Effective Programmatic Analysis of Network Flow Data for Security and Visualization using Higher-order Statistics and Domain Specific Embedded Languages

Conley, Thomas A.

Abstract Details

2012, Master of Science (MS), Ohio University, Computer Science (Engineering and Technology).

The widespread availability of information on networks today, coupled with the potential for its exploitation by malicious software, demands constant vigilance from the network engineers responsible for information security. Even a moderately sized computer network produces a volume of traffic data that no human can watch carefully and understand without tools capable of automatic summarization and analysis.

This thesis presents research and engineering that demonstrates the usefulness of network traffic data and presents effective statistical methods and practical mechanisms for analyzing massive amounts of this information for intrusion detection, network forensics, problem alerting and systems monitoring.

We explore how a simple set of network traffic features can be analyzed and used to characterize behavior on the network. We suggest that statistical measurements, entropy and other higher-order calculations are effective for determining network status and for detecting anomalies. Communication patterns in NetFlow data are summarized for further automatic analysis or for visual interpretation by information security analysts. We examine the potential for identifying overlay networks, such as botnet command-and-control systems, within a larger, complex network of communication. We suggest ways of automating or assisting the manual traffic-analysis processes currently in place at Ohio University through the development of simple tools.

Shawn Ostermann, PhD (Committee Chair)
Mehmet Celenk, PhD (Committee Member)
Hans Kruse, PhD (Committee Member)
David Moore, PhD (Committee Member)
111 p.

Recommended Citations

  • APA Style (7th edition): Conley, T. A. (2012). Effective Programmatic Analysis of Network Flow Data for Security and Visualization using Higher-order Statistics and Domain Specific Embedded Languages [Master's thesis, Ohio University]. OhioLINK Electronic Theses and Dissertations Center. http://rave.ohiolink.edu/etdc/view?acc_num=ohiou1336482912

  • MLA Style (8th edition): Conley, Thomas. Effective Programmatic Analysis of Network Flow Data for Security and Visualization using Higher-order Statistics and Domain Specific Embedded Languages. 2012. Ohio University, Master's thesis. OhioLINK Electronic Theses and Dissertations Center, http://rave.ohiolink.edu/etdc/view?acc_num=ohiou1336482912.

  • Chicago Manual of Style (17th edition): Conley, Thomas. "Effective Programmatic Analysis of Network Flow Data for Security and Visualization using Higher-order Statistics and Domain Specific Embedded Languages." Master's thesis, Ohio University, 2012. http://rave.ohiolink.edu/etdc/view?acc_num=ohiou1336482912