Behavior-Based Admission and Access Control

Current solutions for network admission and access control typically employ manually fixed rules or roles. Admission control is based on sets of rules (policies) manually specified by thenetwork administrator to determine the requirements that have to be met by a user in order to be granted access into the network. Inside the network, each user is assigned a fixed role that allows access to specific resources in the network. Access control ensures that users will act according to their fixed role. However, networks have evolved into dynamic environments where new policies or user roles need to be created and updated at a very fast pace. Unfortunately, performing these tasks manually at a high frequency becomes a very demanding proposition. Ideally, we seek a solution that can create and update roles and policies automatically without the inception of a human in the loop.

This project presents a new admission and access control mechanism based on behavior rather than fixed roles or sets of rules. This mechanism employs behavior profiles of network users, modeled by an Anomaly Detection (AD) sensor, to automatically compute and update behavior-based policies for admission and access control. Each user's behavior profile issues a partial decision for or against the admission of new users to the network. The aggregation of these partial decisions constitutes the behavior-based policy for the admission control. This new strategy enhances current admission control mechanisms by automatically creating and updating admission control policies without human intervention. Apart from admission control, behavior profiles are also responsible for the access control policies. Since behavior profiles represent a declaration of intent of behavior, users that drift from their behavior profiles are either under attack or are trying to get access to unauthorized services. This enables our mechanism to efficiently detect any type of anomalous behavior in real time while automatically generating new access control policies.

Identifying Clusters of Behavior

In order to achieve more refined admission and access control policies, we provide a fully automatic clustering technique that identifies groups of network users that behave similarly. These clusters of behavior profiles are used during admission and access control to guarantee that only similar behavior profiles participate in the decision. Additionally, we present an algorithm to preserve the robustness of the behavior-based mechanism over time. The algorithm differentiates between concept drift and attacks intended to manipulate the clusters of behavior profiles.

Centralized and Distributed Environments

We lay out deployments of the behavior-based mechanism for two different network architectures: Network Access Control (NAC) technologies and Mobile Ad-Hoc Networks (MANETs). NAC technologies represent centralized networks where the admission and access control is generally executed on NAC enforcers located at the edge of the network. On the other hand, MANETs are fully distributed networks with no central or base station. As a result, the admission and access control mechanisms are performed by the individual users themselves. While the architectures are vastly different in configuration, we establish empirical evidence and demonstrate that the behavior-based mechanism can successfully detect anomalous behavior during admission and access control in both types of architectures.

Mechanism Evaluation

To evaluate the feasibility of the mechanism with different types of AD sensors, we analyze its performance with content and volumetric sensors that characterize the payload and other relevant features of the traffic exchanged by a user. Using real traffic collected from wired and wireless networks, we show that the behavior-based mechanism accurately performs admission and access control with the two types of AD sensors.

• Vanessa Frias-Martinez, Salvatore J. Stolfo, Angelos D. Keromytis "Behavior-Profile Clustering for False Alert Reduction in Anomaly Detection Sensors" In Proceedings of the Annual Computer Security Applications Conference (ACSAC), 2008. [PDF]
• Vanessa Frias-Martinez, Salvatore J. Stolfo, Angelos D. Keromytis "Behavior-Based Network Access Control: A Proof-of-Concept" In the Proceedings of the 11th Information Security Conference (ISC), 2008. [PDF]
• Vanessa Frias-Martinez, Salvatore J. Stolfo, Angelos D. Keromytis "BARTER: Profile Model Exchange for Behavior-Based Access Control and Communication Security in MANETs" Tech Report cucs-036-07 , Department of Computer Science, Columbia University  [PDF]
• Gabriela F. Cretu, Janak J. Parekh, Ke Wang, Salvatore J. Stolfo "Intrusion and Anomaly Detection Model Exchange for Mobile Ad-Hoc Networks" to appear. Proceddings of IEEE Consumer Communications and Networking Conference. Jan 2006 [PDF]

Sponsors: