Exploring the Behavior of a Host to Improve Network Security
How to divide a network into security segments based on network behavior?
Protecting a computer network is a cat-and-mouse game with the attackers. The attacks are getting more sophisticated, targeted, and more challenging to defend against. The spending on the protection of the network increases year by year.
In this situation, we investigate how to apply modern techniques to the traditional network security measures to automate network defense, improve network security, and reduce the network protection costs. We use machine learning approaches in combination with the observation of host behavior in a network to provide a novel and automated approach to network defense.
We inspect the possibilities of behavior-aware network segmentation using IP flows and machine learning approaches that would identify segments automatically, even in a complex network. Namely, we
- evaluate the suitability of clustering algorithms for the identification of behavior-consistent segments in a network. We show that the clustering algorithms can identify relevant behavior-consistent clusters that overlap with those identified manually by experts.
- investigate the assignment of an unknown host to an existing segment. We evaluate the performance of four different classification mechanisms on a real-world dataset. We show that it is possible to assign an unknown host to an appropriate network segment with up to 92% precision.
- release the whole dataset and experiment steps available for public use.
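The two steps above, clustering hosts by their observed flow behavior and then placing an unknown host into one of the resulting segments, can be sketched in a few dozen lines. The following is an added illustration, not code from the paper or from the CSIRT-MU repository: the flow records are constructed, the four per-host features (share of flows as destination, share of DNS flows, share of web flows, number of distinct peers) are one possible choice rather than the paper's feature set, the clustering is plain k-means with deterministic farthest-first seeding, and the unknown host is assigned to the nearest cluster centroid, which is only one of several classification mechanisms one could evaluate.

```python
"""Behavior-aware segmentation from IP flows (added example, not the paper's code).

Constructed flow records -> per-host behavior features -> k-means segments
-> assign a previously unseen host to the nearest segment centroid.
"""
from collections import defaultdict
from math import sqrt

# Constructed, simplified IP flow records: (src, dst, dst_port, bytes).
FLOWS = [
    # workstations browsing the web and resolving names through 10.0.0.53
    ("10.0.1.10", "93.184.216.34", 443, 52000), ("10.0.1.10", "10.0.0.53", 53, 120),
    ("10.0.1.10", "151.101.1.69", 80, 30000), ("10.0.1.10", "10.0.0.53", 53, 110),
    ("10.0.1.11", "93.184.216.34", 443, 48000), ("10.0.1.11", "10.0.0.53", 53, 130),
    ("10.0.1.11", "172.217.16.78", 443, 61000), ("10.0.1.11", "10.0.0.53", 53, 115),
    # the "unknown" workstation whose segment we want to predict
    ("10.0.1.12", "151.101.1.69", 443, 45000), ("10.0.1.12", "10.0.0.53", 53, 125),
    ("10.0.1.12", "93.184.216.34", 80, 28000), ("10.0.1.12", "10.0.0.53", 53, 118),
    # web servers receiving connections from external clients
    ("198.51.100.7", "10.0.2.80", 443, 9000), ("198.51.100.8", "10.0.2.80", 443, 8800),
    ("198.51.100.9", "10.0.2.80", 80, 7000), ("198.51.100.10", "10.0.2.80", 443, 9400),
    ("198.51.100.11", "10.0.2.81", 443, 9100), ("198.51.100.12", "10.0.2.81", 443, 8700),
    ("198.51.100.13", "10.0.2.81", 80, 7100), ("198.51.100.14", "10.0.2.81", 443, 9300),
]
# Hosts whose segment membership is treated as known (hypothetical inventory).
KNOWN_HOSTS = ["10.0.0.53", "10.0.1.10", "10.0.1.11", "10.0.2.80", "10.0.2.81"]


def host_features(flows):
    """Aggregate flows into one behavior vector per host.

    Features: share of flows where the host is the destination (server-like
    behavior), share of flows on port 53, share of flows on ports 80/443,
    and the number of distinct communication peers.
    """
    total, as_dst, dns, web = (defaultdict(int) for _ in range(4))
    peers = defaultdict(set)
    for src, dst, port, _size in flows:
        for host, peer in ((src, dst), (dst, src)):
            total[host] += 1
            dns[host] += int(port == 53)
            web[host] += int(port in (80, 443))
            peers[host].add(peer)
        as_dst[dst] += 1
    return {h: (as_dst[h] / total[h], dns[h] / total[h],
                web[h] / total[h], len(peers[h])) for h in total}


def fit_scaler(vectors):
    """Min-max bounds per feature, learned from the known hosts only."""
    dims = len(vectors[0])
    lo = [min(v[i] for v in vectors) for i in range(dims)]
    hi = [max(v[i] for v in vectors) for i in range(dims)]
    return lo, hi


def scale(vec, scaler):
    lo, hi = scaler
    return tuple((x - l) / (h - l) if h > l else 0.0 for x, l, h in zip(vec, lo, hi))


def dist(a, b):
    return sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def nearest(vec, centroids):
    """Index of the closest centroid (nearest-centroid classification)."""
    return min(range(len(centroids)), key=lambda i: dist(vec, centroids[i]))


def kmeans(points, k, rounds=100):
    """Plain k-means; points is a dict host -> scaled vector.

    Seeding is farthest-first from the lexically smallest host, so the
    result is deterministic. Returns (labels, centroids).
    """
    names = sorted(points)
    centroids = [points[names[0]]]
    while len(centroids) < k:
        far = max(names, key=lambda n: min(dist(points[n], c) for c in centroids))
        centroids.append(points[far])
    labels = {}
    for _ in range(rounds):
        labels = {n: nearest(points[n], centroids) for n in names}
        new = []
        for i in range(k):
            members = [points[n] for n in names if labels[n] == i]
            # an empty cluster keeps its previous centroid
            new.append(tuple(sum(col) / len(members) for col in zip(*members))
                       if members else centroids[i])
        if new == centroids:
            break
        centroids = new
    return labels, centroids


def segment(flows, known_hosts, unknown_host, k):
    """Cluster known hosts into behavior segments and place an unknown host."""
    feats = host_features(flows)
    scaler = fit_scaler([feats[h] for h in known_hosts])
    points = {h: scale(feats[h], scaler) for h in known_hosts}
    labels, centroids = kmeans(points, k)
    clusters = defaultdict(set)
    for host, label in labels.items():
        clusters[label].add(host)
    unknown_label = nearest(scale(feats[unknown_host], scaler), centroids)
    return dict(clusters), unknown_label


if __name__ == "__main__":
    clusters, label = segment(FLOWS, KNOWN_HOSTS, "10.0.1.12", k=3)
    for cid, hosts in sorted(clusters.items()):
        print(f"segment {cid}: {sorted(hosts)}")
    print(f"10.0.1.12 assigned to segment {label}: {sorted(clusters[label])}")
```

With the constructed flows the three segments that fall out are the DNS resolver, the two web servers and the two workstations, and the held-out host 10.0.1.12 lands in the workstation segment. In a real deployment the features would be computed over a time window of collected IP flows, the scaler and centroids would be fitted on hosts whose segment an operator has confirmed, and an assignment far from every centroid is itself worth surfacing, since a host whose behavior matches no known segment is exactly what the segmentation is meant to make visible.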
For this publication, we received the best paper award runner-up at the 14th International Conference on Availability, Reliability and Security (ARES 2019). This conference brings together researchers and practitioners in the area of dependability since 2006. The conference highlights various aspects of security – with special focus on the crucial linkage between availability, reliability and security.
In the C4e project, we are building upon these results to research more effective methods for network defense, traffic monitoring, and host behavior modeling. If you are interested in cybersecurity, follow us on our website: https://c4e.cz/.
References and Where to Learn More
- Full paper: https://is.muni.cz/publication/1550656/2019-ARES-behavior-aware-network-segmentation-IP-flows.pdf
- Slides: https://is.muni.cz/publication/1550656/2019-ARES-behavior-aware-network-segmentation-IP-flows-presentation.pdf
- Github repository: https://github.com/CSIRT-MU/BehaviorNetworkSegmentation
- Free Dataset: https://zenodo.org/record/2669079
How to Cite This Paper
SMERIGA, Juraj and Tomáš JIRSÍK. Behavior-Aware Network Segmentation using IP Flows. In Proceedings of the 14th International Conference on Availability, Reliability and Security. New York, NY, USA: ACM, 2019. p. 1-9, ISBN 978-1-4503-7164-3. doi: http://dx.doi.org/10.1145/3339252.3339265
Mapping the Landscape of Cybersecurity Education
How Is Cybersecurity Taught and How Is It Backed by Research?
C4e participated in the Cyberspace conference
C4e is the co-organizer of the annual international conference Cyberspace (cyberspace.muni.cz), which deals with social and legal issues related to new technologies.
C4e is a part of CONCORDIA H2020 project
CONCORDIA is a Horizon 2020 project that aims to integrate European cyber security competencies to strengthen European digital sovereignty and cybersecurity. One of the project consortium members is Masaryk University, specifically C4e.
Czech ICT law
On September 20 and 21, the Institute of Law and Technology of the Faculty of Law of MU, which cooperates with C4e, organizes the conference Czech Law and Information Technology.