Securing Enterprise Networks with Statistical Node Behavior Profiling

dc.contributor.advisor Thomas Daniels
dc.contributor.author Chang, Su
dc.contributor.department Electrical and Computer Engineering
dc.date 2018-08-12T05:05:07.000
dc.date.accessioned 2020-06-30T02:36:00Z
dc.date.available 2020-06-30T02:36:00Z
dc.date.copyright Thu Jan 01 00:00:00 UTC 2009
dc.date.embargo 2013-06-05
dc.date.issued 2009-01-01
dc.description.abstract The substantial proliferation of the Internet has made it the most critical infrastructure in today's world. However, it is still vulnerable to various kinds of attacks and malware and poses a number of great security challenges. Furthermore, we have also witnessed in the past decade that attacks and malware evolve quickly (e.g. from worms to botnets) in response to every success in network security. Network security thereby remains a hot topic in both research and industry and requires continuous and close attention.

In this research, we consider two fundamental areas in network security, malware detection and background traffic modeling, from the new viewpoint of node behavior profiling in enterprise network environments. Our main objectives are to extend and enhance the current research in these two areas. In particular, central to our research is the node behavior profiling approach, which groups the behaviors of different nodes by jointly considering temporal and spatial correlations. We also present an extensive study of botnets, which are believed to be the largest threat to the Internet. To better understand botnets, we propose a botnet framework and predict a new P2P botnet that is much stronger and stealthier than current ones. We then propose anomaly-based malware detection approaches derived directly from the insights (statistical characteristics) of the node behavior study and apply them to P2P botnet detection. Further, by considering the worst-case attack model, in which the botmaster knows all the parameter values used in detection, we propose a fast and optimized anomaly detection approach by formulating the detection problem as an optimization problem. In addition, we propose a novel traffic modeling structure that uses behavior profiles for NIDS evaluations. It is efficient and takes into account node heterogeneity in traffic modeling. It is also compatible with most current modeling schemes and helps generate more realistic background traffic. Last but not least, we evaluate the proposed approaches using real user traces from enterprise networks and achieve encouraging results. Our contributions in this research include: 1) a new node behavior profiling approach to study normal node behavior; 2) a framework for botnets; 3) a new P2P botnet and performance comparisons with other P2P botnets; 4) two anomaly detection approaches based on node behavior profiles; 5) a fast and optimized anomaly detection approach under the worst-case attack model; 6) a new traffic modeling structure; and 7) simulations and evaluations of the above approaches on real user data from enterprise networks.

To the best of our knowledge, we are the first to propose the botnet framework, consider the worst-case attack model and propose a corresponding fast and optimized solution in botnet-related research. We are also the first to propose efficient solutions in traffic modeling without the assumption of node homogeneity.
dc.format.mimetype application/pdf
dc.identifier archive/lib.dr.iastate.edu/etd/11483/
dc.identifier.articleid 2463
dc.identifier.contextkey 2807661
dc.identifier.doi https://doi.org/10.31274/etd-180810-1825
dc.identifier.s3bucket isulib-bepress-aws-west
dc.identifier.submissionpath etd/11483
dc.identifier.uri https://dr.lib.iastate.edu/handle/20.500.12876/25689
dc.language.iso en
dc.source.bitstream archive/lib.dr.iastate.edu/etd/11483/Chang_iastate_0097E_11248.pdf|||Fri Jan 14 18:51:04 UTC 2022
dc.subject.disciplines Electrical and Computer Engineering
dc.subject.keywords Computer Networks
dc.subject.keywords Internet Traffic Modeling
dc.subject.keywords Intrusion Detection
dc.subject.keywords Malware/Botnet Study
dc.subject.keywords Network Security
dc.subject.keywords Node Behavior
dc.title Securing Enterprise Networks with Statistical Node Behavior Profiling
dc.type article
dc.type.genre dissertation
dspace.entity.type Publication
relation.isOrgUnitOfPublication a75a044c-d11e-44cd-af4f-dab1d83339ff
thesis.degree.level dissertation
thesis.degree.name Doctor of Philosophy
File (original bundle): Chang_iastate_0097E_11248.pdf
Size: 2.95 MB
Format: Adobe Portable Document Format