Date of Award: 3-24-2016
Document Type: Thesis
Degree Name: Master of Science
Department: Department of Electrical and Computer Engineering
First Advisor: Gilbert L. Peterson, PhD.
Abstract
This research addresses the need for rapid evaluation of enterprise network hosts, in order to identify items of significance, by introducing a statistic whitelist based on the behavior of the processes on each host. By taking advantage of the repetition of processes and the resources they access, a whitelist can be generated from a large number of host machines. For each process, the loaded modules and the TCP and UDP connections are compared to identify which resources are most commonly accessed by that process. Results show that 47% of processes receive a whitelist score of 75% or greater on the five hosts identified as having the worst overall scores, and 60% of processes do so when the hosts more closely match the hosts used to build the whitelist.
AFIT Designator: AFIT-ENG-MS-16-M-019
DTIC Accession Number: AD1053820
Recommended Citation: Grunzweig, Nathan E., "Statistic Whitelisting for Enterprise Network Incident Response" (2016). Theses and Dissertations. 303.
https://scholar.afit.edu/etd/303