In recent years, the most prominent topics in the security field have concerned advanced persistent attacks. As an approach to this problem, we propose a cyber blackbox that collects and preserves network traffic on a virtual-volume-based WORM (write once, read many) device, called EvidenceLock, to ensure data integrity for security and forensic analysis. As a strategy for retaining traffic over sufficiently long periods, we introduce a deduplication method. This paper also includes a study of the network evidence that is collected and preserved for analyzing the cause of a cyber incident. We then propose a method that suggests a starting point for incident analysis to a forensic practitioner who must investigate the vast amount of network traffic collected by the cyber blackbox. Experimental results show that this approach effectively reduces the amount of data to search by separating suspicious flows from normal traffic. Finally, we discuss the results from a forensic point of view and present further work.
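The abstract names two building blocks of the cyber blackbox, a write-once evidence store and payload deduplication, without showing how they fit together. The following is an added illustration, not code from the paper or from EvidenceLock: it models a write-once chunk store that rejects any attempt to overwrite an existing chunk with different bytes, deduplicates captured packet payloads by content hash so that the per-packet index (what an investigator searches) keeps every packet while the store keeps each distinct payload once, and verifies that the capture can be reassembled bit-for-bit from the index. The packets, flow tuples and payloads are constructed sample data; the store, function names and the hash-per-payload chunking granularity are assumptions made for the example and are not the paper's design.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Constructed sample capture record: a flow 5-tuple and the packet payload."""
    flow: tuple          # (src, dst, sport, dport, proto), constructed values
    payload: bytes


class AppendOnlyStore:
    """Minimal write-once (WORM-like) chunk store, an assumption for this example.

    A chunk key may be written once. Writing the same bytes again is a no-op
    (that is the deduplication case); writing different bytes under an existing
    key is a tamper attempt and is rejected, which is the integrity property a
    forensic evidence store needs.
    """

    def __init__(self):
        self._chunks = {}

    def put(self, key: str, data: bytes) -> bool:
        """Return True if a new chunk was stored, False if it was already present."""
        if key in self._chunks:
            if self._chunks[key] != data:
                raise ValueError(f"write-once violation: chunk {key[:12]}... already sealed")
            return False
        self._chunks[key] = data
        return True

    def get(self, key: str) -> bytes:
        return self._chunks[key]

    def unique_chunks(self) -> int:
        return len(self._chunks)

    def stored_bytes(self) -> int:
        return sum(len(c) for c in self._chunks.values())


def chunk_key(payload: bytes) -> str:
    """Content-defined identity for a payload: SHA-256 over the bytes."""
    return hashlib.sha256(payload).hexdigest()


def ingest(packets, store: AppendOnlyStore):
    """Write each packet's payload to the store (once per distinct payload) and
    build the per-packet index an investigator would search over.
    Returns (index, raw_bytes_captured)."""
    index = []
    raw = 0
    for p in packets:
        raw += len(p.payload)
        key = chunk_key(p.payload)
        store.put(key, p.payload)
        index.append((p.flow, key, len(p.payload)))  # every packet stays addressable
    return index, raw


def reassemble(index, store: AppendOnlyStore):
    """Rebuild the original payload sequence from index + store."""
    return [store.get(key) for _, key, _ in index]


def dedup_ratio(raw: int, stored: int) -> float:
    return raw / stored if stored else 0.0


# Constructed sample: three repeated requests on one flow, the same request on a
# second flow (e.g. the same page fetched by another client), and one distinct flow.
REQ = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
OTHER = b"GET /login HTTP/1.1\r\nHost: example.test\r\n\r\n"
FLOW_A = ("10.0.0.5", "10.0.0.80", 40001, 80, "tcp")
FLOW_B = ("10.0.0.6", "10.0.0.80", 40002, 80, "tcp")
FLOW_C = ("10.0.0.7", "10.0.0.80", 40003, 80, "tcp")
SAMPLE_PACKETS = [
    Packet(FLOW_A, REQ), Packet(FLOW_A, REQ), Packet(FLOW_A, REQ),
    Packet(FLOW_B, REQ),
    Packet(FLOW_C, OTHER),
]


def run_demo():
    """Ingest the sample, check reassembly, and report storage figures."""
    store = AppendOnlyStore()
    index, raw = ingest(SAMPLE_PACKETS, store)
    assert reassemble(index, store) == [p.payload for p in SAMPLE_PACKETS]
    return {
        "packets_indexed": len(index),
        "unique_chunks": store.unique_chunks(),
        "raw_bytes": raw,
        "stored_bytes": store.stored_bytes(),
        "dedup_ratio": dedup_ratio(raw, store.stored_bytes()),
    }


if __name__ == "__main__":
    print(run_demo())
```

The point of the write-once check is that deduplication and integrity pull in the same direction: a second copy of an already-stored payload costs nothing, while a differing payload under a sealed key can only be a fault or tampering, and the store refuses it rather than silently replacing evidence.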