File: MITSDARFER-THESIS-2017.pdf (PDF, 807kB)

Title: Characterizing university network usage with Active Directory event logs
Author(s): Mitsdarfer, Alex Joseph
Advisor(s): Bailey, Michael
Department / Program: Electrical & Computer Eng
Discipline: Electrical & Computer Engr
Degree Granting Institution: University of Illinois at Urbana-Champaign
Subject(s): Active Directory; Network usage; Network characterization; University network; University network usage; University network characterization; Lateral movement; Event logs; Active Directory event logs
Abstract: In this thesis, we investigate a university network that uses Active Directory as its authentication system. We gain an understanding of the network by analyzing the Windows event logs generated at the Active Directory domain controllers. We want to see what normal network activity looks like as a first step toward identifying and modeling lateral movement within the network. We characterize network activity, access behavior, the most frequently encountered events, and domain controller usage. The data, which covers one week, supports several trends. The number of events increases from morning to noon and decreases after mid-afternoon. Weekend activity is lower than weekday activity. Over the week, about 85% of users generate 1,000 events or fewer, and fewer than 5% of users generate more than 10,000 events. The top five events encountered are associated with user sessions (i.e., login, logout, authentication) or Kerberos ticket requests. Most events are generated at the Urbana Domain Controllers. The second-largest number of events (although about 15 times smaller) is generated at the DCs that serve only WiFi and VPN.
Issue Date: 2017-12-06
Rights Information: Copyright 2017 Alex Mitsdarfer
Date Available in IDEALS: 2018-03-13
Date Deposited: 2017-12
