search menu icon-carat-right cmu-wordmark
Carnegie Mellon University

Anomaly Detection Through Blind Flow Analysis Inside a Local Network (White Paper)

White Paper
By
In this paper, the authors describe how hosts may be clustered into user workstations, servers, printers, and hosts compromised by worms.
Publisher

Software Engineering Institute

Subjects

Abstract

In August of 2006, 4 months of Netflow records that were collected inside a small private network were subjected to a Blind Flow Analysis. Such an analysis is characterized by having access to the flow records from inside the network but no access to the payload data and no physical access to the hosts generating the traffic. Experiments were conducted to discover if useful behavioural clusters could be constructed with such minimal access and whether individual classes of hosts could be clustered into standard ranges, including clusters indicative of compromised hosts. Early results are promising in that hosts may be clustered into User Workstations, Servers, Printers, and hosts Compromised by Worms.

SHARE
Download PDF
Part of a Collection

FloCon 2006 Collection

Ask a question about this White Paper

This content was created for a conference series or symposium and does not necessarily reflect the positions and views of the Software Engineering Institute.