eScholarship
Open Access Publications from the University of California

UC Davis Electronic Theses and Dissertations

Anomaly Detection for the Science DMZ

Abstract

The primary focus of this dissertation is evaluating anomaly detection for Science DMZ networks. Compared to other anomaly detection problems, this setting introduces some unique challenges. First, if real-time threat detection and response is desired, the time window for reaction is smaller in high-speed networks such as Science DMZs. Anomaly detection, and real-time detection in particular, is already a challenging problem, and in high-speed networks it becomes even more difficult. Different approaches are required to keep up at high rates: either simplifying the detection methods, or finding creative means of optimizing existing methods, whether through different hardware or by modifying the algorithms. In some cases the best option is an entirely new detection technique that uses new or previously neglected metrics. Determining the specific techniques best suited to a given environment is another challenge. The ideal methods for anomaly detection vary depending on the particular network and how it is used. Science Demilitarized Zone (DMZ) networks are generally built to perform a limited range of tasks, primarily facilitating high-speed data transfers between research sites. Their behavior is therefore more predictable than that of general-purpose networks, which makes practical anomaly detection more feasible. This work contains research into different methods of anomaly detection on Science DMZs, providing evaluations of new real-time detection methods and tools for more effective monitoring.
