Behavior-Aware Network Segmentation using IP Flows

Abstract: Network segmentation is a powerful tool for network defense. In contemporary complex, dynamic, and multilayer networks, network segmentation suffers from lack of visibility into processes in the network, which results in less strict segment definition and loosen network security. Moreover, the dynamics of the networks makes the manual identification of network segments nearly impossible. In this paper, we inspect the possibilities of the behavioraware network segmentation using IP flows and machine learning ap… Show more

“…More complicated roles may both be predefined or computed from observations. [4] models the behavior of the hosts of a university network and shows reasonable results to recover the network segmentation by unsupervised learning and to assign new hosts to these segments using supervised methods. Similarly, [5] utilizes Random Forests to assign newly observed hosts to departments respectively the central server infrastructure within an intranet.…”

“…The usage of standard NetFlow features to derive a network segmentation or characterize host behavior can be found in a number of works. Often the former are enriched by specially tailored features such as entropy measures [8], detection of connection spikes and bursts [9] or aggregated features for split time intervals [4]. In an IoT context, [10] extracts the MAC address of a device passively from ARP requests and searches a database for devices with a similar MAC address and known product type to determine the product type of this device.…”

Untitled

“…More complicated roles may both be predefined or computed from observations. [4] models the behavior of the hosts of a university network and shows reasonable results to recover the network segmentation by unsupervised learning and to assign new hosts to these segments using supervised methods. Similarly, [5] utilizes Random Forests to assign newly observed hosts to departments respectively the central server infrastructure within an intranet.…”

“…The usage of standard NetFlow features to derive a network segmentation or characterize host behavior can be found in a number of works. Often the former are enriched by specially tailored features such as entropy measures [8], detection of connection spikes and bursts [9] or aggregated features for split time intervals [4]. In an IoT context, [10] extracts the MAC address of a device passively from ARP requests and searches a database for devices with a similar MAC address and known product type to determine the product type of this device.…”

Untitled

Automatic Generation of Network Micro-Segmentation Policies for Cloud Environments