Software Engineering Institute

One of the limitations of solely using flow metadata (e.g. Netflow) for network analysis is the difficulty in differentiating flows generated by user activities and flows generated by automatic processes. Most personal computers generate network flows continuously, performing actions such as checking for system updates, new messages, or network resources. We investigated how to identify automatic flows as a means of enhancing Netflow-based analyses of user behaviors; this approach however can be used to isolate and evaluate non-user generated flows as well. To develop this methodology this we created two virtual machines, one Windows 7 and one Ubuntu, and performed typical user activities on each VM while capturing the resultant flow data generated. User actions were scripted, with times logged and actions separated by intervals long enough for user initiated flows to complete. This allowed us to label all captured flow data as being either automatic or user generated. The labeled data was assessed, and used to develop and test algorithms to identify and label automatic flows. The resulting algorithms are not dependent on the ports or platform used. We present our observations on the discriminators we identified, the algorithms we generated and how well they performed.