Primitive Cyber Situation Graph

Here is an example of a simple and relatively primitive cyberspace situation graph (Bass, Tim, Cyberspace Situation Graphs – A Brief Overview, presentation, September 2016, DOI: 10.13140/RG.2.2.16014.56643/9). This kind of graph is still in its infancy. However, it is worth pointing out that even in this very primitive example, visualizing the graph gives us some basic situational knowledge.

First, we can see that the web service of interest, located at the base node of this graph, is not busy. We can also quickly see that of the little web server traffic in the current graph, the users are only from the US and Germany.

Second, we can easily see SSH activity on the server of interest: one successful login from Thailand (a known system administrator) and one unauthorized login attempt from China. If the unauthorized login attempt from China had been successful, we would see another node on the graph, connected to the SSH node, representing the “user entity” that has logged in.

Granted, this is not a lot of situational information (yet! but I’m working on it!). However, it is a good start at using graphs to fuse together information from distributed software sensors and to build and update the graph with each key cyber event. If we wanted to give this process a name, we could call it “event-driven graph building” or “graph-driven situation analysis”, or something like that (see the Google search notes below).

When we look at how these graphs change over time, we easily gain more situational knowledge. In this case, I noticed that entities from China are constantly making SSH login attempts on this particular server. I don’t know why and can only guess. Since the purpose of this post is not to answer that question, I’ll put this interesting tidbit aside for now.

The more I work with cyber situation graphs, the more I start to “enrich the objects”, which in this case means fusing more data and situational information (mining for golden situational nuggets) from other software sensors into the nodes and edges of the graph. This is consistent with the JDL model for multi-sensor data fusion applied to cyberspace (Bass, Tim, Intrusion Detection Systems and Multisensor Data Fusion, Communications of the ACM 43(4):99–105, April 2000, DOI: 10.1145/332051.332079).
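As an added illustration (not the author's code, and not taken from the presentation cited above), the following Python sketch builds a small situation graph of the kind described, one event at a time, from a few constructed web and SSH sensor lines in a hypothetical log format. The GeoIP prefix table, the known-administrator list, the host name web01 and the log format are all assumptions made for the example. It shows the base node, the service nodes hanging off it, remote hosts enriched with a country from a second "sensor", the user entity node that is created only when an SSH login actually succeeds, and the persistent-failure view that comes from watching the graph change over time.

```python
import re
from datetime import datetime

# Constructed GeoIP-style table (an assumption standing in for a geolocation sensor).
GEO = {"203.0.113.": "US", "198.51.100.": "DE", "192.0.2.": "TH", "100.64.0.": "CN"}
KNOWN_ADMINS = {"tbass"}  # constructed stand-in for an identity feed

# Constructed sensor output in a simplified, hypothetical log format.
SAMPLE_LOG = """\
2016-09-12T10:00:01 httpd: 203.0.113.7 GET /index.html 200
2016-09-12T10:00:09 httpd: 198.51.100.23 GET /about.html 200
2016-09-12T10:00:15 sshd: Accepted password for tbass from 192.0.2.10
2016-09-12T10:01:02 sshd: Failed password for root from 100.64.0.5
2016-09-12T10:07:44 sshd: Failed password for root from 100.64.0.5
2016-09-12T10:13:51 sshd: Failed password for admin from 100.64.0.5
"""
SSH_RE = re.compile(r"^(\S+) sshd: (Accepted|Failed) password for (\S+) from (\S+)$")
WEB_RE = re.compile(r"^(\S+) httpd: (\S+) (?:GET|POST) (\S+) (\d{3})$")


def geo_lookup(ip):
    """Enrich a source address with a country code from the constructed table."""
    return next((cc for prefix, cc in GEO.items() if ip.startswith(prefix)), "unknown")


def parse(line):
    """Normalise one sensor line into an event dict (None if unrecognised)."""
    if m := SSH_RE.match(line):
        ts, outcome, user, ip = m.groups()
        return {"sensor": "ssh", "ts": datetime.fromisoformat(ts), "src_ip": ip,
                "user": user, "outcome": "success" if outcome == "Accepted" else "failed"}
    if m := WEB_RE.match(line):
        ts, ip, path, status = m.groups()
        return {"sensor": "web", "ts": datetime.fromisoformat(ts), "src_ip": ip,
                "path": path, "status": int(status)}
    return None


class SituationGraph:
    """Directed graph of string node ids. Each (src, dst, label) edge keeps a count and
    first/last timestamps, so the graph is updated in place with every event."""

    def __init__(self, base):
        self.base = base                  # the server of interest (base node)
        self.nodes = {base: {"type": "server"}}
        self.edges = {}                   # (src, dst, label) -> {count, first, last}

    def _node(self, key, **attrs):
        self.nodes.setdefault(key, {}).update(attrs)
        return key

    def _edge(self, src, dst, label, ts):
        e = self.edges.setdefault((src, dst, label), {"count": 0, "first": ts, "last": ts})
        e["count"] += 1
        e["first"], e["last"] = min(e["first"], ts), max(e["last"], ts)

    def ingest(self, ev):
        """Event-driven graph building: fold one event into the graph."""
        service = self._node(f"{self.base}:{ev['sensor']}", type="service")
        self._edge(self.base, service, "hosts", ev["ts"])
        host = self._node(ev["src_ip"], type="host", country=geo_lookup(ev["src_ip"]))
        if ev["sensor"] == "web":
            self._edge(host, service, "http_request", ev["ts"])
        elif ev["sensor"] == "ssh":
            self._edge(host, service, "ssh_" + ev["outcome"], ev["ts"])
            if ev["outcome"] == "success":
                # The user entity node exists only once a login has actually succeeded.
                user = self._node(f"user:{ev['user']}", type="user",
                                  known_admin=ev["user"] in KNOWN_ADMINS)
                self._edge(user, service, "logged_in", ev["ts"])
                self._edge(host, user, "session_from", ev["ts"])

    # Situational knowledge read straight off the graph.
    def web_countries(self):
        return sorted({self.nodes[s]["country"] for (s, _, l) in self.edges if l == "http_request"})

    def ssh_activity(self):
        """[(country, outcome, count)] for every SSH edge into the server."""
        return sorted((self.nodes[s]["country"], l[len("ssh_"):], e["count"])
                      for (s, _, l), e in self.edges.items() if l.startswith("ssh_"))

    def logged_in_users(self):
        return sorted(k for k, a in self.nodes.items() if a.get("type") == "user")

    def persistent_failures(self, min_count):
        """Sources whose failed SSH logins keep recurring: (ip, country, count, seconds spanned)."""
        return [(s, self.nodes[s]["country"], e["count"], (e["last"] - e["first"]).total_seconds())
                for (s, _, l), e in self.edges.items()
                if l == "ssh_failed" and e["count"] >= min_count]


def build(log_text, base="web01"):
    """Replay a sensor feed into a fresh graph rooted at the server of interest."""
    g = SituationGraph(base)
    for ev in filter(None, map(parse, log_text.splitlines())):
        g.ingest(ev)
    return g
```

Replaying `SAMPLE_LOG` through `build` yields web traffic from DE and US only, one successful SSH login by a known administrator from TH, and three failed attempts from a single CN address spread over about thirteen minutes. Feeding a further constructed line such as `Accepted password for root from 100.64.0.5` through `parse` and `ingest` afterwards is exactly what adds the extra user entity node the text describes for the case where the unauthorized attempt succeeds.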

Imagine, if you will, that your organization had hundreds of critical nodes in its network and you wanted to create situational knowledge about your particular piece of cyberspace. You would have large graphs in which you could aggregate, cluster and filter cyberspace information as required. At a glance you would have some basic situational knowledge of your “cyber area of interest” (CAOI). Ha! That is another term I have not seen used often, but a Google search reveals that Sandeep Singh used it in a presentation. In addition, the term “cyber area of interest” appears in the proceedings of the 14th European Conference on Cyber Warfare and Security.


A Google search for the term “event-driven graph building”, which I used today for the first time, yields zero fruit.

"event-driven graph building"

An exact Google search for “graph-driven situation analysis”, another of my “new terms for today”, also bears no fruit.


"graph driven situation analysis"

Clearly, representing cyberspace by building graphs from information and data fused from software sensors is “a new frontier”, and an exciting one (well, exciting for me!) as well.