Abstract

Any network connected to the Internet is subject to cyber attacks. Strong security measures, forensic tools, and investigators together contribute to detecting and mitigating those attacks, reducing the damage and allowing the network to be restored to normal operation, thus increasing the cybersecurity of the networked environment. This paper addresses the use of a forensic approach with Deep Packet Inspection (DPI) to detect anomalies in network traffic. As cyber attacks may occur on any layer of the TCP/IP networking model, DPI is an effective way to reveal suspicious content in the headers or the payloads at any packet processing layer, except of course where the payload is encrypted. Although efficient, this technique still faces significant challenges. The contribution of this paper lies in combining DPI with forensic analysis to evaluate different attacks against a Honeynet operating in a network laboratory at the University of Brasilia. From this perspective, the work identified and mapped the content and behavior of attacks such as the Mirai botnet and brute-force attacks targeting various network services. The results demonstrate the behavior of automated attacks (such as worms and bots) and non-automated attacks (brute-force attempts conducted with different tools). The collected and analyzed data are then used to generate statistics on the usernames and passwords used, the distribution of source IP addresses and targeted services, among other elements. The paper also discusses the importance of network forensics and Chain of Custody procedures in conducting investigations and shows the effectiveness of these techniques in evaluating different attacks on networks.

Highlights

  • It is no longer possible to consider business and government services without the use of the Internet

  • The main contribution of this paper is to characterize real attacks using Deep Packet Inspection (DPI): evaluating the modus operandi of bots (i.e., W32.IRC) and botnets (i.e., Mirai), evaluating the behavior of brute-force attacks conducted either by humans or by bots, and providing statistics on the distribution of attack sources and protocols used, together with link analysis of the data

  • DPI proved effective in detecting the anomalies shown in this article and provided information about the attackers' behavior. Although it faces challenges and possible misuse depending on the data source or the analysis, its use can help investigators detect anomalies at any layer of their network


Summary

Introduction

The impressive growth rate of the Internet and its technologies allows many companies and government agencies to provide their services online, bringing more convenience to users. Deep Packet Inspection (DPI) consists of a thorough examination of the fields contained in the packets that flow within the investigated network. It allows anomalies in the network flow to be detected, along with other information that is useful for incident response, such as the IP addresses involved and the type, time and duration of the attack, as well as other data that helps security professionals mitigate incidents. This paper provides DPI and analysis of network traffic data obtained from a Honeynet maintained for research purposes in a network laboratory at the University of Brasilia.
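The following is an added example, not the paper's own tooling, of what a DPI pass over raw packets looks like in practice: it parses the IPv4 and TCP header fields of each packet, flags TCP flag combinations that never occur in legitimate traffic (the kind of anomaly the paper's layer 4 analysis looks for), string-matches the payload against a watchlist, and aggregates per-port and per-source counts of the kind used to build service and IP distribution statistics. The packets, the watchlist strings and the IP addresses are all constructed for the example; checksums are not computed or verified.

```python
from __future__ import annotations
import struct
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# TCP flag bits (RFC 793 layout of the flags byte).
TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK, TCP_URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Constructed watchlist of strings a Telnet brute-forcer or bot might send.
# Purely illustrative; not taken from the paper's captures.
WATCHLIST = (b"root", b"admin", b"enable", b"system", b"shell", b"/bin/busybox")


@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: int
    payload: bytes


def parse_ipv4_tcp(raw: bytes) -> Packet:
    """Pull the layer 3/4 fields out of a raw IPv4+TCP packet (no link layer)."""
    ihl = (raw[0] & 0x0F) * 4            # IPv4 header length in bytes
    if raw[9] != 6:
        raise ValueError("only TCP is handled in this example")
    src = ".".join(str(b) for b in raw[12:16])
    dst = ".".join(str(b) for b in raw[16:20])
    tcp = raw[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4        # TCP header length in bytes
    return Packet(src, dst, sport, dport, tcp[13], tcp[data_off:])


def tcp_flag_anomalies(flags: int) -> List[str]:
    """Flag combinations that a conforming TCP stack never emits."""
    findings = []
    if flags & TCP_SYN and flags & TCP_FIN:
        findings.append("SYN+FIN")
    if flags == 0:
        findings.append("NULL scan")
    xmas = TCP_FIN | TCP_PSH | TCP_URG
    if flags & xmas == xmas:
        findings.append("XMAS scan")
    return findings


def payload_matches(payload: bytes) -> List[bytes]:
    """Simple string matching of the payload against the watchlist."""
    return [s for s in WATCHLIST if s in payload]


def inspect_packet(raw: bytes) -> Dict:
    pkt = parse_ipv4_tcp(raw)
    return {"src": pkt.src, "dst": pkt.dst, "dport": pkt.dport,
            "flag_anomalies": tcp_flag_anomalies(pkt.flags),
            "payload_hits": payload_matches(pkt.payload)}


def summarize(raws: List[bytes]) -> Dict:
    """Per-port and per-source distribution plus the packets worth a closer look."""
    by_port, by_src, flagged = Counter(), Counter(), []
    for raw in raws:
        r = inspect_packet(raw)
        by_port[r["dport"]] += 1
        by_src[r["src"]] += 1
        if r["flag_anomalies"] or r["payload_hits"]:
            flagged.append(r)
    return {"by_port": dict(by_port), "by_src": dict(by_src), "flagged": flagged}


def build_ipv4_tcp(src: str, dst: str, sport: int, dport: int,
                   flags: int, payload: bytes = b"") -> bytes:
    """Construct a raw IPv4+TCP packet for testing (checksums left at zero)."""
    src_b = bytes(int(x) for x in src.split("."))
    dst_b = bytes(int(x) for x in dst.split("."))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0, src_b, dst_b)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return ip + tcp + payload


# Constructed sample capture (documentation addresses, not real attackers).
SAMPLE_CAPTURE = [
    build_ipv4_tcp("203.0.113.5", "192.0.2.10", 40000, 23, TCP_SYN),
    build_ipv4_tcp("203.0.113.5", "192.0.2.10", 40000, 23, TCP_PSH | TCP_ACK, b"root\r\n"),
    build_ipv4_tcp("203.0.113.7", "192.0.2.10", 40001, 445, TCP_SYN | TCP_FIN),
    build_ipv4_tcp("198.51.100.9", "192.0.2.10", 40002, 80, TCP_PSH | TCP_ACK, b"GET / HTTP/1.1\r\n"),
]

if __name__ == "__main__":
    for line in summarize(SAMPLE_CAPTURE).items():
        print(*line)
```

The watchlist match is deliberately naive substring matching; a production DPI engine would use a multi-pattern matcher and reassemble TCP streams first, since a credential split across two segments would slip past a per-packet check like this one.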

Review of the State of the Art about Packet Analysis and Related Work
Deep Packet Inspection
DPI Common Challenges and Requirements
Network Forensics and the Cybersecurity Market
Related Research about Deep Packet Inspection
Network Forensics
Investigation Procedures
Network Anomaly Detection
String Matching
Header and Payload Analysis
Data Link Layer
Network Layer
Transport Layer
Application Layer
DPI Applied to Honeynet Traffic and Attacks
Description of the Architecture
Layer 3 Header Analysis
Classification of Traffic by Its Geoinformation
Classification of Traffic towards Its Destination in the Honeynet
Layer 4 Header Analysis
Classification of Traffic by Its Destination Port
TCP Flag Anomalies
Layer 5 to 7 Payload Analysis
Traffic Analysis of Port 23
Evaluating Mirai Details
Traffic Analysis of Ports 445 and 139
Traffic Analysis of Port 80
Traffic Analysis of Port 21
Traffic Analysis of Port 123
Findings
Conclusions