TY - GEN
T1 - Behavior-based outlier detection for network access control systems
AU - Muhammad, Musa Abubakar
AU - Ayesh, Aladdin
AU - Wagner, Isabel
N1 - Publisher Copyright:
© 2019 ACM.
PY - 2019/7/1
Y1 - 2019/7/1
N2 - Network Access Control (NAC) systems manage the access of new devices into enterprise networks to prevent unauthorised devices from attacking network services. The main difficulty with this approach is that NAC cannot detect abnormal behaviour of devices already connected to an enterprise network. These abnormal devices can be detected using outlier detection techniques. Existing outlier detection techniques focus on specific application domains such as fraud, event or system health monitoring. In this paper, we review attacks on Bring Your Own Device (BYOD) enterprise networks as well as existing clustering-based outlier detection algorithms along with their limitations. Importantly, existing techniques can detect outliers, but cannot detect where or which device is causing the abnormal behaviour. We develop a novel behaviour-based outlier detection technique which detects abnormal behaviour according to a device type profile. Based on data analysis with K-means clustering, we build device type profiles using Clustering-based Multivariate Gaussian Outlier Score (CMGOS) and filter out abnormal devices from the device type profile. The experimental results show the applicability of our approach: we can obtain a device type profile for five Dell netbooks, three iPads, two iPhone 3G, two iPhone 4G and Nokia phones, and detect outlying devices within the device type profile.
UR - http://www.scopus.com/inward/record.url?scp=85072804308&partnerID=8YFLogxK
U2 - 10.1145/3341325.3342004
DO - 10.1145/3341325.3342004
M3 - Published conference contribution
AN - SCOPUS:85072804308
T3 - ACM International Conference Proceeding Series
BT - Proceedings of the 3rd International Conference on Future Networks and Distributed Systems, ICFNDS 2019
PB - Association for Computing Machinery
T2 - 3rd International Conference on Future Networks and Distributed Systems, ICFNDS 2019
Y2 - 1 July 2019 through 2 July 2019
ER -