Chapter 14. On Volume and Time
In this chapter, we look at phenomena that can be identified by comparing traffic volume against the passage of time. âVolumeâ may be a simple count of the number of bytes or packets, or it may be a construct such as the number of IP addresses transferring files. Based on the traffic observed, there are a number of different phenomena that can be pulled out, such as:
- Beaconing
-
When a host on your network communicates with an unknown host at regular intervals, it is a possible sign of communications with command and control.
- File extraction
-
Massive downloads are suggestive of someone stealing your internal data.
- Denial of service (DoS)
-
DoS attacks can prevent your servers from providing service.
Traffic volume data is noisy. Most of the observables that you can directly count, such as the number of bytes over time, vary highly and with no real relationship between the volume of the event and its significance. In other words, thereâs rarely a significant relationship between the number of bytes and the importance of the events. This chapter will help you find unusual behaviors through scripts and visualizations, but a certain amount of human eyeballing and judgment are necessary to determine which behaviors to consider dangerous.
The Workday and Its Impact on Network Traffic Volume
The bulk of traffic on an enterprise network comes from people who are paid to work there, so their traffic is going to roughly follow the hours of the business ...
Get Network Security Through Data Analysis, 2nd Edition now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.
