Context Aware Network Security
Network-based security systems have become popular and are deployed in a large number of production networks. These networks exhibit significant diversity in applications, end-host characteristics and traffic behavior. However, current network-based security systems are developed and deployed as generic systems. As a result, they fail to fully exploit the rich network environment. Our thesis is that automated adaptation to the deployment context will significantly improve the performance and accuracy of network-based security systems.
To evaluate our thesis, we explore known-threat detection systems as well as new-threat detection systems. We show how security context can impact these systems and then develop techniques for automatically adapting the systems to the desired context. For known-threat detection, we take a signature-based intrusion detection system and show that its performance improves significantly if it is aware of the signature set and the traffic characteristics of the network. Second, we take honeynets, large collections of honeypots that are used to detect new threats or exploits. We show that the operating system and application configurations in the network impact honeynet accuracy, and that adapting to the surrounding network provides a significantly better threat view of the network. Finally, we apply our context-aware approach to a reputation-based system, namely spam blacklist generation. We show how traffic characteristics on the network impact its accuracy and then develop a technique for automatically adapting the system to those traffic characteristics. The context-aware blacklist generation approach shows significantly better false positive and false negative rates.
We conclude with lessons learnt, directions for adapting a network security system to its deployment context, and an outline of new security systems that may benefit from context adaptation.