Abstract

The information security field has shifted from a traditional siloed approach to an integrated one for the collection, dissemination and analysis of structured and unstructured information, serving both overall information protection and digital crime investigation. Digital crime has become a major problem because of the large volume of data being accessed, the inadequacy of current threat analysis techniques, and the growing amount of storage that investigating agencies must examine. Threat detection involves processing a large volume of uncertain information, and to reduce that uncertainty the analyst has to evaluate data collected from many different sources and from network threat databases. Because analysis and detection are data intensive, the data need to be harmonized and integrated, and combined with a visualization technique that can display a large amount of data at once, incorporating information from various sources and a variety of threat detection criteria (e.g., threat type, attacker behavior and motive, and the effect of the threat on resources). Data fusion together with integrated visualization (data distribution bars and rules, visualization of behavior, comprehensive analysis, and maps) lets investigating agencies examine different rules and data at different levels and spot any kind of anomaly. The primary aim of this study is a front-end, or upstream, approach to effective dynamic data fusion (DF)-based analysis and detection procedures, combined with a visualization technique, for network forensic investigation and threat analysis. Such procedures would be able to detect network trends and patterns and to integrate intrusion datasets from different sources. As a practical demonstration, the model has been implemented for the identification, analysis and detection of IP spoofing as an illustrative example.
The application in this study shows that this approach can increase the efficiency of digital forensic investigation through dynamic data integration and by incorporating information from existing intrusion detection systems into network threat investigation and analysis.
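A minimal worked example of the fusion idea, added here as an illustration and not taken from the paper (the paper's own model, datasets and visualization are not reproduced on this page): three independent evidence sources for IP spoofing are scored per source address and combined with a noisy-OR rule, so that one weak indicator alone does not raise an alarm while several agreeing indicators do. The internal prefixes, interface names, IDS signature weights and every packet and alert record are constructed assumptions for the example.

```python
"""Toy data-fusion detector for IP spoofing (added example; not the paper's model).

Each evidence source yields a score in [0, 1] per source address; the scores
are fused with noisy-OR, p = 1 - prod(1 - p_i). All inputs are constructed.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed organisational context: prefixes that only ever originate inside.
INTERNAL_PREFIXES = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Constructed packet-capture records: (src_ip, ingress_interface, ttl).
PACKETS = [
    ("10.0.5.7", "eth0-wan", 61),    # internal address arriving from the WAN
    ("10.0.5.7", "eth0-wan", 118),   # same source, TTL implies a different path
    ("10.0.5.7", "eth0-wan", 250),
    ("203.0.113.9", "eth0-wan", 52), # ordinary external client, stable TTL
    ("203.0.113.9", "eth0-wan", 52),
    ("203.0.113.9", "eth0-wan", 53),
    ("10.0.5.12", "eth1-lan", 64),   # internal host on the LAN side, as expected
]

# Constructed IDS alerts: (src_ip, signature). Signature weights are assumed priors.
IDS_ALERTS = [
    ("10.0.5.7", "SYN flood"),
    ("203.0.113.9", "port scan"),
]
SIG_WEIGHTS = {"SYN flood": 0.6, "port scan": 0.3}


def ingress_evidence(packets):
    """BCP 38 style check: an internal source address arriving on an external
    interface cannot be legitimate. Score = fraction of such packets per source."""
    seen, bad = defaultdict(int), defaultdict(int)
    for src, iface, _ttl in packets:
        seen[src] += 1
        if iface.endswith("-wan") and any(ip_address(src) in p for p in INTERNAL_PREFIXES):
            bad[src] += 1
    return {src: bad[src] / seen[src] for src in seen}


def ttl_evidence(packets):
    """A real host sits at a roughly fixed hop distance, so its TTLs cluster.
    Score grows with the TTL range seen for one source (range >= 32 -> 1.0)."""
    ttls = defaultdict(list)
    for src, _iface, ttl in packets:
        ttls[src].append(ttl)
    return {src: min(1.0, (max(v) - min(v)) / 32) for src, v in ttls.items()}


def ids_evidence(alerts, sig_weights):
    """Take the strongest (assumed) signature weight per source address."""
    score = defaultdict(float)
    for src, sig in alerts:
        score[src] = max(score[src], sig_weights.get(sig, 0.2))
    return dict(score)


def noisy_or(scores):
    """Fuse independent evidence: probability that at least one source is right."""
    p = 1.0
    for s in scores:
        p *= 1.0 - s
    return 1.0 - p


def fuse(packets, alerts, sig_weights, threshold=0.7):
    """Return per-address fused score, the contributing evidence and a verdict."""
    sources = {
        "ingress": ingress_evidence(packets),
        "ttl": ttl_evidence(packets),
        "ids": ids_evidence(alerts, sig_weights),
    }
    all_ips = set().union(*(s.keys() for s in sources.values()))
    report = {}
    for ip in sorted(all_ips):
        evidence = {name: src.get(ip, 0.0) for name, src in sources.items()}
        fused = noisy_or(evidence.values())
        report[ip] = {"score": round(fused, 3), "evidence": evidence,
                      "spoofed": fused >= threshold}
    return report


if __name__ == "__main__":
    for ip, row in fuse(PACKETS, IDS_ALERTS, SIG_WEIGHTS).items():
        print(f"{ip:14} score={row['score']:.3f} spoofed={row['spoofed']} {row['evidence']}")
```

The noisy-OR rule treats the sources as independent, which is an assumption rather than a property of real telemetry; in practice the weights and the threshold would be calibrated against labelled traffic, and an analyst would inspect the per-source evidence rather than the fused number alone.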
