TY - GEN
T1 - IP2User - Identifying the username of an IP address in network-related events
AU - Shabtai, Asaf
AU - Morad, Idan
AU - Kolman, Eyal
AU - Eran, Ereli
AU - Vaystikh, Alex
AU - Gruss, Eyal
AU - Rokach, Lior
AU - Elovici, Yuval
PY - 2013/10/28
Y1 - 2013/10/28
N2 - Network devices deployed in organizations (firewall, IDS, routers, antivirus, servers, etc.) log users' activity as events. Based on these events, users' behavioral profiles can be derived in order to detect anomalies indicating potential attacks. In most cases the identifier of a user is the user's organizational username. While events are always logged with the source IP address, they are not always logged with the relevant username; therefore, many of the collected events are not directly linked with the appropriate user. In this paper we describe a method for associating an IP address with an actual username based on a set of logged events. This is a crucial precondition for generating an accurate user profile. The proposed method was evaluated using real, large datasets (logs) and showed 88% accuracy in the identification of usernames.
AB - Network devices deployed in organizations (firewall, IDS, routers, antivirus, servers, etc.) log users' activity as events. Based on these events, users' behavioral profiles can be derived in order to detect anomalies indicating potential attacks. In most cases the identifier of a user is the user's organizational username. While events are always logged with the source IP address, they are not always logged with the relevant username; therefore, many of the collected events are not directly linked with the appropriate user. In this paper we describe a method for associating an IP address with an actual username based on a set of logged events. This is a crucial precondition for generating an accurate user profile. The proposed method was evaluated using real, large datasets (logs) and showed 88% accuracy in the identification of usernames.
KW - anomaly detection
KW - security and event management
KW - user profiling
UR - http://www.scopus.com/inward/record.url?scp=84886020426&partnerID=8YFLogxK
U2 - 10.1109/BigData.Congress.2013.73
DO - 10.1109/BigData.Congress.2013.73
M3 - Conference contribution
AN - SCOPUS:84886020426
SN - 9780768550060
T3 - Proceedings - 2013 IEEE International Congress on Big Data, BigData 2013
SP - 435
EP - 436
BT - Proceedings - 2013 IEEE International Congress on Big Data, BigData 2013
T2 - 2013 IEEE International Congress on Big Data, BigData 2013
Y2 - 27 June 2013 through 2 July 2013
ER -