Identifying Users by Network Traffic Metadata

G Alotibi, N Clarke, F Li, S Furnell

Research output: Contribution to journalArticlepeer-review

2 Downloads (Pure)

Abstract

Insider misuse is become a major threat to many organisations. This is due to the knowledge that might have about the organization's security infrastructure. Therefore, a wide range of technologies have been developed to detect/prevent the insider misuse. Beyond detecting, there is a need to investigate the misuse and identify the individual perpetrating the crime. From a networking perspective, the investigations currently rely upon analysing traffic based upon two approaches: packet-based-approach and flow-based approach. However, a serious limitation in these approaches is the use of IPs addresses to link the misuse to the individual. However, IPs addresses are often not reliable because of the mobile-nature of use (i.e. mobile devices are continually connecting and disconnecting to networks resulting in a device being given a multitude of different IP addresses over time). The presence of DCHP only serves to complicate this for wired environments. This makes it challenging to identify the individual or individuals responsible for the misuse. This paper aims to propose a novel approach that is able to identify using encrypted network traffic. A novel feature extraction process is proposed, that is based upon deriving user actions from network-based applications using packet metadata only. This information is subsequently used to develop biometric-based behavioural profiles. An experiment using 27 participants and 2 months worth of network data is undertaken and shows that users are identifiable with individual applications resulting in recognitions rates of up to 100%.
Original languageEnglish
Pages (from-to)103-112
Number of pages0
JournalInternational Journal of Chaotic Computing
Volume4
Issue number2
Early online date30 Dec 2016
DOIs
Publication statusPublished - Dec 2016

Fingerprint

Dive into the research topics of 'Identifying Users by Network Traffic Metadata'. Together they form a unique fingerprint.

Cite this