Uri's Netflow Traffic Logs' Behavioral Analysis and Monitoring Visualization Tool


Abstract

As long as Internet users and the dependency of humans on IT are evolving, the detailed inspection of NetFlow data will be useful, especially for the detection of cyber anomalies and outbreaks. To date, numerous researchers have examined NetFlow with respect to numerical fields including, for example, Packets, IPs, Bytes, and Bandwidth consumption. But only a handful of projects have paid attention to the analysis of NetFlow activity using categorical fields, including Internet application and computer location, especially concerning a particular academic institution. The primary focus of this project is on the development of a tool for analyzing NetFlow activity at the University of Rhode Island (URI) computer network. This tool helps to monitor the NetFlow activity over time, stratified first by the Primary and then by the Secondary fields selected by the user. NetFlow activity is evaluated and visualized with: the frequency of traffic flow, if the user only selects the filter option 'Primary Log Field'; and the relative frequency of traffic flow, after selecting the field value of interest from 'Primary Log Field', if the user continues and selects the filter option 'Secondary Log Field'. Automatically, the drill-down of data through those log fields along the timestamp of interest will trigger the generation of an advanced log table grid view. Additionally, the proposed tool takes advantage of network theory and provides visualization of the bipartite graph representation of a NetFlow data subset with selected fields and time period with pre-specified sets of node degrees. This representation helps to monitor and characterize the communication behavior of individual nodes in the selected time period. Overall, the tool created for this project can be regarded as the first step in the development of a comprehensive cyber security system for monitoring and analysis of the URI NetFlow activity.

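Bibliographic details

  • Author affiliation: University of Rhode Island
  • Degree-granting institution: University of Rhode Island
  • Subject: Computer science; Statistics
  • Degree: M.S.
  • Year: 2018
  • Pages: 86 p.
  • Total pages: 86
  • Original format: PDF
  • Language of text: eng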