• DocumentCode
    3139662
  • Title
    Users' Behavior Character Analysis and Classification Approaches in Enterprise Networks
  • Author
    Qin, Tao ; Guan, Xiaohong ; Long, Yi ; Li, Wei
  • Author_Institution
    SKLMS Lab., Xian Jiaotong Univ., Xian, China
  • fYear
    2009
  • fDate
    1-3 June 2009
  • Firstpage
    323
  • Lastpage
    328
  • Abstract
    Users' character analysis and control are important for enterprise network management and security. In this paper, we propose a novel method to classify users' behaviors into different security levels and to control their behaviors with corresponding strategies. Firstly, a Dflow model and several traffic features, including the number of packets, the number of flows, flow durations, etc., are proposed to capture the users' characters. These features are obtained from different layers of the OSI communication model, such as the network layer and the transport layer. Secondly, we define scores for users' behaviors according to their traffic patterns using a flexible method with adjustable weight factors; different monitoring aims can be achieved by adjusting the weight factors. Based on the behavior score, users' behaviors are classified into three security levels: low-dangerous, mid-dangerous and high-dangerous. Finally, mid-dangerous and high-dangerous behaviors are controlled by a dynamic quarantine method based on the principle of "assume guilty before proven innocent". We quarantine a user whenever its behavior is classified into the mid-dangerous or high-dangerous level by blocking its traffic. The quarantine is then released after a short time, even if the user has not yet been inspected by security managers. In this way, we can remove potential threats from the monitored network without severely interfering with users' normal activities. Experimental results based on actual traffic data show that the methods proposed in this paper are simple, flexible and highly accurate, and can be used for real-time enterprise network monitoring and management.
  • Keywords
    business data processing; open systems; peer-to-peer computing; security of data; telecommunication traffic; Dflow model; OSI communication model; P2P traffic; adjustable weight factors; enterprise network management; high-dangerous security level; low-dangerous security level; mid-dangerous security level; network layer; real-time enterprise network monitoring; security levels; traffic patterns; transport layer; user quarantine; users behavior character analysis; users behavior classification approach; Automation; Communication system traffic control; Computer networks; Data security; Information analysis; Information science; Monitoring; Protocols; Telecommunication traffic; Traffic control; Behavior Classification; Security; Traffic Flow;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Computer and Information Science, 2009. ICIS 2009. Eighth IEEE/ACIS International Conference on
  • Conference_Location
    Shanghai
  • Print_ISBN
    978-0-7695-3641-5
  • Type
    conf
  • DOI
    10.1109/ICIS.2009.104
  • Filename
    5222887