Abstract
Insider misuse has become a major threat to many organisations. This is due to the knowledge that insiders might have about the organisation's security infrastructure. Therefore, a wide range of technologies have been developed to detect or prevent insider misuse. Beyond detection, there is a need to investigate the misuse and identify the individual perpetrating the crime. From a networking perspective, investigations currently rely upon analysing traffic using two approaches: the packet-based approach and the flow-based approach. However, a serious limitation of both approaches is the use of IP addresses to link the misuse to an individual. IP addresses are often not reliable because of the mobile nature of use (i.e. mobile devices are continually connecting to and disconnecting from networks, resulting in a device being given a multitude of different IP addresses over time). The presence of DHCP only serves to complicate this further for wired environments. This makes it challenging to identify the individual or individuals responsible for the misuse. This paper proposes a novel approach that is able to identify individuals using encrypted network traffic. A novel feature extraction process is proposed, based upon deriving user actions from network-based applications using packet metadata only. This information is subsequently used to develop biometric-based behavioural profiles. An experiment using 27 participants and 2 months' worth of network data is undertaken and shows that users are identifiable from individual applications, with recognition rates of up to 100%.
| Original language | English |
|---|---|
| Pages (from-to) | 103-112 |
| Number of pages | 0 |
| Journal | International Journal of Chaotic Computing |
| Volume | 4 |
| Issue number | 2 |
| Early online date | 30 Dec 2016 |
| DOIs | |
| Publication status | Published - Dec 2016 |