Chen Lin,Li Zhitang,Gao Cuixia

DOI: https://doi.org/10.1109/ETCS.2009.153

2009-01-01

Abstract:Nowadays, one of the reasons for the lack of legal sanctions taken against attackers is that the collection and analysis of forensic evidence is very troublesome and time-consuming. There are many research results about events correlation but not directly suitable for network forensics. The work presented in this paper is based on an idea to collect the evidences from multiple network sensors and analyze them to improve the quality of forensic evidence automatically. This paper discusses the issues of log evidence first. The framework of IEAAS (Automated Analysis System of Intrusion Evidences) is illustrated with LCA (Log Collection Agent) in network sensors and multiple modules in IEAAS. Analysis mechanism is discussed, particularly the improved aggregation algorithm and evidence preservation method are described. Then a series of experiments are performed to validate our method on actual attack network environments of CERNET. The results of experiments show that our approach is practical and effective for dynamic forensics to augment the computer crime investigators’ efforts.

QIAN Qin,ZHANG Jian,ZHANG Kun,FU Xiao,MAO Bing

2014-01-01

Computer Science

Abstract:For the past few years,the amount of computer crime has been increasing year by year,and it is threatening various aspects of human society such as national politics,economy,and culture,etc.In modern society,the research on intrusion forensics and intrusion detection plays a significant role for fighting against computer crime,tracing intrusion,patching vulnerability and improving security system of computer network.However,with the popularity of Internet and the improving capacity of computers' storage,we often need to handle mass data about GB size,even up to TB size for intrusion forensics and intrusion detection.It inevitably makes much useful information submerge in redundant events,which brings about a huge challenge and low accuracy of analysis result.So it will be a topmost breakthrough to design a kind of technology for reducing redundant data and improving its accuracy and efficiency.This paper summarized several methods on intrusion forensics and intrusion detection.Firstly,this paper discoursed the development course of redundancy-reducing techniques and the application in traditional field such as medical domain.Then it systematically introduced all kinds of redundancy-reducing methods in intrusion forensics and intrusion detection.Finally,it figured out the existing problems and research direction in the future.It also gave some conclusions through the comparison on current situation of redundant data reducing techniques.

Tian Zhihong,Jiang Wei,Li Yang,Dong Lan

DOI: https://doi.org/10.1109/CC.2014.6880464

2014-01-01

Abstract:Network intrusion forensics is an important extension to present security infrastructure, and is becoming the focus of forensics research field. However, comparison with sophisticated multi-stage attacks and volume of sensor data, current practices in network forensic analysis are to manually examine, an error prone, labor-intensive and time consuming process. To solve these problems, in this paper we propose a digital evidence fusion method for network forensics with Dempster-Shafer theory that can detect efficiently computer crime in networked environments, and fuse digital evidence from different sources such as hosts and sub-networks automatically. In the end, we evaluate the method on well-known KDD Cup 1999 dataset. The results prove our method is very effective for real-time network forensics, and can provide comprehensible messages for a forensic investigators.

Zhang Xu,Zhenyu Wu,Zhichun Li,Kangkook Jee,Junghwan Rhee,Xusheng Xiao,Fengyuan Xu,Haining Wang,Guofei Jiang

DOI: https://doi.org/10.1145/2976749.2978378

2016-01-01

Abstract:Intrusive multi-step attacks, such as Advanced Persistent Threat (APT) attacks, have plagued enterprises with significant financial losses and are the top reason for enterprises to increase their security budgets. Since these attacks are sophisticated and stealthy, they can remain undetected for years if individual steps are buried in background "noise." Thus, enterprises are seeking solutions to "connect the suspicious dots" across multiple activities. This requires ubiquitous system auditing for long periods of time, which in turn causes overwhelmingly large amount of system audit events. Given a limited system budget, how to efficiently handle ever-increasing system audit logs is a great challenge. This paper proposes a new approach that exploits the dependency among system events to reduce the number of log entries while still supporting high-quality forensic analysis. In particular, we first propose an aggregation algorithm that preserves the dependency of events during data reduction to ensure the high quality of forensic analysis. Then we propose an aggressive reduction algorithm and exploit domain knowledge for further data reduction. To validate the efficacy of our proposed approach, we conduct a comprehensive evaluation on real-world auditing systems using log traces of more than one month. Our evaluation results demonstrate that our approach can significantly reduce the size of system logs and improve the efficiency of forensic analysis without losing accuracy.

JI Yu-chen,FU Xiao,SHI Jin,LUO Bin,ZHAO Zhi-hong

DOI: https://doi.org/10.3969/j.issn.1000-3428.2014.01.068

2014-01-01

Abstract:According to characteristics of computer intrusion forensic evidence, such as easy revise, easy loss, numerous sources, multifarious content, this paper discusses the current developing states about intrusion event reconstruction, analyzes intrusion event reconstruction source from the system layer object/event and the operate system layer object/event, and introduces the main intrusion event reconstruction tools. It reviews the existing methods for intrusion event reconstruction, including log analysis based on timestamp, semantic integrity checking, tracking technologies based on operate system layer object, event reconstruction models based on finite state machine and so on, evaluates their performance in terms of several metrics, such as reconstruction efficiency, false positives rate, credibility of evidence, authenticity of evidence, reconstruction environment, and summarizes the pros and cons of each method. Some important future research directions in the field of intrusion event reconstruction of computer intrusion forensic are discussed.

Tian Zhihong,Jiang Wei,Li Yang

DOI: https://doi.org/10.1109/cc.2015.7084411

2015-01-01

Abstract:Network forensics is a security infrastructure, and becomes the research focus of forensic investigation. However many challenges still exist in conducting network forensics: network has produced large amounts of data; the comprehensibility of evidence extracting from collected data; the efficiency of evidence analysis methods, etc. To solve these problems, in this paper we develop a network intrusion forensics system based on transductive scheme that can detect and analyze efficiently computer crime in networked environments, and extract digital evidence automatically. At the end of the paper, we evaluate our method on a series of experiments on KDD Cup 1999 dataset. The results demonstrate that our methods are actually effective for real-time network forensics, and can provide comprehensible aid for a forensic expert.

Gong Jian,Wang Zhuoran,Su Qi,Yang Wang

DOI: https://doi.org/10.13245/j.hust.161107

2016-01-01

Abstract:To improve the efficiency of the security incident response ,an intrusion detection and fo‐rensic analysis automation response model was designed and implemented .The model was based on the particular security event information ,OpenFlow switches were used for packet filtering and for‐warding ,PF- RING ZC Zero‐Copy tool was used to automatically collect packet traffic ,and open source intrusion detection software Suricata and multi‐feature associated redundancy elimination algo‐rithm were used to complete network intrusion detection and redundance elimination of intrusion e‐vent .Bro system was combined with application layer protocol analysis to complete forensic analysis of network traffic ,which could significantly reduce manual intervention .Various parts of the automa‐ted response model were analyzed in detail by bots detected experiment ,the results show the effective‐ness of the model for enhancing the efficiency of the security incident response .

Erwin van de Wiel,Mark Scanlon,Nhien-An Le-Khac

DOI: https://doi.org/10.48550/arXiv.1712.05727

2018-01-27

Abstract:In criminal investigations, telecommunication wiretaps have become a common technique used by law enforcement. While phone-based wiretapping is well documented and the procedure for their execution are well known, the same cannot be said for Internet taps. Lawfully intercepted network traffic often contains a lot of encrypted traffic making it increasingly difficult to find useful information inside the traffic captured. The advent of Internet-of-Things further complicates the process for non-technical investigators. The current level of complexity of intercepted network traffic is close to a point where data cannot be analysed without supervision of a digital investigator with advanced network knowledge. Current investigations focus on analysing all traffic in a chronological manner and are predominately conducted on the data contents of the intercepted traffic. This approach often becomes overly arduous when the amount of data to be analysed becomes very large. In this paper, we propose a novel approach to analyse large amounts of intercepted network traffic based on network metadata. Our approach significantly reduces the duration of the analysis and also produces an insight view of analysing results for the non-technical investigator. We also test our approach with a large sample of network traffic data.

Cryptography and Security,Networking and Internet Architecture

Zhouzhou Liu,Wei,Hao Wang,Yangmei Zhang,Qianyun Zhang,Shining Li

DOI: https://doi.org/10.1109/access.2018.2879891

IF: 3.9

2018-01-01

IEEE Access

Abstract:Aiming at large-scale, high dimensional data, and variable intrusion behavior in wireless sensor networks (WSNs), an intrusion detection algorithm based on parallel intelligent optimization feature extraction and distributed fuzzy clustering for WSNs is proposed. First, in order to effectively reduce the data dimensionality and improve the robustness of the feature extraction process, the parallel intelligent optimization feature extraction framework is constructed on the basis of defining the optimal feature evaluation index, for which the theoretical analysis shows that the index can eliminate feature redundancy and maintain the diversity of original data. Second, the spider cluster optimization algorithm evolution rule is redefined by introducing local search and adaptive multi strategy update method, and it proves that the improved social spider optimization (ISSO) algorithm has global convergence. The ISSO is used to solve the feature extraction framework, and through the parallel feature subset selection process, the best feature combination is extracted. Finally, WSNs intrusion detection is carried out by using the best feature subset and the distributed fuzzy clustering technology, and intelligent iterative evolution method and adaptive clustering strategy are introduced in order to improve the fuzzy clustering algorithm performance. Experimental results show that the intrusion detection algorithm can effectively give the results of intrusion detection, and moreover, compared with the other detection algorithms, the intrusion detection rate is improved by about 13.1%, and the false detection rate is decreased by about 8.5%.

WANG Yi-miao,PENG Hong,CHEN Long

DOI: https://doi.org/10.3969/j.issn.1001-3695.2007.05.086

2007-01-01

Abstract:So it is costly to be evidence as a whole.A proactive forensics method was proposed to reduce the huge amount of data and reserve valuable evidence according to IDS alerts.The method was viable and reach a good trade-off performance,between possible evidence and cost.

Ruining Guo,Tianjie Cao,Xuan Luo

DOI: https://doi.org/10.1109/isme.2010.20

2010-01-01

Abstract:The work presented in this paper focuses on acquiring the original illegal information hidden in the network data traffic, to provide reliable digital evidence for the network crime cases. Directing toward the data transmission based on Web service, the paper designed a total-part type forensics modal, and implemented a passive network forensics system under the windows system. The technology and methods we applied are referred to as packet capture, packet filtration, protocol analysis, application date regeneration and so on. The system captures, disassembles, identifies and recombines the network information flow, restores the data into a standard format and makes the plaintext information of application layer reappear at last. The result of appraisal and application indicates the system can gain original transparent digital evidence and satisfy network forensics requirements, which provides strong support for solving the network crime cases.

Darren Quick,Kim-Kwang Raymond Choo

DOI: https://doi.org/10.1007/s10586-016-0553-1

2016-03-21

Cluster Computing

Abstract:An issue that continues to impact digital forensics is the increasing volume of data and the growing number of devices. One proposed method to deal with the problem of “big digital forensic data”: the volume, variety, and velocity of digital forensic data, is to reduce the volume of data at either the collection stage or the processing stage. We have developed a novel approach which significantly improves on current practice, and in this paper we outline our data volume reduction process which focuses on imaging a selection of key files and data such as: registry, documents, spreadsheets, email, internet history, communications, logs, pictures, videos, and other relevant file types. When applied to test cases, a hundredfold reduction of original media volume was observed. When applied to real world cases of an Australian Law Enforcement Agency, the data volume further reduced to a small percentage of the original media volume, whilst retaining key evidential files and data. The reduction process was applied to a range of real world cases reviewed by experienced investigators and detectives and highlighted that evidential data was present in the data reduced forensic subset files. A data reduction approach is applicable in a range of areas, including: digital forensic triage, analysis, review, intelligence analysis, presentation, and archiving. In addition, the data reduction process outlined can be applied using common digital forensic hardware and software solutions available in appropriately equipped digital forensic labs without requiring additional purchase of software or hardware. The process can be applied to a wide variety of cases, such as terrorism and organised crime investigations, and the proposed data reduction process is intended to provide a capability to rapidly process data and gain an understanding of the information and/or locate key evidence or intelligence in a timely manner.

LIU Zai-Qiang,LIN Dong-Dai,FENG Deng-Guo

DOI: https://doi.org/10.1360/jos182635

2007-01-01

Journal of Software

Abstract:Network forensics is an important extension to present security infrastructure,and is becoming the research focus of forensic investigators and network security researchers.However many challenges still exist in conducting network forensics:The sheer amount of data generated by the network;the comprehensibility of evidences extracted from collected data;the efficiency of evidence analysis methods,etc.Against above challenges,by taking the advantage of both the great learning capability and the comprehensibility of the analyzed results of decision tree technology and fuzzy logic,the researcher develops a fuzzy decision tree based network forensics system to aid an investigator in analyzing computer crime in network environments and automatically extract digital evidence.At the end of the paper,the experimental comparison results between our proposed method and other popular methods are presented.Experimental results show that the system can classify most kinds of events (91.16% correct classification rate on average),provide analyzed and comprehensible information for a forensic expert and automate or semi-automate the process of forensic analysis.

X. Fu,X. Du,B. Luo

DOI: https://doi.org/10.1002/sec.1337

IF: 1.968

2015-01-01

Security and Communication Networks

Abstract:Memory forensics is an important technique for protecting network security and fighting against computer crimes. It has developed greatly in the past decade, because memory can provide more reliable information that other evidence sources do not contain. However, nowadays, when investigating network criminal cases, the Gigabyte GB and even Terabyte TB level memory and many such dumps have made memory analysis a difficult task. And investigators usually have to deal with complex operating system OS data structures, which they have little knowledge of. So how to analyze memory evidence automatically so as to find the hidden criminal behavior and reconstruct the scenario in an understandable way has become an important problem. This paper presents an automatic memory analysis methodology based on data correlation. Through analyzing key OS data structures and utilizing a clustering algorithm, this methodology can discover the relationships among processes, files, users, Dynamic-link library DLLs, and network connections. By describing these relationships as correlation graphs, our methods can reorganize these independent memory evidences and disclose their meanings in a high semantic level. Experiments have proved that these correlation graphs can help investigators find hidden criminal behavior and reconstruct the criminal scenarios. And as we know, now, little work is in this field. Copyright © 2015 John Wiley & Sons, Ltd.

Yu Su,Kaiyue Qi,Chong Di,Yinghua Ma,Shenghong Li

DOI: https://doi.org/10.1109/dsc.2018.00099

2018-01-01

Abstract:Considering the sharp increasing flow of network traffic, it is extremely emergency to detect malicious and anomalous network traffic to protect network security. Network Intrusion Detection Systems (NIDS) can be used to detect normal and anomalous behavior by analyzing network traffic. However, network traffic data consist of large quantities of features, increasing the difficulty of detection. These features contain many redundant features, which can affect the effectiveness of detection. In this paper, a method of learning automata is proposed to select the optimal and significant features for network traffic intrusion detection. Multiple LAs collaboratively remove redundant features and fully consider the redundancy of single feature and multiple combined features. The experiments on KDD99 show that the proposed feature selection scheme can effectively reduce feature dimension and select the optimal feature subset. It can also achieves higher detection accuracy compared with other feature selection methods.

Ying-Dar Lin,Ze-Yu Wang,Po-Ching Lin,Van-Linh Nguyen,Ren-Hung Hwang,Yuan-Cheng Lai

DOI: https://doi.org/10.1016/j.jisa.2022.103248

IF: 4.96

2022-08-01

Journal of Information Security and Applications

Abstract:This work compares the performance of different combinations of data sources for intrusion detection in depth. To learn and distinguish between normal and malicious behavior, we use machine learning algorithms and train three typical models on three kinds of datasets: system logs, packet flows and host statistics. Unlike other studies, our study captures and monitors the behavior from multiple data sources in order to catch security attacks. Our aim is to figure out how to build the most effective dataset for machine learning with a combination of multiple sources. However, since there are no such datasets which have been generated from multiple sources for given attacks, we show how to build and generate a dataset with three data sources. We then compare the F1 score of the detection by applying machine learning algorithms for various combinations of the data sources. Our evaluation results show that the dataset of host statistics results in better performance (0.91) than traffic flows (0.63) and system logs (0.44) because it has the highest average F1-score in the three stages of attacks, while the other datasets may have poor F1-scores in some of the stages, particularly in the stage of impact. However, in the initial access stage of attacks, the dataset of logs performs the best (0.94), and the packet flows are suitable for detecting network DoS attacks (0.82). Furthermore, running this detection with all three data sources results in minor overheads of at most 2.1% CPU utilization. Finally, we analyze the important features of each model, such as the number of logs generated by apache-access, in.telnetd and postfix in the dataset of logs, SrcBytes and TotBytes in the dataset of flows, and MINFLT, VSTEXT and RSIZE in the dataset of statistics.

computer science, information systems

Yulai Xie,Dan Feng,Zhipeng Tan,Junzhe Zhou

DOI: https://doi.org/10.1016/j.future.2016.02.005

IF: 7.307

2016-01-01

Future Generation Computer Systems

Abstract:The existing host-based intrusion detection methods are mainly based on recording and analyzing the system calls of the invasion processes (such as exploring the sequences of system calls and their occurring probabilities). However, these methods are not efficient enough on the detection precision as they do not reveal the inherent intrusion events in detail (e.g., where are the system vulnerabilities and what causes the invasion are both not mentioned). On the other hand, though the log-based forensic analysis can enhance the understanding of how these invasion processes break into the system and what files are affected by them, it is a very cumbersome process to manually acquire information from logs which consist of the users' normal behavior and intruders' illegal behavior together.This paper proposes to use provenance, the history or lineage of an object that explicitly represents the dependency relationship between the damaged files and the intrusion processes, rather than the underlying system calls, to detect and analyze intrusions. Provenance more accurately reveals and records the data and control flow between files and processes, reducing the potential false alarm caused by system call sequences. Moreover, the warning report during intrusion call explicitly output system vulnerabilities and intrusion sources, and provide detection points for further provenance graph based forensic analysis. Experimental results show that this framework call identify the intrusion with high detection rate, lower false alarm rate, and smaller detection time overhead compared to traditional system call based method. In addition, it can analyze the system vulnerabilities and attack sources quickly and accurately. (C) 2016 Elsevier B.V. All rights reserved.

Zhang Xue-qin,Gu Chun-hua

DOI: https://doi.org/10.3969/j.issn.1000-565X.2010.01.016

2010-01-01

Abstract:In order to eliminate redundant features,reduce the system burden of storage and computation,and improve the performance of the classifier for network intrusion detection,a method to extract network intrusion detection feature is proposed based on the Fisher score and the support vector machine(SVM).Then,in accordance with KDD′99 network intrusion detection dataset,the feature significance rankings for the mixed attack and four single attacks are respectively obtained by using the proposed method.By extracting important features,a SVM classifier is thus constructed.Experimental results show that,as compared with the classifier constructed based on all features,the new classifier is of approximately equivalent accuracy and dramatically low training and testing time cost.

Jingmin Zhou

2008-01-01

Abstract:Despite years of research and development efforts, intrusion detection is still facing significant challenges. A particular intriguing problem is that existing network intrusion detection systems report an excessive number of alerts, of which few are "interesting" from the point of view of security officers. Moreover, these alerts do not provide adequate details about the intrusions that can assist security officers to efficiently assess the security risks. In this dissertation, we propose methods to reduce the number of alerts and improve their quality. In our approach, we first identify and extract additional information from the intrusion alerts such as the result of an attack. Using this information, we are able to quickly filter out a majority of alerts that are generally not helpful in intrusion analysis. We also create a systematic approach to consistently and unambiguously model the extracted information, in particular the relations between different alerts. We demonstrate the scalability of this model by applying it to almost one thousand different network intrusion detection signatures. Using the model, we successfully construct high-level description of multi-stage intrusion strategies from low-level alerts, as well as compute the possible variations of multi-stage intrusions from a single intrusion instance. This not only reduces the number of total alerts, but also improves the alert quality. We conducted experiments with several real-world intrusion detection datasets, and the results showed the effectiveness of our approach.

Xiaofei Wang,Junchen Jiang,Wei Lin,Yi Tang,Xiaojun Wang,Bin Liu

DOI: https://doi.org/10.1109/iccomta.2009.5349207

2009-01-01

Abstract:Deep packet inspection at high speed has become extremely important due to its application in a wide range of network applications, such as network security and network monitoring. Network intrusion detection system (NIDS) uses a collection of signatures of known security threats and viruses to scan the payload of each packet. Signatures are often specified in the form of regular expressions (regex), called patterns, which are traditionally implemented as finite automata. Deterministic finite automata (DFA) is fast, but requires prohibitive amounts of memory which limits their practical use. Instead of matching an incoming packet with each individual regex in a ruleset, we match the packet with a fixed substring, called fingerprint, of a regex first. Fixed string matching is faster and consumes less energy than regex matching. The fact is that if a packet does not match with the fingerprint of a regex, it will not match the regex itself. So fingerprints can be used in a prefilter engine to filter out those packets and do not match any of the fingerprints of the regex in a rule set, which represents normal non-malicious traffic. This actually reduces the number of regex rules being matched, which results in increased throughput of the NIDS. We present a weight scheme to extract a good fingerprint from a regex. A good fingerprint is the one that not only indicates the regex uniquely, but also occurs as less as possible in the matching procedure. We demonstrate how to use fingerprints for efficient prefiltering by means of Bloom filters in practice.