Behavior-Based Network Access Control: A Proof-of-Concept
Current NAC technologies implement a pre-connect phase, in which the status of a device is checked against a set of policies before it is granted access to a network, and a post-connect phase, which examines whether the device complies with the policies that correspond to its role in the network. To enhance current NAC technologies, we propose a new architecture based on behaviors rather than roles or identity, in which the policies are automatically learned and updated over time by the members of the network in order to adapt to behavioral changes of the devices. Behavior profiles may be presented as identity cards that can change over time. By incorporating an Anomaly Detector (AD) into the NAC server or into each of the hosts, we model the hosts' behavior profiles and use them to determine the types of behavior that should be accepted within the network. These models constitute behavior-based policies. In our enhanced NAC architecture, global decisions are made using a group voting process. Each host's behavior profile is used to compute a partial decision for or against the acceptance of a new profile or traffic. The aggregation of these partial votes amounts to the model-group decision. This voting process makes the architecture more resilient to attacks: even after accepting a certain percentage of malicious devices, the enhanced NAC is able to compute an adequate decision. We provide proof-of-concept experiments of our architecture using web traffic from our department network. Our results show that the model-group decision approach based on behavior profiles has a 99% detection rate of anomalous traffic with a false positive rate of only 0.005%. Furthermore, the architecture achieves short latencies for both the pre- and post-connect phases.
Keywords: Network Access Control Technologies Intrusion Detection Systems
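The group vote described in the abstract, sketched as an added example (not the paper's code). The 3-gram set model, the 0.3 per-host threshold, the simple-majority quorum and all class and function names are assumptions, and the sample requests are constructed.

```python
def ngrams(data: bytes, n: int = 3) -> set:
    """Distinct byte n-grams of one request."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}

class HostProfile:
    """Assumed behavior profile: the n-grams a host saw in its own traffic."""
    def __init__(self, training, threshold=0.3):
        self.threshold = threshold
        self.seen = set().union(*(ngrams(r) for r in training))

    def score(self, traffic: bytes) -> float:
        """Fraction of the request's n-grams this host has never seen."""
        grams = ngrams(traffic)
        return len(grams - self.seen) / len(grams) if grams else 1.0

    def vote(self, traffic: bytes) -> bool:
        """Partial decision: True means 'accept'."""
        return self.score(traffic) <= self.threshold

class CompromisedHost:
    """A malicious member that was admitted and now votes to accept everything."""
    def vote(self, traffic: bytes) -> bool:
        return True

def accept_fraction(members, traffic: bytes) -> float:
    """Share of members whose partial vote is 'accept'."""
    return sum(m.vote(traffic) for m in members) / len(members)

def group_decision(members, traffic: bytes, quorum: float = 0.5) -> bool:
    """Model-group decision: accept only if more than `quorum` of members accept."""
    return accept_fraction(members, traffic) > quorum

# Constructed sample traffic (not from the paper's data set).
SITE = [b"GET /index.html HTTP/1.1", b"GET /courses/list.html HTTP/1.1",
        b"GET /people/faculty.html HTTP/1.1", b"GET /research/labs.html HTTP/1.1"]
HONEST = [HostProfile([SITE[0], SITE[1 + i % 3]]) for i in range(5)]
NORMAL = SITE[0]
ANOMALOUS = b"GET /" + bytes(range(128, 200))  # high-byte run no host has seen

if __name__ == "__main__":
    for bad in (0, 2, 6):
        members = HONEST + [CompromisedHost() for _ in range(bad)]
        print(bad, "compromised:",
              "normal ->", group_decision(members, NORMAL),
              "| anomalous ->", group_decision(members, ANOMALOUS),
              f"(accept fraction {accept_fraction(members, ANOMALOUS):.2f})")
```

In this sketch the anomalous request is still rejected with 2 of 7 members compromised, and is accepted only once compromised members outnumber honest ones (6 of 11).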