Big Data Analytics for United Security

What Advantages Does an Agile Network Bring? (Issue 2)

By Swift Liu, President Enterprise Networking Product Line Huawei Enterprise Business Group

Agile means quick and nimble.

New services such as mobility, cloud computing, social media, Big Data, and the Internet of Things (IoT) bring higher requirements for real-time service transmission, network mobility and scalability, as well as improved user experience. Huawei Agile Network Solution focuses on ways to cope with the challenges brought by these new services and quickly solve problems they create for traditional networks.

This article talks about how Big Data analytics can be used to safeguard a network.

1 Big Data Analytics

"Big Data" has become a hot trend in recent years, and its popularity has even surpassed that of Software-Defined Networking (SDN). In practice, Big Data refers to Big Data analytics. Traditional analytics methods typically use causal theory to infer results. For example, if someone is hungry, traditional analytics infers that this person did not have dinner. Causal theory, however, does not apply in Big Data analytics. Big Data analytics predicts the future from large amounts of data, even though the predicted results have no theoretical basis.

The book Big Data tells a story about Google once predicting a flu pandemic. A special flu was found in the U.S., and medical agencies tried to collect patient information, predict the trend, and take action to prevent the flu from spreading. The flu spread anyway, despite their efforts. Google had predicted the spread of the flu before the medical agencies did. Because people who suspected that they had flu usually searched the Internet for symptoms and treatments, Google was able to obtain a large amount of data about the flu. By analyzing this data, Google predicted the occurrence and spread of the flu. When the health authorities released a report on the flu two or three weeks later, people were surprised to find that the spread and other descriptions of the flu in the report were completely consistent with Google's prediction.

In another Big Data story, a data mining scientist planned to fly east from San Francisco to attend his brother's wedding. He booked the ticket several months in advance, hoping to get a cheaper fare. But once he was on board, he found that the passenger sitting next to him had bought the ticket at a lower price than he did, even though that passenger had booked only several days earlier. Common sense tells us a ticket should be cheaper if you book it earlier. So why did that passenger get a cheaper ticket than the data mining scientist? The scientist then developed an analytics software program to figure out the best time to buy a flight ticket. He analyzed a large amount of data and found that a ticket can be bought at its lowest price at a specific time with about a 70% probability. News of the software spread quickly, and it was purchased by a big corporation. The software provides high prediction accuracy but has no theoretical basis. It simply collects data from all airline companies. When an airline company is selected, the software tells you when to buy a ticket at the lowest price.

This is the advantage of Big Data analytics. It does not depend on any business relationship or causality, yet it still arrives at a correct conclusion.

Why were the merits of Big Data analytics not realized for several decades? Big Data analytics involves a huge amount of data and requires storage and computing resources that were not available in the past. Now that they are available, what changes has Big Data brought to the industry? The major change occurred in the database. Traditional relational databases cannot be used for Big Data analytics, so a new type of database was required. Traditional databases must synchronize data because of the causality between data items. Big Data analytics does not depend on causality and therefore does not need data synchronization, which brings new requirements for databases. Big Data does not change the network, storage, or computing architecture as much as it changes databases. Big Data analytics can also help IT administrators predict future events on networks, such as when a fault may occur and when traffic will increase sharply.

2 Internet of Things

The Internet of Things (IoT) is also a popular technology. It was originally called Machine to Machine (M2M) and is now known as the Internet of Everything (IoE). As the IoE will connect everything around the globe, it becomes possible to collect and analyze Big Data in a centralized manner. Therefore, the IoE and Big Data analytics are closely correlated. The major challenges brought by the IoE are bandwidth, reliability, and security. With the sharp increase in the number of nodes on the network, more bandwidth is required, while the reliability and security of the data transmission pipes are key to the IoE.

According to research, water utilities receive the most attacks in the IoE in the U.S., because the IoE often involves industrial controls, whose security matters in daily life. If the computer system of a water plant is hacked, the hacker may blend wastewater with domestic water, which could endanger the health and welfare of large populations.

3 Innovation 2: United Security — Use Big Data Analytics to Protect Your Big Data and Big Data Network

Imagine someone hears a knock and opens the door. The stranger at the door says that he knocked on the wrong door. The resident believes him and closes the door. The stranger continues to knock on other doors in the neighborhood until he finds a house with nobody home. Then he breaks in and robs the house.

In this story, no single resident suspects the stranger, but the security personnel of the residential community will find his behavior suspicious when they view the surveillance cameras.

This story illustrates that checking the entire network uncovers risks that checking a single point cannot. A network-wide view reveals more potential threats.

In the article on mobility, I talked about the use of SDN architecture in campus networks. SDN introduces a Controller for centralized management and control in a campus network. The Controller can check the security of the entire network. So why not use Big Data analytics to find potential threats in the network? Based on this idea, Huawei integrates behavior analysis software on the Controller. Mature behavior analysis products are already available. For example, many hospitals now use behavior analysis software to audit whether staff are using patients' personal information for profit. Some hospital staff may leak personal information of patients, such as ID, telephone number, address, occupation, and income, to make a profit. Hospitals use behavior analysis software to distinguish normal staff behavior from information theft and to investigate those who leak patient information according to the analysis results.

The preceding example shows that the software needs to identify abnormal behaviors. However, the software is just a platform and only works properly once rules are defined. The rules must be defined by customers or partners who are familiar with the services, not by IT vendors who are not.

For these reasons, Huawei integrates security behavior analysis software into the Controller. The Controller collects logs from diverse types of devices, records the security events occurring across the entire network, and analyzes them to discover potential threats or attacks that single-point defense measures cannot discover.
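The difference between a single device's view and the Controller's network-wide view, as in the door-knocking story, can be shown with a small correlation check over device logs. The following is an added example, not code from the article or from Huawei's Controller; the log format, device names, addresses and thresholds are all constructed for the example. Each access device sees one refused connection from the same source, which is below any sensible per-device threshold, while the combined logs show one source probing many distinct hosts on the same port.

```python
import re
from collections import defaultdict

# Constructed sample device logs (not taken from the article). One line per event.
# A single source opens one connection to a different host on each access
# device; each device alone sees nothing unusual.
SAMPLE_LOGS = """\
sw-access-01 2023-03-01T09:00:01 CONN src=10.1.5.77 dst=10.1.1.10 dport=445 result=refused
sw-access-02 2023-03-01T09:00:04 CONN src=10.1.5.77 dst=10.1.2.14 dport=445 result=refused
fw-edge-01   2023-03-01T09:00:07 CONN src=10.1.5.77 dst=10.1.3.9  dport=445 result=refused
sw-access-03 2023-03-01T09:00:09 CONN src=10.1.5.77 dst=10.1.4.21 dport=445 result=accepted
sw-access-01 2023-03-01T09:01:00 CONN src=10.1.5.12 dst=10.1.1.10 dport=443 result=accepted
sw-access-02 2023-03-01T09:01:30 CONN src=10.1.5.12 dst=10.1.2.14 dport=443 result=accepted
"""

LINE_RE = re.compile(
    r"^(?P<device>\S+)\s+(?P<ts>\S+)\s+CONN\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)"
    r"\s+dport=(?P<dport>\d+)\s+result=(?P<result>\w+)$"
)


def parse_logs(text):
    """Parse the constructed log format into a list of event dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["dport"] = int(e["dport"])
            events.append(e)
    return events


def single_point_alerts(events, per_device_threshold=3):
    """What one device can see on its own: a source refused at least
    `per_device_threshold` times on *that* device. Returns the offending sources."""
    refused = defaultdict(int)
    for e in events:
        if e["result"] == "refused":
            refused[(e["device"], e["src"])] += 1
    return sorted({src for (_dev, src), n in refused.items() if n >= per_device_threshold})


def network_wide_alerts(events, distinct_hosts_threshold=3):
    """What a Controller holding every device's logs can see: one source touching
    at least `distinct_hosts_threshold` distinct hosts on the same port, whichever
    device each connection crossed. Returns (src, dport, host_count) tuples."""
    touched = defaultdict(set)
    for e in events:
        touched[(e["src"], e["dport"])].add(e["dst"])
    return sorted(
        (src, dport, len(hosts))
        for (src, dport), hosts in touched.items()
        if len(hosts) >= distinct_hosts_threshold
    )


if __name__ == "__main__":
    evts = parse_logs(SAMPLE_LOGS)
    print("single-point view:", single_point_alerts(evts))   # []
    print("network-wide view:", network_wide_alerts(evts))   # [('10.1.5.77', 445, 4)]
```

The per-device check is the "resident at the door": each device has a true but useless observation. The network-wide check is the "surveillance camera": it only works because the Controller holds the logs of every device, which is the point of collecting them centrally.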

The Controller displays this information on the GUI to notify the network administrator and also generates alarms. The network administrator then takes security measures to defend against the risks. The network administrator can also predefine policies or actions on the Controller; for example, suspicious traffic can be imported to the security center and cleaned. The Controller reduces the maintenance workload of the network administrator and ensures secure operation of the entire system.

Another important advantage: Big Data analytics works in real time.

At the end of 2012, the serial killer Zhou Kehua was the focus of Chinese media. The criminal killed and robbed victims in several Chinese cities. To find his escape route and issue an arrest warrant with the clearest photo of Zhou Kehua, the public security bureau retrieved the surveillance videos of all cameras in the locations and surrounding areas where the incidents occurred, and mobilized many police organizations to analyze the incidents.

After a total of two weeks, the public security bureau found a clear photo and issued the arrest warrant. By this time, Zhou Kehua had escaped without a trace.

If a security event occurs on an enterprise network, it can be detected in a post-event review by analyzing the logs of the attacked devices and their neighboring devices. Why are these clues not detected at the time? Because there is too much data for the network administrator to audit all the logs and correlate them.

With Big Data methods, the public security bureau could analyze the information about serial killer Zhou Kehua immediately, find him before he escaped, and mobilize the police to control the criminal. Similarly, Big Data methods can immediately analyze network security attack events, find network security problems in a timely manner, and even discover potential security risks in advance so that security events are prevented from occurring. This is the magic of Big Data analytics.

United security — Big Data analytics is used to protect Big Data and Big Data networks

Huawei's agile switch supports a next-generation firewall card that provides multiple security functions, including IPS, IDS, and anti-DDoS. The agile switch at the aggregation layer can analyze various security events. Let's look at an example. During network operations, traffic on some ports of the aggregation-layer agile switch may increase suddenly because of a DDoS attack. When the traffic volume reaches a threshold, the agile switch reports an alarm to the Controller. The security behavior analysis module of the Controller has predefined rules for importing suspicious traffic. After receiving the alarm, the Controller delivers a Policy-Based Routing (PBR) policy to the aggregation switch, which imports the suspicious traffic to the security center. The security center cleans the DDoS traffic and returns the cleaned traffic to the aggregation switch. In this manner, the attack does not spread across the network. Other policies, such as a drop policy, can also be configured.

In the preceding example, the alarm first notifies the administrator, and then the administrator configures policies. This is because preconfigured policies and automatic execution of policies carry risk: if incorrect policies are defined, network exceptions may occur, and such exceptions are difficult to locate. Therefore, the network administrator can define a few simple policies. When network automation is implemented in the future, the system will be able to generate policies to defend against common attacks, such as DDoS attacks: it discovers suspicious traffic and delivers policies that import the traffic to the security center or discard the attack traffic. Automated network management improves efficiency and reduces IT costs. Huawei believes network management automation will be implemented gradually, in the same manner as automation in the computer and industrial control fields.
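The threshold alarm, the predefined rule, and the two modes of operation described in the DDoS example and the paragraph above (alarm first, administrator approves; or automatic policy delivery) can be modelled as a small Controller state machine. This is an added example, not Huawei Controller code: the rule names, the security-center next hop, the switch and port names, and the policy dictionary layout are all constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed next hop for the security (traffic cleaning) center; a placeholder,
# not a real deployment value.
SECURITY_CENTER_NEXT_HOP = "192.0.2.10"


@dataclass
class Rule:
    name: str
    threshold_mbps: float          # port traffic rate at which the switch alarm matches this rule
    action: str                    # "divert" (PBR to the security center) or "drop"
    dport: Optional[int] = None    # restrict the rule to one destination port, or None for any


@dataclass
class TrafficSample:
    switch: str
    port: str
    dport: int
    mbps: float


@dataclass
class Controller:
    rules: List[Rule]
    auto_execute: bool = False     # False: alarm only, administrator approves; True: deliver policy at once
    alarms: List[dict] = field(default_factory=list)
    delivered: List[dict] = field(default_factory=list)

    def _policy_for(self, rule: Rule, sample: TrafficSample) -> dict:
        """Translate a matched rule into the policy the aggregation switch would receive."""
        match = {"switch": sample.switch, "ingress_port": sample.port, "dport": sample.dport}
        if rule.action == "divert":
            # PBR: steer only the suspicious flow to the security center for cleaning.
            return {"type": "pbr", "match": match, "next_hop": SECURITY_CENTER_NEXT_HOP}
        if rule.action == "drop":
            return {"type": "drop", "match": match}
        raise ValueError(f"unknown action {rule.action!r}")

    def on_sample(self, sample: TrafficSample) -> Optional[dict]:
        """Evaluate one port-rate report from a switch. First matching rule wins.
        Returns the alarm raised, or None when no rule matches."""
        for rule in self.rules:
            port_ok = rule.dport is None or rule.dport == sample.dport
            if port_ok and sample.mbps >= rule.threshold_mbps:
                alarm = {
                    "id": len(self.alarms),
                    "rule": rule.name,
                    "sample": sample,
                    "policy": self._policy_for(rule, sample),
                    "status": "pending",
                }
                self.alarms.append(alarm)
                if self.auto_execute:
                    self._deliver(alarm)
                return alarm
        return None

    def approve(self, alarm_id: int) -> dict:
        """Administrator reviews a pending alarm and lets the Controller deliver its policy."""
        alarm = self.alarms[alarm_id]
        if alarm["status"] != "pending":
            raise ValueError("alarm already handled")
        self._deliver(alarm)
        return alarm["policy"]

    def _deliver(self, alarm: dict) -> None:
        self.delivered.append(alarm["policy"])
        alarm["status"] = "delivered"


if __name__ == "__main__":
    rules = [Rule("dns-flood", 800.0, "drop", dport=53), Rule("volumetric", 1000.0, "divert")]
    ctl = Controller(rules)                       # alarm-then-approve mode
    alarm = ctl.on_sample(TrafficSample("agg-sw-1", "port-1", 443, 1500.0))
    print("pending policy:", alarm["policy"])
    print("delivered after approval:", ctl.approve(alarm["id"]))
```

Keeping `auto_execute` off is the conservative setting the article recommends: every policy is visible as a pending alarm before it touches the switch, so a wrong rule is caught by a person rather than discovered later as an unexplained network exception.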

Huawei also provides sandbox technology for security detection. Sandbox technology acts like a virus Petri dish and can simulate environments such as Linux, Windows, Android, and iOS. When the network administrator finds suspicious applications and potential threats, they can be placed in the simulated environment (sandbox) so that their behavior can be observed. If an attack occurs, an alarm is generated in the simulated environment. The network administrator can then determine whether the suspicious applications pose potential risks or threats and take measures in advance. The firewall card can be configured to copy potential threats to the sandbox for automatic checking, analysis, and alarm generation. Security threats can thus be detected at the initial stage, and the network remains well protected.

As the preceding examples have shown, the Controller is important to network security. Common firewalls can provide basic security defenses. However, a defense is also required against the network administrators themselves, whose accounts hold the highest privileges. Operation errors, incorrect configurations, or intentional damage by network administrators seriously affect the network, so an audit measure is required specifically for them. Huawei provides administrator behavior audit software that records all commands executed and all actions taken by network administrators. All records are kept for post-audit purposes and cannot be deleted. For example, if a network administrator enters the Display Interface1/0/0 command, the command is typically only logged; the administrator behavior audit software records this command together with all information related to it.
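An audit record that "cannot be deleted" has to mean that deletion or alteration is detectable by someone other than the administrator being audited. One standard way to get that property is a hash chain over the records, keyed with a secret held by the audit server rather than the audited device, with the latest chain head stored off-box. The following is an added example, not Huawei's audit software; the key, the record layout and the sample commands are constructed for illustration.

```python
import hashlib
import hmac
import json
from typing import List, Optional, Tuple

# Constructed key for the example. In a deployment the key lives on the audit
# server, so an administrator of the audited device cannot recompute digests.
AUDIT_KEY = b"example-audit-key-not-for-production"
GENESIS = "0" * 64   # previous-hash value of the first record


def _record_digest(prev_hash: str, admin: str, ts: str, command: str) -> str:
    """Keyed digest binding a record's content to its predecessor's digest."""
    payload = json.dumps(
        {"prev": prev_hash, "admin": admin, "ts": ts, "cmd": command}, sort_keys=True
    ).encode()
    return hmac.new(AUDIT_KEY, payload, hashlib.sha256).hexdigest()


def append_record(chain: List[dict], admin: str, ts: str, command: str) -> dict:
    """Append one audited command; the record carries the previous record's digest."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS
    rec = {"seq": len(chain), "prev": prev_hash, "admin": admin, "ts": ts, "cmd": command}
    rec["hash"] = _record_digest(prev_hash, admin, ts, command)
    chain.append(rec)
    return rec


def verify_chain(chain: List[dict], expected_head: Optional[str] = None) -> Tuple[bool, int]:
    """Return (True, -1) when every record links to its predecessor and its digest
    matches; otherwise (False, seq) for the first record that fails.

    `expected_head` is the chain head stored off-box: without it, silently
    dropping the newest records would go unnoticed, since the chain stays
    internally consistent. With it, truncation reports (False, len(chain))."""
    prev_hash = GENESIS
    for expected_seq, rec in enumerate(chain):
        expected = _record_digest(prev_hash, rec["admin"], rec["ts"], rec["cmd"])
        if (
            rec["seq"] != expected_seq
            or rec["prev"] != prev_hash
            or not hmac.compare_digest(rec["hash"], expected)
        ):
            return False, rec["seq"]
        prev_hash = rec["hash"]
    if expected_head is not None and prev_hash != expected_head:
        return False, len(chain)
    return True, -1


if __name__ == "__main__":
    # Constructed sample commands.
    log: List[dict] = []
    append_record(log, "admin1", "2023-03-01T10:00:00", "display interface")
    append_record(log, "admin1", "2023-03-01T10:00:05", "undo acl 3000")
    append_record(log, "admin2", "2023-03-01T10:01:00", "save")
    head = log[-1]["hash"]
    print("intact:", verify_chain(log, head))          # (True, -1)
    tampered = [dict(r) for r in log]
    del tampered[1]                                     # remove the middle record
    print("middle record deleted:", verify_chain(tampered, head))   # (False, 2)
```

The check that matters for the article's claim is the off-box head: a chain alone proves that nothing in the middle was altered, but only an externally stored head proves that nothing at the end was removed.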

4 Summary

United security is the second innovation of Huawei's agile network. This solution uses Big Data analytics methods to protect Big Data and Big Data networks. The network administrator can find potential security risks and threats and remove them through policies such as traffic import and drop, properly protecting user data and networks.
