Commit e5790f4f authored by Aida Nikkhah Nasab

update Mastersthesis.pdf and main.tex to add detailed analysis of host...

update Mastersthesis.pdf and main.tex to add detailed analysis of host activity and enhance content clarity
parent 6ddc71ea
Pipeline #58028 failed
......@@ -544,6 +544,16 @@ After checking the URLs that were reached by these hosts, several conclusions ca
Hosts that interact with a higher number of unique URLs are typically engaging with a more diverse set of services, which may reflect a broader range of operations. These activities include access to enhanced security protocols, system updates, and various enterprise services. The diversity in connections may also point to more specialized use cases, where certain hosts are tasked with overseeing a larger portion of the network’s activities, such as system administrators or network engineers. The variety in services accessed by these hosts allows for better resource allocation and helps the organization ensure that different types of services receive appropriate attention. These hosts are likely performing more complex tasks, such as monitoring, data analysis, or security audits, and their broad range of connections is an important feature of their role in the network.
\end{itemize}
All the hosts in one day are 208,516; however, until now, only 61,207 hosts have been analyzed. So, 147,309 other hosts are waiting to be analyzed. Here are some bullet points about the hosts that have been analyzed:
\begin{itemize}
\item \textbf{10.201.24.129} is the host that connected to 29,858 unique URLs. This host is the most active host in the network.
\item \textbf{10.16.17.11}, \textbf{10.73.17.16}, \textbf{10.17.105.167}, \textbf{172.31.161.1} are hosts that connected to 15,159, 14,567, 13,004, and 10,151 unique URLs, respectively. These hosts are the second, third, fourth, and fifth most active hosts in the network.
\item 997 hosts have connected to unique URLs between 1,000 and 7,000.
\item 7,965 hosts have connected to unique URLs between 500 and 999.
\item 70,519 hosts have connected to unique URLs between 100 and 499.
\item 67,823 hosts have connected to unique URLs between 16 and 99.
\end{itemize}
\section{Summary}
The data analysis presented in this chapter offers a detailed and comprehensive examination of the dataset's structure, user behavior, and network interactions. By utilizing a variety of visualization tools and statistical methods, the chapter identifies and uncovers key patterns that not only contribute to a better understanding of the data but also provide actionable insights for optimizing network performance and enhancing security measures. The analysis begins with a focus on URL request counts, offering a clear view of the frequency and distribution of web traffic. This helps highlight which URLs are most frequently accessed by hosts within the network, shedding light on the overall popularity of various resources. Understanding the distribution of these request counts is for determining which URLs should be prioritized in network monitoring and security management. The high-traffic URLs, in particular, are often more susceptible to attacks, such as phishing, malware distribution, or even DDoS attacks. By recognizing these hotspots, network administrators can more effectively allocate resources to ensure that these critical URLs are properly secured and monitored. Further investigation into the 24-hour visit patterns of hosts reveals how user activity is distributed across time. By analyzing these temporal patterns, the chapter sheds light on peak usage times, user behavior trends, and possible anomalies. A close examination of these patterns provides a deeper understanding of when the network is most active and helps detect deviations that might indicate unusual or malicious behavior. For instance, atypical spikes in activity at specific hours of the day could signal security incidents such as bot traffic or unauthorized access attempts. This aspect of the analysis is for optimizing network resources and managing traffic loads during high-usage periods, ensuring the network's stability and performance. 
Another aspect of the analysis involves the time intervals between requests. This segment of the study reveals how hosts interact with the network, providing insights into the frequency of user requests and the temporal gaps between them. This can help identify periodic or repetitive behavior, which may indicate underlying issues such as inefficient resource usage or even intentional attempts at evading detection. The analysis of time intervals is for identifying malicious activities, such as beaconing—a pattern in which an infected device sends regular, seemingly benign requests to a specific URL to maintain communication with a command-and-control server. Detecting such behaviors can play an important role in early-stage threat detection, as it allows for the identification of compromised devices or ongoing cyberattacks before they escalate. The distribution of hosts based on the number of unique URLs they contact provides a further layer of insight into user and network behavior. This analysis highlights the concentration of network activity and reveals how different hosts interact with various resources. For example, some hosts may only contact a limited number of URLs, often related to essential services, while others might interact with a broader set of resources. The latter group may represent specialized functions or more complex network activities. By understanding the distribution of hosts across different sets of URLs, organizations can better prioritize their security efforts and ensure that high-risk activities are closely monitored. This distribution can also help distinguish between normal and anomalous behaviors, offering clues about potential security threats or misconfigurations within the network. Collectively, these findings emphasize the importance of focusing on high-traffic URLs and understanding the temporal patterns in user activity. 
By identifying periodic behaviors or unusual request intervals, it becomes possible to detect anomalies that could indicate malicious intent or system vulnerabilities. The insights provided by this analysis are important for creating more effective detection mechanisms within the BAYWATCH framework, laying a strong foundation for the development of robust network security tools and strategies. The use of advanced visualization techniques and statistical analysis in this chapter is instrumental in uncovering these patterns. These tools provide a clear and intuitive way to visualize complex data sets, helping to identify trends and outliers that may otherwise go unnoticed. This approach not only contributes to a deeper understanding of the dataset but also facilitates the identification of areas that require further investigation or intervention. By offering a comprehensive view of the network's structure and behavior, this chapter provides a solid foundation for enhancing network security, improving performance, and developing more effective detection and mitigation mechanisms for potential threats. In conclusion, the data analysis conducted in this chapter offers a thorough understanding of network dynamics, highlighting key areas for improvement in both security and performance optimization. By examining the dataset's structure, user behavior, and network interactions through various lenses, this chapter delivers valuable insights that can guide future research and the implementation of more sophisticated network management strategies. These findings are for building a proactive security posture, ensuring the network remains resilient against evolving threats while maintaining optimal performance.
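Review bot: the host counts in the itemize list at the end of the hosts section do not match the sentence that introduces them: 1 + 4 + 997 + 7,965 + 70,519 + 67,823 sums to 147,309, which is exactly the figure the preceding sentence gives for hosts "waiting to be analyzed", not the 61,207 it says have been analyzed. Either the two figures are swapped, or the bullets cover every host with at least 16 unique URLs and the 61,207 are the hosts below that threshold; please reconcile the numbers and say explicitly which hosts the list covers, since the "16 and 99" bucket otherwise leaves the hosts with fewer than 16 unique URLs unaccounted for. Separately, the Summary drops a word in four places: "is for determining which URLs", "is for optimizing network resources", "is for identifying malicious activities" and "are for building a proactive security posture" each need an adjective such as "essential" or "crucial" before "for".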