Towards an Estimation of the Accuracy of TCP Reassembly in Network Forensics

Today, honeypot operators rely heavily on network analysis tools to examine the network traces collected in their honeynet environments. The accuracy of such analysis depends on the ability of these tools to properly reassemble streams, especially TCP sessions. The quality of network forensic analysis is therefore tied to those tools, and we evaluated several widely used network analysis tools. We pinpoint TCP reassembly errors together with their causes, and propose algorithms and analytical techniques to measure them in order to improve network forensic analysis.
