Technology Overview
Two hundred and ninety-two days—that’s how long, on average, it takes to detect a cyber breach from the time it begins—double the time it took a decade ago. As cyberattacks grow more sophisticated and costly, the urgency for faster, more proactive detection has never been greater. Pacific Northwest National Laboratory’s patented StreamWorks cuts that time significantly—to near real time—by detecting emerging patterns of sophisticated cyberattacks in massive data streams.
Combining several analytic approaches that had not previously been used together in a cybersecurity tool, StreamWorks tells a cyber analyst when major suspicious patterns are occurring. The tool also provides a description of the potential threat and a rationale for why the threat was selected—so the analyst doesn’t have to guess but, instead, can act swiftly.
This software application is intended to be used in a dynamic environment where network data is streamed in and appended to a large-scale dynamic graph. This technology can benefit organizations seeking to detect attacks within networks comprising multiple devices. For example, an organization’s cyber network can be observed as a graph, where each node represents a computing device (or IP address) and an edge represents the communication between the devices. As data is generated, the graph continuously updates so a threat can be identified sooner rather than later. Different types of graphical query patterns (expressed as subgraphs) may be defined for specific types of cyberattacks, including various network scans, reflector attacks, flood attacks, viruses, worms, etc.
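The graph model described above, as an added illustration in Python that is not StreamWorks' own code or its query language: a streaming graph appends timestamped communication edges, expires them from a sliding window, and continuously matches one user-defined query subgraph (a star pattern, the shape a host sweep leaves in the graph), reporting each match with a rationale. The window length, fan-out threshold, alert fields and flow records are assumptions constructed for the example.

```python
from collections import defaultdict, deque

class StreamingGraph:
    """Dynamic graph of (timestamp, src, dst) communication edges; edges older
    than `window` seconds are expired before each update."""
    def __init__(self, window):
        self.window = window
        self.edges = deque()                               # arrival order
        self.out = defaultdict(lambda: defaultdict(int))   # src -> dst -> live count
    def _expire(self, now):
        while self.edges and now - self.edges[0][0] > self.window:
            _, src, dst = self.edges.popleft()
            self.out[src][dst] -= 1
    def add_edge(self, ts, src, dst):
        self._expire(ts)
        self.edges.append((ts, src, dst))
        self.out[src][dst] += 1
    def fanout(self, src):
        # distinct destinations of src with at least one edge still inside the window
        return sum(1 for n in self.out[src].values() if n > 0)

def star_query(min_fanout):
    """Query subgraph: one node with edges to >= min_fanout distinct nodes in the window."""
    def match(graph):
        return [{"pattern": "star", "node": src,
                 "rationale": f"{graph.fanout(src)} distinct peers within {graph.window}s"}
                for src in list(graph.out) if graph.fanout(src) >= min_fanout]
    return match

def run_stream(records, window, queries):
    """Append each record, re-run every query, and report each (pattern, node)
    match once, with the rationale an analyst needs to act on it."""
    graph, seen, alerts = StreamingGraph(window), set(), []
    for ts, src, dst in records:
        graph.add_edge(ts, src, dst)
        for query in queries:
            for alert in query(graph):
                key = (alert["pattern"], alert["node"])
                if key not in seen:
                    seen.add(key)
                    alerts.append(alert)
    return alerts

# Constructed flow records, not real traffic: 10.0.0.5 reaches a few hosts spread
# over a long period (no alert); 10.0.0.77 reaches five hosts within seconds.
SAMPLE_FLOWS = [
    (0, "10.0.0.5", "10.0.0.7"), (1, "10.0.0.9", "10.0.0.7"), (2, "10.0.0.5", "10.0.0.8"),
    (40, "10.0.0.5", "10.0.0.9"), (41, "10.0.0.5", "10.0.0.10"),
    (100, "10.0.0.77", "10.0.0.1"), (101, "10.0.0.77", "10.0.0.2"), (101, "10.0.0.77", "10.0.0.3"),
    (102, "10.0.0.77", "10.0.0.4"), (102, "10.0.0.77", "10.0.0.5"),
]
```

Running `run_stream(SAMPLE_FLOWS, window=30, queries=[star_query(5)])` yields a single alert for 10.0.0.77; the slow host never accumulates five live edges inside the window, which is the difference between a continuously updated graph and a static snapshot.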
This tool caught the attention of the Department of Homeland Security, which featured StreamWorks in its 2017 cohort of eight patented technologies fit for its Transition to Practice program. Graph-based machine learning, as outlined in Patent US10855706B2, is essential for modeling complex relationships, making it a critical foundation for emerging artificial intelligence technologies and market innovation.
Pacific Northwest National Laboratory scientists have engineered this technology to systematically address the industry's pain points by enabling scalable, real-time analysis of network data. It has the potential to revolutionize how industries monitor and analyze dynamic data, offering substantial economic and efficiency benefits, and reducing the time required to detect and respond to emerging threats.
Applicability
This R&D 100 Award-winning graph-analytics engine detects patterns within data as they flow between computers, users, and applications at rates 10 to 100 times faster than current methods. With the patents involved having collectively received more than 400 citations, the tool performs continuous matching for user-selected query patterns, which can be tailored to analyze computer network traffic, social media events, or other streams of data represented as a dynamic data graph. Users can tailor StreamWorks query graphs to different types of intrusions and produce visualizations showing the emerging and evolving patterns. This fast-paced, real-time monitoring and analysis allows cybersecurity analysts to detect cyberattacks quickly, before thieves steal data or crash a system.
Advantages
- Detect emerging patterns of sophisticated cyberattacks in massive data streams in near real time.
- Identify intrusion and threat patterns 10 to 100 times faster than current methods.
- Produce easy-to-use visualizations showing emerging and evolving threat patterns.
- Enhance performance with distributed computing resources.
- Analyze dynamic and scalable data in real time.
State of Development
StreamWorks has applicability in real-time monitoring in cybersecurity, finance, and Internet of Things applications. The analysis framework is intended to be used in a dynamic environment where network data is streamed in and represented as a large-scale evolving dynamic graph. The framework may be applied to identify emerging graph patterns that are known to users in advance, or ones that spontaneously emerge and are deemed “significant” or “interesting,” and then report them to users as significant events.