Conference record number:
4705
Article title:
An efficient user identification approach based on Netflow analysis
Authors:
Bakhshandeh Atieh, bakhshandeh@rcdat.com (Research Center for Development of Advanced Technologies (RCDAT)); Eskandari Zahra, eskandari@rcdat.com (Research Center for Development of Advanced Technologies (RCDAT))
Number of pages:
5
Keywords:
user profiling , forensics , netflow
Publication year:
1397
Conference title:
Fifteenth International Conference of the Iranian Society of Cryptology
Document language:
English
Persian abstract:
With the advent of new technologies such as cloud-based services, smartphones, tablets, etc., users' connectivity to networks is inevitable. This results in the generation of a huge amount of traffic from users' activities. For forensic examiners, this traffic is a critical source of information. In network forensics, focusing only on IP addresses results in evidence that cannot be relied on with confidence, as the account might have been compromised. Thus, the associated user is of more interest to forensic scientists than the IP address. Moreover, with the wide range of devices that a user may use (smartphone, tablet, laptop, etc.) and the wide use of DHCP, the IP address is not a suitable identifier for distinguishing users. This paper proposes a method for efficiently identifying the users of a network based on their behavior, using NetFlow traffic (which does not contain payloads). We extract a feature set from the network flows and use a random forest model to classify users. We have achieved a precision of 0.94 in the detection of users. The results show that this method can be used effectively by forensic scientists, as they do not need to examine the whole traffic; the reduced NetFlow traffic alone would be enough for investigation.
Country:
Iran