Authentication graphs: Analyzing user behavior within an enterprise network

User authentication over the network builds a foundation of trust within large-scale computer networks. The collection of this network authentication activity provides valuable insight into user behavior within an enterprise network. Representing this authentication data as a set of user-specific graphs and graph features, including time-constrained attributes, enables novel and comprehensive analysis opportunities. We show graph-based approaches to user classification and intrusion detection with practical results. We also show a method for assessing network authentication trust risk and cyber attack mitigation within an enterprise network using bipartite authentication graphs. We demonstrate the value of these graph-based approaches on a real-world authentication data set collected from an enterprise network.
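The following is an added worked example, not code from the paper: it builds per-user authentication graphs from a constructed, space-separated log (timestamp, user, source host, destination host), derives a few structural and time-constrained features per user, and then walks a bipartite user/host graph from an assumed-compromised host to estimate how far captured credentials could carry an attacker. The log lines, the business-hours window, the feature set, and the reachability walk are all assumptions chosen to illustrate the abstract, not the authors' exact method or data.

```python
"""Per-user authentication graphs and a bipartite user/host graph.

Added example (not the paper's code). The log lines are constructed, and
the feature set and the exposure walk are one plausible reading of the
abstract, not the authors' exact method.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample: timestamp, user, source host, destination host
AUTH_LOG = """\
2014-03-03T08:12:04 alice ws-alice fileserv1
2014-03-03T08:14:10 alice ws-alice mail1
2014-03-03T23:41:55 alice ws-alice dc1
2014-03-03T23:42:30 alice dc1 fileserv2
2014-03-03T09:02:11 bob ws-bob fileserv1
2014-03-03T09:05:00 bob ws-bob mail1
2014-03-03T03:15:42 svc_backup bkp1 fileserv1
2014-03-03T03:16:01 svc_backup bkp1 fileserv2
2014-03-03T03:16:20 svc_backup bkp1 dc1
2014-03-03T10:00:00 carol ws-carol print1
"""


def parse_log(text):
    """Yield (timestamp, user, src, dst) tuples from the space-separated log."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src, dst = line.split()
        yield datetime.fromisoformat(ts), user, src, dst


def build_user_graphs(records):
    """One directed multigraph per user: {user: {(src, dst): [timestamps]}}."""
    graphs = defaultdict(lambda: defaultdict(list))
    for ts, user, src, dst in records:
        graphs[user][(src, dst)].append(ts)
    return graphs


def graph_features(edges, start_hour=7, end_hour=19):
    """Structural and time-constrained features of one user's graph.

    off_hours_edges counts distinct edges used at least once outside
    [start_hour, end_hour); the window is an assumed business day.
    """
    nodes = {n for e in edges for n in e}
    out_deg = defaultdict(int)
    for src, _dst in edges:
        out_deg[src] += 1
    off_hours = sum(
        1 for ts_list in edges.values()
        if any(not start_hour <= t.hour < end_hour for t in ts_list)
    )
    return {
        "nodes": len(nodes),
        "edges": len(edges),
        "auth_events": sum(len(v) for v in edges.values()),
        "max_out_degree": max(out_deg.values(), default=0),
        "off_hours_edges": off_hours,
    }


def bipartite_graph(records):
    """Undirected user<->host graph: a user is linked to every host it touched."""
    adj = defaultdict(set)
    for _ts, user, src, dst in records:
        for host in (src, dst):
            adj[("user", user)].add(("host", host))
            adj[("host", host)].add(("user", user))
    return adj


def snowball_exposure(adj, host):
    """Users and hosts reachable from a compromised host by alternating
    host -> user (credential exposed there) -> host (where that user also
    authenticated). An assumed identity-snowball style risk estimate."""
    start = ("host", host)
    seen, frontier = {start}, [start]
    while frontier:
        node = frontier.pop()
        for nxt in adj.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                frontier.append(nxt)
    users = sorted(n for kind, n in seen if kind == "user")
    hosts = sorted(n for kind, n in seen if kind == "host" and n != host)
    return users, hosts


if __name__ == "__main__":
    recs = list(parse_log(AUTH_LOG))
    for user, edges in build_user_graphs(recs).items():
        print(user, graph_features(edges))
    print(snowball_exposure(bipartite_graph(recs), "fileserv1"))
```

In the constructed data, alice's graph stands out on the time-constrained feature (two edges used only late at night, one of them a hop through the domain controller), while the backup service account is expected to be entirely off-hours; a classifier trained on such per-user feature vectors separates service accounts from interactive users, and a sudden change in a user's own vector is the intrusion signal. The bipartite walk shows the trust-risk side: compromising fileserv1 exposes every user who authenticated there and, through them, every host those users reach, whereas the isolated print1/ws-carol pair stays out of reach.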
