Design for Network Attack Forensic System Based on HTTP Evasive Behavior

The network traffic generated by humans and various devices is one of the most important data sources in network forensics. The main challenge in investigating and collecting evidence from network traffic is handling the huge volume of data streams caused by the rapid growth of network bandwidth and applications, while preserving the useful information for further analysis. HTTP, as the most popular protocol on the Internet, is often exploited to carry malware and evasive attacks in addition to normal services. In this paper, we study how real-world malware and network attacks exploit HTTP to hide their malicious activities, and we present an Evasive Network Attack Forensic System (ENAFS), which is able to effectively discover evasive network attacks over HTTP and to extract the attack samples together with their metadata for further analysis. We believe that our work will benefit future research in the network forensics field.