ESAFE: Enterprise Security and Forensics at Scale
Bernard McShea, Kevin Wright, Denley Lam, Steve Schmidt, Anna Choromanska, Devansh Bisla, Shihong Fang, Alireza Sarmadi, Prashanth Krishnamurthy, Farshad Khorrami

TL;DR
ESAFE is a scalable enterprise security system that uses hierarchical machine learning and reasoning layers to detect, characterize, and alert on malicious activities across large, distributed networks.
Contribution
The paper introduces ESAFE, a novel multi-layer security framework with machine learning algorithms for scalable threat detection and automated alert generation in enterprise environments.
Findings
Improved detection recall with scalable throughput
Effective cross-sensor correlation for threat analysis
Automated human-readable alerts for analysts
Abstract
Securing enterprise networks presents challenges in terms of both their size and distributed structure. Data required to detect and characterize malicious activities may be diffused and may be located across network and endpoint devices. Further, cyber-relevant data routinely exceeds total available storage, bandwidth, and analysis capability, often by several orders of magnitude. Real-time detection of threats within or across very large enterprise networks is not simply an issue of scale, but also a challenge due to the variable nature of malicious activities and their presentations. The system seeks to develop a hierarchy of cyber reasoning layers to detect malicious behavior, characterize novel attack vectors and present an analyst with a contextualized human-readable output from a series of machine learning models. We developed machine learning algorithms for scalable throughput…
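The abstract describes a hierarchy of reasoning layers: per-sensor detectors, a cross-sensor correlation step, and an analyst-facing alert. The following is an added illustration of that layered shape, not ESAFE's code and not the paper's models: the two detectors are hand-written rules standing in for learned classifiers, the noisy-OR score fusion and the 300-second correlation window are assumptions chosen for the example, and the endpoint and network events are constructed. What it shows is the structural point the abstract makes, that neither sensor alone raises an alert, while the correlated pair does.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample telemetry (not from the paper).
# Endpoint sensor: (timestamp_sec, host, process, parent_process)
ENDPOINT_EVENTS = [
    (100, "ws-17", "powershell.exe", "winword.exe"),
    (101, "ws-17", "powershell.exe", "explorer.exe"),
    (400, "ws-22", "chrome.exe", "explorer.exe"),
]
# Network sensor: (timestamp_sec, host, dst_ip, dst_port, bytes_out)
NETWORK_EVENTS = [
    (103, "ws-17", "203.0.113.5", 443, 18_000_000),
    (405, "ws-22", "198.51.100.9", 443, 2_000),
]


@dataclass(frozen=True)
class Observation:
    """Layer-1 output: one scored finding from one sensor."""
    ts: int
    host: str
    sensor: str
    label: str
    score: float   # assumed calibrated probability-like score in [0, 1]
    detail: str


def endpoint_detector(events):
    """Layer 1 (endpoint): flag a shell spawned by a document-handling application."""
    office = {"winword.exe", "excel.exe", "outlook.exe"}
    shells = {"powershell.exe", "cmd.exe"}
    return [
        Observation(ts, host, "endpoint", "office_spawns_shell", 0.7,
                    f"{parent} spawned {proc}")
        for ts, host, proc, parent in events
        if proc in shells and parent in office
    ]


def network_detector(events, egress_threshold=10_000_000):
    """Layer 1 (network): flag a single flow whose outbound volume exceeds a threshold (assumed value)."""
    return [
        Observation(ts, host, "network", "large_egress", 0.6,
                    f"{nbytes} bytes to {dst}:{port}")
        for ts, host, dst, port, nbytes in events
        if nbytes >= egress_threshold
    ]


def correlate(observations, window=300):
    """Layer 2: group observations by host, then cluster those within `window` seconds of the first."""
    by_host = defaultdict(list)
    for o in sorted(observations, key=lambda o: o.ts):
        by_host[o.host].append(o)
    clusters = []
    for obs in by_host.values():
        current = [obs[0]]
        for o in obs[1:]:
            if o.ts - current[0].ts <= window:
                current.append(o)
            else:
                clusters.append(current)
                current = [o]
        clusters.append(current)
    return clusters


def noisy_or(scores):
    """Fuse independent detector scores: P(any detector is right) under independence."""
    miss = 1.0
    for s in scores:
        miss *= 1.0 - s
    return 1.0 - miss


def build_alerts(clusters, min_sensors=2):
    """Layer 3: emit a human-readable alert only when at least `min_sensors` distinct sensors agree."""
    alerts = []
    for cluster in clusters:
        sensors = sorted({o.sensor for o in cluster})
        if len(sensors) < min_sensors:
            continue
        score = noisy_or([o.score for o in cluster])
        lines = [f"Host {cluster[0].host}: {len(cluster)} correlated observations "
                 f"from {', '.join(sensors)} sensors (combined score {score:.2f})"]
        lines += [f"  t={o.ts} [{o.sensor}] {o.label}: {o.detail}" for o in cluster]
        alerts.append({"host": cluster[0].host, "score": round(score, 2), "text": "\n".join(lines)})
    return alerts


def run_pipeline(endpoint_events=ENDPOINT_EVENTS, network_events=NETWORK_EVENTS):
    """Run all three layers and return the analyst-facing alerts."""
    observations = endpoint_detector(endpoint_events) + network_detector(network_events)
    return build_alerts(correlate(observations))


if __name__ == "__main__":
    for alert in run_pipeline():
        print(alert["text"])
```

Only ws-17 produces an alert: its office-spawned shell at t=100 and the 18 MB egress at t=103 fall in one window and come from two sensors, fusing to 1 - (0.3 x 0.4) = 0.88. The explorer-spawned shell and ws-22's small flow never leave layer 1, which is the filtering the abstract attributes to the hierarchy. In a real deployment the `min_sensors` gate is also a false-positive control: a lone weak detector never reaches an analyst.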
Taxonomy
Topics: Network Security and Intrusion Detection · Advanced Malware Detection Techniques · Digital and Cyber Forensics
