Enhancing Network Security: Host Trustworthiness Estimation

  • Tomáš Jirsík
  • Pavel Čeleda
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8508)


Network-connected devices have become an inherent part of our lives. These devices are increasingly mobile and are targets of various malware attacks. An inability to guarantee or check the proper security settings of such devices poses a serious risk to network security. In this paper we propose a novel concept of flow-based host trustworthiness estimation. The estimated trustworthiness determines the level of risk that the host poses to network security. This concept enables network operators to identify a potentially dangerous host in their network and take appropriate precautions. The models used for trustworthiness estimation are based on scoring either single events or host characteristics. In order to estimate the trustworthiness of a host even in large-scale networks, the data used for estimation are reduced to extended network flows only. The research is in its initial phase and will conclude with a Ph.D. thesis in three years.


network flow host model trustworthiness scoring 



Copyright information

© International Federation for Information Processing 2014

Authors and Affiliations

  • Tomáš Jirsík (1)
  • Pavel Čeleda (1)
  1. Institute of Computer Science, Masaryk University, Brno, Czech Republic