Interactive Sonification of Network Traffic to support Cyber Security Situational Awareness

Debashi, Mohamed (2018) Interactive Sonification of Network Traffic to support Cyber Security Situational Awareness. Doctoral thesis, Northumbria University.

Preview

Text (Doctoral thesis) Debashi.Mohamed_phd.pdf - Submitted Version Download (4MB) | Preview

Abstract

Maintaining situational awareness of what is happening within a computer network is challenging, not least because the behaviour happens within computers and communications networks, but also because data traffic speeds and volumes are beyond human ability to process. Visualisation techniques are widely used to present information about the dynamics of network traffic. Although they provide operators with an overall view and specific information about particular traffic or attacks on the network, they often still fail to represent the events in an understandable way. Also, visualisations require visual attention and so are not well suited to continuous monitoring scenarios in which network administrators must carry out other tasks. Situational awareness is critical and essential for decision-making in the domain of computer network monitoring where it is vital to be able to identify and recognise network environment behaviours.

This thesis presents SoNSTAR (Sonification of Networks for SiTuational AwaReness), a real-time sonification system to be used in the monitoring of computer networks to support the situational awareness of network administrators. Together with a new way of reducing traffic complexity, called “IP flow”, SoNSTAR provides an auditory representation of all the TCP/IP protocol traffic within a network based on the different traffic flows between network hosts. SoNSTAR narrows the gap between network administrators and the cyber environment so they can more quickly recognise and learn about the way the traffic flows within their network behave and change. SoNSTAR raises situational awareness levels for computer network defence by allowing operators to achieve better understanding and performance while imposing less workload compared to visual techniques. SoNSTAR identifies the features of network traffic flows by inspecting the status flags of TCP/IP packet headers. Different combinations of these features define particular traffic events.

These events are mapped to recorded sounds to generate a soundscape that represents the real-time status of the network traffic environment. Listening to the sequence, timing, and loudness of the different sounds within the soundscape allows the network administrator to monitor the network and recognise anomalous behaviour quickly, without having to continuously look at a computer screen. Evaluation showed that operators were able to monitor and recognise network attacks better with SoNSTAR than with Snort, a leading visual intrusion detection system, and with lower reported cognitive workloads. Accuracy of recognition was highest when using both Snort and SoNSTAR together (97.14%). The results clearly show that accuracy improved when using sonification. When using sonification, the mental and perceptual workloads required were less than when using visualisation alone (45% vs. 58%). The pressure participants felt due to the pace of the monitoring task was less when using SoNSTAR (31% vs. 65%). Frustration rate showed improvement when using SoNSTAR (36% vs. 71%). The very act of listening to the traffic generates a fast discovery process leading to new knowledge of malicious behaviours that is not possible with current algorithmic approaches. SoNSTAR enabled the user to explore distributed, parallel and horizontal behaviours that are similar to normal behaviours. An experiment using the 11.39 GiB ISOT Botnet Dataset, containing labelled botnet traffic data, compared the SoNSTAR system with three leading machine learning-based traffic classifiers in a botnet activity detection test. SoNSTAR demonstrated greater accuracy (99.92%), precision (97.1%) and recall (99.5%) and much lower false positive rates (0.007%) than the other techniques. The knowledge generated about characteristic botnet behaviours could be used in the development of future IDSs.

Actions (login required)

View Item

Downloads