Behavioral analysis of network flow traffic

Abstract

Network Behavior Analysis (NBA) is a technique to enhance network security by passively monitoring aggregate traffic patterns and noting unusual action or departures from normal operations. The analysis is typically performed offline, due to the huge volume of input data, in contrast to conventional intrusion prevention solutions based on deep packet inspection, signature detection, and real-time blocking. After establishing a benchmark for normal traffic, an NBA program monitors network activity and flags unknown, new, or unusual patterns that might indicate the presence of a potential threat. NBA also monitors and records trends in bandwidth and protocol use. Computer users in the Department of Defense (DoD) operational networks may use Hypertext Transport Protocol (HTTP) to stream video from multimedia sites like youtube.com, myspace.com, mtv.com, and blackplanet.com. Such streaming may hog bandwidth, a grave concern, given that increasing amounts of operational data are exchanged over the Global Information Grid, and introduce malicious viruses inadvertently. This thesis develops an NBA solution to identify and estimate the bandwidth usage of HTTP streaming video traffic entirely from flow records such as Cisco's NetFlow data.