Examining the Effect of Organizational Roles in Shaping Network Traffic Activity
Abstract
We hypothesize that a computer user's environment shapes the characteristics of his/her network traffic. In particular, we focus on whether a user's role at the work place induces discriminating characteristics, due to the task requirements of assuming that role. If true, this shaping can enable development of useful indicators for detecting insider threat activities. We develop a methodology to evaluate this hypothesis, characterized by (i) new traffic similarity metrics for quantifying the variations of flow-level traffic activities between role-based user groups; (ii) use of exclusively Netflow data to build user/group discriminating features; and (iii) a rigorous process for attributing flows to users and mapping users to roles. We evaluate the role-based hypothesis using a four-week long dataset of Netflow records from a university building. We measure inter-system similarities using several flow based methodologies, and show significant levels of value overlap when computing inter and intra role-based group similarities. We did observe indications that similar roles lead to similar allocations of time for related tasks. We also found that most of the user traffic features under consideration persist over time, with a typical similarity value of above 0.8 week to week. These findings lead us to believe that measuring role based group characteristics on the network requires a temporal component for the characterization to be useful.
Document Details
- Document Type
- Technical Report
- Publication Date
- Aug 01, 2012
- Accession Number
- ADA582602
Entities
People
- Geoffrey G. Xie
- Jeffrey S. Dean
- Neil Rowe
- Robert Beverly
Organizations
- Naval Postgraduate School