1 Introduction
Network forensics is a dedicated investigation technology that enables capture,
recording and analysis of network packets and events for investigative purposes. It
involves monitoring network traffic and determining if there is an anomaly in the
traffic and ascertaining whether it indicates an attack. If the attack is found, forensic
techniques enable investigators to identify and prosecute the attackers.
Google [1] revealed that the Gmail accounts of Chinese human rights activists
were targeted in December 2009. A review [2] of the major attacks of 2009 shows an
increase in security breaches. The large number of intrusions and the growing
sophistication of these cyber attacks are the driving force behind network forensics.
We extend our proposed network forensic system [3] for ICMP based network
attacks to handle TCP/IP attacks. The model lets forensic experts analyze only the
traffic that has been marked as suspicious, which makes storage cost effective and
speeds up the analysis of high bandwidth traffic. We identify the significant features
that enable attacks on the TCP/IP protocol. Rule sets for the various TCP/IP attacks
are designed and run as queries against the database to compute statistical parameters
and thresholds; this information is then used to validate the presence of an attack.
The paper is organized as follows: Section 2 provides a literature survey of related
work and the background on our proposed ‘Network Forensic System’. In section 3,
significant parameters for various TCP/IP based network attacks are correlated. Rule
sets are designed to identify and generate the statistics for some of the TCP attacks.
Section 4 describes the details of the experiments performed and results obtained.
Conclusions and future work are presented in section 5.
2 Background
Mukkamala and Sung [4] addressed the identification of significant features by
ranking the importance of input features. Almulhem and Traore [5] proposed the
architecture of a network forensics system that records data at both the host level and
the network level.
V. V Das, R. Vijaykumar et al. (Eds.): ICT 2010, CCIS 101, pp. 124–128, 2010.
© Springer-Verlag Berlin Heidelberg 2010
Network Forensic Analysis by Correlation of Attacks with Network Attributes 125
The main idea was to mark 'malicious' packets using a list of suspicious IP addresses
maintained by a group of sensors; building such a list is still an open challenge.
Staniford et al. [6] proposed a data reduction approach that infers event likelihood and
considers only the anomalous packets for further analysis, but that work concentrated
on detecting stealthy portscans. Bailey et al. [7] focused on scalable monitoring of
darknets and on reducing the amount of data reaching forensic honeypots with
source-distribution based methods. Maier et al. [8] suggested storing network traffic
only up to a cutoff of bytes per connection. Our approach, in contrast, reduces the data
kept for forensic analysis by correlating each attack with the network features
identified as significant for it.
Sample SQL queries for some of the attacks on TCP are shown below. Queries of the
same form are written for all the attacks and run against the database to generate the
statistics. The validation phase also consists of SQL queries, which read the database
updated by the analysis phase.
Sample SQL queries to generate the statistics and reports

XMAS Scan
Analysis (flag = 41 is FIN+PSH+URG; packets sent by the host itself are excluded)
INSERT INTO xmas (src_ip, xmascount)
  SELECT src_ip, COUNT(src_ip) AS xmascount FROM tcp
  WHERE flag = 41 AND src_ip != host_ip GROUP BY src_ip;
Reporting
SELECT src_ip, xmascount FROM xmas WHERE xmascount >= 1;

SYN/FIN Attack
Analysis (flag = 3 is SYN+FIN)
INSERT INTO sinfin (src_ip, sfcount)
  SELECT src_ip, COUNT(src_ip) AS sfcount FROM tcp
  WHERE flag = 3 AND src_ip != host_ip GROUP BY src_ip;
Reporting
SELECT src_ip, sfcount FROM sinfin WHERE sfcount >= 1;
The marked packets are imported into the MySQL database named 'packet_attributes'.
The analysis phase is then executed; it updates the database and produces the statistics
against which the thresholds are checked. The attack validation phase is executed next,
and its results are shown in Table 2. It also reported the date of attack, Wed, 24 Feb
2010 (not included in the Table), for each of the launched attacks. The thresholds
chosen for the attacks in our experiments are 5, 5, 1, 1, 1, 1 and 1 respectively. Since
the last five attacks are launched with packets (flag combinations) that legitimate
traffic does not normally use, low threshold values were chosen for them. The threshold
values are chosen for a low traffic network environment similar to our institute's
network.
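As an added worked example (not code from the paper), the following Python script reproduces the analysis and validation phases described above on an in-memory SQLite table instead of the paper's MySQL 'packet_attributes' database. The packet rows, the sensor address 10.0.0.5 standing in for host_ip, the column names other than src_ip and flag, the result table names, and the extra NULL-scan rule (flag = 0) are assumptions; the thresholds of 1 follow the paper's choice for flag combinations that legitimate traffic does not use. The script also decodes the flag byte so the reader can see why the paper matches 41 for XMAS and 3 for SYN/FIN.

```python
import sqlite3

# TCP flag bits as they land in the `flag` column of a packet-attribute table:
# FIN=1, SYN=2, RST=4, PSH=8, ACK=16, URG=32. Hence 41 = FIN|PSH|URG (XMAS) and
# 3 = SYN|FIN.
FLAG_BITS = [("FIN", 1), ("SYN", 2), ("RST", 4), ("PSH", 8), ("ACK", 16), ("URG", 32)]
FIN, SYN, RST, PSH, ACK, URG = (bit for _, bit in FLAG_BITS)

# Assumed sensor address, playing the role of the paper's host_ip.
HOST_IP = "10.0.0.5"

# Constructed packet attributes (src_ip, dst_ip, dst_port, flag); not a real capture.
SAMPLE_PACKETS = [
    ("192.0.2.10", HOST_IP, 22, FIN | PSH | URG),   # XMAS probe
    ("192.0.2.10", HOST_IP, 80, FIN | PSH | URG),   # XMAS probe, same source
    ("192.0.2.20", HOST_IP, 443, SYN | FIN),        # SYN/FIN probe
    ("192.0.2.30", HOST_IP, 25, 0),                 # NULL scan (no flags set)
    ("198.51.100.7", HOST_IP, 80, SYN),             # legitimate handshake
    ("198.51.100.7", HOST_IP, 80, ACK),
    (HOST_IP, "198.51.100.7", 80, SYN | ACK),       # our own reply; excluded by src_ip != host_ip
]

# Rule set: result table name -> (flag value to match, validation threshold).
# Table names come only from this fixed dict, never from input, so they can be
# interpolated into the SQL text; packet values always go through parameters.
RULES = {
    "xmas": (FIN | PSH | URG, 1),
    "synfin": (SYN | FIN, 1),
    "nullscan": (0, 1),
}


def flag_names(flag):
    """Decode a TCP flags byte, e.g. 41 -> 'FIN|PSH|URG'; 0 -> 'NONE' (NULL scan)."""
    names = [name for name, bit in FLAG_BITS if flag & bit]
    return "|".join(names) if names else "NONE"


def load_packets(conn, packets):
    """Stand-in for importing the marked packets into the `tcp` table."""
    conn.execute("CREATE TABLE tcp (src_ip TEXT, dst_ip TEXT, dst_port INTEGER, flag INTEGER)")
    conn.executemany("INSERT INTO tcp VALUES (?, ?, ?, ?)", packets)


def analysis_phase(conn, host_ip):
    """Per-attack aggregation, the same shape as the paper's INSERT ... SELECT queries."""
    for table, (flag, _) in RULES.items():
        conn.execute(f"CREATE TABLE {table} (src_ip TEXT, cnt INTEGER)")
        conn.execute(
            f"INSERT INTO {table} (src_ip, cnt) "
            "SELECT src_ip, COUNT(src_ip) FROM tcp "
            "WHERE flag = ? AND src_ip != ? GROUP BY src_ip",
            (flag, host_ip),
        )


def validation_phase(conn):
    """Reporting: sources whose per-attack count reaches that attack's threshold."""
    report = {}
    for table, (_, threshold) in RULES.items():
        report[table] = conn.execute(
            f"SELECT src_ip, cnt FROM {table} WHERE cnt >= ? ORDER BY src_ip",
            (threshold,),
        ).fetchall()
    return report


def run(packets=SAMPLE_PACKETS, host_ip=HOST_IP):
    """Load, analyze and validate; returns {attack: [(src_ip, count), ...]}."""
    conn = sqlite3.connect(":memory:")
    load_packets(conn, packets)
    analysis_phase(conn, host_ip)
    return validation_phase(conn)


if __name__ == "__main__":
    for attack, (flag, threshold) in RULES.items():
        print(f"{attack}: flag={flag} ({flag_names(flag)}), threshold={threshold}")
    for attack, rows in run().items():
        print(attack, rows)
```

On the constructed input the report lists 192.0.2.10 twice-counted under xmas, 192.0.2.20 under synfin and 192.0.2.30 under nullscan, while the host's own SYN|ACK reply and the normal handshake from 198.51.100.7 produce no rows. When porting this to the paper's MySQL setup, where host_ip appears as a column of the tcp table, the `src_ip != ?` parameter becomes a comparison against that column.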
To validate our framework we ran the same dataset through the popular IDS Snort.
Snort gave a false negative for the null scan; the remaining attacks were alerted by
Snort in the same manner as by our model.
References
1. The official Google blog, http://googleblog.blogspot.com/2010/01/new-approach-to-china.html
2. DDOS attackers continue hitting Twitter, Facebook, Google, http://www.computerworld.com/s/article/9136402/DDOS_attackers_continue_hitting_Twitter_Facebook_Google
3. Kaushik, A.K., Joshi, R.C.: Network Forensic System for ICMP Attacks. Int'l J. of Comp. App. 2(3), 14–21 (2010)
4. Mukkamala, S., Sung, A.H.: Identifying Significant Features for Network Forensic Analysis Using Artificial Intelligent Techniques. Int'l J. of Dig. Evidence 1(4), 1–17 (2003)
5. Almulhem, A., Traore, I.: Experience with engineering a network forensics system. In: Kim, C. (ed.) ICOIN 2005. LNCS, vol. 3391, pp. 62–71. Springer, Heidelberg (2005)
6. Staniford, S., Hoagland, J.A., McAlerney, J.M.: Practical automated detection of stealthy portscans. J. of Comp. Security 10(1/2), 105–136 (2002)
7. Bailey, M., Cooke, E., Jahanian, F., Provos, N., Rosaen, K., Watson, D.: Data reduction for the scalable automated analysis of distributed darknet traffic. In: 5th USENIX/ACM Internet Measurement Conference, pp. 239–252 (2005)
8. Maier, G., Sommer, R., Dreger, H., Feldmann, A., Paxson, V., Schneider, F.: Enriching network security analysis with time travel. In: ACM SIGCOMM 2008, pp. 183–194 (2008)
9. Wireshark's User's Guide, http://www.wireshark.org