Data reduction by identification and correlation of TCP/IP attack attributes for network forensics

Network forensics is an alternate approach to security, which monitors network traffic, stores the traces, detects anomalies, identifies the nature of attack, and investigates the source of attack. The challenge is to store, handle and analyze large volumes of network traffic. Attackers are exploiting the vulnerabilities in TCP/IP protocol suite and manipulating various attributes to launch attacks. In this paper, the attacks on TCP/IP protocol suite at the transport and network layer are studied and the significant network features being misused are identified. The key fields of the protocols are correlated with the attacks and are extracted from the packet capture files. These values are stored in a database and statistical information for determining various attack thresholds is derived. This information helps in identifying suspicious addresses and marking evidence packets for forensic analysis. These packets comprise of the highest probable evidence and are converted to a new packet capture file. The reduced size of this preprocessed data enables efficient storage, effective processing and time bound investigation.

[1]  Ronald D. Williams,et al.  Taxonomies of attacks and vulnerabilities in computer systems , 2008, IEEE Communications Surveys & Tutorials.

[2]  Shawn Ostermann,et al.  Detecting network intrusions via a statistical analysis of network packet characteristics , 2001, Proceedings of the 33rd Southeastern Symposium on System Theory (Cat. No.01EX460).

[3]  Dario Forte Fragmentation Attacks: Protection Tools and Techniques , 2001 .

[4]  Tomas Olovsson,et al.  Detection of malicious traffic on back‐bone links via packet header analysis , 2008 .

[5]  Mohamed Mejri,et al.  Specification and Detection of TCP/IP Based Attacks Using the ADM-Logic , 2007, The Second International Conference on Availability, Reliability and Security (ARES'07).

[6]  Jayant Gadge,et al.  Port scan detection , 2008, 2008 16th IEEE International Conference on Networks.

[7]  Ali A. Ghorbani,et al.  A Feature Classification Scheme For Network Intrusion Detection , 2007, Int. J. Netw. Secur..

[8]  Ray Hunt,et al.  A taxonomy of network and computer attacks , 2005, Comput. Secur..

[9]  Zhen Ye,et al.  DDoS Defense Using TCP_IP Header Analysis and Proactive Tests , 2009, 2009 International Conference on Information Technology and Computer Science.

[10]  Fred Cohen Internet holes - Part 2: Packet fragmentation attacks , 1995 .

[11]  Wolfgang John,et al.  Analysis of internet backbone traffic and header anomalies observed , 2007, IMC '07.

[12]  Nasir D. Memon,et al.  ForNet: A Distributed Forensics Network , 2003, MMM-ACNS.

[13]  H.A. Chan,et al.  A Cross-protocol approach to detect TCP Hijacking attacks , 2007, 2007 IEEE International Conference on Signal Processing and Communications.

[14]  R. Hunt,et al.  TCP/IP security threats and attack methods , 1999, Comput. Commun..

[15]  S. M. Bellovin,et al.  Security problems in the TCP/IP protocol suite , 1989, CCRV.

[16]  Giovanni Vigna,et al.  A Topological Characterization of TCP/IP Security , 2003, FME.

[17]  Thomas E. Daniels,et al.  A simple framework for distributed forensics , 2005, 25th IEEE International Conference on Distributed Computing Systems Workshops.

[18]  Marco de Vivo,et al.  A review of port scanning techniques , 1999, CCRV.

[19]  Rajdeep Niyogi,et al.  Network forensic frameworks: Survey and research challenges , 2010, Digit. Investig..