Can the User Help? Leveraging User Actions for Network Profiling

Zorigtbaatar Chuluundorj; Curtis R. Taylor; Robert J. Walls; Craig A. Shue

doi:10.1109/SDS54264.2021.9732164

Can the User Help? Leveraging User Actions for Network Profiling

Zorigtbaatar Chuluundorj, Curtis R. Taylor, Robert J. Walls, Craig A. Shue

Embedded Systems Security

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

3 Scopus citations

Abstract

Enterprises have difficulty gaining insight into the steps preceding anomalous activity in end-user machines. En-Terprises may log events to later reconstruct anomalies to gain insight and determine their causes. Unfortunately, most logs are low-level and lack contextual information, making manual inspection arduous. Accordingly, enterprises may fail to promptly respond to anomalies, leading to outages or security breaches. To help these enterprises, we monitor and log each user's interactions with the machine's user interface (UI) and link them to the resulting network flows. We design, implement, and evaluate an SDN system, called Harbinger, for the Microsoft Windows OS that provides user activity context for flows. Enterprises can use the context we gather to complement traditional analysis. We explore how Harbinger can help differentiate normal and abnormal network traffic. While IP or DNS host name profiling can have error rates between 29%-38 % for URL-based traffic, UI-Aware sensors can reduce such errors to 0.2%. We further find that with the help of user action tracking, we can detect errant network traffic 99.1% of the time in our tests. HARBINGERhas good performance, introducing less than 6 milliseconds of delay in 95% of new network flows.

Original language	English
Title of host publication	2021 8th International Conference on Software Defined Systems, SDS 2021
Editors	Pradeeban Kathiravelu, Jaime Lloret Mauri, Yaser Jararweh, Elhadj Benkhelifa, Sandra Sendra
Publisher	Institute of Electrical and Electronics Engineers Inc.
ISBN (Electronic)	9781665458207
DOIs	https://doi.org/10.1109/SDS54264.2021.9732164
State	Published - 2021
Event	8th International Conference on Software Defined Systems, SDS 2021 - Virtual, Gandia, Spain Duration: Dec 6 2021 → Dec 9 2021

Publication series

Name	2021 8th International Conference on Software Defined Systems, SDS 2021

Conference

Conference	8th International Conference on Software Defined Systems, SDS 2021
Country/Territory	Spain
City	Virtual, Gandia
Period	12/6/21 → 12/9/21

Funding

ACKNOWLEDGMENTS This material is based upon work supported by the National Science Foundation under Grant No. 1422180. Shue holds stock in ContexSure Networks, Inc., an arrangement that has been reviewed and approved by WPI.

Access to Document

10.1109/SDS54264.2021.9732164

Cite this

Chuluundorj, Z., Taylor, C. R., Walls, R. J., & Shue, C. A. (2021). Can the User Help? Leveraging User Actions for Network Profiling. In P. Kathiravelu, J. Lloret Mauri, Y. Jararweh, E. Benkhelifa, & S. Sendra (Eds.), 2021 8th International Conference on Software Defined Systems, SDS 2021 (2021 8th International Conference on Software Defined Systems, SDS 2021). Institute of Electrical and Electronics Engineers Inc.. https://doi.org/10.1109/SDS54264.2021.9732164

Chuluundorj, Zorigtbaatar ; Taylor, Curtis R. ; Walls, Robert J. et al. / Can the User Help? Leveraging User Actions for Network Profiling. 2021 8th International Conference on Software Defined Systems, SDS 2021. editor / Pradeeban Kathiravelu ; Jaime Lloret Mauri ; Yaser Jararweh ; Elhadj Benkhelifa ; Sandra Sendra. Institute of Electrical and Electronics Engineers Inc., 2021. (2021 8th International Conference on Software Defined Systems, SDS 2021).

@inproceedings{598a0787ca2c49d2a48fed09b8c1e8d2,

title = "Can the User Help? Leveraging User Actions for Network Profiling",

abstract = "Enterprises have difficulty gaining insight into the steps preceding anomalous activity in end-user machines. En-Terprises may log events to later reconstruct anomalies to gain insight and determine their causes. Unfortunately, most logs are low-level and lack contextual information, making manual inspection arduous. Accordingly, enterprises may fail to promptly respond to anomalies, leading to outages or security breaches. To help these enterprises, we monitor and log each user's interactions with the machine's user interface (UI) and link them to the resulting network flows. We design, implement, and evaluate an SDN system, called Harbinger, for the Microsoft Windows OS that provides user activity context for flows. Enterprises can use the context we gather to complement traditional analysis. We explore how Harbinger can help differentiate normal and abnormal network traffic. While IP or DNS host name profiling can have error rates between 29%-38 % for URL-based traffic, UI-Aware sensors can reduce such errors to 0.2%. We further find that with the help of user action tracking, we can detect errant network traffic 99.1% of the time in our tests. HARBINGERhas good performance, introducing less than 6 milliseconds of delay in 95% of new network flows.",

author = "Zorigtbaatar Chuluundorj and Taylor, {Curtis R.} and Walls, {Robert J.} and Shue, {Craig A.}",

note = "Publisher Copyright: {\textcopyright} 2021 IEEE.; 8th International Conference on Software Defined Systems, SDS 2021 ; Conference date: 06-12-2021 Through 09-12-2021",

year = "2021",

doi = "10.1109/SDS54264.2021.9732164",

language = "English",

series = "2021 8th International Conference on Software Defined Systems, SDS 2021",

publisher = "Institute of Electrical and Electronics Engineers Inc.",

editor = "Pradeeban Kathiravelu and {Lloret Mauri}, Jaime and Yaser Jararweh and Elhadj Benkhelifa and Sandra Sendra",

booktitle = "2021 8th International Conference on Software Defined Systems, SDS 2021",

}

Chuluundorj, Z, Taylor, CR, Walls, RJ & Shue, CA 2021, Can the User Help? Leveraging User Actions for Network Profiling. in P Kathiravelu, J Lloret Mauri, Y Jararweh, E Benkhelifa & S Sendra (eds), 2021 8th International Conference on Software Defined Systems, SDS 2021. 2021 8th International Conference on Software Defined Systems, SDS 2021, Institute of Electrical and Electronics Engineers Inc., 8th International Conference on Software Defined Systems, SDS 2021, Virtual, Gandia, Spain, 12/6/21. https://doi.org/10.1109/SDS54264.2021.9732164

Can the User Help? Leveraging User Actions for Network Profiling. / Chuluundorj, Zorigtbaatar; Taylor, Curtis R.; Walls, Robert J. et al.
2021 8th International Conference on Software Defined Systems, SDS 2021. ed. / Pradeeban Kathiravelu; Jaime Lloret Mauri; Yaser Jararweh; Elhadj Benkhelifa; Sandra Sendra. Institute of Electrical and Electronics Engineers Inc., 2021. (2021 8th International Conference on Software Defined Systems, SDS 2021).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - Can the User Help? Leveraging User Actions for Network Profiling

AU - Chuluundorj, Zorigtbaatar

AU - Taylor, Curtis R.

AU - Walls, Robert J.

AU - Shue, Craig A.

PY - 2021

Y1 - 2021

N2 - Enterprises have difficulty gaining insight into the steps preceding anomalous activity in end-user machines. En-Terprises may log events to later reconstruct anomalies to gain insight and determine their causes. Unfortunately, most logs are low-level and lack contextual information, making manual inspection arduous. Accordingly, enterprises may fail to promptly respond to anomalies, leading to outages or security breaches. To help these enterprises, we monitor and log each user's interactions with the machine's user interface (UI) and link them to the resulting network flows. We design, implement, and evaluate an SDN system, called Harbinger, for the Microsoft Windows OS that provides user activity context for flows. Enterprises can use the context we gather to complement traditional analysis. We explore how Harbinger can help differentiate normal and abnormal network traffic. While IP or DNS host name profiling can have error rates between 29%-38 % for URL-based traffic, UI-Aware sensors can reduce such errors to 0.2%. We further find that with the help of user action tracking, we can detect errant network traffic 99.1% of the time in our tests. HARBINGERhas good performance, introducing less than 6 milliseconds of delay in 95% of new network flows.

AB - Enterprises have difficulty gaining insight into the steps preceding anomalous activity in end-user machines. En-Terprises may log events to later reconstruct anomalies to gain insight and determine their causes. Unfortunately, most logs are low-level and lack contextual information, making manual inspection arduous. Accordingly, enterprises may fail to promptly respond to anomalies, leading to outages or security breaches. To help these enterprises, we monitor and log each user's interactions with the machine's user interface (UI) and link them to the resulting network flows. We design, implement, and evaluate an SDN system, called Harbinger, for the Microsoft Windows OS that provides user activity context for flows. Enterprises can use the context we gather to complement traditional analysis. We explore how Harbinger can help differentiate normal and abnormal network traffic. While IP or DNS host name profiling can have error rates between 29%-38 % for URL-based traffic, UI-Aware sensors can reduce such errors to 0.2%. We further find that with the help of user action tracking, we can detect errant network traffic 99.1% of the time in our tests. HARBINGERhas good performance, introducing less than 6 milliseconds of delay in 95% of new network flows.

UR - http://www.scopus.com/inward/record.url?scp=85128347838&partnerID=8YFLogxK

U2 - 10.1109/SDS54264.2021.9732164

DO - 10.1109/SDS54264.2021.9732164

M3 - Conference contribution

AN - SCOPUS:85128347838

T3 - 2021 8th International Conference on Software Defined Systems, SDS 2021

BT - 2021 8th International Conference on Software Defined Systems, SDS 2021

A2 - Kathiravelu, Pradeeban

A2 - Lloret Mauri, Jaime

A2 - Jararweh, Yaser

A2 - Benkhelifa, Elhadj

A2 - Sendra, Sandra

PB - Institute of Electrical and Electronics Engineers Inc.

T2 - 8th International Conference on Software Defined Systems, SDS 2021

Y2 - 6 December 2021 through 9 December 2021

ER -

Chuluundorj Z, Taylor CR, Walls RJ, Shue CA. Can the User Help? Leveraging User Actions for Network Profiling. In Kathiravelu P, Lloret Mauri J, Jararweh Y, Benkhelifa E, Sendra S, editors, 2021 8th International Conference on Software Defined Systems, SDS 2021. Institute of Electrical and Electronics Engineers Inc. 2021. (2021 8th International Conference on Software Defined Systems, SDS 2021). doi: 10.1109/SDS54264.2021.9732164

Can the User Help? Leveraging User Actions for Network Profiling

Abstract

Publication series

Conference

Funding

Access to Document

Other files and links

Fingerprint

Cite this