
Behavior-Based Network Access Control: A Proof-of-Concept

Conference paper, Information Security (ISC 2008)

Part of the book series: Lecture Notes in Computer Science (LNISA, volume 5222)
Abstract

Current NAC technologies implement a pre-connect phase, in which the status of a device is checked against a set of policies before it is granted access to a network, and a post-connect phase, which examines whether the device complies with the policies that correspond to its role in the network. In order to enhance current NAC technologies, we propose a new architecture based on behaviors rather than roles or identity, where the policies are automatically learned and updated over time by the members of the network in order to adapt to behavioral changes of the devices. Behavior profiles may be presented as identity cards that can change over time. By incorporating an Anomaly Detector (AD) into the NAC server or into each of the hosts, their behavior profiles are modeled and used to determine the types of behavior that should be accepted within the network. These models constitute behavior-based policies. In our enhanced NAC architecture, global decisions are made using a group voting process. Each host's behavior profile is used to compute a partial decision for or against the acceptance of a new profile or traffic. The aggregation of these partial votes amounts to the model-group decision. This voting process makes the architecture more resilient to attacks: even after accepting a certain percentage of malicious devices, the enhanced NAC is able to compute an adequate decision. We provide proof-of-concept experiments of our architecture using web traffic from our department network. Our results show that the model-group decision approach based on behavior profiles has a 99% detection rate of anomalous traffic with a false positive rate of only 0.005%. Furthermore, the architecture achieves short latencies for both the pre- and post-connect phases.
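As an added illustration of the group voting process the abstract describes (this is not code from the paper), each host's anomaly detector is modeled as a set of byte n-grams learned from that host's own normal traffic, each host casts a partial vote on new traffic, and a strict majority of those votes is the model-group decision. The n-gram scoring, the 0.5 threshold, the majority rule, the "compromised host always votes accept" behavior and the sample traffic are all assumptions made for the example; it also shows the decision staying correct while fewer than half the voters are compromised.

```python
from typing import Iterable, List, Tuple

N = 3  # n-gram length (assumption; the paper's AD internals are not in the abstract)

def ngrams(payload: bytes, n: int = N) -> set:
    """All byte n-grams present in a payload."""
    return {payload[i:i + n] for i in range(len(payload) - n + 1)}

class HostAD:
    """One host's behavior profile: the n-grams seen in its own normal traffic."""
    def __init__(self, training: Iterable[bytes], threshold: float = 0.5,
                 compromised: bool = False):
        self.seen = set().union(*(ngrams(p) for p in training))
        self.threshold = threshold
        self.compromised = compromised  # assumed: a subverted host always votes 'accept'

    def score(self, payload: bytes) -> float:
        """Fraction of the payload's n-grams never seen in training (0.0 = fully familiar)."""
        g = ngrams(payload)
        return len(g - self.seen) / len(g) if g else 0.0

    def vote(self, payload: bytes) -> bool:
        """Partial decision of this host: True means 'accept this traffic'."""
        return True if self.compromised else self.score(payload) < self.threshold

def group_decision(hosts: List[HostAD], payload: bytes) -> bool:
    """Model-group decision: accept only if a strict majority of hosts accept."""
    return 2 * sum(h.vote(payload) for h in hosts) > len(hosts)

# Constructed sample traffic (not from the paper's department dataset).
NORMAL = [b"GET /index.html HTTP/1.1\r\nHost: example.org\r\n\r\n",
          b"GET /images/logo.png HTTP/1.1\r\nHost: example.org\r\n\r\n",
          b"GET /about.html HTTP/1.1\r\nHost: example.org\r\n\r\n"]
BENIGN_NEW = b"GET /contact.html HTTP/1.1\r\nHost: example.org\r\n\r\n"  # unseen URL, familiar shape
ANOMALOUS = bytes(range(200, 230))  # binary junk that never appears in the text traffic

def demo(compromised: int, n_hosts: int = 10) -> Tuple[bool, bool]:
    """Group decisions on (benign, anomalous) traffic with `compromised` hosts voting blindly."""
    hosts = [HostAD(NORMAL, compromised=(i < compromised)) for i in range(n_hosts)]
    return group_decision(hosts, BENIGN_NEW), group_decision(hosts, ANOMALOUS)

if __name__ == "__main__":
    for bad in (0, 4, 6):
        print(f"{bad}/10 compromised hosts -> (benign accepted, anomalous accepted) = {demo(bad)}")
```

With 4 of 10 hosts compromised the anomalous payload is still rejected; at 6 of 10 the majority flips and the group wrongly accepts it, which is the resilience bound this simple majority rule provides.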


Editor information

Tzong-Chen Wu Chin-Laung Lei Vincent Rijmen Der-Tsai Lee


Copyright information

© 2008 Springer-Verlag Berlin Heidelberg


Cite this paper

Frias-Martinez, V., Stolfo, S.J., Keromytis, A.D. (2008). Behavior-Based Network Access Control: A Proof-of-Concept. In: Wu, TC., Lei, CL., Rijmen, V., Lee, DT. (eds) Information Security. ISC 2008. Lecture Notes in Computer Science, vol 5222. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-85886-7_12


  • DOI: https://doi.org/10.1007/978-3-540-85886-7_12

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-85884-3

  • Online ISBN: 978-3-540-85886-7
