Proceedings of the ACM SIGCOMM 2019 Conference Posters and Demos 2019
DOI: 10.1145/3342280.3342303

NOracle

Abstract: This demo presents NOracle: a system using Stochastic Block Models (SBMs) to infer structural roles of hosts and communication patterns of services in networks. NOracle can be used with existing monitoring systems to analyze and visualize networks in an online manner or be used to analyze stored traces. Network operators can use SBMs to monitor and verify network operation, detect possible security issues and change-points. To showcase this, NOracle combines the production-grade network management solution Sta…

Citations: cited by 3 publications (4 citation statements)
References: 15 publications
“…3) Detecting Host Anomaly from Graphs: Using networked graphs that describe host interconnectivity can be particularly useful for cybersecurity applications such as to detect malicious hosts in a network or identify clusters of botnet devices launching distributed attacks [119], [152], [7], [103], [10], [39], [71], [62]. For some recent examples, the work in [10] considers a large enterprise network with dynamic compositions and communication patterns of hosts, and hence becomes difficult to manage and secure.…”
Section: B Dynamic Monitoring Via Specific Networked Graphs (mentioning)
confidence: 99%
“…The authors leveraged randomized sketching algorithms to make cost-effective inferences with optimal memory consumption. Similarly, Noracle [71] detects anomalous behavioral changes of individual hosts in network graphs using stochastic block models, which could detect hosts with deviated behaviors (e.g., connecting to unusual hosts) compared with other hosts in the same cluster. Whereas TRACE [62] builds a distributed enterprise-wide communications graph tracking information from both network connectivity (e.g., IP address and port number) and involved device system calls (e.g., application name and process ID) between enterprise hosts for advanced persistent threat (APT) detection.…”
Section: B Dynamic Monitoring Via Specific Networked Graphs (mentioning)
confidence: 99%
“…The fitted SBM enables the generation of synthetic communication patterns as well as analysis of observed communication. In this context, Kalmbach [2] uses WSBMs to replicate data center network traffic in an offline setting, while NOracle [3] uses unweighted SBMs to detect malware in a testbed network. In contrast to [3], AwareNet can detect anomalies like targeted host scans in a real campus network.…”
Section: Background and Related Work (mentioning)
confidence: 99%
“…In this context, Kalmbach [2] uses WSBMs to replicate data center network traffic in an offline setting, while NOracle [3] uses unweighted SBMs to detect malware in a testbed network. In contrast to [3], AwareNet can detect anomalies like targeted host scans in a real campus network. Port scans are often part of network attack's probing phases [6].…”
Section: Background and Related Work (mentioning)
confidence: 99%