Analysis of corporate network cyber threats based on parallel processing of Netflow data

Public services of various organizations are subject to constant cyber attacks, which increases information security risks. Network traffic analysis is an important task to ensure the safe operation of network infrastructure, including corporate networks. This paper provides an overview of the main approaches for analyzing network traffic, provides related works, and points out the shortcomings of existing works. One method is to analyze network traffic data using the Netflow protocol, which allows traffic data to be stored at the L3 layer of the OSI model. A feature of the study is the use of long observation periods. When storing data over long time intervals, the logs become large, which requires parallelization for primary data processing. The authors developed a cross-platform software package for distributed processing of network activity logs, which was used to analyze the network activity of the corporate network of the Krasnoyarsk Scientific Center for 2021-2022. A diagram of the software package is shown, its capabilities and operating features are described. Data sources for analysis and processing methods are provided. In this paper the authors formulated and formalized heuristic criteria for the anomaly of network traffic, which identify the presence of possible network attacks, and extracted datasets on the network activity of various application-level protocols. For the obtained data sets, statistical indicators were calculated, information about anomalous network activity was obtained for two years. In this work we tested the previously proposed method for comparing the cyber threats risks for different time intervals, which showed a significant increase in risks for 50% of indicators in 2022. Comparisons of monthly intervals over different years showed similar increases in risk. Thus, the method has shown its efficiency and can be used in other areas in which there are groups of criteria for independent indicators. The authors proposed plans for further development of methods for analyzing network activity.