1. Intel and the Intel logo are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries. *Other names and brands may be claimed as the property of others. Copyright © 2006, Intel Corporation. All rights reserved. Research at Intel www.intel.com/research Different outlier behaviors PROTEUS: Profiling for Enterprise Network Security Nina Taft, Frederic Giroire (IRB), Dina Papagiannaki (IRP) Jaideep Chandrashekar (SC), Michalis Faloutsos (UC Riverside) Build profiles using communication traffic (all packet headers entering & exiting host) Captures communication behavior, application usage, community of people interact with, temporal patterns Approach: graphlets (see figures below), combining small graphs with time series data Adaptive profiles evolve with user via ongoing learning short-term evolution: changing environments between enterprise & home, wired & wireless long-term evolution: user changes application mix, community interacts with, etc. OS-independent, implementable in tamper-proof hardware #dstIP# src port # dst port Total Nodes 10231144 Today: all enterprise hosts configured the same way for security purposes. Easy to manage Easy to attack on large scale Goal: Change the game based on a new paradigm: end the “one-size-fits-all” era, and personalize end-host security solutions Why personalize security? A single universal configuration won’t work for everyone. Most anomaly detection algorithms based on “outlier” detection –Anomaly detection schemes rely on detecting deviations from patterns, by defining “normal” and “abnormal” behaviors. But what’s normal and what’s not is very personal ! –Each person uses their machine differently, so anomalous behavior should be defined relative to particular machine & user. End Host ProfilingA New Paradigm for Security Users differ both in their “typical” and “atypical” behaviors Threshold-based detectors used inside Host-IDS, firewalls, to detect DDOS, worms, scans, botnets, flash crowds. Example: If number simultaneous TCP connections > 1 million, raise an alarm. Using graphlets, can find out which ports, applications, and services a user uses, uncover the range of intensity of usage that is normal for user, and then supervise for extreme behavior. Graphlets enable learning of relevant thresholds Limits on number of simultaneous connections –number of failed TCP connections, –port 80 connections (thresholding limits port re-use) –catch via tracking of out-degree of relevant graphlet node Catch changes in dispersion metrics –entropy of destination addresses –entropy of ports. Thresholds should be set based on what is an outlier for a particular user. Example: Set max num TCP connections at 98% of what user usually does. How does this help security ? Night traffic (3-4am) Day traffic (10-11 am) #dstIP# src port # dst port Total nodes 188833139 srcIP Protocol ID dstIPsrcPortdstPort 8 users, 4 laptops (L) and 4 desktops (D) Entropy of destination ports Average out-degree of TCP nodeAverage out-degree of “port 80 node” # End Hosts dstIP Does one user need more than one profile ? 0.1 0.2 0.3 0.4 0.5 0.6 L1 D1 D2 D3 D4 L2 L3 L4