Traffic Classification and Application Identification in Network Forensics
Advances in Digital Forensics XIV
Conference Papers, Year: 2018


Abstract

Network traffic classification is an absolute necessity for network monitoring, security analysis and digital forensics. Without accurate traffic classification, the computational demands imposed by analyzing all the IP traffic flows are enormous. Classification can also reduce the number of flows that need to be examined and prioritized for analysis in forensic investigations. This chapter presents an automated feature elimination method based on a feature correlation matrix. Additionally, it proposes an enhanced statistical protocol identification method, which is compared against Bayesian network and random forests classification methods that offer high accuracy and acceptable performance. Each classification method is used with the subset of features that best suits the method. The methods are evaluated based on their ability to identify the application layer protocols and the applications themselves. Experiments demonstrate that the random forests classifier yields the most promising results, whereas the proposed enhanced statistical protocol identification method provides an interesting trade-off between higher performance and slightly lower accuracy.
Main file: 472401_1_En_10_Chapter.pdf (300.09 KB)
Origin: Files produced by the author(s)

Dates and versions

hal-01988838, version 1 (22-01-2019)

Cite

Jan Pluskal, Ondrej Lichtner, Ondrej Rysavy. Traffic Classification and Application Identification in Network Forensics. 14th IFIP International Conference on Digital Forensics (DigitalForensics), Jan 2018, New Delhi, India. pp.161-181, ⟨10.1007/978-3-319-99277-8_10⟩. ⟨hal-01988838⟩