Title :
Behavioral authentication of server flows
Author :
Early, James P. ; Brodley, Carla E. ; Rosenberg, Catherine
Author_Institution :
CERIAS, Purdue Univ., West Lafayette, IN, USA
Abstract :
Understanding the nature of the information flowing into and out of a system or network is fundamental to determining if there is adherence to a usage policy. Traditional methods of determining traffic type rely on the port label carried in the packet header. This method can fail, however, in the presence of proxy servers that remap port numbers or host services that have been compromised to act as backdoors or covert channels. We present an approach to classify server traffic based on decision trees learned during a training phase. The trees are constructed from traffic described using a set of features we designed to capture stream behavior. Because our classification of the traffic type is independent of port label, it provides a more accurate classification in the presence of malicious activity. An empirical evaluation illustrates that models of both aggregate protocol behavior and host-specific protocol behavior obtain classification accuracies ranging from 82-100%.
Keywords :
computer crime; decision trees; message authentication; network servers; pattern classification; protocols; telecommunication security; telecommunication traffic; aggregate protocol behavior; decision trees; host-specific protocol behavior; packet header; port label; proxy servers; server flows behavioral authentication; server traffic classification; stream behavior capturing; Authentication; Computer networks; Filtering; Network servers; Peer to peer computing; Portals; Protocols; Telecommunication traffic; Traffic control; Web server
Conference_Title :
Computer Security Applications Conference, 2003. Proceedings. 19th Annual
Print_ISBN :
0-7695-2041-3
DOI :
10.1109/CSAC.2003.1254309