• DocumentCode
    3097432
  • Title
    A Network Access Control Mechanism Based on Behavior Profiles
  • Author
    Frias-Martinez, Vanessa ; Sherrick, Joseph ; Stolfo, Salvatore J. ; Keromytis, Angelos D.
  • Author_Institution
    Telefonica Res., Madrid, Spain
  • fYear
    2009
  • fDate
    7-11 Dec. 2009
  • Firstpage
    3
  • Lastpage
    12
  • Abstract
    Current network access control (NAC) technologies manage the access of new devices into a network to prevent rogue devices from attacking network hosts or services. Typically, new devices are checked against a set of manually defined policies (rules) before being granted access by the NAC enforcer. The main difficulty with this approach lies in the manual generation and updating of new policies as time elapses, after which all devices have to reestablish their access rights. The BB-NAC mechanism was the first to introduce a novel behavior-based network access control architecture based on behavior profiles rather than rules, where behavior-based access control policies were automatically generated. As originally presented, BB-NAC relied on manually pre-determined clusters of behavior, which required human intervention and prevented the full automation of the mechanism. In this paper, we present an enhanced BB-NAC mechanism that fully automates the creation of clusters of behavior. The access control is enhanced with the incorporation of automatic behavior clustering, which improves the intrusion detection capabilities by allowing for a more fine-grained definition of normal behavior. Apart from the lack of automatic clustering, the original BB-NAC overlooked the evolution of the mechanism as new behavior profiles were computed over time. As part of our enhancements, we also present an incremental-learning algorithm that automatically updates the behavior-based access control policies. We show that the algorithm is resilient to compromised or fabricated profiles trying to manipulate the policies. We provide extensive experiments with real user profiles computed from their network flows, processed from Cisco NetFlow logs captured at our host institution. Our results show that behavior-based access control policies enhance conventional NAC technologies. Specifically, we achieve true rejection rates of 95% for anomalous user profiles separated by one standard deviation from the normal user network behavior. In addition, we also show that the enhanced mechanism can differentiate between normal changes in the behavior profiles (concept drift) and attacks.
  • Keywords
    authorisation; computer network management; computer network security; learning (artificial intelligence); BB-NAC mechanism; Cisco NetFlow; anomalous user profiles; automatic behavior clustering; behavior profiles; behavior-based network access control architecture; incremental-learning algorithm; intrusion detection capability; network access control mechanism; network flows; network hosts; network services; rogue devices; Access control; Application software; Clustering algorithms; Communication system traffic control; Computer architecture; Computer networks; Humans; Network servers; Permission; Software performance; Anomaly Detection; Behavior-based Network Access Control; Concept Drift in Data Streams; Network Intrusion Prevention;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Computer Security Applications Conference, 2009. ACSAC '09. Annual
  • Conference_Location
    Honolulu, HI
  • ISSN
    1063-9527
  • Print_ISBN
    978-0-7695-3919-5
  • Type
    conf
  • DOI
    10.1109/ACSAC.2009.10
  • Filename
    5380530