Multi-level Application-centric Profiling of UO Internet Traffic
Nathan Koga
Committee: Reza Rejaie (chair), Ram Durairajan, Chris Misa
Honors Bachelors Thesis (Jun 2024)
Keywords: Computer networks, Internet traffic, NetFlow

Characterizing different aspects of the traffic exchanged between an organization and the Internet gives the organization valuable insight into how its network resources are utilized and helps identify potential malicious activity and performance bottlenecks. However, the huge volume and complexity of Internet traffic make such a profiling effort inherently challenging, as identifying an important event or pattern is akin to finding a needle in a haystack.

In this thesis, we profile multiple aspects of the traffic exchanged between the UO campus and the Internet using flow-level traffic data. Our main goal is to efficiently identify and summarize some of the key flow-level features of UO traffic that represent normal/typical behavior. This, in turn, enables us to quickly determine whether a single flow or an aggregate group of flows (e.g., all flows associated with a particular application) exhibits any abnormal behavior. To this end, our profiling characterizes UO traffic top-down: it starts from aggregate analysis, classifies flows into main categories, and then “zooms into” each main category to gain more insight into that group. This strategy enables us to define a signature at each level for each category of flows.

We present the results of our multi-level profiling of UO traffic and investigate whether meaningful/stable signatures for distinguishing normal and abnormal behavior at each level can be identified.