Device Tracking in Private Networks via NAPT Log Analysis

The source IP address from which an offending activity originated is of limited value: it does not identify a physical location, only an endpoint that exists in a network for the sole purpose of routing. In addition, people and their devices move across the network and change IP address as a consequence. It is useful to have some clues about where a device was at the time the offending action was performed, but it would be even more desirable to correlate different pieces of evidence to discover further information, such as the other IP addresses used by the same device. Devices that repeatedly access a private network at different times can be profiled by analyzing and correlating Network and Port Address Translation (NAPT) logs in order to recognize recurring activity patterns. By mapping sequences of NAPT translations into multi-dimensional curves and computing a similarity measure on them, it is possible to group multiple distinct curves into common sets, or profiles, which can be ascribed to individual users or machines. In this way some users can be recognized from the peculiarities of their traffic (browsing habits, mail access, network traffic generated by specific applications, etc.) without considering the exposed IP addresses. Experiments were performed on NAPT logs gathered in a campus network, with DHCP data providing the control values used for validation.
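The following is an added example of the pipeline the abstract describes; it is constructed for illustration and is not the paper's implementation. The abstract does not name the curve coordinates, the similarity measure, or the log format, so this example assumes a hypothetical NAPT line format, maps each translation to the point (time of day in hours, log2 of destination port), uses the discrete Fréchet distance as the similarity measure, groups curves by a distance threshold, and checks the resulting profiles against constructed DHCP leases standing in for the control values.

```python
"""Profile devices from NAPT translation logs by curve similarity.

Constructed example (not from the paper): every (day, internal IP) pair
observed in the NAPT log yields a sequence of translations, which is mapped
to a polyline in feature space.  Polylines are compared with the discrete
Frechet distance; close polylines are grouped into one profile, and each
profile is checked against DHCP lease data used as ground truth.
"""
import math
import re
from collections import defaultdict

# Constructed NAPT log lines in a hypothetical format:
# <day> <hh:mm:ss> <internal ip:port> -> <public ip:port> <destination ip:port>
NAPT_LOG = """\
d1 08:00:05 10.0.0.5:51000 -> 203.0.113.1:40001 198.51.100.10:993
d1 08:00:20 10.0.0.5:51001 -> 203.0.113.1:40002 198.51.100.20:443
d1 08:01:10 10.0.0.5:51002 -> 203.0.113.1:40003 198.51.100.30:80
d1 08:02:30 10.0.0.5:51003 -> 203.0.113.1:40004 198.51.100.40:5223
d1 09:15:00 10.0.0.9:52000 -> 203.0.113.1:40005 198.51.100.50:22
d1 09:16:00 10.0.0.9:52001 -> 203.0.113.1:40006 198.51.100.60:22
d1 09:20:00 10.0.0.9:52002 -> 203.0.113.1:40007 198.51.100.70:443
d2 08:00:07 10.0.0.12:51000 -> 203.0.113.1:40008 198.51.100.10:993
d2 08:00:25 10.0.0.12:51001 -> 203.0.113.1:40009 198.51.100.21:443
d2 08:01:05 10.0.0.12:51002 -> 203.0.113.1:40010 198.51.100.31:80
d2 08:02:40 10.0.0.12:51003 -> 203.0.113.1:40011 198.51.100.41:5223
d2 09:14:30 10.0.0.7:52000 -> 203.0.113.1:40012 198.51.100.51:22
d2 09:16:10 10.0.0.7:52001 -> 203.0.113.1:40013 198.51.100.61:22
d2 09:21:00 10.0.0.7:52002 -> 203.0.113.1:40014 198.51.100.71:443
"""

# Constructed DHCP leases, (day, internal ip) -> MAC: the control values.
DHCP_LEASES = {("d1", "10.0.0.5"): "aa:aa", ("d2", "10.0.0.12"): "aa:aa",
               ("d1", "10.0.0.9"): "bb:bb", ("d2", "10.0.0.7"): "bb:bb"}

LINE = re.compile(r"(\S+) (\d\d):(\d\d):(\d\d) (\S+):\d+ -> \S+ \S+:(\d+)$")

# Two curves closer than this (in feature units) are put in the same profile.
THRESHOLD = 0.5


def parse_sessions(log):
    """Group translations into per-(day, internal IP) point sequences."""
    sessions = defaultdict(list)
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        day, hh, mm, ss, src_ip, dport = m.groups()
        hours = int(hh) + int(mm) / 60 + int(ss) / 3600
        # Feature point: time of day in hours, destination port on a log scale.
        sessions[(day, src_ip)].append((hours, math.log2(int(dport))))
    return dict(sessions)


def discrete_frechet(p, q):
    """Discrete Frechet distance between polylines p and q (lists of points)."""
    n, m = len(p), len(q)
    ca = [[0.0] * m for _ in range(n)]
    ca[0][0] = math.dist(p[0], q[0])
    for i in range(1, n):
        ca[i][0] = max(ca[i - 1][0], math.dist(p[i], q[0]))
    for j in range(1, m):
        ca[0][j] = max(ca[0][j - 1], math.dist(p[0], q[j]))
    for i in range(1, n):
        for j in range(1, m):
            step = min(ca[i - 1][j], ca[i - 1][j - 1], ca[i][j - 1])
            ca[i][j] = max(step, math.dist(p[i], q[j]))
    return ca[n - 1][m - 1]


def build_profiles(sessions, threshold=THRESHOLD):
    """Greedy single-linkage grouping: a session joins the first profile
    containing a curve within `threshold`, otherwise it starts a new one."""
    profiles = []  # each profile is a list of session keys
    for key, curve in sessions.items():
        for profile in profiles:
            if any(discrete_frechet(curve, sessions[k]) <= threshold
                   for k in profile):
                profile.append(key)
                break
        else:
            profiles.append([key])
    return profiles


def profile_purity(profiles, leases):
    """Fraction of profiles whose sessions all map to a single DHCP MAC."""
    pure = sum(1 for p in profiles if len({leases[k] for k in p}) == 1)
    return pure / len(profiles)


if __name__ == "__main__":
    sessions = parse_sessions(NAPT_LOG)
    profiles = build_profiles(sessions)
    for i, p in enumerate(profiles):
        print(f"profile {i}: {p} -> MACs {sorted({DHCP_LEASES[k] for k in p})}")
    print("purity against DHCP:", profile_purity(profiles, DHCP_LEASES))
```

The two constructed devices change internal address between days, yet their morning mail/web/push pattern and their later SSH pattern each land in one profile, which is the effect the abstract describes. The feature scaling (hours against log2 of port) and the threshold are assumptions; on real logs both would need calibrating against the DHCP control set, since a threshold too loose merges unrelated users and one too tight splits a single device into several profiles.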
