In this thesis, we investigate a university network that uses Active Directory as its authentication system. We build an understanding of the network by analyzing the Windows event logs generated at the Active Directory domain controllers (DCs). We want to see what normal network activity looks like as a first step toward identifying and modeling lateral movement. We characterize network activity, access behavior, the most frequent events encountered, and domain controller usage. We find that the data, covering one week, supports several trends. The number of events increases from morning to noon and decreases after mid-afternoon. Weekend activity is lower than weekday activity. Of the users generating events over the week, about 85% create 1,000 events or fewer, and fewer than 5% create more than 10,000 events. The top five events encountered are associated with user sessions (i.e., login, logout, authentication) or Kerberos ticket requests. Most events are generated at the Urbana domain controllers. The second-largest number of events (although about 15 times smaller) is generated at the DCs that serve only WiFi and VPN.
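As an added illustration of the per-hour, per-user and per-DC characterization described above (example code, not the thesis's own tooling), the Python below tallies a constructed sample of domain-controller security events; the event IDs (4624 logon, 4634 logoff, 4768/4769 Kerberos ticket requests), the DC names and the sample records are assumptions.

```python
from collections import Counter
from datetime import datetime

# Constructed sample of Windows security events as a domain controller would
# record them: (timestamp, DC name, event ID, account). Not real log data.
SAMPLE_EVENTS = [
    ("2019-03-04T08:55:10", "DC-URBANA-01", 4768, "alice"),  # Kerberos TGT request
    ("2019-03-04T09:02:31", "DC-URBANA-01", 4624, "alice"),  # logon
    ("2019-03-04T09:15:44", "DC-URBANA-02", 4769, "alice"),  # Kerberos service ticket
    ("2019-03-04T11:40:05", "DC-URBANA-01", 4624, "bob"),
    ("2019-03-04T12:01:17", "DC-WIFI-01",   4768, "bob"),
    ("2019-03-04T12:30:00", "DC-WIFI-01",   4769, "bob"),
    ("2019-03-04T16:45:09", "DC-URBANA-01", 4634, "alice"),  # logoff
    ("2019-03-04T17:10:22", "DC-URBANA-02", 4634, "bob"),
    ("2019-03-09T10:05:00", "DC-WIFI-01",   4624, "carol"),  # Saturday
    ("2019-03-09T10:06:00", "DC-WIFI-01",   4634, "carol"),
]

def parse_events(rows):
    """Turn raw tuples into dicts with a real datetime for time-of-day analysis."""
    return [{"ts": datetime.fromisoformat(ts), "dc": dc, "event_id": eid, "user": user}
            for ts, dc, eid, user in rows]

def top_event_ids(events, n=5):
    """Most frequent event IDs, as (event_id, count) pairs."""
    return Counter(e["event_id"] for e in events).most_common(n)

def events_per_dc(events):
    """How much of the load each domain controller carries."""
    return dict(Counter(e["dc"] for e in events))

def events_per_hour(events):
    """Hour-of-day histogram (index 0..23) to expose the daily activity curve."""
    hist = [0] * 24
    for e in events:
        hist[e["ts"].hour] += 1
    return hist

def weekday_vs_weekend(events):
    counts = {"weekday": 0, "weekend": 0}
    for e in events:
        counts["weekend" if e["ts"].weekday() >= 5 else "weekday"] += 1
    return counts

def user_volume_shares(events, low, high):
    """Fraction of users with at most `low` events and fraction with more than `high`."""
    per_user = Counter(e["user"] for e in events)
    n = len(per_user)
    at_most_low = sum(1 for c in per_user.values() if c <= low) / n
    above_high = sum(1 for c in per_user.values() if c > high) / n
    return at_most_low, above_high

if __name__ == "__main__":
    ev = parse_events(SAMPLE_EVENTS)
    print(top_event_ids(ev), events_per_dc(ev), weekday_vs_weekend(ev), user_volume_shares(ev, 2, 3))
```

On a real week of DC logs the thresholds would be the thesis's 1,000 and 10,000; the small sample uses 2 and 3 only so the buckets are non-empty.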
Characterizing university network usage with Active Directory event logs