TY - GEN
T1 - Behavioral-based feature abstraction from network traffic
AU - Alotibi, Gaseb
AU - Li, Fudong
AU - Clarke, Nathan
AU - Furnell, Steven
PY - 2015/3
Y1 - 2015/3
N2 - Information security breaches cost organizations collectively billions in lost intellectual property and business. To mitigate this threat, a whole host of countermeasures have been devised to detect, monitor and respond to network-based attacks and compromise. These include: incident management teams operating 24/7, network forensic tools, Security Incident and Event Management (SIEM) systems, insider misuse detection, intrusion detection and intrusion prevention systems. A fundamental limitation of all these approaches, however, is the reliance upon analyzing network traffic based upon the computer node, which itself is derived from a dynamically allocated IP address, rather than being able to identify network traffic based upon the user. Identifying the user rather than the IP provides a more complete and accurate set of data to be utilized within existing countermeasures. For example, in an organization, a user might have access to a desktop, laptop, tablet and mobile phone that all utilize and access the corporate network and whose IPs are different and vary over time. Currently, understanding and identifying that user in such an environment is extremely challenging and time consuming. Whilst research has attempted to achieve this level of abstraction to the user, results are poor due to the volume and variability of data at the network level. This paper describes a research study into the identification and extraction of high-level behavioural features from low-level network traffic. Having identified application-level services and derived sets of typical use cases, this research presents a set of experiments to demonstrate how user behaviours within internet-enabled applications can be determined through analysis of low-level network traffic metadata. The enhanced features that are derived not only inform us of which services a person is using but also how they use them. For example, from our social networking experiment it has been shown that it is possible to identify whether a person is reading, posting an image or using instant messenger. This feature-rich, user-focused approach to metadata analysis of network traffic will provide the underlying information required for profiling and modelling user activity.
AB - Information security breaches cost organizations collectively billions in lost intellectual property and business. To mitigate this threat, a whole host of countermeasures have been devised to detect, monitor and respond to network-based attacks and compromise. These include: incident management teams operating 24/7, network forensic tools, Security Incident and Event Management (SIEM) systems, insider misuse detection, intrusion detection and intrusion prevention systems. A fundamental limitation of all these approaches, however, is the reliance upon analyzing network traffic based upon the computer node, which itself is derived from a dynamically allocated IP address, rather than being able to identify network traffic based upon the user. Identifying the user rather than the IP provides a more complete and accurate set of data to be utilized within existing countermeasures. For example, in an organization, a user might have access to a desktop, laptop, tablet and mobile phone that all utilize and access the corporate network and whose IPs are different and vary over time. Currently, understanding and identifying that user in such an environment is extremely challenging and time consuming. Whilst research has attempted to achieve this level of abstraction to the user, results are poor due to the volume and variability of data at the network level. This paper describes a research study into the identification and extraction of high-level behavioural features from low-level network traffic. Having identified application-level services and derived sets of typical use cases, this research presents a set of experiments to demonstrate how user behaviours within internet-enabled applications can be determined through analysis of low-level network traffic metadata. The enhanced features that are derived not only inform us of which services a person is using but also how they use them. For example, from our social networking experiment it has been shown that it is possible to identify whether a person is reading, posting an image or using instant messenger. This feature-rich, user-focused approach to metadata analysis of network traffic will provide the underlying information required for profiling and modelling user activity.
KW - authentication
KW - behavioural profiling
KW - identification
KW - network traffic
UR - http://www.scopus.com/inward/record.url?scp=84969285718&partnerID=8YFLogxK
UR - http://academic-bookshop.com/ourshop/prod_3774091-ICCWS-2015-10th-International-Conference-on-Cyber-Warfare-and-Security-Kruger-National-Park-South-Africa-PRINT-ver-ISBN-978191030996.html
M3 - Conference contribution
AN - SCOPUS:84969285718
SN - 978-1-910309-96-4
T3 - ACMI ICCWS Proceedings Series
SP - 1
EP - 9
BT - Proceedings of the 10th International Conference on Cyber Warfare and Security, ICCWS 2015
A2 - Zaaiman, Jannie
A2 - Leenen, Louise
PB - Academic Conferences and Publishing International Limited
T2 - 10th International Conference on Cyber Warfare and Security
Y2 - 24 March 2015 through 25 March 2015
ER -