Traffic Flow Classification and Visualization for Network Forensic Analysis

Nuttachot Promrit, A. Mingkhwan
DOI: 10.1109/AINA.2015.207 (https://doi.org/10.1109/AINA.2015.207)
Venue: 2015 IEEE 29th International Conference on Advanced Information Networking and Applications Workshops, pp. 358-364
Publication date: 2015-03-24
Citation count: 12
Record source: Semantic Scholar

Abstract

This paper presents an iterative visualization technique, combining a timeline and parallel coordinates, to illustrate network communication for forensic analysis. In the primary analysis process, the timeline of events is reconstructed from traffic logs, and an analyst can track related anomalous events on demand. In addition, the details of abnormal and normal activities are shown across multiple dimensions of parallel coordinates. The novelty of this research is not the presentation of the timeline and parallel coordinates techniques themselves, but an iterative visualization framework that illustrates both anomalous traffic and application traffic patterns. We applied frequent item-set mining to search for dominant traffic flows and classified them by traffic flow shape and entropy. Although some studies have applied frequent item-set mining to traffic datasets, to our knowledge this is the first research to 1) take advantage of frequent item-set mining together with parallel coordinates, which allows us to find both anomalous traffic and application traffic and makes the patterns of traffic flow easy to understand through multi-dimensional visualization, and 2) classify application traffic from the entropy values of the traffic flows discovered by frequent item-set mining. This method is able to classify encrypted traffic and does not violate user privacy. The results of this research and the development of a visual network communication tool can: 1) show abnormal and normal communication activities, 2) classify application traffic with 92% accuracy, and 3) provide a visual network communication prototype that helps an analyst find the cause of a network malfunction.