Attribution and Aggregation of Network Flows for Security Analysis (White Paper)
October 2006 • White Paper
Annarita Giani (UC Berkeley), Ian Gregorio-De Souza (Dartmouth College), Vincent Berk (Dartmouth College), George Cybenko (Dartmouth College)
In this paper, the authors describe a network flow analyzer capable of attribution and aggregation of different flows to identify suspicious behaviors.
This paper describes a network flow analyzer that is capable of attribution and aggregation of different flows into single activity events for the purposes of identifying suspicious and illegitimate behaviors. Flows are correlated with security events using the Process Query System (PQS) infrastructure. We show results from initial experiments and describe plans for extending the effort. The correlation of network flows with security events appears to have high potential for aggregating disparate network and host activity and for classifying network activity as either benign or suspicious.