TY - GEN
T1 - Sifting through network data to cull activity patterns with HEAPs
AU - Sharafuddin, Esam
AU - Jin, Yu
AU - Jiang, Nan
AU - Zhang, Zhi-Li
PY - 2010
Y1 - 2010
N2 - Today's large campus and enterprise networks are characterized by their complexity, i.e. containing thousands of hosts, and diversity, i.e. with various applications and usage patterns. To effectively manage and secure such networks, network operators and system administrators are faced with the challenge of characterizing, profiling and tracking activity patterns passing through their networks. Because of the large number of IP addresses and the prevalence of dynamic IP addresses, profiling and tracking individual hosts may be neither effective nor scalable. In this paper, we develop a hierarchical extraction of activity patterns (HEAPs), which is a method for characterizing and profiling activity patterns within subnets. By representing activities within a subnet in a host-port association matrix (HPAM) and applying pLSA, we obtain co-clusters that capture the significant and dominant activity patterns of the subnet. Using these co-clusters, we utilize hierarchical clustering to cluster activity patterns to help network operators and security analysts gain a "big-picture" view of the network activity patterns. We also develop a novel method to track and quantify changes in activity patterns within subnets over time and demonstrate how to utilize this method to identify major changes and anomalies within the network.
UR - http://www.scopus.com/inward/record.url?scp=77955864806&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=77955864806&partnerID=8YFLogxK
U2 - 10.1109/ICDCS.2010.65
DO - 10.1109/ICDCS.2010.65
M3 - Conference contribution
AN - SCOPUS:77955864806
SN - 9780769540597
T3 - Proceedings - International Conference on Distributed Computing Systems
SP - 685
EP - 696
BT - ICDCS 2010 - 2010 International Conference on Distributed Computing Systems
T2 - 30th IEEE International Conference on Distributed Computing Systems, ICDCS 2010
Y2 - 21 June 2010 through 25 June 2010
ER -