Identity Linking in Computer Networks

Libor Pol

, Ond

rej Ry

sav

and Petr Matou

sek

Brno University of Technology, Faculty of Information Technology, Centre of Excellence IT4Innovations,

zet

echova 2, 612 66 Brno, Czech Republic

Keywords:

Cross-layer Identity Linking, Identiﬁers, Graph of Identiﬁers, Applications of Labeled Property Graphs.

Abstract:

Lawful interception, network forensics, and security incident investigations require cross-layer linking of iden-

tiﬁcation information to link different activities of a particular person. This paper presents a model called

graphs of identiﬁers that allows cross-layer linking of identiﬁers detected by various methods. Graphs of iden-

tiﬁers provide operations that link identiﬁers according to the constraints provided in the queries. The goal is

to employ the linking during early stages of the network forensic investigations when an investigator searches

for leads. The tools that implement the proposed model are publicly available.

1 INTRODUCTION

Identiﬁers appearing in the network identify differ-

ent subjects (Pﬁtzmann and Hansen, 2010), for exam-

ple, human beings, legal persons, or computers. For

many network-related tasks spanning lawful intercep-

tion, network forensics, and security incident inves-

tigation, it is necessary to link identities of different

subjects. The linking is necessary to answer questions

such as Who was using the computer with a particular

IP address last Friday at 5 PM?

An IP address identiﬁes a computer interface.

However, an IP address is not stable (Pol

ak et al.,

2014b) and can be hidden behind a network address

translation (NAT). At the application layer, users au-

thenticate to various services. They open sessions,

each of which is carried over one or more TCP

or UDP connections. All communication can be

identiﬁed with identiﬁers occurring inside the trafﬁc

ﬂow (FIDIS project, 2008b).

This paper proposes graphs of identiﬁers based on

undirected labeled property graphs (Robinson et al.,

2015). A graph of identiﬁers can link identiﬁers

used by a particular subject and link different subjects

based on the relationships between the subjects. The

model and operations in the model described in this

paper are available in a tool called linking

This work enhances the graph model established

https://orcid.org/0000-0001-9177-3073

https://orcid.org/0000-0001-9652-6418

https://orcid.org/0000-0003-4589-2041

https://github.com/polcak/linking

by (Pol

ak et al., 2014b). Comparably, this paper rep-

resents identiﬁers as nodes in a graph. The novelty

of the model presented in this paper lays in assign-

ments of key-value pairs to both nodes and relation-

ships. This improves the information that can be re-

vealed by the model:

• Time is an inherent component of graphs of iden-

tiﬁers. Hence, it is possible to track and investi-

gate time-related identiﬁer linking which is cru-

cial for ﬁelds such as network forensics and secu-

rity incident investigations.

• The model supports probabilistic identiﬁcation

methods (Pﬁtzmann and Hansen, 2010) — meth-

ods that are not able to indisputably reveal the sub-

ject represented by an identiﬁer. Instead, such

method reveals the identity with some degree of

certainty. Graphs of identiﬁers support linking of

identiﬁers detected by probabilistic identiﬁcation.

Hence, during network forensics, it is possible to

treat all identiﬁcation information as inaccurate,

see (Casey and Jaquet-Chiffelle, 2017) for more

information on the need for careful examination

during network forensics.

• The model considers resources such as web pages

or chat rooms. The underlying labeled property

graphs allow a deﬁnition of additional categories

of identiﬁers.

• We provide more operations compared to the orig-

inal model with the possibility to deﬁne even more

operations. The operations are deﬁned as walks in

the labeled property graphs.

Pol

cák, L., Ryšavý, O. and Matoušek, P.

Identity Linking in Computer Networks.

DOI: 10.5220/0009783500450052

In Proceedings of the 17th International Joint Conference on e-Business and Telecommunications (ICETE 2020) - DCNET, OPTICS, SIGMAP and WINSYS, pages 45-52

ISBN: 978-989-758-445-9

This paper primarily uses the terminology established

by (Pﬁtzmann and Hansen, 2010). An identiﬁer is

a unique attribute value of the subject. FIDIS project

introduced a concept of natural persons and virtual

persons (FIDIS project, 2008a). According to the ter-

minology established by FIDIS, the model established

in this paper links identiﬁers in the virtual world only.

This paper is organized as follows. Section 2

overviews scenarios that beneﬁt from identiﬁer link-

ing. Section 3 positions this paper to the related work.

Section 4 reviews methods and information sources

that reveals identiﬁers used in the network. Revealed

identiﬁers are used to build graphs of identiﬁers as de-

scribed in Section 5. Section 5 also deﬁnes operations

in graphs of identiﬁers. Section 6 describes the vali-

dation of the method. Section 7 concludes the paper.

2 SCENARIOS

This section lists several scenarios that beneﬁt from

identiﬁer linking.

Lawful Interception. (ATIS/TIA, 2006; ETSI,

2009) allows an authorized law enforcement agency

(LEA) to capture network trafﬁc of criminal suspects.

For each intercept, the LEA provides an identiﬁer that

identiﬁes the suspect to a service provider or a net-

work operator. However, the network of the operator

can be designed in a way in which it is not straight-

forward to carry the interception. For example, a law-

ful interception system has to be able to determine all

IP addresses used by devices in the network and link

them to the suspect.

Nevertheless, sometimes the warrant authoriz-

ing lawful interception provides some restrictions on

the identiﬁers allowed for the interception. For ex-

ample, a warrant can list an IP address and allow in-

terception of data identiﬁed by the particular IP ad-

dress only. Any other address even if it is certain that

the other address belongs to the same computer can-

not be intercepted. Other warrants may allow inter-

ception of all trafﬁc of the computer. Hence, the link-

ing should be customizable.

Data Retention. (ETSI, 2015): providers of elec-

tronic communications services or public communi-

cation networks collect metadata about all communi-

cation in the network. Authorized LEA can obtain

metadata about communication. A service provider or

a network operator that receives a data retention war-

rant has to ﬁnd all identiﬁers used by the suspect dur-

ing a listed period. Hence, it is crucial that the linking

mechanism support time-related queries.

Network Forensics. entails the separation of sus-

pect trafﬁc from other communication to reduce

the amount of information that needs to be analyzed

and to avoid privacy infringements of benign users.

Nevertheless, as (Casey and Jaquet-Chiffelle, 2017)

note, there is always an uncertainty in conﬁdence

in the online traces. Malware, identity thefts, and

the integrity of the input data are a signiﬁcant con-

cern. Hence, during network forensic investigation,

it is necessary to take into account the conﬁdence in

the identiﬁcation data.

Security Incident Investigation. Computer emer-

gency response teams (CERTs) and computer se-

curity incident response teams (CSIRTs) investigate

network security incidents. One of the tasks of

the CERT/CSIRT team investigating an incident is to

learn the identity of the attacker. For the investigation

of the security incident, it can be necessary to link

identiﬁers stored in different sources, sometimes even

including end stations.

3 RELATED WORK

Identiﬁcation in digital environment faces several is-

sues. It is common that a single natural person

has multiple online identities (Furnell, 2010; FIDIS

project, 2009; Casey and Jaquet-Chiffelle, 2017).

Also, identity theft and the use of false identity com-

plicates the identiﬁcation. The challenge in the cur-

rent forensic investigation is to prove that the suspect

was using the device at the incriminated time, so it is

possible to link her responsibility for the actions taken

by the device (Jones and Martin, 2010). This paper

does not address the linking between natural persons

and virtual persons. Nevertheless, the operations al-

lows linking different virtual identities which can be

helpful for the identiﬁcation of the suspect.

(Casey, 2011) emphasizes the need to link iden-

tiﬁers based on speciﬁc network parameters and

the limits imposed by law. The graphs of identiﬁers

link information revealed from various information

sources. Moreover, the operations can limit the scope

of allowed linking on a per-query basis. Each query

can be limited by time and inaccuracy constraints.

(Da-Yu Kao, 2015) proposes People-Process-

Technology-Strategy model to investigate advanced

persistent threats, that is stealthy network attacks in

which unauthorized persons gain access to a network

and remain undetected for a long period. As Da-Yu

Kao explains, the technology part of the model ben-

eﬁts from identity linking. Graphs of identiﬁers help

DCNET 2020 - 11th International Conference on Data Communication Networking

to achieve the goal to provide tools to execute time-

dependent queries.

(Atsa Etoundi Roger and Mboupda Moyo Achille,

2012) describe a network forensic model for proac-

tive, reactive, and active investigation. One of

the steps during the forensics is the analysis of gath-

ered evidence. As the evidence is coming from many

sources, the analysis can beneﬁt from graphs of iden-

tiﬁers. Nevertheless, expertise supervision on the re-

sults of queries in the model is necessary.

Evidence revealed during a forensic investigation

has only a limited level of certainty (Casey, 2011;

Casey and Jaquet-Chiffelle, 2017). Graphs of iden-

tiﬁers support both accurate and inaccurate relation-

ships. The linking operations consider the inaccu-

racy and queries can limit linking of inaccurate evi-

dence. Nevertheless, the intended use of the tools is in

the early phases of the investigative process (Jackson

et al., 2006) when the investigator is looking for leads.

The investigator can provide thresholds for acceptable

inaccuracy using linking

. It is up to the investiga-

tor to link revealed partial identities (Pﬁtzmann and

Hansen, 2010) and virtual persons (FIDIS project,

2008a) to the physical world entities.

(Carmagnola et al., 2010; Ye Na et al., 2013;

Peled et al., 2013) focus on identity linking of iden-

tities in social network websites. This paper provides

a method of generalized linking that covers various

information sources. Moreover, the linking methods

that detect proﬁles of the same person on different so-

cial network websites can be used as another source

of relationships between identiﬁers. The proﬁle iden-

tiﬁcation on a social network is an account identiﬁer

of category L7User as speciﬁed in Section 5.

The main contribution of this paper is the graph

model that links identiﬁers learned from various

sources that can be distributed in the network envi-

ronment. Graphs of identiﬁers extend previous work

introduced by (Pol

ak et al., 2014b). Graphs of iden-

tiﬁers described in this paper provide multiple ad-

vantages compared to the previous work, such as the

extensibility, time-related queries, support for iden-

tiﬁcation methods with limited certainty. The en-

hanced model described in this paper is implemented

in the tool linking

4 DETECTION OF IDENTIFIERS

Identiﬁers can be detected from many sources in

the network and network hosts. Current research al-

ready considers various options to learn identiﬁcation

information. Let us summarize the options.

• Network trafﬁc: network protocols usually rely on

identiﬁers (FIDIS project, 2008b). The presence

of a source and destination identiﬁer is often nec-

essary to enable the communication between re-

mote parties. Netﬂow/IPFIX data provide meta-

data about the trafﬁc ﬂows in the network.

• Log ﬁles, temporary and cache ﬁles, and his-

tory ﬁles reﬂect events that occurred on a com-

puter system. Events in server logs are typically

connected to network-related identiﬁers (Casey,

2011). See Figure 1 for example of log entries.

• Locally stored information such as hard drives

and other storage mediums. Tools such as

Autopsy

or AUDIT (Karabiyik and Aggarwal,

2014) analyze the content of hard drives includ-

ing deleted ﬁles. Besides the content of the ﬁles,

metadata, such as the owner, group, or last modi-

ﬁcation time are also available.

• Hidden identiﬁers are unique characteristics that

are speciﬁc to the deployed software or hard-

ware of a unique user, site, or a small set of

users. For example, hidden identiﬁers are browser

ﬁngerprints (Laperdrix et al., 2020), communi-

cation patterns (Banse et al., 2012; Herrmann

et al., 2012; Kirchler et al., 2016), and clock skew

(Kohno et al., 2005; Pol

ak and Frankov

a, 2015) .

(a) 192.168.9.5 - - [04/Nov/2016:15:21:02 +0000]

”GET /phpMyAdmin/scripts/setup.php HTTP/1.1”

403 237 ”-” ”ZmEu”

(b) Nov 4 15:06:41 server dhcpd: DHCPACK on

192.168.9.5 to fc:55:47:00:4f:90 (R1) via em0

Anonymous TLS connection established from

dhcp1.example.com[192.168.9.5]: TLSv1.2 with

cipher AECDH-AES256-SHA (256/256 bits)

Figure 1: An example of log ﬁles: (a) web server, (b) DHCP

server, (c) SMTP server.

Many sources of identiﬁcation are scattered in

the network environment. Even though a single in-

vestigation case typically employs only a subset of

the discussed identiﬁcation methods, there is a need

to link the scattered information. Graphs of identiﬁers

proposed in Section 5 can utilize any source of iden-

tiﬁers. Each detected relationship between identiﬁers

can be limited in time. Additionally, the identiﬁcation

method should report the uncertainty of the relation-

ship as inaccuracy. The identiﬁcation method is in

the best position to quantify the possible inaccuracy

of the provided information as it knows the trustwor-

thiness of its sources and its detection abilities. Re-

call that in some scenarios, such as network forensics,

https://www.sleuthkit.org/autopsy/

Identity Linking in Computer Networks

all sources have some level of uncertainty depending

on the possibility to alter the information (Casey and

Jaquet-Chiffelle, 2017).

5 IDENTIFIER LINKING

Section 4 identiﬁed various sources of identiﬁcation

information in the network and on network hosts.

However, the mere knowledge that some identiﬁers

do exist or did exist at some time is only of limited

use for the use cases established in Section 2. This

section provides the main contribution of this paper

— the model that links the information based on user-

speciﬁed queries. Subsection 5.1 divides the iden-

tiﬁers into categories according to their similarities,

such as durability and the identiﬁed subject. Sub-

section 5.2 deﬁnes the graphs of identiﬁers based on

undirected labeled property graphs (Robinson et al.,

2015). Finally, Subsection 5.3 deﬁnes operations in

the graphs of identiﬁers as implemented by linking

5.1 Categories of Identiﬁers

Even though the identiﬁers can be learned by various

methods, there are some similarities between iden-

tiﬁers. We divide identiﬁers into categories; each

contains identiﬁers of the same subject — a per-

son, a computer, or a resource. The categories also

reﬂect the occurrence of the identiﬁers, for exam-

ple, the identiﬁer appears in each network packet, or

the identiﬁer appears during an authentication phase

of a protocol only. Last but not least, the categories re-

ﬂect the duration of the identiﬁers: long-term or short-

term. We consider virtual identiﬁers (FIDIS project,

2008a) only. The goal of the categories is to gener-

alise the similarities in identiﬁers so that it is possible

to deﬁne useful operations. The categories are based

on categories established by (Pol

ak et al., 2014b)

with two differences: (1) the categories are labeled

and (2) we add the category L7Resource.

We distinguish the following categories:

L4Flow — Bi-directional TCP and UDP ﬂows.

IPAddr — IP addresses (typically short-term dura-

tion and dynamically assigned) identify an inter-

face of a network node.

IfcOrComp — Long-term identiﬁers of computers

or network interfaces, such as MAC addresses,

DUIDs, and hidden identiﬁers, such as clock skew

values and browser ﬁngerprints.

AAAUser — Usernames of authentication protocols

such as RADIUS, or PPP that identify a set of net-

work devices controlled by a unique virtual per-

son or a household depending on the network.

L7User — Application layer usernames (for exam-

ple, login names, account identiﬁers, e-mail ad-

dresses) identify a unique virtual person in a spe-

ciﬁc context or a role. Usually, application layer

usernames appear at least once in each session

of an application layer protocol. Nevertheless,

such session may be composed of several trans-

port layer ﬂows (for example, SIP, FTP).

L7Resource — An application layer resource such as

a chat room or a web page URI.

AAAUser and L7User identiﬁers are very close to

the natural person whereas L4Flow and IPAddr iden-

tify devices. As the use cases often seek for trans-

lation between natural persons and devices or vice

versa, such identiﬁers are common input or output

identiﬁers of the queries in the proposed model.

5.2 Graph Model for Identiﬁer Linking

For identiﬁer linking, we store identiﬁers in an undi-

rected labeled property graph (Robinson et al., 2015).

A labeled property graph consists of nodes (vertices)

and relationships between nodes; each relationship

is represented as an oriented edge connecting two

nodes. A labeled property graph allows multiple rela-

tionships between a pair of nodes. Both nodes and re-

lationships can contain properties as key-value pairs.

In the proposed model, each node (vertex) repre-

sents a single identiﬁer. Additionally, each node con-

tains the category of the node as a property. The edges

of the proposed model have no orientation.

When an identity source detects a connection be-

tween identiﬁers, the relationship is inserted into

the graph of identiﬁers as an edge. Each relation-

ship is valid during a speciﬁc period; the relationship

can have an inaccuracy quantiﬁed by the detection

method. The detection method, validity, and inaccu-

racy are stored as properties of the relationships in

undirected labeled property graphs.

For example, the IP address of a computer of John

Doe can be conﬁgured through a dynamic protocol

such as RADIUS. In that case, the virtual person au-

thenticates a device to the network, and the network

assigns the device a dynamic IPv4 address. Such as-

signment is stored in a RADIUS server log ﬁles; it

can also be learned from an analysis of RADIUS traf-

ﬁc. In addition, the device might obtain an IPv6 pre-

ﬁx through DHCPv6. Figure 2 shows the graph con-

structed in this example.

DCNET 2020 - 11th International Conference on Data Communication Networking

AAAUser

RadiusLogin: JohnDoe

IfcOrComp

MAC: aa:bb:cc:00:11:22

IPv4: 10.0.0.1

IPAddr

source RADIUS log

valid from

2017-01-01T12:00

valid to

2017-01-01T13:00

inaccuracy 0

IPv6: 2001:db8::/64

source DHCPv6 log

valid from 2017-01-01T12:01

valid to 2017-01-01T12:31

inaccuracy 0

Figure 2: An example of a simple graph of detected identiﬁers.

5.3 Operations in Graphs of Identiﬁers

This subsection speciﬁes the operations designed for

queries during lawful interception, data retention, net-

work forensics, and security incident investigation.

For lawful interception, we deﬁne operations reﬂect-

ing the speciﬁc wording of a warrant. Note that it

is possible to limit queries in graphs of identiﬁers

by multiple constraints at the same time. A query

with multiple constraints yields identiﬁers that are ac-

cepted by all constraints.

The queries are deﬁned as walks in the graph.

For mathematical deﬁnitions of most of the opera-

tions presented in this paper refer to the Ph.D. the-

sis (Pol

ak, 2017).

5.3.1 Constraining Relations between Identiﬁers

For both network forensics and lawful interception,

it is essential to limit identiﬁer linking based on

the relationship between the identiﬁers. For example,

(1) Were all linked identiﬁers used by the same com-

puter? (2) Do all linked identiﬁers identify the same

virtual person?

Based on the restrictions on allowed relation-

ships (edges) between identiﬁers (nodes), the identity

graphs support the following constraints:

Other Corresponding Identiﬁers. This constraint

aims at cases like a warrant to intercept network trafﬁc

linkable to a DHCPv6 DUID. The intercept should

cover all IP addresses leased to the DHCPv6 DUID,

but it must not cover other IP addresses even if they

are assigned to the same interface.

Identiﬁers of a Speciﬁc Computer. The goal is to

detect identiﬁers belonging to the same computer. For

example, a lawful interception warrant may require

capturing all trafﬁc of a computer, or, a forensic inves-

tigator analyses if two IP addresses belong to the same

computer.

Note that the input identiﬁer for this constraint has

to be an identiﬁer of a computer or a computer net-

work interface(IPAddr or IfcOrComp).

Identiﬁers of Computers Where a Speciﬁc Virtual

Person Was Authenticated or Logged in. Some-

times, a lawful interception warrant orders intercep-

tion of all trafﬁc of all computers authenticated by

a speciﬁc virtual person or a digital forensic inves-

tigator needs such identiﬁers.

The input identiﬁer of this constraint is an iden-

tiﬁer of a virtual person, hence, only AAAUser or

L7User identiﬁers are allowed.

Identiﬁers of All Virtual Persons Accessing

a Speciﬁc Resource. When network forensics in-

vestigator needs to know what users have seen a spe-

ciﬁc resource, this constrain reveals the information.

All IP Addresses Accessing a Speciﬁc Resource.

For network forensics focusing on a resource, it is

usually beneﬁcial to learn all IP addresses that ac-

cessed the resource.

All Login Aliases. A single person can use multiple

L7User identiﬁers in parallel. Hence, it is beneﬁcial

to have an operation to learn all detected names be-

longing to a single person — aliases.

All User Accounts Logged in or Authenticated

from a Computer or a Set of Computers. The

goal is to reveal all virtual person identiﬁers linkable

to an identiﬁer of a computer identiﬁed by a category

IPAddr or IfcOrComp identiﬁer, or a set of computers

linkable to a category AAAUser or L7User identiﬁer.

All Accessed Resources. The goal is to determine

all resources accessed by a particular virtual person

(identiﬁed by a category AAAUser or L7User identi-

ﬁer) or a particular computer (identiﬁer by a category

IPAddr or IfcOrComp) identiﬁer.

Identity Linking in Computer Networks

5.3.2 Time Restrictions

The time limitations are essential for all considered

scenarios. Consider the following constraints:

• The investigator is interested only in identiﬁers

active during a particular period determined by

the investigator. Finding such identiﬁers in

a graph of identiﬁers consists of ﬁnding a path be-

tween the input identiﬁer and the linked identiﬁer,

such as all the relationships (edges) on the path

are valid during the whole period.

• The investigator is interested only in identiﬁers

active at any time during a particular period deter-

mined by the investigator. In this case, the path

consists of relationships (edges) that are valid

at some moment of the previous relationship on

the path and during the input period.

5.3.3 Path Inaccuracy

In case that some linking information is based on in-

accurate sources such as hidden identiﬁers (see Sec-

tion 4) or in case of network forensics investiga-

tion (Casey and Jaquet-Chiffelle, 2017), the linking is

not transitive. Let us deﬁne a cumulative inaccuracy

for a path in a graph of identiﬁers as the sum of the in-

accuracy of all edges on the path. Then, the query

in the graph can be limited with a threshold specify-

ing the maximal inaccuracy of the path from the input

identiﬁer to the linked identiﬁer. Another inaccuracy

constraints is to ignore all paths with an edge with a

cost higher than a threshold.

Note that the model expects that the accuracy is

speciﬁed by all detection methods with the same met-

ric and that the metric is additive. We leave the deﬁ-

nition of a universal metric for future research.

6 VALIDATION

The original mechanism (Pol

ak et al., 2014b) to link

identities is a part of the lawful interception system

developed at our university. The extended model pro-

posed in Section 5 released as open source software

linking

As a part of the lawful interception system,

graphs of identiﬁers were able to link identities that

were learned from many sources including DHCP,

DHCPv6, SLAAC (and IPv6 neighbor discovery in

general), PPPoE, RADIUS, XMPP, OSCAR, IRC,

YMSG, and SMTP. Identiﬁers from these protocols

http://www.ﬁt.vutbr.cz/

∼

ipolcak/prods.php.en?id=

397&notitle=1

were linked with IP addresses; which in turn were

used by custom 1 and 10 Gbps probes to capture traf-

ﬁc of the suspects.

Validation in Simulated Network. Consider an ex-

ample of a simulated network of an IPv6-enabled in-

ternet provider network. The provider authenticates

the MAC address of all devices by RADIUS. Each

device leases an IPv4 address and generates IPv6 ad-

dresses as the device needs (Narten et al., 2007). Fig-

ure 3 shows results of a complex forensic investiga-

tion in the simulated network. The example consid-

ers two monitoring scenarios: local and remote. In

the local monitoring scenario, the graph of identiﬁers

is constructed from information in local networks, in

this case, RADIUS log ﬁles, DHCP log ﬁles, and IPv6

neighbor discovery tracking (Pol

ak et al., 2014a). In

a remote scenario, the data in Figure 3 reﬂects the in-

ability to obtain the data used for local monitoring;

instead, the graph of identiﬁers for remote monitor-

ing is based on inaccurate data sources.

• The number of active IP addresses in the network

equals to a sum of the number of IP addresses re-

vealed by learning other corresponding identiﬁers

to each RADIUS login at a particular time.

• The average number of IP addresses linked to

each active IPv4 address in local monitoring is

computed by learning active IPv4 addresses at

each evaluation time t

and the number of linked

IP addresses to the input address by learning iden-

tiﬁers of a speciﬁc computer at the time t

• To present comparable results, the average num-

ber of IP addresses linked to each active IPv4 ad-

dress in remote monitoring is computed by learn-

ing active IPv4 addresses at each evaluation time

and the number of linked IP addresses evaluat-

ing the same query with an inaccuracy thresholds

of 3, 5, and 10 for the whole path.

As obvious from the Figure 3, the local and re-

mote monitoring use case provides the forensic inves-

tigator with different results. By modifying the inac-

curacy threshold, the forensic investigator can focus

only on data that most probably belong to the subject

of the investigation.

7 CONCLUSION

There are many sources of identiﬁers in computer net-

works. One of the challenges is to link information re-

vealed by several sources and methods. The linking is

DCNET 2020 - 11th International Conference on Data Communication Networking

0 30 60 90 120 150 180 210 240 270 300 330 360

120

150

180

Avg number of linked IP addresses

Count of detected IP addresses

Time of the monitoring [minutes]

Detected number of IP addresses

Local: average number of linked IP addresses

Remote: average number of linked IP addresses (max inacc. 3)

Remote: average number of linked IP addresses (max inacc. 5)

Remote: average number of linked IP addresses (max inacc. 10)

Figure 3: The number of detected IP addresses (right y axis) and linked average number of IP addresses (left y axis) in

the simulated internet service provider network.

applicable in (1) lawful interception as a lawful inter-

ception system has to identify trafﬁc of an intercep-

tion target according to the warrant allowing the in-

tercept, (2) data retention queries, (3) early stages of

network forensic investigative process, and (4) secu-

rity incident investigations.

This paper describes graphs of identiﬁers that ex-

tend the work of (Pol

ak et al., 2014b). Graphs of

identiﬁers can be built based on information from var-

ious sources, including trafﬁc traces, log ﬁles, and

inaccurate identiﬁcation methods. One of the essen-

tial extensions to the previous work is the time that

is an inherent part of graphs of identiﬁers. Conse-

quently, the investigation queries support time-related

queries. Another signiﬁcant extension is the support

of inaccurate identiﬁcation methods which quantify

the inaccuracy for each reported relation between two

identiﬁers.

The tool linking

is freely available and imple-

ments queries in graphs of identiﬁers as described in

this paper. We also provide an extensible log ﬁles con-

verter that currently allows processing log ﬁles of ISC

DHCP server and NCSA common/combined log for-

mat.

ACKNOWLEDGEMENTS

This work was supported by The Ministry of Ed-

ucation, Youth and Sports of the Czech Republic

from the National Programme of Sustainability (NPU

II); project IT4Innovations excellence in science -

LQ1602. We thank Frank Breitinger for his help dur-

ing the preparation of this paper.

REFERENCES

ATIS/TIA (2006). Lawfully Authorized Electronic Surveil-

lance. J-STD-025-B. Alliance for Telecommunica-

tions Industry Solutions/Telecommunications Indus-

try Association Joint Standard.

Atsa Etoundi Roger and Mboupda Moyo Achille (2012).

Multi-perspective cybercrime investigation process

modeling. International Journal of Applied Informa-

tion Systems, 2(2):14–20.

Banse, C., Herrmann, D., and Federrath, H. (2012). Track-

ing users on the internet with behavioral patterns:

Evaluation of its practical feasibility. In Information

Security and Privacy Research, volume 376 of IFIP

Advances in Information and Communication Tech-

nology, pages 235–248. Springer Berlin Heidelberg,

DE.

Carmagnola, F., Osborne, F., and Torre, I. (2010). User

data distributed on the social web: How to identify

users on different social systems and collecting data

about them. In Proceedings of the 1st International

Workshop on Information Heterogeneity and Fusion

in Recommender Systems, HetRec ’10, pages 9–15,

New York, NY, USA. ACM.

Casey, E. (2011). Digital Evidence and Computer Crime:

Forensic Science, Computers and the Internet. Aca-

demic Press, Elsevier Inc., USA. Third Edition.

Casey, E. and Jaquet-Chiffelle, D.-O. (2017). Do identities

matter? Policing: a Journal of Policy and Practice,

(Special Issue):1–14.

Da-Yu Kao (2015). Performing an APT investigation: Us-

ing people-process-technology-strategy model in dig-

ital triage forensics. In 2015 IEEE 39th Annual

Computer Software and Applications Conference, vol-

ume 3, pages 47–52.

ETSI (2009). ETSI TR 101 331: Lawful Interception (LI);

Requirements of Law Enforcement Agencies. Euro-

Identity Linking in Computer Networks

pean Telecommunications Standards Institute. Ver-

sion 1.3.1.

ETSI (2015). ETSI TS 102 657: Lawful Interception

(LI); Retained data handling; Handover interface for

the request and delivery of retained data. Euro-

pean Telecommunications Standards Institute. Ver-

sion 1.17.1.

FIDIS project (2008a). D2.13: Virtual Persons and Identi-

ties. David-Oliver Jaquet-Chiffelle (ed.), Version 1.0,

Available online at http://www.ﬁdis.net/resources/

ﬁdis-deliverables/identity-of-identity/#c2162.

FIDIS project (2008b). D3.8: Study on protocols with

respect to identity and identiﬁcation — an insight

on network protocols and privacy-aware communi-

cation. Marit Hansen and Ammar Alkassar (ed.),

Version 0.8. Available online at http://www.ﬁdis.net/

resources/ﬁdis-deliverables/hightechid/#c2216.

FIDIS project (2009). D17.4: Trust and Identiﬁcation in

the Light of Virtual Persons. David-Oliver Jaquet-

Chiffelle and Hans Buitelaar (ed.), Version 1.2. Avail-

able online at http://www.ﬁdis.net/resources/ﬁdis-

deliverables/identity-of-identity/#c2596.

Furnell, S. (2010). Online identity: Giving it all away?

Information Security Technical Report, 15(2):42–46.

Identity Theft and Reconstruction.

Herrmann, D., Gerber, C., Banse, C., and Federrath, H.

(2012). Analyzing characteristic host access patterns

for re-identiﬁcation of web user sessions. In Infor-

mation Security Technology for Applications, volume

7127 of Lecture Notes in Computer Science, pages

136–154. Springer Berlin Heidelberg, DE.

Jackson, G., Jones, S., Booth, G., Champod, C., and Evett,

I. (2006). The nature of forensic science opinion —

a possible framework to guide thinking and practicce

in investigation and in court proceedings. Science &

Justice, 46(1):33–44.

Jones, A. and Martin, T. (2010). Digital forensics and the

issues of identity. Information Security Technical Re-

port, 15(2):67–71. Identity Theft and Reconstruction.

Karabiyik, U. and Aggarwal, S. (2014). Audit: Auto-

mated disk investigation toolkit. The Journal of Digi-

tal Forensics, Security and Law, 2014(2):129–143.

Kirchler, M., Herrmann, D., Lindemann, J., and Kloft, M.

(2016). Tracked without a trace: Linking sessions

of users by unsupervised learning of patterns in their

DNS trafﬁc. In Proceedings of the 2016 ACM Work-

shop on Artiﬁcial Intelligence and Security, AISec

’16, pages 23–34, New York, NY, USA. ACM.

Kohno, T., Broido, A., and Claffy, K. C. (2005). Remote

physical device ﬁngerprinting. IEEE Transactions on

Dependable and Secure Computing, 2(2):93–108.

Laperdrix, P., Bielova, N., Baudry, B., and Avoine, G.

(2020). Browser ﬁngerprinting: A survey. ACM

Trans. Web, 14(2):8:1–8:33.

Narten, T., Draves, R., and Krishnan, S. (2007). Privacy

Extensions for Stateless Address Autoconﬁguration in

IPv6. IETF. RFC 4941 (Draft Standard).

Peled, O., Fire, M., Rokach, L., and Elovici, Y. (2013). En-

tity matching in online social networks. In 2013 In-

ternational Conference on Social Computing, pages

339–344.

Pﬁtzmann, A. and Hansen, M. (2010). A terminol-

ogy for talking about privacy by data minimiza-

tion: Anonymity, unlinkability, undetectability, un-

observability, pseudonymity, and identity manage-

ment. Technical report. Version 0.34, Available

online at https://dud.inf.tu-dresden.de/literatur/Anon

Terminology v0.34.pdf.

Pol

ak, L. (2017). Lawful Interception: Identity Detection.

PhD thesis, Brno University of Technology, Faculty of

Information Technology.

Pol

ak, L. and Frankov

a, B. (2015). Clock-skew-based

computer identiﬁcation: Traps and pitfalls. Journal

of Universal Computer Science, 21(9):1210–1233.

Pol

ak, L., Holkovi

c, M., and Matou

sek, P. (2014a). Host

Identity Detection in IPv6 Networks. In Communica-

tions in Computer and Information Science. Springer

Berlin Heidelberg, DE.

Pol

ak, L., Hranick

y, R., and Mart

ınek, T. (2014b). On

identities in modern networks. The Journal of Digital

Forensics, Security and Law, 2014(2):9–22.

Robinson, I., Webber, J., and Eifrem, E. (2015). Graph

Databases. O’Reilly Media, Inc., 1005 Gravenstein

Highway North, Sebastopol, CA, USA. Second Edi-

tion.

Ye Na, Zhao Yinliang, Dong Lili, Bian Genqing, Liu, E.,

and Clapworthy, G. J. (2013). User identiﬁcation

based on multiple attribute decision making in social

networks. China Communications, 10(12):37–49.

DCNET 2020 - 11th International Conference on Data Communication Networking