The rapid growth in malicious Internet activity, due to the rise of threats likeautomated worms, viruses, and botnets, has driven the development of toolsdesigned to protect host and network resources.One approach that has gainedsignificant popularity is the use of network based securitysystems. These systems are deployed on the network to detect, characterize andmitigate both new and existing threats.Unfortunately, these systems are developed and deployed in production networksas generic systems and little thought has been paid to customization.Even when it is possible to customize these devices, the approaches forcustomization are largely manual or ad hoc.Our observation of the productionnetworks suggest that these networks have significant diversity in end-hostcharacteristics, threat landscape, and traffic behavior -- a collection offeatures that we call the security context of a network.The scale anddiversity in security context of production networks make manual or ad hoccustomization of security systems difficult.Our thesis is that automatedadaptation to the security context can be used to significantly improve theperformance and accuracy of network-based security systems.In order to evaluate our thesis, we explore a system from three broad categoriesof network-based security systems: known threat detection, new threat detection,and reputation-based mitigation.For known threat detection, we examine asignature-based intrusion detection system and show that the system performanceimproves significantly if it is aware of the signature set and the trafficcharacteristics of the network.Second, we explore a large collection ofhoneypots (or honeynet) that are used to detect new threats. We show thatoperating system and application configurations in the network impact honeynetaccuracy and adapting to the surrounding network provides a significantly betterview of the network threats. Last, we apply our context-aware approach to areputation-based system for spam blacklist generation and show how trafficcharacteristics on the network can be used to significantly improve itsaccuracy.We conclude with the lessons learned from our experiences adapting to networksecurity context and the future directions for adaptingnetwork-based securitysystems to the security context.
PDF
download
878987797
028-85220240
