Computers & Security

Identifying infected users via network traffic


Abstract

There has been increasing interest in a deeper understanding of users and user behavior in order to tailor and strengthen cybersecurity. Just as in the field of medicine, where the symptoms of a disease trigger early intervention by a doctor, we investigate the feasibility of extracting indicators from network traffic that can be used for proactive identification of user infection, which in turn can prompt proactive intervention by a network administrator. Using two months of wireless traffic from a large public university, we attempt to differentiate between 1923 users with infected devices and random samples of uninfected users. We extract 36 features from the traffic and apply various dimensionality reduction techniques, unsupervised clustering methods, and supervised learning algorithms. Principal Component Analysis identifies the 10 features that contribute most to explaining about 92.8% of the variance in user behavior, revealing the remaining 26 features to be less useful for understanding users. K-means clustering partitions users into distinct groups that in the majority of cases separate the infected and uninfected users, with some clusters composed of up to 100.0% of only one type of user. Finally, supervised learning yields accuracy values of up to 79.0% and ROC AUC values of up to 86.0% when classifying users as either infected or uninfected. Our work shows there is potential to derive infection 'symptoms' from network traffic. Published by Elsevier Ltd.
