Visualisation of network forensics traffic data with a self-organising map for qualitative features

Palomo, Esteban J.; North, John; Elizondo, David; Luque, Rafael Marcos; Watson, Tim

doi:10.1109/ijcnn.2011.6033434

Cited by 8 publications

(3 citation statements)

References 10 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Similarly, Palomo et al (2011) focussed upon the analysis and visualisation of network traffic data via the use of SOM to identify abnormal behaviour or intrusions. For their experiment, a dataset with 150,871 packet samples was created by monitoring a university network via WireShark during a four-day period; each sample contained nine features, including the IP addresses of source and destination, port numbers, protocol type, date and time stamps, and packet length.…”

Section: Related Workmentioning

confidence: 99%

A suspect-oriented intelligent and automated computer forensic analysis

Fahdi

Clarke

et al. 2016

Digital Investigation

View full text Add to dashboard Cite

Computer forensics faces a range of challenges due to the widespread use of computing technologies. Examples include the increasing volume of data and devices that need to be analysed in any single case, differing platforms, use of encryption and new technology paradigms (such as cloud computing and the Internet of Things). Automation within forensic tools exists, but only to perform very simple tasks, such as data carving and file signature analysis. Investigators are responsible for undertaking the cognitively challenging and time-consuming process of identifying relevant artefacts. Due to the volume of cyber-dependent (e.g., malware and hacking) and cyber-enabled (e.g., fraud and online harassment) crimes, this results in a large backlog of cases. With the aim of speeding up the analysis process, this paper investigates the role that unsupervised pattern recognition can have in identifying notable artefacts. A study utilising the Self-Organising Map (SOM) to automatically cluster notable artefacts was devised using a series of four cases. Several SOMs were created – a File List SOM containing the metadata of files based upon the file system, and a series of application level SOMs based upon metadata extracted from files themselves (e.g., EXIF data extracted from JPEGs and email metadata extracted from email files). A total of 275 sets of experiments were conducted to determine the viability of clustering across a range of network configurations. The results reveal that more than 93.5% of notable artefacts were grouped within the rank-five clusters in all four cases. The best performance was achieved by using a 10 × 10 SOM where all notables were clustered in a single cell with only 1.6% of the non-notable artefacts (noise) being present, highlighting that SOM-based analysis does have the potential to cluster notable versus noise files to a degree that would significantly reduce the investigation time. Whilst clustering has proven to be successful, operationalizing it is still a challenge (for example, how to identify the cluster containing the largest proportion of notables within the case). The paper continues to propose a process that capitalises upon SOM and other parameters such as the timeline to identify notable artefacts whilst minimising noise files. Overall, based solely upon unsupervised learning, the approach is able to achieve a recall rate of up to 93%. © 2016 Elsevier Lt

show abstract

Section: Related Workmentioning

confidence: 99%

A suspect-oriented intelligent and automated computer forensic analysis

Fahdi

Clarke

et al. 2016

Digital Investigation

View full text Add to dashboard Cite

show abstract

“…Once that issue is resolved and the raw files are collected and duplicates are obtained, the forensic investigator can proceed at a pace which allows for appropriate diligence and care. The investigator begins by importing a toolset which allows for brute force password cracking [11]. After access is obtained, the file and directory structure is reconstructed onto the desktop of the workstation.…”

Section: Container and Vm Forensicsmentioning

confidence: 99%

Container and VM Visualization for Rapid Forensic Analysis

Shropshire

Benton

2020

Proceedings of the Annual Hawaii International Conference on System Sciences

View full text Add to dashboard Cite

Most cloud security incidents are initially detected by automated monitoring tools. Because they are tuned to minimize the risk of false-negative errors, these tools cast a wide net of suspicion. Depending on the scale of the incident, the automated tools may implicate rather long lists of VMs and containers. Hence, this study proposes a new intermediate step aimed at reducing the number of VMs and containers awaiting forensic investigation. The proposed method renders two-dimensional visualizations of container contents and virtual machine disk images. The visualizations can be used to fingerprint container / VM contents, pinpoint instances of embedded malware, and find modified code. The proof of concept is evaluated in a pilot study. The results indicate that it shows promise. Implications and future research directions are also described.

show abstract

“…However, this approach focusses on the extraction of evidence rather than the visualisation of the social networks discovered. Palomo et al (2011) focus on the visualisation of network traffic through self-organising maps to identify anomalous behaviour or system intrusions. However, this approach focusses on the identification and visualisation of network artefacts, such as source ports, destination addresses, protocols, etc.…”

Section: Email Network Narrativesmentioning

confidence: 99%

Forensic triage of email network narratives through visualisation

Haggerty

Taylor

2014

Information Management &Amp; Computer Security

View full text Add to dashboard Cite

Purpose – The purpose of this paper is to propose a novel approach that automates the visualisation of both quantitative data (the network) and qualitative data (the content) within emails to aid the triage of evidence during a forensics investigation. Email remains a key source of evidence during a digital investigation, and a forensics examiner may be required to triage and analyse large email data sets for evidence. Current practice utilises tools and techniques that require a manual trawl through such data, which is a time-consuming process. Design/methodology/approach – This paper applies the methodology to the Enron email corpus, and in particular one key suspect, to demonstrate the applicability of the approach. Resulting visualisations of network narratives are discussed to show how network narratives may be used to triage large evidence data sets. Findings – Using the network narrative approach enables a forensics examiner to quickly identify relevant evidence within large email data sets. Within the case study presented in this paper, the results identify key witnesses, other actors of interest to the investigation and potential sources of further evidence. Practical implications – The implications are for digital forensics examiners or for security investigations that involve email data. The approach posited in this paper demonstrates the triage and visualisation of email network narratives to aid an investigation and identify potential sources of electronic evidence. Originality/value – There are a number of network visualisation applications in use. However, none of these enable the combined visualisation of quantitative and qualitative data to provide a view of what the actors are discussing and how this shapes the network in email data sets.

show abstract

Visualisation of network forensics traffic data with a self-organising map for qualitative features

Cited by 8 publications

References 10 publications

A suspect-oriented intelligent and automated computer forensic analysis

A suspect-oriented intelligent and automated computer forensic analysis

Container and VM Visualization for Rapid Forensic Analysis

Forensic triage of email network narratives through visualisation

Contact Info

Product

Resources

About