Constructing Communication Profiles by Clustering Selected Network Traffic Attributes

Large-scale IP networks cause special challenges to the security. The network consists of a large number of devices with a vast variety of traffic behavior. Implementation of the intrusion detection and monitoring mechanisms are often ineffective or require a lot of hardware and human resources. In this paper we present a methodology to construct communication profiles by making a time series and clusters from selected network attributes. Using the method we can divide the network devices into different groups by their traffic behavior even if we don’t know the role of each device or the network topology. Most appropriate intrusion detection or monitoring mechanisms can be assigned to each device according to its profile. It is also possible to monitor the changes in the devices’ behavior by inspecting their changes from constructed profile cluster to another. The changes between different profiles can be considered abnormal or common variation in the usage.