Title :
A Methodology for Finding Significant Network Hosts
Author :
Lee, DongJin ; Brownlee, Nevil
Author_Institution :
Univ. of Auckland, Auckland
Abstract :
Much work has been done on observing and determining application types for network traffic flows. This is non-trivial because newer applications often encrypt their packets and do not use default port numbers. Also, application updates or protocol changes could vary the distributions of flow behaviors and patterns, resulting in complicated identification methods. We propose a different approach, in which we measure attribute values for hosts rather than flows to find significant hosts. We describe the attribute values that seem most useful in quantifying host behavior, and explain how we use an attribute sum to rank the hosts. Since host ranking does not rely on payload signatures or port numbers it is simple to implement, and can handle hosts running newly emerging applications and mixtures of applications. We suggest that hosts may be 'significant in various ways'. For instance, they may have high traffic rates (busy servers), interaction with many other hosts (P2P behaviors) or initiate many unidirectional flows (malicious behaviors). Further, they may change their behaviors over time (compromised hosts). We compute a set of host rankings at 60s intervals so as to observe changes in them.
Keywords :
cryptography; peer-to-peer computing; protocols; telecommunication security; telecommunication traffic; P2P behaviors; identification methods; malicious behaviors; network traffic flows; packets encryption; protocol; significant network hosts; unidirectional flows; Computer networks; Computer science; Computerized monitoring; Cryptography; Fluid flow measurement; Payloads; Privacy; Protocols; Spine; Telecommunication traffic; attribute; monitoring; rank; score; significant host;
Conference_Title :
Local Computer Networks, 2007. LCN 2007. 32nd IEEE Conference on
Conference_Location :
Dublin
Print_ISBN :
0-7695-3000-1
Electronic_ISBN :
0742-1303
DOI :
10.1109/LCN.2007.21