Behavior-Based Admission and Access Control
Current solutions for network admission and access control
typically employ manually fixed rules or roles.
Admission control is based on sets of rules (policies) manually
specified by the network administrator to determine the requirements
that a user must meet in order to be granted access
to the network. Inside the network, each user is assigned
a fixed role that allows access to specific resources in the network.
Access control ensures that users act according to their fixed role.
However, networks have evolved into dynamic environments where new
policies or user roles need to be created and updated at a very fast pace.
Unfortunately, performing these tasks manually at a high frequency
becomes very demanding.
Ideally, we seek a solution that can create and update roles and
policies automatically, without a human in the loop.
This project presents a new admission and access control mechanism
based on behavior rather than fixed roles or sets of rules.
This mechanism employs behavior profiles of network users, modeled by an Anomaly Detection (AD) sensor,
to automatically compute and update
behavior-based policies for admission and access control.
Each user's behavior profile issues a partial decision for or against
the admission of new users to the network.
The aggregation of these partial decisions
constitutes the behavior-based policy for the admission control.
This new strategy enhances current admission control mechanisms
by automatically creating and updating admission control policies without human intervention.
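
A minimal sketch of the aggregation described above, added here as an illustration and not taken from the project's code or papers. The byte-histogram profile, the Manhattan distance, the 0.6 threshold and the majority quorum are all assumptions; the page does not specify them.

```python
from collections import Counter

def profile(payloads):
    """Toy content-based behavior profile: normalized byte-frequency histogram."""
    counts = Counter(b for p in payloads for b in p)
    total = sum(counts.values())
    return {byte: n / total for byte, n in counts.items()}

def distance(p, q):
    """Manhattan distance between two histograms (0 = identical, 2 = disjoint)."""
    return sum(abs(p.get(b, 0.0) - q.get(b, 0.0)) for b in set(p) | set(q))

def partial_decision(member_profile, newcomer_profile, threshold=0.6):
    """One member's vote: True (admit) if the newcomer fits that member's model."""
    return distance(member_profile, newcomer_profile) <= threshold

def admit(member_profiles, newcomer_profile, quorum=0.5, threshold=0.6):
    """Aggregate the partial decisions; admit when more than `quorum` vote yes."""
    if not member_profiles:
        return False, []  # fail closed: no profile can vouch for the newcomer
    votes = [partial_decision(m, newcomer_profile, threshold)
             for m in member_profiles]
    return sum(votes) / len(votes) > quorum, votes

def request(name):
    """Constructed sample payload (hypothetical traffic, not the papers' data)."""
    return b"GET /" + name + b".html HTTP/1.1"

# Constructed profiles of three users already inside the network.
MEMBERS = [
    profile([request(b"index"), request(b"about")]),
    profile([request(b"login"), request(b"video")]),
    profile([request(b"press"), request(b"forum")]),
]
SIMILAR = profile([request(b"staff")])            # behaves like the members
DIFFERENT = profile([bytes(range(128, 256))])     # binary payload, no overlap

if __name__ == "__main__":
    print("similar newcomer:  ", admit(MEMBERS, SIMILAR))
    print("different newcomer:", admit(MEMBERS, DIFFERENT))
```

The policy here is nothing more than the current set of member profiles, so it changes whenever a profile is retrained, with no rule edited by hand.
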
Apart from admission control, behavior profiles are also responsible for the
access control policies. Since behavior profiles represent a declaration of
intent of behavior, users that drift from their behavior profiles are either
under attack or are trying to get access to unauthorized services.
This enables our mechanism to efficiently detect any type of anomalous
behavior in real time while automatically generating new access control policies.
Identifying Clusters of Behavior
In order to achieve more refined admission and access control policies, we
provide a fully automatic clustering technique that identifies groups of network users
that behave similarly. These clusters of behavior profiles are used during admission and access control
to guarantee that only similar behavior profiles participate in the decision.
Additionally, we present an algorithm to preserve the robustness of the behavior-based mechanism
over time. The algorithm differentiates between concept drift and attacks intended to manipulate
the clusters of behavior profiles.
Centralized and Distributed Environments
We lay out deployments of the behavior-based mechanism for two different
network architectures: Network Access Control (NAC) technologies and Mobile Ad-Hoc Networks (MANETs).
NAC technologies represent centralized networks where the admission and access control is generally
executed on NAC enforcers located at the edge of the network.
On the other hand, MANETs are fully distributed networks with no central or
base station. As a result, the admission and access control mechanisms are performed by the individual
users themselves.
While the architectures are vastly different in configuration, we establish empirical evidence and
demonstrate that the behavior-based mechanism can
successfully detect anomalous behavior during admission and access control in both types of architectures.
Mechanism Evaluation
To evaluate the feasibility of the mechanism with different types of AD sensors,
we analyze its performance with content and volumetric sensors that characterize
the payload and other relevant features of the traffic exchanged by a user.
Using real traffic collected from wired and wireless networks, we show that
the behavior-based mechanism accurately performs admission and access control
with the two types of AD sensors.
Papers
- Vanessa Frias-Martinez, Salvatore J. Stolfo, Angelos D. Keromytis. "Behavior-Profile Clustering for False Alert Reduction in Anomaly Detection Sensors". In Proceedings of the Annual Computer Security Applications Conference (ACSAC), 2008. [PDF]
- Vanessa Frias-Martinez, Salvatore J. Stolfo, Angelos D. Keromytis. "Behavior-Based Network Access Control: A Proof-of-Concept". In Proceedings of the 11th Information Security Conference (ISC), 2008. [PDF]
- Vanessa Frias-Martinez, Salvatore J. Stolfo, Angelos D. Keromytis. "BARTER: Profile Model Exchange for Behavior-Based Access Control and Communication Security in MANETs". Tech Report cucs-036-07, Department of Computer Science, Columbia University. [PDF]
- Gabriela F. Cretu, Janak J. Parekh, Ke Wang, Salvatore J. Stolfo. "Intrusion and Anomaly Detection Model Exchange for Mobile Ad-Hoc Networks". To appear, Proceedings of IEEE Consumer Communications and Networking Conference, Jan 2006. [PDF]