
    Behavioural Monitoring via Network Communications

    It is commonly acknowledged that using Internet applications is an integral part of everyday life, with more than three billion people now using Internet services across the world, and this number grows every year. Unfortunately, the rise in Internet use has brought a corresponding rise in cyber-related crime. Whilst significant effort has been expended on protecting systems from outside attack, only more recently have researchers sought to develop countermeasures against insider attack. For an organisation, however, detecting an attack is merely the start of a process that requires it to investigate the attack and attribute it to an individual (or group of individuals). The investigation typically revolves around analysing network traffic in order to understand the nature of the traffic flows and, importantly, to resolve them to the IP address of the insider. With mobile computing and the Dynamic Host Configuration Protocol (DHCP), which cause Internet Protocol (IP) addresses to change frequently, resolving traffic back to a specific individual is particularly challenging. The thesis explores the feasibility of profiling network traffic in a biometric manner so that users can be identified independently of the IP address. To preserve privacy and to cope with encryption (which covers an increasing volume of network traffic), the proposed approach uses only data derived from packet metadata, never the payload. The research proposes a novel feature extraction approach focused on extracting user-oriented, application-level features from the wider network traffic. An investigation across nine of the most common web applications (Facebook, Twitter, YouTube, Dropbox, Google, Outlook, Skype, BBC and Wikipedia) was undertaken to determine whether such high-level features could be derived from low-level network signals.

    The results showed that whilst some user interactions could not be extracted because of the complexity of the resulting web application, the majority could. Having developed a feature extraction process focused on the user rather than on machine-to-machine traffic, the research sought to use this information to determine whether a behavioural profile could be built to identify users. Network traffic of 27 users over 2 months was collected and processed with this feature extraction process: over 140 million packets were reduced to 45 user-level interactions across the nine applications. Behavioural profiling showed that the system is capable of identifying users, with an average True Positive Identification Rate (TPIR) for the top three applications of 87.4%, 75% and 61.9% respectively. Whilst this initial study gave encouraging results, the research went on to develop refinements to improve performance. Two techniques were applied: fusion and timeline analysis. Fusion combines the outputs of the classification stage to better accommodate the variability of the classification and decision phases of the biometric system. Timeline analysis capitalises on the fact that, whilst an IP address is unreliable over long periods because of reallocation, over short timeframes (e.g. a few minutes) it is likely to remain mapped to the same user. With fusion, the results for the top three applications were 93.3%, 82.5% and 68.9%; adding timeline analysis (with a 240 second time window) gave an average of 72.1% across all applications.

    In terms of biometric identification in the usual sense, 72.1% is not outstanding, but for the problem of attributing misuse to an individual it gives the investigator an enormous advantage over existing approaches: at best it yields a user's specific traffic, and at worst it significantly reduces the volume of traffic to be analysed.
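The timeline analysis step above rests on one observation: an IP address is unreliable over a capture lasting weeks, but within a window of a few minutes it almost certainly still belongs to one person, so every per-observation identification decision sharing that address inside the window can be pooled. The following is an added illustration of that pooling and is not code from the thesis; the abstract gives the 240-second window but not the combining rule, so the score-summing vote, the `Decision` record and the sample decisions (constructed, including a deliberate DHCP reassignment in the second window) are all assumptions made here.

```python
"""Time-window (timeline) fusion of per-observation user identification decisions.

Added illustration, not code from the thesis. The 240 s window comes from the
abstract; the combining rule (sum each candidate's scores inside a window and
take the largest) is ASSUMED, as is the shape of the decision records.
"""
from collections import defaultdict
from dataclasses import dataclass

WINDOW_SECONDS = 240  # window length reported in the thesis abstract


@dataclass(frozen=True)
class Decision:
    ts: float        # seconds since capture start
    src_ip: str      # address seen on the packets that produced this decision
    user: str        # classifier's top-1 identity for this observation
    score: float     # classifier confidence in [0, 1]


def fuse_timeline(decisions, window=WINDOW_SECONDS):
    """Pool decisions per (src_ip, fixed window index) and return the fused identity.

    Returns {(src_ip, window_index): (fused_user, n_observations)}.
    Ties are broken alphabetically so the result is deterministic.
    """
    totals = defaultdict(lambda: defaultdict(float))
    counts = defaultdict(int)
    for d in decisions:
        key = (d.src_ip, int(d.ts // window))
        totals[key][d.user] += d.score
        counts[key] += 1
    fused = {}
    for key, per_user in totals.items():
        best = min(per_user.items(), key=lambda kv: (-kv[1], kv[0]))[0]
        fused[key] = (best, counts[key])
    return fused


def identification_rate(decisions, truth, window=WINDOW_SECONDS):
    """TPIR per observation and after window fusion, given truth[(src_ip, window)] = user."""
    per_obs = sum(truth[(d.src_ip, int(d.ts // window))] == d.user for d in decisions) / len(decisions)
    fused = fuse_timeline(decisions, window)
    per_win = sum(truth[k] == u for k, (u, _) in fused.items()) / len(fused)
    return per_obs, per_win


# Constructed sample (not real data): two hosts over ~8 minutes. 10.0.0.5 is
# alice throughout; 10.0.0.9 is bob in the first window and, after a DHCP
# reassignment, carol in the second. Three observations are misclassified.
SAMPLE = [
    Decision(5,   "10.0.0.5", "alice", 0.80),
    Decision(60,  "10.0.0.5", "bob",   0.55),   # misclassification
    Decision(120, "10.0.0.5", "alice", 0.70),
    Decision(300, "10.0.0.5", "alice", 0.90),
    Decision(310, "10.0.0.5", "carol", 0.40),   # misclassification
    Decision(10,  "10.0.0.9", "bob",   0.60),
    Decision(90,  "10.0.0.9", "alice", 0.65),   # misclassification
    Decision(200, "10.0.0.9", "bob",   0.75),
    Decision(250, "10.0.0.9", "carol", 0.85),   # new lease, new user
    Decision(400, "10.0.0.9", "carol", 0.70),
]
TRUTH = {
    ("10.0.0.5", 0): "alice", ("10.0.0.5", 1): "alice",
    ("10.0.0.9", 0): "bob",   ("10.0.0.9", 1): "carol",
}

if __name__ == "__main__":
    before, after = identification_rate(SAMPLE, TRUTH)
    print(f"per-observation TPIR: {before:.2f}; after {WINDOW_SECONDS}s fusion: {after:.2f}")
```

The window is fixed rather than sliding so that a single DHCP lease change falls cleanly into a new bucket; with a sliding window the observations straddling the reassignment would be pooled across two users, which is exactly the failure the short-window assumption is meant to avoid.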

    Identifying users by network traffic metadata

    Insider misuse has become a major threat to many organisations, because of the knowledge insiders may have about the organisation's security infrastructure. A wide range of technologies has therefore been developed to detect or prevent insider misuse. Beyond detection, there is a need to investigate the misuse and identify the individual perpetrating it. From a networking perspective, investigations currently rely on analysing traffic in one of two ways: a packet-based approach or a flow-based approach. A serious limitation of both is their use of IP addresses to link the misuse to an individual. IP addresses are often not reliable because of the mobile nature of use (mobile devices continually connect to and disconnect from networks, so a device is given a multitude of different IP addresses over time), and the presence of DHCP complicates matters even in wired environments. This makes it challenging to identify the individual or individuals responsible for the misuse. This paper proposes a novel approach that is able to identify users from encrypted network traffic. A novel feature extraction process is proposed that derives user actions within network-based applications from packet metadata only; this information is then used to develop biometric-based behavioural profiles. An experiment using 27 participants and 2 months' worth of network data shows that users are identifiable, with individual applications yielding recognition rates of up to 100%.

    Behavioral-based feature abstraction from network traffic

    Information security breaches cost organisations collectively billions in lost intellectual property and business. To mitigate this threat, a whole host of countermeasures has been devised to detect, monitor and respond to network-based attacks and compromise, including incident management teams operating 24/7, network forensic tools, Security Information and Event Management (SIEM) systems, insider misuse detection, and intrusion detection and intrusion prevention systems. A fundamental limitation of all these approaches, however, is their reliance on analysing network traffic by computer node, itself derived from a dynamically allocated IP address, rather than by user. Identifying the user rather than the IP address provides a more complete and accurate set of data for use within existing countermeasures. For example, a user in an organisation might have a desktop, a laptop, a tablet and a mobile phone that all access the corporate network, whose IP addresses differ from one another and vary over time; identifying that user in such an environment is currently extremely challenging and time consuming. Whilst research has attempted to achieve this level of abstraction to the user, results have been poor because of the volume and variability of data at the network level. This paper describes a research study into the identification and extraction of high-level behavioural features from low-level network traffic. Having identified application-level services and derived sets of typical use cases, it presents a set of experiments demonstrating how user behaviours within Internet-enabled applications can be determined through analysis of low-level network traffic metadata. The derived features tell us not only which services a person is using but also how they use them. For example, the social networking experiment showed that it is possible to identify whether a person is reading, posting an image or using instant messenger. This feature-rich, user-focused approach to metadata analysis of network traffic provides the underlying information required for profiling and modelling user activity.
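Reading versus posting an image versus messaging can be told apart from metadata alone because each interaction leaves a different shape on the wire: a read is a small request followed by a large downstream transfer, an image post is a large upstream transfer followed by a small acknowledgement, and a chat message is a handful of tiny packets in both directions. The block below is an added example of this kind of abstraction and is not the paper's code: the abstract gives neither the paper's features nor its thresholds, so the idle-gap burst segmentation, the feature vector, the three heuristic labels and the sample TLS-session metadata (constructed; sizes, directions and timestamps only) are all assumptions made here.

```python
"""Abstracting user-level interactions from packet metadata (no payload inspection).

Added illustration, not the paper's code. Burst segmentation, features,
thresholds and labels are ASSUMED; the sample capture is constructed.
"""
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Pkt:
    ts: float      # seconds since capture start
    up: bool       # True = client -> server
    size: int      # bytes on the wire; the payload is never read


IDLE_GAP = 1.0  # assumed: silence longer than this ends one interaction burst


def split_bursts(pkts, idle_gap=IDLE_GAP):
    """Cut the packet sequence into bursts wherever the inter-packet gap exceeds idle_gap."""
    bursts, cur = [], []
    for p in sorted(pkts, key=lambda p: p.ts):
        if cur and p.ts - cur[-1].ts > idle_gap:
            bursts.append(cur)
            cur = []
        cur.append(p)
    if cur:
        bursts.append(cur)
    return bursts


def burst_features(burst):
    """Metadata-only feature vector for one burst."""
    up = sum(p.size for p in burst if p.up)
    down = sum(p.size for p in burst if not p.up)
    gaps = [b.ts - a.ts for a, b in zip(burst, burst[1:])]
    return {
        "pkts": len(burst),
        "duration": burst[-1].ts - burst[0].ts,
        "bytes_up": up,
        "bytes_down": down,
        "up_ratio": up / (up + down) if up + down else 0.0,
        "mean_gap": mean(gaps) if gaps else 0.0,
    }


def label_interaction(f):
    """Assumed heuristic mapping from burst features to a user-level action."""
    if f["up_ratio"] > 0.7 and f["bytes_up"] > 50_000:
        return "post_image"        # large client -> server transfer, tiny reply
    if f["bytes_up"] + f["bytes_down"] < 3_000 and f["pkts"] <= 6:
        return "instant_message"   # a few small packets in both directions
    if f["up_ratio"] < 0.3 and f["bytes_down"] > 20_000:
        return "read_feed"         # small request, server streams content down
    return "unknown"


def extract_interactions(pkts):
    """Return [(burst_start_ts, action_label)] for a client's packet metadata."""
    return [(b[0].ts, label_interaction(burst_features(b))) for b in split_bursts(pkts)]


# Constructed metadata for one client's encrypted session (not a real capture).
SAMPLE = (
    # t=0: feed read - one request, ~63 KB of responses, a closing ACK
    [Pkt(0.00, True, 517), Pkt(0.05, False, 1460), Pkt(0.06, False, 1460), Pkt(0.07, False, 1460)]
    + [Pkt(0.10 + 0.01 * i, False, 1460) for i in range(40)]
    + [Pkt(0.55, True, 66)]
    # t=5: instant message - four small packets
    + [Pkt(5.00, True, 212), Pkt(5.04, False, 66), Pkt(5.30, False, 198), Pkt(5.31, True, 66)]
    # t=9: image post - ~120 KB upstream, short acknowledgement
    + [Pkt(9.00 + 0.005 * i, True, 1460) for i in range(82)]
    + [Pkt(9.50, False, 66), Pkt(9.52, False, 310)]
)

if __name__ == "__main__":
    for ts, action in extract_interactions(SAMPLE):
        print(f"t={ts:6.2f}s  {action}")
```

Everything the classifier sees here (sizes, directions, timing) survives TLS, which is why the approach still works on encrypted traffic; it is also why the labels are necessarily coarse, since two actions with the same byte-and-timing shape cannot be separated without the payload.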

    A Nonfiducial PPG-Based Subject Authentication Approach Using the Statistical Features of DWT-Based Filtered Signals

    Nowadays there is a global change in lifestyle towards the use of e-services and smart devices, which necessitates the verification of user identity. Organisations have put in place a range of technologies, hardware and/or software, to authenticate users by fingerprint, iris recognition and so forth; however, cost and reliability are significant limitations on the use of such technologies. This study presents a nonfiducial PPG-based subject authentication system. The photoplethysmogram (PPG) signal is first filtered into four signals using the discrete wavelet transform (DWT) and then segmented into frames. Ten simple statistical features are extracted from the frame of each signal band to compose the feature vector. Augmenting the feature vector with the same features extracted from the first derivative of the corresponding signal is investigated, along with different fusion approaches. A support vector machine (SVM) classifier is then employed for identity authentication. The proposed system achieved an average authentication accuracy of 99.3% using a 15 second frame length with the augmented multiband approach.