Modeling the Active and Idle Durations of Network Hosts
In this presentation, Soumyo discusses the distributions of active and idle durations of network hosts using flow data. An active period is one in which the host has had one or more outward flows; the duration of activity is estimated as the sum of the periods over which the host has been continuously active. An idle period is similarly defined as one in which there have been no outward flows, and an idle duration is the sum of the periods over which the host was continuously idle. Soumyo estimates these active and idle durations over a time window and considers their distributions. The analysis provides a particular perspective on network activity and is important for situational awareness: baselines can be developed for characterizing these distributions, and significant changes in the network behavior of hosts can then be detected in terms of their active and idle durations. The distribution of idle times is important because it can be used to estimate the probability of a host still being active after a period of idleness; this metric is analogous to survivability in reliability theory. The distribution can also be used to estimate the conditional probability of a host being active again within a time horizon, given that it has been idle for some length of time. Soumyo estimates these distributions from some public domain data and suggests ways of interpreting them, and also discusses the implications for situational awareness, security, and network inventory.
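The computation described above, as an added example that is not part of the talk: active and idle durations for one host are built from fixed observation periods over flow records, the empirical survival function S(t) of idle durations is estimated, and the conditional probability of the host becoming active again within a horizon h given it has been idle longer than t is taken as 1 - S(t+h)/S(t). The 60-second period, the flow record layout and the sample flows are assumptions.

```python
# Added example: active/idle durations per host from flow records, the empirical
# idle-duration survival S(t), and P(active again within h | idle longer than t).
PERIOD = 60  # seconds per observation period (assumed; the talk gives no bin size)

def active_idle_durations(flows, host, window_start, window_end, period=PERIOD):
    """(active_durations, idle_durations) in seconds for `host`; flows are
    (start_time_seconds, source_host) outward-flow records. A period is active
    if it holds at least one flow from the host; runs of consecutive periods
    in the same state are summed into one duration."""
    n_periods = (window_end - window_start) // period
    if n_periods <= 0:
        return [], []
    active = [False] * n_periods
    for ts, src in flows:
        if src == host and window_start <= ts < window_end:
            active[(ts - window_start) // period] = True
    durations = {True: [], False: []}
    run_state, run_len = active[0], 0
    for state in active:
        if state == run_state:
            run_len += 1
        else:
            durations[run_state].append(run_len * period)
            run_state, run_len = state, 1
    durations[run_state].append(run_len * period)  # close the final run
    return durations[True], durations[False]

def survival(idle_durations, t):
    """Empirical S(t) = P(idle duration > t): share of idle spells still running at t."""
    if not idle_durations:
        return 0.0
    return sum(1 for d in idle_durations if d > t) / len(idle_durations)

def p_active_within(idle_durations, t, horizon):
    """P(active again within horizon | idle longer than t) = 1 - S(t+horizon)/S(t);
    None when no observed idle spell exceeded t (the estimate is undefined)."""
    s_t = survival(idle_durations, t)
    if s_t == 0.0:
        return None
    return 1.0 - survival(idle_durations, t + horizon) / s_t

# Constructed sample flows (timestamp s, source host) for a 20-period, 1200 s window.
SAMPLE_FLOWS = [(10, "10.0.0.5"), (65, "10.0.0.5"), (130, "10.0.0.5"), (300, "10.0.0.5"),
                (480, "10.0.0.5"), (540, "10.0.0.5"), (845, "10.0.0.5"), (1150, "10.0.0.5"),
                (200, "10.0.0.9"), (1250, "10.0.0.5")]  # other host; outside the window

if __name__ == "__main__":
    act, idle = active_idle_durations(SAMPLE_FLOWS, "10.0.0.5", 0, 1200)
    print(act, idle, p_active_within(idle, 60, 60))  # [180, 60, 120, 60, 60] [120, 120, 240, 240] 0.5
```

With only four idle spells the estimate is coarse; over a real window the same functions yield a step-shaped S(t) whose shift over time is the baseline change the talk proposes to watch.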