A visual analytics approach for the cyber forensics based on

different views of the network traffic

Igor Kotenko1,2+, Maxim Kolomeets1,2, Andrey Chechulin1,2, and Yannick Chevalier2

 

1Laboratory of Computer Security Problems, St. Petersburg Institute for Informatics and Automation

(SPIIRAS), 39, 14 Liniya, St. Petersburg, Russia

{kotenko,kolomeec, chechulin}@comsec.spb.ru

2Saint-Petersburg ITMO University, 49, Kronverksky Prospect, St. Petersburg, Russia

yannick.chevalier@gmail.com

 

Abstract

Network forensics is based on the analysis of network traffic. Traffic analysis is a routine procedure, but it allows one to not only identify the cause of the security breach, but also step by step to recreate the whole picture of what happened. To analyze the traffic, investigators usually use Wireshark, a software that has the graphical interface and has greater capabilities for sorting and filtering packets. But even with it, packet analysis takes a lot of time. In this paper, we propose an approach for cyber forensics based on different views on the network traffic. Using this approach, it is possible to significantly improve the efficiency of forensic scientists, including the rapid localization of anomalies and, importantly, the creation of easily understandable graphical proofs and histories of computer attacks. The example of the investigation of the attack SSL-strip is a way to classify different views (slices) of traffic and a scheme for using for these slices different models of visualization. Also provides an assessment and recommendations for the application of visual analytics methods.

 

Keywords: network forensics, visual analytics, data visualization, traffic analysis,
cyber-attack investigation.

 

+: Corresponding author: Igor Kotenko

Tel: +7(812) 328-71-81, Web: http://www.comsec.spb.ru/
 

Journal of Wireless Mobile Networks, Ubiquitous Computing, and Dependable Applications (JoWUA)

Vol. 9, No. 2, pp. 57-73, June 2018 [pdf]