Traditionally, user traffic profiling is performed by analyzing traffic traces collected on behalf of the user at aggregation points located in the middle of the network. However, the modern enterprise network has a highly mobile population that frequently moves in and out of its physical perimeter. Thus an in-the-network monitor is unlikely to capture full user activity traces when users move outside the enterprise perimeter. The distinct environments, such as the cubicle and the coffee shop (among others), that users visit, may each pose different constraints and lead to varied behavioral modes. It is thus important to ask: is the profile of a user constructed in one environment representative of the same user in another environment? In this paper, we answer in the negative for the mobile population of an enterprise. Using real corporate traces collected at nearly 400 end-hosts for approximately 5 weeks, we study how end-host usage differs across three environments: inside the enterprise, outside the enterprise but using a VPN, and entirely outside the enterprise network. Within these environments, we examine three types of features: (i) environment lifetimes, (ii) relative usage statistics of network services, and (iii) outlier detection thresholds as used for anomaly detection. We find significant diversity in end-host behavior across environments for many features, thus indicating that profiles computed for a user in one environment yield inaccurate representations of the same user in a different environment.