Characterizing Packet Linearity

September 2021 Video

Using features of network flow metadata, we propose a method for producing a generalizable baseline to support operational analysis on established networks.

Publisher:

Software Engineering Institute

Abstract

Establishing a network baseline is an important prerequisite for situational awareness on an enterprise network, yet this task is often left undone. Defense organizations in particular need to distinguish normal traffic patterns from abnormal ones in support of comprehensive cyberspace operations, but they typically lack a pre-operational baseline to compare against. A properly established baseline requires collecting network packet captures and performance metrics, ideally before the network is deployed. Compounding the problem, the volume and velocity of network traffic requiring analysis keep increasing, which makes Deep Packet Inspection (DPI) increasingly infeasible at scale. Using features of network flow metadata, we propose a method for producing a generalizable baseline to support operational analysis on established networks. We first decompose network traffic into a feature space ordered by predictive importance. Observing these features over time lets us identify patterns and enable anomaly detection. Using linear regression, we attempt network packet classification as the first step in a hierarchical approach, to be expanded and tested as part of future work.
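The following is an added illustration of the workflow the abstract sketches, written for this page and not code from the SEI presentation: flow records (the kind a NetFlow or IPFIX collector exports, so no payload inspection is needed) are scored for predictive importance against a target feature, a linear model is fit to the baseline, and new flows are classified by how far their residual falls from the baseline. The flow records, the candidate features (packets and duration predicting bytes), the use of Pearson correlation as the importance measure, and the 3-sigma residual threshold are all assumptions made for the example; the SEI work does not specify them.

```python
"""Flow-metadata baseline: rank features, fit a linear model, flag outliers."""
from dataclasses import dataclass
from math import sqrt
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    """One flow record, the kind of metadata a NetFlow/IPFIX collector exports."""
    src: str
    dst: str
    dport: int
    packets: int
    bytes: int
    duration: float  # seconds


# Constructed baseline flows, not real capture data (assumption for the example):
# a bulk-transfer service whose byte count grows roughly linearly with packet count.
BASELINE = [
    Flow("10.0.0.11", "10.0.1.5", 443, 10, 9250, 1.2),
    Flow("10.0.0.12", "10.0.1.5", 443, 20, 18160, 2.5),
    Flow("10.0.0.13", "10.0.1.5", 443, 30, 27230, 0.8),
    Flow("10.0.0.14", "10.0.1.5", 443, 40, 36140, 3.1),
    Flow("10.0.0.15", "10.0.1.5", 443, 50, 45220, 1.9),
    Flow("10.0.0.16", "10.0.1.5", 443, 60, 54190, 2.2),
    Flow("10.0.0.17", "10.0.1.5", 443, 15, 13700, 1.5),
    Flow("10.0.0.18", "10.0.1.5", 443, 25, 22710, 0.6),
]

CANDIDATE_FEATURES = ("packets", "duration")  # assumed feature space
TARGET = "bytes"                              # assumed target feature


def pearson(xs, ys):
    """Pearson correlation coefficient of two equal-length sequences."""
    mx, my = mean(xs), mean(ys)
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    return cov / sqrt(vx * vy)


def rank_features(flows):
    """Order candidate features by |r| against the target, a simple stand-in
    for the predictive-importance ordering the abstract describes."""
    target = [getattr(f, TARGET) for f in flows]
    scored = [(name, abs(pearson([getattr(f, name) for f in flows], target)))
              for name in CANDIDATE_FEATURES]
    return sorted(scored, key=lambda t: t[1], reverse=True)


def fit_line(xs, ys):
    """Ordinary least squares for y = slope * x + intercept."""
    mx, my = mean(xs), mean(ys)
    sxx = sum((x - mx) ** 2 for x in xs)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    slope = sxy / sxx
    return slope, my - slope * mx


def build_baseline(flows):
    """Fit the target against the most predictive feature and record the
    spread of the residuals, which defines what 'normal' looks like."""
    feature = rank_features(flows)[0][0]
    xs = [getattr(f, feature) for f in flows]
    ys = [getattr(f, TARGET) for f in flows]
    slope, intercept = fit_line(xs, ys)
    residuals = [y - (slope * x + intercept) for x, y in zip(xs, ys)]
    # A perfectly linear baseline would give zero spread; floor it so a later
    # division cannot blow up and any deviation is then flagged.
    resid_std = max(pstdev(residuals), 1e-9)
    return {"feature": feature, "slope": slope, "intercept": intercept,
            "resid_std": resid_std}


def residual_z(flow, baseline):
    """How many baseline standard deviations the flow's residual lies from the fit."""
    x = getattr(flow, baseline["feature"])
    predicted = baseline["slope"] * x + baseline["intercept"]
    return (getattr(flow, TARGET) - predicted) / baseline["resid_std"]


def classify(flow, baseline, threshold=3.0):
    """Label a flow 'normal' or 'anomalous' by residual z-score (threshold assumed)."""
    return "anomalous" if abs(residual_z(flow, baseline)) > threshold else "normal"


if __name__ == "__main__":
    model = build_baseline(BASELINE)
    print("feature ranking:", rank_features(BASELINE))
    print("baseline:", model)
    for probe in (Flow("10.0.0.99", "10.0.1.5", 443, 35, 31700, 1.4),
                  Flow("10.0.0.99", "10.0.1.5", 443, 40, 2400, 9.0),
                  Flow("10.0.0.99", "10.0.1.5", 443, 30, 300000, 0.5)):
        print(probe.packets, probe.bytes, "->", classify(probe, model))
```

Two points matter in practice. First, one line fit across a whole network is a coarse baseline; the fit should be built per service (destination port and protocol, at least), since bytes-per-packet behaviour differs between an interactive session and a bulk transfer. Second, the threshold has to be tuned against the residual distribution actually observed, otherwise a heavy-tailed service floods the analyst with false positives.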