User profiling from network traffic via novel application-level interactions

Abstract

Insider misuse has become a significant issue for organisations. Traditional information security has focussed upon threats from the outside rather than employees. A wide range of research has been undertaken to develop approaches to detect the insider - often referred to as Data Loss Prevention (DLP) tools. Unfortunately, the fundamental limitation of these tools is that they provide information resolved to IP addresses rather than people. This assumes the IP is static and linkable to an individual, which is often not the case. IPs are increasingly unreliable due to the mobile natural of devices and the dynamic allocation of IP addresses. This paper builds upon prior work to propose and investigate a biometric-based behavioural profile created from a novel feature extraction process that identifies user's application-level interactions (e.g. not simply that they are accessing Facebook but whether they are posting, reading or watching a video) from raw network traffic metadata. It also proceeds to describe various types of user's interactions that can be derived from applications. Validation of the model was conducted by collecting 62 GBs of metadata over a 2 months period from 27 participants. The average results of identifying users at first rank in the top three applications Skype, Hotmail and BBC are scored 98.1%, 96.2% and 81.8% respectively.