Passive network forensics: behavioural classification of network hosts based on connection patterns

ACM SIGOPS Operating Systems Review(2008)

Abstract
Passive monitoring of the data entering and leaving an enterprise network can support a number of forensic objectives. We have developed analysis techniques for NetFlow data that use behavioural identification and can confirm individual host roles and behaviours expressed as connection patterns. By looking at the way a given machine interacts with others, it is often possible to determine the role of the machine based solely on the network data. Host behaviours as characterized by NetFlow data are not stationary. Evolutionary changes occur as the result of new applications, computational and communications paradigms. Compromised machines often undergo changes in behaviour that range from subtle to dramatic. We use behavioural changes to identify role shifts and to trace the malicious or unintentional propagation of that change to other machines. Observed behavioural characteristics from over a year of traffic captures containing ordinary behaviours as well as a variety of compromises of interest are presented as examples for the forensics practitioner or researcher.
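The abstract describes hosts being assigned roles from their connection patterns and behavioural change being used to flag role shifts and trace propagation. The following is an added illustration written for this page, not the paper's method or data: it builds a per-host connection profile from constructed, simplified NetFlow-style tuples (src, dst, dst_port), classifies roles with illustrative fan-in/fan-out rules and an assumed fan-out threshold, compares two capture windows for role shifts, and lists the peers a shifted host contacted as the machines a responder would examine next.

```python
from collections import defaultdict

# Constructed NetFlow-style records (src_ip, dst_ip, dst_port); a simplified
# flow tuple assumed for illustration, not the paper's data set.
BASELINE = [
    ("10.0.0.10", "10.0.0.1", 443), ("10.0.0.10", "10.0.0.2", 53),
    ("10.0.0.10", "10.0.0.3", 80),
    ("10.0.0.11", "10.0.0.1", 443), ("10.0.0.12", "10.0.0.1", 443),
    ("10.0.0.13", "10.0.0.1", 443),
]
# Later window: 10.0.0.10 now contacts many hosts on one port (worm-like spread).
LATER = [("10.0.0.10", f"10.0.0.{n}", 445) for n in range(20, 30)] + [
    ("10.0.0.11", "10.0.0.1", 443), ("10.0.0.12", "10.0.0.1", 443),
    ("10.0.0.13", "10.0.0.1", 443),
]

SCAN_FANOUT = 8  # assumed threshold: distinct peers contacted on a single port

def connection_profile(flows):
    """Per-host connection pattern: who it talks to, who talks to it, on which ports."""
    prof = defaultdict(lambda: {"out_peers": set(), "in_peers": set(), "dst_ports": set()})
    for src, dst, dport in flows:
        prof[src]["out_peers"].add(dst)
        prof[src]["dst_ports"].add(dport)
        prof[dst]["in_peers"].add(src)
    return prof

def classify_role(p):
    """Coarse role from fan-in/fan-out; the rules are illustrative, not the paper's."""
    fan_in, fan_out = len(p["in_peers"]), len(p["out_peers"])
    if fan_out >= SCAN_FANOUT and len(p["dst_ports"]) == 1:
        return "scanner"  # many peers on one service port: propagation-like behaviour
    return "server" if fan_in > fan_out else "client"

def role_shifts(before, after):
    """Hosts present in both windows whose role changed, as host -> (old_role, new_role)."""
    pb, pa = connection_profile(before), connection_profile(after)
    shifts = {}
    for host in pb.keys() & pa.keys():
        old, new = classify_role(pb[host]), classify_role(pa[host])
        if old != new:
            shifts[host] = (old, new)
    return shifts

def propagation_candidates(after, shifts):
    """Peers contacted by hosts that shifted to 'scanner': the next machines to examine."""
    pa = connection_profile(after)
    return {h: sorted(pa[h]["out_peers"]) for h, (_, new) in shifts.items() if new == "scanner"}

if __name__ == "__main__":
    found = role_shifts(BASELINE, LATER)
    print(found)                                   # {'10.0.0.10': ('client', 'scanner')}
    print(propagation_candidates(LATER, found))
```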
Keywords
on-line gaming, role shift, behaviour, virus, network data, enterprise network, security, behavioural classification, peer-to-peer, network, behavioural change, intrusion prevention, machine interacts, passive network forensics, worm, propagation prevention, compromised machine, connection pattern, behavioural identification, traffic, netflow data, individual host role, intrusion detection, forensic, observed behavioural characteristic, network forensics