Cyber Black Box: Network intrusion forensics system for collecting and preserving evidence of attack

Once a system is compromised, forensics and investigation are carried out only after the attack, by which time some useful immediate evidence has already been lost. Because the log information needed to analyze the cause of an attack is not available after a cyber incident occurs, the cause of an intrusion is difficult to determine even once the intrusion event has been recognized. Moreover, in advanced cyber incidents such as advanced persistent threats, several months or more are spent on cause analysis alone, and the cause is difficult to find with conventional security equipment. In this paper, we introduce a network intrusion forensics system, called Cyber Black Box, that collects and preserves the evidence of an intrusion and is deployed in a Local Area Network environment. When an intrusion event occurs, it quickly analyzes the cause of the event and provides a function for collecting the event's evidence data. The paper also describes experimental results on network throughput performance obtained by deploying the proposed system in a testbed environment.
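The abstract describes collecting and preserving network evidence so that it is still available and trustworthy when an investigation starts. The following is an added illustration of that evidence-preservation idea, not code from the paper or from the Cyber Black Box system: captured frames are written in the standard libpcap file format (24-byte global header, 16-byte per-record header) and, as each record is written, a SHA-256 hash chain over the records is extended and recorded in a manifest, so an investigator can later check that the capture file is complete and unmodified. The sample frames, the timestamps and the all-zero chain seed are constructed for the example.

```python
import hashlib
import struct

# Constructed sample Ethernet frames (not real traffic): destination MAC,
# source MAC, EtherType, then filler payload bytes.
SAMPLE_FRAMES = [
    bytes.fromhex("ffffffffffff001122334455" "0806") + b"\x00\x01\x08\x00\x06\x04\x00\x01",
    bytes.fromhex("001122334455667788" "99aabb" "0800") + b"E" * 40,
    bytes.fromhex("66778899aabb001122" "334455" "0800") + b"X" * 60,
]

PCAP_MAGIC = 0xA1B2C3D4          # little-endian pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1
GLOBAL_HDR_FMT = "<IHHiIII"      # magic, major, minor, thiszone, sigfigs, snaplen, linktype
RECORD_HDR_FMT = "<IIII"         # ts_sec, ts_usec, incl_len, orig_len
CHAIN_SEED = b"\x00" * 32        # constructed genesis value for the hash chain


def pcap_global_header(snaplen=65535):
    """Build the libpcap file header (version 2.4, Ethernet link type)."""
    return struct.pack(GLOBAL_HDR_FMT, PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)


def pcap_record(ts_sec, ts_usec, frame):
    """Build one pcap record: header followed by the captured frame bytes."""
    return struct.pack(RECORD_HDR_FMT, ts_sec, ts_usec, len(frame), len(frame)) + frame


def capture_to_pcap(frames, start_ts=1_700_000_000):
    """Serialize frames to pcap bytes and return them with a hash-chain manifest.

    manifest[i] is hex(SHA256(manifest_digest[i-1] || record_i)); the final
    entry commits to every record and to their order.
    """
    out = bytearray(pcap_global_header())
    chain = CHAIN_SEED
    manifest = []
    for i, frame in enumerate(frames):
        # Constructed timestamps: one frame per second, microseconds = i ms.
        rec = pcap_record(start_ts + i, i * 1000, frame)
        out += rec
        chain = hashlib.sha256(chain + rec).digest()
        manifest.append(chain.hex())
    return bytes(out), manifest


def parse_pcap_records(data):
    """Split pcap bytes into raw records (header + frame), validating lengths."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian pcap file")
    off = struct.calcsize(GLOBAL_HDR_FMT)
    records = []
    while off < len(data):
        _ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack_from(RECORD_HDR_FMT, data, off)
        rec_end = off + struct.calcsize(RECORD_HDR_FMT) + incl_len
        if rec_end > len(data):
            raise ValueError("truncated record at offset %d" % off)
        records.append(data[off:rec_end])
        off = rec_end
    return records


def verify_manifest(data, manifest):
    """Recompute the hash chain over the stored records and compare it to the manifest.

    Returns False if any record was altered, dropped, reordered or appended.
    """
    try:
        records = parse_pcap_records(data)
    except ValueError:
        return False
    if len(records) != len(manifest):
        return False
    chain = CHAIN_SEED
    for rec, expected in zip(records, manifest):
        chain = hashlib.sha256(chain + rec).digest()
        if chain.hex() != expected:
            return False
    return True


if __name__ == "__main__":
    data, manifest = capture_to_pcap(SAMPLE_FRAMES)
    print("records:", len(parse_pcap_records(data)), "verified:", verify_manifest(data, manifest))
    tampered = bytearray(data)
    tampered[-1] ^= 0xFF                     # flip one payload byte in the last frame
    print("tampered verified:", verify_manifest(bytes(tampered), manifest))
```

The manifest would be stored separately from the capture (or signed) so that an attacker who can alter the capture store cannot also rewrite the chain; the chain, rather than a single whole-file hash, lets an investigator localize which record was first altered.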