Data reduction by identification and correlation of TCP/IP attack attributes for network forensics

Pilli, Emmanuel S.; Joshi, Rohit; Niyogi, Rajdeep

doi:10.1145/1980022.1980085

Cited by 7 publications

(4 citation statements)

References 19 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In order to acquire evidences, various network forensic methods have been proposed to collect and analyze network data. Pilli proposed a method that collects packets under the TCP/IP protocol to analyze the common characteristics of attacks so as to filter suspicious packets [9]. However, high data rate of network traffic creates difficulties for network forensics in the capture and preservation of all network packets [10].…”

Section: Related Workmentioning

confidence: 99%

Network Forensics Method Based on Evidence Graph and Vulnerability Reasoning

Chang

Peng

et al. 2016

Future Internet

View full text Add to dashboard Cite

As the Internet becomes larger in scale, more complex in structure and more diversified in traffic, the number of crimes that utilize computer technologies is also increasing at a phenomenal rate. To react to the increasing number of computer crimes, the field of computer and network forensics has emerged. The general purpose of network forensics is to find malicious users or activities by gathering and dissecting firm evidences about computer crimes, e.g., hacking. However, due to the large volume of Internet traffic, not all the traffic captured and analyzed is valuable for investigation or confirmation. After analyzing some existing network forensics methods to identify common shortcomings, we propose in this paper a new network forensics method that uses a combination of network vulnerability and network evidence graph. In our proposed method, we use vulnerability evidence and reasoning algorithm to reconstruct attack scenarios and then backtrack the network packets to find the original evidences. Our proposed method can reconstruct attack scenarios effectively and then identify multi-staged attacks through evidential reasoning. Results of experiments show that the evidence graph constructed using our method is more complete and credible while possessing the reasoning capability.

show abstract

Section: Related Workmentioning

confidence: 99%

Network Forensics Method Based on Evidence Graph and Vulnerability Reasoning

Chang

Peng

et al. 2016

Future Internet

View full text Add to dashboard Cite

show abstract

“…Often, network forensics can be integrated with other techniques such as adaptive firewalls and malware and social network analysis . Further, maintaining network logs is not trivial, and analysis often requires the inspection of large files . To expedite the attribution mechanism, forensics can also be integrated with visualization tools .…”

Section: Survey Of Attribution Techniquesmentioning

confidence: 99%

Attribution in cyberspace: techniques and legal implications

Shamsi

Zeadally

Sheikh

et al. 2016

Security Comm Networks

View full text Add to dashboard Cite

Attribution of cybercrimes is significant in limiting the rate of crime as well as in preparing the required level of response. Motivated by this significance, we introduce a level-based approach for achieving attribution. In our proposed approach, attribution consists of three steps: (1) identification of the cyberweapon used; (2) determination of the origin of the attack; and (3) identification of the actual attacker. We conduct an in-depth analysis of recently proposed attribution techniques. Our analysis reveals that indirect methods of attribution are particularly effective when attributing cybercrimes; many of them remain unattributed. We also discuss some of the legal issues pertaining to attribution, and we argue that well-defined international laws for cyberspace along with strong cooperation among governments are needed to track down and punish cybercriminals.

show abstract

“…For example, Pilli et al [17] focus on reducing the file size of captured data. They consider only TCP/IP headers and additionally reduce file size with a filter.…”

Section: Network Forensicsmentioning

confidence: 99%

Network Forensics for Cloud Computing

Gebhardt

Reiser

2013

Distributed Applications and Interoperable Systems

View full text Add to dashboard Cite

Abstract.Computer forensics involves the collection, analysis, and reporting of information about security incidents and computer-based criminal activity. Cloud computing causes new challenges for the forensics process. This paper addresses three challenges for network forensics in an Infrastructure-as-a-Service (IaaS) environment: First, network forensics needs a mechanism for analysing network traffic remotely in the cloud. This task is complicated by dynamic migration of virtual machines. Second, forensics needs to be targeted at the virtual resources of a specific cloud user. In a multi-tenancy environment, in which multiple cloud clients share physical resources, forensics must not infringe the privacy and security of other users. Third, forensic data should be processed directly in the cloud to avoid a costly transfer of huge amounts of data to external investigators. This paper presents a generic model for network forensics in the cloud and defines an architecture that addresses above challenges. We validate this architecture with a prototype implementation based on the OpenNebula platform and the Xplico analysis tool.

show abstract

Data reduction by identification and correlation of TCP/IP attack attributes for network forensics

Cited by 7 publications

References 19 publications

Network Forensics Method Based on Evidence Graph and Vulnerability Reasoning

Network Forensics Method Based on Evidence Graph and Vulnerability Reasoning

Attribution in cyberspace: techniques and legal implications

Network Forensics for Cloud Computing

Contact Info

Product

Resources

About