Publication


Featured research published by Alexander D. Kent.


Computers & Security | 2015

Authentication graphs

Alexander D. Kent; Lorie M. Liebrock; Joshua Neil

User authentication over the network builds a foundation of trust within large-scale computer networks. The collection of this network authentication activity provides valuable insight into user behavior within an enterprise network. Representing this authentication data as a set of user-specific graphs and graph features, including time-constrained attributes, enables novel and comprehensive analysis opportunities. We show graph-based approaches to user classification and intrusion detection with practical results. We also show a method for assessing network authentication trust risk and cyber attack mitigation within an enterprise network using bipartite authentication graphs. We demonstrate the value of these graph-based approaches on a real-world authentication data set collected from an enterprise network.


Signal-Image Technology and Internet-Based Systems | 2014

Connected Components and Credential Hopping in Authentication Graphs

Aric Hagberg; Nathan Lemons; Alexander D. Kent; Joshua Neil

Modern enterprise computer networks rely on centrally managed authentication schemes that allow users to easily communicate access credentials to many computer systems and applications. The authentication events typically consist of a user connecting to a computer with an authorized credential. These credentials are often cached on the application servers, which creates a risk that they may be stolen and used to hop between computers in the network. We examine computer network risk associated with credential hopping by creating and studying the structure of the authentication graph, a bipartite graph built from authentication events. We assume that an authentication graph with many short paths between computers represents a network that is more vulnerable to such attacks. Under this natural assumption, we use a measure of graph connectivity, namely the size of the largest connected component, to give a quantitative indicator of the network's susceptibility to such attacks. Motivated by graph theoretical results for component sizes in random intersection graphs, we propose a mitigation strategy, and perform experiments simulating an implementation using data from a large enterprise network. The results lead to realistic, actionable risk reduction strategies. To facilitate continued research opportunities, we are also providing our authentication bipartite graph data set spanning 9 months and 708 million time-series edge records.


IEEE Symposium on Security and Privacy | 2013

Differentiating User Authentication Graphs

Alexander D. Kent; Lorie M. Liebrock

Authentication using centralized methods is a primary trust mechanism within most large-scale, enterprise computer networks. This paper proposes using graphs to represent user authentication activity within the network. Using this mechanism over a real enterprise network dataset, we find that non-privileged users and users with system administration privileges have distinguishable graph attributes in terms of size and complexity. In addition, we find that user authentication graphs provide intuitive insights into network user behavior. We believe that understanding these differences in even greater detail will lead to improved user behavior profiling and the elusive detection of authentication credential misuse.


Computer Software and Applications Conference | 2011

Secure Communication via Shared Knowledge and a Salted Hash in Ad-Hoc Environments

Alexander D. Kent; Lorie M. Liebrock

Decentralized, message-based communication networks commonly require mechanisms for message confidentiality and integrity. While these needs are traditionally provided through methods of channel encryption and signing, such mechanisms are often difficult or impossible to implement in the ad-hoc, decentralized environments seen in sensor networks, collaborative intrusion detection systems, or other similar peer-to-peer networks. Using the concepts from one-way hashing and language-derived relevance theory, we propose five novel contributions relevant to ad-hoc communications and security: one-way cryptographic hashing as a mechanism for securely communicating in an environment where preexisting shared knowledge exists, hashed shared knowledge messages as a basis for secure formation of self-selecting subgroups and trust building, adding salt to the shared knowledge hashes to remove the static nature of common messages and defend against precomputed table attacks, integration of variable complexity hash functions to dynamically adjust hash complexity relative to message complexity, and a message integrity element based on the secrecy of the original shared knowledge within a hashed message. Although our proposed mechanisms are likely implemented without difficulty from a network and encryption standpoint, they do require significant integration and awareness within the applications relying on them. The method also assumes a static value from a large existing set of shared knowledge, which does not always exist.


IEEE Symposium Series on Computational Intelligence | 2016

Evolving Multi-level Graph Partitioning Algorithms

Aaron Scott Pope; Daniel R. Tauritz; Alexander D. Kent

Optimal graph partitioning is a foundational problem in computer science, and appears in many different applications. Multi-level graph partitioning is a state-of-the-art method of efficiently approximating high quality graph partitions. In this work, genetic programming techniques are used to evolve new multi-level graph partitioning heuristics that are tailored to specific applications. Results are presented using these evolved partitioners on traditional random graph models as well as a real-world computer network data set. These results demonstrate an improvement in the quality of the partitions produced over current state-of-the-art methods.


IEEE Transactions on Dependable and Secure Computing | 2017

Evolving Bipartite Authentication Graph Partitions

Aaron Scott Pope; Daniel R. Tauritz; Alexander D. Kent

As large-scale enterprise computer networks become more ubiquitous, finding the appropriate balance between user convenience and user access control is an increasingly challenging proposition. Suboptimal partitioning of users’ access and available services contributes to the vulnerability of enterprise networks. Previous edge-cut partitioning methods unduly restrict users’ access to network resources. This paper introduces a novel method of network partitioning, superior to the current state-of-the-art, which minimizes user impact by providing alternate avenues for access that reduce vulnerability. Networks are modeled as bipartite authentication access graphs, and a multi-objective evolutionary algorithm is used to simultaneously minimize the size of large connected components while minimizing overall restrictions on network users. Results are presented on a real-world data set that demonstrate the effectiveness of the introduced method compared to previous naive methods.


IEEE Symposium Series on Computational Intelligence | 2016

Evolving random graph generators: A case for increased algorithmic primitive granularity

Aaron Scott Pope; Daniel R. Tauritz; Alexander D. Kent

Random graph generation techniques provide an invaluable tool for studying graph-related concepts. Unfortunately, traditional random graph models tend to produce artificial representations of real-world phenomena. Manually developing customized random graph models for every application would require an unreasonable amount of time and effort. In this work, a platform is developed to automate the production of random graph generators that are tailored to specific applications. Elements of existing random graph generation techniques are used to create a set of graph-based primitive operations. A hyper-heuristic approach is employed that uses genetic programming to automatically construct random graph generators from this set of operations. This work improves upon similar research by increasing the level of algorithmic sophistication possible with evolved solutions, allowing more accurate modeling of subtle graph characteristics. The versatility of this approach is tested against existing methods, and experimental results demonstrate the potential to outperform conventional and state-of-the-art techniques for specific applications.


Computer Software and Applications Conference | 2014

DCAFE: A Distributed Cyber Security Automation Framework for Experiments

George Rush; Daniel R. Tauritz; Alexander D. Kent

Cyber security has quickly become an overwhelming challenge for governments, businesses, private organizations, and individuals. In an increasingly connected world, the trend is for resources to be accessible from anywhere at any time. Greater access to resources implies more targets and potentially a larger surface area for attacks, which makes securing systems more difficult. Automated and semi-automated solutions are needed to keep up with the deluge of modern threats, but designing such systems requires a distributed architecture to support development and testing. Several such architectures exist, but most only focus on providing a platform for running cyber security experiments as opposed to automating experiment processes. In response to this need, we have built a distributed framework based on software agents which can manage system roles, automate data collection, analyze results, and run new experiments without human intervention. The contribution of this work is the creation of a model for experiment automation and control in a distributed system environment, and this paper provides a detailed description of our framework based on that model.


2013 6th International Symposium on Resilient Control Systems (ISRCS) | 2013

Statistical detection of malicious web sites through time proximity to existing detection events

Alexander D. Kent; Lorie M. Liebrock

We present a novel method of combining and aggregating disparate computer security events with web browsing activity to produce new and extended intrusion information with low false positives. This method integrates web browsing and intrusion-related security events as an unevenly spaced time series, and then aggregates commonalities from these integrated events across a population of monitored computers. This aggregation not only enables increased validation and knowledge about known security events, but also reveals new and previously unknown activity of security concern with very low false positives. This source-oriented information enables more effective defensive measures and increased enterprise-wide security. Using data covering over 24,000 computers and spanning 6 months, we demonstrate the value of our approach. Most importantly, we show a data reduction from 6.4 billion web requests to just 19 requests from 10 Internet domains requiring a security analyst's review, given our real-world data set.


2013 6th International Symposium on Resilient Control Systems (ISRCS) | 2013

Intruder detection based on graph structured hypothesis testing

Joseph Sexton; Curtis B. Storlie; Joshua Neil; Alexander D. Kent

Anomaly-based network intruder detection is considered. In particular, we view anomaly detection as a statistical hypothesis testing problem. The null hypothesis associated with each host is that it is acting normally, while the alternative is that the host is acting abnormally. When considered in relation to the network traffic, these host-level hypotheses form a graphically structured hypothesis testing problem. Some network intrusions will form linked regions in this graph where the null hypotheses are false. This will be the case when an intruder traverses the network, or when a coordinated attack is performed targeting the same set of machines. Other network intrusions can lead to multiple unrelated hosts acting abnormally, such as when multiple attackers are acting more or less independently. We consider model-based approaches for detecting these different types of disruptions to the network activity. For instance, network traversal is modeled as a random walk through the network stringing together multiple abnormally acting machines. A coordinated attack targeting a single machine is modeled as multiple anomalous hosts connecting to a randomly selected target. The advantage of modeling the attacker patterns is that, under ideal conditions, this defines an optimal detector of the intruders. This optimal detector depends on unknown parameters, and is therefore less attractive for practical use. We describe pragmatic approaches that, in simulations, achieve close to optimal detection rates. The methodology is applied to a real-world network intrusion, clearly identifying the attack.

Collaboration


Top Co-Authors

Joshua Neil, Los Alamos National Laboratory

Daniel R. Tauritz, Missouri University of Science and Technology

Lorie M. Liebrock, New Mexico Institute of Mining and Technology

Aaron Scott Pope, Missouri University of Science and Technology

Curtis Hash, Los Alamos National Laboratory

Curtis B. Storlie, Los Alamos National Laboratory

Michael E. Fisk, Los Alamos National Laboratory

Alexander William Brugh, Los Alamos National Laboratory

George Rush, Missouri University of Science and Technology

James Clifford, Los Alamos National Laboratory