Cyber Security through Multidimensional Data Decompositions

2016 
Traditional machine learning approaches are plagued with problems for practical use in operational cyber security. The class of unsupervised learning algorithms called tensor decompositions provides a new approach for analyzing network traffic data that avoids these traditional problems. Tensors are a natural representation for multidimensional data as an array with arbitrary dimensions. Tensor decompositions factor the data into components, each of which represents a different pattern of activity from within the original data. We use ENSIGN, a tensor decomposition toolbox developed by Reservoir Labs, in the security operations center for the SCinet network at SC15 - The International Conference for High Performance Computing, Networking, Storage and Analysis. ENSIGN integrates naturally into an operational cyber security framework by extracting anomalous patterns of network traffic. In this paper, we present two case studies highlighting specific actionable results: one, discovering an external attacker and tracing the evolution of the attack over time, and the other, extracting an example of data exfiltration that the actor disguised as DNS activity and cleanly separating it from normal DNS activity. Through proof-of-concept experiments at SC15, we successfully demonstrate concrete and practical use of ENSIGN and make a critical step forward towards delivering an integrated tensor analysis engine for network security.
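To make the DNS case in the abstract concrete, the following is an added example (not from the paper and not ENSIGN code) that builds a small client x domain x hour tensor from constructed DNS query counts and runs a rank-2 CP decomposition written from scratch with numpy; one component captures baseline resolution activity while the other isolates a burst of queries from one host to one domain. Client addresses, domain names, counts and the hourly binning are all constructed for illustration.

```python
import numpy as np

# Constructed sample: four clients, three ordinary domains plus one suspicious
# one, six hourly bins. None of these values come from the paper.
CLIENTS = ["10.0.0.11", "10.0.0.12", "10.0.0.13", "10.0.0.14"]
DOMAINS = ["cdn.example", "mail.example", "upd.example", "x7k2.exfil.example"]
HOURS = 6

def build_tensor():
    """Client x domain x hour query counts: steady baseline plus one burst."""
    rng = np.random.default_rng(0)
    X = np.zeros((len(CLIENTS), len(DOMAINS), HOURS))
    X[:, :3, :] = rng.integers(5, 12, size=(len(CLIENTS), 3, HOURS))  # baseline
    X[2, 3, 2:4] = [400, 350]  # one host hammers one domain in hours 2-3 only
    return X

def khatri_rao(A, B):
    """Column-wise Kronecker product, the standard CP-ALS building block."""
    return np.einsum("ir,jr->ijr", A, B).reshape(-1, A.shape[1])

def unfold(X, mode):
    """Mode-n matricization: rows indexed by `mode`, other modes flattened."""
    return np.moveaxis(X, mode, 0).reshape(X.shape[mode], -1)

def cp_als(X, rank, iters=100, seed=1):
    """Alternating least squares for the CP model X ~ sum_r a_r o b_r o c_r."""
    rng = np.random.default_rng(seed)
    factors = [rng.random((n, rank)) for n in X.shape]
    for _ in range(iters):
        for mode in range(3):
            others = [f for m, f in enumerate(factors) if m != mode]
            kr = khatri_rao(others[0], others[1])  # shape (n_j * n_k, rank)
            # X_(mode) ~ F kr^T, so solve kr F^T ~ X_(mode)^T for F.
            factors[mode] = np.linalg.lstsq(kr, unfold(X, mode).T, rcond=None)[0].T
    return factors

def component_signatures(factors):
    """Per component: the client, domain and hour carrying the largest loading."""
    A, B, C = factors
    return [(CLIENTS[int(np.argmax(np.abs(A[:, r])))],
             DOMAINS[int(np.argmax(np.abs(B[:, r])))],
             int(np.argmax(np.abs(C[:, r])))) for r in range(A.shape[1])]

def exfil_signature():
    """(client, domain, hour) of the component that isolates the burst, or None."""
    for sig in component_signatures(cp_als(build_tensor(), rank=2)):
        if sig[1] == DOMAINS[3]:
            return sig
    return None
```

With real flow or DNS logs the same pipeline applies: bin records into a count tensor, decompose, then read each component's dominant client, domain and time entries as an analyst-facing signature.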