Impact of network activity levels on the performance of passive network service dependency discovery

Network services often depend on other services distributed throughout a network to function correctly. If a service fails, is disrupted, or is degraded, it is likely to impair other services. The web of dependencies can be surprisingly complex-especially within a large enterprise network-and evolve over time. Acquiring, maintaining, and understanding dependency knowledge is critical for many network management and cyber defense activities, such as cyber mission mapping. While automation can improve situation awareness for network operators and cyber practitioners, poor detection performance reduces their confidence and can complicate their roles. In this paper, we study the effects of network activity levels on the detection performance of passive network-based service dependency discovery methods. The performance of all methods except for one were inconsistent with respect to network activity levels. Our proposed cross-correlation method was particularly robust to the influence of network activity. The proposed experimental treatment will further advance a more scientific evaluation of methods and provide a foundation to determine their operational boundaries.