By Topic

A Network Access Control Mechanism Based on Behavior Profiles

Sign In

Cookies must be enabled to login.After enabling cookies , please use refresh or reload or ctrl+f5 on the browser for the login options.

Formats Non-Member Member
$33 $13
Learn how you can qualify for the best price for this item!
Become an IEEE Member or Subscribe to
IEEE Xplore for exclusive pricing!
close button

puzzle piece

IEEE membership options for an individual and IEEE Xplore subscriptions for an organization offer the most affordable access to essential journal articles, conference papers, standards, eBooks, and eLearning courses.

Learn more about:

IEEE membership

IEEE Xplore subscriptions

4 Author(s)

Current network access control (NAC) technologies manage the access of new devices into a network to prevent rogue devices from attacking network hosts or services. Typically, new devices are checked against a set of manually defined policies (rules) before being granted access by the NAC enforcer. The main difficulty with this approach lies in the generation and update of new policies manually as time elapses and all devices have to reestablish their access rights. The BB-NAC mechanism was the first to introduce a novel behavior-based network access control architecture based on behavior profiles and not rules, where behavior-based access control policies were automatically generated. As originally presented, BB-NAC relied on manually pre-determined clusters of behavior which required human intervention and prevented the fully automation of the mechanism. In this paper, we present an enhanced BB-NAC mechanism that fully automatizes the creation of clusters of behavior. The access control is enhanced with the incorporation of automatic behavior clustering, which improves the intrusion detection capabilities by allowing for a more fine-grained definition of normal behavior. Apart from the lack of automatic clustering, the original BB-NAC overlooked the evolution of the mechanism as new behavior profiles were computed over time. As part of our enhancements, we also present an incremental-learning algorithm that automatically updates the behavior-based access control policies. We show that the algorithm is resilient to compromised or fabricated profiles trying to manipulate the policies. We provide extensive experiments with real user profiles computed with their network flows processed from Cisco NetFlow logs captured at our host institution. Our results show that behavior-based access control policies enhance conventional NAC technologies. Specifically, we achieve true rejection rates of 95% for anomalous user profiles separated by one standard deviation from the nor- mal user network behavior. In addition, we also show that the enhanced mechanism can differentiate between normal changes in the behavior profiles (concept drift) and attacks.

Published in:

Computer Security Applications Conference, 2009. ACSAC '09. Annual

Date of Conference:

7-11 Dec. 2009