Constructing a Network Science Toolchain for Analyzing Network Traffic

For this thesis, a toolchain was designed that aimed to process network traffic to identify host and event behavior. Network traffic is difficult for network administrators to analyze because both the area of responsibility and distribution of external actors are very large when protecting an enterprise network. Having a process that converts streaming network data into actionable intelligence greatly improves the operational capability of network administrators. The process consisted of three phases: Netflow Collection, Network Analysis, and Actionable Classification which were validated using a series of experiments. The following experiments were performed: a comparison between behavior of normal weeks and a flash crowd incident, a comparison of behavior among functional groups within the corporation, an analysis of hosts reported for abusive behavior, and a classification method for identifying hosts by behavior. The toolchain revolved around using network science methods to gather, process, and measure data. Even though network science is typically used to analyze social network data, the similarities in size and structure of social network data and netflow data make it viable for similar analysis.