A visual analytics approach for the
cyber forensics based on different views of the network traffic 1Laboratory
of Computer Security Problems,
St. Petersburg Institute for Informatics and Automation (SPIIRAS), 39, 14 Liniya,
St. Petersburg, Russia {kotenko,kolomeec, chechulin}@comsec.spb.ru
2Saint-Petersburg
ITMO University, 49, Kronverksky Prospect, St.
Petersburg, Russia yannick.chevalier@gmail.com
Abstract Network forensics is based on the analysis of network traffic. Traffic analysis is a routine procedure, but it allows one to not only identify the cause of the security breach, but also step by step to recreate the whole picture of what happened. To analyze the traffic, investigators usually use Wireshark, a software that has the graphical interface and has greater capabilities for sorting and filtering packets. But even with it, packet analysis takes a lot of time. In this paper, we propose an approach for cyber forensics based on different views on the network traffic. Using this approach, it is possible to significantly improve the efficiency of forensic scientists, including the rapid localization of anomalies and, importantly, the creation of easily understandable graphical proofs and histories of computer attacks. The example of the investigation of the attack SSL-strip is a way to classify different views (slices) of traffic and a scheme for using for these slices different models of visualization. Also provides an assessment and recommendations for the application of visual analytics methods. Keywords: network
forensics, visual analytics, data visualization, traffic analysis, +: Corresponding author: Igor Kotenko Tel: +7(812)
328-71-81, Web: http://www.comsec.spb.ru/ Journal of Wireless Mobile
Networks, Ubiquitous Computing, and Dependable Applications (JoWUA) Vol. 9, No. 2, pp. 57-73, June 2018 [pdf] |