Statistic Whitelisting for Enterprise Network Incident Response

Abstract

This research seeks to satisfy the need for rapid evaluation of enterprise network hosts in order to identify items of significance, through the introduction of a statistic whitelist based on the behavior of the processes on each host. By taking advantage of the repetition of processes and of the resources they access, a whitelist can be generated from a large population of host machines. For each process, the loaded Modules and the TCP and UDP Connections are compared across hosts to identify which resources are most commonly accessed by that process. Results show 47% of processes receiving a whitelist score of 75% or greater on the five hosts identified as having the worst overall scores, and 60% of processes when the hosts more closely match the hosts used to build the whitelist.

Document Details

Document Type
Technical Report
Publication Date
Mar 24, 2016
Accession Number
AD1053820

Entities

People

  • Nathan E Grunzweig

Organizations

  • Air Force Institute of Technology

Tags

Communities of Interest

  • Materials and Manufacturing Processes

DTIC Thesaurus Topics

  • Air Force
  • Anti-Virus Software
  • Computational Forensics
  • Computers
  • Control Systems
  • Data Analysis
  • Data Set
  • Databases
  • Department Of Defense
  • Digital Data
  • Engineering
  • Governments
  • Graphical User Interface
  • Information Operations
  • Information Processing
  • Intellectual Property
  • Malware
  • Network Protocols
  • Operating Systems
  • Security
  • Standards
  • United States
  • United States Government
  • User Interface

Readers

  • Computer Networking
  • Computer Programming and Software Development
  • Systems Analysis and Design