Characterizing University of Virginia's Baseline Network for Anomaly Detection

Rodriguez, Matthew, Systems Engineering - School of Engineering and Applied Science, University of Virginia
Rodriguez, Matthew, Engineering Graduate, University of Virginia

This paper details the research conducted to characterize the University of Virginia’s baseline network behavior. The study lays out a methodology for extracting network traffic, processing the captured data, reading the traffic into the programs used, and generating time series graphs for characterization analysis. The paper then presents the study’s initial results from various models, followed by the data cleaning and layering techniques used to arrive at a final model for distinguishing the “pattern of life” of the network traffic. Unlike previous studies, this study aims to characterize a large network accessed by an academic population through analysis of Bro logs, specifically http.log files. Future work will focus on constructing wider time window comparisons of various features in order to analyze how the baseline network behaves across each day, week, month, and conceivably year. The end goal of this study is to develop a more accurate model for distinguishing the “pattern of life” of the University of Virginia’s network traffic in order to detect network anomalies. This network characterization model would aid the University of Virginia and other large academic institutions in understanding the typical behaviors of their network traffic and in detecting anomalous traffic that may indicate intrusions.

MS (Master of Science)
Characterization, Baseline, Network Traffic