Exploring NAT detection and host identification

Abstract

This thesis explores NAT detection and host identification. The NAT detection approach is processed by supervised machine learning algorithms on HTTP attributes. Three classifiers are employed on training datasets labelled by artificial NAT generation method in NAT detection. This research demonstrates that AD Tree performs best in NAT detection and selects five effective attributes for it. AD Tree can detect NAT devices with an accuracy approximately of 100% on five datasets. The impact of difference in sizes of datasets in NAT detection is also observed in this thesis. Host identification is based on TCP timestamp values and system uptime values of TCP packets. This research identifies end hosts behind a detected NAT device using an improved artificial line generation method and an improved line distance calculation method. It also provides a new evaluation method for host identification. These two tasks are combined in this research for forensic analysis in order to analyze cybersecurity incidents that could occur from unknown NAT devices in the incoming traffic to an organization.