Passive network forensics: behavioural classification of network hosts based on connection patterns

Authors:
John McHugh;Ron McLeod;Vagishwari Nagaonkar
Affiliations:
Dalhousie University, Nova Scotia, Canada;Telecommunications Applications Research Alliance (TARA), Nova Scotia, Canada;Wipro Technologies India
Venue:
ACM SIGOPS Operating Systems Review
Year:
2008

Citing 7
Cited 3

Space/time trade-offs in hash coding with allowable errors

Communications of the ACM
Network Forensics Analysis

IEEE Internet Computing
Transport layer identification of P2P traffic

Proceedings of the 4th ACM SIGCOMM conference on Internet measurement
More Netflow Tools for Performance and Security

LISA '04 Proceedings of the 18th USENIX conference on System administration
A traffic characterization of popular on-line games

IEEE/ACM Transactions on Networking (TON)
Measurement-based characterization of a collection of on-line games

IMC '05 Proceedings of the 5th ACM SIGCOMM conference on Internet Measurement
Building a time machine for efficient recording and retrieval of high-volume network traffic

IMC '05 Proceedings of the 5th ACM SIGCOMM conference on Internet Measurement

Unsupervised host behavior classification from connection patterns

International Journal of Network Management
Source attribution for network address translated forensic captures

Digital Investigation: The International Journal of Digital Forensics & Incident Response
Synoptic graphlet: bridging the gap between supervised and unsupervised profiling of host-level network traffic

IEEE/ACM Transactions on Networking (TON)

Quantified Score

Hi-index	0.00

Visualization

Abstract

Passive monitoring of the data entering and leaving an enterprise network can support a number of forensic objectives. We have developed analysis techniques for NetFlow data that use behavioural identification and can confirm individual host roles and behaviours expressed as connection patterns. By looking at the way a given machine interacts with others, it is often possible to determine the role of the machine based solely on the network data. Host behaviours as characterized by NetFlow data are not stationary. Evolutionary changes occur as the result of new applications, computational and communications paradigms. Compromised machines often undergo changes in behaviour that range from subtle to dramatic. We use behavioural changes to identify role shifts and to trace the malicious or unintentional propagation of that change to other machines. Observed behavioural characteristics from over a year of traffic captures containing ordinary behaviours as well as a variety of compromises of interest are presented as examples for the forensics practitioner or researcher.