Behavioral Authentication for Computer Security
Understanding the nature of the information flowing into and out of a system or network is fundamental to determining whether a usage policy is being followed or whether the security of the system has been compromised. In this talk I will describe how behavioral authentication can be used to detect anomalies in the expected behavior of both processes and users. The first application, classifying server traffic, addresses the problem that traditional methods of determining traffic type rely on the port label carried in the packet header to indicate the type of service (e.g., HTTP, Telnet, SSH). This method can fail, however, in the presence of proxy servers that re-map port numbers, or of host services that have been compromised to act as back doors or covert channels. I will present an approach to classifying server traffic based on models of server stream behavior. The models are learned during a training phase from traffic described using a set of features we designed to capture the behavior of TCP services. In the second application, user re-authentication, I will describe methods for learning a profile of the valid user and illustrate how this profile can be used to monitor current behavior and detect anomalies, which in turn may indicate either misuse or an intrusion.
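As an added illustration of the traffic-classification idea (example code written for this page, not the talk's own system), the toy below learns one centroid per service from constructed flows, predicts the service from stream behavior alone, and flags a flow whose behavior disagrees with its port label. The feature set, the training flows and the port map are assumptions, not the features the talk describes.

```python
from math import sqrt
from statistics import mean

# Constructed training flows (illustrative, not measured traffic): each packet is
# (direction, payload_bytes) with "c" = client->server, "s" = server->client.
TRAINING = {
    "http": [
        [("c", 300), ("s", 1400), ("s", 1400), ("s", 900)],
        [("c", 350), ("s", 1400), ("s", 1200)],
        [("c", 280), ("s", 1400), ("s", 1400), ("s", 1400), ("s", 600)],
    ],
    "ssh": [
        [("c", 48), ("s", 48), ("c", 32), ("s", 64), ("c", 32), ("s", 32), ("c", 48), ("s", 80)],
        [("c", 40), ("s", 56), ("c", 32), ("s", 32), ("c", 40), ("s", 48)],
        [("c", 48), ("s", 48), ("c", 32), ("s", 48), ("c", 32), ("s", 32), ("c", 32), ("s", 32)],
    ],
}
PORT_LABELS = {80: "http", 22: "ssh"}  # what the port number claims the service is

def features(flow):
    """Assumed stream-behavior features (not the talk's feature set): packet count,
    mean payload size, client->server fraction, and direction changes per packet,
    each scaled to roughly [0, 1] so no single feature dominates the distance."""
    n = len(flow)
    turns = sum(1 for i in range(1, n) if flow[i][0] != flow[i - 1][0]) / max(n - 1, 1)
    return (n / 10.0, mean(s for _, s in flow) / 1500.0,
            sum(1 for d, _ in flow if d == "c") / n, turns)

def train(samples):
    """Training phase: one centroid per service in feature space."""
    return {label: tuple(mean(col) for col in zip(*(features(f) for f in flows)))
            for label, flows in samples.items()}

def classify(model, flow):
    """Nearest-centroid prediction of the service from stream behavior alone."""
    fv = features(flow)
    return min(model, key=lambda lbl: sqrt(sum((a - b) ** 2 for a, b in zip(fv, model[lbl]))))

def check_flow(model, port, flow):
    """Return (predicted service, anomaly flag): the flag is set when the behavior
    disagrees with the port label, as with a remapped proxy or a back door."""
    predicted = classify(model, flow)
    return predicted, predicted != PORT_LABELS.get(port)

MODEL = train(TRAINING)

if __name__ == "__main__":
    ssh_like = [("c", 40), ("s", 48), ("c", 32), ("s", 40), ("c", 32), ("s", 32)]
    print(check_flow(MODEL, 80, ssh_like))  # interactive-looking stream on port 80
    print(check_flow(MODEL, 80, [("c", 320), ("s", 1400), ("s", 1100)]))
```

A real deployment would use many more flows per service and richer features (timing, byte distributions), but the check is the same: the learned model, not the port label, decides what the stream is.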