This research has been predicated on the notion that it is desirable for human
analysts to group the contents of passively logged TCP connections into user
sessions for the purpose of surveillance. The above results are now used to show
how Link Chaining aids this process.
6.1 Modeling Sessionization Time
Without Link Chaining, or a similar technique, the largest unit of network traffic that can be rebuilt from the stream automatically and reliably is the TCP connection. After TCP connections are rebuilt, it is assumed the analyst would sessionize them by analysing hyperlinks, content, semantics etc. Since no real data on human sessionization time is available, the time $t_s$ to sessionize $n$ connections is modeled as follows:

$$t_s = t_c \cdot \frac{n(n-1)}{2} \qquad \text{Sessionization Time Model 1} \qquad (6)$$

where the time to compare one connection or fragment to another, $t_c$, is constant, and is multiplied by the maximum number of comparisons required (i.e. the comparison of all possible connection pairs, or $\binom{n}{2}$). This is a conservative model.
Modeling sessionization time without empirical data is admittedly clumsy. The following relationship is used to model the best case sessionization time achievable by an analyst, $t_s$, which is linear with respect to the number of connections. It is impossible to argue that a human (or even a computer) can do better than compare all connections in one pass simultaneously, so the model is used as an ultra-optimistic benchmark.

$$t_s = n \cdot t_c \qquad \text{Sessionization Time Model 2} \qquad (7)$$
6.2 Time Savings
The average size of fragments isolated by the heuristic in the Link Chaining Attack was 10.62 connections. Based on this average, the number of pieces, $n$, that an analyst would have to sessionize is reduced to $n / 10.62$. Figures 12 and 13 illustrate the effect of such a reduction on sessionization time using both models M1 and M2.
The first model shows that, based on the average fragment size of the experiments, a human analyst working with fragments (as opposed to individual TCP connections) would experience a speedup of greater than 100 when based on a conservative model of analyst efficiency. When based on an optimistic model for analyst efficiency, the LCA represents a ten-fold speedup. Since the optimistic model represents the best possible case for a human analyst's unaided performance, it is expected that the actual speedup would be significantly better than the indicated ten-fold speedup.
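The two speedup figures above follow directly from Models 1 and 2 once the analyst's workload drops from $n$ connections to $n/10.62$ fragments. The following added example (not code from the paper) evaluates both models with $t_c$ normalised to 1 and shows why the conservative model gives a ratio above 100: for large $n$ the Model 1 speedup tends to $10.62^2 \approx 112.8$, while the Model 2 speedup is exactly $10.62$.

```python
"""Sessionization time models (Eq. 6 and Eq. 7) and the speedup from Link Chaining.

Added illustration, not the paper's own code. t_c is normalised to 1 time unit,
and the average fragment size 10.62 is the value reported in the text.
"""

AVG_FRAGMENT_SIZE = 10.62  # average connections per fragment found by the heuristic


def model1_time(n: float, t_c: float = 1.0) -> float:
    """Model 1 (Eq. 6): t_s = t_c * n(n-1)/2, one comparison per pair of items.

    For fewer than two items there is nothing to compare, so the time is zero
    rather than the negative value the bare formula would give.
    """
    return t_c * max(n * (n - 1) / 2.0, 0.0)


def model2_time(n: float, t_c: float = 1.0) -> float:
    """Model 2 (Eq. 7): t_s = n * t_c, the ultra-optimistic single-pass model."""
    return t_c * n


def speedup(n_connections: float, model, fragment_size: float = AVG_FRAGMENT_SIZE,
            t_c: float = 1.0) -> float:
    """Ratio of unaided time (n connections) to aided time (n/fragment_size pieces).

    Raises ValueError when the aided workload is too small for the model to
    predict any work at all (e.g. Model 1 with fewer than two fragments).
    """
    pieces = n_connections / fragment_size
    unaided = model(n_connections, t_c)
    aided = model(pieces, t_c)
    if aided <= 0.0:
        raise ValueError("aided time is zero; too few connections for a meaningful ratio")
    return unaided / aided


def asymptotic_speedup(model, fragment_size: float = AVG_FRAGMENT_SIZE) -> float:
    """Limit of speedup() as n grows: fragment_size**2 for the quadratic Model 1,
    fragment_size for the linear Model 2 (approximated at a very large n)."""
    return speedup(1e9, model, fragment_size)


if __name__ == "__main__":
    print(f"{'n':>7} {'M1 speedup':>12} {'M2 speedup':>12}")
    for n in (50, 200, 1000, 10000):
        print(f"{n:>7} {speedup(n, model1_time):>12.2f} {speedup(n, model2_time):>12.2f}")
    print(f"limit  {asymptotic_speedup(model1_time):>12.2f} {asymptotic_speedup(model2_time):>12.2f}")
```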
The amount of content visible in each fragment has a definite impact on
sessionization speed. Individual TCP connections offer only a small window onto