Context-Aware Network Security.
Sinha, Sushant
2009
Abstract: The rapid growth in malicious Internet activity, due to the rise of threats like
automated worms, viruses, and botnets, has driven the development of tools
designed to protect host and network resources. One approach that has gained
significant popularity is the use of network based security
systems. These systems are deployed on the network to detect, characterize and
mitigate both new and existing threats.
Unfortunately, these systems are developed and deployed in production networks
as generic systems, and little thought has been given to customization.
Even when it is possible to customize these devices, the approaches to
customization are largely manual or ad hoc. Our observation of production
networks suggests that these networks have significant diversity in end-host
characteristics, threat landscape, and traffic behavior, a collection of
features that we call the security context of a network. The scale and
diversity of the security context in production networks make manual or ad hoc
customization of security systems difficult. Our thesis is that automated
adaptation to the security context can be used to significantly improve the
performance and accuracy of network-based security systems.
In order to evaluate our thesis, we explore a system from three broad categories
of network-based security systems: known threat detection, new threat detection,
and reputation-based mitigation. First, for known threat detection, we examine a
signature-based intrusion detection system and show that its performance
improves significantly if it is aware of the signature set and the traffic
characteristics of the network. Second, we explore a large collection of
honeypots (a honeynet) used to detect new threats. We show that the
operating system and application configurations in the network affect honeynet
accuracy, and that adapting to the surrounding network provides a significantly better
view of the threats to the network. Last, we apply our context-aware approach to a
reputation-based system for spam blacklist generation and show how traffic
characteristics on the network can be used to significantly improve its
accuracy.
We conclude with the lessons learned from our experience adapting to network
security context and with future directions for adapting network-based security
systems to the security context.