Attribution and Aggregation of Network Flows for Security Analysis

This paper describes a network flow analyzer that is capable of attribution and aggregation of different flows into single activity events for the purposes of identifying suspicious and illegitimate behaviors. Flows are correlated with security events using the Process Query System (PQS) infrastructure. We show results from initial experiments and describe plans for extending the effort. The correlation of network flows with security events appears to have high potential for aggregating disparate network and host activity and for classifying network activity as either benign or suspicious.
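The abstract describes two steps: aggregating individual flows into activity events, and attributing host security events to those activities so the combined activity can be labelled benign or suspicious. The script below is an added illustration of that pipeline and is not the paper's analyzer or the PQS infrastructure: it assumes a simple gap-based grouping rule for flows between the same host pair, a time-window rule for attributing events to an activity, and a placeholder classification rule (any correlated `auth_failure` or `ids_alert` event marks the activity suspicious). The flow records and events are constructed sample data.

```python
"""Illustrative flow aggregation and security-event correlation (added example,
not the paper's implementation). All rules and sample data are assumptions."""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Flow:
    start: float      # seconds, relative time (constructed)
    end: float
    src: str
    dst: str
    dport: int
    nbytes: int


@dataclass
class SecurityEvent:
    time: float
    host: str         # host on which the event was observed
    kind: str         # constructed label, e.g. "auth_failure"


@dataclass
class Activity:
    """One aggregated activity event between a host pair."""
    src: str
    dst: str
    start: float
    end: float
    flows: list = field(default_factory=list)
    events: list = field(default_factory=list)

    @property
    def nbytes(self) -> int:
        return sum(f.nbytes for f in self.flows)


def aggregate(flows, gap=60.0):
    """Merge flows between the same (src, dst) pair into one activity whenever a
    flow starts within `gap` seconds of the previous flow's end (assumed rule)."""
    by_pair = defaultdict(list)
    for f in sorted(flows, key=lambda f: f.start):
        by_pair[(f.src, f.dst)].append(f)
    activities = []
    for (src, dst), pair_flows in by_pair.items():
        current = None
        for f in pair_flows:
            if current is None or f.start - current.end > gap:
                current = Activity(src, dst, f.start, f.end)
                activities.append(current)
            current.flows.append(f)
            current.end = max(current.end, f.end)
    return sorted(activities, key=lambda a: a.start)


def correlate(activities, events, slack=10.0):
    """Attribute an event to an activity when the event host is one of the
    activity's endpoints and its time lies within the activity span +/- slack."""
    for a in activities:
        for e in events:
            if e.host in (a.src, a.dst) and a.start - slack <= e.time <= a.end + slack:
                a.events.append(e)
    return activities


# Placeholder classification rule; the paper's PQS-based models are not reproduced here.
SUSPICIOUS_KINDS = {"auth_failure", "ids_alert"}


def verdict(a: Activity) -> str:
    return "suspicious" if any(e.kind in SUSPICIOUS_KINDS for e in a.events) else "benign"


def analyze(flows, events, gap=60.0, slack=10.0):
    """Run aggregation, attribution and classification; return one summary row per activity."""
    activities = correlate(aggregate(flows, gap), events, slack)
    return [(a.src, a.dst, a.start, a.end, len(a.flows), len(a.events), verdict(a))
            for a in activities]


# Constructed sample data: three SSH flows in quick succession from 10.0.0.5, a later
# HTTPS flow from the same host, and one HTTP flow from a different host.
SAMPLE_FLOWS = [
    Flow(0, 5, "10.0.0.5", "10.0.0.9", 22, 1200),
    Flow(20, 25, "10.0.0.5", "10.0.0.9", 22, 900),
    Flow(45, 50, "10.0.0.5", "10.0.0.9", 22, 4000),
    Flow(500, 505, "10.0.0.5", "10.0.0.9", 443, 30000),
    Flow(30, 35, "10.0.0.7", "10.0.0.9", 80, 700),
]
SAMPLE_EVENTS = [
    SecurityEvent(25, "10.0.0.9", "auth_failure"),
    SecurityEvent(48, "10.0.0.9", "auth_failure"),
]

if __name__ == "__main__":
    for row in analyze(SAMPLE_FLOWS, SAMPLE_EVENTS):
        print(row)
```

With the sample data the three SSH flows collapse into a single activity that picks up both authentication failures, the unrelated HTTP flow from 10.0.0.7 is attributed one failure because it overlaps the same window on the same destination host, and the HTTPS flow 500 seconds later forms a separate, benign activity. The slack window is what decides how aggressively events are shared between overlapping activities, which is the tuning point a practitioner would revisit first.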
