Cyber security and attack analysis : how Cisco uses graph analytics
Published in Software
  • 1. SAS founded in 2013 in Paris | | @linkurious Cyber security and attack analysis: how Cisco uses graph analytics.
  • 2. Introduction. The Linkurious team: Jean Villedieu, Sébastien Heymann, Romain Yon and Pierrick Paul (CEO, CTO, CMO and Software Engineer). Backgrounds include: Gephi founder, PhD in Computer Science and Complex Systems; engineer at Microsoft and Spotify, machine learning at Georgia Tech; CMO with more than 5 years in consulting, MSc in Political Sciences and Competitive Intelligence; engineer at La Belle Assiette, CS at Epitech and Beijing University. Linkurious is a French startup founded in 2013.
  • 3. What is a graph? This is a graph. (Figure: a small family graph with "Father Of" and "Siblings" relationships.)
  • 4. What is a graph: nodes and relationships. A graph is a set of nodes linked by relationships. (Figure: the same family graph, with one node and one relationship labelled.)
  • 5. Some of the domains in which our customers use graphs. Social networks: people, objects, movies, restaurants, music… Suggest new contacts, help discover new music. Communications: antennas, servers, phones, people… Diminish network outages. Supply chains: suppliers, roads, warehouses, products… Diminish transportation cost, optimize delivery. Different domains where graphs are important.
  • 6. The cost of cyber criminality. Cyber crime costs the global economy $445 billion per year. Source :
  • 7. Some of the latest victims. No company is immune from cyber criminality.
  • 8. A data problem. IP logs, network logs, communications logs, web server logs, etc.
  • 9. The IT security data is complex. The challenges of working with complex data. Large: for big organizations, storing years of raw data means a total volume in high TBs or low PBs. Unstructured: the data is coming from different sources, is incomplete and evolves, so it is hard to use a structured data model. Dynamic: the IT systems generate new data constantly.
  • 10. How to make sense of complex data. Can IT security teams answer that challenge?
  • 11. Graphs are perfect to extract insights from complex data. Graphs help make sense of complex data.
  • 12. How to use graph analytics to fight back against a cyber attack? A concrete example. Inspired by a real use case demonstrated by Cisco.
  • 13. In April 2014, a zero-day vulnerability in IE is identified. A zero-day vulnerability. A newly discovered vulnerability in Internet Explorer allows an unauthenticated, remote attacker to execute arbitrary code.
  • 14. The 3 steps of the attack. 1. The vulnerability is known: the vulnerability is known in the security community, and a group of hackers decide to use it before a patch fixes the vulnerability. 2. A phishing attack uses it: a company is immediately targeted by a phishing attack; the hackers send mails to a few people in one company, who are asked to log in to a seemingly innocuous website. 3. Computers are compromised: the identification information is captured by the hackers, and they can use it to penetrate the company IT.
  • 15. A not so innocent mail. The mail sent by the hackers.
  • 16. The domain names used in the attack. The hackers used the domain +, and The domain names used in the attack are identified.
  • 17. Information about one domain. Information about these domains is publicly available.
  • 18. Modelling information as a graph. That data can be modeled as a graph.
  • 19. The graph model reveals the connections in the data. This helps streamline the identification of connections. Domain A is connected to Domain C through a Name Server or a MX Record, Domain B and Host B.
  • 20. Can we prevent more attacks? How to use the information.
  • 21. The traditional approach. The 7 sins of looking for connections with tabular tools.
  • 22. Combining graph analysis and graph visualization. Graph analytics? It helps to analyse large datasets to find interesting data. Graph visualization? It helps humans interpret the data and make smart decisions. Combine automatic analysis and human interpretation.
  • 23. Step 1 : graph analysis. A query to get all the domains connected to the attackers:
    MATCH (baddomain:Domain_name)-[r*2]-(suspiciousdomains:Domain_name) WHERE baddomain.reputation = 'Very negative reputation' RETURN DISTINCT suspiciousdomains
    This query is written in Cypher, the Neo4j query language. It returns 25 results.
  • 24. Step 2 : graph visualization. First, we identify the attackers. (Figure legend: the initial domain names identified as rogue; a public registrar; good domains.)
  • 25. Step 2 : graph visualization. Then we identify the domains they are connected to. In pink are previously unknown domains connected to the known attackers.
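The following is an added example, not code from the Linkurious deck or from Cisco: a small in-memory graph built on the model of slide 19 (domains linked through shared name servers, MX records and hosts), with a Python function that performs the same 2-hop pivot as the Cypher query on slide 23. All domain, server and host names are constructed, and the relationship types in the comments are assumptions.

```python
# Added example (not from the Linkurious deck or Cisco). Nodes carry a
# label mirroring the slides' model: Domain_name, NameServer, MXRecord, Host.
# All names below are constructed sample data.
from collections import defaultdict

NODES = {
    "bad-login.example":   ("Domain_name", {"reputation": "Very negative reputation"}),
    "bad-update.example":  ("Domain_name", {"reputation": "Very negative reputation"}),
    "pivot-a.example":     ("Domain_name", {"reputation": "Unknown"}),
    "pivot-b.example":     ("Domain_name", {"reputation": "Unknown"}),
    "far-away.example":    ("Domain_name", {"reputation": "Unknown"}),
    "ns1.shared.example":  ("NameServer", {}),
    "mx.shared.example":   ("MXRecord", {}),
    "host-b":              ("Host", {}),
}

# Relationships are undirected here, matching the Cypher pattern -[r*2]-,
# which has no arrow. Relationship types are assumed names.
EDGES = [
    ("bad-login.example",  "ns1.shared.example"),  # HAS_NAME_SERVER
    ("pivot-a.example",    "ns1.shared.example"),  # HAS_NAME_SERVER
    ("bad-update.example", "mx.shared.example"),   # HAS_MX
    ("pivot-b.example",    "mx.shared.example"),   # HAS_MX
    ("pivot-b.example",    "host-b"),              # RESOLVES_TO
    ("far-away.example",   "host-b"),              # RESOLVES_TO (4 hops from bad-update)
]

ADJ = defaultdict(set)
for a, b in EDGES:
    ADJ[a].add(b)
    ADJ[b].add(a)

def suspicious_domains(nodes=NODES, adj=ADJ, hops=2):
    """Domains reached from a 'Very negative reputation' domain in exactly
    `hops` undirected steps (revisits allowed), excluding the bad domains
    themselves. Returns {suspicious_domain: {bad domains it pivots from}}."""
    bad = {n for n, (label, props) in nodes.items()
           if label == "Domain_name"
           and props.get("reputation") == "Very negative reputation"}
    found = {}
    for start in bad:
        frontier = {start}
        for _ in range(hops):                      # expand one hop at a time
            frontier = {nxt for cur in frontier for nxt in adj[cur]}
        for n in frontier:
            if nodes[n][0] == "Domain_name" and n not in bad:
                found.setdefault(n, set()).add(start)
    return found

if __name__ == "__main__":
    for domain, sources in sorted(suspicious_domains().items()):
        print(f"{domain} shares infrastructure with {sorted(sources)}")
```

With exactly two hops the pivot reaches only domains sharing a name server or MX record with a bad domain; raising `hops` widens the search, as the Cypher `*2` bound would, at the cost of pulling in more benign shared infrastructure.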
  • 26. Cyber security at Cisco. Cisco uses graphs to prevent cyber attacks. Cisco maintains a list of the compromised domains and IP addresses. Through its data collection program, Cisco has good information on 25 to 30 million Internet domains. Graph analytics enable Cisco to use data collected via its customers to keep this list up to date. The information is then used to block known malicious domains and thwart cyber attacks. Behind the scenes. Cisco’s Global Security Intelligence Operations (SIO) group operates a 60-node, 1,000-core Hadoop cluster. Every day it receives about 20 TB of new raw log data. To store and analyse the data, Cisco uses a few graph technologies like GraphLab (a machine learning solution specialized in graph data), Titan (an open-source graph database) and Faunus (an open-source graph analytics engine).
  • 27. You can do it too! Try Linkurious.
  • 28. Conclusion. Contact us to discuss your projects at
  • 29. Additional resources. GraphGist : Blog post on attack analysis : Sample dataset : Original Cisco article : graph/