
dc.contributor.author: Alotibi, G
dc.contributor.author: Clarke, Nathan
dc.contributor.author: Li, F
dc.contributor.author: Furnell, S
dc.date.accessioned: 2022-04-25T11:03:26Z
dc.date.available: 2022-04-25T11:03:26Z
dc.date.issued: 2016-12
dc.identifier.issn: 2046-3359
dc.identifier.uri: http://hdl.handle.net/10026.1/19065
dc.description.abstract:

Insider misuse has become a major threat to many organisations. This is due to the knowledge that insiders might have about the organisation's security infrastructure. Therefore, a wide range of technologies have been developed to detect/prevent insider misuse. Beyond detecting, there is a need to investigate the misuse and identify the individual perpetrating the crime. From a networking perspective, investigations currently rely upon analysing traffic based upon two approaches: a packet-based approach and a flow-based approach. However, a serious limitation in these approaches is the use of IP addresses to link the misuse to the individual. However, IP addresses are often not reliable because of the mobile nature of use (i.e. mobile devices are continually connecting and disconnecting to networks, resulting in a device being given a multitude of different IP addresses over time). The presence of DHCP only serves to complicate this for wired environments. This makes it challenging to identify the individual or individuals responsible for the misuse. This paper aims to propose a novel approach that is able to identify users using encrypted network traffic. A novel feature extraction process is proposed that is based upon deriving user actions from network-based applications using packet metadata only. This information is subsequently used to develop biometric-based behavioural profiles. An experiment using 27 participants and 2 months' worth of network data is undertaken and shows that users are identifiable with individual applications, resulting in recognition rates of up to 100%.

dc.format.extent: 103-112
dc.language.iso: en
dc.publisher: Infonomics Society
dc.title: Identifying Users by Network Traffic Metadata
dc.type: journal-article
plymouth.issue: 2
plymouth.volume: 4
plymouth.publication-status: Published online
plymouth.journal: International Journal of Chaotic Computing
dc.identifier.doi: 10.20533/ijcc.2046.3359.2016.0013
plymouth.organisational-group: /Plymouth
plymouth.organisational-group: /Plymouth/Faculty of Science and Engineering
plymouth.organisational-group: /Plymouth/Faculty of Science and Engineering/School of Engineering, Computing and Mathematics
plymouth.organisational-group: /Plymouth/REF 2021 Researchers by UoA
plymouth.organisational-group: /Plymouth/REF 2021 Researchers by UoA/UoA11 Computer Science and Informatics
plymouth.organisational-group: /Plymouth/Users by role
plymouth.organisational-group: /Plymouth/Users by role/Academics
dcterms.dateAccepted: 2016-01-01
dc.rights.embargodate: 2022-4-26
dc.identifier.eissn: 2046-3359
dc.rights.embargoperiod: Not known
rioxxterms.versionofrecord: 10.20533/ijcc.2046.3359.2016.0013
rioxxterms.licenseref.uri: http://www.rioxx.net/licenses/all-rights-reserved
rioxxterms.type: Journal Article/Review




All items in PEARL are protected by copyright law.
Author manuscripts deposited to comply with open access mandates are made available in accordance with publisher policies. Please cite only the published version using the details provided on the item record or document. In the absence of an open licence (e.g. Creative Commons), permissions for further reuse of content should be sought from the publisher or author.