Investigating logs is getting more important as more of our lives get recorded, and graph techniques promise to help us reveal the connections in our data. However, scale challenges forensics in many enterprise and federal settings. By focusing on the fundamentals: the pure math, GPU-accelerated implementation, and the experts performing the process, we can go quite far.
Demos span security, fraud, and crime, and cover concepts such as UMAP/k-NN/DL, hypergraphs, and low-code investigation automation via visual graph-based record & replay.
Scaling graph investigations with Math, GPUs, & Experts
1. G R A P H I S T R Y info@graphistry.com
Scaling Visual Graph Investigations with Math, GPUs, and Experts
GraphThePlanet, San Francisco, 2020
Leo Meyerovich, CEO
@LMeyerov
2.
100X Investigations: graph, viz, GPUs, workflow acceleration
Tech: security, anti-fraud, networking, …
Users: analysts, devs, & researchers
3.
Graph the planet by solving logs
• 1K – 1M devices
• 1K – 1B users
• All logged: Payments, logins, clicks, ...
• Super rich metadata: IP, time, …
• Stored in many independent DBs/APIs
GRAPH
• Scope
• History & root cause
• Impact
• Patterns & outliers
• …
4.
Three scaling advances for graph-aware investigations
Math
Hypergraphs, virtual graphs,
& ML-driven linking
Compute
GPUs for everyone!
Experts
Collaborative low-code automation
5.
Unify all data by modeling logs as graphs
IP=10.16.0.8; msg=Malware.Object;
time=2 Nov 2017 19:32:00 UTC;
vendor=FireEye; Product=Web MPS NX
6.
Modeling 1/5: Map all logs as hypergraphs
Fetch logs (ex: API result) -> pick entity columns for nodes; entities are linked when they appear in the same event.
Simple UI: column picker for any Splunk, Neo4j, etc. query result.
[Figure: each event node links to its entity nodes; an IP seen in 2 events connects both event nodes.]
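The hypergraph mapping above, as an added illustration that is not Graphistry's own `hypergraph()` implementation: pure Python over a constructed three-event sample shaped like the FireEye alert on the previous slide. The column names, event ids and the `direct` option are assumptions made for this example.

```python
from collections import defaultdict

# Constructed sample rows (one FireEye malware alert plus two login events);
# not real data. Each row is one "event" as a log search would return it.
SAMPLE_EVENTS = [
    {"id": "ev1", "time": "2017-11-02T19:32:00Z", "ip": "10.16.0.8",
     "user": "alice", "msg": "Malware.Object", "vendor": "FireEye"},
    {"id": "ev2", "time": "2017-11-02T19:40:00Z", "ip": "10.16.0.8",
     "user": "bob", "msg": "Login.Success", "vendor": "Okta"},
    {"id": "ev3", "time": "2017-11-02T20:01:00Z", "ip": "10.16.0.9",
     "user": "bob", "msg": "Malware.Object", "vendor": "FireEye"},
]


def hypergraph(events, entity_cols, event_id="id", direct=False):
    """Turn flat log rows into a graph.

    Default (hypergraph) mode: one node per event row, one node per
    distinct (column, value), and an edge event -> entity for every
    entity cell. Two entities from the same event are two hops apart,
    through the event node, which keeps the whole row (time, vendor, ...)
    so every link stays explainable.

    direct=True links the entities of each event to each other pairwise
    and drops the event node (denser, but the row is no longer on the graph).

    Entity ids are (column, value) tuples so that a username that merely
    looks like an IP does not silently merge with a real IP node; collapse
    columns deliberately when you do want that.
    """
    nodes, edges = {}, []
    for ev in events:
        eid = ("event", str(ev[event_id]))
        if not direct:
            nodes[eid] = {"type": "event", **ev}
        members = []
        for col in entity_cols:
            val = ev.get(col)
            if val in (None, ""):
                continue  # missing cells make no node; dirty data is normal
            nid = (col, str(val))
            nodes.setdefault(nid, {"type": col, "value": str(val)})
            members.append(nid)
            if not direct:
                edges.append((eid, nid, {"col": col}))
        if direct:
            for i in range(len(members)):
                for j in range(i + 1, len(members)):
                    edges.append((members[i], members[j], {"event": eid[1]}))
    return nodes, edges


def degree(edges):
    """Undirected degree per node; an entity with degree > 1 was seen in
    more than one event (the 'IP in 2 events' case on the slide)."""
    d = defaultdict(int)
    for s, t, _ in edges:
        d[s] += 1
        d[t] += 1
    return dict(d)


if __name__ == "__main__":
    nodes, edges = hypergraph(SAMPLE_EVENTS, ["ip", "user", "msg"])
    shared = [n for n, k in degree(edges).items() if n[0] != "event" and k > 1]
    print(f"{len(nodes)} nodes, {len(edges)} edges; entities in >1 event: {shared}")
```

Keeping the event node (the default) is what makes the result a hypergraph rather than a clique per event: a single malware alert with five entity columns produces five edges, not ten, and the alert's own metadata stays queryable once everything is merged.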
7.
Modeling 2/5: Look across all DBs/APIs with virtual graph queries
[Figure: 10.0.0.1 -> Alert -> 10.0.0.2 from the Alerts DB (Splunk); 10.0.0.2 -> User2 from the Accounts DB (SQL); User2 -> Account Takeover ticket (ZenDesk), shown with the LM LMeyer avatar.]
8.
Modeling 2/5: Look across all DBs/APIs with virtual graph queries
[Figure: the same graph, annotated with the connector call that materializes each hop: search_splunk(x) for the Alerts DB (Splunk), search_sql(x) for the Accounts DB (SQL), and the Account Takeover lookup (ZenDesk).]
Materialize on-demand: no actual graph DB!
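On-demand materialization as an added example, not Graphistry's connector code: the three `search_*` functions are stand-ins for the Splunk, SQL and ZenDesk lookups on the slide and scan small constructed lists, and `expand` is a hypothetical breadth-first pivot that records which query produced each edge and caps fan-out per lookup.

```python
from collections import deque

# Constructed stand-ins for the three independent backends on the slide
# (Alerts DB in Splunk, Accounts DB in SQL, Account Takeover tickets in
# ZenDesk). In production each search_* function would run a real query;
# here they scan in-memory lists so the example runs offline.
SPLUNK_ALERTS = [
    {"src": "10.0.0.1", "dst": "10.0.0.2", "alert": "Alert"},
]
SQL_ACCOUNTS = [
    {"ip": "10.0.0.2", "user": "User2"},
    {"ip": "10.0.0.2", "user": "User7"},
]
ZENDESK_TICKETS = [
    {"user": "User2", "ticket": "ZD-1", "subject": "Account Takeover"},
]


def search_splunk(x):
    """src -> dst alert edges touching entity x. Every edge carries the
    query that produced it, so an analyst can jump from the edge back to
    the original tool instead of trusting the graph blindly."""
    return [
        (a["src"], a["dst"],
         {"source": "splunk", "alert": a["alert"],
          "query": f'index=alerts "{x}"'})
        for a in SPLUNK_ALERTS if x in (a["src"], a["dst"])
    ]


def search_sql(x):
    """ip -> user edges from the accounts table. The recorded query is
    parameterized: entity values come from logs and must never be
    spliced into SQL text."""
    return [
        (r["ip"], r["user"],
         {"source": "sql",
          "query": ("SELECT ip, user FROM accounts WHERE ip = ? OR user = ?",
                    (x, x))})
        for r in SQL_ACCOUNTS if x in (r["ip"], r["user"])
    ]


def search_zendesk(x):
    """user -> ticket edges for tickets filed against user x."""
    return [
        (t["user"], t["ticket"],
         {"source": "zendesk", "subject": t["subject"],
          "query": {"requester": x}})
        for t in ZENDESK_TICKETS if x == t["user"]
    ]


def expand(seeds, connectors, hops=2, max_fanout=50):
    """Breadth-first virtual-graph expansion.

    Starting from seed entities, ask every connector about each frontier
    node and add whatever comes back. Only touched rows are ever
    materialized: there is no graph database, the "graph" is just the set
    of edges these calls returned. max_fanout caps the neighbours taken
    from any single lookup, because hub entities (a proxy IP, a shared
    service account) otherwise pull an entire backend into the case.
    """
    seen = set(seeds)
    frontier = deque((s, 0) for s in seeds)
    edges, keys = [], set()
    while frontier:
        node, depth = frontier.popleft()
        if depth >= hops:
            continue
        for connector in connectors:
            for s, t, meta in connector(node)[:max_fanout]:
                key = (s, t, meta["source"])
                if key in keys:
                    continue  # same row reached from its other endpoint
                keys.add(key)
                edges.append((s, t, meta))
                for n in (s, t):
                    if n not in seen:
                        seen.add(n)
                        frontier.append((n, depth + 1))
    return edges


def nodes_of(edges):
    return {n for s, t, _ in edges for n in (s, t)}


if __name__ == "__main__":
    for s, t, meta in expand(["10.0.0.1"], [search_splunk, search_sql, search_zendesk], hops=3):
        print(f"{s} -> {t}  via {meta['source']}: {meta['query']}")
```

With `hops=2` the pivot stops at the account records; it takes a third hop from the seed IP to reach the Account Takeover ticket, which is exactly the "how far did we look" question a scoped investigation needs to answer explicitly.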
9.
Modeling 3/5: Queries are nasty, generate them with UI + automation!
• Checks more data sources
• Tracks more clues
• In less time
[Figure: generated query for 1 Splunk pivot call]
10.
Modeling 4/5: Graph algorithms to highlight events & entities
[Figure, left: Twitter-based mass phishing scam. Auto-clusters into 4 different behavioral groups; pumped accounts & messages have high degree and high centrality.]
[Figure, right: Alerts across the IT perimeter. User clusters inside the company; smart layout splits out perimeter crossings.]
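Degree, PageRank and component splitting over such an entity graph, as an added pure-Python example (not cuGraph or Graphistry code). The edge list is constructed to mimic the pumped-account pattern on the slide: five bot accounts all mention one account, which replies to one of them, plus an unrelated pair of ordinary users. This is the same computation the cuGraph PageRank slide later in the deck runs on GPUs at hundreds of millions of vertices.

```python
from collections import defaultdict

# Constructed "mention" edges (u -> v means account u mentions account v).
EDGES = [
    ("b1", "pump_acct"), ("b2", "pump_acct"), ("b3", "pump_acct"),
    ("b4", "pump_acct"), ("b5", "pump_acct"), ("pump_acct", "b1"),
    ("alice", "bob"), ("bob", "alice"),
]


def degree(edges):
    """In + out degree per node; broadcast and hub accounts stand out."""
    d = defaultdict(int)
    for s, t in edges:
        d[s] += 1
        d[t] += 1
    return dict(d)


def pagerank(edges, damping=0.85, tol=1e-9, max_iter=200):
    """Power-iteration PageRank on a directed edge list.

    Dangling nodes (no out-edges) spread their score uniformly so the
    vector keeps summing to 1; iteration stops once the L1 change per
    round drops below tol.
    """
    nodes = {n for e in edges for n in e}
    out = defaultdict(list)
    for s, t in edges:
        out[s].append(t)
    n = len(nodes)
    pr = {v: 1.0 / n for v in nodes}
    for _ in range(max_iter):
        dangling = sum(pr[v] for v in nodes if not out[v])
        nxt = {v: (1 - damping) / n + damping * dangling / n for v in nodes}
        for s in nodes:
            share = damping * pr[s] / len(out[s]) if out[s] else 0.0
            for t in out[s]:
                nxt[t] += share
        delta = sum(abs(nxt[v] - pr[v]) for v in nodes)
        pr = nxt
        if delta < tol:
            break
    return pr


def components(edges):
    """Weakly connected components: a cheap first cut at splitting an
    alert graph into separate groups before any finer clustering."""
    adj = defaultdict(set)
    for s, t in edges:
        adj[s].add(t)
        adj[t].add(s)
    seen, comps = set(), []
    for start in adj:
        if start in seen:
            continue
        stack, comp = [start], set()
        while stack:
            v = stack.pop()
            if v in comp:
                continue
            comp.add(v)
            stack.extend(adj[v] - comp)
        seen |= comp
        comps.append(comp)
    return comps


def top(scores, k=3):
    """Highest-scoring nodes first: the entities to look at."""
    return sorted(scores.items(), key=lambda kv: -kv[1])[:k]


if __name__ == "__main__":
    pr = pagerank(EDGES)
    print("top by PageRank:", top(pr))
    print("top by degree:", top(degree(EDGES)))
    print("groups:", components(EDGES))
```

Degree alone already flags the pumped account (six edges against one or two for everyone else); PageRank adds that the one bot the pumped account replies to inherits a large share of its score, which is the kind of second-order "who is close to the hub" signal that a plain count misses.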
11.
UMAP: ML works on dates, $ amounts, counts, … precisely the fields that graph modeling cannot link on…
(UMAP by @leland_mcinnes)
12.
Modeling 5/5: … use ML to infer neighbors & add them!
Tensorflow + UMAP
White: link by k-NN on the model
Blue: link entities as usual
Regular graph analytics on the merged graph
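The k-NN linking step as an added example, not the deck's Tensorflow + UMAP pipeline: a plain z-score plus Euclidean nearest-neighbour stand-in over constructed transaction records, merged with the usual entity edges and tagged by origin so the analyst can tell which kind of edge made each link. `RECORDS`, `FEATURES` and `ENTITIES` are assumptions for this example.

```python
import math

# Constructed transaction records: two entity fields the graph can link on
# (user, ip) and three numeric fields it cannot (amount, hour, txn_count).
# r1, r2 and r5 behave alike but share no entity; r1 and r3 share an IP.
RECORDS = [
    {"id": "r1", "user": "alice", "ip": "10.0.0.1", "amount": 5000, "hour": 3,  "txn_count": 40},
    {"id": "r2", "user": "bob",   "ip": "10.0.0.2", "amount": 5100, "hour": 3,  "txn_count": 42},
    {"id": "r3", "user": "carol", "ip": "10.0.0.1", "amount": 20,   "hour": 13, "txn_count": 1},
    {"id": "r4", "user": "dave",  "ip": "10.0.0.3", "amount": 25,   "hour": 14, "txn_count": 2},
    {"id": "r5", "user": "erin",  "ip": "10.0.0.4", "amount": 4900, "hour": 4,  "txn_count": 39},
]
FEATURES = ["amount", "hour", "txn_count"]
ENTITIES = ["user", "ip"]


def zscore(records, features):
    """Standardize each numeric column (population std) so a dollar
    amount in the thousands does not drown an hour-of-day in 0..23."""
    cols = {f: [float(r[f]) for r in records] for f in features}
    stats = {}
    for f, xs in cols.items():
        mean = sum(xs) / len(xs)
        std = math.sqrt(sum((x - mean) ** 2 for x in xs) / len(xs)) or 1.0
        stats[f] = (mean, std)
    return [[(float(r[f]) - stats[f][0]) / stats[f][1] for f in features]
            for r in records]


def knn_edges(records, features, k=1):
    """Undirected (id_a, id_b) pairs linking each record to its k nearest
    neighbours in feature space: the 'white' edges on the slide."""
    vecs = zscore(records, features)
    ids = [r["id"] for r in records]
    edges = set()
    for i, v in enumerate(vecs):
        nearest = sorted((math.dist(v, w), j) for j, w in enumerate(vecs) if j != i)
        for _, j in nearest[:k]:
            edges.add(tuple(sorted((ids[i], ids[j]))))
    return edges


def entity_edges(records, entity_cols):
    """Undirected pairs of records sharing an entity value: the usual
    'blue' linking."""
    by_val = {}
    for r in records:
        for col in entity_cols:
            by_val.setdefault((col, r[col]), []).append(r["id"])
    edges = set()
    for members in by_val.values():
        for i in range(len(members)):
            for j in range(i + 1, len(members)):
                edges.add(tuple(sorted((members[i], members[j]))))
    return edges


def merged_degree(records, features, entity_cols, k=1):
    """Degree on the union graph, with each edge tagged knn / entity / both
    so that downstream analytics can still explain why two rows touch."""
    tagged = {e: "knn" for e in knn_edges(records, features, k)}
    for e in entity_edges(records, entity_cols):
        tagged[e] = "both" if e in tagged else "entity"
    deg = {r["id"]: 0 for r in records}
    for a, b in tagged:
        deg[a] += 1
        deg[b] += 1
    return tagged, deg


if __name__ == "__main__":
    tagged, deg = merged_degree(RECORDS, FEATURES, ENTITIES)
    for edge, kind in sorted(tagged.items()):
        print(edge, kind)
    print("degree:", deg)
```

On this sample the entity pass finds only r1-r3 (shared IP), while the k-NN pass joins r1, r2 and r5, three high-value night-time bursts from unrelated users; the merged graph is what lets "regular graph analytics" see them as one cluster.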
13.
Three scaling advances for graph-aware investigations
Math
Hypergraphs, virtual graphs,
& ML-driven linking
Compute
GPUs for everyone!
Experts
Collaborative low-code automation
14.
Scaling viz helps reveal correlations + work through dirty data
15.
Client/Cloud CPU: Moore’s law is dead
Client/Cloud GPU: Steady perf doublings & price drops 🤩
Flipping from “Graphistry is weird sci-fi” to “best & most affordable solution”
16.
GPU Democratization 1/2
2014: Graphistry NSF SBIR on GPU dataframes
2016/2017: Apache Arrow + Nvidia, BlazingSQL, …
2018/2019: RAPIDS with Databricks, Ursa, …; shared data format, GPU docker, …
Graphistry: first RAPIDS-native viz stack: it's ready!
GPU client <> GPU server: any browser!
17.
GPU Democratization 2/2
Graphistry Cloud: get an account and go!
• Open graph data network: free!
• Developer embedding API
• Data scientist notebook API
• (AWS price drop: 5X!)
Rest of 2020: explore more things & more easily!
18.
Three scaling advances for graph-aware investigations
Math
Hypergraphs, virtual graphs,
& ML-inferred edges
Compute
GPUs for everyone!
Experts
Collaborative low-code automation
19.
Putting the Team into Blue Team: Collaboration tech
Share configs
• Data schemas generated and shared across the community: "AWS logs settings"
Automate without the Python & Docker
• Enable regular analysts to automate their investigations via record & replay
• ... => build up a team arsenal to cover all data types and all investigation types
Integrate with other investigation tools
• Embed viz into other apps
• Launch investigation templates from them (ex: User 360)
• Jump from event/entity to the original tool / query (ex: Splunk)
Explore
20.
Graphistry Cloud:
Get an account and go!
• Open graph data network:
free!
• Developer embedding API
• Data scientist notebook API
Thanks!
info@graphistry.com
21.
backup
22.
Management perspective: 80/20 rule for covering functional KPIs
80% of DATA
endpoint logs & alerts
user logs & alerts
server logs & alerts
network logs & alerts
service logs & alerts
ticket APIs
…
80% of INCIDENTS
malware
phishing
cloud tenant breach
app server takeover
device theft
offboarding
…
80% of TASKS
high-fidelity quick check
investigative deep dive
mitigation/containment/report
table top training
automation
...
Overdue to make investigation structured & predictable!
• Incident SLA
• Investigation depth (burnout!)
• Satellite team methodology
• …
23.
Collective automation:
Record-and-replay
investigation templates!
2. Auto-expand virtual graph
26.
RAPIDS UMAP layout
Tensorflow categorization
Graphistry visual analytics
Splunk data lake
regular review
potential illicit activity
potential trafficking
41K Reviews => 400 flagged
27.
Graph: Top 5 most suspicious co’s,
their records, and hits on their metadata
Explainable & key entities *pop*
Graph for correlating entities across events
28.
Correlated macro view better than disconnected alerts & tickets!
DEMO: 1w of FireEye HX over 546 IPs & 22 users
29.
Quickly popping insights
• Color by time, data source
• Expand 2 hops
• Expand by community
• Color by rank, betweenness, …
• Visual data cleaning
• Model tuning
30.
100X Compute:
GPUs for everyone
What if we could easily compute over full datasets in subsecond?
31.
Hunting:
Finally possible to do 1M+ events/entities w/ web UIs!
Ex: Bro/Zeek
(secrepo.com)
32.
Faster Speeds, Real-World Benefits
[Chart: time in seconds (shorter is better) for cuIO/cuDF load and data preparation, data conversion, and cuML XGBoost, CPU cluster vs. DGX cluster. End-to-end bar values as extracted: 8762, 6148, 3925, 3221, 322, 213.]
Benchmark: 200GB CSV dataset; data prep includes joins and variable transformations.
CPU cluster configuration: CPU nodes (61 GiB memory, 8 vCPUs, 64-bit platform), Apache Spark.
DGX cluster configuration: 5x DGX-1 on an InfiniBand network.
my_gdf.groupby(['src_ip', 'dest_ip'])['time'].plot()
33.
cuGraph
Multi-GPU PageRank Performance (PageRank portion of the HiBench benchmark suite)
HiBench scale   Vertices       Edges            CSV file (GB)   # of GPUs   PageRank, 3 iterations (secs)
Huge            5,000,000      198,000,000      3               1           1.1
BigData         50,000,000     1,980,000,000    34              3           5.1
BigData x2      100,000,000    4,000,000,000    69              6           9.0
BigData x4      200,000,000    8,000,000,000    146             12          18.2
BigData x8      400,000,000    16,000,000,000   300             16          31.8
In cuGraph's Python API (my_df is a cuDF edge list with src/dst columns):
import cugraph
G = cugraph.Graph()
G.from_cudf_edgelist(my_df, source='src', destination='dst')
pr = cugraph.pagerank(G)
34.
from blazingsql import BlazingContext
import graphistry

# Collapse raw netflow (netflow_df, a cuDF dataframe) into one edge per
# (src_ip, dest_ip) pair with total bytes and first/last seen times.
bc = BlazingContext()
bc.create_table('netflow', netflow_df)
graph = bc.sql("""
SELECT src_ip, dest_ip,
       SUM(bytes) AS bytes,
       MIN(time)  AS first_seen,
       MAX(time)  AS last_seen
FROM netflow
GROUP BY src_ip, dest_ip
""")
graphistry.bind(source='src_ip', destination='dest_ip').edges(graph).plot()
BlazingSQL's C++ engine skips cuDF's Python Numba JIT…
so _great_ for subsecond interactivity!
35.
Closing remarks: Scaling graph _projects_
Avoid failure to launch by avoiding infra & NIH:
• 1d-1mo: cloud, viz, on-the-fly compute, notebooks, API connectors
• 3mo-never: graph DB, Kafka ingest, Hadoop, on-prem, custom analytics, custom UIs
Useful by design: make the user + problem the #1 driver, not infra
Win ROI politics with the cupcake principle: big projects start as small projects
Lower switching costs by augmenting vs. replacing: everyone is used to the status quo and uninterested in avoidable work.
Start with good champions: ideally innovative, influential, technical, & with time; grow from there
Gartner: "85% of data science projects fail."