Improving Network Insight Through Local Context Gathering and Analysis

Master's Thesis


Identity of network traffic is becoming increasingly important in the definition and enforcement of security policies in an enterprise network. Network management and auditing require a finer granularity to be associated with the traffic flows in addition to the host level. Unfortunately, the inability of current architecture results in the local context of the connectivity in terms of the user and application being inferred from the packet content, such as IP address and port numbers. It is this inference that frequently results in overly coarse rules for the firewall in the interest of performance or simply enabling connectivity. While there are mechanisms proposed in the literature that purport to address this issue, the reality of deployment often negates adoption of such techniques. To that end, this work proposes a distributed network data collection and analysis system, eXpsicor, that pro-actively gathers the missing characteristics (local context) for the purpose of enterprise network management. By combining the full visibility at the end hosts (through such simple tools as netstat, ps, and lsof) and the global aggregate view at the central management server, it is demonstrated how local context improves network insight, and can be used for security auditing, finer network management and better policy mapping without costly deployment overhead. The system has been built and evaluated, and tools for visualizing analyzing data have been developed. The system has been deployed on over 150+ machines in our department. Many interesting analysis have been performed and shown in this thesis based on the data that has been collected since April 2007.


Attribute NameValues
  • etd-09202007-174338

Author Qi Liao
Advisor Dr. Aaron Striegel
Contributor Dr. Douglas Thain, Committee Member
Contributor Dr. Aaron Striegel, Committee Chair
Contributor Dr. Nitesh Chawla, Committee Member
Degree Level Master's Thesis
Degree Discipline Computer Science and Engineering
Degree Name Master of Science in Computer Science and Engineering
Defense Date
  • 2007-08-27

Submission Date 2007-09-20
  • United States of America

  • agent

  • computer security

  • local context

  • network security

  • networking data analysis

  • data mining

  • University of Notre Dame

  • English

Record Visibility Public
Content License
  • All rights reserved

Departments and Units

Digital Object Identifier


This DOI is the best way to cite this master's thesis.


Please Note: You may encounter a delay before a download begins. Large or infrequently accessed files can take several minutes to retrieve from our archival storage system.