Publication | Closed Access
Enterprise Security: A Community of Interest Based Approach.
Citations: 62
References: 11
Year: 2006
Enterprise networks today carry a range of mission critical communications. A successful worm attack within an enterprise network can be substantially more devastating to most companies than attacks on the larger Internet. In this paper we explore a brownfield approach to hardening an enterprise network against active malware such as worms. The premise of our approach is that if future communication patterns are constrained to historical “normal” communication patterns, then the ability of malware to exploit vulnerabilities in the enterprise can be severely curtailed. We present techniques for automatically deriving individual host profiles that capture historical communication patterns (i.e., community of interest (COI)) of end hosts within an enterprise network. Using traces from a large enterprise network, we investigate how a range of different security policies based on these profiles impact usability (as valid communications may get restricted) and security (how well the policies contain malware). Our evaluations indicate that a simple security policy comprised of our Extended COI-based profile and Relaxed Throttling Discipline can effectively contain worm behavior within an enterprise without significantly impairing normal network operation.