Discrete Mathematical Approaches to Traffic Graph Analysis

Presentation
In this presentation, the authors discuss NetFlow multigraphs and graph statistics and provide characterizations of IP interaction during simulated attacks.
Publisher

Software Engineering Institute

Abstract

In this presentation, the authors describe:

  • A basic characterization of the formal structure of NetFlow multigraphs, both at the detailed IP:Port level and their scalar projections to subgraphs involving only IPs and ports
  • A description of the VAST 2013 cyber challenge test data
  • Some analytical results using basic NetFlow graph statistics
  • A characterization of IP interaction during simulated attacks using a simple, but novel, theoretical measure of the labeled degree distribution of the flow nodes
  • Another characterization of the temporal characteristics of flows in attacks, using the mathematical order relationships of flow time intervals and interval arithmetic to measure their separations

These analytic methods are in the process of being deployed on operational data. But even against test data, in addition to highlighting the potential significance against real data, they reveal aspects and even artifacts of the simulation itself, indicating the promise for this approach.

Part of a Collection

FloCon 2015 Collection

This content was created for a conference series or symposium and does not necessarily reflect the positions and views of the Software Engineering Institute.