Technical Report 1150017

Title: On the Characteristics of Persistent Communities of Enterprises
Version(s): 1
Authors: Han Zhang
Mark Teodoro
Christos Papadopoulos
Allison Mankin
Date: 2015-01-15
Abstract: The set of hosts that communicate with an enterprise is a complex mix. Some may visit the enterprise occasionally and never come back, while others communicate with the enterprise very frequently. We define the latter as Persistent Hosts and the set of such hosts as a Persistent Community. Characterizing Persistent Communities benefits enterprises in several ways, including security, network management, traffic engineering and more. In this paper, we use 78 billion flow records collected from a sample of 84 enterprises for an entire month to explore the characteristics of Persistent Communities. First, we characterize the Persistent Community of each enterprise and find that for 90% of the enterprises, less than 21% of the hosts are persistent, yet they contribute more than 50% of the traffic. Then we correlate the Persistent Communities between multiple enterprises. We find that as the number of enterprises that a Persistent Host communicates with increases, its communication hours each day also increase. Moreover, we correlate Persistent Communities with DDoS attacks and find that while some Persistent Hosts are involved in UDP-based DDoS attacks, they only contribute a small portion of the overall attack traffic. Based on our findings, we give a simple case study of using Persistent Communities to detect business changes of enterprises, prioritize traffic and perhaps improve DDoS protection.
                author = {Han Zhang and Mark Teodoro and Christos Papadopoulos and Allison Mankin},
                title = {On the Characteristics of Persistent Communities of Enterprises},
                booktitle = {Verisign Labs Technical Reports},
                number = {1150017 version 1},
                year = {2015},