NETWORK FORENSIC ANALYSIS BY CORRELATION OF ATTACKS WITH NETWORK ATTRIBUTES

Abstract

Internet is facilitating numerous services while being the most commonly attacked environment. Hackers attack the vulnerabilities in the protocols used. Network forensics involves monitoring network traffic and determining if anomalies in the traffic indicate an attack. The network forensic techniques enable investigators to trace and prosecute the attackers. The network traffic is stored, examined and analyzed to detect attacks and discover their source. The amount of data stored as packet captures are voluminous and difficult to handle and there is a serious need to reduce the amount of data to be analyzed. Data reduction is one of the major research challenges in network forensics. In this dissertation entitled "NETWORK FORENSIC ANALYSIS BY CORRELATION OF ATTACKS WITH NETWORK ATTRIBUTES ", a framework is proposed which addresses the major challenges in collection, examination and analysis processes. This framework overcomes the problems in handling large volumes of network data required for analysis. This model has been built with reference to the security attacks specific to TCP and ICMP. The packet capture file is analyzed for significant TCP and ICMP attack features and suspicious packets are marked. The header information encapsulated in the marked packets is ported to a database. Rule sets designed for various TCP and ICMP attacks are queried on the database to calculate various statistical thresholds which validate the presence of attacks. The analysis of marked packets. is easy to manage as the data is reduced. The protocol features usually manipulated by the attackers is available in database format for next stage analysis and investigation. The proposed strategy can be extended to increasing number of security attacks on various other protocols. The model has been tested with sample attack datasets and resulted in significant data reduction. The analysis results are also compared with the attack alerts given by the popular IDS, Snort. The results validate the correctness of the framework and give extra information about the source of attacks.