The Cubicle vs. The Coffee Shop: Behavioral Modes in Enterprise End-Users
Traditionally, user traffic profiling is performed by analyzing traffic traces collected on behalf of the user at aggregation points located in the middle of the network. However, the modern enterprise network has a highly mobile population that frequently moves in and out of its physical perimeter. Thus an in-the-network monitor is unlikely to capture full user activity traces when users move outside the enterprise perimeter. The distinct environments, such as the cubicle and the coffee shop (among others), that users visit, may each pose different constraints and lead to varied behavioral modes. It is thus important to ask: is the profile of a user constructed in one environment representative of the same user in another environment?
In this paper, we answer in the negative for the mobile population of an enterprise. Using real corporate traces collected at nearly 400 end-hosts for approximately 5 weeks, we study how end-host usage differs across three environments: inside the enterprise, outside the enterprise but using a VPN, and entirely outside the enterprise network. Within these environments, we examine three types of features: (i) environment lifetimes, (ii) relative usage statistics of network services, and (iii) outlier detection thresholds as used for anomaly detection. We find significant diversity in end-host behavior across environments for many features, thus indicating that profiles computed for a user in one environment yield inaccurate representations of the same user in a different environment.
KeywordsAnomaly Detector Behavioral Mode Enterprise Network Packet Trace Inside Mode
Unable to display preview. Download preview PDF.
- 1.McDaniel, P., Sen, S., Spatscheck, O., der Merwe, J.V., Aiello, B., Kalmanek, C.: Enterprise security: A community of interest based approach. In: Proc. of Network and Distributed System Security (NDSS) (Feburary 2006)Google Scholar
- 2.Tan, G., Poletto, M., Guttag, J., Kaashoek, F.: Role classification of hosts within enterprise networks based on connection patterns. In: Proc. of the USENIX Annual Technical Conference 2003, USENIX, pp. 2–2 (2003)Google Scholar
- 3.Karagiannis, T., Papagiannaki, K., Taft, N., Faloutsos, M.: Profiling the end host. In: Passive and Active Measurement, pp. 186–196 (2007)Google Scholar
- 5.Bhatti, N., Bouch, A., Kuchinsky, A.: Integrating user-perceived quality into web server design. In: Proc. of the 9th International World Wide Web conference on Computer networks, pp. 1–16. North-Holland Publishing Co, Amsterdam (2000)Google Scholar
- 6.Pang, R., Allman, M., Bennett, M., Lee, J., Paxson, V., Tierney, B.: A first look at modern enterprise traffic. In: Proc. of the Internet Measurement Conference (IMC), pp. 2–2. ACM, New York (2005)Google Scholar
- 7.Bahl, P., Chandra, R., Greenberg, A., Kandula, S., Maltz, D.A., Zhang, M.: Towards highly reliable enterprise network services via inference of multi-level dependencies. In: Proc. of ACM SIGCOMM, New York, USA, pp. 13–24. ACM, New York (2007)Google Scholar
- 8.Biles, S.: Detecting the unknown with snort and the statistical packet anomaly detection engine (SPADE) Computer Security Online LtdGoogle Scholar
- 9.Jung, J., Paxson, V., Berger, A.W., Balakrishnan, H.: Fast portscan detection using sequential hypothesis testing. In: IEEE Symposium on Security and Privacy, p. 211 (2004)Google Scholar
- 10.Kreibich, C., Warfield, A., Crowcroft, J., Hand, S., Pratt, I.: Using Packet Symmetry to Curtail Malicious Traffic. In: Fourth Workshop on Hot Topics in Networks (HotNets-IV) (November 2005)Google Scholar