Network forensics based on fuzzy logic and expert system

Network forensics is a research area that identifies malicious users by collecting and analyzing the intrusion or infringement evidence of computer crimes such as hacking. In the past, network forensics was used only as a means of investigation. Nowadays, however, because of the sharp increase in network traffic, not all of the information captured or recorded is useful for analysis or as evidence. Existing network forensics methods and tools show only simple results, and administrators have difficulty analyzing the state of a damaged system without expert knowledge. An effective and automated analysis system for network forensics is therefore needed. In this paper, we first ensure evidence reliability as far as possible by collecting different kinds of forensic information from several detection sensors. Second, we propose an approach based on fuzzy logic and an expert system for network forensics that can analyze computer crimes in a network environment and produce digital evidence automatically. At the end of the paper, experimental results comparing our proposed method with other popular methods are presented. The results show that the system can classify most kinds of attack types (91.5% correct classification rate on average) and provide analyzable and comprehensible information for forensic experts.
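To make the approach described in the abstract concrete, the following is an added example of a small fuzzy-logic expert system of the general kind the paper describes; it is not the paper's own system, and its feature names, membership breakpoints, rules, attack-class labels and sample sensor records are all constructed for the illustration. Each feature is taken from a different sensor (a flow sensor, a host authentication log and a signature-based IDS), so that a rule only fires strongly when independent sources agree, and every classification returns the rule clauses and their membership degrees so that a forensic analyst can see why a record was labelled as it was.

```python
"""Toy fuzzy expert system for classifying network-forensic evidence.

Added illustration, not the paper's system. Feature names, breakpoints,
rules, class labels and sample records are constructed (assumptions).
Inference is Mamdani-style: AND = min over clauses, aggregation = max
over rules for the same class.
"""


def shoulder_low(x, a, b):
    """Membership 1 at or below a, falling linearly to 0 at b."""
    if x <= a:
        return 1.0
    if x >= b:
        return 0.0
    return (b - x) / (b - a)


def shoulder_high(x, a, b):
    """Membership 0 at or below a, rising linearly to 1 at b."""
    if x <= a:
        return 0.0
    if x >= b:
        return 1.0
    return (x - a) / (b - a)


# Fuzzy sets per feature. Breakpoints are constructed for the example.
# conn_rate:      connections/s from one source to one host (flow sensor)
# distinct_ports: distinct destination ports in the window  (flow sensor)
# failed_logins:  failed authentications in the window      (host auth log)
# ids_alerts:     signature alerts in the window            (NIDS)
MEMBERSHIP = {
    "conn_rate": {"low": lambda x: shoulder_low(x, 5, 50),
                  "high": lambda x: shoulder_high(x, 200, 1000)},
    "distinct_ports": {"few": lambda x: shoulder_low(x, 3, 20),
                       "many": lambda x: shoulder_high(x, 20, 100)},
    "failed_logins": {"few": lambda x: shoulder_low(x, 2, 10),
                      "many": lambda x: shoulder_high(x, 10, 50)},
    "ids_alerts": {"none": lambda x: shoulder_low(x, 0, 2),
                   "many": lambda x: shoulder_high(x, 2, 10)},
}

# Rules: (class label, list of (feature, linguistic term) clauses).
# Class labels follow the usual DoS / Probe / R2L / U2R grouping; the
# clause combinations are constructed for the example.
RULES = [
    ("DoS", [("conn_rate", "high"), ("distinct_ports", "few")]),
    ("Probe", [("distinct_ports", "many"), ("failed_logins", "few")]),
    ("R2L", [("failed_logins", "many"), ("conn_rate", "low")]),
    ("U2R", [("ids_alerts", "many"), ("conn_rate", "low"),
             ("distinct_ports", "few")]),
    ("Normal", [("conn_rate", "low"), ("distinct_ports", "few"),
                ("failed_logins", "few"), ("ids_alerts", "none")]),
]


def fuzzify(record):
    """Map every (feature, term) pair to its membership degree in [0, 1]."""
    return {(f, term): fn(record[f])
            for f, terms in MEMBERSHIP.items() for term, fn in terms.items()}


def infer(record):
    """Return per-class firing strengths and the clauses that produced them."""
    mu = fuzzify(record)
    strengths, explanations = {}, {}
    for label, clauses in RULES:
        strength = min(mu[c] for c in clauses)          # fuzzy AND
        if strength > strengths.get(label, -1.0):        # max-aggregation
            strengths[label] = strength
            explanations[label] = [(f, t, round(mu[(f, t)], 3))
                                   for f, t in clauses]
    return strengths, explanations


def classify(record, threshold=0.5):
    """Pick the strongest class; below threshold the evidence is 'Unknown'."""
    strengths, explanations = infer(record)
    label = max(strengths, key=strengths.get)
    if strengths[label] < threshold:
        return "Unknown", strengths[label], []
    return label, strengths[label], explanations[label]


# Constructed sensor records, one per incident window.
SAMPLE_EVIDENCE = [
    {"id": "ev-1", "conn_rate": 800, "distinct_ports": 1, "failed_logins": 0, "ids_alerts": 3},
    {"id": "ev-2", "conn_rate": 30, "distinct_ports": 80, "failed_logins": 0, "ids_alerts": 1},
    {"id": "ev-3", "conn_rate": 2, "distinct_ports": 1, "failed_logins": 40, "ids_alerts": 1},
    {"id": "ev-4", "conn_rate": 1, "distinct_ports": 1, "failed_logins": 0, "ids_alerts": 0},
]


def classify_all(records=SAMPLE_EVIDENCE):
    """Classify every record; returns [(id, label, strength, clauses), ...]."""
    return [(r["id"],) + classify(r) for r in records]


if __name__ == "__main__":
    for rid, label, strength, clauses in classify_all():
        print(f"{rid}: {label} (strength {strength:.2f}) via {clauses}")
```

The threshold on the winning firing strength is what keeps the system from forcing a label onto weak or contradictory evidence; records that fall below it are handed to the analyst as "Unknown" together with the raw membership degrees rather than silently misclassified.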
