A major goal of current computer network security systems is to protect the network from outside attackers; however, protecting the network from its own users is still an unattended problem. In campus area networks, the risk of having internal attacks is high because of their topologies and the amount of users. This work proposes a new approach to identify whether a network user is having or not a normal behavior, by analyzing host traffic using top-k ranking similarity measures. The result of this analysis could be an input of intrusion detection systems. The document presents an experiment where real-time traffic of different users in a campus area network is compared to a reference traffic that corresponds to one of them

Cervantes, Francisco

Parres-Peredo, Álvaro I.

Piza-Dávila, Hugo I.

English

Repositorio Institucional del ITESO

Towards a User Network Profiling for InternalSecurity using Top-K Rankings Similarity MeasuresAlvaro Parres-Peredo, Ivan Piza-Davila, Francisco CervantesDepartment of Electronics, Systems and InformaticsITESO - The Jesuit University of GuadalajaraTlaquepaque, Mexicoparres@iteso.mx,hpiza@iteso.mx,fcervantes@iteso.mxAbstract—A major goal of current computer network securitysystems is to protect the network from outside attackers; however,protecting the network from its own users is still an unattendedproblem. In campus area networks, the risk of having internalattacks is high because of their topologies and the amount ofusers. This work proposes a new approach to identify whether anetwork user is having or not a normal behavior, by analyzinghost traffic using top-k ranking similarity measures. The resultof this analysis could be an input of intrusion detection systems.The document presents an experiment where real-time trafficof different users in a campus area network is compared to areference traffic that corresponds to one of them.Keywords—computer network, network security, user profile,network traffic, top-k rankingsI. INTRODUCTIONOn current computer networks, traditional security methodslike firewalls, access control systems and simple IntrusionDetection Systems (IDS) are no longer enough to protectcomputer systems; day after day, intruders find new waysto attack computers and systems. This has given rise to theresearch and development of new security technology since1980, when Anderson proposed the first IDS approach [1].Nowadays, attackers use advanced techniques to go unde-tected by IDSs, including the following: IP address spoof,encrypted payload, or even social engineering techniques [2].A common symptom of an attack using these techniques isthat the host under attack is experiencing unexpected networkbehavior. This is why the use of profiles to determine whetherthe user is having the expected behavior or not has becomenecessary as a new way to detect intrusions.Many authors have proposed using network profiles [3]–[5].However, these works focus on the traffic at the border to buildthe profiles, losing visibility of internal attacks.In this work, we propose to build the user profile using thetraffic captured at the host or a nearby point, e.g., the switch atthe access layer. The proposed profile is built upon the remoteservices accessed by the host in real time, and treated as atop-k ranking. In order to determine whether the user behavesas expected, an attack-free user profile -normal-behavior- isThis work was supported in part by ITESOs Program for Academic LevelEnhancement (Programa de Superacin de Nivel Acadmico, PSNA) throughan assistantship granted to A. Parres-Peredobuilt a priori and compared with the current user profile bymeans of similarity measures for top-k rankings.In order to validate our approach, we have built a normal-behavior profile of a selected user, and then calculated simi-larities with the same user and with two others.The present document is organized as follows. Section IIpresents some works about user profiling and network trafficprofiling. Section III explains the proposed methodology indetail. Section IV contains the experimental results. Andfinally, Section V concludes the report and suggests somefuture work.II. RELATED WORKThe definition of network user profiles to represent networkbehavior has been part of the research into computer networksecurity.Kihl et al. [6] present a study of traffic analysis and charac-terization of Internet users to help understand Internet usageand the demands on broadband access. They use a commercialtool for capturing and classifying traffic according to Internetprotocols and applications. The authors conclude that Internetusage has changed from traditional WWW requests to a morecomplex use. Looking at Internet usage in 2010 they found thatmost of the traffic came from file-sharing protocols (74%),media streaming (7.6%), and web-traffic (5.5%). The trafficfor this work was collected from a Swedish municipal FTTHnetwork.Sing et al. [3] present an intrusion detection technique usingnetwork-traffic profiling and an extreme online sequentialmachine-learning algorithm. The proposed methodology usesone profiling procedure called alpha profiling that createsprofiles on the basis of protocol and service features, anda second profiling process, beta profiling, where the alphaprofiles are grouped to reduce the number of profiles. Theauthors conducted three different experiments: 1) using allfeatures and alpha profiling, 2) using only some featuresand alpha profiling, and 3) using only some features, alphaprofiling and beta profiling. The best results were obtainedfrom the last experiment using both profiling methods. Thedataset used for this work was NSL-KDD.A work that builds profiles of network prefixes instead ofusers is presented by Qin et al [4], who propose aggregatingtraffic based on network prefixes in order to reduce the amountof data to be processed, and then calculate clusters usinga k-means algorithm. Qin found that similar users producesimilar traffic; with this information, decisions about securityand management can be taken. The traffic used for this workwas captured at the CERNET backbone.A similar work is presented by Xu et al. [5], who proposed amethodology that analyzes Internet traffic. This methodologyfirst constructs bipartite graphs; after this, it generates one-mode projections; then, it builds a similarity matrix andgenerates clusters with a spectral clustering method; finally,it analyzes the clusters. The traffic used in this work wascaptured at the backbone of a large Internet service provider,aggregating the information using 24-bit length prefix net-works, and the network 5-tuple.As we can see, all the works presented here have used thetraffic captured at a point far from the end-user host, evenoutside the users local network, leaving the internal networksecurity unattended. On the other hand, the usage of profileshas proved to be viable to either identify or specify networkbehaviors.III. METHODOLOGY PROPOSEDThe proposed methodology has the goal of determining howsimilar the traffic captured in real time is to the traffic captureda priori in a controlled environment, i.e., the normal behavior.The network traffic is captured at the host. For each packetthe following data is collected: a) remote IP address, b)transport protocol, c) remote port and d) total length.A. Building normal user behaviorThis phase builds a user network profile called normalbehavior, which will be used as a reference for calculatingthe similarity factor. Fig. 1 shows the overall process at thisphaseNetwork traffic PSE,x is captured from user x’s host duringa period of time T in a secure environment in which we canguarantee that the host will be used only by the expected userand there are no malware, virus, Trojan or any other malicioussoftware installed. The period of time T must be long enoughto make sure that habitual tasks are registered.From PSE,x, a subset p that corresponds to the period oftime [t · · · t+ f ] is selected. From traffic p, a top-k ranking ofaccessed services is calculated using the total transferred bytesas weight measure of each service. The ranking is added toKx. This process is repeated while t is less than T . At theend of each iteration, t increases by ∆t, a value smaller thanf in order to produce overlaps in time frames.An extraction of a top-k ranking is illustrated in Fig. 2,where k = 10 and five time frames are listed.B. Capturing regular trafficIn this phase, regular traffic, PRT,x is captured in real timefrom the user x’s host during a period of time [t · · · t+ f ].Using this traffic, a top-k ranking is built and the best similarityfactor against every top-k ranking in Kx is calculated, asdescribed in the next section. This factor will be useful to de-termine whether the current traffic corresponds to the expectedusers normal network behavior. This process is repeated thenext time frame: t+ ∆t. Fig. 3 shows the flow chart of theprocess.C. Calculating best similarity factorThe purpose of this phase is to find out if the real-timetraffic captured during a period of time l[t · · · t+ f ] resemblesany traffic within the records of the normal behavior capturedduring a period of time of length f . Thus, a similarity factoris calculated between the top-k ranking of the real-time traffic(κx) and each of the top-k rankings stored in Kx. According tothis value, a decision might be taken about the correspondenceFig. 1. Building normal user behavior.Timeframe Top 1 · · · Top 10[t · · · t + f] 148.201.129.173:TCP80 ... 148.201.140.50:TCP80[t + ∆t · · · t + ∆t + f] 148.201.129.173:TCP80 ... 148.201.140.50:TCP80[t + 2∆t · · · t + 2∆t + f] 148.201.129.173:TCP80 ... 148.201.140.98:TCP339[t + 3∆t · · · t + 3∆t + f] 132.245.44.2:TCP443 ... 148.201.129.43:TCP80[t + 4∆t · · · t + 4∆t + f] 148.201.129.148:TCP443 ... 148.201.129.43:TCP80Fig. 2. Extraction of a top-k rankingof the current network traffic to the expected traffic. Fig. 4shows a diagram of this process.To compare each pair of top-k rankings, it is necessary touse a ranking similarity measure, but with the peculiarity thatthese top-k rankings are non-conjoint rankings; this means thatnot all elements of one of them are present in the other. Thus,we have explored two different measures: 1) Spearmans rho[7] and 2) Average Overlap [8]. We decide to use the secondmeasure because it produced better results. This measure, ingeneral, calculates for each d ∈ {1 · · · k} the overlap at d, andthen averages those overlaps to derive the similarity measure.Formally, the average overlap between two top-k lists canbe expressed as:AO(S, T, k) =1kk∑d=1AS,T,d (1)where S and T are top lists of k number of elements, andAS,T,d is defined as:AS,T,d =| S:d ∩ T:d |d(2)Fig. 3. Process of capture real-time traffic from user x.Fig. 4. Calculating best similarity factor.Fig. 5 shows an example where the Average Overlap (AO)between two top-5 lists is calculated.IV. EXPERIMENTS AND RESULTSA. Experiment setupThe experiment was carried out on a Campus Area Network(CAN) that has a 16-bit network; it has a Windows domaincontroller and uses a HTTP proxy. Campus applications in-clude web-apps and remote desktop apps. The email serviceis provided by Microsoft Exchange Server which was hostedoutside of the campus network.The target users were full-time professors, who had acomputer with two types of access to the network: a wiredaccess with a static IP address and a wireless access with adynamic IP address.Five full-time professors (hereafter denoted as users) wereselected for this experiment and, for each one, we generatedhis normal-behavior profile KA to KE , and then captured real-time traffic κA to κE .Different values of the parameters were evaluated: f =1, 5, 10minutes, ∆t = 10, 30, 60seconds, the number ofelements selected for the top-k rankings, k = 10, 25, 50, 100,and both measure functions.The best tuple < t, δt, k, Function > found was: t =5min, δt = 10sec, k = 10, AverageOverlap, becauseit accentuated the differences between AO(Kx, κx) and allAO(Kx, κy) where y are the rest of users.B. Capturing and processing trafficDuring a labor week, the normal behavior was capturedfrom each user’s computer. Before starting to capture, wechecked that no computers had any malicious software in-stalled. During this period only the owner user had access toeach computer. The average size of the traffic captured was 3gigabytes per user, involving more than four million packets.All the packets were processed as described in Section 3.A.On a different labor week, real-time traffic was capturedfrom the same computers. This traffic was processed asdescribed in Section 3.B and all the produced top-k were storedin a different collection for each user.C. Similarity calculation and resultsFrom each collection of top-k, two different 1000 top-k setswere selected randomly, κA1 , κA2 , · · ·, κE1 , κE2 . The bestsimilarity factor with respect to KA, · · ·, KE was found andd S:d T:d AS,T,d AO(S, T, d)1 < a > < x > 0.0000 0.00002 < ab > < xc > 0.0000 0.00003 < abc > < xcb > 0.6667 0.22224 < abcd > < xcby > 0.5000 0.29175 < abcde > < xcbye > 0.6000 0.3534Fig. 5. Similarity calculation of two top-5 lists using average overlap measure.plotted. Fig. 6 and 7 show respectively the similarity factorscorresponding to κB1 and κC1 against each normal-behaviorKA · · ·KE . We can see that users B and C exhibited a highersimilarity to their own normal behavior than the rest of theusers.Table I shows the average of the similarity factors ofeach evaluation set κA1 ,κA2 , · · ·, κE1 ,κE2 against all normalbehavior sets KA · · · KE . We can observe that the highestaverage of each evaluation set is found at the column thatcorresponds to the same user (main diagonal).V. CONCLUSION AND FUTURE WORKIn this work, we have proposed a methodology to determinehow similar the traffic captured in real time at a user hostκx, is to previously captured traffic, which we called normal00.10.20.30.40.50.60.70.80.91AO(KX,κc1,10)User A User B User C User D User EFig. 6. Similarity Factors of κB1 against KA to KE ordered by value00.10.20.30.40.50.60.70.80.91AO(KX,κc1,10)User A User B User C User D User EFig. 7. Similarity Factors of κC1 against KA to KE ordered by valueTABLE I. AVERAGE SIMILARITY FACTORSEvaluation Set KA KB KC KD KEκA1 0.516 0.434 0.401 0.312 0.267κA2 0.516 0.434 0.401 0.312 0.267κB1 0.571 0.920 0.555 0.389 0.322κB2 0.571 0.914 0.548 0.391 0.330κC1 0.273 0.419 0.855 0.189 0.354κC2 0.279 0.417 0.847 0.197 0.354κD1 0.295 0.179 0.247 0.446 0.293κD2 0.296 0.176 0.245 0.447 0.289κE1 0.263 0.336 0.364 0.194 0.553κE2 0.256 0.335 0.362 0.198 0.552behavior Kx. We present the results of the implementation ofthis methodology.An early conclusion from this work is that the proposeduser-network profile allows us to determine whether the cap-tured traffic corresponds to the expected user or not. In theresults of the experiments we can see that a users real-timetraffic has a higher similarity to his own normal-behavior thanthat of other users.From the charts, we can see that only few top-k rankingfrom κb1 and κc1 are identical to any top-k from KB and KC ,i.e., the similarity factor is 1.0. A possible reason for this isthat multiple IP addresses can be configured by the same hostor service, or the user does not actually do exactly the samething all the time. But we consider that the average similarityfactors obtained are good enough to differentiate between theexpected user and the others.In future work, the similarity factors obtained will beemployed by a real-time process that determines how likelyit is for the current traffic to belong (or not) to the expecteduser. More experiments are still necessary to determine theconsistency of the proposed methodology.REFERENCES[1] J. P. Anderson, “Computer Security Threat Monitoring And Surveillance,”NIST, Fort Washington, PA, Report Contract 79F296400, 1980.[2] Paul Wood, Ed., ISTR Internet Secuirty Threat Report. Symantec, Apr.2016.[3] R. Singh, H. Kumar, and R. K. Singla, “An intrusion detection systemusing network traffic profiling and online sequential extreme learningmachine,” Expert Systems with Applications, vol. 42, no. 22, pp. 8609–8624, Dec. 2015.[4] T. Qin, X. Guan, C. Wang, and Z. Liu, “MUCM: Multilevel User ClusterMining Based on Behavior Profiles for Network Monitoring,” IEEESystems Journal, vol. 9, no. 4, pp. 1322–1333, Dec. 2015.[5] K. Xu, F. Wang, and L. Gu, “Behavior analysis of internet traffic viabipartite graphs and one-mode projections,” IEEE/ACM Transactions onNetworking, vol. 22, no. 3, pp. 931–942, Jun. 2014.[6] M. Kihl, P. dling, C. Lagerstedt, and A. Aurelius, “Traffic analysisand characterization of Internet user behavior,” in 2010 InternationalCongress on Ultra Modern Telecommunications and Control Systems andWorkshops (ICUMT), Moscow, Oct. 2010, pp. 224–231.[7] R. Fagin, R. Kumar, and D. Sivakumar, “Comparing Top k Lists,” SIAMJournal on Discrete Mathematics, vol. 17, no. 1, pp. 134–160, Jan. 2003.[8] W. Webber, A. Moffat, and J. Zobel, “A Similarity Measure for IndefiniteRankings,” ACM Trans. Inf. Syst., vol. 28, no. 4, pp. 20:1–20:38, Nov.2010.

Towards a user network profiling for internal security using top-K rankings similarity measures

https://rei.iteso.mx/bitstream/11117/5009/5/Network%20Profiling%20for%20Internal%20Security.pdf

Towards a user network profiling for internal security using top-K rankings similarity measures

Abstract

Similar works

Full text

Available Versions

Repositorio Institucional del ITESO