darknet packets. The performance for varying numbers of traffic buffers, threads, and processor cores is explored. Anonymized hypersparse traffic matrices can be constructed at a rate of over 50,000,000 packets per second; exceeding a typical 400 Gigabit network link. This performance demonstrates that anonymized hypersparse traffic matrices are readily computable on edge network devices with minimal compute resources and can be a viable data product for such devices.
△ Less
Submitted 5 September, 2022; v1 submitted 25 March, 2022;
originally announced March 2022.
-
Temporal Correlation of Internet Observatories and Outposts
Authors:
Jeremy Kepner,
Michael Jones,
Daniel Andersen,
Aydın Buluç,
Chansup Byun,
K Claffy,
Timothy Davis,
William Arcand,
Jonathan Bernays,
David Bestor,
William Bergeron,
Vijay Gadepally,
Daniel Grant,
Micheal Houle,
Matthew Hubbell,
Hayden Jananthan,
Anna Klein,
Chad Meiners,
Lauren Milechin,
Andrew Morris,
Julie Mullen,
Sandeep Pisharody,
Andrew Prout,
Albert Reuther,
Antonio Rosa
, et al. (4 additional authors not shown)
Abstract:
The Internet has become a critical component of modern civilization requiring scientific exploration akin to endeavors to understand the land, sea, air, and space environments. Understanding the baseline statistical distributions of traffic are essential to the scientific understanding of the Internet. Correlating data from different Internet observatories and outposts can be a useful tool for gai…
▽ More
The Internet has become a critical component of modern civilization requiring scientific exploration akin to endeavors to understand the land, sea, air, and space environments. Understanding the baseline statistical distributions of traffic are essential to the scientific understanding of the Internet. Correlating data from different Internet observatories and outposts can be a useful tool for gaining insights into these distributions. This work compares observed sources from the largest Internet telescope (the CAIDA darknet telescope) with those from a commercial outpost (the GreyNoise honeyfarm). Neither of these locations actively emit Internet traffic and provide distinct observations of unsolicited Internet traffic (primarily botnets and scanners). Newly developed GraphBLAS hyperspace matrices and D4M associative array technologies enable the efficient analysis of these data on significant scales. The CAIDA sources are well approximated by a Zipf-Mandelbrot distribution. Over a 6-month period 70\% of the brightest (highest frequency) sources in the CAIDA telescope are consistently detected by coeval observations in the GreyNoise honeyfarm. This overlap drops as the sources dim (reduce frequency) and as the time difference between the observations grows. The probability of seeing a CAIDA source is proportional to the logarithm of the brightness. The temporal correlations are well described by a modified Cauchy distribution. These observations are consistent with a correlated high frequency beam of sources that drifts on a time scale of a month.
△ Less
Submitted 18 March, 2022;
originally announced March 2022.
-
Zero Botnets: An Observe-Pursue-Counter Approach
Authors:
Jeremy Kepner,
Jonathan Bernays,
Stephen Buckley,
Kenjiro Cho,
Cary Conrad,
Leslie Daigle,
Keeley Erhardt,
Vijay Gadepally,
Barry Greene,
Michael Jones,
Robert Knake,
Bruce Maggs,
Peter Michaleas,
Chad Meiners,
Andrew Morris,
Alex Pentland,
Sandeep Pisharody,
Sarah Powazek,
Andrew Prout,
Philip Reiner,
Koichi Suzuki,
Kenji Takahashi,
Tony Tauber,
Leah Walker,
Douglas Stetson
Abstract:
Adversarial Internet robots (botnets) represent a growing threat to the safe use and stability of the Internet. Botnets can play a role in launching adversary reconnaissance (scanning and phishing), influence operations (upvoting), and financing operations (ransomware, market manipulation, denial of service, spamming, and ad click fraud) while obfuscating tailored tactical operations. Reducing the…
▽ More
Adversarial Internet robots (botnets) represent a growing threat to the safe use and stability of the Internet. Botnets can play a role in launching adversary reconnaissance (scanning and phishing), influence operations (upvoting), and financing operations (ransomware, market manipulation, denial of service, spamming, and ad click fraud) while obfuscating tailored tactical operations. Reducing the presence of botnets on the Internet, with the aspirational target of zero, is a powerful vision for galvanizing policy action. Setting a global goal, encouraging international cooperation, creating incentives for improving networks, and supporting entities for botnet takedowns are among several policies that could advance this goal. These policies raise significant questions regarding proper authorities/access that cannot be answered in the abstract. Systems analysis has been widely used in other domains to achieve sufficient detail to enable these questions to be dealt with in concrete terms. Defeating botnets using an observe-pursue-counter architecture is analyzed, the technical feasibility is affirmed, and the authorities/access questions are significantly narrowed. Recommended next steps include: supporting the international botnet takedown community, expanding network observatories, enhancing the underlying network science at scale, conducting detailed systems analysis, and develo** appropriate policy frameworks.
△ Less
Submitted 16 January, 2022;
originally announced January 2022.
-
Realizing Forward Defense in the Cyber Domain
Authors:
Sandeep Pisharody,
Jonathan Bernays,
Vijay Gadepally,
Michael Jones,
Jeremy Kepner,
Chad Meiners,
Peter Michaleas,
Adam Tse,
Doug Stetson
Abstract:
With the recognition of cyberspace as an operating domain, concerted effort is now being placed on addressing it in the whole-of-domain manner found in land, sea, undersea, air, and space domains. Among the first steps in this effort is applying the standard supporting concepts of security, defense, and deterrence to the cyber domain. This paper presents an architecture that helps realize forward…
▽ More
With the recognition of cyberspace as an operating domain, concerted effort is now being placed on addressing it in the whole-of-domain manner found in land, sea, undersea, air, and space domains. Among the first steps in this effort is applying the standard supporting concepts of security, defense, and deterrence to the cyber domain. This paper presents an architecture that helps realize forward defense in cyberspace, wherein adversarial actions are repulsed as close to the origin as possible. However, substantial work remains in making the architecture an operational reality including furthering fundamental research cyber science, conducting design trade-off analysis, and develo** appropriate public policy frameworks.
△ Less
Submitted 4 October, 2021;
originally announced October 2021.
-
Spatial Temporal Analysis of 40,000,000,000,000 Internet Darkspace Packets
Authors:
Jeremy Kepner,
Michael Jones,
Daniel Andersen,
Aydin Buluc,
Chansup Byun,
K Claffy,
Timothy Davis,
William Arcand,
Jonathan Bernays,
David Bestor,
William Bergeron,
Vijay Gadepally,
Micheal Houle,
Matthew Hubbell,
Anna Klein,
Chad Meiners,
Lauren Milechin,
Julie Mullen,
Sandeep Pisharody,
Andrew Prout,
Albert Reuther,
Antonio Rosa,
Siddharth Samsi,
Doug Stetson,
Adam Tse
, et al. (2 additional authors not shown)
Abstract:
The Internet has never been more important to our society, and understanding the behavior of the Internet is essential. The Center for Applied Internet Data Analysis (CAIDA) Telescope observes a continuous stream of packets from an unsolicited darkspace representing 1/256 of the Internet. During 2019 and 2020 over 40,000,000,000,000 unique packets were collected representing the largest ever assem…
▽ More
The Internet has never been more important to our society, and understanding the behavior of the Internet is essential. The Center for Applied Internet Data Analysis (CAIDA) Telescope observes a continuous stream of packets from an unsolicited darkspace representing 1/256 of the Internet. During 2019 and 2020 over 40,000,000,000,000 unique packets were collected representing the largest ever assembled public corpus of Internet traffic. Using the combined resources of the Supercomputing Centers at UC San Diego, Lawrence Berkeley National Laboratory, and MIT, the spatial temporal structure of anonymized source-destination pairs from the CAIDA Telescope data has been analyzed with GraphBLAS hierarchical hypersparse matrices. These analyses provide unique insight on this unsolicited Internet darkspace traffic with the discovery of many previously unseen scaling relations. The data show a significant sustained increase in unsolicited traffic corresponding to the start of the COVID19 pandemic, but relatively little change in the underlying scaling relations associated with unique sources, source fan-outs, unique links, destination fan-ins, and unique destinations. This work provides a demonstration of the practical feasibility and benefit of the safe collection and analysis of significant quantities of anonymized Internet traffic.
△ Less
Submitted 14 August, 2021;
originally announced August 2021.
-
Multi-Temporal Analysis and Scaling Relations of 100,000,000,000 Network Packets
Authors:
Jeremy Kepner,
Chad Meiners,
Chansup Byun,
Sarah McGuire,
Timothy Davis,
William Arcand,
Jonathan Bernays,
David Bestor,
William Bergeron,
Vijay Gadepally,
Raul Harnasch,
Matthew Hubbell,
Micheal Houle,
Micheal Jones,
Andrew Kirby,
Anna Klein,
Lauren Milechin,
Julie Mullen,
Andrew Prout,
Albert Reuther,
Antonio Rosa,
Siddharth Samsi,
Doug Stetson,
Adam Tse,
Charles Yee
, et al. (1 additional authors not shown)
Abstract:
Our society has never been more dependent on computer networks. Effective utilization of networks requires a detailed understanding of the normal background behaviors of network traffic. Large-scale measurements of networks are computationally challenging. Building on prior work in interactive supercomputing and GraphBLAS hypersparse hierarchical traffic matrices, we have developed an efficient me…
▽ More
Our society has never been more dependent on computer networks. Effective utilization of networks requires a detailed understanding of the normal background behaviors of network traffic. Large-scale measurements of networks are computationally challenging. Building on prior work in interactive supercomputing and GraphBLAS hypersparse hierarchical traffic matrices, we have developed an efficient method for computing a wide variety of streaming network quantities on diverse time scales. Applying these methods to 100,000,000,000 anonymized source-destination pairs collected at a network gateway reveals many previously unobserved scaling relationships. These observations provide new insights into normal network background traffic that could be used for anomaly detection, AI feature engineering, and testing theoretical models of streaming networks.
△ Less
Submitted 1 August, 2020;
originally announced August 2020.