Masters 2011

Posted on 22 February, 2011 by Samuel

Existing monitoring techniques allow an operator to maintain situational awareness of activity on a network; however, the data they produce is so coarse-grained that important details are hidden. These details concern the individual devices, the services they run and the traffic patterns they generate, all of which ultimately determine the host demographic that constitutes a network.

This research will focus on the development of a network traffic analysis and data mining framework that aggregates data from multiple heterogeneous sources in order to construct a partial demographic of potentially malicious hosts on the internet. Data from these sources will be aggregated by a distributed messaging framework built on AMQP, using RabbitMQ as the message broker.

Through traffic characteristic and link analysis we will attempt to identify and categorise the various types of nefarious traffic found on the internet. Aggregating this traffic in near real time through the messaging framework will provide valuable insight into current malicious traffic. Host-specific information in the demographic would include details such as open ports, operating system, geographic locality, domain names registered to the host's IP address and estimated bandwidth. Using this host-specific information together with traffic analysis techniques we aim to produce a comprehensive model of the sources of malicious traffic on the internet.
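The two pieces the proposal describes, normalising events from heterogeneous sources into one message envelope and aggregating those messages per host into a partial demographic, are sketched below as an added example; this is not the author's code or part of the research framework. The sensor formats, sample lines, IP addresses and alert text are constructed for illustration, and the broker is an in-memory stand-in for a RabbitMQ topic exchange so that the example runs offline (with pika one would instead call `basic_publish` on a channel bound to the exchange). Bandwidth estimation is not shown.

```python
"""Added example: normalise heterogeneous sensor events into one envelope,
publish them through an AMQP-style broker, and aggregate per-host details
(open ports, OS, country, domains) into a partial demographic."""
import json
import re
from collections import defaultdict

# Constructed sample input: (source routing key, raw record) pairs from four
# different sensor types, plus two records that the pipeline must reject.
SAMPLE_EVENTS = [
    ("sensor.ids", "03/14-10:02:11.123456 [**] [1:100001:1] SCAN SSH brute-force attempt [**] "
                   "{TCP} 198.51.100.7:54321 -> 192.0.2.10:22"),
    ("sensor.honeypot", '{"ts": "2011-02-22T10:02:13Z", "src_ip": "198.51.100.7", '
                        '"dst_port": 22, "banner": "SSH-2.0-libssh-0.4.6"}'),
    ("sensor.fingerprint", "198.51.100.7 os=Linux ttl=64 mss=1460"),
    ("sensor.ids", "03/14-10:05:40.000001 [**] [1:100002:1] SCAN inbound to MSSQL port 1433 [**] "
                   "{TCP} 198.51.100.7:44444 -> 192.0.2.11:1433"),
    ("sensor.enrichment", '{"ip": "198.51.100.7", "country": "ZA", "rdns": ["scan-7.example.net"]}'),
    ("sensor.ids", "this line is not an alert"),          # malformed: parser returns None
    ("sensor.unknown", "no parser registered for this"),  # unknown source: no parser
]

# Snort-style alert line (constructed format): "[**] [gid:sid:rev] msg [**] {proto} src:sport -> dst:dport"
IDS_RE = re.compile(
    r"\[\*\*\]\s*\[[\d:]+\]\s*(?P<msg>.+?)\s*\[\*\*\].*?\{(?P<proto>\w+)\}\s*"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s*->\s*(?P<dst>[\d.]+):(?P<dport>\d+)"
)

# Each parser maps a raw record onto the common envelope: a "host" key (the
# observed source IP) plus attribute lists that the aggregator merges as sets.
def parse_ids(line):
    m = IDS_RE.search(line)
    if not m:
        return None
    return {"host": m["src"], "ports": [int(m["dport"])], "alerts": [m["msg"]]}

def parse_honeypot(line):
    rec = json.loads(line)
    return {"host": rec["src_ip"], "ports": [rec["dst_port"]], "banners": [rec["banner"]]}

def parse_fingerprint(line):
    ip, *kv = line.split()
    fields = dict(item.split("=", 1) for item in kv)
    return {"host": ip, "os": [fields.get("os")]}

def parse_enrichment(line):
    rec = json.loads(line)
    return {"host": rec["ip"], "country": [rec["country"]], "domains": rec["rdns"]}

PARSERS = {
    "sensor.ids": parse_ids,
    "sensor.honeypot": parse_honeypot,
    "sensor.fingerprint": parse_fingerprint,
    "sensor.enrichment": parse_enrichment,
}

class MemoryBroker:
    """In-memory stand-in for a RabbitMQ topic exchange: routing key -> bound consumers."""
    def __init__(self):
        self.bindings = defaultdict(list)

    def bind(self, routing_key, consumer):
        self.bindings[routing_key].append(consumer)

    def publish(self, routing_key, body):
        for consumer in self.bindings[routing_key]:
            consumer(routing_key, body)

class DemographicAggregator:
    """Consumer that merges envelopes into one attribute-set record per host."""
    def __init__(self):
        self.hosts = defaultdict(lambda: defaultdict(set))

    def consume(self, routing_key, body):
        envelope = json.loads(body)
        host = envelope.pop("host")
        for attr, values in envelope.items():
            self.hosts[host][attr].update(v for v in values if v is not None)

def normalise(source, raw):
    """Return the envelope for a raw record, or None if it cannot be parsed."""
    parser = PARSERS.get(source)
    return parser(raw) if parser else None

def build_demographic(events):
    """Run the events through the broker; return (demographic, rejected_count)."""
    broker, agg, rejected = MemoryBroker(), DemographicAggregator(), 0
    broker.bind("host.observation", agg.consume)
    for source, raw in events:
        envelope = normalise(source, raw)
        if envelope is None:
            rejected += 1          # keep a count rather than silently dropping
            continue
        envelope["sources"] = [source]
        broker.publish("host.observation", json.dumps(envelope))
    demographic = {ip: {k: sorted(v) for k, v in attrs.items()} for ip, attrs in agg.hosts.items()}
    return demographic, rejected

if __name__ == "__main__":
    demo, dropped = build_demographic(SAMPLE_EVENTS)
    print(json.dumps(demo, indent=2), "rejected:", dropped)
```

Two design points worth noting. Every source is reduced to the same envelope before it touches the broker, so the consumer never needs to know which sensor produced a record, which is what makes adding a new heterogeneous source a matter of registering one parser. Records that fail to parse are counted rather than dropped silently, since a parser that quietly discards malformed input hides exactly the gaps in coverage that a demographic built from partial data needs to report.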