Time

Time is an extremely interesting concept analytically.  It's a dimension that's often overlooked when performing network traffic analysis.  On this blog, I've discussed the concept of looking for anomalous or unexpected traffic/behavior on an enterprise network quite a bit.  But what about traffic that may be completely normal/expected at 14:00 on a weekday, but not at 02:00 on a Sunday?  By considering the dimension of time analytically, one can look for normal traffic that because of the time window it occurs in is considered abnormal.

Consider the example of the administrative assistant who sends emails and calendar invites (amidst performing a variety of other tasks) all day long.  If we study the mail logs, there is nothing particularly interesting or unusual about this.  But what if that same administrative assistant sends a bunch of emails and calendar invites between 02:00 and 03:00 on Sunday?  Perhaps he/she is dedicated and catching up on work while dealing with a bout of insomnia.  Or, perhaps he/she is about to become a pawn in a spear phishing campaign that will await targeted personnel when they arrive to work Monday morning....