Classifying and tracking enterprise assets via dual-grained network behavioral analysis


Detailed description

Bibliographic details
Published in: Computer Networks (Amsterdam, Netherlands : 1999), 2022-12, Vol. 218, p. 109387, Article 109387
Main authors: Lyu, Minzhao; Habibi Gharakheili, Hassan; Sivaraman, Vijay
Format: Article
Language: eng
Online access: Full text
Description
Abstract: Enterprise networks continue to grow in scale and complexity, encompassing a wide range of Internet-connected end-points including web servers/proxies, DNS/VPN/mail servers, and other special-purpose devices. Monitoring this dynamically evolving set of assets, for the purposes of ensuring operational efficiency and cyber security, poses a significant challenge for IT personnel. In this paper, we develop a system that automatically and continuously classifies enterprise Internet-connected assets by analyzing their network activity, thereby reducing blind spots for organizational IT departments. Our contributions are three-fold: (1) We analyze over 3 billion packets from a large enterprise network to deduce network behavioral profiles of popular asset types such as web servers, DNS servers, and file storage systems, and transport-layer patterns of less common ones such as non-typical TCP/UDP servers, proxies, and NAT gateways; (2) We systematically develop a host-level graph structure, identify a rich set of behavioral attributes, balance computational cost against predictive power, train classifiers in a dual-grained classification scheme to categorize assets, and evaluate them via cross-validation as well as open-set evaluation; and (3) We prototype our system on multiple 10 Gbps Internet links of a campus network and present insights over a month, such as the ability to identify hundreds of typical servers as well as thousands of non-typical assets, track their utilization, and highlight anomalous behaviors pertinent to possible cyber-threats. Our solution provides a dynamic and scalable way for IT personnel to effectively track enterprise assets.
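The abstract describes the pipeline only at a high level: build a host-level graph from traffic, derive behavioral attributes per host, then label hosts at a coarse grain (typical server, client, or non-typical) and a fine grain (web, DNS, proxy/NAT, ...). The following is an added illustration of that shape of pipeline, written for this page; it is not code from the paper by Lyu, Habibi Gharakheili and Sivaraman. The flow record layout, the attribute set, the thresholds, the port-to-role table and the sample traffic (TEST-NET-3 addresses as external peers, `10.0.0.0/16` assumed as the enterprise space) are all constructed assumptions; the paper's own graph attributes and trained classifiers are not reproduced.

```python
"""Host-level behavioral profiling with a coarse/fine (dual-grained) labelling step.
Added example, not the paper's code. Record layout, attributes, thresholds and the
port-to-role table are assumptions; the sample traffic is constructed."""
from collections import Counter, defaultdict
from dataclasses import dataclass

ENTERPRISE_PREFIX = "10.0."  # assumed enterprise address space (constructed)


@dataclass(frozen=True)
class Flow:
    """One flow as an exporter would summarise it (assumed record layout)."""
    src: str     # initiator
    sport: int
    dst: str     # responder
    dport: int
    proto: str   # "tcp" or "udp"


def is_internal(ip: str) -> bool:
    return ip.startswith(ENTERPRISE_PREFIX)


def build_host_graph(flows):
    """Host-level graph: enterprise host -> external peer -> [(proto, port, inbound)].
    'port' is the enterprise host's own port for inbound flows and the remote
    service port for outbound ones. Internal-only flows are ignored: the example
    profiles Internet-facing assets only."""
    graph = defaultdict(lambda: defaultdict(list))
    for f in flows:
        if is_internal(f.dst) and not is_internal(f.src):
            graph[f.dst][f.src].append((f.proto, f.dport, True))
        elif is_internal(f.src) and not is_internal(f.dst):
            graph[f.src][f.dst].append((f.proto, f.dport, False))
    return graph


def host_attributes(edges):
    """Behavioral attributes of one host, derived from its graph edges."""
    obs = [o for peer in edges.values() for o in peer]
    inbound = [o for o in obs if o[2]]
    outbound = [o for o in obs if not o[2]]
    services = Counter((proto, port) for proto, port, _ in inbound)
    top_service, top_count = services.most_common(1)[0] if services else (None, 0)
    return {
        "n_peers": len(edges),
        "inbound_frac": len(inbound) / len(obs),
        "top_service": top_service,
        "top_service_share": top_count / len(inbound) if inbound else 0.0,
        "n_remote_services": len({(proto, port) for proto, port, _ in outbound}),
    }


# assumed port-to-role table for the fine-grained step (not the paper's)
SERVICE_ROLE = {("tcp", 80): "web", ("tcp", 443): "web", ("udp", 53): "dns",
                ("tcp", 25): "mail", ("tcp", 587): "mail"}


def classify_coarse(a):
    """Coarse grain: dedicated server, client, or the in-between 'non-typical' bucket."""
    if a["inbound_frac"] >= 0.8 and a["top_service_share"] >= 0.7:
        return "typical-server"
    if a["inbound_frac"] <= 0.2:
        return "client"
    return "non-typical"


def classify_fine(a, coarse):
    """Fine grain: server role from the dominant inbound service; for mixed hosts,
    many peers plus many distinct remote services suggests a proxy or NAT gateway."""
    if coarse == "typical-server":
        return SERVICE_ROLE.get(a["top_service"], f"other-{a['top_service'][0]}-server")
    if coarse == "non-typical":
        return "proxy-or-nat" if a["n_peers"] >= 5 and a["n_remote_services"] >= 5 else "mixed"
    return "client"


def classify_hosts(flows):
    """Return {host: (coarse, fine, attributes)} for every enterprise host seen."""
    result = {}
    for host, edges in build_host_graph(flows).items():
        a = host_attributes(edges)
        coarse = classify_coarse(a)
        result[host] = (coarse, classify_fine(a, coarse), a)
    return result


def changed_labels(previous, current):
    """Hosts whose (coarse, fine) label differs between two windows: a known DNS
    server that starts behaving like a mixed client is drift worth surfacing."""
    return {h: (previous[h][:2], current[h][:2]) for h in current
            if h in previous and previous[h][:2] != current[h][:2]}


# ---- constructed sample traffic; 203.0.113.0/24 (TEST-NET-3) as external peers ----
EXT = [f"203.0.113.{i}" for i in range(1, 11)]


def _flows(host, proto, port, peers, inbound):
    if inbound:
        return [Flow(p, 40000 + i, host, port, proto) for i, p in enumerate(peers)]
    return [Flow(host, 40000 + i, p, port, proto) for i, p in enumerate(peers)]


SAMPLE_FLOWS = (
    _flows("10.0.1.10", "tcp", 443, EXT[:6], True)      # web server: HTTPS from six peers
    + _flows("10.0.1.10", "tcp", 80, EXT[6:8], True)    # plus two plain-HTTP clients
    + _flows("10.0.1.10", "tcp", 443, EXT[8:9], False)  # and one outbound fetch
    + _flows("10.0.1.53", "udp", 53, EXT[:5], True)     # DNS server queried by five peers
    + _flows("10.0.1.53", "udp", 53, EXT[9:10], False)  # recursing to one upstream
    + _flows("10.0.2.1", "tcp", 22, EXT[:2], True)      # gateway: SSH in from two peers
    + [Flow("10.0.2.1", 50000 + i, EXT[2 + i], port, proto)   # plus varied outbound
       for i, (proto, port) in enumerate([("tcp", 443), ("tcp", 80), ("tcp", 22),
                                          ("tcp", 993), ("tcp", 8080), ("udp", 53)])]
    + _flows("10.0.3.7", "tcp", 443, EXT[:3], False)    # ordinary client
)

if __name__ == "__main__":
    for host, (coarse, fine, a) in sorted(classify_hosts(SAMPLE_FLOWS).items()):
        print(f"{host:<10} {coarse:<15} {fine:<13} peers={a['n_peers']}")
```

Two design points carry over from the abstract even though the thresholds here are invented: the coarse label is decided from direction and service concentration alone, which is cheap to compute on every window, and the fine label only consults the port-to-role table once the host is already known to be a dedicated server, so an unfamiliar service (an "other-tcp-server") is still tracked rather than dropped. Re-running `classify_hosts` per window and diffing with `changed_labels` is the simplest form of the drift tracking the abstract describes.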
ISSN: 1389-1286; 1872-7069
DOI: 10.1016/j.comnet.2022.109387