Title :
Network Forensic Analysis Using Growing Hierarchical SOM
Author :
Shin-Ying Huang ; Yennun Huang
Author_Institution :
Acad. Sinica, Res. Center for Inf. Technol. Innovation, Taipei, Taiwan
Abstract :
IP flow analysis is an effective way of doing network forensic analysis, which aims to detect attack patterns and identify attackers in given network traffic data. For attacks such as Distributed Denial of Service (DDoS), identifying the botnet efficiently and in time is a challenge. Recently, unsupervised learning methods such as K-means, the self-organizing map (SOM), and the growing hierarchical self-organizing map (GHSOM) have been shown to facilitate network anomaly detection. However, no study has focused on mining IP flows that contain a high variety of attacks in an intuitive way. In this study, we leverage the visualization strength of GHSOM to analyze static IP flow data, i.e. the network traces collected at the victims, in order to identify suspicious source IPs. GHSOM generates a hierarchical architecture based on the input data and helps reveal the data's inherent hierarchical relationships. For example, the geometric distances between each attack pattern and its descriptive information are revealed in the topological space, which forms the signature of a botnet. The IP flows clustered by GHSOM are grouped by distinctive connection features, and the differences between clusters are visualized along sequential time stamps, which can be used to portray various attack patterns, explore the sources of attacks, and understand attack behaviors. Experimental results on real-world traffic data show that forensic analysis using GHSOM can efficiently identify several DDoS attack patterns and generate filtering rules for an intrusion detection system (IDS) by further inspecting and bookmarking the suspicious source IPs.
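The pipeline the abstract describes (aggregate flows per source IP, cluster the feature vectors with a self-organizing map, inspect the resulting units, bookmark the suspicious sources and turn them into filter rules) can be sketched in code. The following is an added example and is not the paper's code: it uses a flat SOM rather than the paper's GHSOM (no hierarchical growth is implemented), the flow records are constructed, and the feature choice, map size, the flag threshold of 0.5 on normalized flow count and the iptables-style rule format are all assumptions made here.

```python
"""Added example, not the paper's code: a minimal SOM over per-source IP flow
features, used the way the abstract describes. The flow records below are
constructed; feature set, map size, threshold and rule format are assumptions."""
import math
import random
from collections import defaultdict


def constructed_flows():
    """Constructed flow records: (src_ip, dst_ip, dst_port, packets, bytes).
    Five sources behave like a SYN-flood botnet (hundreds of one-packet flows
    to one port); eight sources behave like ordinary clients."""
    rng = random.Random(1)
    flows = []
    for ip in (f"203.0.113.{i}" for i in (10, 11, 12, 13, 14)):
        for _ in range(rng.randint(180, 220)):
            flows.append((ip, "198.51.100.5", 80, 1, rng.randint(40, 60)))
    for ip in (f"192.0.2.{i}" for i in range(20, 28)):
        for _ in range(rng.randint(3, 10)):
            port = rng.choice([80, 443, 22, 8080, 53])
            pk = rng.randint(20, 80)
            flows.append((ip, "198.51.100.5", port, pk, pk * rng.randint(500, 1400)))
    return flows


def source_features(flows):
    """Per source IP: [flow count, mean packets/flow, mean bytes/packet,
    distinct destination ports] (an assumed feature set)."""
    per = defaultdict(list)
    for src, _dst, port, pk, by in flows:
        per[src].append((port, pk, by))
    feats = {}
    for src, rows in per.items():
        n = len(rows)
        feats[src] = [n,
                      sum(r[1] for r in rows) / n,
                      sum(r[2] for r in rows) / sum(r[1] for r in rows),
                      len({r[0] for r in rows})]
    return feats


def minmax(feats):
    """Scale every feature to [0, 1] so no single dimension dominates distances."""
    dims = len(next(iter(feats.values())))
    lo = [min(v[d] for v in feats.values()) for d in range(dims)]
    hi = [max(v[d] for v in feats.values()) for d in range(dims)]
    return {k: [(v[d] - lo[d]) / ((hi[d] - lo[d]) or 1) for d in range(dims)]
            for k, v in feats.items()}


class SOM:
    """Flat rectangular self-organizing map with a Gaussian neighborhood.
    A GHSOM would additionally grow the map and spawn child maps for units
    whose quantization error stays high; that growth is not implemented here."""

    def __init__(self, rows, cols, dims, seed=7):
        rng = random.Random(seed)
        self.rows, self.cols = rows, cols
        self.w = [[rng.random() for _ in range(dims)] for _ in range(rows * cols)]

    def bmu(self, x):
        """Index of the best-matching unit (smallest squared Euclidean distance)."""
        return min(range(len(self.w)),
                   key=lambda i: sum((a - b) ** 2 for a, b in zip(self.w[i], x)))

    def train(self, data, epochs=200, lr0=0.5, sigma0=1.5):
        rng = random.Random(3)
        order = list(data)
        for t in range(epochs):
            frac = t / epochs
            lr, sigma = lr0 * (1 - frac), sigma0 * (1 - frac) + 0.05
            rng.shuffle(order)
            for x in order:
                br, bc = divmod(self.bmu(x), self.cols)
                for i, wi in enumerate(self.w):
                    r, c = divmod(i, self.cols)
                    h = math.exp(-((r - br) ** 2 + (c - bc) ** 2) / (2 * sigma * sigma))
                    for d in range(len(wi)):
                        wi[d] += lr * h * (x[d] - wi[d])


def cluster_sources(flows, flag_threshold=0.5):
    """Map each source to a SOM unit, then 'inspect' units: a unit whose members
    average a normalized flow count above the threshold is bookmarked as
    suspicious (the DDoS signature here: many flows, tiny packets, one port)."""
    feats = minmax(source_features(flows))
    som = SOM(3, 3, 4)
    som.train(list(feats.values()))
    units = defaultdict(list)
    for src, x in feats.items():
        units[som.bmu(x)].append(src)
    flagged = []
    for members in units.values():
        if sum(feats[s][0] for s in members) / len(members) > flag_threshold:
            flagged.extend(members)
    return dict(units), sorted(flagged)


def filter_rules(flagged):
    """Assumed iptables-style rule format for the bookmarked sources."""
    return [f"-A INPUT -s {ip} -j DROP" for ip in flagged]


if __name__ == "__main__":
    units, flagged = cluster_sources(constructed_flows())
    for unit, members in sorted(units.items()):
        print(f"unit {unit}: {members}")
    print("\n".join(filter_rules(flagged)))
```

The clustering step is unsupervised; the decision of which units are "suspicious" is still an analyst's inspection step, here reduced to a threshold on one feature. In practice the bookmarked sources should be checked against the raw flows (time stamps, ports, packet sizes) before any rule is deployed, since a unit can also collect legitimate high-volume clients such as proxies or scanners from the victim's own monitoring.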
Keywords :
IP networks; computer network security; data analysis; data visualisation; digital forensics; self-organising feature maps; unsupervised learning; Botnet; GHSOM visualization specialty; IDS; IP sources; K-means; attack pattern detection; bookmarking; distributed denial of service attack; filtering rule generation; geometric distances; growing hierarchical SOM; growing hierarchical self-organizing map; hierarchical architecture; intrusion detection system; network anomaly detection; network forensic analysis; network traffic data; real-world traffic data; sequential time stamps; several DDoS attack patterns; static IP flow data analysis; topological space; unsupervised learning methods; victim network traces; Data visualization; Filtering; Forensics; IP networks; Internet; Telecommunication traffic; Telescopes; Data clustering; Feature extraction; Network anomaly detection; Network forensics; Neural networks;
Conference_Title :
Data Mining Workshops (ICDMW), 2013 IEEE 13th International Conference on
Conference_Location :
Dallas, TX
Print_ISBN :
978-1-4799-3143-9
DOI :
10.1109/ICDMW.2013.66