Frequent Inventory of Network Devices for Incident Response: A Data-driven Approach to Cybersecurity and Network Operations
| dc.contributor.author | Kobezak, Philip D. | en |
| dc.contributor.committeechair | Tront, Joseph G. | en |
| dc.contributor.committeemember | Midkiff, Scott F. | en |
| dc.contributor.committeemember | Marchany, Randolph C. | en |
| dc.contributor.department | Electrical and Computer Engineering | en |
| dc.date.accessioned | 2018-05-23T08:00:26Z | en |
| dc.date.available | 2018-05-23T08:00:26Z | en |
| dc.date.issued | 2018-05-22 | en |
| dc.description.abstract | Challenges exist in higher education networks with host inventory and identification. Any student, staff, faculty, or dedicated IT administrator can be the primary responsible personnel for devices on the network. Confounding the problem is that there is also a large mix of personally-owned devices. These network environments are a hybrid of corporate enterprise, federated network, and Internet service provider. This management model has survived for decades based on the ability to identify responsible personnel when a host, system, or user account is suspected to have been compromised or is disrupting network availability for others. Mobile devices, roaming wireless access, and users accessing services from multiple devices has made the task of identification onerous. With increasing numbers of hosts on networks of higher education institutions, strategies such as dynamic addressing and address translation become necessary. The proliferation of the Internet of Things (IoT) makes this identification task even more difficult. Loss of intellectual property, extortion, theft, and reputational damage are all significant risks to research institution networks. Quickly responding to and remediating incidents reduces exposure and risk. This research evaluates what universities are doing for host inventory and creates a working prototype of a system for associating relevant log events to one or more responsible people. The prototype reduces the need for human-driven updates while enriching the dynamic host inventory with additional information. It also shows the value of associating application and service authentications to hosts. The prototype uses live network data which is de-identified to protect privacy. | en |
| dc.description.abstractgeneral | Keeping track of computers or hosts on a network has become increasingly difficult. In the past, most of the hosts were owned by the institution, but now more hosts are owned by the end users. The management of institution networks has become a mix of corporate enterprise, federated network, and Internet service provider. This model has survived for decades based on the ability to identify someone responsible when a host or system is suspected to be infected with malware or is disrupting network availability for others. Mobile devices, roaming wireless access, and users accessing services from multiple devices has made the task of identification more difficult. With increasing numbers of hosts on networks of higher education institutions, strategies such as dynamic addressing and address translation become necessary. The proliferation of the Internet of Things (IoT) makes identification even more difficult. Loss of intellectual property, theft, and reputational damage are all significant risks to institution networks. Quickly responding to and remediating cybersecurity incidents reduces exposure and risk. This research considers what universities are doing for host inventory and creates a working prototype of a system for associating relevant log events to one or more responsible people. The prototype reduces the need for human-driven updates while incorporating additional information for the dynamic host inventory. It also shows the value of associating application and service authentications to hosts. The prototype uses real network data which is de-identified to protect privacy. | en |
| dc.description.degree | Master of Science | en |
| dc.format.medium | ETD | en |
| dc.identifier.other | vt_gsexam:15932 | en |
| dc.identifier.uri | http://hdl.handle.net/10919/83375 | en |
| dc.publisher | Virginia Tech | en |
| dc.rights | In Copyright | en |
| dc.rights.uri | http://rightsstatements.org/vocab/InC/1.0/ | en |
| dc.subject | Cybersecurity | en |
| dc.subject | Log Analysis | en |
| dc.subject | Network Inventory | en |
| dc.subject | Host Inventory | en |
| dc.title | Frequent Inventory of Network Devices for Incident Response: A Data-driven Approach to Cybersecurity and Network Operations | en |
| dc.type | Thesis | en |
| thesis.degree.discipline | Computer Engineering | en |
| thesis.degree.grantor | Virginia Polytechnic Institute and State University | en |
| thesis.degree.level | masters | en |
| thesis.degree.name | Master of Science | en |
Files
Original bundle
1 - 1 of 1