Enhancing Network Security: Host Trustworthiness Estimation

  • Tomáš Jirsík
  • Pavel Čeleda
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8508)


Network-connected devices have become an inherent part of our lives. These devices have become increasingly mobile and are the target of various malware attacks. An inability to guarantee or check the proper security settings of such devices poses a serious risk to network security. In this paper we propose a novel concept of flow-based host trustworthiness estimation. The estimated trustworthiness determines the level of risk to network security that the host poses. This concept enables network operators to identify a potentially dangerous host in their network and take appropriate precautions. Models used for trustworthiness estimation are based on scoring either single events or host characteristics. To make it possible to estimate the trustworthiness of a host even in large-scale networks, the data used for estimation are reduced to extended network flows only. The research is in its initial phase and will conclude with a Ph.D. thesis in three years.


Keywords: network flow, host model, trustworthiness, scoring




Copyright information

© International Federation for Information Processing 2014

Authors and Affiliations

  • Tomáš Jirsík (1)
  • Pavel Čeleda (1)

  1. Institute of Computer Science, Masaryk University, Brno, Czech Republic
