Conversation exchange dynamics for real-time network monitoring and anomaly detection

We present a model for real-time network monitoring and anomaly detection that provides a holistic view of network conversation exchanges. We argue that monitoring and anomaly detection are necessary mechanisms for ensuring secure and dependable network computing infrastructure. The model for network traffic exchange is based on a modified Ehrenfest urn model. The motivation for the model is heavily influenced by the success of statistical physics to provide macrostate descriptions of physical systems when the exact microstate parameters of each element in the system precludes understanding from first principles. The conversation exchange dynamics model for real-time network monitoring and anomaly detection is formally described. The model induces a unique real-time visualization capability for network monitoring and detection of anomalous events. An implementation of the model and visualization capability is presented along with laboratory tests and successful detection of real world events, including a Code Red worm attack.