Sonification of Network Traffic Flow for Monitoring and Situational Awareness

Maintaining situational awareness of what is happening within a network is challenging, not least because the behaviour happens within computers and communications networks, but also because data traffic speeds and volumes are beyond human ability to process. Visualisation is widely used to present information about the dynamics of network traffic dynamics. Although it provides operators with an overall view and specific information about particular traffic or attacks on the network, it often fails to represent the events in an understandable way. Visualisations require visual attention and so are not well suited to continuous monitoring scenarios in which network administrators must carry out other tasks. Situational awareness is critical and essential for decision-making in the domain of computer network monitoring where it is vital to be able to identify and recognize network environment behaviours.Here we present SoNSTAR (Sonification of Networks for SiTuational AwaReness), a real-time sonification system to be used in the monitoring of computer networks to support the situational awareness of network administrators. SoNSTAR provides an auditory representation of all the TCP/IP protocol traffic within a network based on the different traffic flows between between network hosts. SoNSTAR raises situational awareness levels for computer network defence by allowing operators to achieve better understanding and performance while imposing less workload compared to visual techniques. SoNSTAR identifies the features of network traffic flows by inspecting the status flags of TCP/IP packet headers and mapping traffic events to recorded sounds to generate a soundscape representing the real-time status of the network traffic environment. Listening to the soundscape allows the administrator to recognise anomalous behaviour quickly and without having to continuously watch a computer screen.Comment: 17 pages, 7 figures plus supplemental material in Github repositor

Sonification of Network Traffic for Detecting and Learning About Botnet Behavior

Today's computer networks are under increasing threat from malicious activity. Botnets (networks of remotely controlled computers, or "bots") operate in such a way that their activity superficially resembles normal network traffic which makes their behaviour hard to detect by current Intrusion Detection Systems (IDS). Therefore, new monitoring techniques are needed to enable network operators to detect botnet activity quickly and in real time. Here we show a sonification technique using the SoNSTAR system that maps characteristics of network traffic to a real-time soundscape enabling an operator to hear and detect botnet activity. A case study demonstrated how using traffic log files alongside the interactive SoNSTAR system enabled the identification of new traffic patterns that characteristic botnet behaviour and subsequently the effective targeting and real-time detection of botnet activity. An experiment using the 11.39 GiB ISOT Botnet Dataset, containing labelled botnet traffic data, compared the SoNSTAR system with three leading machine learning-based traffic classifiers in a botnet activity detection test. SoNSTAR demonstrated greater accuracy, precision and recall and much lower false positive rates than the other techniques. The knowledge generated about characteristic botnet behaviours could be used in the development of future IDSs

Sonification Aesthetics and Listening for Network Situational Awareness

This paper looks at the problem of using sonification to enable network administrators to maintaining situational awareness about their network environment. Network environments generate a lot of data and the need for continuous monitoring means that sonification systems must be designed in such a way as to maximise acceptance while minimising annoyance and listener fatigue. It will be argued that solutions based on the concept of the soundscape offer an ecological advantage over other sonification designs.Comment: Workshop paper presented at SoniHED --- Conference on Sonification of Health and Environmental Data, York, UK, 12 September, 201

Interactive Sonification of Network Traffic to support Cyber Security Situational Awareness

Maintaining situational awareness of what is happening within a computer network is challenging, not least because the behaviour happens within computers and communications networks, but also because data traffic speeds and volumes are beyond human ability to process. Visualisation techniques are widely used to present information about the dynamics of network traffic. Although they provide operators with an overall view and specific information about particular traffic or attacks on the network, they often still fail to represent the events in an understandable way. Also, visualisations require visual attention and so are not well suited to continuous monitoring scenarios in which network administrators must carry out other tasks. Situational awareness is critical and essential for decision-making in the domain of computer network monitoring where it is vital to be able to identify and recognise network environment behaviours. This thesis presents SoNSTAR (Sonification of Networks for SiTuational AwaReness), a real-time sonification system to be used in the monitoring of computer networks to support the situational awareness of network administrators. Together with a new way of reducing traffic complexity, called “IP flow”, SoNSTAR provides an auditory representation of all the TCP/IP protocol traffic within a network based on the different traffic flows between network hosts. SoNSTAR narrows the gap between network administrators and the cyber environment so they can more quickly recognise and learn about the way the traffic flows within their network behave and change. SoNSTAR raises situational awareness levels for computer network defence by allowing operators to achieve better understanding and performance while imposing less workload compared to visual techniques. SoNSTAR identifies the features of network traffic flows by inspecting the status flags of TCP/IP packet headers. Different combinations of these features define particular traffic events. These events are mapped to recorded sounds to generate a soundscape that represents the real-time status of the network traffic environment. Listening to the sequence, timing, and loudness of the different sounds within the soundscape allows the network administrator to monitor the network and recognise anomalous behaviour quickly, without having to continuously look at a computer screen. Evaluation showed that operators were able to monitor and recognise network attacks better with SoNSTAR than with Snort, a leading visual intrusion detection system, and with lower reported cognitive workloads. Accuracy of recognition was highest when using both Snort and SoNSTAR together (97.14%). The results clearly show that accuracy improved when using sonification. When using sonification, the mental and perceptual workloads required were less than when using visualisation alone (45% vs. 58%). The pressure participants felt due to the pace of the monitoring task was less when using SoNSTAR (31% vs. 65%). Frustration rate showed improvement when using SoNSTAR (36% vs. 71%). The very act of listening to the traffic generates a fast discovery process leading to new knowledge of malicious behaviours that is not possible with current algorithmic approaches. SoNSTAR enabled the user to explore distributed, parallel and horizontal behaviours that are similar to normal behaviours. An experiment using the 11.39 GiB ISOT Botnet Dataset, containing labelled botnet traffic data, compared the SoNSTAR system with three leading machine learning-based traffic classifiers in a botnet activity detection test. SoNSTAR demonstrated greater accuracy (99.92%), precision (97.1%) and recall (99.5%) and much lower false positive rates (0.007%) than the other techniques. The knowledge generated about characteristic botnet behaviours could be used in the development of future IDSs

Evaluation results.

<p>Evaluation results.</p

Virtual network environment.

<p>The virtual network environment design used in the experiment.</p

Feature combinations.

<p>Feature combinations.</p

Conflation of multiple traffic flows to one IP flow.

<p>Seven traffic flows between different ports on the same sending and receiving hosts are reduced to a single IP flow.</p

Additional SoNSTAR evaluation (preference results).

<p>Additional SoNSTAR evaluation (preference results).</p

Horrible to fantastic evaluation.

<p>Horrible to fantastic evaluation.</p