The source IP address where an offending activity had originated is of limited value because it does not specify a physical location, but an endpoint in a network for the sole purpose of routing. In addition, people and their devices move across the network, changing IP address as a consequence. It is useful to have some clues about where a device was at the time the offending action was performed. However, it would be desirable to correlate different pieces of evidence to discover other information, such as IP addresses used by the same device. Devices repeatedly accessing a private network, at different times, can be profiled by analyzing and correlating Network and Port Address Translation (NAPT) logs, in order to recognize recurring activity patterns. By mapping sequences of NAPT translations into multi-dimensional curves and computing a similarity measure on these, it is possible to group multiple different curves into common sets or profiles, that can be ascribed to individual users/machines. In this way, it is possible to recognize some of the users from their traffic peculiarities (browsing habits, mail access, network traffic generated by specific applications, etc.) without considering the exposed IP addresses. Experiments were performed on NAPT logs gathered in a campus network, with DHCP data providing control values for validation. © 2012 IEEE.

Device tracking in private networks via NAPT log analysis

Castiglione, Aniello;Fiore, Ugo;
2012-01-01

Abstract

The source IP address where an offending activity had originated is of limited value because it does not specify a physical location, but an endpoint in a network for the sole purpose of routing. In addition, people and their devices move across the network, changing IP address as a consequence. It is useful to have some clues about where a device was at the time the offending action was performed. However, it would be desirable to correlate different pieces of evidence to discover other information, such as IP addresses used by the same device. Devices repeatedly accessing a private network, at different times, can be profiled by analyzing and correlating Network and Port Address Translation (NAPT) logs, in order to recognize recurring activity patterns. By mapping sequences of NAPT translations into multi-dimensional curves and computing a similarity measure on these, it is possible to group multiple different curves into common sets or profiles, that can be ascribed to individual users/machines. In this way, it is possible to recognize some of the users from their traffic peculiarities (browsing habits, mail access, network traffic generated by specific applications, etc.) without considering the exposed IP addresses. Experiments were performed on NAPT logs gathered in a campus network, with DHCP data providing control values for validation. © 2012 IEEE.
2012
9780769546841
File in questo prodotto:
Non ci sono file associati a questo prodotto.

I documenti in IRIS sono protetti da copyright e tutti i diritti sono riservati, salvo diversa indicazione.

Utilizza questo identificativo per citare o creare un link a questo documento: https://hdl.handle.net/11367/64109
Citazioni
  • ???jsp.display-item.citation.pmc??? ND
  • Scopus 8
  • ???jsp.display-item.citation.isi??? ND
social impact