By Topic

Users' Behavior Character Analysis and Classification Approaches in Enterprise Networks

Sign In

Cookies must be enabled to login.After enabling cookies , please use refresh or reload or ctrl+f5 on the browser for the login options.

Formats Non-Member Member
$31 $13
Learn how you can qualify for the best price for this item!
Become an IEEE Member or Subscribe to
IEEE Xplore for exclusive pricing!
close button

puzzle piece

IEEE membership options for an individual and IEEE Xplore subscriptions for an organization offer the most affordable access to essential journal articles, conference papers, standards, eBooks, and eLearning courses.

Learn more about:

IEEE membership

IEEE Xplore subscriptions

4 Author(s)
Tao Qin ; SKLMS Lab., Xian Jiaotong Univ., Xian, China ; Xiaohong Guan ; Yi Long ; Wei Li

Userspsila character analysis and control are important for enterprise network management and security. In this paper, we propose a novel method to classify the userspsila behaviors into different security levels and control their behaviors with corresponding strategies. Firstly, Dflow model and several traffic features, including the number of packets, number of flows, flow durations, etc., are proposed to capture the userspsila characters. They are obtained from different layers of the OSI communication model, such as the network layer and transport layer. Secondly, we define scores for userspsila behaviors according to their traffic patterns using a flexible method with adjustable weight factors, and different monitoring aims can be achieved by adjusting the weight factors. Based on the behavior score, the userspsila behaviors are classified into three security levels: low-dangerous, mid-dangerous and high-dangerous levels. Finally, the mid (high)-dangerous userspsila behaviors are controlled by a dynamic quarantine method based on the principle of ldquoassume guilty before proven innocentrdquo. We quarantine a user whenever its behavior is classified into the mid (high)-dangerous levels by blocking its traffic. Then the quarantine is released after a short time, even if the users have not been inspected by security managers yet. In this way, we can remove the potential threats from the monitoring network without interfering the userspsila normal activities severely. The experimental results based on actual traffic data show that the methods proposed in this paper are simple, flexible and of high accuracy, which can be used for real-time enterprise network monitoring and management.

Published in:

Computer and Information Science, 2009. ICIS 2009. Eighth IEEE/ACIS International Conference on

Date of Conference:

1-3 June 2009