IP-based networks are used to connect computer systems across the globe, generating enormous volumes of data in the process. Analysing this data is vital to understanding the inner workings of networks and is thus a central aspect of cybersecurity and network engineering. It allows researchers to perform Network Intrusion Detection (NID), understand network constraints, and plan for future expansions. Different tools—such as Zeek, Snort and Wireshark—exist for this purpose. These tools are also used to label traffic: either by aggregating it into flows, or by labelling individual packets. However, such labels often lack a proper justification and fail to provide the insight needed to deeply understand traffic phenomena and situations.

Therefore, the main objective of this thesis is to analyse the existing labels of NID systems and datasets and explore how they can be improved. For this purpose, FlowBreaker—a new tool for describing traffic, built upon Zeek—was designed and developed. FlowBreaker's usability and performance are evaluated using the TII-SSRC-23 benchmark dataset and a real traffic sample from the MAWI WIDE project collection.

Evaluation results show that FlowBreaker is able to replicate the labels of the TII-SSRC-23 dataset while providing enriched information, justification, and keys for a deep understanding of traffic captures. For the real-life data, it provides a highly useful description for further analysis. Furthermore, the new tool significantly improves the user experience compared to pre-existing solutions, thus providing a very suitable framework for scientific research and experimentation.
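The abstract contrasts flow-level labels with per-packet labels and argues that a label is only useful when it carries a justification. The following added example (not code from the thesis or from FlowBreaker) shows the underlying mechanics in plain Python: packets are aggregated into bidirectional flows keyed by a canonical 5-tuple, and each flow is then given a label together with the concrete evidence (handshake state, per-direction packet and byte counts, duration) that supports it. The packet records and the labelling rules are constructed assumptions for illustration only.

```python
"""Aggregate packets into bidirectional flows and attach a justified label.

Added example, not part of the thesis or FlowBreaker. The packet sample and
the labelling rules below are constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class Packet:
    ts: float        # capture timestamp in seconds
    src: str
    dst: str
    sport: int
    dport: int
    proto: str       # "tcp" or "udp"
    length: int      # bytes on the wire
    flags: str = ""  # TCP flag letters on this packet, e.g. "S", "SA", "A", "F"


@dataclass
class Flow:
    key: tuple                      # (endpoint_a, endpoint_b, proto), endpoints sorted
    initiator: tuple                # endpoint that sent the first packet seen
    first_ts: float
    last_ts: float
    fwd_pkts: int = 0
    rev_pkts: int = 0
    fwd_bytes: int = 0
    rev_bytes: int = 0
    fwd_flags: set = field(default_factory=set)  # flag letters sent by initiator
    rev_flags: set = field(default_factory=set)  # flag letters sent by responder

    @property
    def responder(self):
        a, b, _ = self.key
        return b if self.initiator == a else a

    @property
    def duration(self):
        return self.last_ts - self.first_ts


def canonical_key(p):
    """Sort the two endpoints so both directions of a conversation share one key."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (a, b, p.proto) if a <= b else (b, a, p.proto)


def aggregate(packets):
    """Group packets into flows; direction is relative to the first packet seen."""
    flows = {}
    for p in sorted(packets, key=lambda x: x.ts):
        key = canonical_key(p)
        f = flows.get(key)
        if f is None:
            f = flows[key] = Flow(key, (p.src, p.sport), p.ts, p.ts)
        f.last_ts = max(f.last_ts, p.ts)
        if (p.src, p.sport) == f.initiator:
            f.fwd_pkts += 1
            f.fwd_bytes += p.length
            f.fwd_flags.update(p.flags)
        else:
            f.rev_pkts += 1
            f.rev_bytes += p.length
            f.rev_flags.update(p.flags)
    return flows


def describe(f):
    """Return (label, reasons). The rules are illustrative assumptions only."""
    reasons, label = [], "benign"
    if f.key[2] == "tcp":
        if "S" in f.fwd_flags and {"S", "A"} <= f.rev_flags:
            reasons.append("completed TCP handshake (SYN from initiator, SYN/ACK from responder)")
        elif "S" in f.fwd_flags and f.rev_pkts == 0:
            label = "syn-no-reply"
            reasons.append("SYN sent by initiator but no packet from responder")
        if "F" in f.fwd_flags | f.rev_flags:
            reasons.append("FIN seen: orderly close")
        if "R" in f.fwd_flags | f.rev_flags:
            reasons.append("RST seen: connection aborted")
    if f.fwd_pkts and f.rev_pkts:
        reasons.append("bidirectional: both endpoints sent packets")
    reasons.append(f"{f.fwd_pkts} fwd / {f.rev_pkts} rev packets, "
                   f"{f.fwd_bytes} fwd / {f.rev_bytes} rev bytes over {f.duration:.2f}s")
    return label, reasons


def describe_all(packets):
    """Flow report ordered by first packet time, each entry carrying its justification."""
    report = []
    for f in sorted(aggregate(packets).values(), key=lambda x: x.first_ts):
        label, reasons = describe(f)
        report.append({"initiator": f.initiator, "responder": f.responder,
                       "proto": f.key[2], "label": label, "reasons": reasons,
                       "fwd_pkts": f.fwd_pkts, "rev_pkts": f.rev_pkts})
    return report


# Constructed sample: one HTTPS session, one DNS exchange, one unanswered SYN.
SAMPLE_PACKETS = [
    Packet(0.00, "10.0.0.5", "93.184.216.34", 40000, 443, "tcp", 60, "S"),
    Packet(0.01, "93.184.216.34", "10.0.0.5", 443, 40000, "tcp", 60, "SA"),
    Packet(0.02, "10.0.0.5", "93.184.216.34", 40000, 443, "tcp", 52, "A"),
    Packet(0.10, "10.0.0.5", "93.184.216.34", 40000, 443, "tcp", 500, "A"),
    Packet(0.20, "93.184.216.34", "10.0.0.5", 443, 40000, "tcp", 1400, "A"),
    Packet(1.00, "10.0.0.5", "93.184.216.34", 40000, 443, "tcp", 52, "FA"),
    Packet(0.50, "10.0.0.5", "10.0.0.1", 53000, 53, "udp", 70),
    Packet(0.51, "10.0.0.1", "10.0.0.5", 53, 53000, "udp", 120),
    Packet(2.00, "10.0.0.5", "10.0.0.9", 40001, 22, "tcp", 60, "S"),
]

if __name__ == "__main__":
    for entry in describe_all(SAMPLE_PACKETS):
        print(entry["initiator"], "->", entry["responder"], entry["proto"], entry["label"])
        for r in entry["reasons"]:
            print("   -", r)
```

The point of the `reasons` list is that a reviewer can check each label against what was actually observed instead of trusting an opaque tag; the same structure extends naturally to a Zeek-style pipeline where per-flow records are enriched with the packet-level observations that produced them.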
Language: en
Additional information:
Thesis not yet received at the library - data not checked. Title differs: translated by the author.