Asynchronous Record Alignment of Network Flows for Incident Detection and Reconstruction

Authors

  • Virgilijus Krinickij Vilnius University, Vilnius, Lithuania https://orcid.org/0009-0005-8248-5690
  • Linas Bukauskas Institute of Computer Science, Vilnius University, Vilnius, Lithuania

DOI:

https://doi.org/10.34190/eccws.23.1.2254

Keywords:

Cybersecurity, networks, flow, incident, detection

Abstract

In today's interconnected digital landscape, the distribution of cyber threats presents a significant challenge to cyber security. Moreover, as of 2016 the volume of data in the world exceeds one zettabyte. Evidence-based network flow analytics is therefore a critical component of modern network management and security. Problems such as anomalies in the network flow, cyber security incidents, alert generation, data pre-processing, network monitoring, network flow complexity, and data flow patterns become difficult to detect in massive network data flows. These problems can be addressed using packet capture (PCAP). PCAP analysis is a standard network forensics and investigation process for assessing network behaviour and identifying anomalies. This work presents a method for analysing network flows to find a probable alignment of asynchronously recorded communications in heterogeneous networks. Using the proposed alignment method, we can identify the relevant recordings aligned across two data streams, enabling faster and more conclusive incident analysis. We use synthetic network incident scenarios for the experiments, detailing the generation of cyber event data and its impact on cloud network traffic, followed by in-depth PCAP analysis. Automated cyber-attacks are simulated within a network infrastructure, generating network flows in PCAP format. The simulated attacks range from standard port scans and service scans to specific scenarios such as SQL injection, phishing, DoS and DDoS. We define analysis objectives and criteria for the in-depth PCAP analysis and alignment. The evidence gathered provides valuable information about network data flow and its behaviour.
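As an added illustration (not code from the paper or its authors), the following Python sketch shows the basic problem the abstract describes: two sensors record the same traffic with unsynchronised clocks, one of them misses some packets, and a plausible alignment has to be recovered before the two recordings can be read as a single incident timeline. The packet records, sensor names, IP addresses and the 3.25 s clock skew are all constructed; matching on the 5-tuple plus IP identification field and taking the median timestamp difference is a simple generic approach chosen for the example, not the method proposed in the paper.

```python
"""Align two asynchronously recorded packet captures by estimating clock offset.

Constructed illustration: sensor A is treated as the reference clock, sensor B's
clock runs ahead and B dropped one packet. Packets are matched across the two
streams by a content key, the clock offset is estimated as the median of the
per-match timestamp differences, and both streams are merged onto A's clock.
"""
from dataclasses import dataclass
from statistics import median
from typing import Optional


@dataclass(frozen=True)
class Record:
    ts: float       # capture timestamp in seconds, in the sensor's own clock
    src: str
    dst: str
    sport: int
    dport: int
    ip_id: int      # IP identification field, distinguishes packets of one flow

    def key(self) -> tuple:
        # Content key that survives a change of capture point. It does not
        # survive NAT (addresses/ports rewritten); TCP sequence numbers would
        # be a more robust key for TCP-only traffic.
        return (self.src, self.dst, self.sport, self.dport, self.ip_id)


# Constructed sample: sensor A sees the whole scan burst and one reply.
SENSOR_A = [
    Record(100.000, "10.0.0.5", "10.0.0.9", 41000, 22, 1001),
    Record(100.010, "10.0.0.5", "10.0.0.9", 41001, 80, 1002),
    Record(100.020, "10.0.0.5", "10.0.0.9", 41002, 443, 1003),
    Record(100.030, "10.0.0.5", "10.0.0.9", 41003, 3306, 1004),
    Record(100.040, "10.0.0.9", "10.0.0.5", 3306, 41003, 7001),
]

# Constructed sample: sensor B's clock is 3.250 s ahead, it dropped ip_id 1003,
# one packet reached it 12 ms late, and it saw a reply that A never saw.
SENSOR_B = [
    Record(103.250, "10.0.0.5", "10.0.0.9", 41000, 22, 1001),     # delta 3.250
    Record(103.260, "10.0.0.5", "10.0.0.9", 41001, 80, 1002),     # delta 3.250
    Record(103.292, "10.0.0.5", "10.0.0.9", 41003, 3306, 1004),   # delta 3.262
    Record(103.290, "10.0.0.9", "10.0.0.5", 3306, 41003, 7001),   # delta 3.250
    Record(103.300, "10.0.0.9", "10.0.0.5", 3306, 41003, 7002),   # B only
]


def estimate_offset(stream_a, stream_b, min_matches: int = 3) -> Optional[tuple]:
    """Return (offset_of_b_relative_to_a, number_of_matches), or None if the
    two streams share too few packets to align with any confidence.

    The median is used rather than the mean so that a few packets that were
    queued or routed differently do not drag the estimate."""
    index = {}
    for rec in stream_a:
        index.setdefault(rec.key(), rec)      # first occurrence of a key wins
    deltas = [rec.ts - index[rec.key()].ts for rec in stream_b if rec.key() in index]
    if len(deltas) < min_matches:
        return None
    return median(deltas), len(deltas)


def align(stream_a, stream_b):
    """Merge both streams onto sensor A's clock.

    Returns (offset, timeline) where timeline is a sorted list of
    (corrected_ts, tag, key); tag is "A", "B" (seen by both) or "B-only"."""
    est = estimate_offset(stream_a, stream_b)
    if est is None:
        raise ValueError("not enough overlapping packets to align the streams")
    offset, _ = est
    seen_in_a = {rec.key() for rec in stream_a}
    timeline = [(round(rec.ts, 3), "A", rec.key()) for rec in stream_a]
    for rec in stream_b:
        tag = "B" if rec.key() in seen_in_a else "B-only"
        timeline.append((round(rec.ts - offset, 3), tag, rec.key()))
    timeline.sort()
    return offset, timeline


if __name__ == "__main__":
    offset, timeline = align(SENSOR_A, SENSOR_B)
    print(f"estimated offset of B relative to A: {offset:.3f} s")
    for ts, tag, key in timeline:
        print(f"{ts:8.3f}  {tag:6s}  {key}")
```

Before trusting an alignment in a real investigation, check the number of matches returned by `estimate_offset` against the size of the overlap you expect, and remember that the key used here collides when the IP identification field is reused or zeroed and breaks entirely across a NAT boundary.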

Author Biographies

Virgilijus Krinickij, Vilnius University, Vilnius, Lithuania

Virgilijus Krinickij is currently a PhD student, junior assistant and member of the cybersecurity laboratory at the Institute of Computer Science, Vilnius University. His skills and research interests include cybersecurity, web development and automation.

Linas Bukauskas, Institute of Computer Science, Vilnius University, Vilnius, Lithuania

Linas Bukauskas has a PhD in computer science from Aalborg University, Denmark. Currently, he is the head of the cybersecurity laboratory at the Institute of Computer Science, Vilnius University. His research interests are cybersecurity, defence systems, digital forensics, algorithm efficiency, and machine learning.

Published

2024-06-21