Management of enterprise networks is a challenging problem because of their continued growth in size and functionality. We propose and evaluate a framework, Godai, which addresses the challenges in (i) setting thresholds in end-host anomaly detectors, (ii) hierarchical summarization of data, and (iii) application traffic classification. Godai enables IT operators to identify the end hosts that an attacker has compromised and is using to launch attacks, and it does so by diversifying the anomaly detector configuration across hosts. The general policies in the framework are holistic and achieve two goals: (a) they balance the trade-off between false alarm and mis-detection rates, and (b) they show that the benefits of full diversity (a separate configuration per host) can be attained at reduced complexity by clustering the end hosts and treating each cluster homogeneously.
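The following is an added illustration of the threshold-diversification idea above; it is not code from the Godai framework and does not reproduce its policies. It assumes a simple mean-plus-z-sigma alarm rule, a baseline of (mean, std) outbound connections per minute for each host, and a single-feature k-means clustering of hosts on their baseline mean; the host names, baselines and observations are constructed. It compares one global threshold, one threshold per cluster, and full diversity (one threshold per host) on the same false-alarm and mis-detection counts.

```python
"""Global vs per-cluster vs per-host anomaly thresholds (constructed example).

Each end host has a baseline (mean, std) of outbound connections per minute.
A single threshold for the whole enterprise either misses compromised quiet
hosts or raises false alarms on busy ones; clustering hosts on their baseline
and setting one threshold per cluster recovers the per-host result with only
k thresholds to manage.
"""
from math import sqrt
from statistics import mean

# Constructed baselines: host -> (mean, std) outbound connections/min.
BASELINES = {
    "ws-01": (5.0, 1.0), "ws-02": (6.0, 1.2), "ws-03": (4.5, 0.9), "ws-04": (5.5, 1.1),
    "srv-01": (60.0, 8.0), "srv-02": (70.0, 9.0), "srv-03": (65.0, 7.5),
}
# Constructed observations for one interval; ws-02 and srv-02 are the
# compromised hosts that have started launching attacks.
OBSERVED = {
    "ws-01": 6.0, "ws-02": 25.0, "ws-03": 4.0, "ws-04": 7.0,
    "srv-01": 72.0, "srv-02": 110.0, "srv-03": 58.0,
}
TRUE_COMPROMISED = {"ws-02", "srv-02"}


def kmeans_1d(values, k=2, iters=50):
    """Lloyd's k-means on a dict name -> scalar, with deterministic
    initialisation on sorted quantiles. Returns name -> cluster index."""
    names = sorted(values, key=values.get)
    step = (len(names) - 1) / max(k - 1, 1)
    centroids = [values[names[round(i * step)]] for i in range(k)]
    assign = {}
    for _ in range(iters):
        new_assign = {n: min(range(k), key=lambda c: abs(values[n] - centroids[c]))
                      for n in names}
        if new_assign == assign:
            break
        assign = new_assign
        for c in range(k):
            members = [values[n] for n in names if assign[n] == c]
            if members:
                centroids[c] = mean(members)
    return assign


def threshold_for(hosts, baselines, z=3.0):
    """mean + z * pooled std over a group of hosts (the detector's alarm rule)."""
    mu = mean(baselines[h][0] for h in hosts)
    sigma = sqrt(mean(baselines[h][1] ** 2 for h in hosts))
    return mu + z * sigma


def thresholds(baselines, mode, k=2):
    """Return host -> threshold for one of the three configuration policies."""
    hosts = list(baselines)
    if mode == "global":            # one threshold for everyone
        t = threshold_for(hosts, baselines)
        return {h: t for h in hosts}
    if mode == "per_host":          # full diversity: one threshold per host
        return {h: threshold_for([h], baselines) for h in hosts}
    if mode == "per_cluster":       # cluster on baseline mean, one threshold per cluster
        assign = kmeans_1d({h: baselines[h][0] for h in hosts}, k)
        per_cluster = {c: threshold_for([h for h in hosts if assign[h] == c], baselines)
                       for c in set(assign.values())}
        return {h: per_cluster[assign[h]] for h in hosts}
    raise ValueError(f"unknown mode {mode!r}")


def evaluate(mode, baselines=BASELINES, observed=OBSERVED, truth=TRUE_COMPROMISED):
    """Return (false_alarms, mis_detections, distinct_thresholds) for a policy."""
    th = thresholds(baselines, mode)
    flagged = {h for h in observed if observed[h] > th[h]}
    distinct = len({round(t, 6) for t in th.values()})
    return len(flagged - truth), len(truth - flagged), distinct


if __name__ == "__main__":
    for mode in ("global", "per_cluster", "per_host"):
        fa, md, n = evaluate(mode)
        print(f"{mode:12s} false alarms={fa} mis-detections={md} thresholds to manage={n}")
```

On this constructed data the global threshold lands between the workstation and server populations, so it raises false alarms on busy servers while missing the compromised workstation; two cluster thresholds reach the same false-alarm and mis-detection counts as seven per-host thresholds. The clustering feature and the z value are the operator's choice, and on real data the trade-off should be checked against labelled incidents rather than assumed.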
The underlying principle of attack detection is to identify changes in data. Godai generalizes this concept to data with hierarchical identifiers, e.g., IP prefixes and URLs. A parsimonious hierarchical summarization eases the burden on IT operators who must interpret analysis reports. Godai proposes efficient algorithms with provable guarantees that produce parsimonious explanations from the output of any statistical model that provides predictions and confidence intervals, which makes the approach widely applicable. Finally, Godai takes a step towards associating applications with traffic flows. It critically revisits the existing ad hoc traffic classification approaches based on transport-layer ports, host behavior, and flow features, and analyzes the effectiveness of each. The results allow us to answer questions about the best available traffic classification approach, the conditions under which it performs well, and the strengths and limitations of each approach. These multiple functionalities make Godai a viable solution for enterprise network management.
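As an added illustration of the hierarchical summarization idea (not Godai's own algorithm, and without its provable guarantees), the example below takes per-prefix model output of the form the text describes, an observed value with a prediction and confidence interval for every node, and condenses the nodes that fall outside their intervals into a shorter report. The hierarchy is derived from IP-prefix containment; the greedy rule that reports an aggregate only when it and all of its children moved in the same direction, and the prefix table itself, are constructed assumptions for this example.

```python
"""Parsimonious explanation of change over IP-prefix hierarchies (constructed).

Input is the output of some statistical model: for every prefix an observed
value, a prediction and a confidence interval. Flagging every node outside its
interval floods the operator with nested alarms; the greedy rule below reports
an aggregate only when it and all of its children moved in the same direction,
and otherwise descends to the children.
"""
import ipaddress

# Constructed model output: prefix -> (observed, predicted, ci_low, ci_high)
# flows per 5-minute interval. Children do not need to sum to the parent.
MODEL = {
    "10.0.0.0/8":   (1600, 1200, 1100, 1300),
    "10.1.0.0/16":  (740, 400, 350, 450),     # whole /16 up, every /24 up
    "10.1.0.0/24":  (190, 100, 80, 120),
    "10.1.1.0/24":  (185, 100, 80, 120),
    "10.1.2.0/24":  (180, 100, 80, 120),
    "10.1.3.0/24":  (185, 100, 80, 120),
    "10.2.0.0/16":  (560, 450, 380, 520),     # /16 up, but only one /24 changed
    "10.2.0.0/24":  (260, 150, 130, 170),
    "10.2.1.0/24":  (100, 100, 80, 120),
    "10.2.2.0/24":  (200, 200, 170, 230),
    "10.3.0.0/16":  (300, 300, 260, 340),     # /16 normal: two /24s offset each other
    "10.3.0.0/24":  (220, 150, 130, 170),
    "10.3.1.0/24":  (80, 150, 130, 170),
}


def build_tree(model):
    """Derive parent/child links from prefix containment. Returns (children, roots)."""
    nets = {p: ipaddress.ip_network(p) for p in model}
    children = {p: [] for p in model}
    roots = []
    for p, net in nets.items():
        ancestors = [q for q, qn in nets.items() if q != p and net.subnet_of(qn)]
        if ancestors:
            parent = max(ancestors, key=lambda q: nets[q].prefixlen)
            children[parent].append(p)
        else:
            roots.append(p)
    return children, roots


def direction(model, prefix):
    """'up'/'down' if the observation lies outside the CI, else None."""
    obs, _pred, lo, hi = model[prefix]
    if obs > hi:
        return "up"
    if obs < lo:
        return "down"
    return None


def flagged_nodes(model):
    """Naive report: every node whose observation leaves its interval."""
    return [(p, direction(model, p)) for p in sorted(model) if direction(model, p)]


def _explain(model, node, children):
    kids = children[node]
    d = direction(model, node)
    if not kids:
        return [(node, d)] if d else []
    # One aggregate node explains all of its children only when the change is uniform.
    if d and all(direction(model, c) == d for c in kids):
        return [(node, d)]
    return [e for c in sorted(kids) for e in _explain(model, c, children)]


def parsimonious_explanation(model):
    """Shortest report under the uniform-change rule, as (prefix, direction) pairs."""
    children, roots = build_tree(model)
    return [e for r in sorted(roots) for e in _explain(model, r, children)]


if __name__ == "__main__":
    print("flagged nodes:", len(flagged_nodes(MODEL)))
    for prefix, d in parsimonious_explanation(MODEL):
        print(f"  {prefix:14s} {d}")
```

On the constructed table ten nodes leave their intervals, but four lines explain them: the whole 10.1.0.0/16 moved up, a single /24 in 10.2.0.0/16 moved up, and two /24s in 10.3.0.0/16 moved in opposite directions, which is why their parent looks normal and must not be used to summarize them. The same structure applies to URL paths or any other hierarchical identifier once a parent function is defined.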