Device-type Profiling using Packet Inter-Arrival Time for Network Access Control
Date
Authors
Advisors
Journal Title
Journal ISSN
ISSN
DOI
Volume Title
Publisher
Type
Peer reviewed
Abstract
Network Access Control (NAC) systems are technologies and defined policies typically established to control the access of devices attempting to connect to enterprise networks. However, NAC limitations have led to security threats that can lead to illegal and unauthorised access to networks as well as insider misuse. Current NAC configuration settings rely on point of entry authentication systems including passwords, biometrics, two-factor, and multi-factor authentication to protect employees, but this reliance can lead to security susceptibilities that can significantly damage enterprise network systems. In addition, incorporating NAC into the growing Bring Your Own Device (BYOD) paradigm further increases the security threats, vulnerabilities and risks potentials in enterprise network environments. Regardless of any existing security solutions, such as antimalware, anti-virus and intrusion detection and prevention systems, security issues continue to rise within BYOD, with a proportionate increase in consequences and impacts. This thesis explores novel solution paths to the above challenges by investigating device-type fingerprinting and behaviour profiling to improve the security of NAC. This is achieved by proposing a novel Intelligent Filtering Technique (IFT) that uses packet Inter-Arrival Time (IAT) data for smartphones, tablets and laptops to profile and identify abnormal patterns based on device-types. The IFT is composed of three data mining algorithms, namely K-means clustering, clustering-based multivariate gaussian outlier score, and long short-term memory networks algorithms. These algorithms are capable of identifying abnormal inter-arrival time patterns based on device-types. The effectiveness of the proposed technique is evaluated using a combination of datasets from different network traffic protocols, such as Transmission Control Protocol (TCP), User Datagram Protocol (UDP) and Internet Control Message Protocol (ICMP), the author’s knowledge, this is the only technique to date that can identify abnormal inter-arrival time patterns based on the devicetype. The new technique can improve intrusion detection system capabilities and outcomes by using device-type profiling to reduce the false positive rates of detected abnormal patterns.