• DocumentCode
    3496629
  • Title
    Visualisation of network forensics traffic data with a self-organising map for qualitative features
  • Author
    Palomo, E.J. ; North, J. ; Elizondo, D. ; Luque, R.M. ; Watson, T.
  • Author_Institution
    Dept. of Comput. Sci., Univ. of Malaga, Malaga, Spain
  • fYear
    2011
  • fDate
    July 31 2011-Aug. 5 2011
  • Firstpage
    1740
  • Lastpage
    1747
  • Abstract
Digital crimes are a part of modern life, but evidence of these crimes can be captured in network traffic data logs. Analysing these logs is a difficult process; this is especially true because the form that different attacks can take varies tremendously and may be unknown at the time of the analysis. The main objective of the field of network forensics is to gather evidence of illegal acts from a networking infrastructure. Therefore, software tools and techniques that can help with these digital investigations are in great demand. In this paper, an approach to analysing and visualising network traffic data based upon the use of self-organising maps (SOM) is presented. The self-organising map has been widely used in clustering tasks in the literature; it enables network clusters to be created and visualised in a manner that makes them immediately more intuitive and understandable, and it can be applied to high-dimensional input data, transforming this into a much lower dimensional space. In order to show the usefulness of this approach, the self-organising map has been applied to traffic data, for use as a tool in network forensics. Moreover, the proposed SOM takes into account the qualitative features that are present in the traffic data, in addition to the quantitative features. The traffic data was clustered and visualised, and the results were then analysed. The results demonstrate that this technique can be used to aid in the comprehension of digital forensics and to facilitate the search for anomalous behaviour in the network environment.
  • Keywords
    computer forensics; computer networks; data analysis; data visualisation; pattern clustering; self-organising feature maps; telecommunication traffic; SOM; anomalous behaviour; digital crimes; digital forensics; digital investigations; high-dimensional input data; illegal acts; network clusters; network environment; network forensics traffic data visualization; network traffic data analysis; network traffic data logs; network traffic data visualization; networking infrastructure; qualitative features; self-organising maps; software tools; task clustering; Computers; DNA; Forensics; Neurons; Protocols; Visualization;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Neural Networks (IJCNN), The 2011 International Joint Conference on
  • Conference_Location
    San Jose, CA
  • ISSN
    2161-4393
  • Print_ISBN
    978-1-4244-9635-8
• Type
    conf
  • DOI
    10.1109/IJCNN.2011.6033434
  • Filename
    6033434