Authors: Fudong Li, Nathan Clarke, Gaseb Alotibi and Dany Joy
With more than 3 billion people using Internet-based services daily, a huge volume of network traffic is generated and propagated through networks. When the inevitable incident occurs, network forensics (or incident analysis techniques) can be deployed to assist in identifying the security breach. However, because of the network analysis methods they employ (i.e. packet inspection or flow-based examination), existing tools face a number of challenges, including dealing with enormous volumes of network traffic, the widespread use of encrypted traffic, and associating low-level packet-based data with a higher-level appreciation of what the user is doing. Neither of the two current approaches can provide deeper insight into an incident than that a service was accessed and data were communicated. It is envisaged that additional information about the attack could be vital for the forensic analyst in understanding the user, what services they use and (importantly) for what purpose. To this end, this paper describes a preliminary study into the derivation of user interaction activities within Internet-based applications from their raw network metadata. Based upon the experimental result, the study demonstrates that user Internet activities can be identified, providing an investigator with knowledge of what a service is being used for: chatting, uploading, reading, modifying, video conferencing. The proposed method provides a greater level of information abstraction than current approaches, enabling an investigator to undertake a faster analysis while still ensuring that the user's privacy is protected in comparison with other approaches.
Keywords: network analysis; protocol analysis; network forensics; SIEMs; metadata
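As an added illustration of the abstract's idea, and not the authors' method (the abstract does not describe it), the Python sketch below labels constructed flow-metadata records with the activity classes the abstract names, using only per-flow counters so it would apply equally to encrypted traffic; the `FlowMeta` schema, the derived features and every threshold are assumptions made for this example.

```python
from dataclasses import dataclass

@dataclass
class FlowMeta:  # per-flow counters only, no payload; hypothetical schema
    bytes_up: int       # bytes client -> server
    bytes_down: int     # bytes server -> client
    pkts_up: int
    pkts_down: int
    duration_s: float

def features(f: FlowMeta) -> dict:
    """Derive direction ratio, throughput and packet rate from raw counters."""
    total = f.bytes_up + f.bytes_down
    pkts = f.pkts_up + f.pkts_down
    dur = f.duration_s if f.duration_s > 0 else 1e-9  # guard zero-length flows
    return {
        "total": total,
        "up_ratio": f.bytes_up / total if total else 0.0,
        "rate_bps": total / dur,
        "pps": pkts / dur,
    }

def classify_activity(f: FlowMeta) -> str:
    """Map metadata features to activity classes; thresholds are illustrative assumptions."""
    x = features(f)
    balanced = 0.2 <= x["up_ratio"] <= 0.8
    if x["pps"] > 50 and x["rate_bps"] > 100_000 and 0.3 <= x["up_ratio"] <= 0.7 and f.duration_s > 60:
        return "video conferencing"   # sustained, high-rate, roughly symmetric media stream
    if x["up_ratio"] > 0.8 and x["total"] > 1_000_000:
        return "uploading"            # bulk data leaving the client
    if x["up_ratio"] < 0.2 and x["total"] > 100_000:
        return "reading"              # bulk data arriving, very little sent
    if balanced and x["total"] < 50_000 and f.duration_s > 60:
        return "chatting"             # sparse, small, long-lived, two-way
    if balanced and x["total"] >= 50_000:
        return "modifying"            # moderate two-way exchange, e.g. editing a document
    return "unknown"

# Constructed sample flows (not captured data); values chosen to exercise each rule.
SAMPLE_FLOWS = {
    "upload":  FlowMeta(5_000_000, 50_000, 3_800, 1_200, 20.0),
    "video":   FlowMeta(30_000_000, 28_000_000, 40_000, 38_000, 300.0),
    "reading": FlowMeta(20_000, 900_000, 300, 700, 15.0),
    "chat":    FlowMeta(6_000, 8_000, 60, 70, 600.0),
    "edit":    FlowMeta(150_000, 200_000, 400, 450, 40.0),
}

def label_all(flows=SAMPLE_FLOWS) -> dict:
    """Label every sample flow; returns {name: activity}."""
    return {name: classify_activity(f) for name, f in flows.items()}
```

Calling `label_all()` on the constructed flows returns one of the abstract's five activity labels for each record; a flow that matches no rule (for instance an empty one) is reported as "unknown" rather than forced into a class.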