Passive monitoring of the data entering and leaving an enterprise network can support a number of forensic objectives. We have developed analysis techniques for NetFlow data that use behavioural identification and can confirm individual host roles and behaviours expressed as connection patterns. By looking at the way a given machine interacts with others, it is often possible to determine the role of the machine based solely on the network data. Host behaviours as characterized by NetFlow data are not stationary. Evolutionary changes occur as a result of new applications and new computational and communications paradigms. Compromised machines often undergo changes in behaviour that range from subtle to dramatic. We use behavioural changes to identify role shifts and to trace the malicious or unintentional propagation of that change to other machines. Observed behavioural characteristics from over a year of traffic captures, containing ordinary behaviours as well as a variety of compromises of interest, are presented as examples for the forensics practitioner or researcher.