TY - GEN
T1 - Users' behavior character analysis and classification approaches in enterprise networks
AU - Qin, Tao
AU - Guan, Xiaohong
AU - Long, Yi
AU - Li, Wei
PY - 2009
Y1 - 2009
N2 - Analysis and control of users' behavior are important for enterprise network management and security. In this paper, we propose a novel method that classifies users' behaviors into different security levels and controls them with corresponding strategies. Firstly, a Dflow model and several traffic features, including the number of packets, the number of flows and flow durations, are proposed to capture users' behavior characteristics. They are obtained from different layers of the OSI communication model, such as the network layer and the transport layer. Secondly, we define scores for users' behaviors according to their traffic patterns using a flexible method with adjustable weight factors, so that different monitoring aims can be achieved by adjusting the weights. Based on the behavior score, users' behaviors are classified into three security levels: low-dangerous, mid-dangerous and high-dangerous. Finally, mid- and high-dangerous behaviors are controlled by a dynamic quarantine method based on the principle of "assume guilty before proven innocent": a user is quarantined by blocking its traffic whenever its behavior is classified as mid- or high-dangerous, and the quarantine is released after a short time even if security managers have not yet inspected the user. In this way, potential threats are removed from the monitored network without severely interfering with users' normal activities. Experimental results on real traffic data show that the proposed methods are simple, flexible and highly accurate, and can be used for real-time enterprise network monitoring and management.
AB - Analysis and control of users' behavior are important for enterprise network management and security. In this paper, we propose a novel method that classifies users' behaviors into different security levels and controls them with corresponding strategies. Firstly, a Dflow model and several traffic features, including the number of packets, the number of flows and flow durations, are proposed to capture users' behavior characteristics. They are obtained from different layers of the OSI communication model, such as the network layer and the transport layer. Secondly, we define scores for users' behaviors according to their traffic patterns using a flexible method with adjustable weight factors, so that different monitoring aims can be achieved by adjusting the weights. Based on the behavior score, users' behaviors are classified into three security levels: low-dangerous, mid-dangerous and high-dangerous. Finally, mid- and high-dangerous behaviors are controlled by a dynamic quarantine method based on the principle of "assume guilty before proven innocent": a user is quarantined by blocking its traffic whenever its behavior is classified as mid- or high-dangerous, and the quarantine is released after a short time even if security managers have not yet inspected the user. In this way, potential threats are removed from the monitored network without severely interfering with users' normal activities. Experimental results on real traffic data show that the proposed methods are simple, flexible and highly accurate, and can be used for real-time enterprise network monitoring and management.
KW - Behavior Classification
KW - Security
KW - Traffic Flow
UR - https://www.scopus.com/pages/publications/70350733878
U2 - 10.1109/ICIS.2009.104
DO - 10.1109/ICIS.2009.104
M3 - Conference contribution
AN - SCOPUS:70350733878
SN - 9780769536415
T3 - Proceedings of the 2009 8th IEEE/ACIS International Conference on Computer and Information Science, ICIS 2009
SP - 323
EP - 328
BT - Proceedings of the 2009 8th IEEE/ACIS International Conference on Computer and Information Science, ICIS 2009
PB - IEEE Computer Society
T2 - 8th IEEE/ACIS International Conference on Computer and Information Science, ICIS 2009
Y2 - 1 June 2009 through 3 June 2009
ER -
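Added worked example (not from the paper, and not the authors' code): the abstract describes a pipeline of per-user traffic features, a weighted score with adjustable weight factors, three-level classification, and a timed dynamic quarantine. The block below implements that pipeline end to end on constructed sample flows. The Flow record layout, the two weight profiles, the min-max normalisation, the choice to treat a shorter mean flow duration as more suspicious, the 50/80 score thresholds and the quarantine release period are all assumptions made for illustration; the abstract states none of them.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Mapping


@dataclass(frozen=True)
class Flow:
    """One transport-layer flow attributed to a user (hypothetical record layout)."""
    user: str
    packets: int
    duration: float  # seconds


# Constructed sample traffic, not the paper's data set: alice browses normally,
# bob emits many tiny short-lived flows (scan-like), carol sits in between.
SAMPLE_FLOWS: List[Flow] = (
    [Flow("alice", 500, 30.0), Flow("alice", 800, 45.0), Flow("alice", 300, 12.0)]
    + [Flow("bob", 2, 0.1) for _ in range(20)]
    + [Flow("carol", 60, 5.0) for _ in range(10)]
)

# Assumed weight profiles; the paper only says the weights are adjustable.
VOLUME_WEIGHTS = {"packets": 0.4, "flows": 0.4, "mean_duration": 0.2}
SCAN_WEIGHTS = {"packets": 0.1, "flows": 0.6, "mean_duration": 0.3}
# Assumption: for these features a *lower* value is the more suspicious direction.
LOWER_IS_SUSPICIOUS = {"mean_duration"}
# Assumed thresholds on the 0..100 score scale.
MID_THRESHOLD, HIGH_THRESHOLD = 50.0, 80.0


def extract_features(flows: Iterable[Flow]) -> Dict[str, Dict[str, float]]:
    """Aggregate packet count, flow count and mean flow duration per user."""
    acc = defaultdict(lambda: {"packets": 0, "flows": 0, "duration": 0.0})
    for f in flows:
        a = acc[f.user]
        a["packets"] += f.packets
        a["flows"] += 1
        a["duration"] += f.duration
    return {
        u: {"packets": float(a["packets"]), "flows": float(a["flows"]),
            "mean_duration": a["duration"] / a["flows"]}
        for u, a in acc.items()
    }


def score_users(features: Mapping[str, Mapping[str, float]],
                weights: Mapping[str, float]) -> Dict[str, float]:
    """Min-max normalise each feature across users, orient it so that larger
    means more suspicious, and combine with the weights into a 0..100 score."""
    scores = {u: 0.0 for u in features}
    for name, w in weights.items():
        values = [feat[name] for feat in features.values()]
        lo, hi = min(values), max(values)
        for u, feat in features.items():
            norm = 0.0 if hi == lo else (feat[name] - lo) / (hi - lo)  # single user: no spread
            if name in LOWER_IS_SUSPICIOUS:
                norm = 1.0 - norm
            scores[u] += w * norm
    return {u: 100.0 * s for u, s in scores.items()}


def classify(score: float) -> str:
    """Map a behavior score onto the paper's three security levels."""
    if score >= HIGH_THRESHOLD:
        return "high-dangerous"
    if score >= MID_THRESHOLD:
        return "mid-dangerous"
    return "low-dangerous"


class DynamicQuarantine:
    """Block a user as soon as it is mid- or high-dangerous, release after a
    fixed period even without analyst review; re-evaluation can re-block."""

    def __init__(self, release_after: float = 300.0):  # seconds, assumed value
        self.release_after = release_after
        self._blocked_until: Dict[str, float] = {}

    def apply(self, user: str, level: str, now: float) -> None:
        if level in ("mid-dangerous", "high-dangerous"):
            self._blocked_until[user] = now + self.release_after

    def is_blocked(self, user: str, now: float) -> bool:
        until = self._blocked_until.get(user)
        if until is None:
            return False
        if now >= until:          # quarantine expired: release automatically
            del self._blocked_until[user]
            return False
        return True


def run_example(weights: Mapping[str, float]) -> Dict[str, tuple]:
    """Score and classify the sample users under one weight profile."""
    scores = score_users(extract_features(SAMPLE_FLOWS), weights)
    return {u: (round(s, 1), classify(s)) for u, s in scores.items()}


if __name__ == "__main__":
    for name, w in (("volume", VOLUME_WEIGHTS), ("scan", SCAN_WEIGHTS)):
        print(name, run_example(w))
    q = DynamicQuarantine(release_after=60.0)
    q.apply("bob", "high-dangerous", now=0.0)
    print("bob blocked at t=30:", q.is_blocked("bob", 30.0), "at t=60:", q.is_blocked("bob", 60.0))
```

Running the two profiles shows the point the abstract makes about weight factors: under the volume-oriented weights bob is only mid-dangerous and carol is low-dangerous, while under the scan-oriented weights bob becomes high-dangerous and carol moves to mid-dangerous, so the same traffic yields different quarantine decisions depending on the monitoring aim.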