Network Intell: Enabling the Non-Expert Analysis of Large Volumes of Intercepted Network Traffic
Erwin van de Wiel, Mark Scanlon, Nhien-An Le-Khac

TL;DR
This paper introduces a new method that lets non-experts analyze large volumes of intercepted network traffic using metadata, reducing analysis time and providing clearer insights, especially in encrypted and IoT-rich environments.
Contribution
The paper presents a novel metadata-based analysis approach that simplifies and accelerates the examination of large, complex intercepted network data for non-technical investigators.
Findings
Significantly reduces analysis duration
Provides clearer insight views for non-experts
Effective on large, encrypted, and IoT traffic datasets
Abstract
In criminal investigations, telecommunication wiretaps have become a common technique used by law enforcement. While phone-based wiretapping is well documented and the procedures for its execution are well known, the same cannot be said for Internet taps. Lawfully intercepted network traffic often contains a lot of encrypted traffic, making it increasingly difficult to find useful information inside the captured traffic. The advent of the Internet of Things further complicates the process for non-technical investigators. The current level of complexity of intercepted network traffic is close to a point where data cannot be analysed without the supervision of a digital investigator with advanced network knowledge. Current investigations focus on analysing all traffic in a chronological manner and are predominately conducted on the data contents of the intercepted traffic. This approach often…
Taxonomy
Topics: Digital and Cyber Forensics · Advanced Malware Detection Techniques · Network Security and Intrusion Detection
