Accession Number : AD1046827


Title : Systematic Assessment of the Impact of User Roles on Network Flow Patterns


Descriptive Note : Technical Report


Corporate Author : Naval Postgraduate School Monterey United States


Personal Author(s) : Dean, Jeffrey S


Full Text : https://apps.dtic.mil/dtic/tr/fulltext/u2/1046827.pdf


Report Date : 01 Sep 2017


Pagination or Media Count : 165


Abstract : Defining normal computer user behavior is critical to detecting potentially malicious activity. To facilitate this, some anomaly detection systems group the profiles of users expected to behave similarly, setting thresholds of normal behavior for each group. One way to group users is to use organizational role labels, as people with similar roles in an organization often share common tasks and activities. Another way is to group users based on observed behavioral similarities. We tested the premise that users sharing roles behave similarly on networks, applying two machine-learning classifiers (nearest-centroid and a support vector machine) to differentiate between groups based on flow-data feature vectors. We conducted tests using 1.2 billion network-flow records from a large building at Naval Postgraduate School over five weeks. Tests showed similar results when they were conducted with and without removal of automated flows. Tests showed that users in role groups do not exhibit significantly similar network behaviors. We also clustered feature-vector data to group users by patterns of network behavior and showed that defining user groups this way provides a better way to bound normal user behavior.


Descriptors : MACHINE LEARNING, Behavior, networks, test and evaluation


Subject Categories : Psychology, Computer Systems


Distribution Statement : APPROVED FOR PUBLIC RELEASE