The Network Nervous System

Description:

Do computer networks have a nervous system? And if so, how can we detect and measure them? In this project, CASOS team members are analyzing IP to IP Network Flow (netflow) data on a live corporate network. The data is binned into different categories by type and direction. Once the data is binned, we can look at various network measures to get a sense of how the data changes over time. Some of this binned data is considered "autonomic". That is, without any human intervention, the computers are communicating with each other. This activity is what we refer to as the "nervous system". Like our own nervous system, that automatically regulates our heartbeat, breathing, and internal heating, there seems to be a computer network nervous system that regulates patching, updating, and maintaining, all on its own. If that's the case, understanding the normal operating behavior of that data will greatly increase the cyber situation awareness necessary to execute any organization's mission. This is especially true for networks that are controlling critical infrastructure and security apparatus. Once we get a sense of what the normal network nervous system data looks like, we can incorporate known patterns of life behavior for the organization using that network. It is the combination of these two disparate categories of information that will greatly increase cyber situation awareness.

This picture shows Network Density under control of a Shehart X Bar Chart. There is one sample amongst the data that goes outside of control, indicating a potential concern for network behavior during that hour.