IP2User - Identifying the username of an IP address in network-related events

Asaf Shabtai, Idan Morad, Eyal Kolman, Ereli Eran, Alex Vaystikh, Eyal Gruss, Lior Rokach, Yuval Elovici

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

Abstract

Network devices deployed in organizations (firewalls, IDS, routers, antivirus, servers, etc.) log users' activity as events. Based on these events, users' behavioral profiles can be derived in order to detect anomalies indicating potential attacks. The identifier of a user is in most cases the user's organizational username. While events are always logged with the source IP address, they are not always logged with the relevant username, and therefore many of the collected events are not directly linked with the appropriate user. In this paper we describe a method for associating an IP address with an actual username based on a set of logged events. This is a crucial precondition for generating an accurate user profile. The proposed method was evaluated using real large datasets (logs) and showed 88% accuracy in the identification of usernames.
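The attribution gap the abstract describes, as an added illustration that is not the paper's method or code: events that carry a username (here, constructed authentication events) are used to label same-IP events that carry only the source IP, by a time-weighted vote inside a window. All event data, the window size and the confidence measure are assumptions chosen for this example.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample events (ts, source, src_ip, username). Authentication events
# name the organizational user; firewall/proxy events carry only the source IP.
EVENTS = [
    ("2013-06-27 08:00:05", "auth",     "10.0.0.5", "alice"),
    ("2013-06-27 08:01:10", "firewall", "10.0.0.5", None),
    ("2013-06-27 08:03:00", "proxy",    "10.0.0.5", None),
    ("2013-06-27 09:30:00", "auth",     "10.0.0.5", "alice"),
    ("2013-06-27 11:00:00", "proxy",    "10.0.0.5", None),   # near a hand-over
    ("2013-06-27 12:00:00", "auth",     "10.0.0.5", "bob"),  # same IP, new user
    ("2013-06-27 12:05:00", "firewall", "10.0.0.5", None),
    ("2013-06-27 13:00:00", "proxy",    "10.0.0.9", None),   # IP never seen with a user
]

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")

def build_ip_timeline(events):
    """Per-IP sorted list of (time, username) taken from events that name a user."""
    timeline = defaultdict(list)
    for ts, _, ip, user in events:
        if user:
            timeline[ip].append((parse(ts), user))
    for obs in timeline.values():
        obs.sort()
    return timeline

def resolve_user(timeline, ip, ts, window=timedelta(hours=2)):
    """Return (username, confidence) for an IP-only event, or (None, 0.0).
    Each username seen for this IP within +-window votes with a weight that decays
    linearly with time distance; confidence is the winner's share of all votes,
    so a value near 0.5 flags an ambiguous hand-over of the address."""
    t = parse(ts)
    votes = Counter()
    for obs_t, user in timeline.get(ip, []):
        gap = abs(obs_t - t)
        if gap <= window:
            votes[user] += 1.0 - gap / window
    if not votes:
        return None, 0.0
    user, score = votes.most_common(1)[0]
    return user, round(score / sum(votes.values()), 2)

def enrich(events, window=timedelta(hours=2)):
    """Fill in the username on events that lack one, where the timeline allows."""
    timeline = build_ip_timeline(events)
    return [(ts, src, ip, user if user else resolve_user(timeline, ip, ts, window)[0])
            for ts, src, ip, user in events]
```

The confidence value is what a profiling pipeline would use to discard or down-weight events attributed during an address hand-over, rather than silently assigning them to the wrong user.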

Original language: English
Title of host publication: Proceedings - 2013 IEEE International Congress on Big Data, BigData 2013
Pages: 435-436
Number of pages: 2
DOIs
State: Published - 28 Oct 2013
Event: 2013 IEEE International Congress on Big Data, BigData 2013 - Santa Clara, CA, United States
Duration: 27 Jun 2013 to 2 Jul 2013

Publication series

Name: Proceedings - 2013 IEEE International Congress on Big Data, BigData 2013

Conference

Conference: 2013 IEEE International Congress on Big Data, BigData 2013
Country/Territory: United States
City: Santa Clara, CA
Period: 27/06/13 to 2/07/13

Keywords

  • anomaly detection
  • security and event management
  • user profiling
