Abstract:
Network forensics is a nascent science that deals with the capture and analysis of the
network traffic and logs of intrusions. Network forensics characterizes intrusion or
misbehavior features in order to discover the source of security attacks. Network
forensics uses scientifically proven techniques to collect, fuse, identify, examine,
correlate, analyze, and document digital evidence. This information is collected from
multiple, actively processing digital sources and security sensors. The analysis results in
detecting and characterizing unauthorized network events meant to disrupt, corrupt,
and/or compromise system components. It also provides information to assist in incident
response and recovery from system compromise or disruption of services.
Network forensics goes beyond network security as it not only detects the attack, but
records the evidence as well. There are certain attacks which do not breach network
security policies but may be legally prosecutable. These crimes can be handled only by
network forensics. Forensic systems also act as a deterrent: attackers become cautious
and spend more time and energy covering their tracks in order to avoid prosecution. This
makes attacks costlier and reduces the rate of network crime, thereby enhancing security.
A generic process model for network forensic analysis was proposed based on various
existing digital forensics models. A methodology was formalized, specifically for
investigation based on network traffic. The proposed model is generic as it handles both
the real-time and post-attack scenarios. The term 'process model' is used to refer to our
and many other theoretical representations of the phases involved in network forensics. The
model has nine phases - preparation, detection, incident response, collection, preservation,
examination, analysis, investigation and presentation. The first five phases handle real-
time network traffic. The next four phases are common to real-time and post-attack
scenarios.
Many phases like preparation, detection, collection, preservation, and presentation in
our proposed generic process model have been extensively studied and researched.
Techniques for these phases have been developed and standardized. Research is now
focused on the examination, analysis, investigation and incident response phases. Few
frameworks have been proposed involving these phases. The term 'framework' is used to
mean a prototype implementation.
A framework is proposed for network forensic analysis, which will capture network
traffic data, correlate and analyze this data, perform fusion of alerts and attack
information and investigate the source of attack. The three phases of examination,
analysis and investigation are handled in three objectives: Identification and Correlation,
Data Fusion and Source Traceback.
Network events provide information about the attempts made in compromising the
system and help in attack reconstruction. Identifying important sessions of suspicious
activity will reduce the data to be analyzed. The correlation of events will validate the
occurrence of the malicious incident and guide the decision to proceed with the
investigation. An approach to examine packet captures and identify network events at
the application, transport and network layers was presented. Events specific to
distributed denial of service (DDoS) attacks, port scan attacks and cross-site scripting
(XSS) are identified and correlated. This approach is validated using an attack dataset.
Attack occurrence is ascertained and validated before proceeding with investigation.
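The examination step described above, as an added example that is not the thesis's own code: events are identified at three layers from constructed packet records (a SYN scan, a follow-up XSS probe, a SYN flood and one benign request), then correlated per victim host so that an incident is confirmed before investigation begins. The record fields, regex and thresholds are my assumptions.

```python
"""Identify network events at three layers and correlate them per victim host.

Added example (not the thesis's code): illustrates identifying port-scan
(transport layer), DDoS (network layer) and XSS (application layer) events
from packet records and correlating them to confirm an attack before
investigation. Packet records, field names and thresholds are constructed.
"""
import re
from collections import defaultdict

# Matches the most common script-injection shapes in an HTTP request line.
XSS_RE = re.compile(r"<\s*script|javascript:|\bon\w+\s*=", re.I)


def pkt(src, dst, dport, flags="S", payload=""):
    """Constructed packet record (what a capture parser would hand us)."""
    return {"src": src, "dst": dst, "dport": dport, "proto": "tcp",
            "flags": flags, "payload": payload}


# Constructed capture: a scan, a follow-up XSS probe, a SYN flood and one benign request.
PACKETS = (
    [pkt("10.0.0.5", "192.168.1.10", p) for p in (21, 22, 23, 25, 80, 443)]
    + [pkt("10.0.0.5", "192.168.1.10", 80, flags="PA",
           payload="GET /search?q=<script>alert(1)</script> HTTP/1.1")]
    + [pkt(f"172.16.0.{i}", "192.168.1.20", 80) for i in range(1, 11)]
    + [pkt("10.0.0.9", "192.168.1.10", 80, flags="PA",
           payload="GET /index.html HTTP/1.1")]
)


def port_scan_events(packets, min_ports=5):
    """Transport layer: one source sends SYNs to many distinct ports of one host."""
    ports = defaultdict(set)
    for p in packets:
        if p["proto"] == "tcp" and p["flags"] == "S":
            ports[(p["src"], p["dst"])].add(p["dport"])
    return [{"type": "portscan", "src": s, "dst": d, "ports": len(ps)}
            for (s, d), ps in ports.items() if len(ps) >= min_ports]


def ddos_events(packets, min_sources=5):
    """Network layer: many distinct sources flood SYNs at one destination."""
    sources = defaultdict(set)
    for p in packets:
        if p["proto"] == "tcp" and p["flags"] == "S":
            sources[p["dst"]].add(p["src"])
    return [{"type": "ddos", "dst": d, "sources": sorted(s)}
            for d, s in sources.items() if len(s) >= min_sources]


def xss_events(packets):
    """Application layer: HTTP payload carrying a script-injection pattern."""
    return [{"type": "xss", "src": p["src"], "dst": p["dst"]}
            for p in packets if XSS_RE.search(p["payload"])]


def correlate(events):
    """Group events by victim; confirm an incident (and proceed to investigation)
    when the host saw a DDoS or at least two different event types."""
    by_victim = defaultdict(list)
    for e in events:
        by_victim[e["dst"]].append(e)
    incidents = {}
    for dst, evs in by_victim.items():
        types = {e["type"] for e in evs}
        suspects = set()
        for e in evs:
            suspects.update(e["sources"] if "sources" in e else [e["src"]])
        incidents[dst] = {"types": sorted(types), "suspects": sorted(suspects),
                          "investigate": "ddos" in types or len(types) >= 2}
    return incidents


def analyze(packets):
    """Examination step: identify events at all three layers, then correlate."""
    return correlate(port_scan_events(packets) + ddos_events(packets) + xss_events(packets))


if __name__ == "__main__":
    for victim, inc in analyze(PACKETS).items():
        print(victim, inc)
```

The correlation rule is deliberately conservative: a lone port scan against a host is recorded as an event but does not by itself trigger the investigation phase, whereas the scan followed by an XSS probe from the same address does, which is the "validate before investigating" point of the paragraph.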
Attack information and alerts from multiple security sensors with complementary and
contradictory functionality are analyzed. Intrusion detection systems (Snort and Bro),
packet capture and analysis tools (tcpdump) or sniffers (Wireshark), traffic statistics tools
(tcpstat) and a security analysis console (BASE) are used. Data fusion is performed on the
alert and attack information generated by these sensors using the Dempster-Shafer theory of
evidence. The suspicious addresses and alert information are used in the investigation phase.
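The Dempster-Shafer fusion described above, as an added example and not the thesis's implementation: three sensors give complementary and partly contradictory verdicts about one source address (a Snort alert, a silent Bro, a tcpstat rate anomaly), each expressed as a mass function over the frame {attack, normal}, and Dempster's rule of combination fuses them into a belief and plausibility for "attack". The sensor masses and the decision threshold are constructed assumptions; the abstract does not state how the thesis assigns them.

```python
"""Fuse attack evidence from several sensors with Dempster's rule of combination.

Added example (not the thesis's code): shows how alerts from sensors with
complementary and contradictory verdicts (a Snort alert, a silent Bro, a
tcpstat volume anomaly) can be fused under Dempster-Shafer theory over the
frame {attack, normal}. The sensor masses below are constructed assumptions.
"""
from functools import reduce
from itertools import product

ATTACK, NORMAL = "attack", "normal"
THETA = frozenset({ATTACK, NORMAL})      # frame of discernment
H_ATTACK = frozenset({ATTACK})           # hypothesis we want belief in


def bpa(attack=0.0, normal=0.0):
    """Basic probability assignment; whatever is not committed to {attack} or
    {normal} stays on Theta as ignorance, so a sensor may be non-committal."""
    theta = 1.0 - attack - normal
    if min(attack, normal) < 0 or theta < -1e-12:
        raise ValueError("masses must be non-negative and sum to at most 1")
    return {H_ATTACK: attack, frozenset({NORMAL}): normal, THETA: max(theta, 0.0)}


def combine(m1, m2):
    """Dempster's rule: m(X) = sum_{B&C=X} m1(B)m2(C) / (1 - K),
    where K is the total mass on conflicting (disjoint) pairs."""
    fused, conflict = {}, 0.0
    for (b, mb), (c, mc) in product(m1.items(), m2.items()):
        x = b & c
        if x:
            fused[x] = fused.get(x, 0.0) + mb * mc
        else:
            conflict += mb * mc
    if conflict >= 1.0 - 1e-12:
        # Sensors fully contradict each other; the rule is undefined here, so
        # surface it rather than silently normalising garbage.
        raise ValueError("total conflict between sensors; cannot fuse")
    return {x: v / (1.0 - conflict) for x, v in fused.items()}


def fuse(*masses):
    """Fuse any number of sensors (Dempster's rule is associative and commutative)."""
    return reduce(combine, masses)


def belief(m, hyp):
    """Bel(H): mass on subsets of H (evidence that must support H)."""
    return sum(v for x, v in m.items() if x <= hyp)


def plausibility(m, hyp):
    """Pl(H): mass on sets intersecting H (evidence that could support H)."""
    return sum(v for x, v in m.items() if x & hyp)


# Constructed sensor verdicts for one suspicious source address.
SENSOR_EVIDENCE = {
    "snort":   bpa(attack=0.7),   # signature alert fired
    "bro":     bpa(normal=0.4),   # no notice raised: weak evidence of benign traffic
    "tcpstat": bpa(attack=0.6),   # packet-rate anomaly
}


def assess(evidence, threshold=0.7):
    """Fuse all sensors and decide whether the address goes on to traceback."""
    fused = fuse(*evidence.values())
    bel, pl = belief(fused, H_ATTACK), plausibility(fused, H_ATTACK)
    return {"belief": bel, "plausibility": pl, "investigate": bel >= threshold}


if __name__ == "__main__":
    print(assess(SENSOR_EVIDENCE))
```

Worked through by hand: Snort and Bro alone fuse to Bel(attack) = 7/12, below the threshold, because Bro's silence conflicts with the alert; adding tcpstat's independent anomaly raises it to 22/27 (about 0.81) with plausibility 25/27, so the address is handed to the investigation phase. The gap between belief and plausibility is the mass still sitting on Theta, i.e. how much the sensors jointly left undecided.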
IP traceback identifies the actual source of any packet sent across the Internet. The
source of the attack can be traced using packet marking mechanisms and attributed with
the attack. Two novel approaches are proposed as part of investigation phase -
Autonomous System based Deterministic Packet Marking (ASDPM) and Deterministic
Router and Interface Marking (DRIM). They involve deterministic marking of each
packet with the first internal router's information and either the AS Number (ASN) or the
number of the interface through which the packet reached the router.
A single packet is sufficient to detect the attack source. In ASDPM, we trace the first
internal router within the source AS of the attacker's network. In DRIM, we move one
step closer to the attacker and identify the interface on which the packet reached the
router. Simulations were performed to examine the feasibility of the approaches and
validate them using the discrete-event network simulator ns-2.
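The marking idea behind ASDPM and DRIM, as an added illustration rather than the thesis's ns-2 implementation: a packet entering the network on an edge interface of the first internal router is always marked with that router's identity plus the ASN (ASDPM) or the ingress interface (DRIM), any mark the attacker pre-set is overwritten, core interfaces never mark, and the victim recovers the origin from one packet. The 32-bit mark layout, the Packet and Router objects and the two-router topology are my assumptions; the abstract does not specify which header bits the thesis uses.

```python
"""Deterministic packet marking for single-packet traceback (ASDPM / DRIM idea).

Added illustration, not the thesis's implementation: the abstract says the
first internal router marks every packet with its own identity plus either the
source AS number (ASDPM) or the ingress interface number (DRIM), and that one
marked packet suffices at the victim. The 32-bit mark layout (16-bit router id,
16-bit ASN or interface), the Packet/Router objects and the topology are my
assumptions.
"""
from dataclasses import dataclass

ROUTER_BITS = 16
AUX_BITS = 16          # ASN (ASDPM) or interface number (DRIM)


def encode_mark(router_id, aux):
    """Pack router id and ASN/interface into one 32-bit mark (assumed layout)."""
    if not (0 <= router_id < 1 << ROUTER_BITS and 0 <= aux < 1 << AUX_BITS):
        raise ValueError("router id / aux value does not fit the mark fields")
    return (router_id << AUX_BITS) | aux


def decode_mark(mark):
    """Inverse of encode_mark: (router_id, aux)."""
    return mark >> AUX_BITS, mark & ((1 << AUX_BITS) - 1)


@dataclass
class Packet:
    src: str
    dst: str
    mark: int = 0      # header bits reused for the mark; the sender controls this initially


@dataclass
class Router:
    router_id: int
    asn: int
    edge_interfaces: frozenset      # interfaces facing customer/host networks
    scheme: str = "ASDPM"           # or "DRIM"

    def forward(self, pkt, in_iface):
        """Deterministic marking: a packet entering on an edge interface is always
        marked, overwriting any forged mark; core-facing interfaces never mark, so
        only the first internal router's mark survives to the victim."""
        if in_iface in self.edge_interfaces:
            aux = self.asn if self.scheme == "ASDPM" else in_iface
            pkt.mark = encode_mark(self.router_id, aux)
        return pkt


def traceback(pkt, scheme):
    """Victim side: recover the origin from a single packet, no per-flow state."""
    rid, aux = decode_mark(pkt.mark)
    if scheme == "ASDPM":
        return {"router_id": rid, "asn": aux}
    return {"router_id": rid, "interface": aux}


def simulate(scheme):
    """Attacker -> R1 (first internal router, edge iface 3) -> R2 (core) -> victim."""
    r1 = Router(router_id=0x0101, asn=64512, edge_interfaces=frozenset({3, 4}), scheme=scheme)
    r2 = Router(router_id=0x0202, asn=64512, edge_interfaces=frozenset(), scheme=scheme)
    # Attacker forges a mark pointing at an innocent router/AS; it must not survive.
    pkt = Packet(src="203.0.113.7", dst="198.51.100.10", mark=encode_mark(0x0F0F, 65000))
    pkt = r1.forward(pkt, in_iface=3)
    pkt = r2.forward(pkt, in_iface=1)
    return traceback(pkt, scheme)


if __name__ == "__main__":
    print("ASDPM:", simulate("ASDPM"))
    print("DRIM: ", simulate("DRIM"))
```

Two properties matter for the single-packet claim: marking is unconditional on edge interfaces, so a spoofed source address or a forged mark does not help the attacker, and downstream routers leave the field alone, so the victim never has to reassemble a path from many probabilistically marked packets. DRIM's interface number narrows the origin to one link behind the router, which is what "one step closer to the attacker" refers to.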