Check out the new USENIX Web site. next up previous
Next: Effectiveness of the Grouping Up: Role Classification of Hosts Previous: The Role Correlation Algorithm


Results

In this section, we evaluate the performance of the algorithms using traces gathered over a day at two corporate networks. We show that the algorithms operate well for both networks and examine the effects of user-defined thresholds on the results of the role classification algorithm.

We call the two test networks Mazu and BigCompany. Mazu is part of the corporate network at Mazu Networks, Inc., in Cambridge, MA. It consists of 110 hosts, including engineering workstations, several servers, and laptops. Mazu develops various software products in the area of network security and monitoring. The BigCompany network consists of 3638 hosts, including workstations, servers, and many IP phones. For privacy reasons, BigCompany must remain anonymous.

Figure 4: Grouping results based on data gathered over one day at Mazu. The number in parentheses next to the group ID is the group's KG. The number next to each host is a count of the host's connections. Each line after ``comm with'' denotes a neighbor group and the average number of connections between the group and that neighbor.
\begin{figure*}\begin{center} \epsfig{file=figs/mazu-groups0.ps, height=1.1\columnwidth}\end{center}\end{figure*}

Figure 5: The grouping results on the Mazu network with several changes (see table) to the connection patterns. The number next to ``old'' represents the ID of the correlated group shown in Figure 4.
\begin{figure*}\begin{center} \subfigure{\epsfig{file=figs/mod0.ps, height=0.85\... ....0.0.110} & {\tiny admin} & - \\ \hline \end{tabular}} \end{center}\end{figure*}


Subsections
next up previous
Next: Effectiveness of the Grouping Up: Role Classification of Hosts Previous: The Role Correlation Algorithm
Godfrey Tan 2003-04-01