Enabling the Non-Expert Analysis of Large Volumes of Intercepted Network Traffic

Authors: van de Weil, Erwin; Scanlon, Mark and Le-Khac, Nhien-An

Publication Date: August 2018

Publication Name: Advances in Digital Forensics XIV

Abstract:

In criminal investigations, telecommunication wiretaps have become a common technique used by law enforcement. While phone-based wiretapping is well documented and the procedures for its execution are well known, the same cannot be said for Internet taps. Lawfully intercepted network traffic often contains a great deal of encrypted traffic, making it increasingly difficult to find useful information inside the captured traffic. The advent of the Internet of Things further complicates the process for non-technical investigators. The current level of complexity of intercepted network traffic is close to a point where the data cannot be analysed without the supervision of a digital investigator with advanced network knowledge. Current investigations focus on analysing all traffic in chronological order and are predominantly conducted on the data contents of the intercepted traffic. This approach often becomes overly arduous when the amount of data to be analysed is very large. In this paper, we propose a novel approach to analysing large amounts of intercepted network traffic based on network metadata. Our approach significantly reduces the duration of the analysis and also gives the non-technical investigator an insightful view of the analysis results. We also test our approach on a large sample of network traffic data.

BibTeX Entry:

@Inbook{vandeWeil2018NetworkIntell,
author="van de Weil, Erwin and Scanlon, Mark and Le-Khac, Nhien-An",
editor="Peterson, Gilbert and Shenoi, Sujeet",
title="Enabling the Non-Expert Analysis of Large Volumes of Intercepted Network Traffic",
booktitle="Advances in Digital Forensics XIV",
year="2018",
month="08",
publisher="Springer",
address="Cham",
pages="183--197",
isbn="978-3-319-99276-1",
doi="10.1007/978-3-319-99277-8_11",
url="https://forensicsandsecurity.com/papers/NetworkIntell.php",
chapter="11",
abstract="In criminal investigations, telecommunication wiretaps have become a common technique used by law enforcement. While phone-based wiretapping is well documented and the procedures for its execution are well known, the same cannot be said for Internet taps. Lawfully intercepted network traffic often contains a great deal of encrypted traffic, making it increasingly difficult to find useful information inside the captured traffic. The advent of the Internet of Things further complicates the process for non-technical investigators. The current level of complexity of intercepted network traffic is close to a point where the data cannot be analysed without the supervision of a digital investigator with advanced network knowledge. Current investigations focus on analysing all traffic in chronological order and are predominantly conducted on the data contents of the intercepted traffic. This approach often becomes overly arduous when the amount of data to be analysed is very large. In this paper, we propose a novel approach to analysing large amounts of intercepted network traffic based on network metadata. Our approach significantly reduces the duration of the analysis and also gives the non-technical investigator an insightful view of the analysis results. We also test our approach on a large sample of network traffic data."
}