Abstract
Traditionally, user traffic profiling is performed by analyzing traffic traces collected on behalf of the user at aggregation points located in the middle of the network. However, the modern enterprise network has a highly mobile population that frequently moves in and out of its physical perimeter. Thus an in-the-network monitor is unlikely to capture full user activity traces when users move outside the enterprise perimeter. The distinct environments, such as the cubicle and the coffee shop (among others), that users visit, may each pose different constraints and lead to varied behavioral modes. It is thus important to ask: is the profile of a user constructed in one environment representative of the same user in another environment?
In this paper, we answer in the negative for the mobile population of an enterprise. Using real corporate traces collected at nearly 400 end-hosts for approximately 5 weeks, we study how end-host usage differs across three environments: inside the enterprise, outside the enterprise but using a VPN, and entirely outside the enterprise network. Within these environments, we examine three types of features: (i) environment lifetimes, (ii) relative usage statistics of network services, and (iii) outlier detection thresholds as used for anomaly detection. We find significant diversity in end-host behavior across environments for many features, thus indicating that profiles computed for a user in one environment yield inaccurate representations of the same user in a different environment.
Keywords
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.
This is a preview of subscription content, log in via an institution.
Buying options
Tax calculation will be finalised at checkout
Purchases are for personal use only
Learn about institutional subscriptionsPreview
Unable to display preview. Download preview PDF.
References
McDaniel, P., Sen, S., Spatscheck, O., der Merwe, J.V., Aiello, B., Kalmanek, C.: Enterprise security: A community of interest based approach. In: Proc. of Network and Distributed System Security (NDSS) (Feburary 2006)
Tan, G., Poletto, M., Guttag, J., Kaashoek, F.: Role classification of hosts within enterprise networks based on connection patterns. In: Proc. of the USENIX Annual Technical Conference 2003, USENIX, pp. 2–2 (2003)
Karagiannis, T., Papagiannaki, K., Taft, N., Faloutsos, M.: Profiling the end host. In: Passive and Active Measurement, pp. 186–196 (2007)
Padmanabhan, V.N., Ramabhadran, S., Padhye, J.: Netprofiler: Profiling wide-area networks using peer cooperation. In: Castro, M., van Renesse, R. (eds.) IPTPS 2005. LNCS, vol. 3640, pp. 80–92. Springer, Heidelberg (2005)
Bhatti, N., Bouch, A., Kuchinsky, A.: Integrating user-perceived quality into web server design. In: Proc. of the 9th International World Wide Web conference on Computer networks, pp. 1–16. North-Holland Publishing Co, Amsterdam (2000)
Pang, R., Allman, M., Bennett, M., Lee, J., Paxson, V., Tierney, B.: A first look at modern enterprise traffic. In: Proc. of the Internet Measurement Conference (IMC), pp. 2–2. ACM, New York (2005)
Bahl, P., Chandra, R., Greenberg, A., Kandula, S., Maltz, D.A., Zhang, M.: Towards highly reliable enterprise network services via inference of multi-level dependencies. In: Proc. of ACM SIGCOMM, New York, USA, pp. 13–24. ACM, New York (2007)
Biles, S.: Detecting the unknown with snort and the statistical packet anomaly detection engine (SPADE) Computer Security Online Ltd
Jung, J., Paxson, V., Berger, A.W., Balakrishnan, H.: Fast portscan detection using sequential hypothesis testing. In: IEEE Symposium on Security and Privacy, p. 211 (2004)
Kreibich, C., Warfield, A., Crowcroft, J., Hand, S., Pratt, I.: Using Packet Symmetry to Curtail Malicious Traffic. In: Fourth Workshop on Hot Topics in Networks (HotNets-IV) (November 2005)
Paxson, V.: Bro: A system for detecting network intruders in real-time. Comput. Networks 31(23), 2435–2463 (1999)
England, P., Manferdelli, J.: Virtual machines for enterprise desktop security. Information Security Technical Report 11(4), 193–202 (2006)
Author information
Authors and Affiliations
Editor information
Rights and permissions
Copyright information
© 2008 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Giroire, F., Chandrashekar, J., Iannaccone, G., Papagiannaki, K., Schooler, E.M., Taft, N. (2008). The Cubicle vs. The Coffee Shop: Behavioral Modes in Enterprise End-Users. In: Claypool, M., Uhlig, S. (eds) Passive and Active Network Measurement. PAM 2008. Lecture Notes in Computer Science, vol 4979. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-79232-1_21
Download citation
DOI: https://doi.org/10.1007/978-3-540-79232-1_21
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-79231-4
Online ISBN: 978-3-540-79232-1
eBook Packages: Computer ScienceComputer Science (R0)