A novel privacy preserving user identification approach for network traffic

Abstract

The prevalence of the Internet and cloud-based applications, alongside the technological evolution of smartphones, tablets and smartwatches, has resulted in users relying upon network connectivity more than ever before. This results in an increasingly voluminous footprint with respect to the network traffic that is created as a consequence. For network forensic examiners, this traffic represents a vital source of independent evidence in an environment where anti-forensics is increasingly challenging the validity of computer-based forensics. Performing network forensics today largely focuses upon an analysis based upon the Internet Protocol (IP) address, as this is the only characteristic available. More typically, however, investigators are not actually interested in the IP address but rather the associated user (whose account might have been compromised). However, given the range of devices (e.g., laptop, mobile, and tablet) that a user might be using and the widespread use of DHCP, IP is not a reliable and consistent means of understanding the traffic from a user. This paper presents a novel approach to the identification of users from network traffic using only the meta-data of the traffic (i.e. rather than the payload) and the creation of application-level user interactions, which are proven to provide a far richer discriminatory feature set to enable more reliable identity verification. A study involving data collected from 46 users over a two-month period, generating over 112 GB of meta-data traffic, was undertaken to examine the novel user-interaction-based feature extraction algorithm. On an individual application basis, the approach can achieve recognition rates of 90%, with some users experiencing recognition performance of 100%. The consequence of this recognition is an enormous reduction in the volume of traffic an investigator has to analyse, allowing them to focus upon a particular suspect or enabling them to disregard traffic and focus upon what is left.
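The general shape of the approach the abstract describes (group payload-free flow metadata into application-level user interactions, derive a feature vector per interaction, and match it against per-user profiles) can be illustrated in a few dozen lines. The following is an added example written for this page, not the paper's own feature extraction algorithm or classifier: the flow records, the 60-second idle threshold that ends an interaction, the six features, and the nearest-centroid matcher are all assumptions chosen for illustration.

```python
"""Illustrative metadata-only user identification from flow records.

Added example, not the paper's algorithm: it shows the general shape of the
approach the abstract describes (group flow metadata into application-level
user interactions, derive features, match against per-user profiles).
"""
import math
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Flow:
    """One flow record as exported by NetFlow/IPFIX-style metadata (no payload)."""
    user: str        # ground-truth label, known for training data only
    ts: float        # flow start time in seconds
    app: str         # application class inferred from ports/protocol (assumed given)
    bytes_out: int
    bytes_in: int
    packets: int
    duration: float  # seconds


# Constructed sample flows (not data from the study): two users, one application.
SAMPLE_FLOWS = [
    Flow("alice",   0.0, "web",  400,  12000,  20,  1.2),
    Flow("alice",   2.0, "web",  350,   9000,  15,  0.8),
    Flow("alice",   3.5, "web",  420,  15000,  22,  1.0),
    Flow("alice", 300.0, "web",  380,  11000,  18,  1.1),  # idle gap: new interaction
    Flow("alice", 302.5, "web",  410,  13000,  21,  0.9),
    Flow("alice", 304.0, "web",  390,  10000,  17,  1.3),
    Flow("bob",    10.0, "web", 2000, 250000, 300, 12.0),
    Flow("bob",   400.0, "web", 2200, 300000, 350, 15.0),
    Flow("bob",   401.0, "web", 1800, 200000, 280,  9.0),
]

IDLE_GAP = 60.0  # seconds of silence that ends an interaction (assumed threshold)


def group_interactions(flows, gap=IDLE_GAP):
    """Split each (user, app) flow sequence into interactions at idle gaps > `gap`."""
    by_key = defaultdict(list)
    for f in sorted(flows, key=lambda f: f.ts):
        by_key[(f.user, f.app)].append(f)
    interactions = []
    for (user, app), seq in by_key.items():
        current = [seq[0]]
        for prev, cur in zip(seq, seq[1:]):
            if cur.ts - prev.ts > gap:
                interactions.append((user, app, current))
                current = []
            current.append(cur)
        interactions.append((user, app, current))
    return interactions


def features(seq):
    """Feature vector for one interaction, built only from flow metadata."""
    gaps = [b.ts - a.ts for a, b in zip(seq, seq[1:])]
    out_b = sum(f.bytes_out for f in seq)
    in_b = sum(f.bytes_in for f in seq)
    return [
        float(len(seq)),                       # flows per interaction
        math.log1p(out_b),                     # log bytes sent
        math.log1p(in_b),                      # log bytes received
        mean([f.duration for f in seq]),       # mean flow duration
        mean(gaps) if gaps else 0.0,           # mean inter-flow gap
        math.log1p(in_b) - math.log1p(out_b),  # log download/upload ratio
    ]


def build_profiles(interactions):
    """Per-(user, app) centroid of interaction feature vectors."""
    vecs = defaultdict(list)
    for user, app, seq in interactions:
        vecs[(user, app)].append(features(seq))
    return {k: [mean(col) for col in zip(*v)] for k, v in vecs.items()}


def identify(app, vec, profiles):
    """Nearest-centroid match: which known user's profile for `app` is closest?"""
    candidates = {u: p for (u, a), p in profiles.items() if a == app}
    return min(candidates, key=lambda u: math.dist(vec, candidates[u]))


def leave_one_out_accuracy(flows):
    """Hold out each interaction in turn, profile the rest, and score the match."""
    inters = group_interactions(flows)
    hits = 0
    for i, (user, app, seq) in enumerate(inters):
        profiles = build_profiles(inters[:i] + inters[i + 1:])
        hits += identify(app, features(seq), profiles) == user
    return hits / len(inters)


if __name__ == "__main__":
    print(f"interactions: {len(group_interactions(SAMPLE_FLOWS))}")
    print(f"leave-one-out accuracy: {leave_one_out_accuracy(SAMPLE_FLOWS):.2f}")
```

The point the example makes is the one the abstract makes: nothing here reads a payload. Every feature comes from timing and volume fields that a NetFlow/IPFIX exporter already emits, and the per-application profile is what lets an examiner discard the bulk of traffic that matches no suspect. On real data the idle threshold, the feature set and the matcher would all need tuning, and a held-out evaluation such as the leave-one-out loop above is the minimum needed before trusting any recognition rate.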
