Protecting a computer network is a cat-and-mouse game with attackers. Attacks are becoming more sophisticated, more targeted, and harder to defend against, and spending on network protection grows year by year.
In this situation, we investigate how modern techniques can be applied to traditional network security measures to automate network defense, improve security, and reduce the cost of protecting the network. We combine machine learning with the observation of host behavior in the network to provide a novel, automated approach to network defense.
We examine the possibility of behavior-aware network segmentation that uses IP flows and machine learning to identify segments automatically, even in a complex network. Namely, we
- evaluate the suitability of clustering algorithms for identifying behavior-consistent segments in a network. We show that clustering can identify relevant behavior-consistent clusters that overlap with those identified manually by experts.
- investigate the assignment of an unknown host to an existing segment. We evaluate four different classification mechanisms on a real-world dataset and show that an unknown host can be assigned to an appropriate network segment with up to 92% precision.
- release the whole dataset and the experiment steps for public use.
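To make the two steps concrete (profile each host from its IP flows, cluster the profiles into segments, then place an unseen host into the nearest segment), here is an added example. It is not the paper's code or data: the behavior features (peer and port diversity, share of flows to web ports, mean flow size), the plain k-means with farthest-first seeding, the nearest-centroid assignment standing in for the paper's four classifiers, the standardized-distance cut-off of 1.5 for refusing an assignment, and all flow records and IP addresses are assumptions constructed for this illustration.

```python
# Added illustration of behavior-aware segmentation from IP flows. Not the paper's code:
# the features, k-means with farthest-first seeding, and the distance cut-off are assumptions.
import math
from collections import defaultdict

def _flows(src, peers, ports, sizes):
    # Constructed flow records: (src_ip, dst_ip, dst_port, bytes); only the client side is profiled.
    return [(src, dst, dport, nbytes) for dst, dport, nbytes in zip(peers, ports, sizes)]

WEB = [f"203.0.113.{i}" for i in range(1, 7)]     # assumed external web servers
ROOTS = [f"198.51.100.{i}" for i in range(1, 7)]  # assumed upstream DNS servers
DB = ["10.0.0.50"] * 6                            # assumed database server
# Known hosts: three workstations, two DNS resolvers, two app hosts that bulk-load a DB.
FLOWS = (
    _flows("10.0.1.11", WEB, [443, 443, 80, 443, 443, 80], [30000, 45000, 12000, 52000, 28000, 9000])
    + _flows("10.0.1.12", WEB, [443, 80, 443, 443, 80, 443], [25000, 40000, 15000, 60000, 30000, 8000])
    + _flows("10.0.1.13", WEB, [80, 443, 443, 443, 80, 443], [35000, 38000, 10000, 50000, 26000, 11000])
    + _flows("10.0.2.21", ROOTS, [53] * 6, [110, 120, 130, 115, 125, 120])
    + _flows("10.0.2.22", ROOTS, [53] * 6, [105, 130, 120, 118, 122, 115])
    + _flows("10.0.3.31", DB, [5432] * 6, [4_000_000, 5_000_000, 4_500_000, 6_000_000, 5_500_000, 5_000_000])
    + _flows("10.0.3.32", DB, [5432] * 6, [4_800_000, 5_200_000, 4_600_000, 5_400_000, 5_000_000, 5_000_000])
)
# Unseen hosts: one that behaves like a workstation, one that probes many ports.
NEW_HOST_FLOWS = _flows("10.0.1.99", WEB, [443, 443, 80, 443, 80, 443], [31000, 42000, 14000, 55000, 27000, 10000])
SCANNER_FLOWS = _flows("10.0.9.9", WEB, [22, 23, 445, 3389, 8080, 5900], [60] * 6)

def host_features(flows):
    """Assumed behavior vector per source host:
    [distinct peers / flows, distinct dst ports / flows, share of flows to 80/443, log10 mean bytes]."""
    by_host = defaultdict(list)
    for src, dst, dport, nbytes in flows:
        by_host[src].append((dst, dport, nbytes))
    feats = {}
    for host, recs in by_host.items():
        n = len(recs)
        peers = len({dst for dst, _, _ in recs})
        ports = len({dport for _, dport, _ in recs})
        web = sum(1 for _, dport, _ in recs if dport in (80, 443))
        feats[host] = [peers / n, ports / n, web / n, math.log10(sum(b for _, _, b in recs) / n)]
    return feats

def fit_scaler(vectors):
    """Per-feature mean and std (std 0 -> 1) so no single feature dominates the distance."""
    n, dims = len(vectors), len(vectors[0])
    means = [sum(v[i] for v in vectors) / n for i in range(dims)]
    stds = [math.sqrt(sum((v[i] - means[i]) ** 2 for v in vectors) / n) or 1.0 for i in range(dims)]
    return means, stds

def scale(vec, scaler):
    return [(x - m) / s for x, m, s in zip(vec, *scaler)]

def dist(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

def kmeans(points, k, iters=50):
    """Plain k-means; farthest-first seeding from points[0] keeps the run deterministic."""
    centroids = [points[0]]
    while len(centroids) < k:
        centroids.append(max(points, key=lambda p: min(dist(p, c) for c in centroids)))
    labels = None
    for _ in range(iters):
        new_labels = [min(range(k), key=lambda j: dist(p, centroids[j])) for p in points]
        if new_labels == labels:
            break
        labels = new_labels
        for j in range(k):
            members = [p for p, lab in zip(points, labels) if lab == j]
            if members:  # an emptied cluster keeps its previous centroid
                centroids[j] = [sum(col) / len(members) for col in zip(*members)]
    return labels, centroids

class Segmenter:
    """Step 1: cluster known hosts into behavior-consistent segments. Step 2: place unseen hosts."""
    def __init__(self, flows, k, max_distance=1.5):
        feats = host_features(flows)
        self.hosts = sorted(feats)
        self.scaler = fit_scaler([feats[h] for h in self.hosts])
        labels, self.centroids = kmeans([scale(feats[h], self.scaler) for h in self.hosts], k)
        self.segment_of = dict(zip(self.hosts, labels))
        self.max_distance = max_distance  # assumed cut-off in standardized units

    def assign(self, host, flows):
        """Nearest-centroid assignment -> (segment or None, distance). None means the host
        resembles no known segment and should be reviewed, not forced into the least-bad one."""
        own = [f for f in flows if f[0] == host]
        if not own:
            raise ValueError(f"no flows observed for {host}")
        point = scale(host_features(own)[host], self.scaler)
        nearest = min(range(len(self.centroids)), key=lambda j: dist(point, self.centroids[j]))
        d = dist(point, self.centroids[nearest])
        return (nearest if d <= self.max_distance else None), d

if __name__ == "__main__":
    seg = Segmenter(FLOWS, k=3)
    for host in seg.hosts:
        print(host, "-> segment", seg.segment_of[host])
    print("workstation-like host:", seg.assign("10.0.1.99", NEW_HOST_FLOWS))
    print("scanner-like host:", seg.assign("10.0.9.9", SCANNER_FLOWS))
```

Two design points matter in practice. Features are standardized before clustering, because raw byte counts would otherwise swamp the ratio features. And assignment is refused when the unseen host is far from every centroid: a host whose behavior matches no existing segment (here, the port-probing host) is exactly the one an operator should look at, so the example returns None rather than silently filing it under the least-bad segment.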
For this publication, we received the best paper award runner-up at the 14th International Conference on Availability, Reliability and Security (ARES 2019). This conference has brought together researchers and practitioners in the area of dependability since 2006. It highlights various aspects of security, with a special focus on the crucial linkage between availability, reliability and security.
In the C4e project, we are building upon these results to research more effective methods for network defense, traffic monitoring, and host behavior modeling. If you are interested in cybersecurity, follow us on our website: https://c4e.cz/.
References and Where to Learn More
How to Cite This Paper
SMERIGA, Juraj and Tomáš JIRSÍK. Behavior-Aware Network Segmentation using IP Flows. In Proceedings of the 14th International Conference on Availability, Reliability and Security. New York, NY, USA: ACM, 2019. p. 1-9, ISBN 978-1-4503-7164-3. doi: http://dx.doi.org/10.1145/3339252.3339265