One Step Closer to the Matrix: Machine Learning and Augmented Reality in Networking Defense

Presented at THOTCON 0x6 (2015), May 15, 2015, 3:30 p.m. (25 minutes).

Network operations are constrained by three fundamental issues: i) a shortage of qualified personnel; ii) a complex operational environment; and iii) a sparse pattern recognition problem. Addressing these challenges requires technologies, tools, and methods that revisit how we look at network data and how we let much broader groups of users interact with that data intuitively in "cyber time." Our goal is to allow any user, technical or otherwise, to interact with their network and network data just as they interact with the physical world. To achieve this, we combined streaming analytics with an immersive, intuitive user interface that shows continuous real-time network data, allowing broad groups of personnel to do real-time anomaly discovery. Humans can "walk through" a network and its traffic to see "real" patterns in the network. By taking advantage of the human brain's fundamental strength at sparse pattern recognition, we go beyond analytics and intrusion detection systems and let the human be the final analytics engine. This opens the way to gamification of network operations, including concepts such as the crowdsourcing of network defense.

Our approach uses four open-source components: i) an ingestion layer built on a custom, pluggable Python library; ii) a platform consisting of a data streaming layer (Apache Storm) for data processing and application layers that host parallel streaming analytics (Trident-ML); iii) a construct that creates a visual language of networking and supports interfacing between the platform and other services, such as the user interface; and iv) a streaming virtual world that provides users with an immersive, intuitive user experience. We will discuss and demonstrate our project on network service usage patterns in the context of network topology and user roles (e.g., is this user accessing applications and services in a pattern and manner consistent with their role in the organization?).

We will present and demonstrate the following: 1) A conceptual overview of our approach: machine learning, streaming analytics, augmented reality, the idea of crowdsourcing innovative solutions to network defense problems, and why this concept has the potential to radically alter how we look at networks. 2) A review of our system architecture, the tools used, our methods for developing the system, and references to code repositories and resources (so you can build your own!). We will explain how network data flows in real time through the streaming analytics (Storm), gets scored by pattern mining algorithms (Trident-ML), flows through the construct, and gets rendered in the 3D immersive environment via the visual language. 3) An online demonstration of the platform, showing how users can interact directly with network data and concepts in an immersive environment to identify anomalous behavior. We would also like to make system access available to conference attendees throughout the conference.
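As an added illustration of the role-consistency scoring the abstract describes (this is not the project's code; the users, roles, services and event records are constructed), the following builds a per-role baseline of service usage and assigns each new access a smoothed surprise score, flagging accesses that are unusual for the user's role, including services never seen in the baseline:

```python
from collections import Counter, defaultdict
from math import log

# Constructed baseline records (user, role, service), standing in for the
# flow/auth events an ingestion layer would stream into the analytics tier.
TRAINING = (
    [("alice", "finance", "erp")] * 4 + [("bob", "finance", "erp")] * 2
    + [("alice", "finance", "mail")] * 3 + [("bob", "finance", "fileshare")]
    + [("carol", "engineering", "git")] * 5 + [("dave", "engineering", "ci")] * 3
    + [("carol", "engineering", "mail")] * 2
)


def build_role_profiles(records):
    """Count how often each role touches each service in the baseline window."""
    profiles = defaultdict(Counter)
    for _user, role, service in records:
        profiles[role][service] += 1
    services = {s for counts in profiles.values() for s in counts}
    return dict(profiles), services


def surprise(profiles, services, role, service, alpha=1.0):
    """-log P(service | role) with additive smoothing. One extra smoothing slot
    stands in for any service absent from the baseline, so an unseen service
    (or an unseen role) still yields a finite score instead of log(0)."""
    counts = profiles.get(role, Counter())
    total = sum(counts.values()) + alpha * (len(services) + 1)
    return -log((counts[service] + alpha) / total)


def flag_anomalies(profiles, services, events, threshold):
    """Score a stream of (user, role, service) events; keep those over threshold."""
    flagged = []
    for user, role, service in events:
        score = surprise(profiles, services, role, service)
        if score > threshold:
            flagged.append((user, role, service, round(score, 2)))
    return flagged


PROFILES, SERVICES = build_role_profiles(TRAINING)

# Constructed live events: a finance user reaching a developer service, and an
# engineer touching a service no role used in the baseline.
EVENTS = [
    ("alice", "finance", "erp"),
    ("alice", "finance", "git"),
    ("carol", "engineering", "git"),
    ("carol", "engineering", "db-admin"),
]

if __name__ == "__main__":
    for hit in flag_anomalies(PROFILES, SERVICES, EVENTS, threshold=2.0):
        print("access inconsistent with role:", hit)
```

The threshold is a tuning knob: in a streaming deployment it would be set per role from the score distribution of the baseline window rather than fixed at 2.0.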


Presenters:

  • Rob Weiss
    Rob Weiss is a senior systems engineer with over 24 years of experience in government and commercial markets. He started with Legos and is now a tool builder and problem solver. He currently runs the Altamira Red Team and performs information security research, looking for hard problems to solve.
  • John Eberhardt
    John Eberhardt is a Data Scientist with 20 years of quantitative problem solving and a penchant for trying to decipher symbolism in obscure 16th century literature. John has experience in analytical problem solving in healthcare, life sciences, security, financial services, consumer products, and transportation.
