Identifying users and profiling their behaviour from generic network traffic is a critical step that allows an ISP or security administrator to make informed decisions about policing, traffic management, and enforcing the organisation's policy. Application usage trends are also significant for identifying and profiling a user, by analysing generic network traffic and extracting relevant features that represent the user's activity. However, user identification and behaviour profiling in real-time network management remains a challenge, because the behaviour and underlying interactions of network applications are constantly changing. In parallel, user behaviour also changes and adapts as the online interaction environment changes. A further challenge is how to fully describe user activity within generic network traffic so as to identify the user and their changing behaviour over time. In this paper, we propose a novel mechanism for user identification and behaviour profiling from generic network traffic. The research considers application-level flow sessions, identified using Domain Name System (DNS) filtering criteria and timing resolution bins, leading to an extended set of features. Validation of the module was conducted by collecting NetFlow records from nine users over a 60-day period. The Gradient Boosting supervised machine learning classifier was used to train and test the selected features. Across all ranks, the average results for identifying a user based on the proposed features range from 67-91%.

Published in: Internet Technology and Secured Transactions (ICITST-2018)

  • Date of Conference: 10-13 December 2018
  • DOI: 10.2053/ICITST.WorldCIS.WCST.WCICSS.2018.0005
  • ISBN: 978-1-908320-94-0
  • Conference Location: University of Cambridge, Churchill College
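The abstract's feature-building step (DNS-filtered application flows grouped into timing bins) can be pictured with the sketch below. It is an added example, not code from the paper: the record layouts, the one-hour DNS validity window, the 15-minute bin width, the use of the client IP as a stand-in for the user, and all sample data are assumptions made here.

```python
from collections import defaultdict

# Constructed sample data (not from the paper).
# DNS answers seen on the network: (timestamp_s, client_ip, queried_name, resolved_ip)
DNS_LOG = [
    (1000, "10.0.0.5", "mail.example.com", "198.51.100.10"),
    (1005, "10.0.0.5", "video.example.net", "203.0.113.20"),
    (4000, "10.0.0.6", "video.example.net", "203.0.113.20"),
]
# NetFlow-style records: (start_s, src_ip, dst_ip, bytes)
FLOWS = [
    (1001, "10.0.0.5", "198.51.100.10", 4_000),
    (1010, "10.0.0.5", "203.0.113.20", 900_000),
    (1900, "10.0.0.5", "203.0.113.20", 700_000),
    (4002, "10.0.0.6", "203.0.113.20", 50_000),
    (4100, "10.0.0.6", "192.0.2.99", 1_200),  # no matching DNS answer: filtered out
]

DNS_TTL_S = 3600  # assumed: how long a DNS answer may label later flows
BIN_S = 900       # assumed timing resolution: 15-minute bins


def label_flows(dns_log, flows, ttl=DNS_TTL_S):
    """Keep only flows whose (client, destination) matches a recent DNS answer,
    and attach the queried name as the application label."""
    answers = defaultdict(list)  # (client_ip, resolved_ip) -> [(ts, name)]
    for ts, client, name, ip in dns_log:
        answers[(client, ip)].append((ts, name))
    labelled = []
    for start, src, dst, nbytes in flows:
        recent = [(ts, n) for ts, n in answers.get((src, dst), [])
                  if 0 <= start - ts <= ttl]
        if recent:
            labelled.append((start, src, max(recent)[1], nbytes))  # latest answer wins
    return labelled


def build_features(labelled, bin_s=BIN_S):
    """Per (client, time bin): (flow count, byte total) for each application name."""
    feats = defaultdict(lambda: defaultdict(lambda: [0, 0]))
    for start, src, app, nbytes in labelled:
        cell = feats[(src, start // bin_s)][app]
        cell[0] += 1
        cell[1] += nbytes
    return {k: {a: tuple(v) for a, v in apps.items()} for k, apps in feats.items()}


if __name__ == "__main__":
    for key, apps in sorted(build_features(label_flows(DNS_LOG, FLOWS)).items()):
        print(key, apps)
```

Each resulting row, labelled with the known user, is the kind of input a supervised classifier such as Gradient Boosting would be trained and tested on.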