A Survey on Enterprise Network Security: Asset Behavioral Monitoring and Distributed Attack Detection

Minzhao Lyu, Hassan Habibi Gharakheili, Vijay Sivaraman

TL;DR

This survey tackles distributed network attacks targeting enterprise assets by framing a comprehensive view of asset behavior monitoring and near-edge detection. It surveys static and dynamic asset classification methods, including graph-based host profiling, and reviews three detection paradigms—proprietary rules, community signatures, and fine-grained flow statistics—while assessing the potential of programmable networks and ML to address current gaps. The paper identifies key research challenges such as dynamic, scalable monitoring, role-aware and explainable detection, and the prospect of self-driving security systems, offering a roadmap for future enterprise security research and practice. Overall, it provides a structured reference for practitioners and researchers to design scalable, adaptable defenses in modern, heterogeneous enterprise networks.

Abstract

Enterprise networks that host valuable assets and services are popular and frequent targets of distributed network attacks. In order to cope with the ever-increasing threats, industrial and research communities develop systems and methods to monitor the behaviors of their assets and protect them from critical attacks. In this paper, we systematically survey related research articles and industrial systems to highlight the current status of this arms race in enterprise network security. First, we discuss the taxonomy of distributed network attacks on enterprise assets, including distributed denial-of-service (DDoS) and reconnaissance attacks. Second, we review existing methods for monitoring and classifying the network behavior of enterprise hosts to verify their benign activities and isolate potential anomalies. Third, state-of-the-art detection methods for distributed network attacks sourced from external attackers are elaborated, highlighting their merits and bottlenecks. Fourth, as programmable networks and machine learning (ML) techniques are increasingly being adopted by the community, their current applications in network security are discussed. Finally, we highlight several research gaps in enterprise network security to inspire future research.

Paper Structure (41 sections, 4 figures, 3 tables)

This paper contains 41 sections, 4 figures, 3 tables.

Figures (4)

  • Figure 1: Key topics covered in this survey.
  • Figure 2: A visual example of distributed network attacks on a victim inside an enterprise.
  • Figure 3: Sankey diagrams illustrating network behavioral profiles of two representative enterprise assets: (a) a website server, and (b) a DNS recursive resolver, using 1000 flows of each networked asset for visualization purposes.
  • Figure 4: Firewall configurations available for distributed network attack protection (i.e., detection and mitigation): (a) reconnaissance/scan protection, (b) SYN flood DDoS protection, and (c) UDP flood DDoS protection.