Sonification of network traffic flow for monitoring and situational awareness

Maintaining situational awareness of what is happening within a computer network is challenging, not only because the behaviour happens within machines, but also because data traffic speeds and volumes are beyond human ability to process. Visualisation techniques are widely used to present information about network traffic dynamics. Although they provide operators with an overall view and specific information about particular traffic or attacks on the network, they often still fail to represent the events in an understandable way. Also, because they require visual attention they are not well suited to continuous monitoring scenarios in which network administrators must carry out other tasks. Here we present SoNSTAR (Sonification of Networks for SiTuational AwaReness), a real-time sonification system for monitoring computer networks to support network administrators' situational awareness. SoNSTAR provides an auditory representation of all the TCP/IP traffic within a network based on the different traffic flows between network hosts. A user study showed that SoNSTAR raises situational awareness levels by enabling operators to understand network behaviour, with the benefit of lower workload demands (as measured by the NASA TLX method) than visual techniques. SoNSTAR identifies network traffic features by inspecting the status flags of TCP/IP packet headers. Combinations of these features define particular traffic events which are mapped to recorded sounds to generate a soundscape that represents the real-time status of the network traffic environment. The sequence, timing, and loudness of the different sounds allow the network to be monitored and anomalous behaviour to be detected without the need to continuously watch a monitor screen.

S1 Appendix - SoNSTAR: flow and IP flow feature information array contents

When a TCP packet is received, the Feature Extractor unpacks the packet and extracts the flag status. The system keeps a counter of the packets arriving in each time window. For every packet that arrives in the window, the Feature Extractor extracts the flag status; if the flow has not been seen before it creates a new Traffic flow or IP flow, and if the flow already exists it updates the flag counts for the two types of TCP flow as follows.

Traffic Flows

A Traffic flow is identified by source address, source port, destination address and destination port, followed by columns of flag status counts. SoNSTAR retains this information in an array carrying all feature information extracted from the packets in each time window for each Traffic flow, as per Table 1. In the counts below, "only X set" means that the named flag(s) have status 1 and every other flag has status 0.

Table 1. Traffic flow feature information array contents

| #  | Field       | Description |
|----|-------------|-------------|
| 2  | Address 1   | One of the two IP addresses of the flow; it is the source or the destination according to which side is sending or receiving the packet. |
| 3  | Address 2   | The other IP address of the flow; likewise source or destination according to the direction of the packet. |
| 4  | Port 1      | One of the two ports of the flow; source or destination according to the direction of the packet. |
| 5  | Port 2      | The other port of the flow; source or destination according to the direction of the packet. |
| 6  | FIN Out     | Count of outgoing packets with only FIN set. |
| 7  | FIN In      | Count of incoming packets with only FIN set. |
| 8  | SYN Out     | Count of outgoing packets with only SYN set. |
| 9  | SYN In      | Count of incoming packets with only SYN set. |
| 10 | SYN ACK Out | Count of outgoing packets with only SYN and ACK set. |
| 11 | SYN ACK In  | Count of incoming packets with only SYN and ACK set. |
| 12 | RST Out     | Count of outgoing packets with only RST set. |
| 13 | RST In      | Count of incoming packets with only RST set. |
| 14 | ACK Out     | Count of outgoing packets with only ACK set. |
| 15 | ACK In      | Count of incoming packets with only ACK set. |
| 16 | PSH Out     | Count of outgoing packets with only PSH set. |
| 17 | PSH In      | Count of incoming packets with only PSH set. |
| 18 | PSH ACK Out | Count of outgoing packets with only PSH and ACK set. |
| 19 | PSH ACK In  | Count of incoming packets with only PSH and ACK set. |
| 20 | URG Out     | Count of outgoing packets with only URG set. |
| 21 | URG In      | Count of incoming packets with only URG set. |

IP flows

An IP flow is identified by source address and destination address, followed by columns of flag status counts. SoNSTAR retains this information in an array carrying all feature information extracted from the packets in each time window for each IP flow, as per Table 2. The counts cover all ports between the two addresses; "only X set" has the same meaning as in Table 1.

Table 2. IP flow feature information array contents

| #  | Field           | Description |
|----|-----------------|-------------|
| 2  | Address 1       | One of the two IP addresses of the flow; it is the source or the destination according to which side is sending or receiving the packet. |
| 3  | Address 2       | The other IP address of the flow; likewise source or destination according to the direction of the packet. |
| 4  | FIN Out IPs     | Count of outgoing packets between the two addresses, over all ports, with only FIN set. |
| 5  | FIN In IPs      | Count of incoming packets between the two addresses, over all ports, with only FIN set. |
| 6  | SYN Out IPs     | Count of outgoing packets, over all ports, with only SYN set. |
| 7  | SYN In IPs      | Count of incoming packets, over all ports, with only SYN set. |
| 8  | SYN ACK Out IPs | Count of outgoing packets, over all ports, with only SYN and ACK set. |
| 9  | SYN ACK In IPs  | Count of incoming packets, over all ports, with only SYN and ACK set. |
| 10 | RST Out IPs     | Count of outgoing packets, over all ports, with only RST set. |
| 11 | RST In IPs      | Count of incoming packets, over all ports, with only RST set. |
| 12 | ACK Out IPs     | Count of outgoing packets, over all ports, with only ACK set. |
| 13 | ACK In IPs      | Count of incoming packets, over all ports, with only ACK set. |
| 14 | PSH Out IPs     | Count of outgoing packets, over all ports, with only PSH set. |
| 15 | PSH In IPs      | Count of incoming packets, over all ports, with only PSH set. |
| 16 | PSH ACK Out IPs | Count of outgoing packets, over all ports, with only PSH and ACK set. |
| 22 | NULL Out IPs    | Count of outgoing packets, over all ports, with every flag set to 0. |
| 23 | NULL In IPs     | Count of incoming packets, over all ports, with every flag set to 0. |
| 24 | LAND Out IPs    | Count of outgoing packets, over all ports, whose source and destination IP addresses are the same. |
| 25 | LAND In IPs     | Count of incoming packets, over all ports, whose source and destination IP addresses are the same. |
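The counting procedure this appendix describes, written out as an added Python example (not SoNSTAR's own code): each packet is classified by its exact TCP flag combination and tallied per Traffic flow and per IP flow with an Out/In direction. It assumes that Address 1 / Port 1 is the side that first sent a packet in the flow and that "Out" means from Address 1 to Address 2, which the appendix does not state; the sample packets in `demo()` are constructed.

```python
from collections import Counter

# TCP flag bits (low six bits of the flags byte in the TCP header)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
# Exact flag combinations tracked as features, as in Tables 1 and 2; any other
# combination (for example RST together with ACK) matches none of the counters.
FEATURES = {FIN: "FIN", SYN: "SYN", SYN | ACK: "SYN ACK", RST: "RST", ACK: "ACK",
            PSH: "PSH", PSH | ACK: "PSH ACK", URG: "URG", 0: "NULL"}

def classify(flags):
    """Map a TCP flags byte to its feature name, or None if it is not tracked."""
    return FEATURES.get(flags)

class FeatureExtractor:
    """Counters for one time window. Assumption (not stated by the appendix): Address 1 /
    Port 1 is the side that first sent a packet; 'Out' is from Address 1, 'In' the reverse."""
    def __init__(self):
        self.traffic_flows = {}   # (addr1, port1, addr2, port2) -> Counter of Table 1 fields
        self.ip_flows = {}        # (addr1, addr2) -> Counter of Table 2 fields
        self.window_packets = 0   # packets seen so far in this window

    def _count(self, table, fwd_key, rev_key, name, suffix=""):
        if fwd_key in table:
            table[fwd_key][name + " Out" + suffix] += 1
        elif rev_key in table:
            table[rev_key][name + " In" + suffix] += 1
        else:                     # first packet of a new flow fixes Address 1
            table[fwd_key] = Counter({name + " Out" + suffix: 1})

    def packet(self, src, sport, dst, dport, flags):
        self.window_packets += 1
        if src == dst:            # LAND: same source and destination address (Table 2 only)
            self._count(self.ip_flows, (src, dst), (dst, src), "LAND", " IPs")
            return
        feature = classify(flags)
        if feature and feature != "NULL":   # Table 1 on the page carries no NULL field
            self._count(self.traffic_flows, (src, sport, dst, dport), (dst, dport, src, sport), feature)
        if feature:
            self._count(self.ip_flows, (src, dst), (dst, src), feature, " IPs")

def demo():
    """Constructed sample: one completed handshake, three attempts to other ports refused with RST, one LAND packet."""
    fx = FeatureExtractor()
    fx.packet("10.0.0.5", 40000, "10.0.0.9", 80, SYN)
    fx.packet("10.0.0.9", 80, "10.0.0.5", 40000, SYN | ACK)
    fx.packet("10.0.0.5", 40000, "10.0.0.9", 80, ACK)
    for port in (22, 23, 25):
        fx.packet("10.0.0.5", 40001, "10.0.0.9", port, SYN)
        fx.packet("10.0.0.9", port, "10.0.0.5", 40001, RST)
    fx.packet("10.0.0.9", 80, "10.0.0.9", 80, SYN)
    return fx.traffic_flows, fx.ip_flows, fx.window_packets
```

In the resulting IP flow array the three refused attempts show up as SYN Out IPs without matching SYN ACK In IPs, which is the kind of imbalance the sonification makes audible.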