Network Forensics Research Articles

The Design of Huge Amounts of Information Network Forensics System in View of the Network Crime Prevention

The Design of Huge Amounts of Information Network Forensics System in View of the Network Crime Prevention

A cloud-based forensics tracking scheme for online social network clients

In recent years, with significant changes in the communication modes, most users are diverted to cloud-based applications, especially online social networks (OSNs), which applications are mostly hosted on the outside and available to criminals, enabling them to impede criminal investigations and intelligence gathering. In the virtual world, how the Law Enforcement Agency (LEA) identifies the “actual” identity of criminal suspects, and their geolocation in social networks, is a major challenge to current digital investigation. In view of this, this paper proposes a scheme, based on the concepts of IP location and network forensics, which aims to develop forensics tracking on OSNs. According to our empirical analysis, the proposed mechanism can instantly trace the “physical location” of a targeted service resource identifier (SRI), when the target client is using online social network applications (Facebook, Twitter, etc.), and can analyze the probable target client “identity” associatively. To the best of our knowledge, this is the first individualized location method and architecture developed and evaluated in OSNs.

Network and device forensic analysis of Android social-messaging applications

In this research we forensically acquire and analyze the device-stored data and network traffic of 20 popular instant messaging applications for Android. We were able to reconstruct some or the entire message content from 16 of the 20 applications tested, which reflects poorly on the security and privacy measures employed by these applications but may be construed positively for evidence collection purposes by digital forensic practitioners. This work shows which features of these instant messaging applications leave evidentiary traces allowing for suspect data to be reconstructed or partially reconstructed, and whether network forensics or device forensics permits the reconstruction of that activity. We show that in most cases we were able to reconstruct or intercept data such as: passwords, screenshots taken by applications, pictures, videos, audio sent, messages sent, sketches, profile pictures and more.

A Proposed Architecture for Network Forensic System in Large-Scale Networks

Cybercrime is increasing at a faster pace and sometimes causes billions of dollars of business- losses so investigating attackers after commitment is of utmost importance and become one of the main concerns of network managers. Network forensics as the process of Collecting, identifying, extracting and analyzing data and systematically monitoring traffic of network is one of the main requirements in detection and tracking of criminals. In this paper, we propose an architecture for network forensic system. Our proposed architecture consists of five main components: collection and indexing, database management, analysis component, SOC communication component and the database. The main difference between our proposed architecture and other systems is in analysis component. This component is composed of four parts: Analysis and investigation subsystem, Reporting subsystem, Alert and visualization subsystem and the malware analysis subsystem. The most important differentiating factors of the proposed system with existing systems are: clustering and ranking of malware, dynamic analysis of malware, collecting and analysis of network flows and anomalous behavior analysis.

IFS: Intelligent flow sampling for network security–an adaptive approach

SummaryIn order to cope with an increasing volume of network traffic, flow sampling methods are deployed to reduce the volume of log data stored for monitoring, attack detection and forensic purposes. Sampling frequently changes the statistical properties of the data and can reduce the effectiveness of subsequent analysis or processing. We propose two concepts that mitigate the negative impact of sampling on the data. Late sampling is based on a simple idea that the features used by the analytic algorithms can be extracted before the sampling and attached to the surviving flows. The surviving flows thus carry the representation of the original statistical distribution in these attached features. The second concept we introduce is that of adaptive sampling. Adaptive sampling deliberatively skews the distribution of the surviving data to over‐represent the rare flows or flows with rare feature values. This preserves the variability of the data and is critical for the analysis of malicious traffic, such as the detection of stealthy, hidden threats. Our approach has been extensively validated on standard NetFlow data, as well as on HTTP proxy logs that approximate the use‐case of enriched IPFIX for the network forensics. Copyright © 2015 John Wiley & Sons, Ltd.

Web S ervices Oriented Architecture for DPI based Network Forensics Grid

Web S ervices Oriented Architecture for DPI based Network Forensics Grid

Distributed Network Forensics Framework: A Systematic Review

Network forensics is a branch of digital forensics, which applies to network security. It is used to relate monitoring and analysis of the computer network traffic, that helps us in collecting information and digital evidence, for the protection of network that can use as firewall and IDS. Firewalls and IDS can’t always prevent and find out the unauthorized access within a network. This paper presents an extensive survey of several forensic frameworks. There is a demand of a system which not only detects the complex attack, but also it should be able to understand what had happened. Here it talks about the concept of the distributed network forensics. The concept of the Distributed network forensics is based on the distributed techniques, which are useful for providing an integrated platform for the automatic forensic evidence gathering and important data storage, valuable support and an attack attribution graph generation mechanism to depict hacking events.

Rooting our Rumor Sources in Online Social Networks: The Value of Diversity From Multiple Observations

This paper addresses the problem of rumor source detection with multiple observations, from a statistical point of view of a spreading over a network, based on the susceptible-infectious model. For tree networks, multiple independent observations can dramatically improve the detection probability. For the case of a single rumor source, we propose a unified inference framework based on the joint rumor centrality, and provide explicit detection performance for degree-regular tree networks. Surprisingly, even with merely two observations, the detection probability at least doubles that of a single observation, and further approaches one, i.e., reliable detection, with increasing degree. This indicates that a richer diversity enhances detectability. Furthermore, we consider the case of multiple connected sources and investigate the effect of diversity. For general graphs, a detection algorithm using a breadth-first search strategy is also proposed and evaluated. Besides rumor source detection, our results can be used in network forensics to combat recurring epidemic-like information spreading such as online anomaly and fraudulent email spams.

OpenFlow Virtual Appliance

Network forensics vis-a-vis cloud computing offerings can be leveraged to address the needs of enterprise-grade spyware solutions online. A modular, extensible cloud architecture with intrinsic support for efficient security monitoring is proposed and an implementation architecture which facilitates dynamic interface with OpenFlow hardware to create infinite flexibility in managing security decisions is presented. A forensic DataCenter model that integrates remote security monitoring using an intelligent Virtual Security Gateway in a cloud domain was developed as part of the work. An OpenFlow Virtual Appliance is proposed as a security hardware interface for thin clients connected to the Cloud Sypware Robot (CSR) server. The cloud ontology-Software as a Service (SaaS) model was used for the CSR application conveying several security benefits. The goal is to facilitate an open, service-based, online network forensics application that is transparently provisioned for users. The paper proposes a security foundation for next-generation enterprise-grade cloud computing.

Hviz: HTTP(S) traffic aggregation and visualization for network forensics

HTTP and HTTPS traffic recorded at the perimeter of an organization is an exhaustive data source for the forensic investigation of security incidents. However, due to the nested nature of today's Web page structures, it is a huge manual effort to tell apart benign traffic caused by regular user browsing from malicious traffic that relates to malware or insider threats. We present Hviz, an interactive visualization approach to represent the event timeline of HTTP and HTTPS activities of a workstation in a comprehensible manner. Hviz facilitates incident investigation by structuring, aggregating, and correlating HTTP events between workstations in order to reduce the number of events that are exposed to an investigator while preserving the big picture. We have implemented a prototype system and have used it to evaluate its utility using synthetic and real-world HTTP traces from a campus network. Our results show that Hviz is able to significantly reduce the number of user browsing events that need to be exposed to an investigator by distilling the structural properties of HTTP traffic, thus simplifying the examination of malicious activities that arise from malware traffic or insider threats.

A transductive scheme based inference techniques for network forensic analysis

Network forensics is a security infrastructure, and becomes the research focus of forensic investigation. However many challenges still exist in conducting network forensics: network has produced large amounts of data; the comprehensibility of evidence extracting from collected data; the efficiency of evidence analysis methods, etc. To solve these problems, in this paper we develop a network intrusion forensics system based on transductive scheme that can detect and analyze efficiently computer crime in networked environments, and extract digital evidence automatically. At the end of the paper, we evaluate our method on a series of experiments on KDD Cup 1999 dataset. The results demonstrate that our methods are actually effective for real-time network forensics, and can provide comprehensible aid for a forensic expert.

PNFEA: A Proposal Approach for Proactive Network Forensics Evidence Analysis to Resolve Cyber Crimes

Nowadays, cyber crimes are increasing and have affected large organizations with highly sensitive information. Consequently, the affected organizations spent more resources analyzing the cyber crimes rather than detecting and preventing these crimes. Network forensics plays an important role in investigating cyber crimes; it helps organizations resolve cyber crimes as soon as possible without incurring a significant loss. This paper proposes a new approach to analyze cyber crime evidence. The proposed approach aims to use cyber crime evidence to reconstruct useful attack evidence. Moreover, it helps investigators to resolve cyber crime efficiently. The results of the comparison of the proposed approach prove that it is more efficient in terms of time and cost compared with the generic and the modern process approach for network forensics.

Use of Network Forensic Mechanisms to Formulate Network Security

Network Forensics is fairly a new area of research which would be used after an intrusion in various organizations ranging from small, mid-size private companies and government corporations to the defense secretariat of a country. At the point of an investigation valuable information may be mishandled which leads to difficulties in the examination and time wastage. Additionally the intruder could obliterate tracks such as intrusion entry, vulnerabilities used in an entry, destruction caused, and most importantly the identity of the intruder. The aim of this research was to map the correlation between network security and network forensic mechanisms. There are three sub research questions that had been studied. Those have identified Network Security issues, Network Forensic investigations used in an incident, and the use of network forensics mechanisms to eliminate network security issues. Literature review has been the research strategy used in order study the sub research questions discussed. Literature such as research papers published in Journals, PhD Theses, ISO standards, and other official research papers have been evaluated and have been the base of this research. The deliverable or the output of this research was produced as a report on how network forensics has assisted in aligning network security in case of an intrusion. This research has not been specific to an organization but has given a general overview about the industry. Embedding Digital Forensics Framework, Network Forensic Development Life Cycle, and Enhanced Network Forensic Cycle could be used to develop a secure network. Through the mentioned framework, and cycles the author has recommended implementing the 4R Strategy (Resistance, Recognition, Recovery, Redress) with the assistance of a number of tools. This research would be of interest to Network Administrators, Network Managers, Network Security personnel, and other personnel interested in obtaining knowledge in securing communication devices/infrastructure. This research provides a framework that can be used in an organization to eliminate digital anomalies through network forensics, helps the above mentioned persons to prepare infrastructure readiness for threats and also enables further research to be carried on in the fields of computer, database, mobile, video, and audio.

Security in Software Defined Networks: A Survey

Software defined networking (SDN) decouples the network control and data planes. The network intelligence and state are logically centralized and the underlying network infrastructure is abstracted from applications. SDN enhances network security by means of global visibility of the network state where a conflict can be easily resolved from the logically centralized control plane. Hence, the SDN architecture empowers networks to actively monitor traffic and diagnose threats to facilitates network forensics, security policy alteration, and security service insertion. The separation of the control and data planes, however, opens security challenges, such as man-in-the middle attacks, denial of service (DoS) attacks, and saturation attacks. In this paper, we analyze security threats to application, control, and data planes of SDN. The security platforms that secure each of the planes are described followed by various security approaches for network-wide security in SDN. SDN security is analyzed according to security dimensions of the ITU-T recommendation, as well as, by the costs of security solutions. In a nutshell, this paper highlights the present and future security challenges in SDN and future directions for secure SDN.

Efficient Data Capturing for Network Forensics in Cognitive Radio Networks

Network forensics is an emerging interdiscipline used to track down cyber crimes and detect network anomalies for a multitude of applications. Efficient capture of data is the basis of network forensics. Compared to traditional networks, data capture faces significant challenges in cognitive radio networks. In traditional wireless networks, usually one monitor is assigned to one channel for traffic capture. This approach will incur very high cost in cognitive radio networks because it typically has a large number of channels. Furthermore, due to the uncertainty of the primary user's behavior, cognitive radio devices change their operating channels dynamically, which makes data capturing more difficult. In this paper, we propose a systematic method to capture data in cognitive radio networks with a small number of monitors. We utilize incremental support vector regression to predict packet arrival time and intelligently switch monitors between channels. We also propose a protocol that schedules multiple monitors to perform channel scanning and packet capturing in an efficient manner. Monitors are reused in the time domain, and geographic coverage is taken into account. The real-world experiments and simulations show that our method is able to achieve the packet capture rate above 70% using a small number of monitors, which outperforms the random scheme by 200%-300%.

Anomaly Extraction and Mitigation using Efficient-Web Miner Algorithm

Today network security, uptime and performance of network are important and serious issues in computer network. Anomaly is deviation from normal behavior affecting network security. Anomaly Extraction is identification of unusual flow from network, which is need of network operator. Anomaly extraction aims to automatically find the inconsistencies in large set of data observed during an anomalous time interval. Extracted anomalies will be important for root cause analysis, network forensics, attack mitigation and anomaly modeling. Frequent pattern mining technique namely Efficient-Web Miner Algorithm will be used to generate the set of association rules applied on metadata. Using network traffic log data, algorithms effectively finds the flow associated with the anomalous event(s). EfficientWeb Miner Algorithm triggers a very small number of false positives. EfficientWeb Miner has much better performance in terms of time and space complexity than Apriori Algorithm and its variations like Apriori All algorithm.for large data sets This anomaly extraction method significantly reduces the time needed for analyzing alarms, making anomaly detection systems more practical, simple and realistic. System makes an effort to mitigate the anomaly so detected without human intervention. Proposed system provides human overrides in mitigation process and inculcates self-learning approach which is advantageous.

Native actors

When an organization detects a security breach, it undertakes a forensic analysis to figure out what happened. This investigation involves inspecting a wide range of heterogeneous data sources spanning over a long period of time. The iterative nature of the analysis procedure requires an interactive experience with the data. However, the distributed processing paradigms we find in practice today fail to provide this requirement: the batch-oriented nature of MapReduce cannot deliver sub-second round-trip times, and distributed in-memory processing cannot store the terabytes of activity logs needed to inspect during an incident. We present the design and implementation of Visibility Across Space and Time (VAST), a distributed database to support interactive network forensics, and libcppa, its exceptionally scalable messaging core. The extended actor framework libcppa enables VAST to distribute lightweight tasks at negligible overhead. In our live demo, we showcase how VAST enables security analysts to grapple with the huge amounts of data often associated with incident investigations.

Rumor source detection with multiple observations

This paper addresses the problem of a single rumor source detection with multiple observations, from a statistical point of view of a spreading over a network, based on the susceptible-infectious model. For tree networks, multiple sequential observations for one single instance of rumor spreading cannot improve over the initial snapshot observation. The situation dramatically improves for multiple independent observations. We propose a unified inference framework based on the union rumor centrality, and provide explicit detection performance for degree-regular tree networks. Surprisingly, even with merely two observations, the detection probability at least doubles that of a single observation, and further approaches one, i.e., reliable detection, with increasing degree. This indicates that a richer diversity enhances detectability. For general graphs, a detection algorithm using a breadth-first search strategy is also proposed and evaluated. Besides rumor source detection, our results can be used in network forensics to combat recurring epidemic-like information spreading such as online anomaly and fraudulent email spams.

A digital evidence fusion method in network forensics systems with Dempster-shafer theory

Network intrusion forensics is an important extension to present security infrastructure, and is becoming the focus of forensics research field. However, comparison with sophisticated multi-stage attacks and volume of sensor data, current practices in network forensic analysis are to manually examine, an error prone, labor-intensive and time consuming process. To solve these problems, in this paper we propose a digital evidence fusion method for network forensics with Dempster-Shafer theory that can detect efficiently computer crime in networked environments, and fuse digital evidence from different sources such as hosts and sub-networks automatically. In the end, we evaluate the method on well-known KDD Cup 1999 dataset. The results prove our method is very effective for real-time network forensics, and can provide comprehensible messages for a forensic investigators.

Network forensics and challenges for cybersecurity

Societies in the contemporary world are becoming more and more dependent on open networks such as the Internet where commercial activities, business transactions, and government services are realized. This has led to the fast development of new cyber threats and information security issues, which are utilized by cyber criminals. Mistrust for telecommunications and computer network technologies have tremendous socioeconomic impacts on global enterprises as well as individuals. Moreover, the occurrence of international frauds often requires the investigation of facts that cross international borders. They are also often subject to different jurisdictions and legal systems. The increased complexity of the communication and networking infrastructure is making investigation of the crimes difficult. Clues of illegal digital activities are often buried in large volumes of data that are hard to inspect in order to detect crimes and collect evidence. This poses new challenges for law enforcement and forces computer societies to utilize digital forensics to combat the growing number of cybercrimes. Forensic professionals need to be fully prepared in order to be able to provide effective evidence. To achieve these goals forensic techniques must keep pace with new technologies. That is why the field of digital forensics is becomingmore and more important for law enforcement and information and network security. Network forensics is a newly emerged research area, and its importance has attracted a great attention among computer professionals, law enforcers, and practitioners. It is a multidisciplinary area that includes multiple fields, i.e., law, computer science, finance, networking, data mining, and criminal justice. However, network forensics still faces diverse challenges and issues in terms of the efficiency of digital evidence processing and the related forensic procedures. In this special issue, we are delighted to present a selection of ten papers, which, in our opinion, will contribute to the enhancement of knowledge in network forensics and cybersecurity. The collection of high-quality research papers provides a view on the latest research advances on special security incidents, steganography, and steganalysis. In the first paper [1], Dohoon Kim, Jungbean Lee, YoungGab Kim, Byungsik Yoon, and Hoh Peter propose an architecture for IMS/SIP-based lawful interception in wireless 3G networks and original techniques of interception, where content service providers are separated from network providers. The authors present the results of a Quality of Service performance analysis conducted on their proposed interception architecture for various numbers of IMS users. The authors of the second paper [2], Robert Filasiak, Maciej Grzenda, Marcin Luckner, and Pawel Zawistowski, introduce a new way of testing methods detecting network threats, including a procedure for creating realistic reference data sets describing network threats and the processing and use of these data sets in testing environments. The new approach is evaluated on the basis of the problem of spam detection, and two measures, accuracy and performance of threat detection, are considered. Bo-Chao Cheng, Guo-Tan Liao, Hsu-Chen Huang, and Ping-Hai Hsu in their paper [3] propose a new mechanism to overcome the disadvantage of requiring huge data storage for network forensics analysis tools for denial-of-service attacks. The experimental results confirmed that the proposed mechanism, based on advanced training methods to build proper data classifiers, is useful in reduction of data quantity. W. Mazurczyk (*) :K. Szczypiorski Warsaw University of Technology, Warsaw, Poland e-mail: wmazurczyk@tele.pw.edu.pl