Characterizing university network usage with Active Directory event logs
Mitsdarfer, Alex Joseph
Permalink
https://hdl.handle.net/2142/99375
Description
Title
Characterizing university network usage with Active Directory event logs
Author(s)
Mitsdarfer, Alex Joseph
Issue Date
2017-12-06
Director of Research (if dissertation) or Advisor (if thesis)
Bailey, Michael
Department of Study
Electrical & Computer Eng
Discipline
Electrical & Computer Engr
Degree Granting Institution
University of Illinois at Urbana-Champaign
Degree Name
M.S.
Degree Level
Thesis
Keyword(s)
Active Directory
Network usage
Network characterization
University network
University network usage
University network characterization
Lateral movement
Event logs
Active Directory event logs
Abstract
In this thesis, we investigate a university network that uses Active Directory as its authentication system. We gain an understanding of the network by analyzing Windows event logs generated at Active Directory domain controllers. We want to see what network activity looks like as a first step in identifying and modeling network lateral movement. We characterize network activity, access behavior, most frequent events encountered, and domain controller usage. We find that the data, covering a week’s time, supports multiple trends. The number of events encountered increases from morning to noon and decreases after mid-afternoon. Weekend activity is lower than during weekdays. Over the week of user-generated events, about 85% of users create 1,000 events or fewer. Fewer than 5% of users create more than 10,000 events. The top five events encountered are associated with user sessions (i.e., login, logout, authentication) or Kerberos ticket requests. Most events are generated at the Urbana Domain Controllers. The second-largest number of events (although about 15 times smaller) is generated at the DCs that serve only WiFi and VPN.