Network traffic based computer system user identification Dr Zsolt Illési associate professor College of Dunaújváros Open Source Intelligence Areas of Development

Key Questions of Detection Provide Information About Who? (individual(s) involved) When? (timeline) What? (nature of events) Where? (scene) Why? (motivation) How? (used tools/ exploits) Open Source Intelligence Areas of Development

Incident Lifecycle Open Source Intelligence Areas of Development

Network Situational Awareness Cyber Attack Scenarios Situation-Aware and Context-Aware Network Applications CERTs and CSIRTs Security Event and Information Management Application Security, Audits and Penetration Testing Open Source Intelligence Areas of Development

Web Traffic Characterisation Intrusion Detection Systems Traffic Characterisation Techniques Web Analytics Security Incident Response Open Source Intelligence Areas of Development

Cyber Situational Awareness Tools & Techniques Fuzzy Logic Rough Set Artificial Neural Networks Artificial Intelligence Genetic Algorithm Evidence Theory (DST) Bayesian Networks & Set Theory Big Data Analytics Game Theory Graph Theory Open Source Intelligence Areas of Development

Identifying someone Prove that a signature is from a known person Prove that some network traffic is generated by a specific user Open Source Intelligence Areas of Development

Bayesian interpretation of network data Open Source Intelligence Areas of Development posterior knowledge new data prior knowledge posterior odds likehood ratio prior odds

Identification of WHO using a computer? (Assumptions) User(s) in action – one or more person – one or more computer system – carefully defined (limited) task performance Used network data – generic protocol data are available – payload (e.g. data) possibly encrypted Previous information (reference data model is available) Open Source Intelligence Areas of Development

Identification of WHO using a computer? (Tools) Network taps (specialised hardware or active network tool) Sniffers, and network traffic/data analysers (wireshark, tcpdump, tcpstat, tcptrace, CoralReef etc.) Scripting language for data pre-processing (Python, Pearl etc.) Number cruncher (Octave, Scilab, Matlab, Mathematica etc.) Open Source Intelligence Areas of Development

Identification of WHO using a computer? (Stages) Reference data network usage data collection (prior probability distribution) Definine the probability that a certain person (or computer system) uses the network (hypothesis testing; posterior distribution analysis) Open Source Intelligence Areas of Development

Identification of WHO using a computer? (Process) Raw network data collection Understand network data ( – packet sorting and analysis – data-flow and protocol statistics – network connection (source-destination pairing) Bayesian analysis (current data vs reference data) Open Source Intelligence Areas of Development

Pro’s and Con’s Constraints Single user No other (significant) interference to computer traffic (e.g background software activity) lack of adequate amount of reference data (directed network usage) Benefits 80%+ accuracy (pls consider the limitations!!!) Open Source Intelligence Areas of Development

Future development — Experiment Scope Greater reference data – number of persons – duration of network usage – mixed data with some other subjects Combine with logs (apply the results to log analisis fileld and enhance accuracy) Open Source Intelligence Areas of Development

Future Developments — Combined approach Hidden Markov model Gaussian mixture models Fuzzy Logic Artificial Neural Networks Data Mining Decision Trees Graph Theory etc. Open Source Intelligence Areas of Development