Metrics for network forensics conviction evidence

Evaluation of forensics evidence is an essential step in proving the malicious intents of an attacker or adversary and the severity of the damages caused to any network. This paper takes a step forward showing how security metrics can be used to sustain a sense of credibility to network evidence gathered as an elaboration and extension to an embedded feature of Network Forensic Readiness (NFR) — Redress that is defined as holding intruders responsible. We propose a procedure of evidence acquisition in network forensics where we then analyse sample of packet data in order to extract useful information as evidence through a formalised intuitive model, based on capturing adversarial behaviour and layer analysis. We then apply the Common Vulnerability Scoring System (CVSS) metrics to show that a forensics metrics system could assess the severity of network attacks committed, thus giving a degree of credibility to the evidence gathered. This way, hard evidence could be objectively collected to lend support to the resource-intensive process of investigation and litigation, leading to successful conviction, while reducing effort expended on the process.

[1]  Yoichi Shinoda,et al.  Design Issues of an Isolated Sandbox Used to Analyze Malwares , 2007, IWSEC.

[2]  Andrew Jaquith Security Metrics: Replacing Fear, Uncertainty, and Doubt , 2007 .

[3]  Deborah A. Frincke,et al.  A Theoretical Framework for Organizational Network Forensic Readiness , 2007, J. Comput..

[4]  Brandon Shirley,et al.  A Model for Covert Botnet Communication in a Private Subnet , 2008, Networking.

[5]  Ruibin Gong,et al.  Case-Relevance Information Investigation: Binding Computer Intelligence to the Current Computer Forensic Framework , 2005, Int. J. Digit. EVid..

[6]  Wouter Joosen,et al.  Using Security Patterns to Combine Security Metrics , 2008, 2008 Third International Conference on Availability, Reliability and Security.

[7]  K. Clark,et al.  Security risk metrics: fusing enterprise objectives and vulnerabilities , 2005, Proceedings from the Sixth Annual IEEE SMC Information Assurance Workshop.

[8]  Jan H. P. Eloff,et al.  Applying Machine Trust Models to Forensic Investigations , 2006, IFIP Int. Conf. Digital Forensics.

[9]  Karen Scarfone,et al.  Common Vulnerability Scoring System , 2006, IEEE Security & Privacy.

[10]  Axel W. Krings,et al.  A Formalization of Digital Forensics , 2004, Int. J. Digit. EVid..

[11]  Karen A. Scarfone,et al.  A Complete Guide to the Common Vulnerability Scoring System Version 2.0 | NIST , 2007 .

[12]  Marianne Swanson,et al.  Security metrics guide for information technology systems , 2003 .

[13]  Reijo Savola,et al.  A Novel Security Metrics Taxonomy for R&D Organisations , 2008, ISSA.

[14]  Reijo Savola,et al.  Towards a Security Metrics Taxonomy for the Information and Communication Technology Industry , 2007, International Conference on Software Engineering Advances (ICSEA 2007).

[15]  Zhuoqing Morley Mao,et al.  Automated Classification and Analysis of Internet Malware , 2007, RAID.

[16]  Guanhua Yan,et al.  DDoS Mitigation in Non-cooperative Environments , 2008, Networking.