Date of Award

Spring 5-2018

Embargo Period

5-23-2018

Degree Type

Thesis

Degree Name

Master of Science (MS)

Department

Information Networking Institute

Advisor(s)

Kathleen Carley

Second Advisor

Tim Shimeall

Abstract

For this thesis, a toolchain was designed to process network traffic in order to identify host and event behavior. Network traffic is difficult for network administrators to analyze because, when protecting an enterprise network, both the area of responsibility and the distribution of external actors are very large. Having a process that converts streaming network data into actionable intelligence greatly improves the operational capability of network administrators. The process consisted of three phases: Netflow Collection, Network Analysis, and Actionable Classification, which were validated using a series of experiments. The following experiments were performed: a comparison between the behavior of normal weeks and a flash crowd incident, a comparison of behavior among functional groups within the corporation, an analysis of hosts reported for abusive behavior, and a classification method for identifying hosts by behavior. The toolchain revolved around using network science methods to gather, process, and measure data. Even though network science is typically used to analyze social network data, the similarities in size and structure between social network data and netflow data make it viable for similar analysis.

Media Format

flash_audio
