Accession Number:

AD1053820

Title:

Statistic Whitelisting for Enterprise Network Incident Response

Descriptive Note:

Technical Report

Corporate Author:

AIR FORCE INSTITUTE OF TECHNOLOGY WRIGHT-PATTERSON AFB OH WRIGHT-PATTERSON AFB United States

Personal Author(s):

Report Date:

2016-03-24

Pagination or Media Count:

106.0

Abstract:

This research seeks to satisfy the need for the rapid evaluation of enterprise network hosts in order to identify items of significance through the introduction of a statistic whitelist based on the behavior of the processes on each host. By taking advantage of the repetition of processes and the resources they access, a whitelist can be generated using large quantities of host machines. For each process, the Modules and the TCP and UDP Connections are compared to identify which resources are most commonly accessed by each process. Results show 47 of processes receiving a whitelist score of 75 or greater in thefive hosts identified as having the worst overall scores and 60 of processes when the hosts more closely match the hosts used to build the whitelist.

Subject Categories:

  • Sociology and Law

Distribution Statement:

APPROVED FOR PUBLIC RELEASE