A New Approach to Executable File Fragment Detection in Network Forensics

Network forensics, known as an extended phase of network security, plays an essential role in dealing with cybercrime. The performance of a network forensics system depends heavily on its network attack detection solutions. The two main types of network attacks are network-level and application-level attacks. Current research methods have improved the detection rate, but detection remains a challenge. In this study we propose a Shannon entropy approach to identify executable file content for anomaly-based network attack detection in network forensics systems. Experimental results show that the proposed approach provides a high detection rate.
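As an added illustration of the byte-level Shannon entropy feature the abstract describes (this code is not from the paper; the EXEC_BAND decision band and the three sample fragments are constructed assumptions, not the authors' calibration):

```python
import math
import random
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte fragment, in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

# Assumed decision band, not taken from the paper: plain text usually sits
# below it, compressed or encrypted data above it, and machine code tends to
# land in between. A real detector calibrates this on a labelled corpus.
EXEC_BAND = (5.0, 7.0)

def classify_fragment(data: bytes, band=EXEC_BAND) -> str:
    """Coarse label from a single feature: the fragment's entropy."""
    h = shannon_entropy(data)
    if h < band[0]:
        return "text-like"
    if h > band[1]:
        return "compressed-or-encrypted"
    return "executable-like"

def constructed_fragments(seed: int = 7, size: int = 1024) -> dict:
    """Constructed sample payloads (not real captures) for a quick check."""
    rng = random.Random(seed)
    text = (b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n" * 40)[:size]
    # Code-like stand-in: a small set of frequent byte values (assumed, not
    # real opcodes) mixed with arbitrary operand bytes.
    frequent = bytes(range(0x40, 0x50))
    code = bytes(rng.choice(frequent) if rng.random() < 0.6 else rng.getrandbits(8)
                 for _ in range(size))
    noise = bytes(rng.getrandbits(8) for _ in range(size))  # encrypted-like
    return {"text": text, "code": code, "noise": noise}

if __name__ == "__main__":
    for name, frag in constructed_fragments().items():
        print(f"{name:6s} {shannon_entropy(frag):.2f} bits/byte -> {classify_fragment(frag)}")
```

Entropy alone is one feature; the abstract's point is that it separates executable content from ordinary payloads well enough to drive anomaly detection, so pair it with other fragment features before acting on a label.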
