Key Concepts
The paper proposes superflows, a method for grouping network flows that share a common hypothesis, to improve operational network response and shrink the volume of data an analyst must examine.
Abstract
Network security analysts collect data from various sources for forensic analysis.
The volume of data to analyze has grown with rising traffic volumes, and with it the number of events that operational teams must check.
Superflows address this by grouping flows that share a common hypothesis, so that a single compact record stands in for many related flows and operational network response improves.
The paper proposes a formalism for describing superflows.
Case studies demonstrate that superflows substantially reduce the volume of data that must be retained and examined for forensic analysis.
Different classes of superflows are discussed, including superflows for website analysis and for scan data.
The paper outlines its contributions, the motivation for superflows, related work, and future directions.
Statistics
"There are far more events to check than operational teams can handle for effective forensic analysis."
"Flows provide a compact summary of the most important information about a session."
"Forensic analysis requires the ability to reconstruct rare events, leading to a specific forensic need for unsampled Netflow."
Quotes
"Superflows are motivated by the need for traffic summaries describing modern network traffic."
"Superflows must be compact, and the hypothesis guiding their creation must be clear, unambiguous, and easily communicated to other users."