
Network Forensic Analysis by Correlation of Attacks with Network Attributes

Atul Kant Kaushik, Emmanuel S. Pilli, and R.C. Joshi

Department of Electronics and Computer Engineering,
Indian Institute of Technology Roorkee, Roorkee, India
{akk22pec,emshudec,rcjosfec}@iitr.ernet.in, emmshub@gmail.com

Abstract. Network forensics involves the capture, recording, and analysis of
network events in order to discover the source of security attacks and other
problem incidents. We extend our previously proposed model for collecting
network data, identifying suspicious packets, examining protocol features
misused and correlating attack attributes. This model is capable of handling
attacks on the TCP/IP suite. The results obtained by this model are validated.

Keywords: Network forensics, pcap, Perl, TCP/IP, correlation, investigation.

1 Introduction
Network forensics is a dedicated investigation technology that enables capture,
recording and analysis of network packets and events for investigative purposes. It
involves monitoring network traffic and determining if there is an anomaly in the
traffic and ascertaining whether it indicates an attack. If the attack is found, forensic
techniques enable investigators to identify and prosecute the attackers.
Google [1] revealed that the Gmail accounts of Chinese human rights activists
were targeted in December 2009. A review [2] of the major attacks of 2009 documents an
increase in security breaches. The large number of intrusions and the increasing
sophistication of these cyber attacks are the driving force behind network forensics.
We extend our proposed network forensic system [3] for ICMP based network
attacks to handle TCP/IP attacks. This model enables forensic experts to analyze only
the marked suspicious network traffic, thus facilitating cost-effective storage and faster
analysis of high-bandwidth traffic. We identify the protocol features whose misuse
characterizes each attack on the TCP/IP suite. Rule sets for various TCP/IP attacks have
been designed and are run against the database to calculate various statistical parameters
and thresholds. This information is used for validating the presence of attacks.
The paper is organized as follows: Section 2 provides a literature survey of related
work and the background on our proposed ‘Network Forensic System’. In section 3,
significant parameters for various TCP/IP based network attacks are correlated. Rule
sets are designed to identify and generate the statistics for some of the TCP attacks.
Section 4 describes the details of the experiments performed and results obtained.
Conclusions and future work are presented in section 5.

V.V. Das, R. Vijaykumar et al. (Eds.): ICT 2010, CCIS 101, pp. 124–128, 2010.
© Springer-Verlag Berlin Heidelberg 2010

2 Background
Mukkamala and Sung [4] addressed the issue of identification of significant features
by ranking the importance of input features. Almulhem and Traore [5] proposed the
architecture of a network forensics system that records data at the host-level and
network-level. The main idea was to mark the ‘malicious’ packet using a list of
suspicious IP addresses maintained by a group of sensors. It is still an open challenge
to identify such a list of IP addresses. Staniford et al. [6] proposed a data reduction
approach to infer the event likelihood and only consider the anomalous packets for
further analysis. However, that work concentrated only on detecting stealthy
portscans. Bailey et al. [7] focused on scalable monitoring of darknets and reducing
the amount of data for the forensic honeypots by using source-distribution based
methods. Maier et al. [8] suggested storing the network traffic up to a cutoff limit of
bytes per connection. Our approach, however, focuses on data reduction for forensic
analysis of network attacks by correlating the attacks and corresponding identified
significant network features.

2.1 Proposed Model for Network Forensics

We have proposed a model [3] for network forensics which includes five phases, as
shown in Figure 1:
(1) Collection: collects packets in pcap format using various tools and extracts
packet attributes.
(2) Identification and Marking: correlates the various network attacks with the
network parameters each one affects, and marks the packets that match.
(3) Conversion into database: creates the database of packet attributes, keeping only
the features which are useful for analysis.
(4) Analysis: generates various statistical data by analyzing the database on the basis
of the designed rule sets.
(5) Validation and Investigation: validates the network attack events and reports the
attacker information based on the statistics generated.

Fig. 1. Network forensic system for TCP/IP attacks

3 Network Forensic System for TCP/IP Attacks

Our proposed framework [3] is extended to handle attacks on the various protocols of
the TCP/IP suite. The correlation between attacks on TCP and the significant parameters
manipulated is shown below in Table 1. In the analysis phase the rule sets (SQL
queries) for the various TCP attacks are added.

Table 1. Correlation of TCP attacks and protocol features misused
(flag is the numeric value of the 8-bit TCP flags field: URG = 32, ACK = 16,
PSH = 8, RST = 4, SYN = 2, FIN = 1)

Attacks on TCP     Significant Parameters
SYN Flood          S & A Flags (flag = 18)
SYN Scan           S Flag (flag = 2)
XMAS Scan          URG, FIN & PUSH Flags (flag = 41)
NULL Scan          No flags set (flag = 0)
Land Attack        S Flag, Source & Destination IP Address
SYN/FIN Attack     S & F Flags (flag = 3)
S/D Port Attack    Source & Destination Port
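As an added example (not the authors' Perl tooling), the collection and identification/marking phases of Section 2.1 driven by the rules of Table 1, in Python: the parser reads a classic libpcap file into the attributes the paper stores (addresses, ports, the flags byte, sequence and acknowledgement numbers) and labels each packet with the rule it matches, dropping the rest. The capture bytes and the addresses 10.0.0.10 (monitored host), 10.0.0.20 and 10.0.0.99 are constructed for the example, and reading "S/D Port Attack" as a packet whose source port equals its destination port is an assumption, since the paper does not define it.

```python
import socket
import struct

# Bits of the TCP flags byte (offset 13 of the TCP header); Table 1's "flag"
# values are this byte read as an integer, e.g. SYN|ACK = 18, URG|PSH|FIN = 41.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def parse_pcap(data):
    """Collection phase: yield the stored attributes of every Ethernet/IPv4/TCP
    packet in a classic (non-pcapng) little-endian pcap byte string."""
    if struct.unpack_from("<I", data, 0)[0] != 0xA1B2C3D4:
        raise ValueError("only classic little-endian pcap is handled here")
    off = 24                                   # skip the 24-byte global header
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _ = struct.unpack_from("<IIII", data, off)
        off += 16
        frame = data[off:off + incl_len]
        off += incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # not IPv4
            continue
        ip = frame[14:]
        if ip[9] != 6:                         # IPv4 protocol field: 6 = TCP
            continue
        tcp = ip[(ip[0] & 0x0F) * 4:]          # skip the IPv4 header (IHL words)
        if len(tcp) < 20:
            continue
        sport, dport, seq, ack = struct.unpack_from("!HHII", tcp, 0)
        yield {"ts": ts_sec + ts_usec / 1e6,
               "src_ip": socket.inet_ntoa(ip[12:16]),
               "dest_ip": socket.inet_ntoa(ip[16:20]),
               "sport": sport, "dport": dport,
               "seqnum": seq, "acknum": ack, "flag": tcp[13]}


def mark(pkt, host_ip):
    """Identification and marking phase: the Table 1 label a packet matches,
    or None when it matches no rule and is dropped from further analysis."""
    f = pkt["flag"]
    if f & SYN and pkt["src_ip"] == pkt["dest_ip"]:
        return "land"
    if f == 0:
        return "null_scan"
    if f == URG | PSH | FIN:
        return "xmas_scan"
    if f == SYN | FIN:
        return "syn_fin"
    if f == SYN | ACK and pkt["src_ip"] == host_ip:
        return "syn_flood"      # confirmed in the analysis phase if no ACK follows
    if f == SYN:
        return "syn_scan"       # note: a legitimate handshake's SYN is marked too
    if pkt["sport"] == pkt["dport"]:
        return "sd_port"        # assumed reading of "S/D Port Attack"
    return None


def summarize(pcap_bytes, host_ip):
    """Return (total packets, marked packets, count per label)."""
    total, marked, counts = 0, 0, {}
    for pkt in parse_pcap(pcap_bytes):
        total += 1
        label = mark(pkt, host_ip)
        if label:
            marked += 1
            counts[label] = counts.get(label, 0) + 1
    return total, marked, counts


# --- constructed sample capture (not the paper's isrgdt.pcap) ----------------
def tcp_frame(src, dst, sport, dport, flags, seq=0, ack=0):
    """Ethernet/IPv4/TCP frame with zero checksums (enough for parsing)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp


def build_pcap(frames):
    """Classic pcap: global header, then (record header, frame) pairs."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
    for i, fr in enumerate(frames):
        out += struct.pack("<IIII", 1266_000_000 + i, 0, len(fr), len(fr)) + fr
    return bytes(out)


HOST, CLIENT, ATTACKER = "10.0.0.10", "10.0.0.20", "10.0.0.99"   # assumed addresses
SAMPLE_PCAP = build_pcap([
    tcp_frame(CLIENT, HOST, 40000, 80, SYN, seq=1000),                  # handshake
    tcp_frame(HOST, CLIENT, 80, 40000, SYN | ACK, seq=5000, ack=1001),
    tcp_frame(CLIENT, HOST, 40000, 80, ACK, seq=1001, ack=5001),
    tcp_frame(CLIENT, HOST, 40000, 80, PSH | ACK, seq=1001, ack=5001),  # data
    tcp_frame(ATTACKER, HOST, 55555, 22, URG | PSH | FIN),              # XMAS probe
    tcp_frame(ATTACKER, HOST, 55556, 22, 0),                            # NULL probe
    tcp_frame(ATTACKER, HOST, 55557, 22, SYN | FIN),                    # SYN/FIN probe
    tcp_frame(HOST, HOST, 80, 80, SYN),                                 # Land packet
])

if __name__ == "__main__":
    print(summarize(SAMPLE_PCAP, HOST))
```

Run as a script it reports 8 packets seen and 6 marked: the two pure ACK/data packets of the legitimate connection are dropped, but its SYN is kept because Table 1 marks every flag = 2 packet. The reduction the model achieves therefore depends on how much of the capture carries flag values that no rule matches, which is why a SYN-heavy trace stays large after marking.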

Sample SQL queries for some of the attacks on TCP are shown below. Similarly, SQL
queries for all the attacks are written and run against the database to generate the
statistics. The validation phase also consists of SQL queries that use the database
updated by the analysis phase. In the queries, host_ip stands for the address of the
monitored host and flag for the numeric value of the TCP flags field.

Sample SQL queries to generate the statistics and reports

SYN FLOOD Attack
Analysis
-- A SYN-ACK (flag = 18) sent by the host whose seqnum + 1 never appears as the
-- acknum of a returning ACK (flag = 16) is a half-open connection; the attacker
-- is therefore the dest_ip of the SYN-ACK.
INSERT INTO synflood (src_ip, sfcount)
  SELECT dest_ip, COUNT(dest_ip) AS sfcount FROM tcp
  WHERE flag = 18 AND src_ip = host_ip AND dest_ip != host_ip
    AND (seqnum + 1) NOT IN (SELECT acknum FROM tcp WHERE flag = 16)
  GROUP BY dest_ip;
Reporting
SELECT src_ip, sfcount FROM synflood WHERE sfcount >= 5;

XMAS Scan
Analysis
-- URG, PSH and FIN set together (flag = 41) never occur in legitimate traffic.
INSERT INTO xmas (src_ip, xmascount)
  SELECT src_ip, COUNT(src_ip) AS xmascount FROM tcp
  WHERE flag = 41 AND src_ip != host_ip
  GROUP BY src_ip;
Reporting
SELECT src_ip, xmascount FROM xmas WHERE xmascount >= 1;

SYN/FIN Attack
Analysis
-- SYN and FIN set together (flag = 3) is an invalid combination.
INSERT INTO sinfin (src_ip, sfcount)
  SELECT src_ip, COUNT(src_ip) AS sfcount FROM tcp
  WHERE flag = 3 AND src_ip != host_ip
  GROUP BY src_ip;
Reporting
SELECT src_ip, sfcount FROM sinfin WHERE sfcount >= 1;
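The analysis and reporting phases end to end, as an added example that is not the paper's code: the three rule sets above, with host_ip bound as a query parameter, run in Python against an in-memory SQLite database instead of the authors' MySQL database, followed by the reporting queries with the thresholds used in Section 4 (5 for the SYN flood, 1 for the scans). The rows of the tcp table and the addresses 10.0.0.10, 10.0.0.20 and 10.0.0.99 are constructed for the example.

```python
import sqlite3

# Attribute table written by the conversion phase plus the three per-rule
# statistics tables. acknum is NOT NULL on purpose: one NULL in the NOT IN
# subquery below would make the whole SYN-flood rule return no rows.
SCHEMA = """
CREATE TABLE tcp (src_ip TEXT, dest_ip TEXT, sport INTEGER, dport INTEGER,
                  seqnum INTEGER, acknum INTEGER NOT NULL, flag INTEGER);
CREATE TABLE synflood (src_ip TEXT, sfcount INTEGER);
CREATE TABLE xmas     (src_ip TEXT, xmascount INTEGER);
CREATE TABLE sinfin   (src_ip TEXT, sfcount INTEGER);
"""

# Analysis phase: the paper's rule sets with host_ip bound as the :host parameter.
ANALYSIS = [
    """INSERT INTO synflood (src_ip, sfcount)
       SELECT dest_ip, COUNT(dest_ip) FROM tcp
       WHERE flag = 18 AND src_ip = :host AND dest_ip != :host
         AND (seqnum + 1) NOT IN (SELECT acknum FROM tcp WHERE flag = 16)
       GROUP BY dest_ip""",
    """INSERT INTO xmas (src_ip, xmascount)
       SELECT src_ip, COUNT(src_ip) FROM tcp
       WHERE flag = 41 AND src_ip != :host GROUP BY src_ip""",
    """INSERT INTO sinfin (src_ip, sfcount)
       SELECT src_ip, COUNT(src_ip) FROM tcp
       WHERE flag = 3 AND src_ip != :host GROUP BY src_ip""",
]

# Reporting phase: query plus the threshold used in the paper's experiment.
REPORT = {
    "synflood": ("SELECT src_ip, sfcount FROM synflood WHERE sfcount >= :t", 5),
    "xmas":     ("SELECT src_ip, xmascount FROM xmas WHERE xmascount >= :t", 1),
    "sinfin":   ("SELECT src_ip, sfcount FROM sinfin WHERE sfcount >= :t", 1),
}


def run_rules(rows, host_ip):
    """Load marked packets, run analysis then reporting; return {rule: [(ip, count)]}."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    con.executemany("INSERT INTO tcp VALUES (?, ?, ?, ?, ?, ?, ?)", rows)
    for sql in ANALYSIS:
        con.execute(sql, {"host": host_ip})
    report = {name: con.execute(sql, {"t": t}).fetchall()
              for name, (sql, t) in REPORT.items()}
    con.close()
    return report


# Constructed rows (src_ip, dest_ip, sport, dport, seqnum, acknum, flag); not the
# paper's dataset, addresses assumed.
HOST, CLIENT, ATTACKER = "10.0.0.10", "10.0.0.20", "10.0.0.99"
SAMPLE_ROWS = [
    (CLIENT, HOST, 40000, 80, 1000, 0, 2),        # legitimate handshake: SYN
    (HOST, CLIENT, 80, 40000, 5000, 1001, 18),    # SYN-ACK with seqnum 5000 ...
    (CLIENT, HOST, 40000, 80, 1001, 5001, 16),    # ... answered by an ACK of 5001
]
for i in range(6):                                # six half-open connections:
    SAMPLE_ROWS.append((ATTACKER, HOST, 50000 + i, 80, 2000 + i, 0, 2))
    SAMPLE_ROWS.append((HOST, ATTACKER, 80, 50000 + i, 7000 + i, 2001 + i, 18))
SAMPLE_ROWS += [                                  # the SYN-ACKs are never acknowledged
    (ATTACKER, HOST, 55555, 22, 0, 0, 41),         # XMAS probe
    (ATTACKER, HOST, 55556, 22, 0, 0, 3),          # SYN/FIN probe
]

if __name__ == "__main__":
    for rule, hits in run_rules(SAMPLE_ROWS, HOST).items():
        print(rule, hits)
```

The legitimate connection is excluded from the SYN-flood count because its SYN-ACK's seqnum + 1 appears as an acknum among the flag = 16 rows, while the six unanswered SYN-ACKs put the attacker over the threshold of 5. Two caveats for reuse: the rule correlates only on seqnum + 1 = acknum and not on which peer sent the ACK, so a stricter version would also match addresses and ports in the subquery; and it reports the source address carried by the SYNs, which a flooder can spoof (the trace-back the paper lists as future work).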

4 Experiments and Results

The implementation of the framework was executed and tested with the dataset
‘isrgdt.pcap’ generated in our lab. Normal internet activity was carried out by a user
and two systems were used to launch attack traffic. The entire traffic was logged using
Wireshark [9]. The dataset was 86.2 MB in size and contained Sweep, SYN flood, SYN
scan, Xmas scan and NULL scan attacks, launched using nmap, hping and Free Port
Scanner. Our proposed model was applied to reduce the dataset. The total number of
packets was 614300 and 276185 packets were marked, as shown in Figure 2. The
reduction achieved is 55.04%, which significantly reduces the analysis effort.

Fig. 2. Reduction on dataset ‘isrgdt.pcap’

The marked packets are loaded into the MySQL database named ‘packet_attributes’.
The analysis phase is executed, which updates the database and creates the statistics
for the thresholds. The attack validation phase is then executed; it reported the results
shown in Table 2. It also reported the date of attack as Wed, 24 Feb 2010 (not
included in the Table) for each of the launched attacks. The thresholds chosen for the
seven attacks in our experimentation are 5, 5, 1, 1, 1, 1 and 1 respectively, in the
order of Table 2. Since the last five attacks use packets that are not generally seen in
legitimate traffic, low threshold values were chosen. The threshold values are chosen
for a low-traffic network environment similar to our institute’s network.

Table 2. Result of reporting phase

Name of the Attack   IP Address        No of attack packets   Time of Attack
SYN Flood            192.168.111.203   232                    17:54:55 GMT
                     192.168.111.5     72                     17:54:52 GMT
SYN Scan             192.168.111.203   75539                  17:54:55 GMT
                     192.168.111.5     199341                 17:54:52 GMT
XMAS Scan            192.168.111.203   29                     17:54:56 GMT
                     192.168.111.5     11                     17:54:56 GMT
NULL Scan            192.168.111.203   28                     17:54:56 GMT
                     192.168.111.5     116                    17:54:56 GMT
Land Attack          No host has launched Land Attack
SYN/FIN Attack       No host has launched SYN/FIN Attack
S/D Port Attack      No host has launched S/D Port Attack
In order to validate our framework we ran the same dataset through the popular IDS
Snort. Snort produced a false negative for the NULL scan. The remaining attacks were
alerted by Snort in the same manner as by our model.

5 Conclusion and Future Work

The major challenge in network forensics is handling the massive size of network
packet captures. We address this problem by reducing the packet capture file size by
marking the attack packets using the packet header information. Our model shows a
significant reduction in the number of packets to be analyzed. The results validate the
correctness of the framework and, in the case of the NULL scan, are better than Snort’s.
The information reported will be useful for the investigation process. The number of
marked packets will increase as more attacks are added, but legitimate packets will
still be removed, which guarantees a reduction in the number of packets to be
investigated. The framework scales to an increasing number of attacks on any protocol.
We would like to extend the proposed framework by including an investigation
module, which will trace the actual attacker even if the IP address discovered by the
proposed framework is a spoofed one.

References
1. The official Google blog, http://googleblog.blogspot.com/2010/01/new-approach-to-china.html
2. DDOS attackers continue hitting Twitter, Facebook, Google, http://www.computerworld.com/s/article/9136402/DDOS_attackers_continue_hitting_Twitter_Facebook_Google
3. Kaushik, A.K., Joshi, R.C.: Network Forensic System for ICMP Attacks. Int’l J. of Comp. App. 2(3), 14–21 (2010)
4. Mukkamala, S., Sung, A.H.: Identifying Significant Features for Network Forensic Analysis Using Artificial Intelligent Techniques. Int’l J. of Dig. Evidence 1(4), 1–17 (2003)
5. Almulhem, A., Traore, I.: Experience with engineering a network forensics system. In: Kim, C. (ed.) ICOIN 2005. LNCS, vol. 3391, pp. 62–71. Springer, Heidelberg (2005)
6. Staniford, S., Hoagland, J.A., McAlerney, J.M.: Practical automated detection of stealthy portscans. J. of Comp. Security 10(1/2), 105–136 (2002)
7. Bailey, M., Cooke, E., Jahanian, F., Provos, N., Rosaen, K., Watson, D.: Data reduction for the scalable automated analysis of distributed darknet traffic. In: 5th USENIX/ACM Internet Measurement Conference, pp. 239–252 (2005)
8. Maier, G., Sommer, R., Dreger, H., Feldmann, A., Paxson, V., Schneider, F.: Enriching network security analysis with time travel. In: ACM SIGCOMM 2008, pp. 183–194 (2008)
9. Wireshark’s Users Guide, http://www.wireshark.org
