Behavioral-based feature abstraction from network traffic

Gaseb Alotibi, Fudong Li, Nathan Clarke, Steven Furnell

Research output: Chapter in Book/Report/Conference proceedingConference contribution


Information security breaches cost organizations collectively billions in lost intellectual property and business. To mitigate this threat, a whole host of countermeasures have been devised to detect, monitor and respond to network-based attacks and compromise. These include: incident management teams operating 24/7, network forensic tools, Security Incident and Event Management (SIEM) systems, insider misuse detection, intrusion detection and intrusion prevention systems. A fundamental limitation of all these approaches however is the reliance upon analyzing network traffic based upon the computer node, which itself is derived from a dynamically allocated IP address, rather than being able to identify network traffic based upon the user. Identifying the user rather than IP provides a more complete and accurate set of data to be utilized within existing countermeasures. For example, in an organization, a user might have access to a desktop, laptop, tablet and mobile phone that all utilize and access the corporate network and who's IPs are different and vary against time. Currently understanding and identifying that user in such an environment is extremely challenging and time consuming. Whilst research has attempted to achieve this level of abstraction to the user, results are poor due to the volume and variability of data at the network-level. This paper describes a research study into the identification and extraction of highlevel behavioural features from low-level network traffic. Having identified application-level services and derived sets of typical use cases, this research presents a set of experiments to demonstrate how user behaviours within internet-enabled applications can be determined through analysis of low-level network traffic metadata. The enhanced features that are derived not only inform us of which services a person is using but also how they use it. For example, from our social networking experiment it has been shown that it is possible to identify whether a person is reading, posting an image or using instant messenger. This feature-rich user-focused approach to metadata analysis of network traffic will provide the underlying information required for profiling and modelling user activity.

Original languageEnglish
Title of host publicationProceedings of the 10th International Conference on Cyber Warfare and Security, ICCWS 2015
EditorsJannie Zaaiman, Louise Leenen
PublisherAcademic Conferences and Publishing International Limited
Number of pages9
ISBN (Electronic)978‐1‐910309‐97‐1
ISBN (Print)978‐1‐910309‐96‐4
Publication statusPublished - Mar 2015
Event10th International Conference on Cyber Warfare and Security - , South Africa
Duration: 24 Mar 201525 Mar 2015

Publication series

NameACMI ICCWS Proceedings Series
ISSN (Print)2048‐9870
ISSN (Electronic)2048‐9889


Conference10th International Conference on Cyber Warfare and Security
Abbreviated titleICCWS 2015
Country/TerritorySouth Africa


  • authentication
  • behavioural profiling
  • identification
  • network traffic


Dive into the research topics of 'Behavioral-based feature abstraction from network traffic'. Together they form a unique fingerprint.

Cite this