Network security analysts gather data from diverse sources, from high-level summaries of network flow and traffic volumes to low-level details such as service logs from servers and the contents of individual packets. They validate and check this data against traffic patterns and historical indicators of compromise. Based on the results of this analysis, a decision is made either to manage the traffic automatically or to report it to an analyst for further investigation. Unfortunately, due to rapidly increasing traffic volumes, there are far more events to check than operational teams can handle for effective forensic analysis. However, just as packets are grouped into flows that share a commonality, we argue that a high-level construct for grouping network flows into a set of flows that share a hypothesis is needed to significantly improve the quality of operational network response by increasing Events Per Analyst Hour (EPAH). In this paper, we propose a formalism for describing a superflow construct, which we characterize as an aggregation of one or more flows based on an analyst-specific hypothesis about traffic behavior. We demonstrate simple superflow constructions and representations, and perform a case study to explain how the formalism can be used to reduce the volume of data for forensic analysis.
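To make the superflow idea concrete, here is an added illustration (not code from the paper) of aggregating flow records under one analyst hypothesis: flows that match a predicate are grouped by a key, and each resulting superflow is reviewed as a single event. The flow records, the "horizontal-scan" hypothesis and the `min_dsts` threshold are all constructed assumptions for this example.

```python
from collections import defaultdict
from collections.abc import Callable, Hashable
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Flow:
    """One network flow record (addresses, port, protocol, volume counters)."""
    src: str
    dst: str
    dport: int
    proto: str
    packets: int
    bytes: int

@dataclass
class Superflow:
    """Flows aggregated under one analyst hypothesis, grouped by a key."""
    hypothesis: str
    key: Hashable
    flows: list = field(default_factory=list)

    def distinct_dsts(self) -> int:
        return len({f.dst for f in self.flows})

def build_superflows(flows, hypothesis: str,
                     predicate: Callable[[Flow], bool],
                     key_fn: Callable[[Flow], Hashable]) -> list:
    """Keep the flows the hypothesis applies to, then group them by key_fn."""
    groups = defaultdict(list)
    for f in flows:
        if predicate(f):
            groups[key_fn(f)].append(f)
    return [Superflow(hypothesis, k, fl) for k, fl in groups.items()]

# Constructed sample flows (documentation-range addresses, not real traffic).
FLOWS = [Flow("203.0.113.5", f"10.0.0.{i}", 22, "tcp", 1, 60) for i in range(1, 6)]
FLOWS += [
    Flow("203.0.113.5", "10.0.0.1", 80, "tcp", 1, 60),
    Flow("10.0.0.7", "198.51.100.9", 443, "tcp", 120, 80_000),
    Flow("10.0.0.8", "198.51.100.9", 443, "tcp", 90, 61_000),
]

def triage(flows, min_dsts: int = 3) -> list:
    """Hypothesis (assumed): one source probing one port on many hosts.
    Returns the superflow keys an analyst reviews as single events."""
    sfs = build_superflows(flows, "horizontal-scan",
                           lambda f: f.packets <= 2,
                           lambda f: (f.src, f.dport))
    return [s.key for s in sfs if s.distinct_dsts() >= min_dsts]
```

Here eight raw flows collapse into two superflows, and only one of them clears the review threshold, which is the data-volume reduction the abstract is after.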