Description |
Network administrators perform many activities every day to keep an organization's network healthy, and they rely on a range of tools to do so. These tools aggregate traffic at different levels for performance management, security, quality of service and other purposes. Aggregation at the port/application level, which describes the behavior of flows, is well studied; aggregation that describes the behavior of hosts and of groups of hosts is less so. The two views together help admins make informed decisions about, among other things, security policy and capacity planning. Looking at the flow level alone does not reveal the total activity of each host, nor which hosts behave alike, because a flow is only a single instance of communication between two hosts. We therefore aggregate by host and group hosts by their observed behavior. Because an enterprise network produces millions of flows among thousands of hosts, we apply data mining techniques to find this structure and present it to admins to support their decisions and ease network management. We have built a system that consumes the flow records of a network as input, derives the behavior of each host and groups the hosts accordingly, together with a companion tool that analyzes host behaviors along several dimensions. Extracting behaviors from network data in this way has given us interesting insights into the users of the network. We claim that analyzing host behaviors can uncover security weaknesses in the network that traditional tools do not find. We also claim that hosts behaving similarly require a similar amount of network resources, so grouping them is a more efficient basis for capacity planning than present bandwidth monitoring techniques. |
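The host-level aggregation and grouping the abstract describes, as an added worked example written for this page (not the thesis's system or its code): flow records are rolled up into one behavior profile per internal host, the profile features are scaled, and hosts are grouped with a small k-means. The feature set, the choice of k-means with farthest-first seeding, the internal-prefix filter and the sample addresses are all assumptions made for illustration; the abstract names none of them.

```python
"""Added example: aggregate flow records per host, then group hosts by behaviour.

The feature set and the clustering method (farthest-first seeded k-means) are
assumptions chosen for illustration; the abstract does not specify either.
"""
from collections import defaultdict
from math import log1p, sqrt

# Constructed bidirectional flow records, not captured traffic:
# (src, dst, dst_port, bytes_fwd, bytes_rev). Addresses are RFC 1918 / TEST-NET.
INTERNAL = "10.0.0."
WORKSTATIONS = ["10.0.0.11", "10.0.0.12", "10.0.0.13", "10.0.0.14"]
SERVER, SCANNER = "10.0.0.50", "10.0.0.99"
FLOWS = []
for ws in WORKSTATIONS:                      # browsing plus one internal service
    for ext in ("203.0.113.10", "198.51.100.20"):
        FLOWS.append((ws, ext, 443, 2_400, 180_000))
        FLOWS.append((ws, ext, 80, 900, 40_000))
    FLOWS.append((ws, SERVER, 443, 5_000, 12_000))
for target in WORKSTATIONS + [SERVER]:       # one host probing every other host
    for port in (22, 23, 445, 3389):
        FLOWS.append((SCANNER, target, port, 60, 0))


def host_profiles(flows, internal_prefix):
    """Roll flows up into one tuple per internal host:
    (flows_out, flows_in, distinct_peers, distinct_dst_ports_out, bytes_total)."""
    acc = defaultdict(lambda: {"out": 0, "in": 0, "bytes": 0,
                               "peers": set(), "dports": set()})
    for src, dst, dport, b_fwd, b_rev in flows:
        if src.startswith(internal_prefix):
            h = acc[src]
            h["out"] += 1
            h["bytes"] += b_fwd + b_rev
            h["peers"].add(dst)
            h["dports"].add(dport)
        if dst.startswith(internal_prefix):
            h = acc[dst]
            h["in"] += 1
            h["bytes"] += b_fwd + b_rev
            h["peers"].add(src)
    return {host: (h["out"], h["in"], len(h["peers"]), len(h["dports"]), h["bytes"])
            for host, h in acc.items()}


def normalise(profiles):
    """log1p each count (counts span orders of magnitude), then min-max scale
    each feature to [0, 1] so no single feature dominates the distance."""
    hosts = sorted(profiles)
    logged = {h: [log1p(v) for v in profiles[h]] for h in hosts}
    dims = len(profiles[hosts[0]])
    lo = [min(logged[h][i] for h in hosts) for i in range(dims)]
    hi = [max(logged[h][i] for h in hosts) for i in range(dims)]
    return {h: tuple((logged[h][i] - lo[i]) / (hi[i] - lo[i]) if hi[i] > lo[i] else 0.0
                     for i in range(dims)) for h in hosts}


def _dist(a, b):
    return sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def group_hosts(profiles, k):
    """k-means over normalised profiles. Seeds are chosen farthest-first from the
    first host (sorted order) so the result is deterministic; returns the groups
    as sorted lists of host addresses."""
    vec = normalise(profiles)
    hosts = sorted(vec)
    centroids = [vec[hosts[0]]]
    while len(centroids) < k:
        far = max(hosts, key=lambda h: min(_dist(vec[h], c) for c in centroids))
        centroids.append(vec[far])
    assignment = None
    for _ in range(100):                      # Lloyd iterations until stable
        new = {h: min(range(k), key=lambda i: _dist(vec[h], centroids[i])) for h in hosts}
        if new == assignment:
            break
        assignment = new
        for i in range(k):
            members = [vec[h] for h in hosts if assignment[h] == i]
            if members:                       # an empty cluster keeps its old centroid
                centroids[i] = tuple(sum(col) / len(members) for col in zip(*members))
    groups = defaultdict(list)
    for h, i in assignment.items():
        groups[i].append(h)
    return sorted(groups.values())


if __name__ == "__main__":
    profiles = host_profiles(FLOWS, INTERNAL)
    for group in group_hosts(profiles, 3):
        print(group, [profiles[h] for h in group])
```

Run on the constructed records, the four identically behaving workstations land in one group while the service host and the probing host are each isolated. That is the structure the abstract says admins want from host-level aggregation: hosts within a group share a resource footprint, so the group is the natural unit for capacity planning, and a host that matches no group (here, the one touching every peer on many ports with almost no payload) stands out for closer inspection even though no single flow looks unusual.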