Extracting the most significant activity in a network with millions of transactions is a challenging task, but one that is critical for analyzing behaviours, detecting issues and recognizing the most significant interactions in a monitored network. GraphIQ is a MOREAL component that aims to aid in this task, leveraging low-level and high-level information from other MOREAL ThreatIQ components. The most frequent IP flows, especially those that are “surprisingly” frequent, along with the flows exhibiting anomalies and threat events, are extracted in a common format which is then utilized in other MOREAL components such as the branch-level network graph.
How GraphIQ works
The most significant interactions are derived using a proprietary algorithm which scores, ranks and finally selects the most interesting network activities and the involved network entities. In simple terms, the graph is built by examining the distribution of traffic and selecting the most frequent or “surprisingly”-frequent flows (IP-IP pairs), while also assigning more weight to the interactions having IPS threats and MOREAL alerts.
More specifically, the GraphIQ component analyzes log data generated by network and security devices along with higher-level information from MOREAL metric counters and alerts, and gradually builds historical models for the most critical entities in the network. Those entities are then monitored for “interesting” interactions with other network devices, and the interactions exceeding a minimum level of “significance” (measured by frequency, magnitude and criticality) are stored for use by other ThreatIQ components.
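The scoring described above, as an added illustration that is not GraphIQ's proprietary algorithm: each IP-IP pair is scored on frequency, "surprise" against a constructed historical baseline, traffic magnitude and criticality (IPS hits and alerts), then ranked and cut at a significance threshold. The flow records, baseline, alert counts, weights and threshold are all constructed assumptions.

```python
import math
from collections import Counter, defaultdict

# Constructed sample input: one record per IP flow, (src, dst, bytes, ips_threat_flag).
# Built programmatically so the per-pair counts are explicit.
def sample_flows():
    flows = []
    flows += [("10.0.0.5", "10.0.0.20", 1000, False)] * 60   # frequent, but matches its baseline
    flows += [("10.0.0.7", "203.0.113.9", 500, False)] * 30  # far above its historical rate
    flows += [("198.51.100.4", "10.0.0.9", 200, True)] * 3   # rare, but every flow carries an IPS hit
    flows += [("10.0.0.8", "10.0.0.21", 100, False)] * 2     # rare and unremarkable
    return flows

# Constructed historical model: per pair, (mean flows per window, standard deviation).
# Pairs with no history get no "surprise" credit here (a simplifying assumption).
BASELINE = {
    ("10.0.0.5", "10.0.0.20"): (60.0, 6.0),
    ("10.0.0.7", "203.0.113.9"): (5.0, 2.0),
}

# Constructed higher-level input: number of alerts raised per pair.
ALERTS = {("198.51.100.4", "10.0.0.9"): 1}

def score_pairs(flows, baseline, alerts, threat_weight=2.0, alert_weight=3.0):
    """Score every src/dst pair on frequency, surprise, magnitude and criticality."""
    counts, volume, threats = Counter(), defaultdict(int), Counter()
    for src, dst, nbytes, threat in flows:
        pair = (src, dst)
        counts[pair] += 1
        volume[pair] += nbytes
        if threat:
            threats[pair] += 1
    scored = {}
    for pair, n in counts.items():
        mean, std = baseline.get(pair, (float(n), 1.0))  # no history -> surprise of 0
        surprise = max(0.0, (n - mean) / std)             # z-score above the baseline
        components = {
            "frequency": math.log1p(n),
            "surprise": surprise,
            "magnitude": math.log10(1 + volume[pair]),
            "criticality": threat_weight * threats[pair] + alert_weight * alerts.get(pair, 0),
        }
        components["score"] = sum(components.values())
        scored[pair] = components
    return scored

def significant_interactions(scored, min_score=5.0, top_k=10):
    """Rank pairs by score and keep only those above the significance threshold."""
    ranked = sorted(scored.items(), key=lambda kv: kv[1]["score"], reverse=True)
    return [(pair, c) for pair, c in ranked if c["score"] >= min_score][:top_k]

if __name__ == "__main__":
    for pair, c in significant_interactions(score_pairs(sample_flows(), BASELINE, ALERTS)):
        print(f"{pair[0]:>14} -> {pair[1]:<14} score={c['score']:.2f} surprise={c['surprise']:.1f}")
```

Keeping the score components alongside the total is what lets a downstream consumer explain why a pair made the graph (surprising rate versus threat hits versus raw volume).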
The GraphIQ component analyzes internal assets, networks and external hosts, tracking specific types of activity for each kind of entity:
- Network and Security appliances: activity in a network as a whole
- Assets: activity and behavior of internal IPs that have been registered within MOREAL as critical assets by the user
- Internal IPs: activity of other internal IPs (non-assets) whose behaviour marks them as significant.
- External IPs: activity of external IPs that are frequently encountered or exhibit threatening behaviour.