  • DocumentCode
    568672
  • Title
    Device Tracking in Private Networks via NAPT Log Analysis
  • Author
    Castiglione, Aniello ; De Santis, Alfredo ; Fiore, Ugo ; Palmieri, Francesco
  • Author_Institution
    Dipt. di Inf., Univ. di Salerno, Fisciano, Italy
  • fYear
    2012
  • fDate
    4-6 July 2012
  • Firstpage
    603
  • Lastpage
    608
  • Abstract
    The source IP address where an offending activity had originated is of limited value because it does not specify a physical location, but an endpoint in a network for the sole purpose of routing. In addition, people and their devices move across the network, changing IP address as a consequence. It is useful to have some clues about where a device was at the time the offending action was performed. However, it would be desirable to correlate different pieces of evidence to discover other information, such as IP addresses used by the same device. Devices repeatedly accessing a private network, at different times, can be profiled by analyzing and correlating Network and Port Address Translation (NAPT) logs, in order to recognize recurring activity patterns. By mapping sequences of NAPT translations into multi-dimensional curves and computing a similarity measure on these, it is possible to group multiple different curves into common sets or profiles, that can be ascribed to individual users/machines. In this way, it is possible to recognize some of the users from their traffic peculiarities (browsing habits, mail access, network traffic generated by specific applications, etc.) without considering the exposed IP addresses. Experiments were performed on NAPT logs gathered in a campus network, with DHCP data providing control values for validation.
  • Keywords
    IP networks; telecommunication network routing; NAPT logs; device tracking; multidimensional curves; network and port address translation; private networks; routing; source IP address; Forensics; IP networks; Internet; Payloads; Performance evaluation; Protocols; Device Tracking; Digital Forensics; IP Networks; Log Analysis; Network Address Translation; Network Forensics; Network Investigation; Similarity Matching;
  • fLanguage
    English
  • Publisher
    IEEE
  • Conference_Titel
    Innovative Mobile and Internet Services in Ubiquitous Computing (IMIS), 2012 Sixth International Conference on
  • Conference_Location
    Palermo
  • Print_ISBN
    978-1-4673-1328-5
  • Type
    conf
  • DOI
    10.1109/IMIS.2012.125
  • Filename
    6296923