Can the User Help? Leveraging User Actions for Network Profiling

Zorigtbaatar Chuluundorj, Curtis R. Taylor, R. Walls, Craig A. Shue
DOI: 10.1109/SDS54264.2021.9732164
Published in: 2021 Eighth International Conference on Software Defined Systems (SDS)
Publication date: 2021-12-06
Citations: 2

Abstract

Enterprises have difficulty gaining insight into the steps preceding anomalous activity on end-user machines. Enterprises may log events to later reconstruct anomalies, gain insight, and determine their causes. Unfortunately, most logs are low-level and lack contextual information, making manual inspection arduous. Accordingly, enterprises may fail to respond promptly to anomalies, leading to outages or security breaches. To help these enterprises, we monitor and log each user's interactions with the machine's user interface (UI) and link them to the resulting network flows. We design, implement, and evaluate an SDN system, called Harbinger, for the Microsoft Windows OS that provides user activity context for flows. Enterprises can use the context we gather to complement traditional analysis. We explore how Harbinger can help differentiate normal and abnormal network traffic. While IP or DNS host name profiling can have error rates between 29% and 38% for URL-based traffic, UI-aware sensors can reduce such errors to 0.2%. We further find that with the help of user action tracking, we can detect errant network traffic 99.1% of the time in our tests. Harbinger has good performance, introducing less than 6 milliseconds of delay in 95% of new network flows.
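The core idea the abstract sketches, attributing each new flow to the user action that preceded it and treating flows with no such action as the ones to inspect first, can be illustrated offline with a small simulation. The block below is an added example written for this page, not Harbinger's implementation or any code from the paper; the record fields, the 2-second attribution window, and the UI-event and flow samples are all constructed assumptions.

```python
"""Link new network flows to the user action that preceded them.

Added example (not the Harbinger code from the paper): a minimal, offline
simulation of the idea in the abstract. Two constructed logs are joined:
UI events (the user clicking or typing in a window) and new-flow events as
an endpoint agent or SDN controller would report them. A flow is attributed
to the most recent UI event from the same process within ATTRIBUTION_WINDOW
seconds; flows with no such action are flagged as unattributed. Field
names, the window length and the sample records are assumptions.
"""
from dataclasses import dataclass
from typing import Optional

ATTRIBUTION_WINDOW = 2.0  # seconds; assumed value, tune per deployment


@dataclass(frozen=True)
class UIEvent:
    ts: float      # seconds since an arbitrary epoch
    pid: int       # process whose window received the input
    window: str    # window title at the time of the action
    action: str    # e.g. "click", "keypress", "enter"


@dataclass(frozen=True)
class Flow:
    ts: float
    pid: int       # process that opened the connection
    dst: str       # destination host name or IP
    dport: int


# Constructed sample logs, not captured data.
UI_EVENTS = [
    UIEvent(100.0, 4242, "Login - Intranet Portal", "click"),
    UIEvent(100.4, 4242, "Login - Intranet Portal", "enter"),
    UIEvent(130.0, 5150, "Mail - Inbox", "click"),
]

FLOWS = [
    Flow(100.5, 4242, "portal.corp.example", 443),   # follows the 'enter'
    Flow(100.7, 4242, "cdn.assets.example", 443),    # page asset, same action
    Flow(131.1, 5150, "mail.corp.example", 993),     # follows the mail click
    Flow(205.0, 4242, "203.0.113.17", 4444),         # no user action at all
    Flow(130.9, 7777, "updates.example", 443),       # other pid, no UI event
]


def attribute(flow: Flow, ui_events: list[UIEvent]) -> Optional[UIEvent]:
    """Return the latest UI event from the flow's process within the window, or None."""
    candidates = [
        e for e in ui_events
        if e.pid == flow.pid and 0 <= flow.ts - e.ts <= ATTRIBUTION_WINDOW
    ]
    return max(candidates, key=lambda e: e.ts) if candidates else None


def link_flows(flows: list[Flow], ui_events: list[UIEvent]) -> list[tuple[Flow, Optional[UIEvent]]]:
    """Pair every flow with its attributed UI event (or None when nothing explains it)."""
    return [(f, attribute(f, ui_events)) for f in flows]


def unattributed(flows: list[Flow], ui_events: list[UIEvent]) -> list[Flow]:
    """Flows that no recent user action explains: the candidates for errant traffic."""
    return [f for f, e in link_flows(flows, ui_events) if e is None]


def context_line(flow: Flow, event: Optional[UIEvent]) -> str:
    """Render the kind of contextual record the abstract says low-level logs lack."""
    if event is None:
        return f"{flow.ts:.1f} pid={flow.pid} -> {flow.dst}:{flow.dport}  NO USER ACTION"
    return (f"{flow.ts:.1f} pid={flow.pid} -> {flow.dst}:{flow.dport}  "
            f"after {event.action} in '{event.window}' ({flow.ts - event.ts:.1f}s earlier)")


if __name__ == "__main__":
    for f, e in link_flows(FLOWS, UI_EVENTS):
        print(context_line(f, e))
```

Note how the second flow (a CDN asset fetch) is attributed to the same "enter" as the portal login even though its destination host tells an analyst nothing on its own; that is the case where host-name profiling alone misfires and a UI-aware sensor does not. The two flows at the end have no preceding action in their process and surface as the ones to inspect.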