Next: Effectiveness of the Grouping
Up: Role Classification of Hosts
Previous: The Role Correlation Algorithm
Results
In this section, we evaluate the performance of the algorithms using
traces gathered over a day at two corporate networks. We show that
the algorithms operate well for both networks and examine the effects
of user-defined thresholds on the results of the role classification
algorithm.
We call the two test networks Mazu and BigCompany. Mazu is
part of the corporate network at Mazu Networks, Inc., in Cambridge, MA.
It consists of 110 hosts, including engineering workstations, several
servers, and laptops. Mazu develops various software products in the
area of network security and monitoring. The BigCompany network
consists of 3638 hosts, including workstations, servers, and many IP
phones. For privacy reasons, BigCompany must remain anonymous.
Figure 4: Grouping results based on data gathered over one day at
Mazu. The number in parentheses next to the group ID is the group's
KG. The number next to each host is a count of the host's
connections. Each line after "comm with" denotes a neighbor group
and the average number of connections between the group and that
neighbor.
Figure 5: The grouping results on the Mazu network with several changes (see
table) to the connection patterns. The number next to "old"
represents the ID of the correlated group shown in
Figure 4.
Godfrey Tan
2003-04-01