Unsupervised Learning for security of Enterprise networks by micro-segmentation

Micro-segmentation is a network security technique that requires delivering services for each unique segment. To do so, the first stage is defining these unique segments (a.k.a security groups) and then initializing policy-driven security controls. In this paper, we propose an unsupervised learning technique that covers both the security grouping and policy creation. For the network asset grouping, we develop a distance-based machine learning algorithm using the dynamic behavior of the assets. That is, after observing the entire network logs, our unsupervised learning algorithm suggests partitioning network assets into the groups. A key point of this un-supervised technique is that the grouping is only generated during the training phase and remains valid during the testing phase. The outcome of the grouping stage is then fed into the rules (security policies) creation stage enabling to establish the security groups as the lowest granularity of firewall rules. We conducted both quantitative and qualitative experiments and demonstrate the good performance of our network micro-segmentation approach. We further developed a prototype to validate the run-time performance of our approach at scale in a real-world environment. The hyper-parameters of our approach provides users with a flexible model to be fine-tuned to adapt very easily with the enterprise's security governance.