Discovering Significant Co-Occurrences to Characterize Network Behaviors

A key aspect of computer network defense and operations is the characterization of network behaviors. Several of these behaviors are a result of indirect interactions between various networked entities and are temporal in nature. Modeling them requires non-trivial and scalable approaches. We introduce a novel approach for characterizing network behaviors using significant co-occurrence discovery. A significant co-occurrence is a robust concurrence or coincidence of events or activities observed over a period of time. We formulate a network problem in the context of co-occurrence detection and propose an approach to detect co-occurrences in network flow information. The problem is a generalization of problems that are encountered in the areas of dependency discovery and related activity identification. Moreover, we define a set of metrics to determine robust characteristics of these co-occurrences. We demonstrate the approach, exercising it first on a simulated network trace, and second on a publicly-available anonymized network trace from CAIDA. We show that co-occurrences can identify interesting relationships and that the proposed algorithm can be an effective tool in network flow analysis.