Extracting the most significant activity in a network with millions of transactions is a challenging task, but one that is critical in the process of analyzing behaviours, detecting issues and recognizing the most significant interactions in a monitored network. GraphIQ is a MOREAL component that aims to aid in this task, leveraging low-level and high-level information from other MOREAL ThreatIQ components. The most frequent IP flows and especially the ones “surprisingly” frequent, along with the flows exhibiting anomalies and threat events are extracted in a common format which is then utilized in other MOREAL components like the Branch-level network graph.
The most significant interactions are derived using a proprietary algorithm which scores, ranks and finally selects the most interesting network activities and the involved network entities. In simple terms, the graph is built by examining the distribution of traffic and selecting the most frequent or “surprisingly”-frequent flows (IP-IP pairs), while also assigning more weight to the interactions having IPS threats and MOREAL alerts.
More specifically, the GraphIQ component analyzes log data generated from network and security devices along with higher-level information from MOREAL metric counters and alerts, and gradually builds historical models for the most critical entities in the network. Those entities are then monitored for “interesting” interactions with other network devices, and the interactions exceeding a minimum level of “significance” (by metrics of frequency, magnitude and criticality) are stored for use by other ThreatIQ components.
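To make the scoring idea concrete, the following is an added illustration and not MOREAL's proprietary algorithm: it counts IP-IP flows, compares each pair against an assumed historical baseline to measure how “surprisingly” frequent it is, adds weight for IDS and MOREAL alerts, and keeps the pairs above a significance threshold. The log format, baseline model and alert weights are all assumptions.

```python
import math
from collections import Counter

# Constructed sample flow records (assumed format, not MOREAL's): "src dst proto".
FLOW_LOG = """10.0.0.5 10.0.0.9 tcp
10.0.0.5 10.0.0.9 tcp
10.0.0.5 10.0.0.9 tcp
10.0.0.5 10.0.0.9 tcp
10.0.0.5 10.0.0.9 tcp
10.0.0.5 10.0.0.9 tcp
10.0.0.7 203.0.113.4 tcp
10.0.0.7 203.0.113.4 tcp
10.0.0.7 203.0.113.4 udp
10.0.0.2 10.0.0.9 icmp
10.0.0.8 198.51.100.1 tcp
10.0.0.8 198.51.100.1 tcp
"""
# Assumed historical model: expected flow count per pair in a comparable window.
BASELINE = {("10.0.0.5", "10.0.0.9"): 6, ("10.0.0.2", "10.0.0.9"): 1,
            ("10.0.0.8", "198.51.100.1"): 2}
# Assumed security events attached to pairs, keyed by event kind.
ALERTS = {("10.0.0.8", "198.51.100.1"): ["ids"]}
ALERT_WEIGHT = {"ids": 2.0, "firewall_block": 1.0, "moreal_alert": 3.0}

def parse_flows(text):
    """Count flows per (src, dst) pair; this is the traffic distribution."""
    pairs = Counter()
    for line in text.strip().splitlines():
        src, dst, _proto = line.split()
        pairs[(src, dst)] += 1
    return pairs

def score_pairs(pairs, baseline, alerts):
    """Score = frequency + surprise vs. baseline + criticality from alerts."""
    scores = {}
    for pair, count in pairs.items():
        frequency = math.log1p(count)
        expected = baseline.get(pair, 0)          # unseen pair -> maximally surprising
        surprise = max(0.0, math.log((count + 1) / (expected + 1)))
        criticality = sum(ALERT_WEIGHT.get(k, 1.0) for k in alerts.get(pair, ()))
        scores[pair] = round(frequency + surprise + criticality, 3)
    return scores

def select_significant(scores, min_score, top_k):
    """Rank pairs and keep the top_k that clear the significance threshold."""
    ranked = sorted(scores.items(), key=lambda kv: kv[1], reverse=True)
    return [(pair, s) for pair, s in ranked if s >= min_score][:top_k]

def to_graph_edges(selected):
    """Common edge format for a downstream network graph (assumed shape)."""
    return [{"src": s, "dst": d, "weight": w} for (s, d), w in selected]
```

Running `to_graph_edges(select_significant(score_pairs(parse_flows(FLOW_LOG), BASELINE, ALERTS), 1.0, 3))` ranks the alerted pair first, the never-seen-before external pair second, and drops the single ICMP flow as insignificant.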
The specific metrics regarding network events (TCP/UDP/ICMP network sessions) and security events (IDS alerts, firewall blocks) related to the above entities are described in the “MOREAL Metrics” documentation.
The GraphIQ component analyzes internal assets, networks and more specific types of activity for those entities: